chore(nifi): Add 1.28.1 and 2.2.0, remove 2.0.0 (#1006)

* chore(nifi): Add and patch 1.28.1

* chore(nifi): Replace 2.0.0 with 2.2.0

* chore: Update changelog

Author: NickLarsenNZ

CHANGELOG.md

@@ -27,7 +27,8 @@ All notable changes to this project will be documented in this file.
 - trino-cli: Add version 470 ([#999]).
 - trino-storage-connector: Add version 470 ([#999]).
 - superset: Add version `4.1.1` ([#991]).
-- Added Patchable patch management tool ([#1003]).
+- Add Patchable patch management tool ([#1003]).
+- nifi: Add 1.28.1, 2.2.0 ([#1006]).
 
 ### Changed
 
@@ -44,6 +45,7 @@ All notable changes to this project will be documented in this file.
 - trino: Remove 469 ([#999]).
 - trino-cli: Remove version 469 ([#999]).
 - trino-storage-connector: Remove version 469 ([#999]).
+- nifi: Remove 2.0.0 ([#1006]).
 
 ### Fixed
 
@@ -74,6 +76,7 @@ All notable changes to this project will be documented in this file.
 [#999]: https://github.com/stackabletech/docker-images/pull/999
 [#1000]: https://github.com/stackabletech/docker-images/pull/1000
 [#1003]: https://github.com/stackabletech/docker-images/pull/1003
+[#1006]: https://github.com/stackabletech/docker-images/pull/1006
 
 ## [24.11.1] - 2025-01-14
 

nifi/stackable/patches/1.28.1/0001-no-zip-assembly.patch

@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <[email protected]>
+Date: Mon, 17 Feb 2025 15:13:39 +0100
+Subject: no zip assembly
+
+---
+ nifi-assembly/pom.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
+index 27928cf67e..d00154626a 100644
+--- a/nifi-assembly/pom.xml
++++ b/nifi-assembly/pom.xml
+@@ -66,7 +66,6 @@ language governing permissions and limitations under the License. -->
+                             <tarLongFileMode>posix</tarLongFileMode>
+                             <formats>
+                                 <format>dir</format>
+-                                <format>zip</format>
+                             </formats>
+                         </configuration>
+                     </execution>
+
+base-commit: 883338fe28883733417d10f6ffa9319e75f5ea06
+-- 
+2.40.1
+

nifi/stackable/patches/1.28.1/0002-allow-bypassing-check-for-host-header.patch

@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <[email protected]>
+Date: Mon, 17 Feb 2025 15:19:01 +0100
+Subject: allow bypassing check for host header
+
+NiFi has the configuration option 'nifi.web.proxy.host' which controls allowed
+values for the host header field in any incoming request for the web ui.
+
+This frequently causes issues when trying to expose the NiFi UI via for example
+an ingress, loadbalancer or any similar type of mechanism.
+
+NiFi does not allow to disable this behavior, so at the moment the nifi operator
+simply hardcodes all even remotely possible values into this field.
+But in order to allow putting for example in ingress in front of NiFi this means
+using config overrides to change the value of this option, copy all the values
+the operator put in there and add the extra value you need.
+
+This is less than ideal, the proper solution would probably be
+https://github.com/stackabletech/nifi-operator/issues/604
+
+But until that is merged this is a simple workaround that allows overriding the list of allowed
+hostnames by just setting it to "*" and this will effectively bypass the hostname check entirely if set.
+
+This allows us to keep the default behavior in place for those users where it works and not remove
+security features, but also enables users to disable this check if they know what they are doing.
+---
+ .../org/apache/nifi/web/server/HostHeaderHandler.java     | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
+index dd4bbf54c0..ea1b5b2da1 100644
+--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
++++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
+@@ -47,6 +47,7 @@ public class HostHeaderHandler extends ScopedHandler {
+     private final String serverName;
+     private final int serverPort;
+     private final List<String> validHosts;
++    private boolean allowAllHosts = false;
+ 
+     /**
+      * Instantiates a handler with a given server name and port 0.
+@@ -107,6 +108,11 @@ public class HostHeaderHandler extends ScopedHandler {
+         // The value(s) from nifi.web.proxy.host
+         hosts.addAll(parseCustomHostnames(niFiProperties));
+ 
++        // Check if the setting for allowed hosts has only the wildcard entry and
++        // if so store this in allowAllHost for later use
++        List<String> configuredHostNames = niFiProperties.getAllowedHostsAsList();
++        this.allowAllHosts = configuredHostNames.size() == 1 && configuredHostNames.contains("*");
++
+         // empty is ok here
+         hosts.add("");
+ 
+@@ -205,7 +211,7 @@ public class HostHeaderHandler extends ScopedHandler {
+     }
+ 
+     boolean hostHeaderIsValid(String hostHeader) {
+-        return validHosts.contains(hostHeader.toLowerCase().trim());
++        return this.allowAllHosts || validHosts.contains(hostHeader.toLowerCase().trim());
+     }
+ 
+     @Override
+-- 
+2.40.1
+

