pyrox.dev
Reapply "stdenv: Add CPE fields to meta" (#439074)
authored by Connor Baker and committed by GitHub 7b5e5830 9f71df05
+15
doc/redirects.json
+15
doc/redirects.json
···
225
"sec-language-cosmic": [
226
"index.html#sec-language-cosmic"
227
],
228
"sec-modify-via-packageOverrides": [
229
"index.html#sec-modify-via-packageOverrides"
230
],
···
627
],
628
"var-go-buildTestBinaries": [
629
"index.html#var-go-buildTestBinaries"
630
],
631
"var-meta-teams": [
632
"index.html#var-meta-teams"
···
225
"sec-language-cosmic": [
226
"index.html#sec-language-cosmic"
227
],
228
+
"sec-meta-identifiers": [
229
+
"index.html#sec-meta-identifiers"
230
+
],
231
+
"sec-meta-identifiers-cpe": [
232
+
"index.html#sec-meta-identifiers-cpe"
233
+
],
234
"sec-modify-via-packageOverrides": [
235
"index.html#sec-modify-via-packageOverrides"
236
],
···
633
],
634
"var-go-buildTestBinaries": [
635
"index.html#var-go-buildTestBinaries"
636
+
],
637
+
"var-meta-identifiers-cpe": [
638
+
"index.html#var-meta-identifiers-cpe"
639
+
],
640
+
"var-meta-identifiers-cpeParts": [
641
+
"index.html#var-meta-identifiers-cpeParts"
642
+
],
643
+
"var-meta-identifiers-possibleCPEs": [
644
+
"index.html#var-meta-identifiers-possibleCPEs"
645
],
646
"var-meta-teams": [
647
"index.html#var-meta-teams"
+71
doc/stdenv/meta.chapter.md
+71
doc/stdenv/meta.chapter.md
···
248
### `lib.sourceTypes.binaryBytecode` {#lib.sourceTypes.binaryBytecode}
249
250
Code to run on a VM interpreter or JIT compiled into bytecode by a third party. This includes packages which download Java `.jar` files from another source.
251
+
252
+
## Software identifiers {#sec-meta-identifiers}
253
+
254
+
Package's `meta.identifiers` attribute specifies information about software identifiers associated with this package. Software identifiers are used, for example:
255
+
* to generate Software Bill of Materials (SBOM) that lists all components used to build the software, which can later be used to perform vulnerability or license analysis of the resulting software;
256
+
* to lookup software in different vulnerability databases or report new vulnerabilities to them.
257
+
258
+
Overriding the default `meta.identifiers` attribute is optional, but it is recommended to fill in pieces to help tools mentioned above get precise data.
259
+
For example, we could get automatic notifications about potential vulnerabilities for users in the future.
260
+
All identifiers specified in `meta.identifiers` are expected to be unambiguous and valid.
261
+
262
+
`meta.identifiers` contains `v1` attribute which is an attribute set that guarantees backward compatibility of its constituents. Right now it contains copies of all other attributes in `meta.identifiers`.
263
+
264
+
### CPE {#sec-meta-identifiers-cpe}
265
+
266
+
Common Platform Enumeration (CPE) is a specification maintained by NIST as part of the Security Content Automation Protocol (SCAP). It is used to identify software in National Vulnerabilities Database (NVD, https://nvd.nist.gov) and other vulnerability databases.
267
+
268
+
Current version of CPE 2.3 consists of 13 parts:
269
+
270
+
```
271
+
cpe:2.3:a:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
272
+
```
273
+
274
+
Some of them are as follows:
275
+
276
+
* *CPE version* - current version of CPE is `2.3`
277
+
* *part* - usually in Nixpkgs `a` for "application", can also be `o` for "operating system" or `h` for "hardware"
278
+
* *vendor* - can point to the source of the package, or to Nixpkgs itself
279
+
* *product* - name of the package
280
+
* *version* - version of the package
281
+
* *update* - name of the latest update, can be a patch version for semantically versioned packages
282
+
* *edition* - any additional specification about the version
283
+
284
+
You can find information about all of these attributes in the [official specification](https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe/naming) (heading 5.3.3, pages 11-13).
