10 changes: 10 additions & 0 deletions Containerfile
@@ -0,0 +1,10 @@
FROM ibmjava:11-jdk

security-medium

The Containerfile uses ibmjava:11-jdk as a base image. This image is deprecated by IBM and no longer receives security updates. Using an unmaintained base image exposes the container to known and future vulnerabilities in the operating system and the Java runtime. It is recommended to use a supported base image, such as ibm-semeru-runtimes:open-11-jdk.

security-medium

The container does not specify a non-root user and will run as root by default. Running containers with root privileges increases the risk of container escape and limits the effectiveness of defense-in-depth strategies. If the application within the container is compromised, the attacker will have full administrative access within the container. It is recommended to create a non-privileged user and use the USER instruction to switch to it before the ENTRYPOINT.


WORKDIR /tmp

# use jar to unzip file in order to avoid having to install more dependencies
RUN jar -xvf hermeto-output/deps/generic/dependency-check.zip

RUN chmod +x dependency-check/bin/dependency-check.sh

ENTRYPOINT ["/tmp/dependency-check/bin/dependency-check.sh", "--version"]
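Review bot: the `--version` baked into `ENTRYPOINT` on the last line of the hunk means `podman run` of this image can only ever print the tool's version; anything a user appends on the command line is passed after `--version` instead of replacing it. Keep the script as the `ENTRYPOINT` and move the default argument to `CMD ["--version"]` so real scan arguments can override it. Separately, `WORKDIR /tmp` makes the conventionally world-writable `/tmp` both the extraction target and the run-time working directory; unpacking into a dedicated path such as `/opt/dependency-check` and pointing `ENTRYPOINT` at it keeps the tool out of a shared scratch directory.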
Comment on lines +6 to +10


high

I have a couple of suggestions to improve this Containerfile:

  1. Combine RUN layers: To reduce the number of layers in the container image and improve build performance, it's a good practice to chain related RUN commands together.
  2. Run as non-root user: For security reasons, it's a best practice to run containers as a non-root user. You should create a dedicated user and switch to it before setting the ENTRYPOINT.

Here is a suggestion that applies both improvements:

```Dockerfile
RUN jar -xvf hermeto-output/deps/generic/dependency-check.zip && \
    chmod +x dependency-check/bin/dependency-check.sh

# Create a non-root user and switch to it for security reasons
RUN groupadd -r app && useradd --no-log-init -r -g app app
USER app

ENTRYPOINT ["/tmp/dependency-check/bin/dependency-check.sh", "--version"]
```

30 changes: 27 additions & 3 deletions README.md
@@ -1,4 +1,28 @@
# Repo of examples for Hermeto docs
# Generic fetcher example

Individual examples each live in their own branch (e.g. the basic `pip` example is in
the 'pip-basic' branch)
This example demonstrates using Hermeto's generic fetcher to build a container image with OWASP Dependency-Check tool.

## Pre-fetch dependencies

The `artifacts.lock.yaml` file specifies which files to download. Run Hermeto to fetch the dependencies:

```shell
hermeto fetch-deps --source . --output ./hermeto-output generic
```

## Build the container image

Build the container image while mounting the Hermeto output directory:

```shell
podman build . \
--volume "$(realpath ./hermeto-output)":/tmp/hermeto-output \


medium

The realpath command may not be available on all systems by default (e.g., macOS). Using $(pwd) is a more portable way to get the absolute path of the current directory.

Suggested change:
  - --volume "$(realpath ./hermeto-output)":/tmp/hermeto-output \
  + --volume "$(pwd)/hermeto-output":/tmp/hermeto-output \

--network none \
--tag dependency-check-example
```

## Run the container

```shell
podman run dependency-check-example
```
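Review bot: the mount target `/tmp/hermeto-output` in the build command is load-bearing and the README does not say so: the Containerfile's `jar -xvf hermeto-output/deps/generic/dependency-check.zip` resolves relative to `WORKDIR /tmp`, so the volume path and the Containerfile must change together. A sentence explaining that `--network none` is what proves the build needs nothing beyond the pre-fetched artifacts would make the point of the example clearer. The "Run the container" section should also state what `podman run dependency-check-example` actually does, which, given the `--version` in the image's `ENTRYPOINT`, is print the Dependency-Check version rather than run a scan.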
7 changes: 7 additions & 0 deletions artifacts.lock.yaml
@@ -0,0 +1,7 @@
---
metadata:
version: "1.0"
artifacts:
- download_url: "https://github.com/jeremylong/DependencyCheck/releases/download/v11.1.0/dependency-check-11.1.0-release.zip"
checksum: "sha256:c5b5b9e592682b700e17c28f489fe50644ef54370edeb2c53d18b70824de1e22"
filename: "dependency-check.zip"
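Review bot: pinning the release zip with a sha256 `checksum` is the right call, since with the build running under `--network none` this lock file is the only integrity control on what ends up in the image. Add a YAML comment recording how the digest was obtained (the upstream release's published checksum, or `sha256sum` over a download verified out of band) so that a future bump of the v11.1.0 `download_url` can be audited the same way rather than copied blindly.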