Generate SBOMs during build

airflow/Dockerfile

@@ -46,7 +46,8 @@ RUN python3 -m venv --system-site-packages /stackable/app && \
     pip install --no-cache-dir --upgrade pip && \
     pip install --no-cache-dir apache-airflow[${AIRFLOW_EXTRAS}]==${PRODUCT} --constraint /tmp/constraints.txt && \
     # Needed for pandas S3 integration to e.g. write and read csv and parquet files to/from S3
-    pip install --no-cache-dir s3fs
+    pip install --no-cache-dir s3fs cyclonedx-bom && \
+    cyclonedx-py environment --schema-version 1.5 --outfile /stackable/airflow-${PRODUCT}.cdx.json
 
 WORKDIR /stackable
 COPY --from=statsd_exporter-builder /statsd_exporter/statsd_exporter /stackable/statsd_exporter

druid/Dockerfile

@@ -54,6 +54,7 @@ cd apache-druid-${PRODUCT}-src
 
 mvn --batch-mode --no-transfer-progress clean install -Pdist,stackable-bundle-contrib-exts -DskipTests -Dmaven.javadoc.skip=true
 mv distribution/target/apache-druid-${PRODUCT}-bin/apache-druid-${PRODUCT} /stackable/
+mv distribution/target/bom.json /stackable/apache-druid-${PRODUCT}/apache-druid-${PRODUCT}.cdx.json
 rm -rf /stackable/apache-druid-${PRODUCT}-src
 
 # We're removing these to make the intermediate layer smaller

druid/stackable/patches/26.0.0/07-cyclonedx-plugin.patch

@@ -0,0 +1,17 @@
+diff --git a/pom.xml b/pom.xml
+index c0f0654..133cbf8 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1558,7 +1558,11 @@
+             <plugin>
+                 <groupId>org.cyclonedx</groupId>
+                 <artifactId>cyclonedx-maven-plugin</artifactId>
+-                <version>2.7.5</version>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                </configuration>
+                 <executions>
+                     <execution>
+                         <phase>package</phase>

druid/stackable/patches/26.0.0/series

@@ -5,3 +5,4 @@
 04-update-patch-dependencies.patch
 05-xmllayout-dependencies.patch
 06-dont-build-targz.patch
+07-cyclonedx-plugin.patch

druid/stackable/patches/28.0.1/07-cyclonedx-plugin.patch

@@ -0,0 +1,17 @@
+diff --git a/pom.xml b/pom.xml
+index ff6ee97..8c99ed3 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1646,7 +1646,11 @@
+             <plugin>
+                 <groupId>org.cyclonedx</groupId>
+                 <artifactId>cyclonedx-maven-plugin</artifactId>
+-                <version>2.7.9</version>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                </configuration>
+                 <executions>
+                     <execution>
+                         <phase>package</phase>

druid/stackable/patches/28.0.1/series

@@ -5,3 +5,4 @@
 04-update-patch-dependencies.patch
 05-xmllayout-dependencies.patch
 06-dont-build-targz.patch
+07-cyclonedx-plugin.patch

druid/stackable/patches/30.0.0/07-cyclonedx-plugin.patch

@@ -0,0 +1,17 @@
+diff --git a/pom.xml b/pom.xml
+index 9051ed2..10a2c85 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1728,7 +1728,11 @@
+             <plugin>
+                 <groupId>org.cyclonedx</groupId>
+                 <artifactId>cyclonedx-maven-plugin</artifactId>
+-                <version>2.7.9</version>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                </configuration>
+                 <executions>
+                     <execution>
+                         <phase>package</phase>

druid/stackable/patches/30.0.0/series

@@ -5,3 +5,4 @@
 04-update-patch-dependencies.patch
 05-xmllayout-dependencies.patch
 06-dont-build-targz.patch
+07-cyclonedx-plugin.patch

