+15

doc/redirects.json

··· 225 225 "sec-language-cosmic": [ 226 226 "index.html#sec-language-cosmic" 227 227 ], 228 228 + "sec-meta-identifiers": [ 229 229 + "index.html#sec-meta-identifiers" 230 230 + ], 231 231 + "sec-meta-identifiers-cpe": [ 232 232 + "index.html#sec-meta-identifiers-cpe" 233 233 + ], 228 234 "sec-modify-via-packageOverrides": [ 229 235 "index.html#sec-modify-via-packageOverrides" 230 236 ], ··· 627 633 ], 628 634 "var-go-buildTestBinaries": [ 629 635 "index.html#var-go-buildTestBinaries" 636 636 + ], 637 637 + "var-meta-identifiers-cpe": [ 638 638 + "index.html#var-meta-identifiers-cpe" 639 639 + ], 640 640 + "var-meta-identifiers-cpeParts": [ 641 641 + "index.html#var-meta-identifiers-cpeParts" 642 642 + ], 643 643 + "var-meta-identifiers-possibleCPEs": [ 644 644 + "index.html#var-meta-identifiers-possibleCPEs" 630 645 ], 631 646 "var-meta-teams": [ 632 647 "index.html#var-meta-teams"

+71

doc/stdenv/meta.chapter.md

··· 248 248 ### `lib.sourceTypes.binaryBytecode` {#lib.sourceTypes.binaryBytecode} 249 249 250 250 Code to run on a VM interpreter or JIT compiled into bytecode by a third party. This includes packages which download Java `.jar` files from another source. 251 251 + 252 252 + ## Software identifiers {#sec-meta-identifiers} 253 253 + 254 254 + Package's `meta.identifiers` attribute specifies information about software identifiers associated with this package. Software identifiers are used, for example: 255 255 + * to generate Software Bill of Materials (SBOM) that lists all components used to build the software, which can later be used to perform vulnerability or license analysis of the resulting software; 256 256 + * to lookup software in different vulnerability databases or report new vulnerabilities to them. 257 257 + 258 258 + Overriding the default `meta.identifiers` attribute is optional, but it is recommended to fill in pieces to help tools mentioned above get precise data. 259 259 + For example, we could get automatic notifications about potential vulnerabilities for users in the future. 260 260 + All identifiers specified in `meta.identifiers` are expected to be unambiguous and valid. 261 261 + 262 262 + `meta.identifiers` contains `v1` attribute which is an attribute set that guarantees backward compatibility of its constituents. Right now it contains copies of all other attributes in `meta.identifiers`. 263 263 + 264 264 + ### CPE {#sec-meta-identifiers-cpe} 265 265 + 266 266 + Common Platform Enumeration (CPE) is a specification maintained by NIST as part of the Security Content Automation Protocol (SCAP). It is used to identify software in National Vulnerabilities Database (NVD, https://nvd.nist.gov) and other vulnerability databases. 267 267 + 268 268 + Current version of CPE 2.3 consists of 13 parts: 269 269 + 270 270 + ``` 271 271 + cpe:2.3:a:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other> 272 272 + ``` 273 273 + 274 274 + Some of them are as follows: 275 275 + 276 276 + * *CPE version* - current version of CPE is `2.3` 277 277 + * *part* - usually in Nixpkgs `a` for "application", can also be `o` for "operating system" or `h` for "hardware" 278 278 + * *vendor* - can point to the source of the package, or to Nixpkgs itself 279 279 + * *product* - name of the package 280 280 + * *version* - version of the package 281 281 + * *update* - name of the latest update, can be a patch version for semantically versioned packages 282 282 + * *edition* - any additional specification about the version 283 283 + 284 284 + You can find information about all of these attributes in the [official specification](https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe/naming) (heading 5.3.3, pages 11-13). 285 285 + 286 286 + Any fields that don't have a value are set to either `-` if the value is not available or `*` when the field can match any value. 287 287 + 288 288 + For example, for glibc 2.40.1 CPE would be `cpe:2.3:a:gnu:glibc:2.40:1:*:*:*:*:*:*`. 289 289 + 290 290 + #### `meta.identifiers.cpeParts` {#var-meta-identifiers-cpeParts} 291 291 + 292 292 + This attribute contains an attribute set of all parts of the CPE for this package. Most of the parts default to `*` (match any value), with some exceptions: 293 293 + 294 294 + * `part` defaults to `a` (application), can also be set to `o` for operating systems, for example, Linux kernel, or to `h` for hardware 295 295 + * `vendor` cannot be deduced from other sources, so it must be specified by the package author 296 296 + * `product` defaults to provided derivation's `pname` attribute and must be provided explicitly if `pname` is missing 297 297 + * `version` and `update` have no defaults and should be specified explicitly or using helper functions, when missing, `cpe` attribute will be empty, and all possible guesses using helper functions will be in `possibleCPEs` attribute. 298 298 + 299 299 + It is up to the package author to make sure all parts are correct and match expected values in [NVD dictionary](https://nvd.nist.gov/products/cpe). Unknown values can be skipped, which would leave them with the default value of `*`. 300 300 + 301 301 + Following functions help with filling out `version` and `update` fields: 302 302 + 303 303 + * [`lib.meta.cpeFullVersionWithVendor`](#function-library-lib.meta.cpeFullVersionWithVendor) 304 304 + * [`lib.meta.cpePatchVersionInUpdateWithVendor`](#function-library-lib.meta.cpePatchVersionInUpdateWithVendor) 305 305 + 306 306 + For many packages to make CPE available it should be enough to specify only: 307 307 + 308 308 + ```nix 309 309 + { 310 310 + # ... 311 311 + meta.identifiers.cpeParts = lib.meta.cpePatchVersionInUpdateWithVendor vendor version; 312 312 + } 313 313 + ``` 314 314 + 315 315 + #### `meta.identifiers.cpe` {#var-meta-identifiers-cpe} 316 316 + 317 317 + A readonly attribute that concatenates all CPE parts in one string. 318 318 + 319 319 + #### `meta.identifiers.possibleCPEs` {#var-meta-identifiers-possibleCPEs} 320 320 + 321 321 + A readonly attribute containing the list of guesses for what CPE for this package can look like. It includes all variants of version handling mentioned above. Each item is an attrset with attributes `cpeParts` and `cpe` for each guess.