285
+
286
+
Any fields that don't have a value are set to either `-` if the value is not available or `*` when the field can match any value.
287
+
288
+
For example, for glibc 2.40.1 CPE would be `cpe:2.3:a:gnu:glibc:2.40:1:*:*:*:*:*:*`.
289
+
290
+
#### `meta.identifiers.cpeParts` {#var-meta-identifiers-cpeParts}
291
+
292
+
This attribute contains an attribute set of all parts of the CPE for this package. Most of the parts default to `*` (match any value), with some exceptions:
293
+
294
+
* `part` defaults to `a` (application), can also be set to `o` for operating systems, for example, Linux kernel, or to `h` for hardware
295
+
* `vendor` cannot be deduced from other sources, so it must be specified by the package author
296
+
* `product` defaults to provided derivation's `pname` attribute and must be provided explicitly if `pname` is missing
297
+
* `version` and `update` have no defaults and should be specified explicitly or using helper functions, when missing, `cpe` attribute will be empty, and all possible guesses using helper functions will be in `possibleCPEs` attribute.
298
+
299
+
It is up to the package author to make sure all parts are correct and match expected values in [NVD dictionary](https://nvd.nist.gov/products/cpe). Unknown values can be skipped, which would leave them with the default value of `*`.
300
+
301
+
Following functions help with filling out `version` and `update` fields:
302
+
303
+
* [`lib.meta.cpeFullVersionWithVendor`](#function-library-lib.meta.cpeFullVersionWithVendor)
304
+
* [`lib.meta.cpePatchVersionInUpdateWithVendor`](#function-library-lib.meta.cpePatchVersionInUpdateWithVendor)
305
+
306
+
For many packages to make CPE available it should be enough to specify only:
307
+
308
+
```nix
309
+
{
310
+
# ...
311
+
meta.identifiers.cpeParts = lib.meta.cpePatchVersionInUpdateWithVendor vendor version;
312
+
}
313
+
```
314
+
315
+
#### `meta.identifiers.cpe` {#var-meta-identifiers-cpe}
316
+
317
+
A readonly attribute that concatenates all CPE parts in one string.
318
+
319
+
#### `meta.identifiers.possibleCPEs` {#var-meta-identifiers-possibleCPEs}
320
+
321
+
A readonly attribute containing the list of guesses for what CPE for this package can look like. It includes all variants of version handling mentioned above. Each item is an attrset with attributes `cpeParts` and `cpe` for each guess.
+188
-1
lib/meta.nix
+188
-1
lib/meta.nix
···
15
assertMsg
16
;
17
inherit (lib.attrsets) mapAttrs' filterAttrs;
18
-
inherit (builtins) isString match typeOf;
19
20
in
21
rec {
···
491
assert assertMsg (match ".*/.*" y == null)
492
"lib.meta.getExe': The second argument \"${y}\" is a nested path with a \"/\" character, but it should just be the name of the executable instead.";
493
"${getBin x}/bin/${y}";
494
}
···
15
assertMsg
16
;
17
inherit (lib.attrsets) mapAttrs' filterAttrs;
18
+
inherit (builtins)
19
+
isString
20
+
match
21
+
typeOf
22
+
elemAt
23
+
;
24
25
in
26
rec {
···
496
assert assertMsg (match ".*/.*" y == null)
497
"lib.meta.getExe': The second argument \"${y}\" is a nested path with a \"/\" character, but it should just be the name of the executable instead.";
498
"${getBin x}/bin/${y}";
499
+
500
+
/**
501
+
Generate [CPE parts](#var-meta-identifiers-cpeParts) from inputs. Copies `vendor` and `version` to the output, and sets `update` to `*`.
