I’m looking into generating SPDX and/or CycloneDX spec Software Bill of Materials (SBOM) from Nix derivations. I have a few questions and proposals.
- Is anyone aware of any work on this already?
- If there isn’t already tooling for this, I could write some tooling for it, but does anyone have any thoughts on the approach to take to pull the right info from a derivation/Nix environment required for generating an SBOM? Not just from nix-env, but from things like Nix-built containers?
- This is part of some supply-chain security and software factory work under the Cloud Native Computing Foundation (CNCF). We would like to work with the Nix community, as Nix’s approach to reproducibility, traceability, determinism, etc. is huge for supply chain security. Is anyone interested in collaborating on this?
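As an added example that is not part of the original post and is not existing Nix or CNCF tooling: one way to pull the information the post asks about out of a derivation closure is to parse the JSON that `nix show-derivation -r <drv>` prints (`nix derivation show -r` in newer Nix) and walk `inputDrvs` from the root derivation, emitting one CycloneDX component per `.drv` plus a `dependencies` graph. The sample derivation data below is constructed to mirror that JSON shape rather than obtained from a real build; the `nix:` property names, and the choice to map fixed-output derivations (fetched sources, recognisable by `outputHash` in `env`) to CycloneDX `file` components, are my own assumptions and not part of either spec.

```python
"""Added example (not from the original post): turn `nix show-derivation -r` JSON into a
minimal CycloneDX 1.4 SBOM. Assumes the JSON shape that command prints (a dict keyed by
.drv path with "outputs", "inputSrcs", "inputDrvs", "env") and uses CONSTRUCTED sample
data instead of invoking nix."""
import json
import re
from typing import Dict, List, Tuple

# Nix store paths look like /nix/store/<32-char hash>-<name>[.drv].
STORE_PATH_RE = re.compile(r"^/nix/store/[0-9a-z]{32}-(.+?)(?:\.drv)?$")


def store_name(path: str) -> str:
    """'/nix/store/<hash>-hello-2.12.1.drv' -> 'hello-2.12.1' (store prefix and hash stripped)."""
    m = STORE_PATH_RE.match(path)
    if not m:
        raise ValueError(f"not a Nix store path: {path}")
    return m.group(1)


def split_name_version(name_ver: str) -> Tuple[str, str]:
    """Split like Nix's parseDrvName: the version starts at the first '-' followed by a digit."""
    m = re.match(r"^(.*?)-(\d.*)$", name_ver)
    return (m.group(1), m.group(2)) if m else (name_ver, "")


def component_for(drv_path: str, drv: Dict) -> Dict:
    """One CycloneDX component per derivation; pname/version from env win over path parsing."""
    env = drv.get("env", {})
    name, version = split_name_version(env.get("name") or store_name(drv_path))
    name = env.get("pname") or name
    version = env.get("version") or version
    fixed_output = "outputHash" in env  # fetchurl-style derivation: fetched source, not built code
    comp = {
        "type": "file" if fixed_output else "library",  # assumed mapping, not from the spec
        "bom-ref": drv_path,
        "name": name,
        "properties": [{"name": "nix:drv-path", "value": drv_path}]  # "nix:" names are assumed
        + [{"name": f"nix:output:{o}", "value": d["path"]} for o, d in sorted(drv.get("outputs", {}).items())],
    }
    if version:
        comp["version"] = version
    if fixed_output:
        comp["properties"].append(
            {"name": "nix:outputHash", "value": f"{env.get('outputHashAlgo', '?')}:{env['outputHash']}"})
    return comp


def build_sbom(drvs: Dict[str, Dict], root: str) -> Dict:
    """Walk inputDrvs from `root` and emit a CycloneDX 1.4 document with a dependency graph."""
    order: List[str] = []
    seen = set()
    stack = [root]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        if p not in drvs:
            # Typical when show-derivation ran without -r: the closure is incomplete.
            raise KeyError(f"{p} is referenced but missing; run `nix show-derivation -r`")
        seen.add(p)
        order.append(p)
        stack.extend(sorted(drvs[p].get("inputDrvs", {})))
    # NOTE: inputSrcs (plain store files such as builder scripts) are not emitted here.
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": component_for(root, drvs[root])},
        "components": [component_for(p, drvs[p]) for p in order if p != root],
        "dependencies": [{"ref": p, "dependsOn": sorted(drvs[p].get("inputDrvs", {}))} for p in order],
    }


# --- CONSTRUCTED sample shaped like `nix show-derivation -r` output; hashes are placeholders ---
ROOT_DRV = "/nix/store/" + "a" * 32 + "-hello-2.12.1.drv"
GLIBC_DRV = "/nix/store/" + "b" * 32 + "-glibc-2.37-8.drv"
SRC_DRV = "/nix/store/" + "c" * 32 + "-hello-2.12.1.tar.gz.drv"
STDENV_DRV = "/nix/store/" + "d" * 32 + "-stdenv-linux.drv"

SAMPLE_DRVS = {
    ROOT_DRV: {
        "outputs": {"out": {"path": "/nix/store/" + "e" * 32 + "-hello-2.12.1"}},
        "inputSrcs": ["/nix/store/" + "f" * 32 + "-default-builder.sh"],
        "inputDrvs": {GLIBC_DRV: ["out"], SRC_DRV: ["out"], STDENV_DRV: ["out"]},
        "system": "x86_64-linux",
        "env": {"name": "hello-2.12.1", "pname": "hello", "version": "2.12.1"},
    },
    GLIBC_DRV: {
        "outputs": {"out": {"path": "/nix/store/" + "g" * 32 + "-glibc-2.37-8"}},
        "inputSrcs": [], "inputDrvs": {STDENV_DRV: ["out"]}, "system": "x86_64-linux",
        "env": {"name": "glibc-2.37-8", "pname": "glibc", "version": "2.37-8"},
    },
    SRC_DRV: {  # fixed-output derivation: the fetched upstream tarball (placeholder hash)
        "outputs": {"out": {"path": "/nix/store/" + "h" * 32 + "-hello-2.12.1.tar.gz"}},
        "inputSrcs": [], "inputDrvs": {}, "system": "builtin",
        "env": {"name": "hello-2.12.1.tar.gz", "outputHashAlgo": "sha256", "outputHash": "0" * 52},
    },
    STDENV_DRV: {  # no pname/version in env: falls back to parsing the derivation name
        "outputs": {"out": {"path": "/nix/store/" + "i" * 32 + "-stdenv-linux"}},
        "inputSrcs": [], "inputDrvs": {}, "system": "x86_64-linux",
        "env": {"name": "stdenv-linux"},
    },
}

if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_DRVS, ROOT_DRV), indent=2))
```

Two things a practitioner would want on top of this: the `.drv` closure describes build-time inputs, so an SBOM for a Nix-built container (the post's second case) should instead start from the runtime closure of the image's store paths (`nix-store --query --requisites` on the output paths), and the `inputSrcs` entries skipped above are exactly where builder scripts and patches live, so they belong in the SBOM once you care about what was applied to the source.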