generic: add Dependency-Check example from cachi2-generic

[derasdf]

Migrate the generic fetcher sample from cachito-testing/cachi2-generic (sample-app branch) to doc-examples, adapted for Hermeto output.

[gemini-code-assist]

Summary of Changes

Hello @derasdf, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request integrates a new example into the documentation, illustrating the use of Hermeto's generic fetcher to manage and incorporate external tools. The example focuses on packaging the OWASP Dependency-Check tool into a container image, providing a clear, step-by-step guide for users to understand Hermeto's capabilities in fetching and utilizing third-party dependencies within a containerized environment.

Highlights

• New Generic Fetcher Example: Introduces a new example demonstrating Hermeto's generic fetcher, specifically for integrating the OWASP Dependency-Check tool into a container image.
• Containerization of Dependency-Check: Provides a Containerfile to build a container image that includes the OWASP Dependency-Check tool, fetched via Hermeto, using ibmjava:11-jdk as the base image.
• Comprehensive Documentation and Configuration: Adds a README.md with detailed instructions for using the example, including steps for fetching dependencies, building, and running the container, alongside an artifacts.lock.yaml to define the Dependency-Check artifact's download details.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• Containerfile
  • Added a new Containerfile to define the build process for the Dependency-Check container.
  • Utilizes ibmjava:11-jdk as the base image.
  • Includes steps to unzip the dependency-check.zip artifact using the jar command to avoid installing additional utilities.
  • Sets execute permissions for the Dependency-Check script and defines the entrypoint to run it.
• README.md
  • Replaced the generic repository description with a specific guide for the "Generic fetcher example".
  • Added detailed sections for "Pre-fetch dependencies", "Build the container image", and "Run the container" with corresponding shell commands.
• artifacts.lock.yaml
  • Added a new file to specify the download_url, checksum (SHA256), and filename for the dependency-check-11.1.0-release.zip artifact.

Activity

• The pull request was created by derasdf.
• The primary goal is to migrate an existing generic fetcher sample from cachi2-generic to the doc-examples repository, adapting it for Hermeto's output format.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds an example for using Hermeto's generic fetcher with OWASP Dependency-Check, including a Containerfile, an artifacts.lock.yaml, and an updated README.md. A security audit identified two medium-severity issues in the Containerfile: the use of a deprecated base image and the lack of a non-root user configuration. Additionally, my review provides suggestions to improve the Containerfile for better security and efficiency, such as running the container as a non-root user and optimizing image layers, and to enhance the portability of commands in the README.md.

[gemini-code-assist]

I have a couple of suggestions to improve this Containerfile:

1. Combine RUN layers: To reduce the number of layers in the container image and improve build performance, it's a good practice to chain related RUN commands together.
2. Run as non-root user: For security reasons, it's a best practice to run containers as a non-root user. You should create a dedicated user and switch to it before setting the ENTRYPOINT.

Here is a suggestion that applies both improvements:

RUN jar -xvf hermeto-output/deps/generic/dependency-check.zip && \
    chmod +x dependency-check/bin/dependency-check.sh

# Create a non-root user and switch to it for security reasons
RUN groupadd -r app && useradd --no-log-init -r -g app app
USER app

ENTRYPOINT ["/tmp/dependency-check/bin/dependency-check.sh", "--version"]

[gemini-code-assist]

The Containerfile uses ibmjava:11-jdk as a base image. This image is deprecated by IBM and no longer receives security updates. Using an unmaintained base image exposes the container to known and future vulnerabilities in the operating system and the Java runtime. It is recommended to use a supported base image, such as ibm-semeru-runtimes:open-11-jdk.

[gemini-code-assist]

The container does not specify a non-root user and will run as root by default. Running containers with root privileges increases the risk of container escape and limits the effectiveness of defense-in-depth strategies. If the application within the container is compromised, the attacker will have full administrative access within the container. It is recommended to create a non-privileged user and use the USER instruction to switch to it before the ENTRYPOINT.

[gemini-code-assist]

The realpath command may not be available on all systems by default (e.g., macOS). Using $(pwd) is a more portable way to get the absolute path of the current directory.

Suggested change

	--volume "$(realpath ./hermeto-output)":/tmp/hermeto-output \
	--volume "$(pwd)/hermeto-output":/tmp/hermeto-output \

[a-ovchinnikov]

LGTM. While the robot's comments are somewhat valid I'd have focused on migration first and on everything else after that (since there is no guarantee that it won't break things).

[eskultety]

LGTM. While the robot's comments are somewhat valid I'd have focused on migration first and on everything else after that (since there is no guarantee that it won't break things).

Yep, migration first, fixes later OR subsequent commits.