Generate SBOMs during build (#814)

* hbase / phoenix / hbase-operator-tools

* airflow / druid

* nifi

* omid

* hadoop / hive / spark / trino

* fix: nifi cyclonedx plugin

* fix: hive cyclonedx plugin

* superset / zookeeper

* move instead of copy SBOMs

* fix: pre-commit lint fix

* fix: simplified zookeeper patch file

* fix: undo split of RUN command in Zookeeper Dockerfile

* feat: patches for all other product versions

* fix: forgot cyclonedx config for druid 26

Author: dervoeti

airflow/Dockerfile

@@ -46,7 +46,8 @@ RUN python3 -m venv --system-site-packages /stackable/app && \
     pip install --no-cache-dir --upgrade pip && \
     pip install --no-cache-dir apache-airflow[${AIRFLOW_EXTRAS}]==${PRODUCT} --constraint /tmp/constraints.txt && \
     # Needed for pandas S3 integration to e.g. write and read csv and parquet files to/from S3
-    pip install --no-cache-dir s3fs
+    pip install --no-cache-dir s3fs cyclonedx-bom && \
+    cyclonedx-py environment --schema-version 1.5 --outfile /stackable/airflow-${PRODUCT}.cdx.json
 
 WORKDIR /stackable
 COPY --from=statsd_exporter-builder /statsd_exporter/statsd_exporter /stackable/statsd_exporter

druid/Dockerfile

@@ -54,6 +54,7 @@ cd apache-druid-${PRODUCT}-src
 
 mvn --batch-mode --no-transfer-progress clean install -Pdist,stackable-bundle-contrib-exts -DskipTests -Dmaven.javadoc.skip=true
 mv distribution/target/apache-druid-${PRODUCT}-bin/apache-druid-${PRODUCT} /stackable/
+mv distribution/target/bom.json /stackable/apache-druid-${PRODUCT}/apache-druid-${PRODUCT}.cdx.json
 rm -rf /stackable/apache-druid-${PRODUCT}-src
 
 # We're removing these to make the intermediate layer smaller

druid/stackable/patches/26.0.0/07-cyclonedx-plugin.patch

@@ -0,0 +1,17 @@
+diff --git a/pom.xml b/pom.xml
+index c0f0654..133cbf8 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1558,7 +1558,11 @@
+             <plugin>
+                 <groupId>org.cyclonedx</groupId>
+                 <artifactId>cyclonedx-maven-plugin</artifactId>
+-                <version>2.7.5</version>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                </configuration>
+                 <executions>
+                     <execution>
+                         <phase>package</phase>

druid/stackable/patches/26.0.0/series

@@ -5,3 +5,4 @@
 04-update-patch-dependencies.patch
 05-xmllayout-dependencies.patch
 06-dont-build-targz.patch
+07-cyclonedx-plugin.patch

druid/stackable/patches/28.0.1/07-cyclonedx-plugin.patch

@@ -0,0 +1,17 @@
+diff --git a/pom.xml b/pom.xml
+index ff6ee97..8c99ed3 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1646,7 +1646,11 @@
+             <plugin>
+                 <groupId>org.cyclonedx</groupId>
+                 <artifactId>cyclonedx-maven-plugin</artifactId>
+-                <version>2.7.9</version>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                </configuration>
+                 <executions>
+                     <execution>
+                         <phase>package</phase>

druid/stackable/patches/28.0.1/series

@@ -5,3 +5,4 @@
 04-update-patch-dependencies.patch
 05-xmllayout-dependencies.patch
 06-dont-build-targz.patch
+07-cyclonedx-plugin.patch

druid/stackable/patches/30.0.0/07-cyclonedx-plugin.patch

@@ -0,0 +1,17 @@
+diff --git a/pom.xml b/pom.xml
+index 9051ed2..10a2c85 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1728,7 +1728,11 @@
+             <plugin>
+                 <groupId>org.cyclonedx</groupId>
+                 <artifactId>cyclonedx-maven-plugin</artifactId>
+-                <version>2.7.9</version>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                </configuration>
+                 <executions>
+                     <execution>
+                         <phase>package</phase>

druid/stackable/patches/30.0.0/series

@@ -5,3 +5,4 @@
 04-update-patch-dependencies.patch
 05-xmllayout-dependencies.patch
 06-dont-build-targz.patch
+07-cyclonedx-plugin.patch

hadoop/Dockerfile

@@ -65,6 +65,7 @@ RUN curl --fail -L "https://repo.stackable.tech/repository/packages/hadoop/hadoo
     cd hadoop-${PRODUCT}-src && \
     mvn --no-transfer-progress clean package -Pdist,native -pl '!hadoop-tools/hadoop-pipes,!hadoop-yarn-project,!hadoop-mapreduce-project,!hadoop-minicluster' -Drequire.fuse=true -DskipTests -Dmaven.javadoc.skip=true && \
     cp -r hadoop-dist/target/hadoop-${PRODUCT} /stackable/hadoop-${PRODUCT} && \
+    mv hadoop-dist/target/bom.json /stackable/hadoop-${PRODUCT}/hadoop-${PRODUCT}.cdx.json && \
     # HDFS fuse-dfs is not part of the regular dist output, so we need to copy it in ourselves
     cp hadoop-hdfs-project/hadoop-hdfs-native-client/target/main/native/fuse-dfs/fuse_dfs /stackable/hadoop-${PRODUCT}/bin && \
     rm -rf /stackable/hadoop-${PRODUCT}-src

hadoop/stackable/patches/3.3.4/008-patch-cyclonedx-plugin.patch

@@ -0,0 +1,37 @@
+diff --git a/pom.xml b/pom.xml
+index f4e435c..f050218 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -116,6 +116,7 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/x
+     <dependency-check-maven.version>1.4.3</dependency-check-maven.version>
+     <spotbugs.version>4.2.2</spotbugs.version>
+     <spotbugs-maven-plugin.version>4.2.0</spotbugs-maven-plugin.version>
++    <cyclonedx.version>2.8.0</cyclonedx.version>
+ 
+     <shell-executable>bash</shell-executable>
+ 
+@@ -491,6 +492,24 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/x
+         <groupId>com.github.spotbugs</groupId>
+         <artifactId>spotbugs-maven-plugin</artifactId>
+       </plugin>
++      <plugin>
++        <groupId>org.cyclonedx</groupId>
++        <artifactId>cyclonedx-maven-plugin</artifactId>
++        <version>${cyclonedx.version}</version>
++        <configuration>
++            <projectType>application</projectType>
++            <schemaVersion>1.5</schemaVersion>
++            <skipNotDeployed>false</skipNotDeployed>
++        </configuration>
++        <executions>
++          <execution>
++            <phase>package</phase>
++            <goals>
++              <goal>makeBom</goal>
++            </goals>
++          </execution>
++        </executions>
++      </plugin>
+     </plugins>
+   </build>
+