buildNimSbom: init a new package builder for Nim

Ref: #327064

doc/languages-frameworks/nim.section.md

@@ -1,7 +1,9 @@
-# Nim {#nim}
+# Nim {#sec-language-nim}
 
 The Nim compiler and a builder function is available.
-Nim programs are built using `buildNimPackage` and a lockfile containing Nim dependencies.
+Nim programs are built using a lockfile and either `buildNimPackage` or `buildNimSbom`.
+
+## buildNimPackage {#buildNimPackage}
 
 The following example shows a Nim program that depends only on Nim libraries:
 ```nix
@@ -15,7 +17,7 @@ buildNimPackage (finalAttrs: {
     owner = "inv2004";
     repo = "ttop";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-oPdaUqh6eN1X5kAYVvevOndkB/xnQng9QVLX9bu5P5E=";
+    hash = lib.fakeHash;
   };
 
   lockFile = ./lock.json;
@@ -26,7 +28,7 @@ buildNimPackage (finalAttrs: {
 })
 ```
 
-## `buildNimPackage` parameters {#buildnimpackage-parameters}
+### `buildNimPackage` parameters {#buildnimpackage-parameters}
 
 The `buildNimPackage` function takes an attrset of parameters that are passed on to `stdenv.mkDerivation`.
 
@@ -41,7 +43,7 @@ The following parameters are specific to `buildNimPackage`:
   Use this to specify defines with arguments in the form of `-d:${name}=${value}`.
 * `nimDoc` ? false`: Build and install HTML documentation.
 
-## Lockfiles {#nim-lockfiles}
+### Lockfiles {#nim-lockfiles}
 Nim lockfiles are created with the `nim_lk` utility.
 Run `nim_lk` with the source directory as an argument and it will print a lockfile to stdout.
 ```sh
@@ -50,9 +52,41 @@ $ nix build -f . ttop.src
 $ nix run -f . nim_lk ./result | jq --sort-keys > pkgs/by-name/tt/ttop/lock.json
 ```
 
+## buildNimSbom {#buildNimSbom}
+
+An alternative to `buildNimPackage` is `buildNimSbom` which builds packages from [CycloneDX SBOM](https://cyclonedx.org/) files.
+`buildNimSbom` resolves Nim dependencies to [fixed-output derivations](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation) using the [nix:fod namespace](#sec-interop.cylonedx-fod).
+
+In the following minimal example only the source code checkout and a `buildInput` are specified.
+The SBOM file provides metadata such as `pname` and `version` as well as the sources to Nim dependencies.
+```nix
+# pkgs/by-name/ni/nim_lk/package.nix
+{
+  lib,
+  buildNimSbom,
+  fetchFromSourcehut,
+  openssl,
+}:
+
+buildNimSbom (finalAttrs: {
+  src = fetchFromSourcehut {
+    owner = "~ehmry";
+    repo = "nim_lk";
+    rev = finalAttrs.version;
+    hash = lib.fakeHash;
+  };
+  buildInputs = [ openssl ];
+}) ./sbom.json
+```
+
+### Generating SBOMs {#generating-nim-sboms}
+
+The [nim_lk](https://git.sr.ht/~ehmry/nim_lk) utility can generate SBOMs from [Nimble](https://github.com/nim-lang/nimble) package metadata.
+See the [nim_lk documentation](https://git.sr.ht/~ehmry/nim_lk#nimble-to-cyclonedx-sbom) for more information.
+
 ## Overriding Nim packages {#nim-overrides}
 
-The `buildNimPackage` function generates flags and additional build dependencies from the `lockFile` parameter passed to `buildNimPackage`. Using [`overrideAttrs`](#sec-pkg-overrideAttrs) on the final package will apply after this has already been generated, so this can't be used to override the `lockFile` in a package built with `buildNimPackage`. To be able to override parameters before flags and build dependencies are generated from the `lockFile`, use `overrideNimAttrs` instead with the same syntax as `overrideAttrs`:
+The `buildNimPackage` and `buildNimSbom` functions generate flags and additional build dependencies from the `lockFile` parameter passed to `buildNimPackage`. Using [`overrideAttrs`](#sec-pkg-overrideAttrs) on the final package will apply after this has already been generated, so this can't be used to override the `lockFile` in a package built with `buildNimPackage`. To be able to override parameters before flags and build dependencies are generated from the `lockFile`, use `overrideNimAttrs` instead with the same syntax as `overrideAttrs`:
 
 ```nix
 pkgs.nitter.overrideNimAttrs {