From 7fa1a0614bca2605201b010385a20ea0f789aefd Mon Sep 17 00:00:00 2001 From: Henri Rosten Date: Thu, 30 Nov 2023 16:13:28 +0200 Subject: [PATCH] Update documentation to match recent changes Signed-off-by: Henri Rosten --- README.md | 64 +- doc/img/c_hello_world_buildtime_d2.svg | 1176 ++++++++++++++++++++++++ doc/img/c_hello_world_runtime.svg | 72 ++ doc/nix_outdated.md | 53 +- doc/nixgraph.md | 13 +- doc/replogoy_cli.md | 78 +- doc/vulnxscan.md | 65 +- 7 files changed, 1359 insertions(+), 162 deletions(-) create mode 100644 doc/img/c_hello_world_buildtime_d2.svg create mode 100644 doc/img/c_hello_world_runtime.svg diff --git a/README.md b/README.md index 9b6e615..0a08e53 100644 --- a/README.md +++ b/README.md 
@@ -6,17 +6,18 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # sbomnix -`sbomnix` is a utility that generates SBOMs given [Nix](https://nixos.org/) derivations or out paths. +This repository is home to various command line tools and Python libraries that aim to help with software supply chain challenges: +- [`sbomnix`](#generate-sbom-based-on-derivation-file-or-out-path) is a utility that generates SBOMs given [Nix](https://nixos.org/) derivation or out path. +- [`nixgraph`](./doc/nixgraph.md) helps query and visualize dependency graphs for [Nix](https://nixos.org/) derivation or out path. +- [`vulnxscan`](./doc/vulnxscan/vulnxscan.md) is a vulnerability scanner demonstrating the usage of SBOMs in running vulnerability scans. +- [`repology_cli`](./doc/replogoy_cli.md) and [`repology_cve`](./doc/replogoy_cli.md#repology-cve-search) are command line clients to [repology.org](https://repology.org/). +- [`nix_outdated`](./doc/nix_outdated.md) is a utility that finds outdated nix dependencies for given out path, listing the outdated packages in priority order based on how many other packages depend on the given outdated package. -In addition to `sbomnix` this repository is home to [nixgraph](./doc/nixgraph.md) - a Python library and command line utility for querying and visualizing dependency graphs for [Nix](https://nixos.org/) Packages. +For an example of how to use the tooling provided in this repository to automate daily vulnerability scans for a nix flake project, see: [ghafscan](https://github.com/tiiuae/ghafscan). -For a demonstration of how to use `sbomnix` generated SBOM in automating vulnerability scans, see: [vulnxscan](scripts/vulnxscan/README.md). +The [CycloneDX](https://cyclonedx.org/) and [SPDX](https://spdx.github.io/spdx-spec/v2.3/) SBOMs for each release of sbomnix tooling is available in the [release assets](https://github.com/tiiuae/sbomnix/releases/latest). 
-For an example of how to use the tooling provided in this repository to automate vulnerability scanning for a nix flake project, see: [ghafscan](https://github.com/tiiuae/ghafscan). - -The [CycloneDX](https://cyclonedx.org/) and [SPDX](https://spdx.github.io/spdx-spec/v2.3/) SBOMs for each release of `sbomnix` itself are available in the [release assets](https://github.com/tiiuae/sbomnix/releases/latest). - -`sbomnix` and other tools in this repository originate from [Ghaf Framework](https://github.com/tiiuae/ghaf). +All the tools in this repository originate from [Ghaf Framework](https://github.com/tiiuae/ghaf). Table of Contents ================= @@ -24,6 +25,9 @@ Table of Contents * [Getting Started](#getting-started) * [Running as Nix Flake](#running-as-nix-flake) * [Running from Nix Development Shell](#running-from-nix-development-shell) +* [Buildtime vs Runtime Dependencies](#buildtime-vs-runtime-dependencies) + * [Buildtime Dependencies](#buildtime-dependencies) + * [Runtime Dependencies](#runtime-dependencies) * [Usage Examples](#usage-examples) * [Generate SBOM Based on Derivation File or Out-path](#generate-sbom-based-on-derivation-file-or-out-path) * [Generate SBOM Including Meta Information](#generate-sbom-including-meta-information) @@ -51,8 +55,6 @@ $ git clone https://github.com/tiiuae/sbomnix $ cd sbomnix $ nix run .#sbomnix -- --help ``` -Similarly, you can run `nixgraph` with `nix run github:tiiuae/sbomnix#nixgraph -- --help` - See the full list of supported flake targets by running `nix flake show`. ### Running from Nix Development Shell 
@@ -74,18 +76,46 @@ $ nix-shell Keep in mind this doesn't add the various entrypoint binaries to your `PATH` directly. They are produced during the setuptools build. -While you're in the devshell, you can run run `sbomnix` via the entrypoint file +While you're in the devshell, you can run various command line tools via the entrypoint files directly: ```bash -$ sbomnix/main.py --help +# sbomnix: +$ src/sbomnix/main.py --help + +# nixgraph: +$ src/nixgraph/main.py --help + +# vulnxscan: +$ src/vulnxscan/vulnxscan_cli.py --help + +# repology_cli: +$ src/repology/repology_cli.py --help + +# repology_cve: +$ src/repology/repology_cve.py --help + +# nix_outdated: +$ src/nixupdate/nix_outdated.py --help ``` +## Buildtime vs Runtime Dependencies +#### Buildtime Dependencies +[Closure](https://nixos.org/manual/nix/stable/glossary.html#gloss-closure) of a nix store path is a list of all the dependent store paths, recursively, referenced by the target store path. For a package, the closure of it's derivation lists all the buildtime dependencies. As an example, for a simple C program, the buildtime dependencies include packages to bootstrap gcc, stdenv, glibc, bash, etc. on the target architecture. Even a simple hello-world C program typically includes over 150 packages in its list of buildtime dependencies. It's important to note that generating buildtime dependencies in Nix does not require building the target. + +For reference, following is a link to graph from an example hello-world C program that includes the first two layers of buildtime dependencies: direct dependencies and the first level of transitive dependencies: [C hello-world buildtime, depth=2](doc/img/c_hello_world_buildtime_d2.svg). + +#### Runtime Dependencies +[Runtime dependencies](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-why-depends.html#description) are a subset of buildtime dependencies. Nix automatically determines the runtime dependencies by scanning the generated output paths (i.e. 
build output) for the buildtime dependencies' store paths. This means nix needs to build the target output first, before runtime dependencies can be determined. For reference, below is a complete runtime dependency graph of an example hello-world C program: + + + + ## Usage Examples The usage examples work for both the built package, as well as inside the devshell. Keep in mind inside the devshell, calls to `sbomnix` need to be replaced with -`sbomnix/main.py` (and similar for other entrypoints). +`src/sbomnix/main.py` (and similar for other entrypoints). In the below examples, we use Nix package `wget` as an example target. To print `wget` out-path on your local system, try: @@ -95,7 +125,8 @@ $ nix eval -f '' 'wget.outPath' ``` #### Generate SBOM Based on Derivation File or Out-path -By default `sbomnix` scans the given target and generates an SBOM including the runtime dependencies. Notice that determining the target runtime dependencies requires realising (building) the target. This stems from the way Nix determines potential [runtime dependencies](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-why-depends.html#description): +By default `sbomnix` scans the given target and generates an SBOM including the runtime dependencies. +Keep in mind that determining the target runtime dependencies requires building the target. ```bash $ sbomnix /nix/store/8nbv1drmvh588pwiwsxa47iprzlgwx6j-wget-1.21.3 ... 
@@ -117,7 +148,8 @@ $ sbomnix /nix/store/8nbv1drmvh588pwiwsxa47iprzlgwx6j-wget-1.21.3 --meta meta.js #### Generate SBOM Including Buildtime Dependencies By default `sbomnix` scans the given target for runtime dependencies. You can tell sbomnix to determine the buildtime dependencies using the `--type` argument. -Acceptable values for `--type` are `runtime, buildtime, both`. Below example generates SBOM including buildtime dependencies. Notice that determining buildtime dependencies does not require realising (building) the target. +Acceptable values for `--type` are `runtime, buildtime, both`. Below example generates SBOM including buildtime dependencies. +Notice: as opposed to runtime dependencies, determining the buildtime dependencies does not require building the target. ```bash $ sbomnix /nix/store/8nbv1drmvh588pwiwsxa47iprzlgwx6j-wget-1.21.3 --meta meta.json --type=buildtime ``` @@ -141,7 +173,7 @@ Which outputs the dependency graph as an image (with maxdepth 2): For more examples on querying and visualizing the package dependencies, see: [nixgraph](./doc/nixgraph.md). ## Contribute -Any pull requests, suggestions, and error reports are welcome. +Any pull requests, questions and error reports are welcome. To start development, we recommend using Nix flakes development shell: ```bash $ git clone https://github.com/tiiuae/sbomnix diff --git a/doc/img/c_hello_world_buildtime_d2.svg b/doc/img/c_hello_world_buildtime_d2.svg new file mode 100644 index 0000000..e6475cb --- /dev/null +++ b/doc/img/c_hello_world_buildtime_d2.svg 
@@ -0,0 +1,1176 @@ + + + + + + + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv + +bash-5.2-p15.drv + + + +/nix/store/5jrd75v747s76s16zxk59384xfcjqn58-bash-5.2.tar.gz.drv + +bash-5.2.tar.gz.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/5jrd75v747s76s16zxk59384xfcjqn58-bash-5.2.tar.gz.drv + + + + + +/nix/store/nb8wd3xgfp34vic7xw7rkb186pq7hwfh-bash52-001.drv + +bash52-001.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/nb8wd3xgfp34vic7xw7rkb186pq7hwfh-bash52-001.drv + + + + + +/nix/store/j2zlvksmwzs79zvsqmz45jn39zsyr31f-bash52-002.drv + +bash52-002.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/j2zlvksmwzs79zvsqmz45jn39zsyr31f-bash52-002.drv + + + + + +/nix/store/6k05dfl68y2m382xd5hanfvj7j8c73p1-bash52-003.drv + +bash52-003.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/6k05dfl68y2m382xd5hanfvj7j8c73p1-bash52-003.drv + + + + + +/nix/store/pk6bdyws4n421ak7mwvk5nkg0li7cvq2-bash52-004.drv + +bash52-004.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/pk6bdyws4n421ak7mwvk5nkg0li7cvq2-bash52-004.drv + + + + + +/nix/store/a68j9bys24cr3m1bixy4bz92q27bmx7k-bash52-005.drv + +bash52-005.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/a68j9bys24cr3m1bixy4bz92q27bmx7k-bash52-005.drv + + + + + +/nix/store/1rfn1ylygzdbca5b54qjs6n4vnnsx85f-bash52-006.drv + +bash52-006.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/1rfn1ylygzdbca5b54qjs6n4vnnsx85f-bash52-006.drv + + + + + +/nix/store/rz74q7y5r38in9zdzq9r2brf5yh6lpy5-bash52-007.drv + +bash52-007.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/rz74q7y5r38in9zdzq9r2brf5yh6lpy5-bash52-007.drv + + + + + +/nix/store/f9hs49y4q8bvg4ffdiycbafd5r1gb13r-bash52-008.drv + +bash52-008.drv + + + 
+/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/f9hs49y4q8bvg4ffdiycbafd5r1gb13r-bash52-008.drv + + + + + +/nix/store/6xwbrn3wdxwyphpj64rphhms41vxvqxb-bash52-009.drv + +bash52-009.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/6xwbrn3wdxwyphpj64rphhms41vxvqxb-bash52-009.drv + + + + + +/nix/store/l81h2pb34h1hrgf8hgayzl28zzmqnfm0-bash52-010.drv + +bash52-010.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/l81h2pb34h1hrgf8hgayzl28zzmqnfm0-bash52-010.drv + + + + + +/nix/store/nsw82ybp208qkgs87s5b2h74978lrgd8-bash52-011.drv + +bash52-011.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/nsw82ybp208qkgs87s5b2h74978lrgd8-bash52-011.drv + + + + + +/nix/store/ag9cnvb4pcgcj0rbkzva6qdz54fnr8fg-bash52-012.drv + +bash52-012.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/ag9cnvb4pcgcj0rbkzva6qdz54fnr8fg-bash52-012.drv + + + + + +/nix/store/kssqadrh4044p2na6fclnyh6pv3r9l5s-bash52-013.drv + +bash52-013.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/kssqadrh4044p2na6fclnyh6pv3r9l5s-bash52-013.drv + + + + + +/nix/store/7j0r588ymbv6dq8c98wvzklcsk42wvpb-bash52-014.drv + +bash52-014.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/7j0r588ymbv6dq8c98wvzklcsk42wvpb-bash52-014.drv + + + + + +/nix/store/ah8jsm934168mfnmkf54fh0ms38k6nsm-bash52-015.drv + +bash52-015.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/ah8jsm934168mfnmkf54fh0ms38k6nsm-bash52-015.drv + + + + + +/nix/store/5ai0spxrfjsagqw8c9nnnyg0g02dr7jz-bison-3.8.2.drv + +bison-3.8.2.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/5ai0spxrfjsagqw8c9nnnyg0g02dr7jz-bison-3.8.2.drv + + + + + +/nix/store/ybsv1xvwj1i2cyxg72lgmx5kcy96bhqy-bootstrap-stage4-gcc-wrapper-12.2.0.drv + +bootstrap-stage4-gcc-wrapper-12.2.0.drv + + + 
+/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/ybsv1xvwj1i2cyxg72lgmx5kcy96bhqy-bootstrap-stage4-gcc-wrapper-12.2.0.drv + + + + + +/nix/store/ain2q3jflg2zdavjficaij9d3q0a6vy6-bootstrap-stage4-stdenv-linux.drv + +bootstrap-stage4-stdenv-linux.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/ain2q3jflg2zdavjficaij9d3q0a6vy6-bootstrap-stage4-stdenv-linux.drv + + + + + +/nix/store/ks6kir3vky8mb8zqpfhchwasn0rv1ix6-bootstrap-tools.drv + +bootstrap-tools.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/ks6kir3vky8mb8zqpfhchwasn0rv1ix6-bootstrap-tools.drv + + + + + +/nix/store/6xg259477c90a229xwmb53pdfkn6ig3g-default-builder.sh + +default-builder.sh + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/6xg259477c90a229xwmb53pdfkn6ig3g-default-builder.sh + + + + + +/nix/store/sjlm8agj6m3cpglc5v11d40cj7j6kin2-fix-static.patch.drv + +fix-static.patch.drv + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/sjlm8agj6m3cpglc5v11d40cj7j6kin2-fix-static.patch.drv + + + + + +/nix/store/yq0lz1byj4v2rym2ng23a3nj4n6pvqdj-pgrp-pipe-5.patch + +pgrp-pipe-5.patch + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/yq0lz1byj4v2rym2ng23a3nj4n6pvqdj-pgrp-pipe-5.patch + + + + + +/nix/store/22y3il65vigclb1384qjad50wybh1vsw-separate-debug-info.sh + +separate-debug-info.sh + + + +/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv->/nix/store/22y3il65vigclb1384qjad50wybh1vsw-separate-debug-info.sh + + + + + +/nix/store/wwh3s6nzpsi6khcf77immm6mh286ng5h-nix-hello-0.0.1.drv + +nix-hello-0.0.1.drv + + + +/nix/store/wwh3s6nzpsi6khcf77immm6mh286ng5h-nix-hello-0.0.1.drv->/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv + + + + + +/nix/store/wwh3s6nzpsi6khcf77immm6mh286ng5h-nix-hello-0.0.1.drv->/nix/store/6xg259477c90a229xwmb53pdfkn6ig3g-default-builder.sh + + + + + 
+/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv + +glibc-2.37-45.drv + + + +/nix/store/wwh3s6nzpsi6khcf77immm6mh286ng5h-nix-hello-0.0.1.drv->/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv + + + + + +/nix/store/x6bdnxqaqin9p7sd0l3aihqllxjhngv6-src + +src + + + +/nix/store/wwh3s6nzpsi6khcf77immm6mh286ng5h-nix-hello-0.0.1.drv->/nix/store/x6bdnxqaqin9p7sd0l3aihqllxjhngv6-src + + + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv + +stdenv-linux.drv + + + +/nix/store/wwh3s6nzpsi6khcf77immm6mh286ng5h-nix-hello-0.0.1.drv->/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv + + + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/5ai0spxrfjsagqw8c9nnnyg0g02dr7jz-bison-3.8.2.drv + + + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/ks6kir3vky8mb8zqpfhchwasn0rv1ix6-bootstrap-tools.drv + + + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/6xg259477c90a229xwmb53pdfkn6ig3g-default-builder.sh + + + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/22y3il65vigclb1384qjad50wybh1vsw-separate-debug-info.sh + + + + + +/nix/store/k06glk8f3dxj3k0m9b9y7ph2nbnd1ns0-0001-Revert-Remove-all-usage-of-BASH-or-BASH-in-installed.patch + +0001-Revert-Remove-all-usage-of-BASH-or-BASH-in-installed.patch + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/k06glk8f3dxj3k0m9b9y7ph2nbnd1ns0-0001-Revert-Remove-all-usage-of-BASH-or-BASH-in-installed.patch + + + + + +/nix/store/sjnp0f95iilryxl391p4sc0s2czhrnkk-2.37-master.patch.gz + +2.37-master.patch.gz + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/sjnp0f95iilryxl391p4sc0s2czhrnkk-2.37-master.patch.gz + + + + + +/nix/store/c81xzgfi1a5nlj6g2fkz9b1m79f2w6hf-binutils-2.40.drv + +binutils-2.40.drv + + + 
+/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/c81xzgfi1a5nlj6g2fkz9b1m79f2w6hf-binutils-2.40.drv + + + + + +/nix/store/bqp7hyyn19gy8qr4s0my2gsl02xy1c23-bootstrap-stage0-glibc-bootstrapFiles.drv + +bootstrap-stage0-glibc-bootstrapFiles.drv + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/bqp7hyyn19gy8qr4s0my2gsl02xy1c23-bootstrap-stage0-glibc-bootstrapFiles.drv + + + + + +/nix/store/a4jfgxywr7wm67qy45aicp22g3gpbbwl-bootstrap-stage2-gcc-wrapper-12.2.0.drv + +bootstrap-stage2-gcc-wrapper-12.2.0.drv + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/a4jfgxywr7wm67qy45aicp22g3gpbbwl-bootstrap-stage2-gcc-wrapper-12.2.0.drv + + + + + +/nix/store/p69xb9g23qx8vv60k1dn8qdhnq8jsh3b-bootstrap-stage2-stdenv-linux.drv + +bootstrap-stage2-stdenv-linux.drv + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/p69xb9g23qx8vv60k1dn8qdhnq8jsh3b-bootstrap-stage2-stdenv-linux.drv + + + + + +/nix/store/b1w7zbvm39ff1i52iyjggyvw2rdxz104-dont-use-system-ld-so-cache.patch + +dont-use-system-ld-so-cache.patch + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/b1w7zbvm39ff1i52iyjggyvw2rdxz104-dont-use-system-ld-so-cache.patch + + + + + +/nix/store/mnglr8rr7nl444h7p50ysyq8qd0fm1lm-dont-use-system-ld-so-preload.patch + +dont-use-system-ld-so-preload.patch + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/mnglr8rr7nl444h7p50ysyq8qd0fm1lm-dont-use-system-ld-so-preload.patch + + + + + +/nix/store/7kw224hdyxd7115lrqh9a4dv2x8msq2s-fix-x64-abi.patch + +fix-x64-abi.patch + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/7kw224hdyxd7115lrqh9a4dv2x8msq2s-fix-x64-abi.patch + + + + + +/nix/store/za0pg7fmysrcwrqcal26fnmzw6vycgdn-fix_path_attribute_in_getconf.patch + +fix_path_attribute_in_getconf.patch + + + 
+/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/za0pg7fmysrcwrqcal26fnmzw6vycgdn-fix_path_attribute_in_getconf.patch + + + + + +/nix/store/h635jjqzf1g34hbb87lwki2z56zmvnwb-glibc-2.37.tar.xz.drv + +glibc-2.37.tar.xz.drv + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/h635jjqzf1g34hbb87lwki2z56zmvnwb-glibc-2.37.tar.xz.drv + + + + + +/nix/store/x6pncslc93zbdfs4mnga7clbcfadlm0m-libidn2-2.3.4.drv + +libidn2-2.3.4.drv + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/x6pncslc93zbdfs4mnga7clbcfadlm0m-libidn2-2.3.4.drv + + + + + +/nix/store/m4z5hc3nfngvcwkmxi9bgjj2nkvh1qdj-linux-headers-6.2.drv + +linux-headers-6.2.drv + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/m4z5hc3nfngvcwkmxi9bgjj2nkvh1qdj-linux-headers-6.2.drv + + + + + +/nix/store/8haph3ng4mgsqr6p4024vj8k6kg3mqc4-nix-locale-archive.patch + +nix-locale-archive.patch + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/8haph3ng4mgsqr6p4024vj8k6kg3mqc4-nix-locale-archive.patch + + + + + +/nix/store/001gp43bjqzx60cg345n2slzg7131za8-nix-nss-open-files.patch + +nix-nss-open-files.patch + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/001gp43bjqzx60cg345n2slzg7131za8-nix-nss-open-files.patch + + + + + +/nix/store/q0nr3grhhjcf6li53r10z6hg4v7rkc4a-python3-minimal-3.10.13.drv + +python3-minimal-3.10.13.drv + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/q0nr3grhhjcf6li53r10z6hg4v7rkc4a-python3-minimal-3.10.13.drv + + + + + +/nix/store/rwnpifhbiky8wmzsfyzah2qpah1z1mzk-reenable_DT_HASH.patch + +reenable_DT_HASH.patch + + + +/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/rwnpifhbiky8wmzsfyzah2qpah1z1mzk-reenable_DT_HASH.patch + + + + + +/nix/store/q072lsl54bjjlgsj06w7fb431cz2ckci-xgcc-12.2.0.drv + +xgcc-12.2.0.drv + + + 
+/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv->/nix/store/q072lsl54bjjlgsj06w7fb431cz2ckci-xgcc-12.2.0.drv + + + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/hla091y2jgs76hd8ps5ky6d81qzkdfz5-bash-5.2-p15.drv + + + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/ks6kir3vky8mb8zqpfhchwasn0rv1ix6-bootstrap-tools.drv + + + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/89fnwld2cnzdshvzc58xx9zwmr6minbw-glibc-2.37-45.drv + + + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/x6pncslc93zbdfs4mnga7clbcfadlm0m-libidn2-2.3.4.drv + + + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/m4z5hc3nfngvcwkmxi9bgjj2nkvh1qdj-linux-headers-6.2.drv + + + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/q072lsl54bjjlgsj06w7fb431cz2ckci-xgcc-12.2.0.drv + + + + + +/nix/store/lczz47bfpkil5rpb24wrsr767rjlm3ng-acl-2.3.1.drv + +acl-2.3.1.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/lczz47bfpkil5rpb24wrsr767rjlm3ng-acl-2.3.1.drv + + + + + +/nix/store/xl1qdy5sn4y4y8zylnj7wxnz984flc3r-attr-2.5.1.drv + +attr-2.5.1.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/xl1qdy5sn4y4y8zylnj7wxnz984flc3r-attr-2.5.1.drv + + + + + +/nix/store/h9lc1dpi14z7is86ffhl3ld569138595-audit-tmpdir.sh + +audit-tmpdir.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/h9lc1dpi14z7is86ffhl3ld569138595-audit-tmpdir.sh + + + + + +/nix/store/jk4j50lpqjmq8fmlkryxzgp96ciin5rx-binutils-2.40.drv + +binutils-2.40.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/jk4j50lpqjmq8fmlkryxzgp96ciin5rx-binutils-2.40.drv + + + + + +/nix/store/fih1wl123r50p5v3lf8r6l5dj9100fln-binutils-wrapper-2.40.drv + +binutils-wrapper-2.40.drv + + + 
+/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/fih1wl123r50p5v3lf8r6l5dj9100fln-binutils-wrapper-2.40.drv + + + + + +/nix/store/ckzrg0f0bdyx8rf703nc61r3hz5yys9q-builder.sh + +builder.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/ckzrg0f0bdyx8rf703nc61r3hz5yys9q-builder.sh + + + + + +/nix/store/2kpnzdrqw27n47f83jrazdhdd2qc8pcn-bzip2-1.0.8.drv + +bzip2-1.0.8.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/2kpnzdrqw27n47f83jrazdhdd2qc8pcn-bzip2-1.0.8.drv + + + + + +/nix/store/m54bmrhj6fqz8nds5zcj97w9s9bckc9v-compress-man-pages.sh + +compress-man-pages.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/m54bmrhj6fqz8nds5zcj97w9s9bckc9v-compress-man-pages.sh + + + + + +/nix/store/pygvr0fmgmghw3sn4zw6xbsfl0nyx1w6-coreutils-9.1.drv + +coreutils-9.1.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/pygvr0fmgmghw3sn4zw6xbsfl0nyx1w6-coreutils-9.1.drv + + + + + +/nix/store/c965v55c97q9z9gb1cwx7hddxf49y5jj-diffutils-3.9.drv + +diffutils-3.9.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/c965v55c97q9z9gb1cwx7hddxf49y5jj-diffutils-3.9.drv + + + + + +/nix/store/3f9c7l66iiwax257yi8bqwqzrcf2hm3b-ed-1.19.drv + +ed-1.19.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/3f9c7l66iiwax257yi8bqwqzrcf2hm3b-ed-1.19.drv + + + + + +/nix/store/kb8r8f8k0hkxsk4dzskr59gddksiynqb-expand-response-params.drv + +expand-response-params.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/kb8r8f8k0hkxsk4dzskr59gddksiynqb-expand-response-params.drv + + + + + +/nix/store/26p8na6c8m7x8hc2lkfdd3zv8c5hml1a-file-5.44.drv + +file-5.44.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/26p8na6c8m7x8hc2lkfdd3zv8c5hml1a-file-5.44.drv + + + + + +/nix/store/mlbvqb767vb5ij7ns70agisx9y13292i-findutils-4.9.0.drv + 
+findutils-4.9.0.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/mlbvqb767vb5ij7ns70agisx9y13292i-findutils-4.9.0.drv + + + + + +/nix/store/5nbivqrv4gssi842ywz87mn365smxdqn-gawk-5.2.1.drv + +gawk-5.2.1.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/5nbivqrv4gssi842ywz87mn365smxdqn-gawk-5.2.1.drv + + + + + +/nix/store/shjif9jdblhwzm6ivlglfvldpbmf189b-gcc-12.2.0.drv + +gcc-12.2.0.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/shjif9jdblhwzm6ivlglfvldpbmf189b-gcc-12.2.0.drv + + + + + +/nix/store/82s65p11ck20pvib4pc3dbd9nyvx8qqf-gcc-wrapper-12.2.0.drv + +gcc-wrapper-12.2.0.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/82s65p11ck20pvib4pc3dbd9nyvx8qqf-gcc-wrapper-12.2.0.drv + + + + + +/nix/store/akwir79vxw9j2z7xvlzm9halwznlj807-gmp-6.2.1.drv + +gmp-6.2.1.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/akwir79vxw9j2z7xvlzm9halwznlj807-gmp-6.2.1.drv + + + + + +/nix/store/48yjyjx5qhifcrsry42kv914yaw7zbz8-gmp-with-cxx-6.2.1.drv + +gmp-with-cxx-6.2.1.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/48yjyjx5qhifcrsry42kv914yaw7zbz8-gmp-with-cxx-6.2.1.drv + + + + + +/nix/store/m4cyqwyzda46912dirznjzx5cml6d018-gnugrep-3.7.drv + +gnugrep-3.7.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/m4cyqwyzda46912dirznjzx5cml6d018-gnugrep-3.7.drv + + + + + +/nix/store/51jadnm9ava2z2b0srgsmhlwgdyav58s-gnumake-4.4.1.drv + +gnumake-4.4.1.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/51jadnm9ava2z2b0srgsmhlwgdyav58s-gnumake-4.4.1.drv + + + + + +/nix/store/4jqr7dhg1955v540km9bqfl573qp3k1r-gnused-4.9.drv + +gnused-4.9.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/4jqr7dhg1955v540km9bqfl573qp3k1r-gnused-4.9.drv + + + + + 
+/nix/store/nkdpr1ms0n2kpk37s1jmpx9q375irmb8-gnutar-1.35.drv + +gnutar-1.35.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/nkdpr1ms0n2kpk37s1jmpx9q375irmb8-gnutar-1.35.drv + + + + + +/nix/store/mmlbn928pnqb0j26fspd91862lrwdxc6-gzip-1.12.drv + +gzip-1.12.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/mmlbn928pnqb0j26fspd91862lrwdxc6-gzip-1.12.drv + + + + + +/nix/store/ydgc8qgv67s9kip45y8fbxi5y7cc77w4-isl-0.20.drv + +isl-0.20.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/ydgc8qgv67s9kip45y8fbxi5y7cc77w4-isl-0.20.drv + + + + + +/nix/store/knqhvivyrmynch9dj89bvnl5jiki1ra8-libmpc-1.3.1.drv + +libmpc-1.3.1.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/knqhvivyrmynch9dj89bvnl5jiki1ra8-libmpc-1.3.1.drv + + + + + +/nix/store/xvn3anp019d0mcx0hagacyfc0cslh5ih-libunistring-1.1.drv + +libunistring-1.1.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/xvn3anp019d0mcx0hagacyfc0cslh5ih-libunistring-1.1.drv + + + + + +/nix/store/wgrbkkaldkrlrni33ccvm3b6vbxzb656-make-symlinks-relative.sh + +make-symlinks-relative.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/wgrbkkaldkrlrni33ccvm3b6vbxzb656-make-symlinks-relative.sh + + + + + +/nix/store/5yzw0vhkyszf2d179m0qfkgxmp5wjjx4-move-docs.sh + +move-docs.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/5yzw0vhkyszf2d179m0qfkgxmp5wjjx4-move-docs.sh + + + + + +/nix/store/fyaryjvghbkpfnsyw97hb3lyb37s1pd6-move-lib64.sh + +move-lib64.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/fyaryjvghbkpfnsyw97hb3lyb37s1pd6-move-lib64.sh + + + + + +/nix/store/kd4xwxjpjxi71jkm6ka0np72if9rm3y0-move-sbin.sh + +move-sbin.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/kd4xwxjpjxi71jkm6ka0np72if9rm3y0-move-sbin.sh + + + + + 
+/nix/store/pag6l61paj1dc9sv15l7bm5c17xn5kyk-move-systemd-user-units.sh + +move-systemd-user-units.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/pag6l61paj1dc9sv15l7bm5c17xn5kyk-move-systemd-user-units.sh + + + + + +/nix/store/93z6f6jhkhnyhfhcskcy12xbpynjrcrb-mpfr-4.2.0.drv + +mpfr-4.2.0.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/93z6f6jhkhnyhfhcskcy12xbpynjrcrb-mpfr-4.2.0.drv + + + + + +/nix/store/bxsly8a56yb8kyrq03s82a3vyc8fqrb3-multiple-outputs.sh + +multiple-outputs.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/bxsly8a56yb8kyrq03s82a3vyc8fqrb3-multiple-outputs.sh + + + + + +/nix/store/7v5sghixg03gb6zjrshi99s5ispsrivj-patch-2.7.6.drv + +patch-2.7.6.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/7v5sghixg03gb6zjrshi99s5ispsrivj-patch-2.7.6.drv + + + + + +/nix/store/nf1lkdrhapsx5lr6diyxyjr7pb7r20gr-patch-shebangs.sh + +patch-shebangs.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/nf1lkdrhapsx5lr6diyxyjr7pb7r20gr-patch-shebangs.sh + + + + + +/nix/store/pwjg629qlijnz033395bcmb9hzagwgfr-patchelf-0.15.0.drv + +patchelf-0.15.0.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/pwjg629qlijnz033395bcmb9hzagwgfr-patchelf-0.15.0.drv + + + + + +/nix/store/1nk2gnq5iczrcl3y811wzgf2kp8hmrdl-pcre-8.45.drv + +pcre-8.45.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/1nk2gnq5iczrcl3y811wzgf2kp8hmrdl-pcre-8.45.drv + + + + + +/nix/store/cickvswrvann041nqxb0rxilc46svw1n-prune-libtool-files.sh + +prune-libtool-files.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/cickvswrvann041nqxb0rxilc46svw1n-prune-libtool-files.sh + + + + + +/nix/store/xyff06pkhki3qy1ls77w10s0v79c9il0-reproducible-builds.sh + +reproducible-builds.sh + + + 
+/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/xyff06pkhki3qy1ls77w10s0v79c9il0-reproducible-builds.sh + + + + + +/nix/store/ngg1cv31c8c7bcm2n8ww4g06nq7s4zhm-set-source-date-epoch-to-latest.sh + +set-source-date-epoch-to-latest.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/ngg1cv31c8c7bcm2n8ww4g06nq7s4zhm-set-source-date-epoch-to-latest.sh + + + + + +/nix/store/jsj70nx6fkcjd1yfdqivwqz3cb9zfl31-setup.sh + +setup.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/jsj70nx6fkcjd1yfdqivwqz3cb9zfl31-setup.sh + + + + + +/nix/store/a9ndjg0b1ivi0av9m93vfkrndp7fqbw1-strip.sh + +strip.sh + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/a9ndjg0b1ivi0av9m93vfkrndp7fqbw1-strip.sh + + + + + +/nix/store/lpm3m6f7mipfdbp2grq4223dy3rjivrr-xz-5.4.3.drv + +xz-5.4.3.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/lpm3m6f7mipfdbp2grq4223dy3rjivrr-xz-5.4.3.drv + + + + + +/nix/store/vz2psnzh8fad6s6s9fffc74kd3g9b6la-zlib-1.2.13.drv + +zlib-1.2.13.drv + + + +/nix/store/z9vnfwzs0226f7qid0j0iglfbpvb61hx-stdenv-linux.drv->/nix/store/vz2psnzh8fad6s6s9fffc74kd3g9b6la-zlib-1.2.13.drv + + + + + diff --git a/doc/img/c_hello_world_runtime.svg b/doc/img/c_hello_world_runtime.svg new file mode 100644 index 0000000..bb22c59 --- /dev/null +++ b/doc/img/c_hello_world_runtime.svg 
@@ -0,0 +1,72 @@ + + + + + + + + + +/nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45 + +glibc-2.37-45 + + + +/nix/store/4563gldw8ibz76f1a3x69zq3a1vhdpz9-libidn2-2.3.4 + +libidn2-2.3.4 + + + +/nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45->/nix/store/4563gldw8ibz76f1a3x69zq3a1vhdpz9-libidn2-2.3.4 + + + + + +/nix/store/jd99cyc0251p0i5y69w8mqjcai8mcq7h-xgcc-12.2.0-libgcc + +xgcc-12.2.0-libgcc + + + +/nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45->/nix/store/jd99cyc0251p0i5y69w8mqjcai8mcq7h-xgcc-12.2.0-libgcc + + + + + +/nix/store/wi2m2ddkkb1g7bdpcw2halmh07a8kncn-nix-hello-0.0.1 + +nix-hello-0.0.1 + + + +/nix/store/wi2m2ddkkb1g7bdpcw2halmh07a8kncn-nix-hello-0.0.1->/nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45 + + + + + +/nix/store/wi2m2ddkkb1g7bdpcw2halmh07a8kncn-nix-hello-0.0.1->/nix/store/jd99cyc0251p0i5y69w8mqjcai8mcq7h-xgcc-12.2.0-libgcc + + + + + +/nix/store/567zfi9026lp2q6v97vwn640rv6i3n4c-libunistring-1.1 + +libunistring-1.1 + + + +/nix/store/4563gldw8ibz76f1a3x69zq3a1vhdpz9-libidn2-2.3.4->/nix/store/567zfi9026lp2q6v97vwn640rv6i3n4c-libunistring-1.1 + + + + + diff --git a/doc/nix_outdated.md b/doc/nix_outdated.md index 665b232..014d459 100644 --- a/doc/nix_outdated.md +++ b/doc/nix_outdated.md 
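Review bot: the runtime graph added in `doc/img/c_hello_world_runtime.svg` hard-codes store paths and versions (`glibc-2.37-45`, `xgcc-12.2.0-libgcc`, `libidn2-2.3.4`, `libunistring-1.1`), which will not match what a reader gets after the next nixpkgs bump. That is fine for an illustration, but wherever the image is embedded the text should state the exact `nixgraph` invocation (target and `--depth`) and the nixpkgs revision it was generated from, so the picture can be regenerated rather than going stale silently.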
@@ -4,54 +4,16 @@ SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII) SPDX-License-Identifier: CC-BY-SA-4.0 --> -Table of Contents -================= - -* [Getting Started](#getting-started) - * [Running as Nix Flake](#running-as-nix-flake) - * [Running from Nix Development Shell](#running-from-nix-development-shell) - * [Example Target](#example-target) -* [nix_outdated](#nix_outdated) - # Getting Started -## Running as Nix Flake -`nix_outdated.py` can be run as a [Nix flake](https://nixos.wiki/wiki/Flakes) from the `tiiuae/sbomnix` repository: +To get started, follow the [Getting Started](../README.md#getting-started) section from the main [README](../README.md). + +As an example, to run the [`nix_outdated`](../src/nixupdate/nix_outdated.py) from the `tiiuae/sbomnix` repository: ```bash # '--' signifies the end of argument list for `nix`. # '--help' is the first argument to `nix_outdated` $ nix run github:tiiuae/sbomnix#nix_outdated -- --help ``` -or from a local repository: -```bash -$ git clone https://github.com/tiiuae/sbomnix -$ cd sbomnix -$ nix run .#nix_outdated -- --help -``` - -## Running from Nix Development Shell - -If you have nix flakes enabled, run: -```bash -$ git clone https://github.com/tiiuae/sbomnix -$ cd sbomnix -$ nix develop -``` - -You can also use `nix-shell` to enter the development shell: -```bash -$ git clone https://github.com/tiiuae/sbomnix -$ cd sbomnix -$ nix-shell -``` - -From the development shell, you can run `nix_outdated.py` as follows: -```bash -# Run nix_outdated from nix devshell: -$ scripts/nixupdate/nix_outdated.py --help -``` - - ## Example Target We use Nix package `git` as an example target. To print `git` out-path on your local system, try something like: 
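Review bot: the new Getting Started example in `doc/nix_outdated.md` is inconsistent with the parallel sections this patch adds to `doc/nixgraph.md`, `doc/replogoy_cli.md` and `doc/vulnxscan.md`: those say "from your local clone" and use `nix run .#<tool> -- --help`, while this one runs `nix run github:tiiuae/sbomnix#nix_outdated -- --help` and says "from the `tiiuae/sbomnix` repository". Pick one form for all four documents (or show both once in the README and link to it). Also drop the stray article in "to run the [`nix_outdated`](../src/nixupdate/nix_outdated.py) from", and note that the removed lines still referenced `scripts/nixupdate/nix_outdated.py` while the new link points at `../src/nixupdate/nix_outdated.py`; the README's Getting Started section this now defers to must describe that layout.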
@@ -61,13 +23,12 @@ $ nix eval -f '' 'git.outPath' ``` # nix_outdated -`nix_outdated` is a command line tool to list outdated nix dependencies for given target nix out path. By default, the script outputs runtime dependencies for the given nix out path that appear outdated in nixpkgs 'nix_unstable' channel - the list of output packages would potentially need a PR to update the package in nixpkgs to the latest upstream release version specified in the output table column 'version_upstream'. The list of output packages is in priority order based on how many other packages depend on the potentially outdated package. +[`nix_outdated`](../src/nixupdate/nix_outdated.py) is a command line tool to list outdated nix dependencies for given target nix out path. By default, the script outputs runtime dependencies for the given nix out path that appear outdated in nixpkgs 'nix_unstable' channel - the list of output packages would potentially need a PR to update the package in nixpkgs to the package's latest upstream release version specified in the output table column 'version_upstream'. The list of output packages is in priority order based on how many other packages depend on the potentially outdated package. 
-Below command finds runtime dependencies of `git` that would have an update in the package's upstream repository based on repology, but the latest release version is not available in nix unstable: +Below command finds `git` runtime dependencies that would have an update in the package's upstream repository based on repology, and the latest release version is not available in nix unstable: ```bash -# In nix devshell -$ scripts/nixupdate/nix_outdated.py /nix/store/2853v0cidl7jww2hs1mlkg0i372mk368-git-2.39.2 +$ nix_outdated /nix/store/2853v0cidl7jww2hs1mlkg0i372mk368-git-2.39.2 INFO Generating SBOM for target '/nix/store/2853v0cidl7jww2hs1mlkg0i372mk368-git-2.39.2' INFO Loading runtime dependencies referenced by '/nix/store/2853v0cidl7jww2hs1mlkg0i372mk368-git-2.39.2' INFO Using SBOM '/tmp/nixdeps_uejjwppb.cdx.json' 
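Review bot: the rewritten description keeps the phrase "outdated in nixpkgs 'nix_unstable' channel", but `nix_unstable` is the repository identifier used by repology.org, not a nixpkgs channel name; since the tool's data comes from repology (as the example text and `version_upstream` column say), reword to something like "appear outdated in the `nix_unstable` repository as tracked by repology.org". Separately, removing the "# In nix devshell" comment before `$ nix_outdated /nix/store/2853v0cidl7jww2hs1mlkg0i372mk368-git-2.39.2` leaves the reader with no hint of how `nix_outdated` ends up on PATH; a one-line pointer back to the Getting Started section (devshell or `nix run .#nix_outdated --`) would avoid a confusing "command not found".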
@@ -111,7 +72,7 @@ INFO Wrote: nix_outdated.csv As an example, the first row in the above output table means that: - `libidn2` in nix unstable is not up-to-date with what repology.org knows is the package's newest upstream version. -- `libidn2` is on the top of the table, as it has the highest priority among the listed outdated packages. The priority is based on how many other packages depend on the given outdated package. This datapoint is based on [nix-visualize](https://github.com/craigmbooth/nix-visualize) with the following change to allow using nix-visualize for large projects, as well allow post-processing the nix-visualize output data in textual format: https://github.com/craigmbooth/nix-visualize/pull/8. The value of the `priority` column is directly the `level` value determined by [nix-visualize](https://github.com/craigmbooth/nix-visualize). For full description of the `level` values, see nix-visualize documentation: https://github.com/craigmbooth/nix-visualize#vertical-positioning. +- `libidn2` is on the top of the table, as it has the highest priority among the listed outdated packages. The priority is based on how many other packages depend on the given outdated package. This datapoint is based on [nix-visualize](https://github.com/craigmbooth/nix-visualize). The value of the `priority` column is directly the `level` value determined by [nix-visualize](https://github.com/craigmbooth/nix-visualize). For full description of the `level` values, see nix-visualize documentation: https://github.com/craigmbooth/nix-visualize#vertical-positioning. - `libidn2` local version is 2.3.2. - `libidn2` newest version in nix unstable is 2.3.2 (based on repology.org). - `libidn2` newest release version in the package's upstream repository is 2.3.4 (based on repology.org). diff --git a/doc/nixgraph.md b/doc/nixgraph.md index d2b9e45..9838a74 100644 --- a/doc/nixgraph.md +++ b/doc/nixgraph.md 
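Review bot: this hunk drops the sentence explaining that the `priority` datapoint relies on nix-visualize with the change from https://github.com/craigmbooth/nix-visualize/pull/8 "to allow using nix-visualize for large projects". If the tool still depends on a patched or forked nix-visualize, the documentation should say so and state where that dependency is pinned; if upstream has since merged the change, say that instead. As written, a reader who installs stock nix-visualize has no way to know whether the `level` values will match.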
@@ -6,7 +6,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # nixgraph -`nixgraph` is a python library and command line utility for querying and visualizing dependency graphs for [nix](https://nixos.org/) packages. +[`nixgraph`](../src/nixgraph/main.py) is a python library and command line utility for querying and visualizing dependency graphs for [Nix](https://nixos.org/) packages. Table of Contents @@ -25,6 +25,13 @@ Table of Contents ## Getting Started To get started, follow the [Getting Started](../README.md#getting-started) section from the main [README](../README.md). +As an example, to run the [`nixgraph`](../src/nixgraph/main.py) from your local clone of the `tiiuae/sbomnix` repository: +```bash +# '--' signifies the end of argument list for `nix`. +# '--help' is the first argument to `repology_cli` +$ nix run .#nixgraph -- --help +``` + ## Usage examples In the below examples, we use nix package `wget` as an example target. To print `wget` out-path on your local system, try something like: @@ -83,7 +90,7 @@ $ nixgraph /nix/store/8nbv1drmvh588pwiwsxa47iprzlgwx6j-wget-1.21.3 --depth=2 --i `--inverse` is especially useful when working with larger graphs. As an example, consider the following graph for `git`: -(`nixgraph /nix/store/sb0fay7ihrqibk325qyx0377ywrfdnxp-git-2.38.1 --depth=3 --colorize="openssl-3|sqlite-3"`) +(`nixgraph /nix/store/sb0fay7ihrqibk325qyx0377ywrfdnxp-git-2.38.1 --depth=3 --colorize="openssl-3|sqlite-3"`)
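Review bot: copy-paste error in the block added to `doc/nixgraph.md`: the comment reads "# '--help' is the first argument to `repology_cli`" but the command below it is `nix run .#nixgraph -- --help`; change it to `nixgraph`. In the `@@ -83,7` hunk, the removed and added caption lines "(`nixgraph /nix/store/sb0fay7ihrqibk325qyx0377ywrfdnxp-git-2.38.1 --depth=3 --colorize="openssl-3|sqlite-3"`)" are textually identical, so this is presumably a trailing-whitespace or line-ending change only; confirm it is intentional or revert it to keep the diff minimal.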

@@ -94,7 +101,7 @@ To find out what are all the runtime dependency paths from `git` to the highligh # --inverse="openssl-3|sqlite-3": draw the graph backwards starting from nodes that # match the specified reqular expression # --colorize="openssl-3|sqlite-3": colorize the matching nodes -nixgraph /nix/store/sb0fay7ihrqibk325qyx0377ywrfdnxp-git-2.38.1 --depth=100 --colorize="openssl-3|sqlite-3" --inverse="openssl-3|sqlite-3" +nixgraph /nix/store/sb0fay7ihrqibk325qyx0377ywrfdnxp-git-2.38.1 --depth=100 --colorize="openssl-3|sqlite-3" --inverse="openssl-3|sqlite-3" ``` The output now becomes: diff --git a/doc/replogoy_cli.md b/doc/replogoy_cli.md index b6b4663..9787761 100644 --- a/doc/replogoy_cli.md +++ b/doc/replogoy_cli.md 
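Review bot: as in the previous hunk, the `-`/`+` pair for `nixgraph /nix/store/sb0fay7ihrqibk325qyx0377ywrfdnxp-git-2.38.1 --depth=100 --colorize="openssl-3|sqlite-3" --inverse="openssl-3|sqlite-3"` shows no visible difference, so it looks like a whitespace-only change. While touching this block, fix the typo in the unchanged context comment "match the specified reqular expression" to "regular expression".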
@@ -6,76 +6,36 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # repology_cli -`repology_cli` is a command line interface to [repology.org](https://repology.org/). It supports querying package information via package search terms in the same manner as https://repology.org/projects/?search. In addition, it supports querying package information from all packages in a CycloneDX SBOM and printing out some simple statistics based on the input. +[`repology_cli`](../src/repology/repology_cli.py) is a command line interface to [repology.org](https://repology.org/). It supports querying package information via package search terms in the same manner as https://repology.org/projects/?search. In addition, it supports querying package information from all packages in a CycloneDX SBOM and printing out some simple statistics based on the input. Table of Contents ================= * [Getting Started](#getting-started) - * [Running from Nix Development Shell](#running-from-nix-development-shell) - * [Running as Python Script](#running-as-python-script) * [Usage Examples](#usage-examples) * [Search by Package Name Exact Match](#search-by-package-name-exact-match) * [Search by Package Name Search Term](#search-by-package-name-search-term) * [Search by Package Names in SBOM](#search-by-package-names-in-sbom) * [Statistics: SBOM Packages](#statistics-sbom-packages) + * [Repology CVE search](#repology-cve-search) ## Getting Started +To get started, follow the [Getting Started](../README.md#getting-started) section from the main [README](../README.md). -### Running as Nix Flake -`repology_cli` can be run as a [Nix flake](https://nixos.wiki/wiki/Flakes) from the `tiiuae/sbomnix` repository: +As an example, to run the [`repology_cli`](../src/repology/repology_cli.py) from your local clone of the `tiiuae/sbomnix` repository: ```bash # '--' signifies the end of argument list for `nix`. 
# '--help' is the first argument to `repology_cli` -$ nix run github:tiiuae/sbomnix#repology_cli -- --help -``` - -or from a local repository: -```bash -$ git clone https://github.com/tiiuae/sbomnix -$ cd sbomnix $ nix run .#repology_cli -- --help ``` -### Running from Nix Development Shell - -If you have nix flakes enabled, run: -```bash -$ git clone https://github.com/tiiuae/sbomnix -$ cd sbomnix -$ nix develop -``` - -You can also use `nix-shell` to enter the development shell: -```bash -$ git clone https://github.com/tiiuae/sbomnix -$ cd sbomnix -$ nix-shell -``` - -From the development shell, you can run `repology_cli` as follows: -```bash -$ scripts/repology/repology_cli.py -``` - -### Running as Python Script -Running `repology_cli` as Python script requires Python packages specified in [requirements.txt](./requirements.txt). You can install the required packages with: -```bash -$ git clone https://github.com/tiiuae/sbomnix -$ cd sbomnix -``` -After you entered the devshell, you can run repology_cli.py as follows: -```bash -$ scripts/repology/repology_cli.py -``` - ## Usage Examples ### Search by Package Name Exact Match Following query finds package name 'firefox' versions in 'nix_unstable' repository: ```bash -$ scripts/repology/repology_cli.py --pkg_exact "firefox" --repository nix_unstable +$ repology_cli --pkg_exact "firefox" --repository nix_unstable INFO GET: https://repology.org/projects/?search=firefox&inrepo=nix_unstable INFO Repology package info, packages:5 
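Review bot: the file is still named `doc/replogoy_cli.md` (letters transposed) even though the tool it documents is `repology_cli` and this patch rewrites its Getting Started section and table of contents. Rename it to `doc/repology_cli.md` in this change and update the links that point at it, otherwise the typo is cemented into every anchor such as `replogoy_cli.md#repology-cve-search`. The removed "Running as Python Script" section also referenced a `requirements.txt`; if that path is gone too, fine, but the README's Getting Started section that these docs now defer to should cover the non-flake install path that was deleted here.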
@@ -106,7 +66,7 @@ In addition to the above datapoints, `repology_cli` adds the column 'repo_versio Full list of repositories available in repology are available in https://repology.org/repositories/statistics. As an example, to repeat the earlier query for Debian 12, you would run: ```bash -$ scripts/repology/repology_cli.py --pkg_exact "firefox" --repository debian_12 +$ repology_cli --pkg_exact "firefox" --repository debian_12 INFO GET: https://repology.org/projects/?search=firefox&inrepo=debian_12 INFO Repology package info, packages:1 @@ -124,7 +84,7 @@ INFO Wrote: repology_report.csv Following query finds 'debian_12' packages that include 'firefox' anywhere in the name string: ```bash -$ scripts/repology/repology_cli.py --pkg_search "firefox" --repository debian_12 +$ repology_cli --pkg_search "firefox" --repository debian_12 INFO GET: https://repology.org/projects/?search=firefox&inrepo=debian_12 INFO Repology package info, packages:5 @@ -144,7 +104,7 @@ Notice: using short search strings with `--pkg_search` might result a large numb Following query finds 'nix_unstable' packages that match the packages in the CycloneDX sbom 'wget.runtime.sbom.cdx.json': ```bash -$ scripts/repology/repology_cli.py --sbom_cdx wget.runtime.sbom.cdx.json --repository nix_unstable +$ repology_cli --sbom_cdx wget.runtime.sbom.cdx.json --repository nix_unstable INFO GET: https://repology.org/projects/?search=glibc&inrepo=nix_unstable INFO GET: https://repology.org/projects/?search=libidn2&inrepo=nix_unstable 
@@ -175,7 +135,7 @@ Output includes package details from the packages in the given SBOM that were al Following is the same query as above, but adds the command-line argument `--stats` to print out some simple statistics that might help explain the results. ```bash -$ scripts/repology/repology_cli.py --sbom_cdx wget.runtime.sbom.cdx.json --repository nix_unstable --stats +$ repology_cli --sbom_cdx wget.runtime.sbom.cdx.json --repository nix_unstable --stats INFO GET: https://repology.org/projects/?search=glibc&inrepo=nix_unstable INFO GET: https://repology.org/projects/?search=libidn2&inrepo=nix_unstable INFO GET: https://repology.org/projects/?search=libunistring&inrepo=nix_unstable @@ -244,3 +204,23 @@ $ csvsql --query "select * from repology_report where status == 'NOT_FOUND'" rep ``` Above, we can see the package 'util-linux-minimal' which is one of the components in the example sbom 'wget.runtime.sbom.cdx.json', is not available (with that exact same name) in repology.org. + +### Repology CVE search +Following query shows an example of using the [`repology_cve`](../src/repology/repology_cve.py) client to query CVEs known to repology.org that impact package `openssl` version `3.1.1`. + +```bash +$ repology_cve openssl 3.1.1 + +INFO Repology affected CVE(s) + +| package | version | cve | +|-----------+-----------+---------------| +| openssl | 3.1.1 | CVE-2023-2975 | +| openssl | 3.1.1 | CVE-2023-3446 | +| openssl | 3.1.1 | CVE-2023-3817 | +| openssl | 3.1.1 | CVE-2023-4807 | +| openssl | 3.1.1 | CVE-2023-5363 | +| openssl | 3.1.1 | CVE-2023-5678 | + +INFO Wrote: repology_cves.csv +``` \ No newline at end of file diff --git a/doc/vulnxscan.md b/doc/vulnxscan.md index 68a1807..039aa51 100644 --- a/doc/vulnxscan.md +++ b/doc/vulnxscan.md 
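Review bot: the new "Repology CVE search" section ends with "\ No newline at end of file"; add the trailing newline. The section also does not say what the two positional arguments of `repology_cve openssl 3.1.1` must be: the package name has to be the repology project name, not the nix attribute or SBOM component name, which matters because the "Statistics: SBOM Packages" section directly above shows `util-linux-minimal` coming back as `NOT_FOUND` for exactly that reason. One sentence stating that (and that an unmatched name yields an empty table rather than an error, if that is the behaviour) would save users from reading a silent miss as "no known CVEs".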
@@ -6,7 +6,7 @@ SPDX-License-Identifier: CC-BY-SA-4.0 # vulnxscan -`vulnxscan` is a command line utility that demonstrates automating vulnerability scans using SBOM as input. It mainly targets nix packages, however, it can be used with any other targets too as long as the target is expressed as valid CycloneDX SBOM. +[`vulnxscan`](../src/vulnxscan/vulnxscan_cli.py) is a command line utility that demonstrates running vulnerability scans using SBOM as input. It mainly targets nix packages, however, it can be used with any other targets too as long as the target is expressed as valid CycloneDX SBOM. Table of Contents ================= @@ -17,8 +17,6 @@ Table of Contents * [Nix and Grype](#nix-and-grype) * [Vulnix](#vulnix) * [Vulnxscan Usage Examples](#vulnxscan-usage-examples) - * [Running Vulnxscan as Flake](#running-vulnxscan-as-flake) - * [Running from Nix Development Shell](#running-from-nix-development-shell) * [Find Vulnerabilities Impacting Runtime Dependencies](#find-vulnerabilities-impacting-runtime-dependencies) * [Whitelisting Vulnerabilities](#whitelisting-vulnerabilities) * [Find Vulnerabilities Given SBOM as Input](#find-vulnerabilities-given-sbom-as-input) @@ -28,7 +26,14 @@ Table of Contents * [Footnotes and Future Work](#footnotes-and-future-work) ## Getting Started -To get started, follow the [Getting Started](../../README.md#getting-started) section from the main [README](../../README.md). +To get started, follow the [Getting Started](../README.md#getting-started) section from the main [README](../README.md). + +As an example, to run the `vulnxscan` from your local clone of the `tiiuae/sbomnix` repository: +```bash +# '--' signifies the end of argument list for `nix`. +# '--help' is the first argument to `vulnxscan` +$ nix run .#vulnxscan -- --help +``` ## Example Target In the below examples, we use `git` as an example target for `vulnxscan`. 
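Review bot: the Getting Started link changes from `../../README.md#getting-started` to `../README.md#getting-started`, which means `vulnxscan.md` has moved up one directory (from `doc/vulnxscan/` to `doc/`). Every other link to this document, including the `vulnxscan.md` entries in the repository's README and any `./vulnxscan.py`-style relative links inside this file, must be updated in the same commit or they will 404. The new `nix run .#vulnxscan -- --help` example is consistent with the `nixgraph` and `repology_cli` docs; good.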
@@ -58,47 +63,11 @@ Vulnix matches vulnerabilities based on [heuristic](https://github.com/flyingcir ## Vulnxscan Usage Examples -### Running Vulnxscan as Flake -`vulnxscan` can be run as a [Nix flake](https://nixos.wiki/wiki/Flakes) from the `tiiuae/sbomnix` repository: -```bash -# '--' signifies the end of argument list for `nix`. -# '--help' is the first argument to `vulnxscan` -$ nix run github:tiiuae/sbomnix#vulnxscan -- --help -``` - -or from a local repository: -```bash -$ git clone https://github.com/tiiuae/sbomnix -$ cd sbomnix -$ nix run .#vulnxscan -- --help -``` - -### Running from Nix Development Shell - -If you have nix flakes [enabled](https://nixos.wiki/wiki/Flakes#Enable_flakes), start a development shell: -```bash -$ git clone https://github.com/tiiuae/sbomnix -$ cd sbomnix -$ nix develop -``` - -You can also use `nix-shell` to enter the development shell: -```bash -$ git clone https://github.com/tiiuae/sbomnix -$ cd sbomnix -$ nix-shell -``` - -From the development shell, run `vulnxscan` as follows: -```bash -$ vulnxscan.py --help -``` - ### Find Vulnerabilities Impacting Runtime Dependencies This example shows how to use `vulnxscan` to summarize vulnerabilities impacting the given target or any of its runtime dependencies. ```bash -$ nix run .#vulnxscan -- /nix/store/ay9sn71cssl4wd7s6bd8xah0zcwqiq2q-git-2.41.0.drv +$ vulnxscan /nix/store/ay9sn71cssl4wd7s6bd8xah0zcwqiq2q-git-2.41.0.drv INFO Generating SBOM for target '/nix/store/ay9sn71cssl4wd7s6bd8xah0zcwqiq2q-git-2.41.0.drv' INFO Loading runtime dependencies referenced by '/nix/store/ay9sn71cssl4wd7s6bd8xah0zcwqiq2q-git-2.41.0.drv' 
@@ -136,7 +105,7 @@ Potential vulnerabilities impacting '/nix/store/ay9sn71cssl4wd7s6bd8xah0zcwqiq2q INFO Wrote: vulns.csv ``` -As printed in the console output, `vulnxscan` first creates an SBOM, then feeds the SBOM (or target path) as input to different vulnerability scanners: [vulnix](https://github.com/nix-community/vulnix), [grype](https://github.com/anchore/grype), and [osv.py](https://github.com/tiiuae/sbomnix/blob/main/scripts/vulnxscan/osv.py) and creates a summary report. The summary report lists the newest vulnerabilities on top, with the `sum` column indicating how many scanners agreed with the exact same finding. In addition to the console output, `vulnxscan` writes the report to csv-file `vulns.csv` to allow easier post-processing of the output. +As printed in the console output, `vulnxscan` first creates an SBOM, then feeds the SBOM (or target path) as input to different vulnerability scanners: [vulnix](https://github.com/nix-community/vulnix), [grype](https://github.com/anchore/grype), and [osv.py](../src/vulnxscan/osv.py) and creates a summary report. The summary report lists the newest vulnerabilities on top, with the `sum` column indicating how many scanners agreed with the exact same finding. In addition to the console output, `vulnxscan` writes the report to csv-file `vulns.csv` to allow easier post-processing of the output. It is worth mentioning that `vulnxscan` filters out vulnerabilities that it detects are patched, as printed out in the console output on lines like '`CVE-2023-2975 for 'openssl' is patched with: ['/nix/store/7gz0nj14469r9dlh8p0j5w5wjj3b6hw4-CVE-2023-2975.patch']`'. This patch auto-detection works in the similar way as the [patch auto-detection on vulnix](https://github.com/nix-community/vulnix#cve-patch-auto-detection), that is, it is based on detecting vulnerability identifiers from the patch filenames. 
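Review bot: the `+` line only relocates the `osv.py` link, but the surrounding text is worth tightening while it is being touched: "works in the similar way as the patch auto-detection on vulnix" should read "works in a similar way", and the paragraph should say explicitly that filename-based detection is a heuristic, i.e. a patch named `CVE-2023-2975.patch` suppresses the finding regardless of whether the patch actually fixes that CVE, so a mis-named or partial patch silently hides a real vulnerability. The next hunk's note that auto-detection is dropped when the input is an SBOM makes this asymmetry worth one sentence here.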
@@ -170,7 +139,7 @@ $ cat whitelist.csv "CVE-20.* ","git","Incorrect package: Impacts Jenkins git plugin, not git." # Apply the whitelist to git vulnxscan output -$ nix run .#vulnxscan -- /nix/store/ay9sn71cssl4wd7s6bd8xah0zcwqiq2q-git-2.41.0.drv --whitelist=whitelist.csv +$ vulnxscan /nix/store/ay9sn71cssl4wd7s6bd8xah0zcwqiq2q-git-2.41.0.drv --whitelist=whitelist.csv INFO Generating SBOM for target '/nix/store/ay9sn71cssl4wd7s6bd8xah0zcwqiq2q-git-2.41.0.drv' INFO Loading runtime dependencies referenced by '/nix/store/ay9sn71cssl4wd7s6bd8xah0zcwqiq2q-git-2.41.0.drv' @@ -233,7 +202,7 @@ INFO Wrote: sbom.cdx.json Then, give the generated SBOM as input to `vulnxscan`: ```bash -$ nix run .#vulnxscan -- --sbom sbom.cdx.json +$ vulnxscan --sbom sbom.cdx.json INFO Running grype scan INFO Running OSV scan @@ -260,7 +229,7 @@ Also notice that `vulnxscan` drops the patch auto-detection if the input is SBOM By default, `vulnxscan` scans the given target for vulnerabilities that impact its runtime-only dependencies. This example shows how to use `vulnxscan` to include also buildtime dependencies to the scan. ```bash -$ nix run .#vulnxscan -- ./result --buildtime +$ vulnxscan ./result --buildtime # ... output not included in this snippet ... ``` 
@@ -304,7 +273,7 @@ $ nix eval github:tiiuae/ghaf?ref=main#packages.x86_64-linux.generic-x86_64-rele # superset of runtime dependencies. # --whitelist: Use 'manual_analysis.csv' as a whitelist file. # --triage : Help manual analysis by querying version info from repology.org. -$ vulnxscan.py /nix/store/5fjfirqjsxggkx4k8ylrrrjar1c54zxp-nixos-disk-image.drv --buildtime --whitelist=manual_analysis.csv --triage +$ vulnxscan /nix/store/5fjfirqjsxggkx4k8ylrrrjar1c54zxp-nixos-disk-image.drv --buildtime --whitelist=manual_analysis.csv --triage INFO Generating SBOM for target '/nix/store/5fjfirqjsxggkx4k8ylrrrjar1c54zxp-nixos-disk-image.drv' INFO Loading buildtime dependencies referenced by '/nix/store/5fjfirqjsxggkx4k8ylrrrjar1c54zxp-nixos-disk-image.drv' INFO Using cdx SBOM '/tmp/vulnxscan_wt98z5yu.json' @@ -362,7 +331,7 @@ Consider the following example, using the same Ghaf target as earlier: ```bash # Run vulnscan with --triage and --nixprs -$ vulnxscan.py /nix/store/5fjfirqjsxggkx4k8ylrrrjar1c54zxp-nixos-disk-image.drv --buildtime --whitelist=manual_analysis.csv --triage --nixprs +$ vulnxscan /nix/store/5fjfirqjsxggkx4k8ylrrrjar1c54zxp-nixos-disk-image.drv --buildtime --whitelist=manual_analysis.csv --triage --nixprs INFO Generating SBOM for target '/nix/store/5fjfirqjsxggkx4k8ylrrrjar1c54zxp-nixos-disk-image.drv' INFO Loading buildtime dependencies referenced by '/nix/store/5fjfirqjsxggkx4k8ylrrrjar1c54zxp-nixos-disk-image.drv' ... 
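Review bot: in the `@@ -362,7` hunk the unchanged comment line "# Run vulnscan with --triage and --nixprs" misspells the tool as `vulnscan`; since the command line right below it is being rewritten to `vulnxscan ... --triage --nixprs`, fix the comment in the same hunk.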
@@ -403,4 +372,4 @@ For now, consider `vulnxscan` as a demonstration. Some improvement ideas are lis ### Other Future Work - [vulnxscan](./vulnxscan.py) uses vulnix from a [forked repository](https://github.com/henrirosten/vulnix), to include vulnix support for [scanning runtime-only dependencies](https://github.com/flyingcircusio/vulnix/compare/master...henrirosten:vulnix:master). -- [vulnxscan](./vulnxscan.py) could include more scanners in addition to [vulnix](https://github.com/flyingcircusio/vulnix), [grype](https://github.com/anchore/grype), and [osv.py](https://github.com/tiiuae/sbomnix/blob/main/scripts/vulnxscan/osv.py). Suggestions for other open-source scanners, especially those that can digest CycloneDX or SPDX SBOMs are welcome. Consider e.g. [bombon](https://github.com/nikstur/bombon) and [cve-bin-tool](https://github.com/intel/cve-bin-tool). Adding cve-bin-tool to vulnxscan was [demonstrated](https://github.com/tiiuae/sbomnix/pull/75) earlier, but not merged due to reasons explained in the [PR](https://github.com/tiiuae/sbomnix/pull/75#issuecomment-1670958503). +- [vulnxscan](./vulnxscan.py) could include more scanners in addition to [vulnix](https://github.com/flyingcircusio/vulnix), [grype](https://github.com/anchore/grype), and [osv.py](../src/vulnxscan/osv.py). Suggestions for other open-source scanners, especially those that can digest CycloneDX or SPDX SBOMs are welcome. Consider e.g. [bombon](https://github.com/nikstur/bombon) and [cve-bin-tool](https://github.com/intel/cve-bin-tool). Adding cve-bin-tool to vulnxscan was [demonstrated](https://github.com/tiiuae/sbomnix/pull/75) earlier, but not merged due to reasons explained in the [PR](https://github.com/tiiuae/sbomnix/pull/75#issuecomment-1670958503).
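Review bot: both "Other Future Work" bullets still link `[vulnxscan](./vulnxscan.py)`, a path that does not exist next to the document once it lives in `doc/`; the `+` line updates only the `osv.py` link to `../src/vulnxscan/osv.py`. Point both bullets at `../src/vulnxscan/vulnxscan_cli.py`, the path this patch uses at the top of the same file, and consider doing the same for the unchanged first bullet about the forked vulnix so the document has no stale links left.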