hadoop/Dockerfile

@@ -65,6 +65,7 @@ RUN curl --fail -L "https://repo.stackable.tech/repository/packages/hadoop/hadoo
     cd hadoop-${PRODUCT}-src && \
     mvn --no-transfer-progress clean package -Pdist,native -pl '!hadoop-tools/hadoop-pipes,!hadoop-yarn-project,!hadoop-mapreduce-project,!hadoop-minicluster' -Drequire.fuse=true -DskipTests -Dmaven.javadoc.skip=true && \
     cp -r hadoop-dist/target/hadoop-${PRODUCT} /stackable/hadoop-${PRODUCT} && \
+    mv hadoop-dist/target/bom.json /stackable/hadoop-${PRODUCT}/hadoop-${PRODUCT}.cdx.json && \
     # HDFS fuse-dfs is not part of the regular dist output, so we need to copy it in ourselves
     cp hadoop-hdfs-project/hadoop-hdfs-native-client/target/main/native/fuse-dfs/fuse_dfs /stackable/hadoop-${PRODUCT}/bin && \
     rm -rf /stackable/hadoop-${PRODUCT}-src

hadoop/stackable/patches/3.3.4/008-patch-cyclonedx-plugin.patch

@@ -0,0 +1,37 @@
+diff --git a/pom.xml b/pom.xml
+index f4e435c..f050218 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -116,6 +116,7 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/x
+     <dependency-check-maven.version>1.4.3</dependency-check-maven.version>
+     <spotbugs.version>4.2.2</spotbugs.version>
+     <spotbugs-maven-plugin.version>4.2.0</spotbugs-maven-plugin.version>
++    <cyclonedx.version>2.8.0</cyclonedx.version>
+
+     <shell-executable>bash</shell-executable>
+
+@@ -491,6 +492,24 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/x
+         <groupId>com.github.spotbugs</groupId>
+         <artifactId>spotbugs-maven-plugin</artifactId>
+       </plugin>
++      <plugin>
++        <groupId>org.cyclonedx</groupId>
++        <artifactId>cyclonedx-maven-plugin</artifactId>
++        <version>${cyclonedx.version}</version>
++        <configuration>
++            <projectType>application</projectType>
++            <schemaVersion>1.5</schemaVersion>
++            <skipNotDeployed>false</skipNotDeployed>
++        </configuration>
++        <executions>
++          <execution>
++            <phase>package</phase>
++            <goals>
++              <goal>makeBom</goal>
++            </goals>
++          </execution>
++        </executions>
++      </plugin>
+     </plugins>
+   </build>
+

hadoop/stackable/patches/3.3.6/008-cyclonedx-plugin.patch

@@ -0,0 +1,35 @@
+diff --git a/pom.xml b/pom.xml
+index aaa4203..de00177 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -116,7 +116,7 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/x
+     <dependency-check-maven.version>1.4.3</dependency-check-maven.version>
+     <spotbugs.version>4.2.2</spotbugs.version>
+     <spotbugs-maven-plugin.version>4.2.0</spotbugs-maven-plugin.version>
+-    <cyclonedx.version>2.7.6</cyclonedx.version>
++    <cyclonedx.version>2.8.0</cyclonedx.version>
+
+     <shell-executable>bash</shell-executable>
+
+@@ -649,6 +649,11 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/x
+             <groupId>org.cyclonedx</groupId>
+             <artifactId>cyclonedx-maven-plugin</artifactId>
+             <version>${cyclonedx.version}</version>
++            <configuration>
++                <projectType>application</projectType>
++                <schemaVersion>1.5</schemaVersion>
++                <skipNotDeployed>false</skipNotDeployed>
++            </configuration>
+             <executions>
+               <execution>
+                 <phase>package</phase>
+@@ -657,9 +662,6 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/x
+                 </goals>
+               </execution>
+             </executions>
+-            <configuration>
+-              <outputFormat>xml</outputFormat>
+-            </configuration>
+           </plugin>
+         </plugins>
+       </build>

