-15

doc/redirects.json

··· 225 225 "sec-language-cosmic": [ 226 226 "index.html#sec-language-cosmic" 227 227 ], 228 228 - "sec-meta-identifiers": [ 229 229 - "index.html#sec-meta-identifiers" 230 230 - ], 231 231 - "sec-meta-identifiers-cpe": [ 232 232 - "index.html#sec-meta-identifiers-cpe" 233 233 - ], 234 228 "sec-modify-via-packageOverrides": [ 235 229 "index.html#sec-modify-via-packageOverrides" 236 230 ], ··· 627 621 ], 628 622 "typst-package-scope-and-usage": [ 629 623 "index.html#typst-package-scope-and-usage" 630 630 - ], 631 631 - "var-meta-identifiers-cpe": [ 632 632 - "index.html#var-meta-identifiers-cpe" 633 633 - ], 634 634 - "var-meta-identifiers-cpeParts": [ 635 635 - "index.html#var-meta-identifiers-cpeParts" 636 636 - ], 637 637 - "var-meta-identifiers-possibleCPEs": [ 638 638 - "index.html#var-meta-identifiers-possibleCPEs" 639 624 ], 640 625 "var-meta-teams": [ 641 626 "index.html#var-meta-teams"

-71

doc/stdenv/meta.chapter.md

··· 248 248 ### `lib.sourceTypes.binaryBytecode` {#lib.sourceTypes.binaryBytecode} 249 249 250 250 Code to run on a VM interpreter or JIT compiled into bytecode by a third party. This includes packages which download Java `.jar` files from another source. 251 251 - 252 252 - ## Software identifiers {#sec-meta-identifiers} 253 253 - 254 254 - Package's `meta.identifiers` attribute specifies information about software identifiers associated with this package. Software identifiers are used, for example: 255 255 - * to generate Software Bill of Materials (SBOM) that lists all components used to build the software, which can later be used to perform vulnerability or license analysis of the resulting software; 256 256 - * to lookup software in different vulnerability databases or report new vulnerabilities to them. 257 257 - 258 258 - Overriding the default `meta.identifiers` attribute is optional, but it is recommended to fill in pieces to help tools mentioned above get precise data. 259 259 - For example, we could get automatic notifications about potential vulnerabilities for users in the future. 260 260 - All identifiers specified in `meta.identifiers` are expected to be unambiguous and valid. 261 261 - 262 262 - `meta.identifiers` contains `v1` attribute which is an attribute set that guarantees backward compatibility of its constituents. Right now it contains copies of all other attributes in `meta.identifiers`. 263 263 - 264 264 - ### CPE {#sec-meta-identifiers-cpe} 265 265 - 266 266 - Common Platform Enumeration (CPE) is a specification maintained by NIST as part of the Security Content Automation Protocol (SCAP). It is used to identify software in National Vulnerabilities Database (NVD, https://nvd.nist.gov) and other vulnerability databases. 267 267 - 268 268 - Current version of CPE 2.3 consists of 13 parts: 269 269 - 270 270 - ``` 271 271 - cpe:2.3:a:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other> 272 272 - ``` 273 273 - 274 274 - Some of them are as follows: 275 275 - 276 276 - * *CPE version* - current version of CPE is `2.3` 277 277 - * *part* - usually in Nixpkgs `a` for "application", can also be `o` for "operating system" or `h` for "hardware" 278 278 - * *vendor* - can point to the source of the package, or to Nixpkgs itself 279 279 - * *product* - name of the package 280 280 - * *version* - version of the package 281 281 - * *update* - name of the latest update, can be a patch version for semantically versioned packages 282 282 - * *edition* - any additional specification about the version 283 283 - 284 284 - You can find information about all of these attributes in the [official specification](https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe/naming) (heading 5.3.3, pages 11-13). 285 285 - 286 286 - Any fields that don't have a value are set to either `-` if the value is not available or `*` when the field can match any value. 287 287 - 288 288 - For example, for glibc 2.40.1 CPE would be `cpe:2.3:a:gnu:glibc:2.40:1:*:*:*:*:*:*`. 289 289 - 290 290 - #### `meta.identifiers.cpeParts` {#var-meta-identifiers-cpeParts} 291 291 - 292 292 - This attribute contains an attribute set of all parts of the CPE for this package. Most of the parts default to `*` (match any value), with some exceptions: 293 293 - 294 294 - * `part` defaults to `a` (application), can also be set to `o` for operating systems, for example, Linux kernel, or to `h` for hardware 295 295 - * `vendor` cannot be deduced from other sources, so it must be specified by the package author 296 296 - * `product` defaults to provided derivation's `pname` attribute and must be provided explicitly if `pname` is missing 297 297 - * `version` and `update` have no defaults and should be specified explicitly or using helper functions, when missing, `cpe` attribute will be empty, and all possible guesses using helper functions will be in `possibleCPEs` attribute. 298 298 - 299 299 - It is up to the package author to make sure all parts are correct and match expected values in [NVD dictionary](https://nvd.nist.gov/products/cpe). Unknown values can be skipped, which would leave them with the default value of `*`. 300 300 - 301 301 - Following functions help with filling out `version` and `update` fields: 302 302 - 303 303 - * [`lib.meta.cpeFullVersionWithVendor`](#function-library-lib.meta.cpeFullVersionWithVendor) 304 304 - * [`lib.meta.cpePatchVersionInUpdateWithVendor`](#function-library-lib.meta.cpePatchVersionInUpdateWithVendor) 305 305 - 306 306 - For many packages to make CPE available it should be enough to specify only: 307 307 - 308 308 - ```nix 309 309 - { 310 310 - # ... 311 311 - meta.identifiers.cpeParts = lib.meta.cpePatchVersionInUpdateWithVendor vendor version; 312 312 - } 313 313 - ``` 314 314 - 315 315 - #### `meta.identifiers.cpe` {#var-meta-identifiers-cpe} 316 316 - 317 317 - A readonly attribute that concatenates all CPE parts in one string. 318 318 - 319 319 - #### `meta.identifiers.possibleCPEs` {#var-meta-identifiers-possibleCPEs} 320 320 - 321 321 - A readonly attribute containing the list of guesses for what CPE for this package can look like. It includes all variants of version handling mentioned above. Each item is an attrset with attributes `cpeParts` and `cpe` for each guess.