nifi/stackable/patches/1.28.1/0003-add-cyclonedx-plugin.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <[email protected]>
+Date: Mon, 17 Feb 2025 15:25:52 +0100
+Subject: add cyclonedx plugin
+
+---
+ pom.xml | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/pom.xml b/pom.xml
+index 672c023277..641d772286 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1091,6 +1091,24 @@
+                     </excludes>
+                 </configuration>
+             </plugin>
++            <plugin>
++                <groupId>org.cyclonedx</groupId>
++                <artifactId>cyclonedx-maven-plugin</artifactId>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                    <skipNotDeployed>false</skipNotDeployed>
++                </configuration>
++                <executions>
++                  <execution>
++                    <phase>package</phase>
++                    <goals>
++                      <goal>makeBom</goal>
++                    </goals>
++                  </execution>
++                </executions>
++            </plugin>
+         </plugins>
+     </build>
+     <profiles>
+-- 
+2.40.1
+

nifi/stackable/patches/2.0.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch nifi/stackable/patches/1.28.1/0004-CVE-2024-36114-bump-aircompressor-to-0.27.patch

@@ -1,4 +1,8 @@
-Fix CVE-2024-36114
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <[email protected]>
+Date: Mon, 17 Feb 2025 15:27:01 +0100
+Subject: CVE-2024-36114 bump aircompressor to 0.27
+
 see https://github.com/stackabletech/vulnerabilities/issues/834
 
 Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
@@ -17,12 +21,15 @@ have been fixed. When decompressing data from untrusted users, this can
 be exploited for a denial-of-service attack by crashing the JVM, or to
 leak other sensitive information from the Java process. There are no
 known workarounds for this issue.
+---
+ nifi-assembly/pom.xml | 6 ++++++
+ 1 file changed, 6 insertions(+)
 
 diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
-index e980e507c6..01eb16795d 100644
+index d00154626a..da38056c7a 100644
 --- a/nifi-assembly/pom.xml
 +++ b/nifi-assembly/pom.xml
-@@ -98,6 +98,12 @@ language governing permissions and limitations under the License. -->
+@@ -97,6 +97,12 @@ language governing permissions and limitations under the License. -->
          </plugins>
      </build>
      <dependencies>
@@ -32,6 +39,9 @@ index e980e507c6..01eb16795d 100644
 +            <artifactId>aircompressor</artifactId>
 +            <version>0.27</version>
 +        </dependency>
-         <dependency>
-             <groupId>ch.qos.logback</groupId>
-             <artifactId>logback-classic</artifactId>
+         <dependency> <!-- handling this explicitly  Must be in root lib -->
+             <groupId>javax.servlet</groupId>
+             <artifactId>javax.servlet-api</artifactId>
+-- 
+2.40.1
+

