sbomnix: Misc updates

- Update flake.lock
- gha: Remove unneeded graphviz installation
- gha: Use nix flakes when running github actions
- gha: Update cachix/install-nix-action to current newest version
- utils.py: Minor improvements to version regexps
- flake.nix: Quote nixpkgs URL
- Minor fixes to documentation

Signed-off-by: Henri Rosten <henri.rosten@unikie.com>

.github/workflows/release_sbomnix.yml

@@ -16,14 +16,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: ts-graphviz/setup-graphviz@v1
-      - uses: cachix/install-nix-action@v18
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixpkgs-unstable
-      - name: Test nix-build
+      - name: Make sure nix-build works
         run: nix-build '<nixpkgs>' -A hello
       - name: Build release asset
-        run: make release-asset
+        run: nix develop --command make release-asset
       - name: Upload release asset
         uses: svenstaro/upload-release-action@v2
         with:

.github/workflows/test_sbomnix.yml

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-name: GitHub Actions CI
+name: Test sbomnix 
 
 on:
   push:
@@ -17,11 +17,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: ts-graphviz/setup-graphviz@v1
-      - uses: cachix/install-nix-action@v18
+      - uses: cachix/install-nix-action@v22
         with:
           nix_path: nixpkgs=channel:nixpkgs-unstable
-      - name: Test nix-build
+      - name: Make sure nix-build works
         run: nix-build '<nixpkgs>' -A hello
-      - name: Run tests
-        run: make test-ci
+      - name: Run sbomnix CI tests
+        run: nix develop --command make test-ci

README.md

@@ -82,9 +82,9 @@ $ nix-env -f default.nix --install
 
 ## Usage Examples
 In the below examples, we use Nix package `wget` as an example target.
-To install wget and print out its out-path on your local system, try something like:
+To print `wget` out-path on your local system, try something like:
 ```bash
-$ nix-shell -p wget --run exit && nix eval -f '<nixpkgs>' 'wget.outPath'
+$ nix eval -f '<nixpkgs>' 'wget.outPath'
 "/nix/store/8nbv1drmvh588pwiwsxa47iprzlgwx6j-wget-1.21.3"
 ```
 
@@ -97,7 +97,7 @@ INFO     Wrote: sbom.cdx.json
 INFO     Wrote: sbom.spdx.json
 INFO     Wrote: sbom.csv
 ```
-Main output are the SBOM json files sbom.cdx.json and sbom.spdx.json in [CycloneDX](https://cyclonedx.org/) and [SPDX](https://spdx.github.io/spdx-spec/v2.3/) formats.
+Main outputs are the SBOM json files sbom.cdx.json and sbom.spdx.json in [CycloneDX](https://cyclonedx.org/) and [SPDX](https://spdx.github.io/spdx-spec/v2.3/) formats.
 
 #### Generate SBOM Including Meta Information
 To include license information to the SBOM, first generate package meta information with `nix-env`:

doc/nixgraph.md

@@ -27,9 +27,9 @@ To get started, follow the [Getting Started](../README.md#getting-started) secti
 
 ## Usage examples
 In the below examples, we use nix package `wget` as an example target.
-To install nix `wget` package and print out its out-path on your local system, try something like:
+To print `wget` out-path on your local system, try something like:
 ```bash
-$ nix-shell -p wget --run exit && nix eval -f '<nixpkgs>' 'wget.outPath'
+$ nix eval -f '<nixpkgs>' 'wget.outPath'
 "/nix/store/8nbv1drmvh588pwiwsxa47iprzlgwx6j-wget-1.21.3"
 ```
 

flake.nix

@@ -4,7 +4,7 @@
 {
   description = "Flakes file for sbomnix";
 
-  inputs.nixpkgs.url = github:NixOS/nixpkgs/nixos-unstable;
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
   outputs = { self, nixpkgs }:
     let

sbomnix/utils.py

@@ -139,7 +139,7 @@ def number_distance(n1, n2):
     """
     Return float value between [0.0,1.0] indicating the closeness
     of the given two numbers.
-    Returns 1.0 if the two integers are equal.
+    Returns 1.0 if the two numbers are equal.
     Returns 0.0 if either argument is not a number.
     """
     if not isinstance(n1, (float, int)) or not isinstance(n2, (float, int)):
@@ -161,10 +161,9 @@ def version_distance(v1, v2):
     """
     v1 = str(v1)
     v2 = str(v2)
-    re_vclean = re.compile(r"[^0-9.]+")
-    v1_clean = re_vclean.sub(r"", v1)
-    v2_clean = re_vclean.sub(r"", v2)
-    re_vsplit = re.compile(r"(?P<ver_beg>[0-9][0-9]*)(?P<ver_end>.*)$")
+    v1_clean = re.sub(r"[^0-9.]+", "", v1)
+    v2_clean = re.sub(r"[^0-9.]+", "", v2)
+    re_vsplit = re.compile(r".*?(?P<ver_beg>[0-9][0-9]*)(?P<ver_end>.*)$")
     match = re.match(re_vsplit, v1_clean)
     if not match:
         logging.getLogger(LOGGER_NAME).warning("Unexpected v1 version '%s'", v1)
@@ -188,21 +187,21 @@ def parse_version(ver_str):
     Returns None if the version string can not be converted to version object.
     """
     ver_str = str(ver_str)
-    re_ver = re.compile(r"(?P<ver_beg>[0-9][0-9.]*)(?P<ver_end>.*)$")
+    re_ver = re.compile(r".*?(?P<ver_beg>[0-9][0-9.]*)(?P<ver_end>.*)$")
     match = re_ver.match(ver_str)
     if not match:
         logging.getLogger(LOGGER_NAME).warning("Unable to parse version '%s'", ver_str)
         return None
     ver_beg = match.group("ver_beg").rstrip(".")
     ver_end = match.group("ver_end")
-    re_vclean = re.compile("[^0-9.]+")
-    ver_end = re_vclean.sub(r"", ver_end)
+    ver_end = re.sub(r"[^0-9.]+", "", ver_end)
     if ver_end:
         ver_end = f"+{ver_end}"
     else:
         ver_end = ""
     ver_end = ver_end.rstrip(".")
     ver = f"{ver_beg}{ver_end}"
+    ver = re.sub(r"\.+", ".", ver)
     logging.getLogger(LOGGER_NAME).log(LOG_SPAM, "%s --> %s", ver_str, ver)
     if not ver:
         logging.getLogger(LOGGER_NAME).warning("Invalid version '%s'", ver_str)

scripts/nixupdate/README.md

@@ -58,9 +58,9 @@ $ scripts/nixupdate/nix_secupdates.py --help
 
 ## Example Target
 We use Nix package `git` as an example target.
-To install git and print out its out-path on your local system, try something like:
+To print `git` out-path on your local system, try something like:
 ```bash
-$ nix-shell -p git --run exit && nix eval -f '<nixpkgs>' 'git.outPath'
+$ nix eval -f '<nixpkgs>' 'git.outPath'
 "/nix/store/2853v0cidl7jww2hs1mlkg0i372mk368-git-2.39.2"
 ```
 

scripts/nixupdate/nix_secupdates.py

@@ -355,7 +355,7 @@ def _vuln_nixpkgs_pr(row):
         # Query merged PRs based on pkg name and version in title
         prs = _github_query(f"{nixpr} {merged} {pkg} in:title {ver} in:title")
         _search_result_append(prs, result)
-    return " \n".join(list(result))
+    return " \n".join(sorted(list(result)))
 
 
 def _report(df_vulns):