feat: read manifest for paths and create/upload sbom

Author: samrose

.github/workflows/ami-release-nix.yml

@@ -206,6 +206,36 @@ jobs:
 
           echo "Catalog uploaded to ${CATALOG_S3}"
 
+      - name: Assume SBOM artifacts role
+        uses: aws-actions/configure-aws-credentials@v4.1.0
+        with:
+          aws-region: ap-southeast-1
+          role-to-assume: arn:aws:iam::279559813984:role/supabase-github-oidc-role
+          role-session-name: shared-services-jump
+
+      - name: Upload comprehensive SBOM to shared artifacts
+        uses: aws-actions/configure-aws-credentials@v4.1.0
+        with:
+          aws-region: ap-southeast-1
+          role-to-assume: arn:aws:iam::279559813984:role/supabase-sbom-artifacts-role
+          role-skip-session-tagging: true
+          role-session-name: upload-sbom
+          role-chaining: true
+
+      - name: Upload SBOM
+        run: |
+          VERSION="${{ steps.process_release_version.outputs.version }}"
+
+          # Check if comprehensive SBOM exists (generated during AMI build)
+          if [ -f "nix-sbom.spdx.json" ]; then
+            aws s3 cp nix-sbom.spdx.json \
+              "s3://${{ secrets.SHARED_AWS_ARTIFACTS_BUCKET }}/sbom/${VERSION}/sbom.spdx.json" \
+              --content-type "application/json"
+            echo "::notice title=SBOM Uploaded::Comprehensive SBOM for ${VERSION} uploaded to shared artifacts"
+          else
+            echo "::warning title=SBOM Missing::Comprehensive SBOM file not found, skipping upload"
+          fi
+
       - name: Create release
         uses: softprops/action-gh-release@v2
         with:

.gitignore

@@ -33,3 +33,8 @@ common-nix.vars.pkr.hcl
 nixos.qcow2
 .lsp
 .clj-kondo
+#sbom development files
+http_cache.sqlite
+nix-sbom.spdx.json
+sbom.cdx.json
+sbom.csv

nix/packages/default.nix

@@ -42,6 +42,7 @@
             sbom-ubuntu
             sbom-nix
             sbom-generator
+            collect-nix-paths
             sbomnix
             ;
 

nix/packages/sbom/cmd/sbom/main.go

@@ -5,12 +5,26 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"strings"
 
 	"github.com/supabase/postgres/nix/packages/sbom/internal/merge"
 	"github.com/supabase/postgres/nix/packages/sbom/internal/nix"
+	"github.com/supabase/postgres/nix/packages/sbom/internal/spdx"
 	"github.com/supabase/postgres/nix/packages/sbom/internal/ubuntu"
 )
 
+// stringSliceFlag allows multiple values for a single flag
+type stringSliceFlag []string
+
+func (s *stringSliceFlag) String() string {
+	return strings.Join(*s, ", ")
+}
+
+func (s *stringSliceFlag) Set(value string) error {
+	*s = append(*s, value)
+	return nil
+}
+
 func main() {
 	if len(os.Args) < 2 {
 		printUsage()
@@ -91,12 +105,12 @@ func nixCommand(args []string) {
 	outputFile := fs.String("output", "nix-sbom.spdx.json", "Output file path")
 
 	fs.Usage = func() {
-		fmt.Println("Usage: sbom nix <derivation-path> [flags]")
+		fmt.Println("Usage: sbom nix <derivation-path> [derivation-path...] [flags]")
 		fmt.Println()
 		fmt.Println("Generate Nix-only SBOM using sbomnix")
 		fmt.Println()
 		fmt.Println("Arguments:")
-		fmt.Println("  derivation-path    Path to the Nix derivation (required)")
+		fmt.Println("  derivation-path    Path(s) to Nix derivation(s) (at least one required)")
 		fmt.Println()
 		fmt.Println("Flags:")
 		fs.PrintDefaults()
@@ -107,34 +121,43 @@ func nixCommand(args []string) {
 	}
 
 	if fs.NArg() < 1 {
-		fmt.Println("Error: derivation path required")
+		fmt.Println("Error: at least one derivation path required")
 		fmt.Println()
 		fs.Usage()
 		os.Exit(1)
 	}
 
