Update cargo-cyclonedx and enable Renovate to update it

CHANGELOG.md

@@ -19,6 +19,7 @@ All notable changes to this project will be documented in this file.
 
 - ci: Rename local actions, adjust action inputs and outputs, add definition
   README file ([#819]).
+- Update cargo-cyclonedx to 0.5.5 and build CycloneDX 1.5 files ([#783])
 
 ### Removed
 
@@ -35,6 +36,7 @@ All notable changes to this project will be documented in this file.
 
 - hbase: link to phoenix server jar ([#811]).
 
+[#783]: https://github.com/stackabletech/docker-images/pull/783
 [#797]: https://github.com/stackabletech/docker-images/pull/797
 [#802]: https://github.com/stackabletech/docker-images/pull/802
 [#809]: https://github.com/stackabletech/docker-images/pull/809

renovate.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "local>stackabletech/.github:renovate-config",
+    "github>stackabletech/.github:renovate-config",
     "docker:pinDigests"
   ]
 }

shared/copy_artifacts.sh

@@ -3,6 +3,6 @@
 # Copy over the binary
 cp "$1" /app
 
-# And now try to find a BOM file named like the binary + .cdx.xml and copy it over as well if it exists
+# And now try to find a BOM file named like the binary + _bin.cdx.xml and copy it over as well if it exists
 base=$(basename "$1")
-find /src/rust/ -type f -name "$base.cdx.xml" -exec cp {} /app \;
+find /src/rust/ -type f -name "${base}_bin.cdx.xml" -exec cp {} /app \;

stackable-base/Dockerfile

@@ -5,14 +5,17 @@
 FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:104cf11d890aeb7dd5728b7d7732e175a0e4018f1bb00d2faebcc8f6bf29bd52 AS product-utils-builder
 
 # Find the latest version here: https://github.com/stackabletech/config-utils/tags
+# renovate: datasource=github-tags packageName=stackabletech/config-utils
 ENV CONFIG_UTILS_VERSION=0.2.0
 # This SHOULD be kept in sync with operator-templating and other tools to reduce build times
 # Find the latest version here: https://doc.rust-lang.org/stable/releases.html
+# renovate: datasource=github-releases packageName=rust-lang/rust
 ENV RUST_DEFAULT_TOOLCHAIN_VERSION=1.80.1
 # Find the latest version here: https://crates.io/crates/cargo-cyclonedx
-# IMPORTANT: Do not update until https://github.com/stackabletech/docker-images/pull/783 is merged
-ENV CARGO_CYCLONEDX_CRATE_VERSION=0.4.0
+# renovate: datasource=crate packageName=cargo-cyclonedx
+ENV CARGO_CYCLONEDX_CRATE_VERSION=0.5.5
 # Find the latest version here: https://crates.io/crates/cargo-auditable
+# renovate: datasource=crate packageName=cargo-auditable
 ENV CARGO_AUDITABLE_CRATE_VERSION=0.6.4
 
 RUN <<EOF
@@ -32,7 +35,7 @@ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --defaul
 git clone --depth 1 --branch "${CONFIG_UTILS_VERSION}" https://github.com/stackabletech/config-utils
 cd ./config-utils
 . "$HOME/.cargo/env"
-cargo auditable --quiet build --release && cargo cyclonedx --output-pattern package --all --output-cdx
+cargo auditable --quiet build --release && cargo cyclonedx --all --spec-version 1.5 --describe binaries
 EOF
 
 # Find the latest version at https://catalog.redhat.com/software/containers/ubi9/ubi-minimal/615bd9b4075b022acc111bf5?container-tabs=gti
@@ -157,10 +160,11 @@ fi
 EOF
 
 COPY --from=product-utils-builder --chown=stackable:stackable /config-utils/target/release/config-utils /stackable/config-utils
-COPY --from=product-utils-builder --chown=stackable:stackable /config-utils/config-utils.cdx.xml /stackable/config-utils.cdx.xml
+COPY --from=product-utils-builder --chown=stackable:stackable /config-utils/config-utils_bin.cdx.xml /stackable/config-utils.cdx.xml
 ENV PATH="${PATH}:/stackable"
 
