From 1531c257be29219af79b21c9656ee8a063be74dc Mon Sep 17 00:00:00 2001 From: Rose Judge Date: Sun, 23 May 2021 22:29:07 -0700 Subject: [PATCH] Prepare for Release 2.6.0 - Added release notes and freeze file - Bumped the dependency versions - Updated the README with the new Release number - Updated project roadmap Signed-off-by: Rose Judge --- README.md | 7 +- docs/project-roadmap.md | 8 +- docs/releases/v2_6_0-requirements.txt | 158 ++++++++++++++++++++++++++ docs/releases/v2_6_0.md | 89 +++++++++++++++ requirements.txt | 6 +- 5 files changed, 257 insertions(+), 11 deletions(-) create mode 100644 docs/releases/v2_6_0-requirements.txt create mode 100644 docs/releases/v2_6_0.md diff --git a/README.md b/README.md index 9993dcad..94911382 100644 --- a/README.md +++ b/README.md @@ -311,12 +311,13 @@ $ python tests/.py ``` ## Project Status -Release 2.5.0 is out! See the [release notes](docs/releases/v2_5_0.md) for more information. +Release 2.6.0 is out! See the [release notes](docs/releases/v2_6_0.md) for more information. -We try to keep the [project roadmap](./docs/project-roadmap.md) as up to date as possible. We are currently working on Release 3.0.0. +We try to keep the [project roadmap](./docs/project-roadmap.md) as up to date as possible. We are currently working on Release 2.7.0. ## Previous Releases -Be advised: version 2.4.0 and below contain a high-severity security vulnerability (CVE-2021-28363). Please update to version 2.5.0 +Be advised: version 2.4.0 and below contain a high-severity security vulnerability (CVE-2021-28363). Please update to version 2.5.0 or later. +* [v2.5.0](docs/releases/v2_5_0.md) * [v2.4.0](docs/releases/v2_4_0.md) * [v2.3.0](docs/releases/v2_3_0.md) * [v2.2.0](docs/releases/v2_2_0.md) diff --git a/docs/project-roadmap.md b/docs/project-roadmap.md index f9654349..b97b52f6 100644 --- a/docs/project-roadmap.md +++ b/docs/project-roadmap.md 
@@ -4,12 +4,10 @@ We are getting very close to a beta release. Our beta release is targeted for the summer timeframe. Our goal is to meet these requirements by the end of the year. -- We are working towards enabling "live" analysis for a container. The idea is that if Tern could generate an SBoM at build time, the SBoM would then be available to package and distribute with the container image without the need for post scanning. -- We are very close to enabling inventory for a single container layer which will be available in the next 2.5.0 release. - We will continue investigating how we can run Tern without root privileges. -- We want to enable Tern to pull image digests and images using registry HTTP(s) APIs so that we can pull images from registries other than Dockerhub. -- Create a database backend with an associated API. We are hoping to have a GSoC intern help us tackle this issue. -- Enable inventory of a Distroless image using some sort of custom script. +- We want to transition away from using the Docker Python library to pull container images from Dockerhub. For motivation and context, see the Kubernetes [announcement](https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/) and past [discussion](https://github.com/tern-tools/meetings/blob/main/minutes/04-13-2021.md) on the topic from Tern's community meeting. +- Create a database backend with an associated API. +- Improve coverage of Tern's CI/CD pipeline. We will also continue to work on the following: diff --git a/docs/releases/v2_6_0-requirements.txt b/docs/releases/v2_6_0-requirements.txt new file mode 100644 index 00000000..d7ed0b47 --- /dev/null +++ b/docs/releases/v2_6_0-requirements.txt 
@@ -0,0 +1,158 @@ +# +# This file is autogenerated by pip-compile +# To update, run: +# +# pip-compile --generate-hashes --output-file=v2_6_0-requirements.txt +# +attrs==21.2.0 \ + --hash=sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1 \ + --hash=sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb + # via debian-inspector +certifi==2020.12.5 \ + --hash=sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c \ + --hash=sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830 + # via requests +chardet==4.0.0 \ + --hash=sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa \ + --hash=sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5 + # via + # debian-inspector + # requests +debian-inspector==0.9.10 \ + --hash=sha256:d2a01c74e70897f5dc307b813203f366f9bde2fa7ead56895c2bd875e65cf144 \ + --hash=sha256:fd29a02b925a4de0d7bb00c29bb05f19715a304bc10ef7b9ad06a93893dc3a8c + # via -r requirements.in +docker==5.0.0 \ + --hash=sha256:3e8bc47534e0ca9331d72c32f2881bb13b93ded0bcdeab3c833fb7cf61c0a9a5 \ + --hash=sha256:fc961d622160e8021c10d1bcabc388c57d55fb1f917175afbe24af442e6879bd + # via -r requirements.in +dockerfile-parse==1.1.0 \ + --hash=sha256:80ea4b88694ab014001e39e62335aa2f4feb695b80de751377e994a344fa5952 \ + --hash=sha256:f37bfa327fada7fad6833aebfaac4a3aaf705e4cf813b737175feded306109e8 + # via -r requirements.in +gitdb==4.0.7 \ + --hash=sha256:6c4cc71933456991da20917998acbe6cf4fb41eeaab7d6d67fbc05ecd4c865b0 \ + --hash=sha256:96bf5c08b157a666fec41129e6d327235284cca4c81e92109260f353ba138005 + # via gitpython +gitpython==3.1.17 \ + --hash=sha256:29fe82050709760081f588dd50ce83504feddbebdc4da6956d02351552b1c135 \ + --hash=sha256:ee24bdc93dce357630764db659edaf6b8d664d4ff5447ccfeedd2dc5c253f41e + # via -r requirements.in +idna==2.10 \ + --hash=sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6 \ + 
--hash=sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0 + # via requests +pbr==5.6.0 \ + --hash=sha256:42df03e7797b796625b1029c0400279c7c34fd7df24a7d7818a1abb5b38710dd \ + --hash=sha256:c68c661ac5cc81058ac94247278eeda6d2e6aecb3e227b0387c30d277e7ef8d4 + # via + # -r requirements.in + # stevedore +prettytable==2.1.0 \ + --hash=sha256:5882ed9092b391bb8f6e91f59bcdbd748924ff556bb7c634089d5519be87baa0 \ + --hash=sha256:bb5abc72bdfae6f3cdadb04fb7726f6915af0ddb7c897a41d4ad7736d9bfd8fd + # via -r requirements.in +pyyaml==5.4.1 \ + --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \ + --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \ + --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \ + --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \ + --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \ + --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \ + --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \ + --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \ + --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \ + --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \ + --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \ + --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \ + --hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \ + --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \ + --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \ + --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \ + --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \ + 
--hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \ + --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \ + --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \ + --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \ + --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \ + --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \ + --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \ + --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \ + --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \ + --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \ + --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \ + --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0 + # via -r requirements.in +regex==2021.4.4 \ + --hash=sha256:01afaf2ec48e196ba91b37451aa353cb7eda77efe518e481707e0515025f0cd5 \ + --hash=sha256:11d773d75fa650cd36f68d7ca936e3c7afaae41b863b8c387a22aaa78d3c5c79 \ + --hash=sha256:18c071c3eb09c30a264879f0d310d37fe5d3a3111662438889ae2eb6fc570c31 \ + --hash=sha256:1e1c20e29358165242928c2de1482fb2cf4ea54a6a6dea2bd7a0e0d8ee321500 \ + --hash=sha256:281d2fd05555079448537fe108d79eb031b403dac622621c78944c235f3fcf11 \ + --hash=sha256:314d66636c494ed9c148a42731b3834496cc9a2c4251b1661e40936814542b14 \ + --hash=sha256:32e65442138b7b76dd8173ffa2cf67356b7bc1768851dded39a7a13bf9223da3 \ + --hash=sha256:339456e7d8c06dd36a22e451d58ef72cef293112b559010db3d054d5560ef439 \ + --hash=sha256:3916d08be28a1149fb97f7728fca1f7c15d309a9f9682d89d79db75d5e52091c \ + --hash=sha256:3a9cd17e6e5c7eb328517969e0cb0c3d31fd329298dd0c04af99ebf42e904f82 \ + --hash=sha256:47bf5bf60cf04d72bf6055ae5927a0bd9016096bf3d742fa50d9bf9f45aa0711 \ + 
--hash=sha256:4c46e22a0933dd783467cf32b3516299fb98cfebd895817d685130cc50cd1093 \ + --hash=sha256:4c557a7b470908b1712fe27fb1ef20772b78079808c87d20a90d051660b1d69a \ + --hash=sha256:52ba3d3f9b942c49d7e4bc105bb28551c44065f139a65062ab7912bef10c9afb \ + --hash=sha256:563085e55b0d4fb8f746f6a335893bda5c2cef43b2f0258fe1020ab1dd874df8 \ + --hash=sha256:598585c9f0af8374c28edd609eb291b5726d7cbce16be6a8b95aa074d252ee17 \ + --hash=sha256:619d71c59a78b84d7f18891fe914446d07edd48dc8328c8e149cbe0929b4e000 \ + --hash=sha256:67bdb9702427ceddc6ef3dc382455e90f785af4c13d495f9626861763ee13f9d \ + --hash=sha256:6d1b01031dedf2503631d0903cb563743f397ccaf6607a5e3b19a3d76fc10480 \ + --hash=sha256:741a9647fcf2e45f3a1cf0e24f5e17febf3efe8d4ba1281dcc3aa0459ef424dc \ + --hash=sha256:7c2a1af393fcc09e898beba5dd59196edaa3116191cc7257f9224beaed3e1aa0 \ + --hash=sha256:7d9884d86dd4dd489e981d94a65cd30d6f07203d90e98f6f657f05170f6324c9 \ + --hash=sha256:90f11ff637fe8798933fb29f5ae1148c978cccb0452005bf4c69e13db951e765 \ + --hash=sha256:919859aa909429fb5aa9cf8807f6045592c85ef56fdd30a9a3747e513db2536e \ + --hash=sha256:96fcd1888ab4d03adfc9303a7b3c0bd78c5412b2bfbe76db5b56d9eae004907a \ + --hash=sha256:97f29f57d5b84e73fbaf99ab3e26134e6687348e95ef6b48cfd2c06807005a07 \ + --hash=sha256:980d7be47c84979d9136328d882f67ec5e50008681d94ecc8afa8a65ed1f4a6f \ + --hash=sha256:a91aa8619b23b79bcbeb37abe286f2f408d2f2d6f29a17237afda55bb54e7aac \ + --hash=sha256:ade17eb5d643b7fead300a1641e9f45401c98eee23763e9ed66a43f92f20b4a7 \ + --hash=sha256:b9c3db21af35e3b3c05764461b262d6f05bbca08a71a7849fd79d47ba7bc33ed \ + --hash=sha256:bd28bc2e3a772acbb07787c6308e00d9626ff89e3bfcdebe87fa5afbfdedf968 \ + --hash=sha256:bf5824bfac591ddb2c1f0a5f4ab72da28994548c708d2191e3b87dd207eb3ad7 \ + --hash=sha256:c0502c0fadef0d23b128605d69b58edb2c681c25d44574fc673b0e52dce71ee2 \ + --hash=sha256:c38c71df845e2aabb7fb0b920d11a1b5ac8526005e533a8920aea97efb8ec6a4 \ + --hash=sha256:ce15b6d103daff8e9fee13cf7f0add05245a05d866e73926c358e871221eae87 \ + 
--hash=sha256:d3029c340cfbb3ac0a71798100ccc13b97dddf373a4ae56b6a72cf70dfd53bc8 \ + --hash=sha256:e512d8ef5ad7b898cdb2d8ee1cb09a8339e4f8be706d27eaa180c2f177248a10 \ + --hash=sha256:e8e5b509d5c2ff12f8418006d5a90e9436766133b564db0abaec92fd27fcee29 \ + --hash=sha256:ee54ff27bf0afaf4c3b3a62bcd016c12c3fdb4ec4f413391a90bd38bc3624605 \ + --hash=sha256:fa4537fb4a98fe8fde99626e4681cc644bdcf2a795038533f9f711513a862ae6 \ + --hash=sha256:fd45ff9293d9274c5008a2054ecef86a9bfe819a67c7be1afb65e69b405b3042 + # via -r requirements.in +requests==2.25.1 \ + --hash=sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804 \ + --hash=sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e + # via + # -r requirements.in + # docker +six==1.16.0 \ + --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ + --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 + # via dockerfile-parse +smmap==4.0.0 \ + --hash=sha256:7e65386bd122d45405ddf795637b7f7d2b532e7e401d46bbe3fb49b9986d5182 \ + --hash=sha256:a9a7479e4c572e2e775c404dcd3080c8dc49f39918c2cf74913d30c4c478e3c2 + # via gitdb +stevedore==3.3.0 \ + --hash=sha256:3a5bbd0652bf552748871eaa73a4a8dc2899786bc497a2aa1fcb4dcdb0debeee \ + --hash=sha256:50d7b78fbaf0d04cd62411188fa7eedcb03eb7f4c4b37005615ceebe582aa82a + # via -r requirements.in +urllib3==1.26.4 \ + --hash=sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df \ + --hash=sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937 + # via requests +wcwidth==0.2.5 \ + --hash=sha256:beb4802a9cebb9144e99086eff703a642a13d6a0052920003a230f3294bbe784 \ + --hash=sha256:c4d647b99872929fdb7bdcaa4fbe7f01413ed3d98077df798530e5b04f116c83 + # via prettytable +websocket-client==1.0.1 \ + --hash=sha256:3e2bf58191d4619b161389a95bdce84ce9e0b24eb8107e7e590db682c2d0ca81 \ + --hash=sha256:abf306dc6351dcef07f4d40453037e51cc5d9da2ef60d0fc5d0fe3bcda255372 + # via docker 
diff --git a/docs/releases/v2_6_0.md b/docs/releases/v2_6_0.md new file mode 100644 index 00000000..6131ea68 --- /dev/null +++ b/docs/releases/v2_6_0.md 
@@ -0,0 +1,89 @@ +# Release 2.6.0 + +## Summary +This release includes the usual mix of features, bug fixes and resolved technical debt. Namely, this release adds the ability to inventory a container at build time. When paired with other container build tools, this feature makes it possible to package and distribute the container SBoM with a container image, which eliminates the need for post-build scanning. Additionally, default reports were reformatted to better organize and display package metadata in a table instead of a list which makes it easier to associate licenses found in the container with the packages they belong to. + +A number of bugs were also resolved in this release. Most importantly, Tern now properly collects and reports on file information from Scancode, drastically improving the accuracy of the reports generated with Tern + Scancode. Tern's run time performance has also improved significantly with the removal of regex based filtering in some files. + +## New Features +* [Generate SBoMs at container build time](https://github.com/tern-tools/tern/issues/849): This feature enables Tern to inventory and generate an SBoM against a mounted container filesystem. This feature is meant to work along with other container build tools and scripts. +* [Display layer packages in a table format](https://github.com/tern-tools/tern/issues/930): The default report now represents package metadata in a formatted table instead of a list. This makes the reports cleaner and easier to understand. +* [Add copyright info for NPM packages](https://github.com/tern-tools/tern/issues/957): Tern can now provide copyright information for NPM packages in the JSON, YAML, HTML and SPDX reports. 
+ +## Bug Fixes +* [Scancode not producing file or file license info](https://github.com/tern-tools/tern/issues/959) +* [AttributeError when using debug subcommand](https://github.com/tern-tools/tern/issues/967) +* [Infinite notices are reported](https://github.com/tern-tools/tern/issues/942) +* [Scancode errors when collecting pip package information](https://github.com/tern-tools/tern/issues/964) + +## Resolved Technical Debt +* [Remove regex based filtering to increase run performance](https://github.com/tern-tools/tern/issues/939) +* [Add 'Understanding the Reports' section to README](https://github.com/tern-tools/tern/issues/960) +* [Update 'debut' dependency to reflect new 'debian-inspector' name](https://github.com/tern-tools/tern/issues/961) +* [Use dpkg-query to avoid using cut and awk utilities](https://github.com/tern-tools/tern/issues/936) + +## Future Work +* Enable Dockerfile "locking" for multistage docker builds +* Use skopeo to pull container images + +## Changelog +Note: This changelog will not include these release notes + +Changelog generated by command: `git log --pretty=format:"%h %s" v2.5.0..main` + +``` +6ada44b Record and report scancode file licenses +22ac183 Update README with Cybersecurity EO/SPDX info +63def2d Add 'Understanding the Reports' section to README +1bc7588 Added copyright info for NPM packages +90297ef Update debug execution path with prereqs object +f6535bb scancode: filter license from pip pkg classifiers +7fb3d1b Replace `debut` with `debian-inspector` +0bf92fd Better parsing of created_by values +385301e ADD/COPY command analysis by tern +52fd8f3 Fixed an issue with the export command +264de6c CI: Test lock with single stage Dockerfile +022659d Clean up lines in default report +a03e7d2 Deprecate command library commands in reports +cb99041 Update 'invoke_for_base' Notice verbiage +3710b08 Reorganize package metadata info in default report +c3a2a07 Reorganize package metadata info in default report +f6202a1 Add 
prettytable dep to reformat default report +31ce1bb Remove regex based filtering for prop_names +6315e26 Generate SBoMs at container build time +28024fd fix: Set layer creation notice only on cache miss +230d6d8 Add devcontainer configuration +22ef379 Handling the traceback in commit message linting +c66c842 Fix linting errors and cyclic import +9e015d0 SPDX JSON SBoM generation at container build time +1068bc5 Add reporting for OS type +4476383 Account for "host" scripts +551b0c4 Add JSON and YAML generator for layer object +a85cd0a Add HTML format for one layer object +7d98f61 Enable default format reporting for live run +448de80 Hook up --live with execution path +da3a869 Added a new option -l,--live to report subcommand +e57508b Introduce inventory of live container +66f81ea Use slim variant of Debian Buster as base image +86dc6e6 Add project_urls to debian based images +b71fc2b Use dpkg-query to list installed packages on debian +``` + +## Contributors +``` +Cole Helbling cole.e.helbling@outlook.com +Dhairya Jain jaindhairya2001@gmail.com +Jamie Magee jamagee@microsoft.com +Jamie Magee jamie.magee@gmail.com +m1-key shubhamtiwari.tiwari84@gmail.com +Matej Zachar mzachar@simpleway.cz +Mukul Taneja mtaneja@vmware.com +quepop thequepop@gmail.com +Yann Jorelle yannjorelle@protonmail.com +``` + +## Contact the Maintainers + +Nisha Kumar: nishak@vmware.com +Rose Judge: rjudge@vmware.com + diff --git a/requirements.txt b/requirements.txt index b09230ef..dd234a12 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,12 +7,12 @@ # what should be updated. PyYAML>=5.4 -docker~=4.4 +docker~=5.0 dockerfile-parse~=1.1 requests~=2.25 stevedore>=3.3 -pbr>=5.5 +pbr>=5.6 debian-inspector>=0.9 -regex>=2021.3 +regex>=2021.4 GitPython~=3.1 prettytable~=2.1
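Review bot: in the README.md hunk the advisory line now ends "Please update to version 2.5.0 or later", which is the needed fix since 2.6.0 is the release being shipped here; consider wording it as "update to the latest release" so it does not need another edit on every bump while the CVE-2021-28363 reference stays. The unchanged context line `$ python tests/.py` appears to be missing the test module name and is worth checking in the rendered README while the file is open.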
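Review bot: in the docs/project-roadmap.md hunk the dropped bullets on "live" analysis and single-layer inventory are correctly removed now that build-time SBoM generation ships in this release, but the unchanged lead-in "We are getting very close to a beta release. Our beta release is targeted for the summer timeframe." still sits above a roadmap for a project already at 2.6.0 with 2.7.0 in progress per the README hunk; confirm it is still accurate or revise it in the same patch. The rewritten bullet "Create a database backend with an associated API." dropped the GSoC mention without saying whether the item still has an owner.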
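Review bot: docs/releases/v2_6_0-requirements.txt pins every dependency with `--hash=sha256:` values, but that protection only applies to installs run with `pip install --require-hashes -r docs/releases/v2_6_0-requirements.txt`; the release notes added in this same patch never mention the freeze file or that flag, so add an install line to v2_6_0.md or users will keep installing from the floating ranges in requirements.txt and get none of the hash-pinning benefit. The header records the file was compiled from `-r requirements.in` while the user-facing constraints live in requirements.txt; a comment on how the two are kept in sync would help the next release.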
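Review bot: in the docs/releases/v2_6_0.md hunk the Summary claims that shipping the SBoM with the image "eliminates the need for post-build scanning"; what it removes is the need to re-inventory the filesystem after the fact, since the SBoM reflects the packages present at build time and still has to be matched against current vulnerability data later, so consider "eliminates the need to re-scan the image to produce an inventory" or similar. Two Changelog entries carry the identical subject "Reorganize package metadata info in default report" (3710b08, c3a2a07), and the Contributors block lists Jamie Magee twice under two addresses; a .mailmap entry would collapse the duplicate before the list is generated.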
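Review bot: in the requirements.txt hunk the bumps `docker~=5.0`, `pbr>=5.6` and `regex>=2021.4` agree with the freeze file (`docker==5.0.0`, `pbr==5.6.0`, `regex==2021.4.4`), but the file still mixes compatible-release pins (`~=`) with open-ended `>=` floors for PyYAML, stevedore, pbr, debian-inspector and regex, so a future major release of any of those is accepted by users installing from this file without a hash check. Since the context comment says this file explains "what should be updated", either state which packages are deliberately allowed to float or switch the `>=` entries to `~=`. The move from `docker~=4.4` to `docker~=5.0` is itself a major-version dependency change and deserves a line in the release notes.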