+188 -1

lib/meta.nix

··· 15 15 assertMsg 16 16 ; 17 17 inherit (lib.attrsets) mapAttrs' filterAttrs; 18 18 - inherit (builtins) isString match typeOf; 18 18 + inherit (builtins) 19 19 + isString 20 20 + match 21 21 + typeOf 22 22 + elemAt 23 23 + ; 19 24 20 25 in 21 26 rec { ··· 491 496 assert assertMsg (match ".*/.*" y == null) 492 497 "lib.meta.getExe': The second argument \"${y}\" is a nested path with a \"/\" character, but it should just be the name of the executable instead."; 493 498 "${getBin x}/bin/${y}"; 499 499 + 500 500 + /** 501 501 + Generate [CPE parts](#var-meta-identifiers-cpeParts) from inputs. Copies `vendor` and `version` to the output, and sets `update` to `*`. 502 502 + 503 503 + # Inputs 504 504 + 505 505 + `vendor` 506 506 + 507 507 + : package's vendor 508 508 + 509 509 + `version` 510 510 + 511 511 + : package's version 512 512 + 513 513 + # Type 514 514 + 515 515 + ``` 516 516 + cpeFullVersionWithVendor :: string -> string -> AttrSet 517 517 + ``` 518 518 + 519 519 + # Examples 520 520 + :::{.example} 521 521 + ## `lib.meta.cpeFullVersionWithVendor` usage example 522 522 + 523 523 + ```nix 524 524 + lib.meta.cpeFullVersionWithVendor "gnu" "1.2.3" 525 525 + => { 526 526 + vendor = "gnu"; 527 527 + version = "1.2.3"; 528 528 + update = "*"; 529 529 + } 530 530 + ``` 531 531 + 532 532 + ::: 533 533 + :::{.example} 534 534 + ## `lib.meta.cpeFullVersionWithVendor` usage in derivations 535 535 + 536 536 + ```nix 537 537 + mkDerivation rec { 538 538 + version = "1.2.3"; 539 539 + # ... 540 540 + meta = { 541 541 + # ... 542 542 + identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "gnu" version; 543 543 + }; 544 544 + } 545 545 + ``` 546 546 + ::: 547 547 + */ 548 548 + cpeFullVersionWithVendor = vendor: version: { 549 549 + inherit vendor version; 550 550 + update = "*"; 551 551 + }; 552 552 + 553 553 + /** 554 554 + Alternate version of [`lib.meta.cpePatchVersionInUpdateWithVendor`](#function-library-lib.meta.cpePatchVersionInUpdateWithVendor). 555 555 + If `cpePatchVersionInUpdateWithVendor` succeeds, returns an attribute set with `success` set to `true` and `value` set to the result. 556 556 + Otherwise, `success` is set to `false` and `error` is set to the string representation of the error. 557 557 + 558 558 + # Inputs 559 559 + 560 560 + `vendor` 561 561 + 562 562 + : package's vendor 563 563 + 564 564 + `version` 565 565 + 566 566 + : package's version 567 567 + 568 568 + # Type 569 569 + 570 570 + ``` 571 571 + tryCPEPatchVersionInUpdateWithVendor :: string -> string -> AttrSet 572 572 + ``` 573 573 + 574 574 + # Examples 575 575 + :::{.example} 576 576 + ## `lib.meta.tryCPEPatchVersionInUpdateWithVendor` usage example 577 577 + 578 578 + ```nix 579 579 + lib.meta.tryCPEPatchVersionInUpdateWithVendor "gnu" "1.2.3" 580 580 + => { 581 581 + success = true; 582 582 + value = { 583 583 + vendor = "gnu"; 584 584 + version = "1.2"; 585 585 + update = "3"; 586 586 + }; 587 587 + } 588 588 + ``` 589 589 + 590 590 + ::: 591 591 + :::{.example} 592 592 + ## `lib.meta.cpePatchVersionInUpdateWithVendor` error example 593 593 + 594 594 + ```nix 595 595 + lib.meta.tryCPEPatchVersionInUpdateWithVendor "gnu" "5.3p0" 596 596 + => { 597 597 + success = false; 598 598 + error = "version 5.3p0 doesn't match regex `([0-9]+\\.[0-9]+)\\.([0-9]+)`"; 599 599 + } 600 600 + ``` 601 601 + 602 602 + ::: 603 603 + */ 604 604 + tryCPEPatchVersionInUpdateWithVendor = 605 605 + vendor: version: 606 606 + let 607 607 + regex = "([0-9]+\\.[0-9]+)\\.([0-9]+)"; 608 608 + # we have to call toString here in case version is an attrset with __toString attribute 609 609 + versionMatch = builtins.match regex (toString version); 610 610 + in 611 611 + if versionMatch == null then 612 612 + { 613 613 + success = false; 614 614 + error = "version ${version} doesn't match regex `${regex}`"; 615 615 + } 616 616 + else 617 617 + { 618 618 + success = true; 619 619 + value = { 620 620 + inherit vendor; 621 621 + version = elemAt versionMatch 0; 622 622 + update = elemAt versionMatch 1; 623 623 + }; 624 624 + }; 625 625 + 626 626 + /** 627 627 + Generate [CPE parts](#var-meta-identifiers-cpeParts) from inputs. Copies `vendor` to the result. When `version` matches `X.Y.Z` where all parts are numerical, sets `version` and `update` fields to `X.Y` and `Z`. Throws an error if the version doesn't match the expected template. 628 628 + 629 629 + # Inputs 630 630 + 631 631 + `vendor` 632 632 + 633 633 + : package's vendor 634 634 + 635 635 + `version` 636 636 + 637 637 + : package's version 638 638 + 639 639 + # Type 640 640 + 641 641 + ``` 642 642 + cpePatchVersionInUpdateWithVendor :: string -> string -> AttrSet 643 643 + ``` 644 644 + 645 645 + # Examples 646 646 + :::{.example} 647 647 + ## `lib.meta.cpePatchVersionInUpdateWithVendor` usage example 648 648 + 649 649 + ```nix 650 650 + lib.meta.cpePatchVersionInUpdateWithVendor "gnu" "1.2.3" 651 651 + => { 652 652 + vendor = "gnu"; 653 653 + version = "1.2"; 654 654 + update = "3"; 655 655 + } 656 656 + ``` 657 657 + 658 658 + ::: 659 659 + :::{.example} 660 660 + ## `lib.meta.cpePatchVersionInUpdateWithVendor` usage in derivations 661 661 + 662 662 + ```nix 663 663 + mkDerivation rec { 664 664 + version = "1.2.3"; 665 665 + # ... 666 666 + meta = { 667 667 + # ... 668 668 + identifiers.cpeParts = lib.meta.cpePatchVersionInUpdateWithVendor "gnu" version; 669 669 + }; 670 670 + } 671 671 + ``` 672 672 + 673 673 + ::: 674 674 + */ 675 675 + cpePatchVersionInUpdateWithVendor = 676 676 + vendor: version: 677 677 + let 678 678 + result = tryCPEPatchVersionInUpdateWithVendor vendor version; 679 679 + in 680 680 + if result.success then result.value else throw result.error; 494 681 }

