diff --git a/README.md b/README.md index 6ca2bde7..9ee11212 100644 --- a/README.md +++ b/README.md @@ -270,11 +270,12 @@ $ python tests/.py ``` ## Project Status -Release 2.0.0 is out! See the [release notes](docs/releases/v2_0_0.md) for more information. +Release 2.1.0 is out! See the [release notes](docs/releases/v2_1_0.md) for more information. -We try to keep the [project roadmap](./docs/project-roadmap.md) as up to date as possible. We are currently working on Release 2.1.0. +We try to keep the [project roadmap](./docs/project-roadmap.md) as up to date as possible. We are currently working on Release 2.2.0. ## Releases +* [v2.1.0](docs/releases/v2_1_0.md) * [v2.0.0](docs/releases/v2_0_0.md) * [v1.0.1](docs/releases/v1_0_1.md) * [v0.5.4](docs/releases/v0_5_4.md) diff --git a/docs/releases/v2_1_0-requirements.txt b/docs/releases/v2_1_0-requirements.txt new file mode 100644 index 00000000..f7295db8 --- /dev/null +++ b/docs/releases/v2_1_0-requirements.txt 
@@ -0,0 +1,72 @@ +# +# This file is autogenerated by pip-compile +# To update, run: +# +# pip-compile --generate-hashes --output-file=docs/releases/v2_1_0-requirements.txt +# +attrs==19.3.0 \ + --hash=sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c \ + --hash=sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72 \ + # via debut +certifi==2020.4.5.1 \ + --hash=sha256:1d987a998c75633c40847cc966fcf5904906c920a7f17ef374f5aa4282abd304 \ + --hash=sha256:51fcb31174be6e6664c5f69e3e1691a2d72a1a12e90f872cbdb1567eb47b6519 \ + # via requests +chardet==3.0.4 \ + --hash=sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae \ + --hash=sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691 \ + # via debut, requests +debut==0.9.4 \ + --hash=sha256:218d64f72602d6f8a690c7af3e735b2e338a3b52040f797ea56ee873629b9fd6 \ + --hash=sha256:4bf44200da54b8cfc730a236f76de883663cd1edb15e9ecdc060a5a791f863dc \ + # via -r requirements.in +docker==4.2.0 \ + --hash=sha256:1c2ddb7a047b2599d1faec00889561316c674f7099427b9c51e8cb804114b553 \ + --hash=sha256:ddae66620ab5f4bce769f64bcd7934f880c8abe6aa50986298db56735d0f722e \ + # via -r requirements.in +dockerfile-parse==0.0.17 \ + --hash=sha256:7b8ab184c24ab35c2a0af47b1766dfeeeb7f47da42197ee9756aa4695c60c775 \ + --hash=sha256:868a6a00db2150ae92af177757eb35210f54243f6d8b2c362fe777e44fc98279 \ + --hash=sha256:a69d4ed44c4a890c16437327009ae59ec3a3afeb1abc3819d0c1b14a46099220 \ + # via -r requirements.in +idna==2.9 \ + --hash=sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb \ + --hash=sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa \ + # via requests +pbr==5.4.5 \ + --hash=sha256:07f558fece33b05caf857474a366dfcc00562bca13dd8b47b2b3e22d9f9bf55c \ + --hash=sha256:579170e23f8e0c2f24b0de612f71f648eccb79fb1322c814ae6b3c07b5ba23e8 \ + # via -r requirements.in, stevedore +pyyaml==5.3.1 \ + 
--hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \ + --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \ + --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \ + --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \ + --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \ + --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \ + --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \ + --hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \ + --hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \ + --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \ + --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a \ + # via -r requirements.in +requests==2.23.0 \ + --hash=sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee \ + --hash=sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6 \ + # via -r requirements.in, docker +six==1.15.0 \ + --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \ + --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced \ + # via docker, dockerfile-parse, stevedore +stevedore==1.32.0 \ + --hash=sha256:18afaf1d623af5950cc0f7e75e70f917784c73b652a34a12d90b309451b5500b \ + --hash=sha256:a4e7dc759fb0f2e3e2f7d8ffe2358c19d45b9b8297f393ef1256858d82f69c9b \ + # via -r requirements.in +urllib3==1.25.9 \ + --hash=sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527 \ + --hash=sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115 \ + # via requests +websocket-client==0.57.0 \ + --hash=sha256:0fc45c961324d79c781bab301359d5a1b00b13ad1b10415a4780229ef71a5549 \ + --hash=sha256:d735b91d6d1692a6a181f2a8c9e0238e5f6373356f561bb9dc4c7af36f452010 \ + # 
via docker diff --git a/docs/releases/v2_1_0.md b/docs/releases/v2_1_0.md new file mode 100644 index 00000000..f78030d2 --- /dev/null +++ b/docs/releases/v2_1_0.md 
@@ -0,0 +1,135 @@ +# Release 2.1.0 + +## Summary +A handful of significant features were added to increase the amount of information Tern is able to collect and provide to the user. Some of these features include metadata collection for pip, npm and gem, as well as license reporting in the default report for Debian-based images. + +In addition to the new features mentioned above, we have also included bug fixes and resolved some technical debt. + +We are still in Alpha development mode and hope to transition to Beta within the next 6-8 months. The successful transition to Beta will happen when the following features are completed: +* Enable Tern to run natively in a container for Mac and Windows. +* Golang package manager support. +* Replacement of cache.yml with a backend database. + +We'd like to thank all those who contributed to this release. + +## New Features +* [Enable pip package listing](https://github.com/tern-tools/tern/issues/149): Tern now collects package metadata information for pip packages installed in an image. +* [Enable gem and npm package listing](https://github.com/tern-tools/tern/issues/609): Tern now collects package metadata information for gem and npm packages installed in an image. Note: npm package metadata collection times can be rather long due to the often large number of modules installed. +* [License reporting for Debian](https://github.com/tern-tools/tern/issues/499): Debian license information is embedded in the copyright text. Before this enhancement, license metadata for Debian images was not reported in the default report and the only way to see it was to use an alternative format like SPDX. Debian license metadata information will now be provided in the default report. +* [Update SPDX format to include file level analysis](https://github.com/tern-tools/tern/issues/586): File level metadata collected using the Scancode plugin will now be represented in spdxtagvalue-formatted reports. 
+ +## Bug Fixes +* [Tern fails when image has no created_by key](https://github.com/tern-tools/tern/issues/636) +* [Tern fails to perform analysis for Buildpack images](https://github.com/tern-tools/tern/issues/684) +* [--redo flag does not redo file level analysis](https://github.com/tern-tools/tern/issues/653) +* [Teardown fails for raw container images](https://github.com/tern-tools/tern/issues/628) +* [Return new lines in Dockerfile lock feature](https://github.com/tern-tools/tern/issues/596) +* [Fixed error: chroot: failed to run command '/bin/bash'](https://github.com/tern-tools/tern/issues/644) +* [error in dockerfile lock when ADDed file is not found](https://github.com/tern-tools/tern/issues/642) +* [Fix timeout error for large images](https://github.com/tern-tools/tern/issues/630) +* [cve-bin-tool errors out in Tern but prints report accurately without it](https://github.com/tern-tools/tern/issues/689) +* [Dockerfile lock gets confused when installing pip packages](https://github.com/tern-tools/tern/issues/702) + + +## Resolved Technical Debt +* Fix "too-many-branches" prospector errors for [generator.py](https://github.com/tern-tools/tern/issues/648) and [helpers.py](https://github.com/tern-tools/tern/issues/647) +* [Resolved Scancode header in generated documents](https://github.com/tern-tools/tern/issues/643) +* [Update warning messages to be more helpful](https://github.com/tern-tools/tern/issues/687) + +## Future Work +* We will be focusing on how to run Tern natively in a container on Windows and Mac. +* We will add a debug feature to Tern that can be used by contributors. +* We will create an option to view JSON report output in a web interface UI. +* We will start to look at enabling Tern to run for OCI images. +* Google Summer of Code Interns will begin contributing to Tern full time at the beginning of June. +* As usual, we will be refactoring code, addressing technical debt, and fixing bugs. 
+ +The next planned release will take place at the end of July 2020. Watch the [project roadmap](/docs/project-roadmap.md) for updates. + +## Changelog + +Note: This changelog will not include these release notes + +Changelog produced by command: `git log --pretty=format:"%h %s" v2.0.0..master` + +``` +202c4c8 Fix package pinning when package is also pkg mngr +6ed1f0c extensions: scancode: Fix file type reporting +c9b2261 extensions: cve-bin-tool: Print error and result +0d05d53 Fix error with missing keys in cache +fd901e5 classes: Set digest when instantiating DockerImage +20504e0 formats: spdxtagvalue: Update to SPDX 2.2 +4c79585 Update warning message to be more helpful +dd6a864 formats: spdxtagvalue: Add extension_info headers +8716e12 Add Scancode header in generated documents +1f6dd29 Get Debian package licenses from copyrights +ce7b963 Parse Debian copyright texts to get licenses +5031cd6 classes: package: Add property pkg_licenses +33b2190 Enable -r--/redo option for extensions +db83e03 Enable npm and yarn package listing +54b5cb7 extensions: scancode: Increase timeout limit +2c84a13 Let GNU tar extract leading forwardslash members +161c512 Bug fix if image has no created_by key +59a6b60 analyze: Reduce branches in analyze_first_layer +c7ccaab Look for shell in filesystem +cc71316 Adding support for bundler +e2a82b7 Update base.yml to echo debian copyright file path +843d78a Run prospector on all files for CI tests +edafcf0 formats: spdx: add PackageComment for layers +3193a17 Revert "Update base.yml to echo debian copyrig..." 
+869d605 command_lib: Remove shell listing from base.yml +b8e3d4d analyze: Update finding and using a shell binary +3ad5fd8 command_lib: Add new file common.yml +44ae447 Update base.yml to echo debian copyright file path +ef23604 Enable gem package listing +85dd0df Undo mount operation in event of errors +6c2bee2 Enable pip package listing +92f5301 Fix infinite loop in container_debug.py +ee515be utils: Exclude whiteout files when extracting +0bed397 Combine RUN commands in Tern's Dockerfile +32db7df tools: Update container_debug and verify_invoke +1482bd7 Fix prospector too-many-branches error for plugins +2558db0 Fix linting error for helper.py +2d1963a Fix linting error for generator.py +7bee629 Use absolute path for ADDed Dockerfile files +a6fde9e Add CI test for Dockerfile lock +a01047b docs: Update the project roadmap for 2020 +797b2c6 Include file level data into SPDX documents +f02f363 spdxtagvalue: Fix SPDX validation errors +442ffe8 spdxtagvalue: Create valid doc with file data +15315f0 scancode: Include file_type and checksums +290c4a3 classes: Modify checksums data structure +262c893 tools: Hash only non-empty files +1dffe27 formats: spdx: Use helpers in generator +e90c118 formats: spdx: Move image level SPDX to a new file +9e594a4 formats: spdx: Move layer functions to new file +a5fc985 classes: Get checksum for docker images +340900c formats: spdx: Move package format to new file +d83a83f formats: spdx: Add Package Verification Code +5db1e33 formats: spdx: Add file block functions +2e9cd35 classes: Add short_file_type to FileData class +e0f6108 Point to new code hosting link +bdec7a7 Add docs to create a dev env. 
when using vagrant +9a4de19 Increase timeout for pulling large images +f0c396f Add exception for raw container image teardown +bcc1686 Find Git Project URL +120876a Fixed some typos and grammar in docs +3f1bb7a Add documentation about Dockerfile lock +dd47575 Preserve newline characters in Dockerfile.lock +d1c846d Add ‘checksums’ properties to Image and ImageLayer +e1698ac Add test to validate cache behavior on layers +``` + +## Contributors + +``` +abhaykatheria abhaykatehria01@gmail.com +Miguel Angel G miguel@gordian.dev +mukultaneja mtaneja@vmware.com +WangJL hazard15020@gmail.com +``` + +## Contact the Maintainers + +Nisha Kumar: nishak@vmware.com +Rose Judge: rjudge@vmware.com
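Review bot: the new Releases entry in README links only `docs/releases/v2_1_0.md`; the companion hash-pinned `docs/releases/v2_1_0-requirements.txt` added in this same patch is not reachable from README or from the release notes, so consider listing it beside the entry (for example `* [v2.1.0](docs/releases/v2_1_0.md) ([pinned requirements](docs/releases/v2_1_0-requirements.txt))`) so a reader can find the exact dependency set the release was built against.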
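Review bot: the requirements file carries sha256 hashes for every pin, which is what `pip install --require-hashes -r docs/releases/v2_1_0-requirements.txt` needs to refuse any unhashed or substituted artifact, but the header only documents the `pip-compile --generate-hashes --output-file=docs/releases/v2_1_0-requirements.txt` command that produced it; add a one-line comment (or a sentence in the release notes) telling users to install with `--require-hashes`, otherwise the hashes are informational only. Also worth confirming the file was regenerated from a clean `requirements.in` rather than hand-edited: `pyyaml==5.3.1` lists eleven hashes where the other pins list two or three, which is normal for a package that ships many wheels but is the kind of entry that drifts when edited by hand.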
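Review bot: in the Changelog section the documented command is `git log --pretty=format:"%h %s" v2.0.0..master`, so re-running it after the release produces a different list than the one shipped here; use the release tag as the upper bound (`v2.0.0..v2.1.0`) so the command in the notes reproduces the shipped changelog. Two smaller points in the same hunk: the roadmap link is written as `/docs/project-roadmap.md` (leading slash) while README uses `./docs/project-roadmap.md`, and the absolute form breaks when the file is viewed outside the repository root, so make both relative; and "Note: This changelog will not include these release notes" would read more clearly as "Note: this changelog does not include the commit that adds these release notes".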