generic: add Dependency-Check example from cachi2-generic #2
base: generic-basic
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| FROM ibmjava:11-jdk | ||
|
The container does not specify a non-root user and will run as
||
|
|
||
| WORKDIR /tmp | ||
|
|
||
| # use jar to unzip file in order to avoid having to install more dependencies | ||
| RUN jar -xvf hermeto-output/deps/generic/dependency-check.zip | ||
|
|
||
| RUN chmod +x dependency-check/bin/dependency-check.sh | ||
|
|
||
| ENTRYPOINT ["/tmp/dependency-check/bin/dependency-check.sh", "--version"] | ||
|
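Review bot: The Containerfile never sets `USER`, so everything in this image, including the entrypoint, runs as root; add a `USER` line for an unprivileged account after `RUN chmod +x dependency-check/bin/dependency-check.sh`, and prefer a dedicated install directory (for example `/opt/dependency-check`) over `WORKDIR /tmp`, since `/tmp` is world-writable and the extracted tool currently lives there. Minor: `jar -xvf` prints every extracted file into the build log; `jar -xf` keeps the log readable with no change in behaviour.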
Comment on lines +6 to +10
I have a couple of suggestions to improve this
Here is a suggestion that applies both improvements:
||
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -1,4 +1,28 @@ | ||||||
| # Repo of examples for Hermeto docs | ||||||
| # Generic fetcher example | ||||||
|
|
||||||
| Individual examples each live in their own branch (e.g. the basic `pip` example is in | ||||||
| the 'pip-basic' branch) | ||||||
| This example demonstrates using Hermeto's generic fetcher to build a container image with OWASP Dependency-Check tool. | ||||||
|
|
||||||
| ## Pre-fetch dependencies | ||||||
|
|
||||||
| The `artifacts.lock.yaml` file specifies which files to download. Run Hermeto to fetch the dependencies: | ||||||
|
|
||||||
| ```shell | ||||||
| hermeto fetch-deps --source . --output ./hermeto-output generic | ||||||
| ``` | ||||||
|
|
||||||
| ## Build the container image | ||||||
|
|
||||||
| Build the container image while mounting the Hermeto output directory: | ||||||
|
|
||||||
| ```shell | ||||||
| podman build . \ | ||||||
| --volume "$(realpath ./hermeto-output)":/tmp/hermeto-output \ | ||||||
|
The
Suggested change
|
||||||
| --network none \ | ||||||
| --tag dependency-check-example | ||||||
| ``` | ||||||
|
|
||||||
| ## Run the container | ||||||
|
|
||||||
| ```shell | ||||||
| podman run dependency-check-example | ||||||
| ``` | ||||||
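Review bot: The "Run the container" section should state what the reader will see: the image's entrypoint is invoked with `--version` (see the Containerfile in this PR), so `podman run dependency-check-example` only prints the Dependency-Check version and performs no scan; one sentence after that command would avoid the impression that the example scans something. Also, on SELinux-enforcing hosts the bind mount in `--volume "$(realpath ./hermeto-output)":/tmp/hermeto-output` may need a `:z` relabel suffix for the build stage to read the zip, which is worth a short note since the build runs with `--network none` and will fail with nothing to fall back on.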
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| --- | ||
| metadata: | ||
| version: "1.0" | ||
| artifacts: | ||
| - download_url: "https://github.com/jeremylong/DependencyCheck/releases/download/v11.1.0/dependency-check-11.1.0-release.zip" | ||
| checksum: "sha256:c5b5b9e592682b700e17c28f489fe50644ef54370edeb2c53d18b70824de1e22" | ||
| filename: "dependency-check.zip" |
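Review bot: The `checksum:` line pins a sha256 for the v11.1.0 release zip, which is what makes the offline `--network none` build reproducible, but nothing records where that digest came from; add a YAML comment above `checksum:` naming what it was compared against (the checksum published with the upstream release, or a locally computed `sha256sum` of the downloaded file) so that a future version bump in `download_url` can be verified the same way.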
The `Containerfile` uses `ibmjava:11-jdk` as a base image. This image is deprecated by IBM and no longer receives security updates. Using an unmaintained base image exposes the container to known and future vulnerabilities in the operating system and the Java runtime. It is recommended to use a supported base image, such as `ibm-semeru-runtimes:open-11-jdk`.