nifi/stackable/patches/1.28.1/patchable.toml

@@ -0,0 +1,2 @@
+upstream = "https://github.com/apache/nifi"
+base = "883338fe28883733417d10f6ffa9319e75f5ea06"

nifi/stackable/patches/2.0.0/003-patch-cyclonedx-plugin.patch

@@ -1,5 +1,14 @@
+From afe4e4583747c2972d2590e9c1bd7de8b48aa300 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <[email protected]>
+Date: Mon, 17 Feb 2025 17:26:20 +0100
+Subject: no zip assembly
+
+---
+ nifi-assembly/pom.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
 diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
-index e980e507c6..cb19c89367 100644
+index c04e1c8650..adcecd6206 100644
 --- a/nifi-assembly/pom.xml
 +++ b/nifi-assembly/pom.xml
 @@ -66,7 +66,6 @@ language governing permissions and limitations under the License. -->

nifi/stackable/patches/2.0.0/001-NIFI-no-zip-assembly-2.0.0.patch nifi/stackable/patches/2.2.0/0001-no-zip-assembly.patch

@@ -1,4 +1,8 @@
-Subject: [PATCH] Allow bypassing check for host header.
+From f6888b73bf6c8b2889f8f7241cdce6714cd6a776 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <[email protected]>
+Date: Mon, 17 Feb 2025 17:28:46 +0100
+Subject: allow bypassing check for host header
+
 NiFi has the configuration option 'nifi.web.proxy.host' which controls allowed
 values for the host header field in any incoming request for the web ui.
 
@@ -20,11 +24,9 @@ hostnames by just setting it to "*" and this will effectively bypass the hostnam
 This allows us to keep the default behavior in place for those users where it works and not remove
 security features, but also enables users to disable this check if they know what they are doing.
 ---
-Index: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
-IDEA additional info:
-Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
-<+>UTF-8
-===================================================================
+ .../org/apache/nifi/web/server/HostHeaderHandler.java     | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
 diff --git a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
 index 97337d63e2..12ce1d8646 100644
 --- a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java

nifi/stackable/patches/2.0.0/002-NIFI-no-host-header-check-2.0.0.patch nifi/stackable/patches/2.2.0/0002-allow-bypassing-check-for-host-header.patch

@@ -0,0 +1,38 @@
+From fbf66d408aefd995a2ac4a2b213b25a12cb9e96c Mon Sep 17 00:00:00 2001
+From: Nick Larsen <[email protected]>
+Date: Mon, 17 Feb 2025 17:31:17 +0100
+Subject: add cyclonedx plugin
+
+---
+ pom.xml | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/pom.xml b/pom.xml
+index 7885e6c208..07e03e66cd 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1007,6 +1007,24 @@
+                     </rulesets>
+                 </configuration>
+             </plugin>
++            <plugin>
++                <groupId>org.cyclonedx</groupId>
++                <artifactId>cyclonedx-maven-plugin</artifactId>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                    <skipNotDeployed>false</skipNotDeployed>
++                </configuration>
++                <executions>
++                  <execution>
++                    <phase>package</phase>
++                    <goals>
++                      <goal>makeBom</goal>
++                    </goals>
++                  </execution>
++                </executions>
++            </plugin>
+         </plugins>
+     </build>
+     <profiles>

nifi/stackable/patches/2.2.0/0003-add-cyclonedx-plugin.patch

@@ -0,0 +1,2 @@
+upstream = "https://github.com/apache/nifi"
+base = "b33ffac8aa10992482f7fa54e6cfccc46a5e8e27"

nifi/stackable/patches/2.2.0/patchable.toml

@@ -5,7 +5,12 @@
         "java-devel": "11",  # There is an error when trying to use the jdk 21 (since nifi 1.26.0)
     },
     {
-        "product": "2.0.0",
+        "product": "1.28.1",
+        "java-base": "11",
+        "java-devel": "11",
+    },
+    {
+        "product": "2.2.0",
         "java-base": "21",
         "java-devel": "21",
     },