Some additions to SBOM creation epic

Makefile

@@ -729,9 +729,9 @@ upload-bombon: sbom.json
 # Targets should be independently executable and creating a Nix env in a Nix
 # env doesn't play well.
 
-# Generate all SBOMs (Helm + Docker Compose + Helmfile)
+# Generate all SBOMs (Helm + Docker Compose + Helmfile + Nix Docker Images + Nix DevShell)
 .PHONY: sboms
-sboms: sboms-helm sboms-docker-compose sboms-helmfile
+sboms: sboms-helm sboms-docker-compose sboms-helmfile sboms-nix-docker-images sboms-nix-devshell
 
 # Generate SBOMs for Helm charts
 .PHONY: sboms-helm
@@ -756,6 +756,26 @@ sboms-helmfile: .local/charts
 	fi
 	./hack/bin/create-helmfile-sboms.sh tmp/sboms/helmfile $(HELM_SEMVER)
 
+# Generate SBOMs for Nix-built Docker images using sbomnix
+# This generates SBOMs from the Nix store paths of executables that go into Docker images
+.PHONY: sboms-nix-docker-images
+sboms-nix-docker-images:
+	@if [ "$(HELM_SEMVER)" = "0.0.42" ]; then \
+		echo "Environment variable HELM_SEMVER not set to non-default value. Re-run with HELM_SEMVER=<version>"; \
+		exit 1; \
+	fi
+	./hack/bin/create-nix-docker-image-sboms.sh tmp/sboms/nix-docker-images $(HELM_SEMVER) imagesUnoptimizedNoDocs
+
+# Generate SBOMs for Nix devShells using sbomnix
+# This generates SBOMs from the Nix store paths of packages in the development environments
+.PHONY: sboms-nix-devshell
+sboms-nix-devshell:
+	@if [ "$(HELM_SEMVER)" = "0.0.42" ]; then \
+		echo "Environment variable HELM_SEMVER not set to non-default value. Re-run with HELM_SEMVER=<version>"; \
+		exit 1; \
+	fi
+	./hack/bin/create-nix-devshell-sbom.sh tmp/sboms/nix-devshell $(HELM_SEMVER)
+
 # Validate all SBOM files using cyclonedx
 .PHONY: validate-sboms
 validate-sboms:

changelog.d/5-internal/sbomnix

@@ -0,0 +1 @@
+Use sbomnix to generate SBOMs for Nix-built Docker images and devShells. Adjust Helm chart values for inlined wire-server chart.

flake.nix

@@ -12,6 +12,10 @@
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.flake-utils.follows = "flake-utils";
     };
+    sbomnix = {
+      url = "github:tiiuae/sbomnix/v1.7.4";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     bloodhound = {
       url = "github:wireapp/bloodhound?ref=wire-fork";
@@ -83,7 +87,7 @@
     };
   };
 
-  outputs = inputs@{ nixpkgs, nixpkgs_24_11, nixpkgs-unstable, flake-utils, tom-bombadil, ... }:
+  outputs = inputs@{ nixpkgs, nixpkgs_24_11, nixpkgs-unstable, flake-utils, tom-bombadil, sbomnix, ... }:
     flake-utils.lib.eachDefaultSystem (system:
       let
         pkgs = import nixpkgs {
@@ -134,6 +138,7 @@
             pkgs_unstable.syft
             pkgs.kubernetes-helm
             pkgs.helmfile
+            sbomnix.packages.${system}.default
           ] ++ pkgs.lib.optionals pkgs.stdenv.isLinux [
             # Linux-only container tools
             pkgs.skopeo

hack/bin/create-helm-sboms.sh

@@ -33,10 +33,36 @@ extract_images_from_chart() {
   fi
 
   # Template the chart and extract image references
-  # We use a dummy release name and set a global placeholder to be more lenient
+  # For wire-server and wire-server-enterprise, provide minimal values to pass required checks
   # (we don't want to check the Helm chart, only extract its images)
   local output
-  output=$(helm template test-release "$chart_path" --set-string 'global.placeholder=placeholder' 2>/dev/null) || true
+  if [[ "$chart_name" == "wire-server" ]]; then
+    local tmpval
+    tmpval=$(mktemp --suffix=.yaml)
+    cat > "$tmpval" <<'EOF'
+nginz: {secrets: {zAuth: {publicKeys: placeholder}, basicAuth: placeholder}}
+brig:
+  secrets: {zAuth: {privateKeys: placeholder, publicKeys: placeholder}, turn: {secret: placeholder}, rabbitmq: {username: placeholder, password: placeholder}}
+  config:
+    aws: {sesQueue: placeholder}
+    externalUrls: {nginz: 'https://placeholder'}
+cargohold: {secrets: {placeholder: placeholder}}
+background-worker: {secrets: {rabbitmq: {username: placeholder, password: placeholder}}}
+proxy: {secrets: {proxy_config: placeholder}}
+cannon: {secrets: {rabbitmq: {username: placeholder, password: placeholder}}}
+gundeck: {secrets: {rabbitmq: {username: placeholder, password: placeholder}}}
+cassandra-migrations: {cassandra: {host: placeholder}}
+elasticsearch-index: {elasticsearch: {host: placeholder}, cassandra: {host: placeholder}}
+spar: {config: {appUri: 'https://placeholder', ssoUri: 'https://placeholder', contacts: [placeholder]}}
+galley: {config: {settings: {conversationCodeURI: 'https://placeholder'}}, secrets: {rabbitmq: {username: placeholder, password: placeholder}}}
+EOF
+    output=$(helm template test-release "$chart_path" -f "$tmpval")
+    rm -f "$tmpval"
+  elif [[ "$chart_name" == "wire-server-enterprise" ]]; then
+    output=$(helm template test-release "$chart_path" --set 'secrets.placeholder=placeholder')
+  else
+    output=$(helm template test-release "$chart_path")
+  fi
 
   # Extract image values from the output using yq (jq wrapper)
   # Recursively find all .image fields in objects and output unique values