+1 -188

lib/meta.nix

··· 15 15 assertMsg 16 16 ; 17 17 inherit (lib.attrsets) mapAttrs' filterAttrs; 18 18 - inherit (builtins) 19 19 - isString 20 20 - match 21 21 - typeOf 22 22 - elemAt 23 23 - ; 18 18 + inherit (builtins) isString match typeOf; 24 19 25 20 in 26 21 rec { ··· 489 484 assert assertMsg (match ".*/.*" y == null) 490 485 "lib.meta.getExe': The second argument \"${y}\" is a nested path with a \"/\" character, but it should just be the name of the executable instead."; 491 486 "${getBin x}/bin/${y}"; 492 492 - 493 493 - /** 494 494 - Generate [CPE parts](#var-meta-identifiers-cpeParts) from inputs. Copies `vendor` and `version` to the output, and sets `update` to `*`. 495 495 - 496 496 - # Inputs 497 497 - 498 498 - `vendor` 499 499 - 500 500 - : package's vendor 501 501 - 502 502 - `version` 503 503 - 504 504 - : package's version 505 505 - 506 506 - # Type 507 507 - 508 508 - ``` 509 509 - cpeFullVersionWithVendor :: string -> string -> AttrSet 510 510 - ``` 511 511 - 512 512 - # Examples 513 513 - :::{.example} 514 514 - ## `lib.meta.cpeFullVersionWithVendor` usage example 515 515 - 516 516 - ```nix 517 517 - lib.meta.cpeFullVersionWithVendor "gnu" "1.2.3" 518 518 - => { 519 519 - vendor = "gnu"; 520 520 - version = "1.2.3"; 521 521 - update = "*"; 522 522 - } 523 523 - ``` 524 524 - 525 525 - ::: 526 526 - :::{.example} 527 527 - ## `lib.meta.cpeFullVersionWithVendor` usage in derivations 528 528 - 529 529 - ```nix 530 530 - mkDerivation rec { 531 531 - version = "1.2.3"; 532 532 - # ... 533 533 - meta = { 534 534 - # ... 535 535 - identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "gnu" version; 536 536 - }; 537 537 - } 538 538 - ``` 539 539 - ::: 540 540 - */ 541 541 - cpeFullVersionWithVendor = vendor: version: { 542 542 - inherit vendor version; 543 543 - update = "*"; 544 544 - }; 545 545 - 546 546 - /** 547 547 - Alternate version of [`lib.meta.cpePatchVersionInUpdateWithVendor`](#function-library-lib.meta.cpePatchVersionInUpdateWithVendor). 548 548 - If `cpePatchVersionInUpdateWithVendor` succeeds, returns an attribute set with `success` set to `true` and `value` set to the result. 549 549 - Otherwise, `success` is set to `false` and `error` is set to the string representation of the error. 550 550 - 551 551 - # Inputs 552 552 - 553 553 - `vendor` 554 554 - 555 555 - : package's vendor 556 556 - 557 557 - `version` 558 558 - 559 559 - : package's version 560 560 - 561 561 - # Type 562 562 - 563 563 - ``` 564 564 - tryCPEPatchVersionInUpdateWithVendor :: string -> string -> AttrSet 565 565 - ``` 566 566 - 567 567 - # Examples 568 568 - :::{.example} 569 569 - ## `lib.meta.tryCPEPatchVersionInUpdateWithVendor` usage example 570 570 - 571 571 - ```nix 572 572 - lib.meta.tryCPEPatchVersionInUpdateWithVendor "gnu" "1.2.3" 573 573 - => { 574 574 - success = true; 575 575 - value = { 576 576 - vendor = "gnu"; 577 577 - version = "1.2"; 578 578 - update = "3"; 579 579 - }; 580 580 - } 581 581 - ``` 582 582 - 583 583 - ::: 584 584 - :::{.example} 585 585 - ## `lib.meta.cpePatchVersionInUpdateWithVendor` error example 586 586 - 587 587 - ```nix 588 588 - lib.meta.tryCPEPatchVersionInUpdateWithVendor "gnu" "5.3p0" 589 589 - => { 590 590 - success = false; 591 591 - error = "version 5.3p0 doesn't match regex `([0-9]+\\.[0-9]+)\\.([0-9]+)`"; 592 592 - } 593 593 - ``` 594 594 - 595 595 - ::: 596 596 - */ 597 597 - tryCPEPatchVersionInUpdateWithVendor = 598 598 - vendor: version: 599 599 - let 600 600 - regex = "([0-9]+\\.[0-9]+)\\.([0-9]+)"; 601 601 - # we have to call toString here in case version is an attrset with __toString attribute 602 602 - versionMatch = builtins.match regex (toString version); 603 603 - in 604 604 - if versionMatch == null then 605 605 - { 606 606 - success = false; 607 607 - error = "version ${version} doesn't match regex `${regex}`"; 608 608 - } 609 609 - else 610 610 - { 611 611 - success = true; 612 612 - value = { 613 613 - inherit vendor; 614 614 - version = elemAt versionMatch 0; 615 615 - update = elemAt versionMatch 1; 616 616 - }; 617 617 - }; 618 618 - 619 619 - /** 620 620 - Generate [CPE parts](#var-meta-identifiers-cpeParts) from inputs. Copies `vendor` to the result. When `version` matches `X.Y.Z` where all parts are numerical, sets `version` and `update` fields to `X.Y` and `Z`. Throws an error if the version doesn't match the expected template. 621 621 - 622 622 - # Inputs 623 623 - 624 624 - `vendor` 625 625 - 626 626 - : package's vendor 627 627 - 628 628 - `version` 629 629 - 630 630 - : package's version 631 631 - 632 632 - # Type 633 633 - 634 634 - ``` 635 635 - cpePatchVersionInUpdateWithVendor :: string -> string -> AttrSet 636 636 - ``` 637 637 - 638 638 - # Examples 639 639 - :::{.example} 640 640 - ## `lib.meta.cpePatchVersionInUpdateWithVendor` usage example 641 641 - 642 642 - ```nix 643 643 - lib.meta.cpePatchVersionInUpdateWithVendor "gnu" "1.2.3" 644 644 - => { 645 645 - vendor = "gnu"; 646 646 - version = "1.2"; 647 647 - update = "3"; 648 648 - } 649 649 - ``` 650 650 - 651 651 - ::: 652 652 - :::{.example} 653 653 - ## `lib.meta.cpePatchVersionInUpdateWithVendor` usage in derivations 654 654 - 655 655 - ```nix 656 656 - mkDerivation rec { 657 657 - version = "1.2.3"; 658 658 - # ... 659 659 - meta = { 660 660 - # ... 661 661 - identifiers.cpeParts = lib.meta.cpePatchVersionInUpdateWithVendor "gnu" version; 662 662 - }; 663 663 - } 664 664 - ``` 665 665 - 666 666 - ::: 667 667 - */ 668 668 - cpePatchVersionInUpdateWithVendor = 669 669 - vendor: version: 670 670 - let 671 671 - result = tryCPEPatchVersionInUpdateWithVendor vendor version; 672 672 - in 673 673 - if result.success then result.value else throw result.error; 674 487 }

