Change pip installation to use requirements.txt with hashes

Manifest files like requirements.txt are required for all python
dependencies to ensure accurate vulnerability scanning among other
things. The main steps for developing the requirments.txt is to download pip-tools, make a file called requirements.in, type the package you are trying to install in there, run pip-compile on that file and then a requirement.txt file is auto created with dependencies.

BUG=b/242563296
TEST=https://console.cloud.google.com/cloud-build/builds/9184e261-b74d-4fe9-809b-4ebbe1cf7eff?project=228075978874
RELEASE_NOTES=None

Change-Id: Iee0e28fa07198eea1286c46c11ed49a7583419c6
Reviewed-on: https://cos-review.googlesource.com/c/cos/tools/+/36829
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Tested-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Cloud-Build: GCB Service account <228075978874@cloudbuild.gserviceaccount.com>
diff --git a/src/cmd/cos_ova_converter/Dockerfile b/src/cmd/cos_ova_converter/Dockerfile
index ba1445b..ee8c648 100644
--- a/src/cmd/cos_ova_converter/Dockerfile
+++ b/src/cmd/cos_ova_converter/Dockerfile
@@ -20,7 +20,8 @@
     xmlstarlet \
     git
 
-RUN pip3 install cot
+COPY /src/cmd/cos_ova_converter/requirements.txt /work/src/cmd/cos_ova_converter/requirements.txt
+RUN pip3 install --require-hashes -r /work/src/cmd/cos_ova_converter/requirements.txt
 
 RUN git clone https://cos.googlesource.com/third_party/platform/crosutils.git
 RUN cd crosutils && git checkout 74d0afda96dc8c58863f76b2e144c373f92451f6
@@ -29,4 +30,4 @@
 COPY --from=daisyworkflow  /daisy /daisy
 COPY --from=daisyworkflow /workflows /workflows
 
-ENTRYPOINT ["/cos_ova_converter"]
\ No newline at end of file
+ENTRYPOINT ["/cos_ova_converter"]
diff --git a/src/cmd/cos_ova_converter/requirements.txt b/src/cmd/cos_ova_converter/requirements.txt
new file mode 100644
index 0000000..3e29101
--- /dev/null
+++ b/src/cmd/cos_ova_converter/requirements.txt
@@ -0,0 +1,45 @@
+argparse==1.4.0 \
+    --hash=sha256:62b089a55be1d8949cd2bc7e0df0bddb9e028faefc8c32038cc84862aefdd6e4 \
+    --hash=sha256:c31647edb69fd3d465a847ea3157d37bed1f95f19760b11a47aa91c04b666314
+    # via cot
+certifi==2022.6.15.1 \
+    --hash=sha256:43dadad18a7f168740e66944e4fa82c6611848ff9056ad910f8f7a3e46ab89e0 \
+    --hash=sha256:cffdcd380919da6137f76633531a5817e3a9f268575c128249fb637e4f9e73fb
+    # via requests
+charset-normalizer==2.1.1 \
+    --hash=sha256:5a3d016c7c547f69d6f81fb0db9449ce888b418b5b9952cc5e6e66843e9dd845 \
+    --hash=sha256:83e9a75d1911279afd89352c68b45348559d1fc0506b054b346651b5e7fee29f
+    # via requests
+colorlog==6.7.0 \
+    --hash=sha256:0d33ca236784a1ba3ff9c532d4964126d8a2c44f1f0cb1d2b0728196f512f662 \
+    --hash=sha256:bd94bd21c1e13fac7bd3153f4bc3a7dc0eb0974b8bc2fdf1a989e474f6e582e5
+    # via cot
+cot==2.2.1 \
+    --hash=sha256:9529760f0e3b928ec105ff41886c97b59736aa49fc113f3a6f8ced8b51674d18 \
+    --hash=sha256:f4b3553415f90daac656f89d3e82e79b3d751793239bb173a683b4cc0ceb2635
+    # via -r requirements.in
+idna==3.3 \
+    --hash=sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff \
+    --hash=sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d
+    # via requests
+pyvmomi==7.0.3 \
+    --hash=sha256:2ab52d940061d25307e4e4867ffea6e8ed597e7263025b0abaacc5b1d652da31
+    # via cot
+requests==2.28.1 \
+    --hash=sha256:7c5599b102feddaa661c826c56ab4fee28bfd17f5abca1ebbe3e7f19d7c97983 \
+    --hash=sha256:8fefa2a1a1365bf5520aac41836fbee479da67864514bdb821f31ce07ce65349
+    # via
+    #   cot
+    #   pyvmomi
+six==1.16.0 \
+    --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
+    --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
+    # via pyvmomi
+urllib3==1.26.12 \
+    --hash=sha256:3fa96cf423e6987997fc326ae8df396db2a8b7c667747d47ddd8ecba91f4a74e \
+    --hash=sha256:b930dd878d5a8afb066a637fbb35144fe7901e3b209d1cd4f524bd0e9deee997
+    # via requests
+verboselogs==1.7 \
+    --hash=sha256:d63f23bf568295b95d3530c6864a0b580cec70e7ff974177dead1e4ffbc6ff49 \
+    --hash=sha256:e33ddedcdfdafcb3a174701150430b11b46ceb64c2a9a26198c76a156568e427
+    # via cot