-	derivationPath := fs.Arg(0)
-
 	// Use sbomnix from PATH
 	wrapper := nix.NewWrapper("sbomnix")
 
-	if err := wrapper.Generate(derivationPath, *outputFile); err != nil {
-		log.Fatalf("Failed to generate Nix SBOM: %v", err)
+	if fs.NArg() == 1 {
+		// Single path - use original method
+		if err := wrapper.Generate(fs.Arg(0), *outputFile); err != nil {
+			log.Fatalf("Failed to generate Nix SBOM: %v", err)
+		}
+	} else {
+		// Multiple paths - use new method
+		paths := fs.Args()
+		if err := wrapper.GenerateMultiple(paths, *outputFile); err != nil {
+			log.Fatalf("Failed to generate Nix SBOM: %v", err)
+		}
 	}
 
 	fmt.Printf("Nix SBOM generated successfully: %s\n", *outputFile)
 }
 
 func combinedCommand(args []string) {
 	fs := flag.NewFlagSet("combined", flag.ExitOnError)
-	nixTarget := fs.String("nix-target", "", "Path to Nix derivation (required)")
+	var nixTargets stringSliceFlag
+	fs.Var(&nixTargets, "nix-target", "Path to Nix derivation (can be specified multiple times)")
 	outputFile := fs.String("output", "merged-sbom.spdx.json", "Output file path")
 	includeFiles := fs.Bool("include-files", false, "Include file checksums for Ubuntu packages")
 	progress := fs.Bool("progress", true, "Show progress indicators")
 	noProgress := fs.Bool("no-progress", false, "Disable progress indicators")
+	nixOnly := fs.Bool("nix-only", false, "Generate Nix-only SBOM (skip Ubuntu packages)")
 
 	fs.Usage = func() {
-		fmt.Println("Usage: sbom combined --nix-target <derivation> [flags]")
+		fmt.Println("Usage: sbom combined --nix-target <derivation> [--nix-target <derivation>...] [flags]")
 		fmt.Println()
 		fmt.Println("Generate and merge both Ubuntu and Nix SBOMs")
 		fmt.Println()
@@ -146,8 +169,8 @@ func combinedCommand(args []string) {
 		os.Exit(1)
 	}
 
-	if *nixTarget == "" {
-		fmt.Println("Error: --nix-target is required")
+	if len(nixTargets) == 0 {
+		fmt.Println("Error: at least one --nix-target is required")
 		fmt.Println()
 		fs.Usage()
 		os.Exit(1)
@@ -162,33 +185,52 @@ func combinedCommand(args []string) {
 	}
 	defer os.RemoveAll(tmpDir)
 
-	ubuntuSBOM := fmt.Sprintf("%s/ubuntu-sbom.spdx.json", tmpDir)
-	nixSBOM := fmt.Sprintf("%s/nix-sbom.spdx.json", tmpDir)
+	merger := merge.NewMerger()
+	nixWrapper := nix.NewWrapper("sbomnix")
 
-	// Generate Ubuntu SBOM
-	fmt.Println("Generating Ubuntu SBOM...")
-	ubuntuGen := ubuntu.NewGenerator(*includeFiles, showProgress)
-	ubuntuDoc, err := ubuntuGen.Generate()
-	if err != nil {
-		log.Fatalf("Failed to generate Ubuntu SBOM: %v", err)
-	}
-	if err := ubuntuGen.Save(ubuntuDoc, ubuntuSBOM); err != nil {
-		log.Fatalf("Failed to save Ubuntu SBOM: %v", err)
-	}
+	var ubuntuSBOM string
+	if !*nixOnly {
+		// Generate Ubuntu SBOM
+		fmt.Println("Generating Ubuntu SBOM...")
+		ubuntuSBOM = fmt.Sprintf("%s/ubuntu-sbom.spdx.json", tmpDir)
+		ubuntuGen := ubuntu.NewGenerator(*includeFiles, showProgress)
+		ubuntuDoc, err := ubuntuGen.Generate()
+		if err != nil {
+			log.Fatalf("Failed to generate Ubuntu SBOM: %v", err)
+		}
+		if err := ubuntuGen.Save(ubuntuDoc, ubuntuSBOM); err != nil {
+			log.Fatalf("Failed to save Ubuntu SBOM: %v", err)
+		}
+	}
+
+	// Generate Nix SBOM(s)
+	fmt.Printf("Generating Nix SBOM from %d target(s)...\n", len(nixTargets))
+	nixSBOM := fmt.Sprintf("%s/nix-sbom.spdx.json", tmpDir)
 