-5

pkgs/applications/networking/sync/rsync/default.nix

··· 85 85 ivan 86 86 ]; 87 87 platforms = platforms.unix; 88 88 - identifiers.cpeParts = { 89 89 - vendor = "samba"; 90 90 - inherit version; 91 91 - update = "-"; 92 92 - }; 93 88 }; 94 89 }

-1

pkgs/by-name/he/hello/package.nix

··· 55 55 maintainers = with lib.maintainers; [ stv0g ]; 56 56 mainProgram = "hello"; 57 57 platforms = lib.platforms.all; 58 58 - identifiers.cpeParts.vendor = "gnu"; 59 58 }; 60 59 })

-1

pkgs/development/compilers/gcc/common/meta.nix

··· 30 30 teams = [ teams.gcc ]; 31 31 mainProgram = "${targetPrefix}gcc"; 32 32 33 33 - identifiers.cpeParts.vendor = "gnu"; 34 33 }

-1

pkgs/development/compilers/gcc/default.nix

··· 419 419 platforms 420 420 teams 421 421 mainProgram 422 422 - identifiers 423 422 ; 424 423 }; 425 424 }

-2

pkgs/development/compilers/llvm/common/common-let.nix

··· 34 34 ++ lib.optionals (lib.versionAtLeast release_version "7") lib.platforms.riscv 35 35 ++ lib.optionals (lib.versionAtLeast release_version "14") lib.platforms.m68k 36 36 ++ lib.optionals (lib.versionAtLeast release_version "16") lib.platforms.loongarch64; 37 37 - 38 38 - identifiers.cpeParts.vendor = "llvm"; 39 37 }; 40 38 41 39 releaseInfo =

-7

pkgs/os-specific/linux/kernel/manual-config.nix

··· 540 540 ] 541 541 ++ lib.optional (lib.versionOlder version "5.19") "loongarch64-linux"; 542 542 timeout = 14400; # 4 hours 543 543 - identifiers.cpeParts = { 544 544 - part = "o"; 545 545 - vendor = "linux"; 546 546 - product = "linux_kernel"; 547 547 - inherit version; 548 548 - update = "*"; 549 549 - }; 550 543 } 551 544 // extraMeta; 552 545 };

-10

pkgs/shells/bash/5.nix

··· 183 183 badPlatforms = [ lib.systems.inspect.patterns.isMinGW ]; 184 184 maintainers = [ ]; 185 185 mainProgram = "bash"; 186 186 - identifiers.cpeParts = 187 187 - let 188 188 - versionSplit = lib.split "p" version; 189 189 - in 190 190 - { 191 191 - vendor = "gnu"; 192 192 - product = "bash"; 193 193 - version = lib.elemAt versionSplit 0; 194 194 - update = lib.elemAt versionSplit 2; 195 195 - }; 196 186 }; 197 187 }