+5

pkgs/applications/networking/sync/rsync/default.nix

··· 92 92 ivan 93 93 ]; 94 94 platforms = platforms.unix; 95 95 + identifiers.cpeParts = { 96 96 + vendor = "samba"; 97 97 + inherit version; 98 98 + update = "-"; 99 99 + }; 95 100 }; 96 101 }

+1

pkgs/by-name/he/hello/package.nix

··· 55 55 maintainers = with lib.maintainers; [ stv0g ]; 56 56 mainProgram = "hello"; 57 57 platforms = lib.platforms.all; 58 58 + identifiers.cpeParts.vendor = "gnu"; 58 59 }; 59 60 })

+1

pkgs/development/compilers/gcc/common/meta.nix

··· 30 30 teams = [ teams.gcc ]; 31 31 mainProgram = "${targetPrefix}gcc"; 32 32 33 33 + identifiers.cpeParts.vendor = "gnu"; 33 34 }

+1

pkgs/development/compilers/gcc/default.nix

··· 419 419 platforms 420 420 teams 421 421 mainProgram 422 422 + identifiers 422 423 ; 423 424 }; 424 425 }

+2

pkgs/development/compilers/llvm/common/common-let.nix

··· 34 34 ++ lib.platforms.riscv 35 35 ++ lib.platforms.m68k 36 36 ++ lib.platforms.loongarch64; 37 37 + 38 38 + identifiers.cpeParts.vendor = "llvm"; 37 39 }; 38 40 39 41 releaseInfo =

+7

pkgs/os-specific/linux/kernel/manual-config.nix

··· 546 546 ] 547 547 ++ lib.optional (lib.versionOlder version "5.19") "loongarch64-linux"; 548 548 timeout = 14400; # 4 hours 549 549 + identifiers.cpeParts = { 550 550 + part = "o"; 551 551 + vendor = "linux"; 552 552 + product = "linux_kernel"; 553 553 + inherit version; 554 554 + update = "*"; 555 555 + }; 549 556 } 550 557 // extraMeta; 551 558 };

+10

pkgs/shells/bash/5.nix

··· 183 183 badPlatforms = [ lib.systems.inspect.patterns.isMinGW ]; 184 184 maintainers = [ ]; 185 185 mainProgram = "bash"; 186 186 + identifiers.cpeParts = 187 187 + let 188 188 + versionSplit = lib.split "p" version; 189 189 + in 190 190 + { 191 191 + vendor = "gnu"; 192 192 + product = "bash"; 193 193 + version = lib.elemAt versionSplit 0; 194 194 + update = lib.elemAt versionSplit 2; 195 195 + }; 186 196 }; 187 197 }

