From e20dda24f85caf0de4581e3a0df50ec476bbeab8 Mon Sep 17 00:00:00 2001 From: dervoeti Date: Fri, 11 Oct 2024 20:27:31 +0200 Subject: [PATCH 01/19] feat: generate SBOMs at build time for OPA, statsd_exporter and kafka --- kafka/Dockerfile | 31 ++++++++++--- .../patches/3.7.1/001-cyclonedx-plugin.patch | 27 ++++++++++++ kafka/stackable/patches/apply_patches.sh | 44 +++++++++++++++++++ opa/Dockerfile | 33 ++++++++++---- statsd_exporter/Dockerfile | 18 +++++++- 5 files changed, 135 insertions(+), 18 deletions(-) create mode 100644 kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch create mode 100755 kafka/stackable/patches/apply_patches.sh diff --git a/kafka/Dockerfile b/kafka/Dockerfile index 4d7b204c0..2d916f869 100644 --- a/kafka/Dockerfile +++ b/kafka/Dockerfile @@ -1,9 +1,8 @@ -# syntax=docker/dockerfile:1.10.0@sha256:865e5dd094beca432e8c0a1d5e1c465db5f998dca4e439981029b3b81fb39ed5 -# check=error=true +# syntax=docker/dockerfile:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd FROM stackable/image/kcat AS kcat -FROM stackable/image/java-devel AS kafka-builder +FROM stackable/image/java-devel as kafka-builder ARG PRODUCT ARG SCALA @@ -12,20 +11,37 @@ ARG JMX_EXPORTER ARG STACKABLE_USER_UID USER ${STACKABLE_USER_UID} +RUN <= 1.23.1) +RUN go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.7.0 +RUN curl --fail -L "https://repo.stackable.tech/repository/packages/opa/opa_${PRODUCT}.tar.gz" -o opa.tar.gz && \ tar -zxvf opa.tar.gz && \ - mv opa-${PRODUCT} opa + mv "opa-${PRODUCT}" opa WORKDIR /opa -RUN go build -o opa -buildmode=exe +RUN < Date: Fri, 11 Oct 2024 20:28:08 +0200 Subject: [PATCH 02/19] fix: remove circular dependencies in Airflow SBOM --- airflow/Dockerfile | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/airflow/Dockerfile b/airflow/Dockerfile index 83b9896e7..c70dab35d 100644 --- a/airflow/Dockerfile +++ b/airflow/Dockerfile 
@@ -12,6 +12,7 @@ FROM stackable/image/statsd_exporter AS statsd_exporter-builder FROM stackable/image/vector AS airflow-build-image ARG PRODUCT +ARG STATSD_EXPORTER ARG PYTHON ARG TARGETARCH @@ -38,20 +39,40 @@ RUN microdnf update && \ python${PYTHON}-pip \ python${PYTHON}-wheel \ # The airflow odbc provider can compile without the development files (headers and libraries) (see https://github.com/stackabletech/docker-images/pull/683) - unixODBC && \ + unixODBC \ + # Needed to modify the SBOM + jq && \ microdnf clean all && \ rm -rf /var/cache/yum -RUN python${PYTHON} -m venv --system-site-packages /stackable/app && \ - source /stackable/app/bin/activate && \ - pip install --no-cache-dir --upgrade pip && \ - pip install --no-cache-dir apache-airflow[${AIRFLOW_EXTRAS}]==${PRODUCT} --constraint /tmp/constraints.txt && \ - # Needed for pandas S3 integration to e.g. write and read csv and parquet files to/from S3 - pip install --no-cache-dir s3fs cyclonedx-bom && \ - cyclonedx-py environment --schema-version 1.5 --outfile /stackable/airflow-${PRODUCT}.cdx.json +RUN < /stackable/airflow-${PRODUCT}.cdx.json + +rm /tmp/sbom.json +microdnf remove jq +EOF WORKDIR /stackable COPY --from=statsd_exporter-builder /statsd_exporter/statsd_exporter /stackable/statsd_exporter +COPY --from=statsd_exporter-builder /statsd_exporter/statsd_exporter-${STATSD_EXPORTER}.cdx.json /stackable/statsd_exporter-${STATSD_EXPORTER}.cdx.json FROM stackable/image/vector AS airflow-main-image From 306b75636bbbb836b976698af672812062245f8a Mon Sep 17 00:00:00 2001 From: dervoeti Date: Mon, 14 Oct 2024 16:32:25 +0200 Subject: [PATCH 03/19] fix: kafka: ignore test components in SBOM --- .../patches/3.7.1/001-cyclonedx-plugin.patch | 31 ++++++++++++++++--- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch b/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch index 3ed69b543..88dbc9948 100644 
--- a/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch
+++ b/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch
@@ -1,8 +1,8 @@
 diff --git a/build.gradle b/build.gradle
-index 32e6e8f..7bfe6c2 100644
+index 32e6e8f..d496382 100644
 --- a/build.gradle
 +++ b/build.gradle
-@@ -48,6 +48,22 @@ plugins {
+@@ -48,6 +48,45 @@ plugins {
  // artifacts - see https://github.com/johnrengelman/shadow/issues/901
  id 'com.github.johnrengelman.shadow' version '8.1.0' apply false
  id 'com.diffplug.spotless' version '6.14.0' apply false // 6.14.1 and newer require Java 11 at compile time, so we can't upgrade until AK 4.0
@@ -20,8 +20,31 @@ index 32e6e8f..7bfe6c2 100644
 + outputName = "bom"
 + // The file format generated, can be xml, json or all for generating both. Defaults to 'all'
 + outputFormat = "json"
-+ // Fixes: https://github.com/gradle/gradle/issues/6854
-+ skipConfigs = ["incrementalScalaAnalysisFortest", "incrementalScalaAnalysisFormain", "compileClasspath", "testCompileClasspath"]
++ includeConfigs = ["runtimeClasspath"]
++ skipProjects = [
++ 'upgrade-system-tests-0100',
++ 'upgrade-system-tests-0101',
++ 'upgrade-system-tests-0102',
++ 'upgrade-system-tests-0110',
++ 'upgrade-system-tests-10',
++ 'upgrade-system-tests-11',
++ 'upgrade-system-tests-20',
++ 'upgrade-system-tests-21',
++ 'upgrade-system-tests-22',
++ 'upgrade-system-tests-23',
++ 'upgrade-system-tests-24',
++ 'upgrade-system-tests-25',
++ 'upgrade-system-tests-26',
++ 'upgrade-system-tests-27',
++ 'upgrade-system-tests-28',
++ 'upgrade-system-tests-30',
++ 'upgrade-system-tests-31',
++ 'upgrade-system-tests-32',
++ 'upgrade-system-tests-33',
++ 'upgrade-system-tests-34',
++ 'upgrade-system-tests-35',
++ 'upgrade-system-tests-36'
++ ]
 }
 
 ext {

From 924bb56bb5c70fa90376b47432cde9ce6fd27e5e Mon Sep 17 00:00:00 2001
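Review bot: `skipProjects` in the second hunk is a hand-copied list of 22 subproject names that has to be re-verified for every Kafka version, and its failure mode is silent: a newly added `upgrade-system-tests-*` module is simply absent from the list and its dependencies presumably show up in the SBOM again, which is what this commit is trying to prevent. Gradle knows the project names at configuration time, so the list can be derived rather than maintained, e.g. `skipProjects = subprojects.findAll { it.name.startsWith('upgrade-system-tests-') }*.name`, assuming the plugin property accepts a computed list as it does the literal one. The new 3.8.0 patch file added in patch 04 repeats the same list with one more entry and would collapse to the same line.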
From: dervoeti
Date: Mon, 14 Oct 2024 17:25:26 +0200
Subject: [PATCH 04/19] fix: kafka: missing patchfile for kafka 3.8.0

---
 .../patches/3.8.0/001-cyclonedx-plugin.patch | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch

diff --git a/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch b/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch
new file mode 100644
index 000000000..e90500b1d
--- /dev/null
+++ b/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch
@@ -0,0 +1,51 @@
+diff --git a/build.gradle b/build.gradle
+index 92082fe..033eb91 100644
+--- a/build.gradle
++++ b/build.gradle
+@@ -48,6 +48,46 @@ plugins {
+ // artifacts - see https://github.com/johnrengelman/shadow/issues/901
+ id 'com.github.johnrengelman.shadow' version '8.1.0' apply false
+ id 'com.diffplug.spotless' version '6.14.0' apply false // 6.14.1 and newer require Java 11 at compile time, so we can't upgrade until AK 4.0
++ id 'org.cyclonedx.bom' version '1.9.0'
++}
++
++cyclonedxBom {
++ // Specified the type of project being built. Defaults to 'library'
++ projectType = "application"
++ // Specified the version of the CycloneDX specification to use. Defaults to '1.5'
++ schemaVersion = "1.5"
++ // Boms destination directory. Defaults to 'build/reports'
++ destination = file("build/reports")
++ // The file name for the generated BOMs (before the file format suffix). Defaults to 'bom'
++ outputName = "bom"
++ // The file format generated, can be xml, json or all for generating both. Defaults to 'all'
++ outputFormat = "json"
++ includeConfigs = ["runtimeClasspath"]
++ skipProjects = [
++ 'upgrade-system-tests-0100',
++ 'upgrade-system-tests-0101',
++ 'upgrade-system-tests-0102',
++ 'upgrade-system-tests-0110',
++ 'upgrade-system-tests-10',
++ 'upgrade-system-tests-11',
++ 'upgrade-system-tests-20',
++ 'upgrade-system-tests-21',
++ 'upgrade-system-tests-22',
++ 'upgrade-system-tests-23',
++ 'upgrade-system-tests-24',
++ 'upgrade-system-tests-25',
++ 'upgrade-system-tests-26',
++ 'upgrade-system-tests-27',
++ 'upgrade-system-tests-28',
++ 'upgrade-system-tests-30',
++ 'upgrade-system-tests-31',
++ 'upgrade-system-tests-32',
++ 'upgrade-system-tests-33',
++ 'upgrade-system-tests-34',
++ 'upgrade-system-tests-35',
++ 'upgrade-system-tests-36',
++ 'upgrade-system-tests-37'
++ ]
+ }
+ 
+ ext {

From 05b7e5b5f0b4e0684a1646badeffdd1cfa862f81 Mon Sep 17 00:00:00 2001
From: Lukas Voetmand
Date: Tue, 15 Oct 2024 22:58:44 +0200
Subject: [PATCH 05/19] fix: no need to cleanup builder image

Co-authored-by: Siegfried Weber
---
 airflow/Dockerfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/airflow/Dockerfile b/airflow/Dockerfile
index c70dab35d..3be604c1a 100644
--- a/airflow/Dockerfile
+++ b/airflow/Dockerfile
@@ -67,7 +67,6 @@ else
 end)' /tmp/sbom.json > /stackable/airflow-${PRODUCT}.cdx.json
 
 rm /tmp/sbom.json
-microdnf remove jq
 EOF
 
 WORKDIR /stackable

From 576553f7bb810afbeed77144372963b7e2cf9f66 Mon Sep 17 00:00:00 2001
From: Lukas Voetmand
Date: Tue, 15 Oct 2024 22:59:25 +0200
Subject: [PATCH 06/19] fix: add comment about cyclonedx-gomod to statsd_exporter as well

Co-authored-by: Siegfried Weber
---
 statsd_exporter/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/statsd_exporter/Dockerfile b/statsd_exporter/Dockerfile
index eb3dea1f7..77e3c5207 100644
--- a/statsd_exporter/Dockerfile
+++ b/statsd_exporter/Dockerfile
@@ -22,6 +22,7 @@ microdnf clean all
 rm -rf /var/cache/yum
 
 export GOPATH=/go_cache
+# We use version 1.7.0, since a newer version of cyclonedx-gomod is not compatible with the version of Golang (>= 1.23.1)
 go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.7.0
 EOF
 

From 605c0a6ec17147a28b50b10cfc50720c7cd27b0b Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Tue, 15 Oct 2024 23:00:04 +0200
Subject: [PATCH 07/19] fix: undo merge errors

---
 kafka/Dockerfile | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/kafka/Dockerfile b/kafka/Dockerfile
index 2d916f869..928f4b9f7 100644
--- a/kafka/Dockerfile
+++ b/kafka/Dockerfile
@@ -1,4 +1,5 @@
-# syntax=docker/dockerfile:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd
+# syntax=docker/dockerfile:1.10.0@sha256:865e5dd094beca432e8c0a1d5e1c465db5f998dca4e439981029b3b81fb39ed5
+# check=error=true
 
 FROM stackable/image/kcat AS kcat
 
@@ -28,7 +29,7 @@ WORKDIR /stackable
 COPY --chown=stackable:stackable kafka/stackable/patches/apply_patches.sh /stackable/kafka-${PRODUCT}-src/patches/apply_patches.sh
 COPY --chown=stackable:stackable kafka/stackable/patches/${PRODUCT} /stackable/kafka-${PRODUCT}-src/patches/${PRODUCT}
 
-RUN curl --fail -L "https://repo.stackable.tech/repository/packages/kafka/kafka-${PRODUCT}-src.tgz" | tar -xzC .
+RUN curl "https://repo.stackable.tech/repository/packages/kafka/kafka-${PRODUCT}-src.tgz" | tar -xzC .
 RUN cd kafka-${PRODUCT}-src && \
 ./patches/apply_patches.sh ${PRODUCT} && \
 # TODO: Try to install gradle via package manager (if possible) instead of fetching it from the internet
@@ -41,7 +42,8 @@ RUN cd kafka-${PRODUCT}-src && \
 rm -rf /stackable/kafka_${SCALA}-${PRODUCT}/site-docs/ && \
 rm -rf /stackable/kafka-${PRODUCT}-src
 
-RUN curl --fail -L https://repo.stackable.tech/repository/packages/kafka-opa-authorizer/opa-authorizer-${OPA_AUTHORIZER}-all.jar \
+# TODO (@NickLarsenNZ): Compile from source: https://github.com/StyraInc/opa-kafka-plugin
+RUN curl https://repo.stackable.tech/repository/packages/kafka-opa-authorizer/opa-authorizer-${OPA_AUTHORIZER}-all.jar \
 -o /stackable/kafka_${SCALA}-${PRODUCT}/libs/opa-authorizer-${OPA_AUTHORIZER}-all.jar
 
 COPY --chown=${STACKABLE_USER_UID}:0 kafka/stackable/jmx/ /stackable/jmx/

From a49d0d3c8df529bc643198e6cbda54697367d632 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Tue, 15 Oct 2024 23:01:14 +0200
Subject: [PATCH 08/19] fix: casing to make linter happy

---
 kafka/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kafka/Dockerfile b/kafka/Dockerfile
index 928f4b9f7..916265e6d 100644
--- a/kafka/Dockerfile
+++ b/kafka/Dockerfile
@@ -3,7 +3,7 @@
 
 FROM stackable/image/kcat AS kcat
 
-FROM stackable/image/java-devel as kafka-builder
+FROM stackable/image/java-devel AS kafka-builder
 
 ARG PRODUCT
 ARG SCALA

From cca93e2db90fe71d5b7a3db2d2a64aba34e04d06 Mon Sep 17 00:00:00 2001
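Review bot: Both downloads in this file are still used without any integrity check, so the SBOM produced later describes whatever repo.stackable.tech happened to serve: the kafka source tarball on the changed line of the first hunk is piped straight into `tar`, and the opa-authorizer jar in the second hunk is written into `libs/` exactly as fetched. Shell-form `RUN` executes under `/bin/sh -c` without pipefail, so unless a `SHELL` directive earlier in the file sets it, a failing `curl` in that pipe is only noticed if `tar` rejects the truncated stream, and dropping `--fail -L` now makes even that depend on a curlrc that is not in the hunk. A recorded digest verified in the same layer closes both gaps for the jar, e.g. `RUN curl https://repo.stackable.tech/repository/packages/kafka-opa-authorizer/opa-authorizer-${OPA_AUTHORIZER}-all.jar -o /stackable/kafka_${SCALA}-${PRODUCT}/libs/opa-authorizer-${OPA_AUTHORIZER}-all.jar && echo "<SHA256_OF_JAR_PLACEHOLDER>  /stackable/kafka_${SCALA}-${PRODUCT}/libs/opa-authorizer-${OPA_AUTHORIZER}-all.jar" | sha256sum -c -`; the tarball should be saved to a file and checked the same way before extraction. The opa and statsd_exporter downloads changed in patch 14 have the same gap. The `RUN cd kafka-${PRODUCT}-src && \` step after the first change continues outside the hunk.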
From: Lukas Voetmand
Date: Tue, 15 Oct 2024 23:05:27 +0200
Subject: [PATCH 09/19] fix: indenting and alphabetical sorting of packages

Co-authored-by: Siegfried Weber
---
 opa/Dockerfile | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/opa/Dockerfile b/opa/Dockerfile
index 5dc708922..0e917bd63 100644
--- a/opa/Dockerfile
+++ b/opa/Dockerfile
@@ -68,12 +68,12 @@ ENV GOOS=$TARGETOS
 # git - needed by the cyclonedx-gomod tool to determine the version of OPA
 # golang - used to build OPA
 RUN microdnf update && \
-microdnf install \
-gzip \
-git \
-golang \
-tar && \
-microdnf clean all
+ microdnf install \
+ git \
+ golang \
+ gzip \
+ tar && \
+ microdnf clean all
 
 # We use version 1.7.0, since a newer version of cyclonedx-gomod is not compatible with the version of Golang (>= 1.23.1)
 RUN go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.7.0

From c721b5dbf5a2e703db53961e2fe8114226f43594 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Tue, 15 Oct 2024 23:07:16 +0200
Subject: [PATCH 10/19] fix: re-added line to remove sourcecode after build of statsd_exporter

---
 statsd_exporter/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/statsd_exporter/Dockerfile b/statsd_exporter/Dockerfile
index 77e3c5207..885262a14 100644
--- a/statsd_exporter/Dockerfile
+++ b/statsd_exporter/Dockerfile
@@ -41,4 +41,5 @@ curl --fail -L "https://repo.stackable.tech/repository/packages/statsd_exporter/
 go build -o ../statsd_exporter
 /go_cache/bin/cyclonedx-gomod app -json -output-version 1.5 -output ../statsd_exporter-${PRODUCT}.cdx.json -packages -files
 )
+rm -rf "statsd_exporter-${PRODUCT}"
 EOF

From cdcf49ca1c62c0de21dd7f35176a45debb2fd74e Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Tue, 15 Oct 2024 23:17:11 +0200
Subject: [PATCH 11/19] fix: merge RUN layers in statsd_exporter

---
 statsd_exporter/Dockerfile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/statsd_exporter/Dockerfile b/statsd_exporter/Dockerfile index 885262a14..d599f9c84 100644 --- a/statsd_exporter/Dockerfile +++ b/statsd_exporter/Dockerfile @@ -24,9 +24,7 @@ rm -rf /var/cache/yum export GOPATH=/go_cache # We use version 1.7.0, since a newer version of cyclonedx-gomod is not compatible with the version of Golang (>= 1.23.1) go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.7.0 -EOF -RUN --mount=type=cache,id=go-statsd-exporter,uid=1000,target=/go_cache < Date: Tue, 15 Oct 2024 23:17:54 +0200 Subject: [PATCH 12/19] fix: place SBOM files closer to the application they are for --- airflow/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/airflow/Dockerfile b/airflow/Dockerfile index 3be604c1a..3f583bea7 100644 --- a/airflow/Dockerfile +++ b/airflow/Dockerfile @@ -64,7 +64,7 @@ jq '.dependencies |= map(if .ref | test("^apache-airflow-providers-") then .dependsOn |= map(select(. != "apache-airflow==${PRODUCT}")) else . -end)' /tmp/sbom.json > /stackable/airflow-${PRODUCT}.cdx.json +end)' /tmp/sbom.json > /stackable/app/airflow-${PRODUCT}.cdx.json rm /tmp/sbom.json EOF From 2b3d70a6a99bf9d0002845198764fd7328eaacd4 Mon Sep 17 00:00:00 2001 From: dervoeti Date: Tue, 15 Oct 2024 23:27:24 +0200 Subject: [PATCH 13/19] fix: update gradle cyclonedx plugin to version 1.10.0 --- kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch | 4 ++-- kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch b/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch index 88dbc9948..8c27b4a1c 100644 --- a/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch +++ b/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch @@ -1,12 +1,12 @@ diff --git a/build.gradle b/build.gradle -index 32e6e8f..d496382 100644 +index 32e6e8f..33e12a8 100644 --- a/build.gradle +++ b/build.gradle 
 @@ -48,6 +48,45 @@ plugins {
 // artifacts - see https://github.com/johnrengelman/shadow/issues/901
 id 'com.github.johnrengelman.shadow' version '8.1.0' apply false
 id 'com.diffplug.spotless' version '6.14.0' apply false // 6.14.1 and newer require Java 11 at compile time, so we can't upgrade until AK 4.0
-+ id 'org.cyclonedx.bom' version '1.9.0'
++ id 'org.cyclonedx.bom' version '1.10.0'
 +}
 +
 +cyclonedxBom {
diff --git a/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch b/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch
index e90500b1d..af0f00d8c 100644
--- a/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch
+++ b/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch
@@ -1,12 +1,12 @@
 diff --git a/build.gradle b/build.gradle
-index 92082fe..033eb91 100644
+index 92082fe..bd7f6e2 100644
 --- a/build.gradle
 +++ b/build.gradle
 @@ -48,6 +48,46 @@ plugins {
 // artifacts - see https://github.com/johnrengelman/shadow/issues/901
 id 'com.github.johnrengelman.shadow' version '8.1.0' apply false
 id 'com.diffplug.spotless' version '6.14.0' apply false // 6.14.1 and newer require Java 11 at compile time, so we can't upgrade until AK 4.0
-+ id 'org.cyclonedx.bom' version '1.9.0'
++ id 'org.cyclonedx.bom' version '1.10.0'
 +}
 +
 +cyclonedxBom {

From acb8c567bd1ec706a63049882da7dd5dd315f7c2 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Wed, 16 Oct 2024 11:13:31 +0200
Subject: [PATCH 14/19] fix: remove unnecessary curl flags, because we have a curlrc file

---
 opa/Dockerfile | 2 +-
 statsd_exporter/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/opa/Dockerfile b/opa/Dockerfile
index 0e917bd63..1979cd061 100644
--- a/opa/Dockerfile
+++ b/opa/Dockerfile
@@ -77,7 +77,7 @@ RUN microdnf update && \
 
 # We use version 1.7.0, since a newer version of cyclonedx-gomod is not compatible with the version of Golang (>= 1.23.1)
 RUN go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.7.0
-RUN curl --fail -L "https://repo.stackable.tech/repository/packages/opa/opa_${PRODUCT}.tar.gz" -o opa.tar.gz && \
+RUN curl "https://repo.stackable.tech/repository/packages/opa/opa_${PRODUCT}.tar.gz" -o opa.tar.gz && \
 tar -zxvf opa.tar.gz && \
 mv "opa-${PRODUCT}" opa
 
diff --git a/statsd_exporter/Dockerfile b/statsd_exporter/Dockerfile
index d599f9c84..7d18ed9f7 100644
--- a/statsd_exporter/Dockerfile
+++ b/statsd_exporter/Dockerfile
@@ -25,7 +25,7 @@ export GOPATH=/go_cache
 # We use version 1.7.0, since a newer version of cyclonedx-gomod is not compatible with the version of Golang (>= 1.23.1)
 go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.7.0
 
-curl --fail -L "https://repo.stackable.tech/repository/packages/statsd_exporter/statsd_exporter-${PRODUCT}.src.tar.gz" | tar -xzC .
+curl "https://repo.stackable.tech/repository/packages/statsd_exporter/statsd_exporter-${PRODUCT}.src.tar.gz" | tar -xzC .
 
 (
 cd "statsd_exporter-${PRODUCT}" || exit

From fc9d2d183ac3d5effb1bf2338735f14f985cf2ce Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Wed, 16 Oct 2024 11:13:56 +0200
Subject: [PATCH 15/19] fix: fixed variable substitution

---
 airflow/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/airflow/Dockerfile b/airflow/Dockerfile
index 3f583bea7..ab2fbbc15 100644
--- a/airflow/Dockerfile
+++ b/airflow/Dockerfile
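Review bot: The two `curl` calls now depend on options that presumably live in a curlrc nowhere near this code, so a reader of either changed line cannot tell whether a 404 or a redirect aborts the build; a short comment above each call would keep that contract visible, e.g. `# curl options such as --fail and -L come from the image's curlrc (<PATH_TO_CURLRC>)`, with the path filled in from the repo. In the statsd_exporter hunk the call sits inside a `RUN <<EOF` heredoc, where lines are not `&&`-chained, so a failing `curl` only stops the build if `set -e` and pipefail are enabled at the top of that heredoc, which is outside this hunk. The heredoc itself starts and ends outside the hunk.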
@@ -61,7 +61,7 @@ cyclonedx-py environment --schema-version 1.5 --outfile /tmp/sbom.json
 
 # Break circular dependencies by removing the apache-airflow dependency from the providers
 jq '.dependencies |= map(if .ref | test("^apache-airflow-providers-") then
- .dependsOn |= map(select(. != "apache-airflow==${PRODUCT}"))
+ .dependsOn |= map(select(. != "apache-airflow=='${PRODUCT}'"))
 else
 .
 end)' /tmp/sbom.json > /stackable/app/airflow-${PRODUCT}.cdx.json

From 07cb2f6b5ef8d28ad983db65b67c7205c1e6fe32 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Wed, 16 Oct 2024 11:14:31 +0200
Subject: [PATCH 16/19] feat: pinned versions of python packages

---
 airflow/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/airflow/Dockerfile b/airflow/Dockerfile
index ab2fbbc15..a300ee998 100644
--- a/airflow/Dockerfile
+++ b/airflow/Dockerfile
@@ -53,7 +53,7 @@ source /stackable/app/bin/activate
 pip install --no-cache-dir --upgrade pip
 pip install --no-cache-dir apache-airflow[${AIRFLOW_EXTRAS}]==${PRODUCT} --constraint /tmp/constraints.txt
 # Needed for pandas S3 integration to e.g. write and read csv and parquet files to/from S3
-pip install --no-cache-dir s3fs cyclonedx-bom
+pip install --no-cache-dir s3fs==2024.9.0 cyclonedx-bom==5.0.0
 
 # Create the SBOM for Airflow
 # Important: All `pip install` commands must be above this line, otherwise the SBOM will be incomplete

From c459c49c78f899043a3d6c059f34f48a10e15808 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Wed, 16 Oct 2024 12:12:19 +0200
Subject: [PATCH 17/19] fix: fixes to adapt upstream changes

---
 airflow/Dockerfile | 2 --
 kafka/Dockerfile | 13 ++++++-------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/airflow/Dockerfile b/airflow/Dockerfile
index a300ee998..08eaaafdc 100644
--- a/airflow/Dockerfile
+++ b/airflow/Dockerfile
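Review bot: The corrected line still splices `${PRODUCT}` into the jq program by closing and reopening the single quotes, so the filter is only well-formed while the build arg contains no quote or other jq-significant character, and the quoting is easy to break on the next edit. Passing the value as a jq variable keeps the program one literal string: change the opening line to `jq --arg product "${PRODUCT}" '.dependencies |= map(if .ref | test("^apache-airflow-providers-") then` and the changed line to `.dependsOn |= map(select(. != "apache-airflow==" + $product))`. The `RUN <<EOF` heredoc containing this call starts and ends outside the hunk.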
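Review bot: The pins on the changed line are undercut by `pip install --no-cache-dir --upgrade pip` two lines above it, which still installs whatever pip is current on build day, so the resolver that applies the constraints, and presumably the pip entry in the environment SBOM generated below, differ from one rebuild to the next. Pin it the same way, `pip install --no-cache-dir --upgrade pip==<PINNED_PIP_VERSION>`, and if the SBOM is meant to attest exact artifacts rather than version strings, pip's hash-checking mode (`--require-hashes` with a requirements file) would go further. The heredoc this line belongs to starts and ends outside the hunk.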
@@ -65,8 +65,6 @@ jq '.dependencies |= map(if .ref | test("^apache-airflow-providers-") then else . end)' /tmp/sbom.json > /stackable/app/airflow-${PRODUCT}.cdx.json - -rm /tmp/sbom.json EOF WORKDIR /stackable diff --git a/kafka/Dockerfile b/kafka/Dockerfile index 916265e6d..4fac60a91 100644 --- a/kafka/Dockerfile +++ b/kafka/Dockerfile @@ -11,7 +11,6 @@ ARG OPA_AUTHORIZER ARG JMX_EXPORTER ARG STACKABLE_USER_UID -USER ${STACKABLE_USER_UID} RUN < Date: Wed, 16 Oct 2024 12:19:47 +0200 Subject: [PATCH 18/19] fix: use GOPATH for invoking cyclonedx-gomod --- statsd_exporter/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/statsd_exporter/Dockerfile b/statsd_exporter/Dockerfile index 7d18ed9f7..89195f078 100644 --- a/statsd_exporter/Dockerfile +++ b/statsd_exporter/Dockerfile @@ -37,7 +37,7 @@ curl "https://repo.stackable.tech/repository/packages/statsd_exporter/statsd_exp git commit -m "dummy" git tag "${PRODUCT}" go build -o ../statsd_exporter - /go_cache/bin/cyclonedx-gomod app -json -output-version 1.5 -output ../statsd_exporter-${PRODUCT}.cdx.json -packages -files + $GOPATH/bin/cyclonedx-gomod app -json -output-version 1.5 -output ../statsd_exporter-${PRODUCT}.cdx.json -packages -files ) rm -rf "statsd_exporter-${PRODUCT}" EOF From 5662fefa7543088e8079a3af26e0be0aad0ef960 Mon Sep 17 00:00:00 2001 From: dervoeti Date: Thu, 17 Oct 2024 10:15:07 +0200 Subject: [PATCH 19/19] feat: add comment on how to obtain skipped projects in Kafka build --- kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch | 6 ++++-- kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch b/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch index 8c27b4a1c..152a993f5 100644 --- a/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch +++ b/kafka/stackable/patches/3.7.1/001-cyclonedx-plugin.patch @@ -1,8 +1,8 @@ 
 diff --git a/build.gradle b/build.gradle
-index 32e6e8f..33e12a8 100644
+index 32e6e8f..13a0def 100644
 --- a/build.gradle
 +++ b/build.gradle
-@@ -48,6 +48,45 @@ plugins {
+@@ -48,6 +48,47 @@ plugins {
 // artifacts - see https://github.com/johnrengelman/shadow/issues/901
 id 'com.github.johnrengelman.shadow' version '8.1.0' apply false
 id 'com.diffplug.spotless' version '6.14.0' apply false // 6.14.1 and newer require Java 11 at compile time, so we can't upgrade until AK 4.0
@@ -21,6 +21,8 @@ index 32e6e8f..33e12a8 100644
 + // The file format generated, can be xml, json or all for generating both. Defaults to 'all'
 + outputFormat = "json"
 + includeConfigs = ["runtimeClasspath"]
++ // Exclude test components. This list needs to be checked and, if it changed, updated for every new Kafka version.
++ // The list can be obtained by running `gradle projects | grep upgrade-system-tests`
 + skipProjects = [
 + 'upgrade-system-tests-0100',
 + 'upgrade-system-tests-0101',
diff --git a/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch b/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch
index af0f00d8c..f4587320f 100644
--- a/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch
+++ b/kafka/stackable/patches/3.8.0/001-cyclonedx-plugin.patch
@@ -1,8 +1,8 @@
 diff --git a/build.gradle b/build.gradle
-index 92082fe..bd7f6e2 100644
+index 92082fe..e3d6c72 100644
 --- a/build.gradle
 +++ b/build.gradle
-@@ -48,6 +48,46 @@ plugins {
+@@ -48,6 +48,48 @@ plugins {
 // artifacts - see https://github.com/johnrengelman/shadow/issues/901
 id 'com.github.johnrengelman.shadow' version '8.1.0' apply false
 id 'com.diffplug.spotless' version '6.14.0' apply false // 6.14.1 and newer require Java 11 at compile time, so we can't upgrade until AK 4.0
@@ -21,6 +21,8 @@ index 92082fe..bd7f6e2 100644
 + // The file format generated, can be xml, json or all for generating both. Defaults to 'all'
 + outputFormat = "json"
 + includeConfigs = ["runtimeClasspath"]
++ // Exclude test components. This list needs to be checked and, if it changed, updated for every new Kafka version.
++ // The list can be obtained by running `gradle projects | grep upgrade-system-tests`
 + skipProjects = [
 + 'upgrade-system-tests-0100',
 + 'upgrade-system-tests-0101',