feat(nifi): SBOMs for NARs (#1119)

dervoeti · web-flow · commit 91545e580048 · 2025-05-19T09:44:25.000Z
* feat: copy SBOMs of NARs

* chore: align sbom suffixes

* chore: changelog
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -57,6 +57,7 @@ All notable changes to this project will be documented in this file.
 - cyclonedx-bom: Bump airflow and superset to use `6.0.0` ([#1090]).
 - vector: Bump to `0.46.1` ([#1098]).
 - spark: update dependencies for 3.5.5 ([#1094])
+- nifi: include NAR SBOMs ([#1119])
 
 ### Fixed
 
@@ -128,6 +129,7 @@ All notable changes to this project will be documented in this file.
 [#1110]: https://github.com/stackabletech/docker-images/pull/1110
 [#1114]: https://github.com/stackabletech/docker-images/pull/1114
 [#1116]: https://github.com/stackabletech/docker-images/pull/1116
+[#1119]: https://github.com/stackabletech/docker-images/pull/1119
 
 ## [25.3.0] - 2025-03-21
 
diff --git a/nifi/Dockerfile b/nifi/Dockerfile
@@ -59,6 +59,20 @@ mv nifi-assembly/target/nifi-${PRODUCT}-bin/nifi-${PRODUCT} /stackable/nifi-${PR
 # Copy the SBOM as well
 mv nifi-assembly/target/bom.json /stackable/nifi-${PRODUCT}/nifi-${PRODUCT}.cdx.json
 
+# Get a list of NARs
+export NARS=$(ls /stackable/nifi-${PRODUCT}/lib/*.nar | awk -F '/' '{ print $5 }' | sed "s/\-${PRODUCT}.nar\$//g")
+# Get a list of SBOMs
+find . -name bom.json > bomlist.txt
+
+for nar in $NARS; do
+    # Try to find the NAR in the list of SBOMs
+    match=$(grep "\/$nar\/target\/bom.json" bomlist.txt || true)
+    if [[ -n "$match" ]]; then
+        # Copy the SBOM of the NAR
+        cp "$match" "/stackable/nifi-${PRODUCT}/$nar.cdx.json"
+    fi
+done
+
 # Remove sources
 (cd .. && rm -r ${PRODUCT})
 
@@ -100,15 +114,15 @@ if [[ "${PRODUCT}" != 1.* ]] ; then
     cp ./nifi-iceberg-services-api-nar/target/nifi-iceberg-services-api-nar-${NIFI_ICEBERG_BUNDLE}.nar /stackable
     cp ./nifi-iceberg-services-nar/target/nifi-iceberg-services-nar-${NIFI_ICEBERG_BUNDLE}.nar /stackable
     cp ./nifi-iceberg-processors-nar/target/nifi-iceberg-processors-nar-${NIFI_ICEBERG_BUNDLE}.nar /stackable
-    cp ./target/bom.json /stackable/nifi-iceberg-bundle.sbom.json
+    cp ./target/bom.json /stackable/nifi-iceberg-bundle.cdx.json
 
     cd ..
     # Save disk space, even for intermediate images
     rm -rf nifi-iceberg-bundle-${NIFI_ICEBERG_BUNDLE}
 
 # Set correct groups
 chmod g=u /stackable/*.nar
-chmod g=u /stackable/*.sbom.json
+chmod g=u /stackable/*.cdx.json
 fi
 EOF
 
@@ -129,7 +143,7 @@ LABEL name="Apache NiFi" \
 COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-builder /stackable/nifi-${PRODUCT} /stackable/nifi-${PRODUCT}/
 COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-builder /stackable/stackable-bcrypt.jar /stackable/stackable-bcrypt.jar
 COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-iceberg-bundle-builder /stackable/*.nar /stackable/nifi-${PRODUCT}/lib/
-COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-iceberg-bundle-builder /stackable/*.sbom.json /stackable/nifi-${PRODUCT}/lib/
+COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-iceberg-bundle-builder /stackable/*.cdx.json /stackable/nifi-${PRODUCT}/lib/
 COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-builder /stackable/git-sync /stackable/git-sync
 
 COPY --chown=${STACKABLE_USER_UID}:0 nifi/stackable/bin /stackable/bin