hadoop/stackable/patches/3.4.0/005-cyclonedx-plugin.patch

@@ -0,0 +1,35 @@
+diff --git a/pom.xml b/pom.xml
+index 0a7a478..3ceaf7a 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -118,7 +118,7 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/x
+     <spotbugs-maven-plugin.version>4.2.0</spotbugs-maven-plugin.version>
+     <jsonschema2pojo-maven-plugin.version>1.1.1</jsonschema2pojo-maven-plugin.version>
+     <maven-compiler-plugin.version>3.10.1</maven-compiler-plugin.version>
+-    <cyclonedx.version>2.7.10</cyclonedx.version>
++    <cyclonedx.version>2.8.0</cyclonedx.version>
+
+     <shell-executable>bash</shell-executable>
+
+@@ -770,6 +770,11 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/x
+             <groupId>org.cyclonedx</groupId>
+             <artifactId>cyclonedx-maven-plugin</artifactId>
+             <version>${cyclonedx.version}</version>
++            <configuration>
++                <projectType>application</projectType>
++                <schemaVersion>1.5</schemaVersion>
++                <skipNotDeployed>false</skipNotDeployed>
++            </configuration>
+             <executions>
+               <execution>
+                 <phase>package</phase>
+@@ -778,9 +783,6 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/x
+                 </goals>
+               </execution>
+             </executions>
+-            <configuration>
+-              <outputFormat>xml</outputFormat>
+-            </configuration>
+           </plugin>
+         </plugins>
+       </build>

hbase/Dockerfile

@@ -55,6 +55,7 @@ cd /stackable/hbase-${PRODUCT}-src/
 mvn --batch-mode --no-transfer-progress -Dhadoop.profile=3.0 -Dhadoop-three.version=${HADOOP} clean install -DskipTests
 mvn --batch-mode --no-transfer-progress -Dhadoop.profile=3.0 -Dhadoop-three.version=${HADOOP} install assembly:single -DskipTests -Dcheckstyle.skip=true -Prelease
 tar -xzf hbase-assembly/target/hbase-${PRODUCT}-bin.tar.gz -C /stackable/
+mv hbase-assembly/target/bom.json /stackable/hbase-${PRODUCT}/hbase-${PRODUCT}.cdx.json
 rm -rf /stackable/hbase-${PRODUCT}-src
 ln -s "/stackable/hbase-${PRODUCT}" /stackable/hbase
 
@@ -134,6 +135,7 @@ ARG DELETE_CACHES="true"
 # so that they are not expanded. Disabling ShellCheck rules in a Dockerfile
 # does not work, so please ignore the according warning (SC2016).
 COPY --chown=stackable:stackable hbase/stackable/bin/hbck2.env /stackable/bin/
+COPY --chown=stackable:stackable hbase/stackable/patches /stackable/patches
 
 USER stackable
 WORKDIR /stackable
@@ -144,6 +146,9 @@ RUN --mount=type=cache,id=maven-hbase-operator-tools,uid=1000,target=/stackable/
 
 curl --fail -L "https://repo.stackable.tech/repository/packages/hbase-operator-tools/hbase-operator-tools-${HBASE_OPERATOR_TOOLS}-src.tar.gz" | tar -xzC .
 mv hbase-operator-tools-${HBASE_OPERATOR_TOOLS} hbase-operator-tools-${HBASE_OPERATOR_TOOLS}-src
+chmod +x patches/apply_patches.sh
+patches/apply_patches.sh hbase-operator-tools/${HBASE_OPERATOR_TOOLS} hbase-operator-tools-${HBASE_OPERATOR_TOOLS}-src
+
 mvn \
   --batch-mode \
   --no-transfer-progress \
@@ -160,6 +165,7 @@ tar -xz \
   -f hbase-operator-tools-${HBASE_OPERATOR_TOOLS}-src/hbase-operator-tools-assembly/target/hbase-operator-tools-*-bin.tar.gz \
   -C /stackable/hbase-operator-tools-${HBASE_OPERATOR_TOOLS}/ \
   --strip-components=1
+mv hbase-operator-tools-${HBASE_OPERATOR_TOOLS}-src/hbase-operator-tools-assembly/target/bom.json /stackable/hbase-operator-tools-${HBASE_OPERATOR_TOOLS}/hbase-operator-tools-${HBASE_OPERATOR_TOOLS}.cdx.json
 rm -rf /stackable/hbase-operator-tools-${HBASE_OPERATOR_TOOLS}-src
 
