sbomnix: be able to use inside a derivation

[bjornfor]

I'd like to generate SBOMs inside Nix derivations, but that doesn't currently work. I tried both with and without sbomnix --buildtime ... option.

Reproducer:

# file: sbom.nix
let
  nixpkgs = builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/bc27f0fde01ce4e1bfec1ab122d72b7380278e68.tar.gz"; # nixpkgs-unstable @ 2024-12-09
    sha256 = "0fxl020s1fmxygvi5bj8w30jq1bwynrn2xclwm5ahynw0nv9v6pv";
  };

  pkgs = import nixpkgs { config = { }; overlays = [ ]; };

  sbom = pkgs.runCommand "sbom"
    { nativeBuildInputs = [ pkgs.sbomnix ];
    }
    ''
      mkdir -p "$out"
      (cd "$out" && sbomnix --verbose 3 "${pkgs.bash}")
    '';
in
  sbom

$ nix-build ./sbom.nix
this derivation will be built:
  /nix/store/fbsxwsinyryxr8dk4f0wqqk053pf33xy-sbom.drv
building '/nix/store/fbsxwsinyryxr8dk4f0wqqk053pf33xy-sbom.drv'...
INFO     utils.py:try_resolve_flakeref():182 Evaluating '/nix/store/p6k7xp1lsfmbdd731mlglrdj2d66mr82-bash-5.2p37'
DEBUG    utils.py:exec_cmd():127 Running: nix eval --raw /nix/store/p6k7xp1lsfmbdd731mlglrdj2d66mr82-bash-5.2p37 --extra-experimental-features flakes --extra-experimental-features nix-command
DEBUG    utils.py:exec_cmd():135 Error running shell command:
 cmd:   'nix eval --raw /nix/store/p6k7xp1lsfmbdd731mlglrdj2d66mr82-bash-5.2p37 --extra-experimental-features flakes --extra-experimental-features nix-command'
 stdout: 
 stderr: warning: you don't have Internet access; disabling some network-dependent features
error: creating directory '/nix/var/nix/profiles': Permission denied

DEBUG    utils.py:try_resolve_flakeref():188 not a flakeref: '/nix/store/p6k7xp1lsfmbdd731mlglrdj2d66mr82-bash-5.2p37'
DEBUG    utils.py:exit_unless_nix_artifact():162 force_realize: True
INFO     utils.py:exit_unless_nix_artifact():164 Try force-realising store-path '/nix/store/p6k7xp1lsfmbdd731mlglrdj2d66mr82-bash-5.2p37'
DEBUG    utils.py:exec_cmd():127 Running: nix-store -qf /nix/store/p6k7xp1lsfmbdd731mlglrdj2d66mr82-bash-5.2p37
DEBUG    utils.py:exec_cmd():135 Error running shell command:
 cmd:   'nix-store -qf /nix/store/p6k7xp1lsfmbdd731mlglrdj2d66mr82-bash-5.2p37'
 stdout: 
 stderr: error: creating directory '/nix/var/nix/profiles': Permission denied

CRITICAL utils.py:exit_unless_nix_artifact():172 Specified target is not a nix artifact: '/nix/store/p6k7xp1lsfmbdd731mlglrdj2d66mr82-bash-5.2p37'
error: builder for '/nix/store/fbsxwsinyryxr8dk4f0wqqk053pf33xy-sbom.drv' failed with exit code 1;

[henrirosten]

This is due to the same problem discussed here: #106 (comment), that is:

I believe what you are trying to do cannot be done with sbomnix since it uses nix-store internally, and using nix-store
inside nix-build (in runCommand) will not work due to nix build sandbox.