treewide: collect patches from derivations and include in SBOM

nikstur · nikstur · commit bd91205b2075 · 2025-03-17T11:44:16.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## 0.4.0 (unreleased)
+
+### Added
+
+- Added the ability to extract patches from a derivation and include them in
+  the SBOM.
+
 ## 0.3.0
 
 ### Added
diff --git a/nix/buildtime-dependencies.nix b/nix/buildtime-dependencies.nix
@@ -71,6 +71,7 @@ let
     ] drv)
     // {
       path = drv.outPath;
+      patches = lib.flatten (drv.patches or [ ]);
     }
     // lib.optionalAttrs (drv ? src && drv.src ? url) {
       src =
diff --git a/rust/transformer/src/cyclonedx.rs b/rust/transformer/src/cyclonedx.rs
@@ -7,7 +7,10 @@ use std::str::FromStr;
 use anyhow::{Context, Result};
 use cyclonedx_bom::external_models::normalized_string::NormalizedString;
 use cyclonedx_bom::external_models::uri::{Purl, Uri};
+use cyclonedx_bom::models::attached_text::AttachedText;
 use cyclonedx_bom::models::bom::{Bom, UrnUuid};
+use cyclonedx_bom::models::code::{Diff, Patch, PatchClassification, Patches};
+use cyclonedx_bom::models::component::Pedigree;
 use cyclonedx_bom::models::component::{Classification, Component, Components, Scope};
 use cyclonedx_bom::models::external_reference::{
     self, ExternalReference, ExternalReferenceType, ExternalReferences,
@@ -170,6 +173,17 @@ impl CycloneDXComponent {
             component.external_references = Some(ExternalReferences(external_references));
         }
 
+        if !derivation.patches.is_empty() {
+            component.pedigree = Some(Pedigree {
+                ancestors: None,
+                descendants: None,
+                variants: None,
+                commits: None,
+                patches: Some(convert_patches(&derivation.patches)),
+                notes: None,
+            });
+        }
+
         Self(component)
     }
 }
@@ -277,3 +291,25 @@ fn metadata_tools() -> Tools {
         components: Some(Components(vec![component])),
     }
 }
+
+fn convert_patches(patches: &[String]) -> Patches {
+    let cyclonedx_patches = patches
+        .iter()
+        .filter_map(|patch| fs::read_to_string(patch).ok())
+        .map(|diff| Patch {
+            // As we know nothing about the patch at this level, the safest is to assume that it's
+            // unofficial
+            patch_type: PatchClassification::Unofficial,
+            diff: Some(Diff {
+                text: Some(AttachedText {
+                    content_type: Some(NormalizedString::new("text/plain")),
+                    encoding: None,
+                    content: diff,
+                }),
+                url: None,
+            }),
+            resolves: None,
+        })
+        .collect::<Vec<_>>();
+    Patches(cyclonedx_patches)
+}
diff --git a/rust/transformer/src/derivation.rs b/rust/transformer/src/derivation.rs
@@ -13,6 +13,7 @@ pub struct Derivation {
     pub output_hash: Option<String>,
     pub src: Option<Src>,
     pub vendored_sbom: Option<String>,
+    pub patches: Vec<String>,
 }
 
 impl Derivation {

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,7 @@ let`
`71`	`71`	`] drv)`
`72`	`72`	`// {`
`73`	`73`	`path = drv.outPath;`
	`74`	`+ patches = lib.flatten (drv.patches or [ ]);`
`74`	`75`	`}`
`75`	`76`	`// lib.optionalAttrs (drv ? src && drv.src ? url) {`
`76`	`77`	`src =`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ pub struct Derivation {`
`13`	`13`	`pub output_hash: Option<String>,`
`14`	`14`	`pub src: Option<Src>,`
`15`	`15`	`pub vendored_sbom: Option<String>,`
	`16`	`+ pub patches: Vec<String>,`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`impl Derivation {`