Conversation

@donoghuc
Member

@donoghuc donoghuc commented Jan 7, 2026

Release notes

[rn:skip]

What does this PR do?

Logstash artifacts are all based on a logstash tarball. This tarball contains all of the gems/jars that are installed as logstash dependencies. Gradle struggles to find all these gems/jars (shadowed jars and default jruby gems for example). This adds a "shim" layer which produces an SBOM that can be directly handed to snyk. In addition to an SBOM there are some CSV files that show where every artifact was found on disk and does some duplicate analysis.

This PR implements automated vulnerability scanning of published Logstash tarballs. It extracts JARs and gems from artifacts, generates an SBOM, and reports to Snyk via snyk monitor.

Daily Buildkite pipeline scans all releases and snapshots from logstash-versions.yml. Local extraction available via ./gradlew extractArtifactVersions which follows the pattern of having all CI tasks go through a gradle task.

Why is it important/What is the impact to the user?

N/A

How to test this PR locally

# 1. Make sure you have a Logstash tarball extracted (if not already)
# Download and extract if needed:
curl -O https://artifacts.elastic.co/downloads/logstash/logstash-8.19.9-linux-aarch64.tar.gz
tar -xzf logstash-8.19.9-linux-aarch64.tar.gz

# 2. Run the Gradle task (it will use bundled JRuby)
./gradlew extractArtifactVersions -PartifactDir=./logstash-8.19.9 -PoutputFile=output.csv

# 3. Verify the output files were created
ls -la output.csv output_duplicates.csv output_sbom.json

# 4. Check the SBOM content
less output_sbom.json

# 5. Pass the SBOM to Snyk
snyk sbom test --experimental --file=output_sbom.json

# 6. Test the clean task
./gradlew clean
ls -la output*.csv output*.json  # Should error - files cleaned

@github-actions
Contributor

github-actions bot commented Jan 7, 2026

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /run exhaustive tests : Run the exhaustive tests Buildkite pipeline.

@mergify
Contributor

mergify bot commented Jan 8, 2026

This pull request does not have a backport label. Could you fix it @donoghuc? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit.
  • If no backport is necessary, please add the backport-skip label

end

# Add evidence of location
component[:properties] = [
Member Author

Note: these are not required for snyk, but I figured we could leave it in the json for analysis if ever there is a question where a version was extracted from.

VERSIONS_URL = "https://raw.githubusercontent.com/logstash-plugins/.ci/1.x/logstash-versions.yml"


def fetch_logstash_versions() -> dict:
Member Author

Build the matrix based on https://github.com/logstash-plugins/.ci/blob/1.x/logstash-versions.yml This will ensure we are in sync with the unified release jobs around release time etc.


echo "--- Running Snyk monitor for Logstash {version}"
# NOTE: we may need to check if our enterprise account allows SBOM yet... There may be some other options if not
./snyk monitor --experimental --file=output_sbom.json --org=logstash --target-reference={version} --project-name="logstash-artifact-{version}"
Member Author

It may be an enterprise feature to use sbom as input. Need to double check that is feasible. There may be alternative ways.

The main purpose of using sbom instead of pom.xml or Gemfile.lock is that there are duplicate versions. These are difficult to express in those formats.
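An added example, not the PR's shim code, of the extract-and-flag logic described in the PR body and in this comment: it walks a constructed sample tree, records the relative path each jar or gem spec was found at as a CycloneDX component property, and groups names that occur under more than one version. The `logstash:path` property name, the file-name parsing rule and the sample layout are assumptions.

```ruby
require 'json'
require 'tmpdir'
require 'fileutils'
# name-version.jar or name-version.gemspec; the version starts with a digit (assumed rule).
ARTIFACT_RE = /\A(?<name>.+?)-(?<version>\d[\w.]*)\.(?<ext>jar|gemspec)\z/

# Walk an extracted tarball; every jar and installed gem spec becomes a component.
def collect_components(root)
  Dir.glob(File.join(root, '**', '*')).sort.filter_map do |path|
    m = ARTIFACT_RE.match(File.basename(path))
    next unless m && File.file?(path)
    # Installed gems (default JRuby gems included) have a spec under specifications/.
    next if m[:ext] == 'gemspec' && !path.include?('/specifications/')
    rel = path.sub(%r{\A#{Regexp.escape(root)}/?}, '')
    { 'type' => 'library', 'name' => m[:name], 'version' => m[:version],
      # A gem purl is just name@version; a jar's Maven group id is not in the
      # file name, so no purl is emitted for jars here.
      'purl' => (m[:ext] == 'gemspec' ? "pkg:gem/#{m[:name]}@#{m[:version]}" : nil),
      'properties' => [{ 'name' => 'logstash:path', 'value' => rel }] }.compact
  end
end

# Names present under more than one version, with each version's location:
# this is what a single Gemfile.lock or pom.xml cannot express.
def find_duplicates(components)
  components.group_by { |c| c['name'] }
            .select { |_, cs| cs.map { |c| c['version'] }.uniq.size > 1 }
            .transform_values { |cs| cs.map { |c| [c['version'], c['properties'][0]['value']] } }
end

def build_sbom(components)
  { 'bomFormat' => 'CycloneDX', 'specVersion' => '1.5', 'version' => 1,
    'components' => components }
end

# Constructed sample layout, not a real Logstash tree.
SAMPLE_FILES = %w[
  logstash-core/lib/jars/log4j-core-2.17.1.jar
  vendor/bundle/jruby/3.1.0/gems/some-plugin-1.0.0/vendor/jar/log4j-core-2.20.0.jar
  vendor/bundle/jruby/3.1.0/specifications/concurrent-ruby-1.1.9.gemspec
  vendor/bundle/jruby/3.1.0/specifications/json-2.7.1.gemspec
  vendor/bundle/jruby/3.1.0/gems/json-2.7.1/json.gemspec
  vendor/jruby/lib/ruby/gems/shared/specifications/default/json-2.6.3.gemspec
].freeze

def write_sample_tree(root)
  SAMPLE_FILES.each { |f| FileUtils.mkdir_p(File.dirname(File.join(root, f))); FileUtils.touch(File.join(root, f)) }
  root
end

Dir.mktmpdir { |d| puts JSON.pretty_generate(build_sbom(collect_components(write_sample_tree(d)))) } if $PROGRAM_NAME == __FILE__
```

The `json` gem shows the shadowing case the comment is about: the default JRuby gem and the bundled one are both reported, each with its own path.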

"key": step_key,
"command": command,
"artifact_paths": [
".buildkite/scripts/snyk/artifact-scan/output*.csv",
Member Author

The idea of these CSV files is that CI will be generating more human readable versions. If you want to look in to version paths, duplicates, etc you can download a csv from buildkite and search through it in a spreadsheet tool of your choice.

puts "Installing dependencies..."
Dir.chdir(script_dir) do
require 'bundler'
Bundler.with_unbundled_env do
Member Author

I'm still exploring patterns for the use case where we have a top level gradle task which calls a rake task that has dependencies managed with bundler OUTSIDE that of which we manage with logstash artifacts. I have a similar use case in #18536 where i'm shelling out in gradle.

@elasticmachine

💛 Build succeeded, but was flaky

Failed CI Steps
