
Commit 14b6312

fix(opensearch): scope CycloneDX SBOM to shipped components only (#1452)
* fix(opensearch): scope CycloneDX SBOM to shipped components only * chore: changelog * chore: add comment about adding OpenSearch plugins
1 parent f474f2e commit 14b6312

4 files changed

Lines changed: 81 additions & 0 deletions


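--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,8 +11,10 @@ All notable changes to this project will be documented in this file.
 ### Fixed
 
 - trino: Backport fix for wrong deletes in Delta Lake ([#1453]).
+- opensearch: Scope CycloneDX SBOM to shipped components only, eliminating false positive CVEs from unshipped plugins ([#1452]).
 
 [#1446]: https://github.com/stackabletech/docker-images/pull/1446
+[#1452]: https://github.com/stackabletech/docker-images/pull/1452
 [#1453]: https://github.com/stackabletech/docker-images/pull/1453
 [#1454]: https://github.com/stackabletech/docker-images/pull/1454
 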
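--- a/opensearch/Dockerfile
+++ b/opensearch/Dockerfile
@@ -63,6 +63,10 @@ NEW_VERSION="${PRODUCT_VERSION}-stackable${RELEASE_VERSION}"
 tar -czf /stackable/opensearch-${NEW_VERSION}-src.tar.gz .
 ./scripts/build.sh -v "${PRODUCT_VERSION}" -s false -a "${ARCH}"
 tar -xzf "artifacts/dist/opensearch-min-${PRODUCT_VERSION}-linux-${ARCH}.tar.gz" -C /stackable
+# NOTE: When adding more core plugins here, also update the CycloneDX SBOM patch
+# (stackable/patches/<version>/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch)
+# to include them in the shippedPlugins list, otherwise their dependencies will
+# be missing from the SBOM.
 unzip artifacts/core-plugins/repository-s3-${PRODUCT_VERSION}.zip -d /stackable/opensearch-${PRODUCT_VERSION}/plugins/repository-s3/
 mv /stackable/opensearch-${PRODUCT_VERSION}/plugins/repository-s3/config /stackable/opensearch-${PRODUCT_VERSION}/config/repository-s3
 unzip artifacts/core-plugins/telemetry-otel-${PRODUCT_VERSION}.zip -d /stackable/opensearch-${PRODUCT_VERSION}/plugins/telemetry-otel/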
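Review bot: The comment at new lines 66-69 is the only thing tying the plugins unpacked by the `unzip` steps below it to the `shippedPlugins` allow-list in the patch, and the same hard-coded list appears in both new patch files of this commit, so there are three copies to keep in sync by hand. If a plugin is added here without updating the patches, the build still succeeds but the SBOM silently omits that plugin's dependencies — a false negative, which for vulnerability tracking is worse than the false positives this commit removes. Consider a post-build check in this RUN step that every directory under `/stackable/opensearch-${PRODUCT_VERSION}/plugins/` has a matching component in the generated BOM, so drift fails the image build instead of going unnoticed; where the BOM is written is not visible on this page, so the exact check depends on that path. The shell sequence this hunk belongs to appears to start before the hunk (the `NEW_VERSION=` context in the header).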
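--- a/stackable/patches/<version-A>/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
+++ b/stackable/patches/<version-A>/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
@@ -0,0 +1,35 @@
+From e10e254da6a4fd0ee72accd4da6d4e93e8716bd9 Mon Sep 17 00:00:00 2001
+From: dervoeti <lukas.krug@stackable.tech>
+Date: Thu, 26 Mar 2026 20:51:26 +0000
+Subject: Scope CycloneDX SBOM to shipped components only
+
+Exclude plugin subprojects that are not included in the opensearch-min
+distribution from the CycloneDX BOM generation. Only repository-s3 and
+telemetry-otel are shipped from the local build. Other plugins like
+ingest-attachment (which pulls in tika-core) are not installed in the
+Stackable image and should not appear in the runtime SBOM.
+---
+build.gradle | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/build.gradle b/build.gradle
+index 78a15b418e7..505f9020830 100644
+--- a/build.gradle
++++ b/build.gradle
+@@ -78,6 +78,16 @@ allprojects {
+}
+
+cyclonedxBom {
++ // Only include subprojects that are part of the opensearch-min distribution
++ // (server, libs, modules) plus the core plugins shipped in the Stackable
++ // image (repository-s3 and telemetry-otel). This prevents build-only plugin
++ // dependencies (e.g. tika-core from ingest-attachment) from appearing in the
++ // runtime SBOM as false positives.
++ def shippedPlugins = ['repository-s3', 'telemetry-otel'] as Set
++ skipProjects = subprojects.findAll { sub ->
++ (sub.path.startsWith(':plugins:') && !(sub.name in shippedPlugins)) ||
++ sub.path.startsWith(':example-plugins')
++ }.collect { it.name }
+includeConfigs = ["runtimeClasspath"]
+includeLicenseText = false
+skipConfigs = ["compileClasspath", "testCompileClasspath"]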
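Review bot: The exclusion at inner lines 29-32 is computed from project paths but handed to `skipProjects` as bare names (`.collect { it.name }`), so if the CycloneDX plugin matches skipProjects by project name — which collecting names suggests — any shipped subproject outside `:plugins:` that happens to share a name with an excluded plugin is dropped from the BOM as well, with no error. That failure mode is silent and produces an SBOM missing a shipped component, so it is worth failing the build on a name clash rather than relying on the current project layout never producing one. The second patch file in this commit takes the per-project route (disabling `cyclonedxDirectBom` by path) and does not have this issue. The `cyclonedxBom {` block's closing brace is outside the quoted hunk.
```groovy
cyclonedxBom {
    // … unchanged: explanatory comment and shippedPlugins definition …
    def unshipped = subprojects.findAll { sub ->
        (sub.path.startsWith(':plugins:') && !(sub.name in shippedPlugins)) ||
        sub.path.startsWith(':example-plugins')
    }
    // skipProjects is name-based; refuse to build if a shipped project would be
    // excluded only because it shares a name with an unshipped plugin.
    def nameClash = subprojects.findAll { !(it in unshipped) && it.name in unshipped*.name }
    if (!nameClash.empty) {
        throw new GradleException("SBOM skipProjects name clash would drop shipped projects: ${nameClash*.path}")
    }
    skipProjects = unshipped*.name
    // … unchanged: includeConfigs, includeLicenseText, skipConfigs …
```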
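--- a/stackable/patches/<version-B>/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
+++ b/stackable/patches/<version-B>/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
@@ -0,0 +1,40 @@
+From 180057545225e49cea09c74e454ee6bef30521b5 Mon Sep 17 00:00:00 2001
+From: dervoeti <lukas.krug@stackable.tech>
+Date: Thu, 26 Mar 2026 21:05:47 +0000
+Subject: Scope CycloneDX SBOM to shipped components only
+
+Exclude plugin subprojects that are not included in the opensearch-min
+distribution from the CycloneDX BOM generation. Only repository-s3 and
+telemetry-otel are shipped from the local build. Other plugins like
+ingest-attachment (which pulls in tika-core) are not installed in the
+Stackable image and should not appear in the runtime SBOM.
+---
+build.gradle | 15 +++++++++++++++
+1 file changed, 15 insertions(+)
+
+diff --git a/build.gradle b/build.gradle
+index 49d3b971efa..aa2638b6a60 100644
+--- a/build.gradle
++++ b/build.gradle
+@@ -82,6 +82,21 @@ allprojects {
+version = VersionProperties.getOpenSearch()
+description = "OpenSearch subproject ${project.path}"
+
++ // Only include subprojects that are part of the opensearch-min distribution
++ // (server, libs, modules) plus the core plugins shipped in the Stackable
++ // image (repository-s3 and telemetry-otel). This prevents build-only plugin
++ // dependencies (e.g. tika-core from ingest-attachment) from appearing in the
++ // runtime SBOM as false positives.
++ def shippedPlugins = ['repository-s3', 'telemetry-otel'] as Set
++ def isUnshippedPlugin = (project.path.startsWith(':plugins:') && !(project.name in shippedPlugins)) ||
++ project.path.startsWith(':example-plugins')
++
++ if (isUnshippedPlugin) {
++ tasks.matching { it.name == 'cyclonedxDirectBom' }.configureEach {
++ enabled = false
++ }
++ }
++
+cyclonedxDirectBom {
+includeConfigs = ["runtimeClasspath"]
+skipConfigs = ["compileClasspath", "testCompileClasspath"]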