 envsubst '${PRODUCT}:${HBASE_OPERATOR_TOOLS}' < /stackable/bin/hbck2.env > /stackable/bin/hbck2
@@ -219,6 +225,7 @@ ARG HADOOP
 # This can be used to speed up builds when disk space is of no concern.
 ARG DELETE_CACHES="true"
 
+COPY --chown=stackable:stackable hbase/stackable/patches /stackable/patches
 USER stackable
 WORKDIR /stackable
 
@@ -227,6 +234,9 @@ cd /stackable
 curl --fail -L "https://repo.stackable.tech/repository/packages/phoenix/phoenix-${PHOENIX}-src.tar.gz" | tar -xzC .
 mv phoenix-${PHOENIX} phoenix-${PHOENIX}-src
 
+chmod +x patches/apply_patches.sh
+patches/apply_patches.sh phoenix/${PHOENIX} phoenix-${PHOENIX}-src
+
 # Passing "-f" means it'll build in the phoenix source directory without cding into it
 # The Maven command can be found inside of the scripts in the create-release folder (release-util.sh as of Phoenix 5.2.0)
 # https://github.com/apache/phoenix/tree/5.2.0/dev/create-release
@@ -235,8 +245,10 @@ mvn \
   --no-transfer-progress \
   -Dhbase.version=${PRODUCT} \
   -Dhbase.profile=${HBASE_PROFILE} \
+  -Dhadoop.version=${HADOOP} \
   -DskipTests \
   -Dcheckstyle.skip=true \
+  -Prelease \
   -fphoenix-${PHOENIX}-src \
   clean \
   package
@@ -245,6 +257,7 @@ mvn \
 # And we're stripping the top level directory while extracting because it may be called different than the folder name when it's a SNAPSHOT
 mkdir /stackable/phoenix-${HBASE_PROFILE}-${PHOENIX}-bin
 tar -xz -f phoenix-${PHOENIX}-src/phoenix-assembly/target/phoenix-hbase-*-bin.tar.gz -C /stackable/phoenix-${HBASE_PROFILE}-${PHOENIX}-bin/ --strip-components=1
+mv phoenix-${PHOENIX}-src/phoenix-assembly/target/bom.json /stackable/phoenix-${HBASE_PROFILE}-${PHOENIX}-bin/phoenix-${HBASE_PROFILE}-${PHOENIX}.cdx.json
 rm -rf /stackable/phoenix-${PHOENIX}-src
 ln -s "/stackable/phoenix-${HBASE_PROFILE}-${PHOENIX}-bin" /stackable/phoenix
 

hbase/stackable/patches/2.4.17/006-patch-cyclonedx-plugin.patch

@@ -0,0 +1,17 @@
+diff --git a/pom.xml b/pom.xml
+index e7df337..566414e 100755
+--- a/pom.xml
++++ b/pom.xml
+@@ -2337,7 +2337,11 @@
+       <plugin>
+         <groupId>org.cyclonedx</groupId>
+         <artifactId>cyclonedx-maven-plugin</artifactId>
+-        <version>2.7.3</version>
++        <version>2.8.0</version>
++        <configuration>
++            <projectType>application</projectType>
++            <schemaVersion>1.5</schemaVersion>
++        </configuration>
+         <executions>
+           <execution>
+             <goals>