-	// Generate Nix SBOM
-	fmt.Println("Generating Nix SBOM...")
-	nixWrapper := nix.NewWrapper("sbomnix")
-	if err := nixWrapper.Generate(*nixTarget, nixSBOM); err != nil {
-		log.Fatalf("Failed to generate Nix SBOM: %v", err)
+	if len(nixTargets) == 1 {
+		if err := nixWrapper.Generate(nixTargets[0], nixSBOM); err != nil {
+			log.Fatalf("Failed to generate Nix SBOM: %v", err)
+		}
+	} else {
+		if err := nixWrapper.GenerateMultiple([]string(nixTargets), nixSBOM); err != nil {
+			log.Fatalf("Failed to generate Nix SBOM: %v", err)
+		}
 	}
 
 	// Merge SBOMs
 	fmt.Println("Merging SBOMs...")
-	merger := merge.NewMerger()
-	mergedDoc, err := merger.Merge(ubuntuSBOM, nixSBOM)
-	if err != nil {
-		log.Fatalf("Failed to merge SBOMs: %v", err)
+	var mergedDoc *spdx.Document
+	if *nixOnly {
+		// Load and output Nix SBOM directly
+		mergedDoc, err = merger.LoadDocument(nixSBOM)
+		if err != nil {
+			log.Fatalf("Failed to load Nix SBOM: %v", err)
+		}
+	} else {
+		mergedDoc, err = merger.Merge(ubuntuSBOM, nixSBOM)
+		if err != nil {
+			log.Fatalf("Failed to merge SBOMs: %v", err)
+		}
 	}
 
 	if err := merger.Save(mergedDoc, *outputFile); err != nil {

nix/packages/sbom/default.nix

@@ -31,13 +31,26 @@ let
     export PATH="${sbomnix}/bin:$PATH"
     ${sbom}/bin/sbom combined "$@"
   '';
+
+  # Script to collect nix store paths from all user profile manifests
+  collect-nix-paths = pkgs.writeShellScriptBin "collect-nix-paths" ''
+    set -euo pipefail
+    USERS="adminapi envoy gotrue kong nginx pgbouncer postgres postgrest supabase-admin-agent ubuntu wal-g"
+    for user in $USERS; do
+      manifest="/home/$user/.nix-profile/manifest.json"
+      if [ -f "$manifest" ]; then
+        ${pkgs.jq}/bin/jq -r '.elements | to_entries[].value.storePaths[]' "$manifest" 2>/dev/null || true
+      fi
+    done | sort -u | grep -v '^$'
+  '';
 in
 {
   inherit
     sbom
     sbom-ubuntu
     sbom-nix
     sbom-generator
+    collect-nix-paths
     sbomnix
     ;
 }

nix/packages/sbom/internal/merge/merger.go

@@ -127,7 +127,130 @@ func (m *Merger) Merge(ubuntuPath, nixPath string) (*spdx.Document, error) {
 	return mergedDoc, nil
 }
 
