From 289a866f45047787d7b2020ec9e0efe8c4da2e37 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Fri, 27 Mar 2026 16:56:25 +0000
Subject: [PATCH 1/3] fix(opensearch): scope CycloneDX SBOM to shipped components only
---
 ...neDX-SBOM-to-shipped-components-only.patch | 35 ++++++++++++++++
 ...neDX-SBOM-to-shipped-components-only.patch | 40 +++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 opensearch/stackable/patches/3.1.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
 create mode 100644 opensearch/stackable/patches/3.4.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
diff --git a/opensearch/stackable/patches/3.1.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch b/opensearch/stackable/patches/3.1.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
new file mode 100644
index 000000000..b51c3040a
--- /dev/null
+++ b/opensearch/stackable/patches/3.1.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
@@ -0,0 +1,35 @@
+From e10e254da6a4fd0ee72accd4da6d4e93e8716bd9 Mon Sep 17 00:00:00 2001
+From: dervoeti
+Date: Thu, 26 Mar 2026 20:51:26 +0000
+Subject: Scope CycloneDX SBOM to shipped components only
+
+Exclude plugin subprojects that are not included in the opensearch-min
+distribution from the CycloneDX BOM generation. Only repository-s3 and
+telemetry-otel are shipped from the local build. Other plugins like
+ingest-attachment (which pulls in tika-core) are not installed in the
+Stackable image and should not appear in the runtime SBOM.
+---
+ build.gradle | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/build.gradle b/build.gradle
+index 78a15b418e7..505f9020830 100644
+--- a/build.gradle
++++ b/build.gradle
+@@ -78,6 +78,16 @@ allprojects {
+ }
+
+ cyclonedxBom {
++ // Only include subprojects that are part of the opensearch-min distribution
++ // (server, libs, modules) plus the core plugins shipped in the Stackable
++ // image (repository-s3 and telemetry-otel). This prevents build-only plugin
++ // dependencies (e.g. tika-core from ingest-attachment) from appearing in the
++ // runtime SBOM as false positives.
++ def shippedPlugins = ['repository-s3', 'telemetry-otel'] as Set
++ skipProjects = subprojects.findAll { sub ->
++ (sub.path.startsWith(':plugins:') && !(sub.name in shippedPlugins)) ||
++ sub.path.startsWith(':example-plugins')
++ }.collect { it.name }
+ includeConfigs = ["runtimeClasspath"]
+ includeLicenseText = false
+ skipConfigs = ["compileClasspath", "testCompileClasspath"]
diff --git a/opensearch/stackable/patches/3.4.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch b/opensearch/stackable/patches/3.4.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
new file mode 100644
index 000000000..a4ad872f2
--- /dev/null
+++ b/opensearch/stackable/patches/3.4.0/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch
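Review bot: The five-line comment added above `def shippedPlugins` describes an allowlist ("Only include subprojects that are part of the opensearch-min distribution (server, libs, modules) plus the core plugins …"), but the `skipProjects` expression below it is a denylist that drops only `:plugins:*` (minus the two shipped names) and `:example-plugins*`; every other subproject tree that exists in this checkout's settings.gradle (test fixtures, qa, client, sandbox or distribution tooling, whichever apply) still feeds its runtimeClasspath into the BOM, so the comment overstates what is filtered. Either narrow the comment to what the code does, e.g. `// Drop unshipped plugin subprojects: everything under :plugins: except shippedPlugins, and :example-plugins.`, or, if a true allowlist is intended, invert the predicate to name the trees that actually land in the image, taking care not to drop tooling the distribution ships. Separately, the result is collected as `it.name`, so if a non-plugin subproject shares a name with an excluded plugin it is skipped too; matching on `it.path` would be safer if the cyclonedx plugin version in use accepts paths. Because the purpose of this change is scanner fidelity, an omission here is a silent false negative (a shipped component with no SBOM entry), which is worse than the false positives being fixed, so the `shippedPlugins` set ideally should be derived from the same source that drives the plugin installs rather than duplicated by hand. The `cyclonedxBom { … }` block closes outside the hunk.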
@@ -0,0 +1,40 @@
+From 180057545225e49cea09c74e454ee6bef30521b5 Mon Sep 17 00:00:00 2001
+From: dervoeti
+Date: Thu, 26 Mar 2026 21:05:47 +0000
+Subject: Scope CycloneDX SBOM to shipped components only
+
+Exclude plugin subprojects that are not included in the opensearch-min
+distribution from the CycloneDX BOM generation. Only repository-s3 and
+telemetry-otel are shipped from the local build. Other plugins like
+ingest-attachment (which pulls in tika-core) are not installed in the
+Stackable image and should not appear in the runtime SBOM.
+---
+ build.gradle | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/build.gradle b/build.gradle
+index 49d3b971efa..aa2638b6a60 100644
+--- a/build.gradle
++++ b/build.gradle
+@@ -82,6 +82,21 @@ allprojects {
+ version = VersionProperties.getOpenSearch()
+ description = "OpenSearch subproject ${project.path}"
+
++ // Only include subprojects that are part of the opensearch-min distribution
++ // (server, libs, modules) plus the core plugins shipped in the Stackable
++ // image (repository-s3 and telemetry-otel). This prevents build-only plugin
++ // dependencies (e.g. tika-core from ingest-attachment) from appearing in the
++ // runtime SBOM as false positives.
++ def shippedPlugins = ['repository-s3', 'telemetry-otel'] as Set
++ def isUnshippedPlugin = (project.path.startsWith(':plugins:') && !(project.name in shippedPlugins)) ||
++ project.path.startsWith(':example-plugins')
++
++ if (isUnshippedPlugin) {
++ tasks.matching { it.name == 'cyclonedxDirectBom' }.configureEach {
++ enabled = false
++ }
++ }
++
+ cyclonedxDirectBom {
+ includeConfigs = ["runtimeClasspath"]
+ skipConfigs = ["compileClasspath", "testCompileClasspath"]
From 78b3dac0e3e912f15c1f2160640462f1f0a17165 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Fri, 27 Mar 2026 18:07:27 +0100
Subject: [PATCH 2/3] chore: changelog
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
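Review bot: The `if (isUnshippedPlugin)` block only disables the per-project `cyclonedxDirectBom` task; that is sufficient only if the image's SBOM is assembled from those direct-BOM outputs, and if the Stackable build instead runs a root-level aggregate BOM task that walks subprojects itself (the cyclonedx Gradle plugin ships one alongside the direct task in the versions that have `cyclonedxDirectBom`), the unshipped plugins and their dependencies such as tika-core would still be emitted and the 3.4.0 image would get none of this fix. Worth confirming which task the build invokes and, if it is the aggregate, excluding these projects there as well. Whichever task is used, a cheap regression guard is a CI assertion on the produced BOM, e.g. fail if it contains `tika-core` or lacks the `repository-s3` artifact, since a scoping mistake here shows up only as a missing component that no scanner will ever flag. The exclusion rule is now maintained twice with the same hard-coded two-entry set (here and in the 3.1.0 patch), so a comment pointing at the Dockerfile's plugin install lines as the source of truth, such as `// Keep in sync with the core-plugins unzipped in opensearch/Dockerfile.`, would help the next maintainer. The enclosing `allprojects { … }` block starts and ends outside the hunk.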
diff --git a/CHANGELOG.md b/CHANGELOG.md index c9fb2641f..fc5e077b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Fixed + +- opensearch: Scope CycloneDX SBOM to shipped components only, eliminating false positive CVEs from unshipped plugins ([#1452]). + +[#1452]: https://github.com/stackabletech/docker-images/pull/1452 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16 From 1de41d8a112a55b33497ba24ebf8424edcb1694c Mon Sep 17 00:00:00 2001 From: dervoeti Date: Fri, 27 Mar 2026 18:08:28 +0100 Subject: [PATCH 3/3] chore: add comment about adding OpenSearch plugins --- opensearch/Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/opensearch/Dockerfile b/opensearch/Dockerfile index 60d2dacf2..44a8b4e9e 100644 --- a/opensearch/Dockerfile +++ b/opensearch/Dockerfile @@ -63,6 +63,10 @@ NEW_VERSION="${PRODUCT_VERSION}-stackable${RELEASE_VERSION}" tar -czf /stackable/opensearch-${NEW_VERSION}-src.tar.gz . ./scripts/build.sh -v "${PRODUCT_VERSION}" -s false -a "${ARCH}" tar -xzf "artifacts/dist/opensearch-min-${PRODUCT_VERSION}-linux-${ARCH}.tar.gz" -C /stackable +# NOTE: When adding more core plugins here, also update the CycloneDX SBOM patch +# (stackable/patches//0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch) +# to include them in the shippedPlugins list, otherwise their dependencies will +# be missing from the SBOM. unzip artifacts/core-plugins/repository-s3-${PRODUCT_VERSION}.zip -d /stackable/opensearch-${PRODUCT_VERSION}/plugins/repository-s3/ mv /stackable/opensearch-${PRODUCT_VERSION}/plugins/repository-s3/config /stackable/opensearch-${PRODUCT_VERSION}/config/repository-s3 unzip artifacts/core-plugins/telemetry-otel-${PRODUCT_VERSION}.zip -d /stackable/opensearch-${PRODUCT_VERSION}/plugins/telemetry-otel/
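Review bot: The path in the new NOTE reads `stackable/patches//0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch` with an empty segment after `patches/`, but the diffstat in this series shows the file living under `stackable/patches/3.1.0/` and `stackable/patches/3.4.0/`, so a version placeholder was presumably lost and the line should read `# (stackable/patches/<PRODUCT_VERSION>/0005-Scope-CycloneDX-SBOM-to-shipped-components-only.patch)`. More importantly, a comment-only reminder is a weak control for something that decides SBOM completeness: a plugin unzipped below without also being added to `shippedPlugins` is silently absent from the SBOM, which is a false negative that the vulnerability scanner will never surface. Consider a guard in this step that, for each core-plugin zip unpacked into `plugins/`, greps the applied 0005 patch for the quoted plugin name and fails the build if it is missing, or drive both the unzip lines and the Gradle list from one variable. The RUN step this hunk belongs to starts before the hunk and, as far as is visible, continues after it.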