feat: SBOMs for OpenSearch and opensearch-security-plugin

[dervoeti]

Description

I had to use an older version of the cyclonedx-gradle-plugin for OpenSearch itself, since newer versions caused issues with the version of the com.networknt:json-schema-validator component used by the OpenSearch build process. Updating com.networknt:json-schema-validator to the latest version is also possible (then the most recent version of cyclonedx-gradle-plugin works), but I decided against it to prevent side effect on the OpenSearch build process.

--warning-mode=summary is passed to the cyclonedxBom subcommand to prevent it from failing because of deprecated features. The SBOM is generated correctly, it will probably not work with Gradle 9 but by then newer versions of OpenSearch and the cyclonedx-gradle-plugin might be ready that fix these warnings.

I also moved the COPY line of the security plugin further down to avoid rebuilding OpenSearch when changing something in the plugin.

Definition of Done Checklist

Note

Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant.

Please make sure all these things are done and tick the boxes

• Changes are OpenShift compatible
• All added packages (via microdnf or otherwise) have a comment on why they are added
• Things not downloaded from Red Hat repositories should be mirrored in the Stackable repository and downloaded from there
• All packages should have (if available) signatures/hashes verified
• Add an entry to the CHANGELOG.md file
• Integration tests ran successfully

TIP: Running integration tests with a new product image

The image can be built and uploaded to the kind cluster with the following commands:

bake --product <product> --image-version <stackable-image-version>
kind load docker-image <image-tagged-with-the-major-version> --name=<name-of-your-test-cluster>

See the output of bake to retrieve the image tag for <image-tagged-with-the-major-version>.

[labrenbe]

Thanks!