+// MergeMultipleNix merges multiple Nix SPDX documents into a single document
+func (m *Merger) MergeMultipleNix(nixPaths []string) (*spdx.Document, error) {
+	if len(nixPaths) == 0 {
+		return nil, fmt.Errorf("no SPDX files provided")
+	}
+
+	if len(nixPaths) == 1 {
+		return m.LoadDocument(nixPaths[0])
+	}
+
+	uuid, err := spdx.GenerateUUID()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate UUID: %w", err)
+	}
+
+	// Create merged document
+	mergedDoc := &spdx.Document{
+		SPDXVersion:       "SPDX-2.3",
+		DataLicense:       "CC0-1.0",
+		SPDXID:            "SPDXRef-DOCUMENT",
+		Name:              fmt.Sprintf("Nix-System-SBOM-%s", time.Now().Format("2006-01-02")),
+		DocumentNamespace: fmt.Sprintf("https://sbom.nix.system/%s", uuid),
+		CreationInfo: spdx.CreationInfo{
+			Created:            time.Now().UTC().Format(time.RFC3339),
+			Creators:           []string{"Tool: nix-sbom-merger-1.0"},
+			LicenseListVersion: "3.20",
+		},
+		Packages:      []spdx.Package{},
+		Relationships: []spdx.Relationship{},
+	}
+
+	// Create the single root System package
+	systemPkg := spdx.Package{
+		SPDXID:           "SPDXRef-System",
+		Name:             "Nix-System",
+		DownloadLocation: "NOASSERTION",
+		FilesAnalyzed:    false,
+		LicenseConcluded: "NOASSERTION",
+		LicenseDeclared:  "NOASSERTION",
+		CopyrightText:    "NOASSERTION",
+		Description:      "Combined Nix package system from multiple profiles",
+	}
+	mergedDoc.Packages = append(mergedDoc.Packages, systemPkg)
+
+	// Add document describes relationship
+	mergedDoc.Relationships = append(mergedDoc.Relationships, spdx.Relationship{
+		SPDXElementID:      "SPDXRef-DOCUMENT",
+		RelatedSPDXElement: "SPDXRef-System",
+		RelationshipType:   "DESCRIBES",
+	})
+
+	// Track seen packages by SPDXID to deduplicate
+	seenPackages := make(map[string]bool)
+	totalCount := 0
+
+	for i, nixPath := range nixPaths {
+		nixDoc, err := m.LoadDocument(nixPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load Nix SBOM %s: %w", nixPath, err)
+		}
+
+		// Collect creators
+		for _, creator := range nixDoc.CreationInfo.Creators {
+			found := false
+			for _, existing := range mergedDoc.CreationInfo.Creators {
+				if existing == creator {
+					found = true
+					break
+				}
+			}
+			if !found {
+				mergedDoc.CreationInfo.Creators = append(mergedDoc.CreationInfo.Creators, creator)
+			}
+		}
+
+		// Process Nix packages
+		for _, pkg := range nixDoc.Packages {
+			// Skip root/system packages
+			if strings.Contains(strings.ToLower(pkg.Name), "system") &&
+				(pkg.SPDXID == "SPDXRef-DOCUMENT" || strings.HasSuffix(pkg.SPDXID, "-System")) {
+				continue
+			}
+
+			// Ensure SPDXID has Nix prefix with source index to avoid conflicts
+			originalID := pkg.SPDXID
+			if !strings.HasPrefix(pkg.SPDXID, "SPDXRef-Nix-") {
+				pkg.SPDXID = m.renumberSPDXID(pkg.SPDXID, fmt.Sprintf("Nix%d", i))
+			}
+
+			// Skip if we've already seen this package (by name+version for deduplication)
+			pkgKey := fmt.Sprintf("%s-%s", pkg.Name, pkg.PackageVersion)
+			if seenPackages[pkgKey] {
+				continue
+			}
+			seenPackages[pkgKey] = true
+
+			// Clean up invalid CPE references from sbomnix
+			pkg.ExternalRefs = m.cleanExternalRefs(pkg.ExternalRefs)
+
+			mergedDoc.Packages = append(mergedDoc.Packages, pkg)
+
+			// Add relationship to system root
+			mergedDoc.Relationships = append(mergedDoc.Relationships, spdx.Relationship{
+				SPDXElementID:      "SPDXRef-System",
+				RelatedSPDXElement: pkg.SPDXID,
+				RelationshipType:   "CONTAINS",
+			})
+			totalCount++
+
+			_ = originalID // suppress unused warning
+		}
+	}
+
+	fmt.Printf("Merged %d unique Nix packages from %d sources\n", totalCount, len(nixPaths))
+
+	return mergedDoc, nil
+}
+
 func (m *Merger) loadDocument(path string) (*spdx.Document, error) {
+	return m.LoadDocument(path)
+}
+
+// LoadDocument loads an SPDX document from a file
+func (m *Merger) LoadDocument(path string) (*spdx.Document, error) {
 	data, err := os.ReadFile(path)
 	if err != nil {
 		return nil, err