502
+
503
+
# Inputs
504
+
505
+
`vendor`
506
+
507
+
: package's vendor
508
+
509
+
`version`
510
+
511
+
: package's version
512
+
513
+
# Type
514
+
515
+
```
516
+
cpeFullVersionWithVendor :: string -> string -> AttrSet
517
+
```
518
+
519
+
# Examples
520
+
:::{.example}
521
+
## `lib.meta.cpeFullVersionWithVendor` usage example
522
+
523
+
```nix
524
+
lib.meta.cpeFullVersionWithVendor "gnu" "1.2.3"
525
+
=> {
526
+
vendor = "gnu";
527
+
version = "1.2.3";
528
+
update = "*";
529
+
}
530
+
```
531
+
532
+
:::
533
+
:::{.example}
534
+
## `lib.meta.cpeFullVersionWithVendor` usage in derivations
535
+
536
+
```nix
537
+
mkDerivation rec {
538
+
version = "1.2.3";
539
+
# ...
540
+
meta = {
541
+
# ...
542
+
identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "gnu" version;
543
+
};
544
+
}
545
+
```
546
+
:::
547
+
*/
548
+
cpeFullVersionWithVendor = vendor: version: {
549
+
inherit vendor version;
550
+
update = "*";
551
+
};
552
+
553
+
/**
554
+
Alternate version of [`lib.meta.cpePatchVersionInUpdateWithVendor`](#function-library-lib.meta.cpePatchVersionInUpdateWithVendor).
555
+
If `cpePatchVersionInUpdateWithVendor` succeeds, returns an attribute set with `success` set to `true` and `value` set to the result.
556
+
Otherwise, `success` is set to `false` and `error` is set to the string representation of the error.
557
+
558
+
# Inputs
559
+
560
+
`vendor`
561
+
562
+
: package's vendor
563
+
564
+
`version`
565
+
566
+
: package's version
567
+
568
+
# Type
569
+
570
+
```
571
+
tryCPEPatchVersionInUpdateWithVendor :: string -> string -> AttrSet
572
+
```
573
+
574
+
# Examples
575
+
:::{.example}
576
+
## `lib.meta.tryCPEPatchVersionInUpdateWithVendor` usage example
577
+
578
+
```nix
579
+
lib.meta.tryCPEPatchVersionInUpdateWithVendor "gnu" "1.2.3"
580
+
=> {
581
+
success = true;
582
+
value = {
583
+
vendor = "gnu";
584
+
version = "1.2";
585
+
update = "3";
586
+
};
587
+
}
588
+
```
589
+
590
+
:::
591
+
:::{.example}
592
+
## `lib.meta.cpePatchVersionInUpdateWithVendor` error example
593
+
594
+
```nix
595
+
lib.meta.tryCPEPatchVersionInUpdateWithVendor "gnu" "5.3p0"
596
+
=> {
597
+
success = false;
598
+
error = "version 5.3p0 doesn't match regex `([0-9]+\\.[0-9]+)\\.([0-9]+)`";
599
+
}
600
+
```
601
+
602
+
:::
603
+
*/
604
+
tryCPEPatchVersionInUpdateWithVendor =
605
+
vendor: version:
606
+
let
607
+
regex = "([0-9]+\\.[0-9]+)\\.([0-9]+)";
608
+
# we have to call toString here in case version is an attrset with __toString attribute
609
+
versionMatch = builtins.match regex (toString version);
610
+
in
611
+
if versionMatch == null then
612
+
{
613
+
success = false;
614
+
error = "version ${version} doesn't match regex `${regex}`";
615
+
}
616
+
else
617
+
{
618
+
success = true;
619
+
value = {
620
+
inherit vendor;
621
+
version = elemAt versionMatch 0;
622
+
update = elemAt versionMatch 1;
623
+
};
624
+
};
625
+
626
+
/**
627
+
Generate [CPE parts](#var-meta-identifiers-cpeParts) from inputs. Copies `vendor` to the result. When `version` matches `X.Y.Z` where all parts are numerical, sets `version` and `update` fields to `X.Y` and `Z`. Throws an error if the version doesn't match the expected template.
