Mark config files as type=file instead of type=application

[arianvp]

It would be nice if config files that end up in the SBOM. (e.g. the derivation for etc and systemd units) are not marked as type=application but only packages are marked as type=application. That makes filtering in SBOM scanners a lot easier

[henrirosten]

First, notice the default component type was changed ot library in PR: #128.

I agree we should properly classify component types. However, I don't see anything in nix derivation properties that would allow reliably identifying different types.

Any suggestions on how to do this reliably are certainly welcome.

[arianvp]

I think one strong indicator for library instead of file is the presence of pname+version instead of name in the nix derivation. We could adjust the metadata scraper to collect this info and use it as a shorthand.

[arianvp]

We also opened and RFC to start adding CPE info to packages which might help. NixOS/nixpkgs#354012

[henrirosten]

I think one strong indicator for library instead of file is the presence of pname+version instead of name in the nix derivation. We could adjust the metadata scraper to collect this info and use it as a shorthand.

Your suggestion seems to work pretty well: see #141. It needs some more testing still, feel free to try it.