 # These labels have mostly been superceded by the OpenContainer spec annotations below but it doesn't hurt to include them
+# http://label-schema.org/rc1/
 LABEL maintainer="[email protected]"
 LABEL vendor="Stackable GmbH"
 

ubi8-rust-builder/Dockerfile

@@ -11,14 +11,17 @@ LABEL maintainer="Stackable GmbH"
 
 # This SHOULD be kept in sync with operator-templating and other tools to reduce build times
 # Find the latest version here: https://doc.rust-lang.org/stable/releases.html
+# renovate: datasource=github-releases packageName=rust-lang/rust
 ENV RUST_DEFAULT_TOOLCHAIN_VERSION=1.80.1
 # Find the latest version here: https://crates.io/crates/cargo-cyclonedx
-# IMPORTANT: Do not update until https://github.com/stackabletech/docker-images/pull/783 is merged
-ENV CARGO_CYCLONEDX_CRATE_VERSION=0.4.0
+# renovate: datasource=crate packageName=cargo-cyclonedx
+ENV CARGO_CYCLONEDX_CRATE_VERSION=0.5.5
 # Find the latest version here: https://crates.io/crates/cargo-auditable
+# renovate: datasource=crate packageName=cargo-auditable
 ENV CARGO_AUDITABLE_CRATE_VERSION=0.6.4
 # Find the latest version here: https://github.com/protocolbuffers/protobuf/releases
 # Upload any newer version to nexus with ./.scripts/upload_new_protoc_version.sh
+# renovate: datasource=github-releases packageName=protocolbuffers/protobuf
 ENV PROTOC_VERSION=27.3
 
 # Sets the default shell to Bash with strict error handling and robust pipeline processing.
@@ -73,8 +76,11 @@ WORKDIR /
 # IMPORTANT
 # If you change the toolchain version here, make sure to also change the "rust_version"
 # property in operator-templating/config/rust.yaml
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_DEFAULT_TOOLCHAIN_VERSION \
- && . "$HOME/.cargo/env" && cargo --quiet install cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION
+RUN <<EOF
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "$RUST_DEFAULT_TOOLCHAIN_VERSION"
+. "$HOME/.cargo/env"
+cargo --quiet install "cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION" "cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION"
+EOF
 
 # Build artifacts will be available in /app.
 RUN mkdir /app
@@ -84,20 +90,21 @@ COPY shared/copy_artifacts.sh /
 ONBUILD WORKDIR /src
 ONBUILD COPY . /src
 
-ONBUILD RUN . "$HOME/.cargo/env" && cargo auditable --quiet build --release --workspace && cargo cyclonedx --output-pattern package --all --output-cdx
+ONBUILD RUN <<EOF
+. "$HOME/.cargo/env"
+cargo auditable --quiet build --release --workspace
+cargo cyclonedx --all --spec-version 1.5 --describe binaries
 
-# Copy the "interesting" files into /app.
-ONBUILD RUN find /src/target/release \
-                -regextype egrep \
-                # The interesting binaries are all directly in ${BUILD_DIR}.
-                -maxdepth 1 \
-                # Well, binaries are executable.
-                -executable \
-                # Well, binaries are files.
-                -type f \
-                # Filter out tests.
-                ! -regex ".*\-[a-fA-F0-9]{16,16}$" \
-                # Copy the matching files into /app.
-                -exec /copy_artifacts.sh {} \;
+# -maxdepth 1: The interesting binaries are all directly in ${BUILD_DIR}.
+# -regex filters out tests
+# - exec copies matching files to /app
+find /src/target/release \
+  -regextype egrep \
+  -maxdepth 1 \
+  -executable \
+  -type f \
+  ! -regex ".*\-[a-fA-F0-9]{16,16}$" \
+  -exec /copy_artifacts.sh {} \;
 