628
+
629
+
# Inputs
630
+
631
+
`vendor`
632
+
633
+
: package's vendor
634
+
635
+
`version`
636
+
637
+
: package's version
638
+
639
+
# Type
640
+
641
+
```
642
+
cpePatchVersionInUpdateWithVendor :: string -> string -> AttrSet
643
+
```
644
+
645
+
# Examples
646
+
:::{.example}
647
+
## `lib.meta.cpePatchVersionInUpdateWithVendor` usage example
648
+
649
+
```nix
650
+
lib.meta.cpePatchVersionInUpdateWithVendor "gnu" "1.2.3"
651
+
=> {
652
+
vendor = "gnu";
653
+
version = "1.2";
654
+
update = "3";
655
+
}
656
+
```
657
+
658
+
:::
659
+
:::{.example}
660
+
## `lib.meta.cpePatchVersionInUpdateWithVendor` usage in derivations
661
+
662
+
```nix
663
+
mkDerivation rec {
664
+
version = "1.2.3";
665
+
# ...
666
+
meta = {
667
+
# ...
668
+
identifiers.cpeParts = lib.meta.cpePatchVersionInUpdateWithVendor "gnu" version;
669
+
};
670
+
}
671
+
```
672
+
673
+
:::
674
+
*/
675
+
cpePatchVersionInUpdateWithVendor =
676
+
vendor: version:
677
+
let
678
+
result = tryCPEPatchVersionInUpdateWithVendor vendor version;
679
+
in
680
+
if result.success then result.value else throw result.error;
681
}
+5
pkgs/applications/networking/sync/rsync/default.nix
+5
pkgs/applications/networking/sync/rsync/default.nix
+1
pkgs/by-name/he/hello/package.nix
+1
pkgs/by-name/he/hello/package.nix
+1
pkgs/development/compilers/gcc/common/meta.nix
+1
pkgs/development/compilers/gcc/common/meta.nix
+1
pkgs/development/compilers/gcc/default.nix
+1
pkgs/development/compilers/gcc/default.nix
+2
pkgs/development/compilers/llvm/common/common-let.nix
+2
pkgs/development/compilers/llvm/common/common-let.nix
+7
pkgs/os-specific/linux/kernel/manual-config.nix
+7
pkgs/os-specific/linux/kernel/manual-config.nix
···
546
]
547
++ lib.optional (lib.versionOlder version "5.19") "loongarch64-linux";
548
timeout = 14400; # 4 hours
549
+
identifiers.cpeParts = {
550
+
part = "o";
551
+
vendor = "linux";
552
+
product = "linux_kernel";
553
+
inherit version;
554
+
update = "*";
555
+
};
556
}
557
// extraMeta;
558
};
+10
pkgs/shells/bash/5.nix
+10
pkgs/shells/bash/5.nix
···
183
badPlatforms = [ lib.systems.inspect.patterns.isMinGW ];
184
maintainers = [ ];
185
mainProgram = "bash";
186
+
identifiers.cpeParts =
187
+
let
188
+
versionSplit = lib.split "p" version;
189
+
in
190
+
{
191
+
vendor = "gnu";
192
+
product = "bash";
193
+
version = lib.elemAt versionSplit 0;
194
+
update = lib.elemAt versionSplit 2;
195
+
};
196
};
197
}
+85
pkgs/stdenv/generic/check-meta.nix
+85
pkgs/stdenv/generic/check-meta.nix
···
11
inherit (lib)
12
all
13
attrNames
14
concatMapStrings
15
concatMapStringsSep
16
concatStrings
···
37
38
inherit (lib.meta)
39
availableOn
40
;
41
42
inherit (lib.generators)
···
438
# Used for the original location of the maintainer and team attributes to assist with pings.
439
maintainersPosition = any;
440
teamsPosition = any;
441
};
442
443
checkMetaAttr =
···
571
else
572
validYes;
573
574
# The meta attribute is passed in the resulting attribute set,
575
# but it's not part of the actual derivation, i.e., it's not
576
# passed to the builder and is not a dependency. But since we
···
634
# if you add a new maintainer or team attribute please ensure that this expectation is still met.
635
maintainers =
636
attrs.meta.maintainers or [ ] ++ concatMap (team: team.members or [ ]) attrs.meta.teams or [ ];