-63

pkgs/stdenv/generic/check-meta.nix

··· 11 11 inherit (lib) 12 12 all 13 13 attrNames 14 14 - attrValues 15 14 concatMapStrings 16 15 concatMapStringsSep 17 16 concatStrings ··· 38 37 39 38 inherit (lib.meta) 40 39 availableOn 41 41 - cpeFullVersionWithVendor 42 42 - tryCPEPatchVersionInUpdateWithVendor 43 40 ; 44 41 45 42 inherit (lib.generators) ··· 440 437 # Used for the original location of the maintainer and team attributes to assist with pings. 441 438 maintainersPosition = any; 442 439 teamsPosition = any; 443 443 - 444 444 - identifiers = attrs; 445 440 }; 446 441 447 442 checkMetaAttr = ··· 575 570 else 576 571 validYes; 577 572 578 578 - # Helper functions and declarations to handle identifiers, extracted to reduce allocations 579 579 - hasAllCPEParts = cpeParts: !any isNull (attrValues cpeParts); 580 580 - makeCPE = 581 581 - cpeParts: 582 582 - "cpe:2.3:${cpeParts.part}:${cpeParts.vendor}:${cpeParts.product}:${cpeParts.version}:${cpeParts.update}:${cpeParts.edition}:${cpeParts.sw_edition}:${cpeParts.target_sw}:${cpeParts.target_hw}:${cpeParts.language}:${cpeParts.other}"; 583 583 - possibleCPEPartsFuns = [ 584 584 - (vendor: version: { 585 585 - success = true; 586 586 - value = cpeFullVersionWithVendor vendor version; 587 587 - }) 588 588 - tryCPEPatchVersionInUpdateWithVendor 589 589 - ]; 590 590 - 591 573 # The meta attribute is passed in the resulting attribute set, 592 574 # but it's not part of the actual derivation, i.e., it's not 593 575 # passed to the builder and is not a dependency. But since we ··· 651 633 # if you add a new maintainer or team attribute please ensure that this expectation is still met. 652 634 maintainers = 653 635 attrs.meta.maintainers or [ ] ++ concatMap (team: team.members or [ ]) attrs.meta.teams or [ ]; 654 654 - 655 655 - identifiers = 656 656 - let 657 657 - defaultCPEParts = { 658 658 - part = "a"; 659 659 - vendor = null; 660 660 - product = attrs.pname or null; 661 661 - version = null; 662 662 - update = null; 663 663 - edition = "*"; 664 664 - sw_edition = "*"; 665 665 - target_sw = "*"; 666 666 - target_hw = "*"; 667 667 - language = "*"; 668 668 - other = "*"; 669 669 - }; 670 670 - 671 671 - cpeParts = defaultCPEParts // attrs.meta.identifiers.cpeParts or { }; 672 672 - cpe = if hasAllCPEParts cpeParts then makeCPE cpeParts else null; 673 673 - 674 674 - possibleCPEs = 675 675 - if cpe != null then 676 676 - [ { inherit cpeParts cpe; } ] 677 677 - else if attrs.meta.identifiers.cpeParts.vendor or null == null || attrs.version or null == null then 678 678 - [ ] 679 679 - else 680 680 - concatMap ( 681 681 - f: 682 682 - let 683 683 - result = f attrs.meta.identifiers.cpeParts.vendor attrs.version; 684 684 - # Note that attrs.meta.identifiers.cpeParts at this point can include defaults with user overrides. 685 685 - # Since we can't split them apart, user overrides don't apply to possibleCPEs. 686 686 - guessedParts = cpeParts // result.value; 687 687 - in 688 688 - optional (result.success && (hasAllCPEParts guessedParts)) { 689 689 - cpeParts = guessedParts; 690 690 - cpe = (makeCPE guessedParts); 691 691 - } 692 692 - ) possibleCPEPartsFuns; 693 693 - v1 = { inherit cpeParts cpe possibleCPEs; }; 694 694 - in 695 695 - v1 696 696 - // { 697 697 - inherit v1; 698 698 - }; 699 636 700 637 # Expose the result of the checks for everyone to see. 701 638 unfree = hasUnfreeLicense attrs;