-ONBUILD RUN echo "The following files will be copied to the runtime image: $(ls /app)"
+echo "The following files will be copied to the runtime image: $(ls /app)"
+EOF

ubi9-rust-builder/Dockerfile

@@ -8,14 +8,17 @@ LABEL maintainer="Stackable GmbH"
 
 # This SHOULD be kept in sync with operator-templating and other tools to reduce build times
 # Find the latest version here: https://doc.rust-lang.org/stable/releases.html
+# renovate: datasource=github-releases packageName=rust-lang/rust
 ENV RUST_DEFAULT_TOOLCHAIN_VERSION=1.80.1
 # Find the latest version here: https://crates.io/crates/cargo-cyclonedx
-# IMPORTANT: Do not update until https://github.com/stackabletech/docker-images/pull/783 is merged
-ENV CARGO_CYCLONEDX_CRATE_VERSION=0.4.0
+# renovate: datasource=crate packageName=cargo-cyclonedx
+ENV CARGO_CYCLONEDX_CRATE_VERSION=0.5.5
 # Find the latest version here: https://crates.io/crates/cargo-auditable
+# renovate: datasource=crate packageName=cargo-auditable
 ENV CARGO_AUDITABLE_CRATE_VERSION=0.6.4
 # Find the latest version here: https://github.com/protocolbuffers/protobuf/releases
 # Upload any newer version to nexus with ./.scripts/upload_new_protoc_version.sh
+# renovate: datasource=github-releases packageName=protocolbuffers/protobuf
 ENV PROTOC_VERSION=27.3
 
 # Sets the default shell to Bash with strict error handling and robust pipeline processing.
@@ -72,8 +75,11 @@ WORKDIR /
 # IMPORTANT
 # If you change the toolchain version here, make sure to also change the "rust_version"
 # property in operator-templating/config/rust.yaml
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_DEFAULT_TOOLCHAIN_VERSION \
-&& . "$HOME/.cargo/env" && cargo --quiet install cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION
+RUN <<EOF
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "$RUST_DEFAULT_TOOLCHAIN_VERSION"
+. "$HOME/.cargo/env"
+cargo install --quiet "cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION" "cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION"
+EOF
 
 # Build artifacts will be available in /app.
 RUN mkdir /app
@@ -83,20 +89,21 @@ COPY shared/copy_artifacts.sh /
 ONBUILD WORKDIR /src
 ONBUILD COPY . /src
 
-ONBUILD RUN . "$HOME/.cargo/env" && cargo auditable --quiet build --release --workspace && cargo cyclonedx --output-pattern package --all --output-cdx
+ONBUILD RUN <<EOF
+. "$HOME/.cargo/env"
+cargo auditable --quiet build --release --workspace
+cargo cyclonedx --all --spec-version 1.5 --describe binaries
 
-# Copy the "interesting" files into /app.
-ONBUILD RUN find /src/target/release \
-                -regextype egrep \
-                # The interesting binaries are all directly in ${BUILD_DIR}.
-                -maxdepth 1 \
-                # Well, binaries are executable.
-                -executable \
-                # Well, binaries are files.
-                -type f \
-                # Filter out tests.
-                ! -regex ".*\-[a-fA-F0-9]{16,16}$" \
-                # Copy the matching files into /app.
-                -exec /copy_artifacts.sh {} \;
+# -maxdepth 1: The interesting binaries are all directly in ${BUILD_DIR}.
+# -regex filters out tests
+# - exec copies matching files to /app
+find /src/target/release \
+  -regextype egrep \
+  -maxdepth 1 \
+  -executable \
+  -type f \
+  ! -regex ".*\-[a-fA-F0-9]{16,16}$" \
+  -exec /copy_artifacts.sh {} \;
 
-ONBUILD RUN echo "The following files will be copied to the runtime image: $(ls /app)"
+echo "The following files will be copied to the runtime image: $(ls /app)"
+EOF