637
638
# Expose the result of the checks for everyone to see.
639
unfree = hasUnfreeLicense attrs;
···
11
inherit (lib)
12
all
13
attrNames
14
+
attrValues
15
concatMapStrings
16
concatMapStringsSep
17
concatStrings
···
38
39
inherit (lib.meta)
40
availableOn
41
+
cpeFullVersionWithVendor
42
+
tryCPEPatchVersionInUpdateWithVendor
43
;
44
45
inherit (lib.generators)
···
441
# Used for the original location of the maintainer and team attributes to assist with pings.
442
maintainersPosition = any;
443
teamsPosition = any;
444
+
445
+
identifiers = attrs;
446
};
447
448
checkMetaAttr =
···
576
else
577
validYes;
578
579
+
# Helper functions and declarations to handle identifiers, extracted to reduce allocations
580
+
hasAllCPEParts =
581
+
cpeParts:
582
+
let
583
+
values = attrValues cpeParts;
584
+
in
585
+
(length values == 11) && !any isNull values;
586
+
makeCPE =
587
+
{
588
+
part,
589
+
vendor,
590
+
product,
591
+
version,
592
+
update,
593
+
edition,
594
+
sw_edition,
595
+
target_sw,
596
+
target_hw,
597
+
language,
598
+
other,
599
+
}:
600
+
"cpe:2.3:${part}:${vendor}:${product}:${version}:${update}:${edition}:${sw_edition}:${target_sw}:${target_hw}:${language}:${other}";
601
+
possibleCPEPartsFuns = [
602
+
(vendor: version: {
603
+
success = true;
604
+
value = cpeFullVersionWithVendor vendor version;
605
+
})
606
+
tryCPEPatchVersionInUpdateWithVendor
607
+
];
608
+
609
# The meta attribute is passed in the resulting attribute set,
610
# but it's not part of the actual derivation, i.e., it's not
611
# passed to the builder and is not a dependency. But since we
···
669
# if you add a new maintainer or team attribute please ensure that this expectation is still met.
670
maintainers =
671
attrs.meta.maintainers or [ ] ++ concatMap (team: team.members or [ ]) attrs.meta.teams or [ ];
672
+
673
+
identifiers =
674
+
let
675
+
# nix-env writes a warning for each derivation that has null in its meta values, so
676
+
# fields without known values are removed from the result
677
+
defaultCPEParts = {
678
+
part = "a";
679
+
#vendor = null;
680
+
${if attrs ? pname then "product" else null} = attrs.pname;
681
+
#version = null;
682
+
#update = null;
683
+
edition = "*";
684
+
sw_edition = "*";
685
+
target_sw = "*";
686
+
target_hw = "*";
687
+
language = "*";
688
+
other = "*";
689
+
};
690
+
691
+
cpeParts = defaultCPEParts // attrs.meta.identifiers.cpeParts or { };
692
+
cpe = if hasAllCPEParts cpeParts then makeCPE cpeParts else null;
693
+
694
+
possibleCPEs =
695
+
if cpe != null then
696
+
[ { inherit cpeParts cpe; } ]
697
+
else if attrs.meta.identifiers.cpeParts.vendor or null == null || attrs.version or null == null then
698
+
[ ]
699
+
else
700
+
concatMap (
701
+
f:
702
+
let
703
+
result = f attrs.meta.identifiers.cpeParts.vendor attrs.version;
704
+
# Note that attrs.meta.identifiers.cpeParts at this point can include defaults with user overrides.
705
+
# Since we can't split them apart, user overrides don't apply to possibleCPEs.
706
+
guessedParts = cpeParts // result.value;
707
+
in
708
+
optional (result.success && hasAllCPEParts guessedParts) {
709
+
cpeParts = guessedParts;
710
+
cpe = makeCPE guessedParts;
711
+
}
712
+
) possibleCPEPartsFuns;
713
+
v1 = {
714
+
inherit cpeParts possibleCPEs;
715
+
${if cpe != null then "cpe" else null} = cpe;
716
+
};
717
+
in
718
+
v1
719
+
// {
720
+
inherit v1;
721
+
};
722
723
# Expose the result of the checks for everyone to see.
724
unfree = hasUnfreeLicense attrs;