fix(opensearch): scope CycloneDX SBOM to shipped components only (#1452)

dervoeti · web-flow · commit 14b6312a9eda · 2026-04-01T18:48:58.000Z
* fix(opensearch): scope CycloneDX SBOM to shipped components only

* chore: changelog

* chore: add comment about adding OpenSearch plugins
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,8 +11,10 @@ All notable changes to this project will be documented in this file.
 ### Fixed
 
 - trino: Backport fix for wrong deletes in Delta Lake ([#1453]).
+- opensearch: Scope CycloneDX SBOM to shipped components only, eliminating false positive CVEs from unshipped plugins ([#1452]).
 
 [#1446]: https://github.com/stackabletech/docker-images/pull/1446
+[#1452]: https://github.com/stackabletech/docker-images/pull/1452
 [#1453]: https://github.com/stackabletech/docker-images/pull/1453
 [#1454]: https://github.com/stackabletech/docker-images/pull/1454
 
diff --git a/opensearch/Dockerfile b/opensearch/Dockerfile
@@ -63,6 +63,10 @@ NEW_VERSION="${PRODUCT_VERSION}-stackable${RELEASE_VERSION}"
 tar -czf /stackable/opensearch-${NEW_VERSION}-src.tar.gz .
 ./scripts/build.sh -v "${PRODUCT_VERSION}" -s false -a "${ARCH}"
 tar -xzf "artifacts/dist/opensearch-min-${PRODUCT_VERSION}-linux-${ARCH}.tar.gz" -C /stackable
+# NOTE: When adding more core plugins here, also update the CycloneDX SBOM patch
+# (stackable/patches/<version>/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch)
+# to include them in the shippedPlugins list, otherwise their dependencies will
+# be missing from the SBOM.
 unzip artifacts/core-plugins/repository-s3-${PRODUCT_VERSION}.zip -d /stackable/opensearch-${PRODUCT_VERSION}/plugins/repository-s3/
 mv /stackable/opensearch-${PRODUCT_VERSION}/plugins/repository-s3/config /stackable/opensearch-${PRODUCT_VERSION}/config/repository-s3
 unzip artifacts/core-plugins/telemetry-otel-${PRODUCT_VERSION}.zip -d /stackable/opensearch-${PRODUCT_VERSION}/plugins/telemetry-otel/
diff --git a/opensearch/stackable/patches/3.1.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch b/opensearch/stackable/patches/3.1.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
@@ -0,0 +1,35 @@
+From e10e254da6a4fd0ee72accd4da6d4e93e8716bd9 Mon Sep 17 00:00:00 2001
+From: dervoeti <lukas.krug@stackable.tech>
+Date: Thu, 26 Mar 2026 20:51:26 +0000
+Subject: Scope CycloneDX SBOM to shipped components only
+
+Exclude plugin subprojects that are not included in the opensearch-min
+distribution from the CycloneDX BOM generation. Only repository-s3 and
+telemetry-otel are shipped from the local build. Other plugins like
+ingest-attachment (which pulls in tika-core) are not installed in the
+Stackable image and should not appear in the runtime SBOM.
+---
+ build.gradle | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/build.gradle b/build.gradle
+index 78a15b418e7..505f9020830 100644
+--- a/build.gradle
++++ b/build.gradle
+@@ -78,6 +78,16 @@ allprojects {
+ }
+ 
+ cyclonedxBom {
++  // Only include subprojects that are part of the opensearch-min distribution
++  // (server, libs, modules) plus the core plugins shipped in the Stackable
++  // image (repository-s3 and telemetry-otel). This prevents build-only plugin
++  // dependencies (e.g. tika-core from ingest-attachment) from appearing in the
++  // runtime SBOM as false positives.
++  def shippedPlugins = ['repository-s3', 'telemetry-otel'] as Set
++  skipProjects = subprojects.findAll { sub ->
++    (sub.path.startsWith(':plugins:') && !(sub.name in shippedPlugins)) ||
++    sub.path.startsWith(':example-plugins')
++  }.collect { it.name }
+   includeConfigs = ["runtimeClasspath"]
+   includeLicenseText = false
+   skipConfigs = ["compileClasspath", "testCompileClasspath"]
diff --git a/opensearch/stackable/patches/3.4.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch b/opensearch/stackable/patches/3.4.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
@@ -0,0 +1,40 @@
+From 180057545225e49cea09c74e454ee6bef30521b5 Mon Sep 17 00:00:00 2001
+From: dervoeti <lukas.krug@stackable.tech>
+Date: Thu, 26 Mar 2026 21:05:47 +0000
+Subject: Scope CycloneDX SBOM to shipped components only
+
+Exclude plugin subprojects that are not included in the opensearch-min
+distribution from the CycloneDX BOM generation. Only repository-s3 and
+telemetry-otel are shipped from the local build. Other plugins like
+ingest-attachment (which pulls in tika-core) are not installed in the
+Stackable image and should not appear in the runtime SBOM.
+---
+ build.gradle | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/build.gradle b/build.gradle
+index 49d3b971efa..aa2638b6a60 100644
+--- a/build.gradle
++++ b/build.gradle
+@@ -82,6 +82,21 @@ allprojects {
+   version = VersionProperties.getOpenSearch()
+   description = "OpenSearch subproject ${project.path}"
+ 
++  // Only include subprojects that are part of the opensearch-min distribution
++  // (server, libs, modules) plus the core plugins shipped in the Stackable
++  // image (repository-s3 and telemetry-otel). This prevents build-only plugin
++  // dependencies (e.g. tika-core from ingest-attachment) from appearing in the
++  // runtime SBOM as false positives.
++  def shippedPlugins = ['repository-s3', 'telemetry-otel'] as Set
++  def isUnshippedPlugin = (project.path.startsWith(':plugins:') && !(project.name in shippedPlugins)) ||
++                          project.path.startsWith(':example-plugins')
++
++  if (isUnshippedPlugin) {
++    tasks.matching { it.name == 'cyclonedxDirectBom' }.configureEach {
++      enabled = false
++    }
++  }
++
+   cyclonedxDirectBom {
+     includeConfigs = ["runtimeClasspath"]
+     skipConfigs = ["compileClasspath", "testCompileClasspath"]
