
fix(opensearch): scope CycloneDX SBOM to shipped components only#1452

Open
dervoeti wants to merge 3 commits into main from fix/opensearch-sbom-scope-shipped-components

Conversation

@dervoeti
Member

Description

Scope the CycloneDX SBOM generation to only include subprojects that are actually shipped in the Stackable OpenSearch image. The image uses the opensearch-min distribution which does not include plugins, but the SBOM was generated from the full Gradle build graph, causing false positive vulnerability reports for dependencies of unshipped plugins (e.g. CVE-2025-66516 for tika-core from the ingest-attachment plugin).

Only repository-s3 and telemetry-otel are extracted from the local build into the image. All other plugin subprojects and example-plugins are now excluded from the BOM.

The approach differs per OpenSearch version due to different CycloneDX plugin versions:

  • 3.1.0 (CycloneDX plugin 1.8.2): uses skipProjects
  • 3.4.0 (CycloneDX plugin 3.1.0): disables the cyclonedxDirectBom task for unshipped plugins

The patches would ideally need to be adapted once we decide to ship more plugins. However, even if the SBOM is not generated for some plugins, all shipped plugins inside the image should still be picked up by Syft once we scan the container image to generate the SBOM (only the dependency relationship information will probably be missing for these plugins).

I built both images and verified the component is not present anymore:

docker run --rm --entrypoint cat oci.stackable.tech/sdp/opensearch:3.4.0-stackable0.0.0-dev-amd64 /stackable/opensearch-3.4.0-stackable0.0.0-dev.cdx.json | jq '[.components[] | select(.name | test("tika"))]'

Definition of Done Checklist

Note

Not all of these items are applicable to all PRs; the author should update this template to only leave in the boxes that are relevant.

Please make sure all these things are done and tick the boxes

  • Changes are OpenShift compatible
  • All added packages (via microdnf or otherwise) have a comment on why they are added
  • Things not downloaded from Red Hat repositories should be mirrored in the Stackable repository and downloaded from there
  • All packages should have (if available) signatures/hashes verified
  • Add an entry to the CHANGELOG.md file
  • Integration tests ran successfully
TIP: Running integration tests with a new product image

The image can be built and uploaded to the kind cluster with the following commands:

boil build <IMAGE> --image-version <RELEASE_VERSION> --strip-architecture --load
kind load docker-image <MANIFEST_URI> --name=<name-of-your-test-cluster>

See the output of boil to retrieve the image manifest URI for <MANIFEST_URI>.
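To check a generated SBOM against the scoping rule described above, here is an added Python example (not code from the PR or the project): it loads a CycloneDX JSON document, walks the dependency graph from the distribution root and the shipped plugin components, and reports every component that is reachable only through an unshipped plugin. The sample SBOM, its bom-ref strings and versions, and the name-based plugin matching are constructed assumptions.

```python
import json
from collections import deque

# Constructed sample (not from the PR): a trimmed CycloneDX JSON document whose
# dependency graph mirrors the situation the PR describes. Versions are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "root:opensearch", "name": "opensearch"}},
    "components": [
        {"bom-ref": "plugin:repository-s3", "name": "repository-s3"},
        {"bom-ref": "plugin:telemetry-otel", "name": "telemetry-otel"},
        {"bom-ref": "plugin:ingest-attachment", "name": "ingest-attachment"},
        {"bom-ref": "pkg:maven/software.amazon.awssdk/s3@0.0.0", "name": "s3"},
        {"bom-ref": "pkg:maven/org.apache.tika/tika-core@0.0.0", "name": "tika-core"},
        {"bom-ref": "pkg:maven/org.apache.lucene/lucene-core@0.0.0", "name": "lucene-core"},
    ],
    "dependencies": [
        {"ref": "root:opensearch", "dependsOn": ["pkg:maven/org.apache.lucene/lucene-core@0.0.0"]},
        {"ref": "plugin:repository-s3", "dependsOn": ["pkg:maven/software.amazon.awssdk/s3@0.0.0"]},
        {"ref": "plugin:ingest-attachment", "dependsOn": ["pkg:maven/org.apache.tika/tika-core@0.0.0"]},
    ],
})

# Plugin subprojects the PR says are extracted into the image. Assumption: they are
# matched by component name; a real BOM may need group or purl matching instead.
SHIPPED_PLUGINS = {"repository-s3", "telemetry-otel"}


def reachable_refs(bom, roots):
    """Breadth-first walk of the CycloneDX 'dependencies' graph from the given bom-refs."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, queue = set(roots), deque(roots)
    while queue:
        for dep in edges.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def unshipped_components(bom_json, shipped_plugins=SHIPPED_PLUGINS):
    """Names of components not reachable from the distribution root or a shipped plugin."""
    bom = json.loads(bom_json)
    components = bom.get("components", [])
    roots = [bom["metadata"]["component"]["bom-ref"]]
    roots += [c["bom-ref"] for c in components if c["name"] in shipped_plugins]
    keep = reachable_refs(bom, roots)
    return sorted(c["name"] for c in components if c["bom-ref"] not in keep)


if __name__ == "__main__":
    print(unshipped_components(SAMPLE_SBOM))  # ['ingest-attachment', 'tika-core']
```

Anything the function returns for a real image SBOM is a component that a scanner would report against the image without it being shipped, which is exactly the class of false positive the PR removes at BOM-generation time.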

@dervoeti dervoeti self-assigned this Mar 27, 2026
@dervoeti dervoeti moved this to Development: Waiting for Review in Stackable Engineering Mar 27, 2026