hbase/stackable/patches/2.4.18/06-patch-cyclonedx-plugin.patch

@@ -0,0 +1,26 @@
+Bumps cyclonedx-maven-plugin to version 2.8.0 and tweaks its configuration
+
+From: dervoeti <lukas.voetmand@stackable.tech>
+
+
+---
+ pom.xml |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/pom.xml b/pom.xml
+index 8bd80e81e2..a437d5c819 100755
+--- a/pom.xml
++++ b/pom.xml
+@@ -3011,7 +3011,11 @@
+           <plugin>
+             <groupId>org.cyclonedx</groupId>
+             <artifactId>cyclonedx-maven-plugin</artifactId>
+-            <version>2.7.10</version>
++            <version>2.8.0</version>
++            <configuration>
++                <projectType>application</projectType>
++                <schemaVersion>1.5</schemaVersion>
++            </configuration>
+             <executions>
+               <execution>
+                 <goals>

hbase/stackable/patches/2.4.18/series

@@ -4,3 +4,4 @@
 03-HBASE-28379.patch
 04-HBASE-28511.patch
 05-patch-updates.patch
+06-patch-cyclonedx-plugin.patch

hbase/stackable/patches/2.6.0/05-patch-cyclonedx-plugin.patch

@@ -0,0 +1,17 @@
+diff --git a/pom.xml b/pom.xml
+index 918cdaa..2a83794 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -3218,7 +3218,11 @@
+           <plugin>
+             <groupId>org.cyclonedx</groupId>
+             <artifactId>cyclonedx-maven-plugin</artifactId>
+-            <version>2.7.10</version>
++            <version>2.8.0</version>
++            <configuration>
++                <projectType>application</projectType>
++                <schemaVersion>1.5</schemaVersion>
++            </configuration>
+             <executions>
+               <execution>
+                 <goals>

hbase/stackable/patches/2.6.0/series

@@ -3,3 +3,4 @@
 02-HBASE-28567.patch
 03-patch-updates.patch
 04-include-dataformat-xml.patch
+05-patch-cyclonedx-plugin.patch

hbase/stackable/patches/apply_patches.sh

@@ -12,6 +12,12 @@ fi
 
 VERSION="$1"
 PATCH_DIR="patches/$VERSION"
+SRC_DIR="hbase-${VERSION}-src"
+
+# if a second argument is provided, use it as the source directory instead of the default
+if [ -n "${2-}" ]; then
+  SRC_DIR="$2"
+fi
 
 # Check if version-specific patches directory exists
 if [ ! -d "$PATCH_DIR" ]; then
@@ -34,7 +40,7 @@ echo "Found ${#patch_files[@]} patches, applying now"
 # Iterate through sorted patch files
 for patch_file in "${patch_files[@]}"; do
   echo "Applying $patch_file"
-  git apply --directory "hbase-${VERSION}-src" "$patch_file" || {
+  git apply --directory "$SRC_DIR" "$patch_file" || {
     echo "Failed to apply $patch_file"
     exit 1
   }

hbase/stackable/patches/hbase-operator-tools/1.2.0/01-cyclonedx-plugin.patch

@@ -0,0 +1,28 @@
+diff --git a/pom.xml b/pom.xml
+index aba42b0..0288bde 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -396,6 +396,23 @@
+           <skipAssembly>true</skipAssembly>
+         </configuration>
+       </plugin>
++      <plugin>
++        <groupId>org.cyclonedx</groupId>
++        <artifactId>cyclonedx-maven-plugin</artifactId>
++        <version>2.8.0</version>
++        <configuration>
++          <projectType>application</projectType>
++          <schemaVersion>1.5</schemaVersion>
++        </configuration>
++        <executions>
++          <execution>
++          <goals>
++            <goal>makeBom</goal>
++          </goals>
++          <phase>package</phase>
++          </execution>
++        </executions>
++      </plugin>
+     </plugins>
+   </build>
+   <profiles>