+85

pkgs/stdenv/generic/check-meta.nix

··· 11 11 inherit (lib) 12 12 all 13 13 attrNames 14 14 + attrValues 14 15 concatMapStrings 15 16 concatMapStringsSep 16 17 concatStrings ··· 37 38 38 39 inherit (lib.meta) 39 40 availableOn 41 41 + cpeFullVersionWithVendor 42 42 + tryCPEPatchVersionInUpdateWithVendor 40 43 ; 41 44 42 45 inherit (lib.generators) ··· 438 441 # Used for the original location of the maintainer and team attributes to assist with pings. 439 442 maintainersPosition = any; 440 443 teamsPosition = any; 444 444 + 445 445 + identifiers = attrs; 441 446 }; 442 447 443 448 checkMetaAttr = ··· 571 576 else 572 577 validYes; 573 578 579 579 + # Helper functions and declarations to handle identifiers, extracted to reduce allocations 580 580 + hasAllCPEParts = 581 581 + cpeParts: 582 582 + let 583 583 + values = attrValues cpeParts; 584 584 + in 585 585 + (length values == 11) && !any isNull values; 586 586 + makeCPE = 587 587 + { 588 588 + part, 589 589 + vendor, 590 590 + product, 591 591 + version, 592 592 + update, 593 593 + edition, 594 594 + sw_edition, 595 595 + target_sw, 596 596 + target_hw, 597 597 + language, 598 598 + other, 599 599 + }: 600 600 + "cpe:2.3:${part}:${vendor}:${product}:${version}:${update}:${edition}:${sw_edition}:${target_sw}:${target_hw}:${language}:${other}"; 601 601 + possibleCPEPartsFuns = [ 602 602 + (vendor: version: { 603 603 + success = true; 604 604 + value = cpeFullVersionWithVendor vendor version; 605 605 + }) 606 606 + tryCPEPatchVersionInUpdateWithVendor 607 607 + ]; 608 608 + 574 609 # The meta attribute is passed in the resulting attribute set, 575 610 # but it's not part of the actual derivation, i.e., it's not 576 611 # passed to the builder and is not a dependency. But since we ··· 634 669 # if you add a new maintainer or team attribute please ensure that this expectation is still met. 635 670 maintainers = 636 671 attrs.meta.maintainers or [ ] ++ concatMap (team: team.members or [ ]) attrs.meta.teams or [ ]; 672 672 + 673 673 + identifiers = 674 674 + let 675 675 + # nix-env writes a warning for each derivation that has null in its meta values, so 676 676 + # fields without known values are removed from the result 677 677 + defaultCPEParts = { 678 678 + part = "a"; 679 679 + #vendor = null; 680 680 + ${if attrs ? pname then "product" else null} = attrs.pname; 681 681 + #version = null; 682 682 + #update = null; 683 683 + edition = "*"; 684 684 + sw_edition = "*"; 685 685 + target_sw = "*"; 686 686 + target_hw = "*"; 687 687 + language = "*"; 688 688 + other = "*"; 689 689 + }; 690 690 + 691 691 + cpeParts = defaultCPEParts // attrs.meta.identifiers.cpeParts or { }; 692 692 + cpe = if hasAllCPEParts cpeParts then makeCPE cpeParts else null; 693 693 + 694 694 + possibleCPEs = 695 695 + if cpe != null then 696 696 + [ { inherit cpeParts cpe; } ] 697 697 + else if attrs.meta.identifiers.cpeParts.vendor or null == null || attrs.version or null == null then 698 698 + [ ] 699 699 + else 700 700 + concatMap ( 701 701 + f: 702 702 + let 703 703 + result = f attrs.meta.identifiers.cpeParts.vendor attrs.version; 704 704 + # Note that attrs.meta.identifiers.cpeParts at this point can include defaults with user overrides. 705 705 + # Since we can't split them apart, user overrides don't apply to possibleCPEs. 706 706 + guessedParts = cpeParts // result.value; 707 707 + in 708 708 + optional (result.success && hasAllCPEParts guessedParts) { 709 709 + cpeParts = guessedParts; 710 710 + cpe = makeCPE guessedParts; 711 711 + } 712 712 + ) possibleCPEPartsFuns; 713 713 + v1 = { 714 714 + inherit cpeParts possibleCPEs; 715 715 + ${if cpe != null then "cpe" else null} = cpe; 716 716 + }; 717 717 + in 718 718 + v1 719 719 + // { 720 720 + inherit v1; 721 721 + }; 637 722 638 723 # Expose the result of the checks for everyone to see. 639 724 unfree = hasUnfreeLicense attrs;