Some packages fail to have meta information extracted

[henrirosten]

I notice some packages fail to have the nix meta extracted, while the package has metadata in nixpkgs.

There's a reproducer here to test this with the below example:

(1) Generate an sbom for pkgs.git:

nix build github:henrirosten/bombon/test-nix-meta#sbom-git

One of the dependencies in the resulting sbom is mailcap with the following fields:

{
  "type": "application",
  "bom-ref": "1jj2lq1kzys105rqq5n1a2r4v59arz43-mailcap-2.1.54",
  "name": "mailcap-2.1.54",
  "version": "",
  "scope": "required",
  "purl": "pkg:nix/mailcap-2.1.54"
},

Notice the fields from nix meta are missing.

(2) However, if you generate an sbom for pkgs.mailcap directly:

nix build github:henrirosten/bombon/test-nix-meta#sbom-mailcap

The meta fields are included in the resulting sbom:

 "type": "application",
 "bom-ref": "1jj2lq1kzys105rqq5n1a2r4v59arz43-mailcap-2.1.54",
 "name": "mailcap",
 "version": "2.1.54",
 "description": "Helper application and MIME type associations for file types",
 "scope": "required",
 "licenses": [
   {
     "license": {
       "id": "MIT"
     }
   }
 ],
 "purl": "pkg:nix/mailcap@2.1.54",
 "externalReferences": [
   {
     "type": "vcs",
     "url": "https://releases.pagure.org/mailcap/mailcap-2.1.54.tar.xz",
     "hashes": [
       {
         "alg": "SHA-256",
         "content": "9a4032202fc0d2b0858f41b167389a9cfe52ac24ec282e6479b90765319de113"
       }
     ]
   },
   {
     "type": "website",
     "url": "https://pagure.io/mailcap"
   }
 ]

I see the same issue occurs on many other packages as well, let me know if you need more examples.

[oneingan]

I was hit by this issue, any hints or workaround?

Seems related to this: NixOS/nixpkgs#420575

[nikstur]

@henrirosten thanks for reporting this!

I haven't had time to look into this. Any more investigation is appreciated!

[nikstur]

This is another instance of a dependency "hiding" in runtime dependencies. See this issue: #74

Mailcap is a dependency of Python, but only in it's string context. See https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/interpreters/python/cpython/default.nix#L431

[henrirosten]

@nikstur:

This is another instance of a dependency "hiding" in runtime dependencies. See this issue: #74

I was trying to put some numbers as to how big a problem this is by generating an sbom including only the runtime dependencies from an example NixOS system using both bombon and sbomnix. I then compared the two sboms counting how many system dependency packages include nix meta information in each sbom.

Bottom line:

• I see bombon sbom included nix meta in 18% of the runtime dependency packages in the example NixOS system (202/1104)
• I see sbomnix sbom included nix meta in 53% of the runtime dependency packages in the example NixOS system (871/1637)

The full list of example NixOS system runtime dependency packages that appear to not include the nix meta in the bombon output is available here: https://gist.github.com/henrirosten/6811796adb28216b63bb9583364c170a#file-gistfile1-txt-L62

I wonder if all of them are similar cases of dependency "hiding" you mentioned above?

You can repeat these results using my example NixOS system by running:

nix run github:henrirosten/dotfiles/runtime-meta-comparison#run-compare-runtime-meta