From 900bfe53b6cb4d0c8a0c647f58ae96e8b1e4714b Mon Sep 17 00:00:00 2001 From: Rose Judge Date: Mon, 30 Mar 2020 16:39:00 -0700 Subject: [PATCH] Prep for Release 2.0.0 This commit includes the release notes for v2.0.0, two small updates to the release checklist for clarity and changes to requirements.txt and requirements.in files to update dependency versions. Signed-off-by: Rose Judge --- docs/releases/release_checklist.md | 5 +- docs/releases/v2_0_0-requirements.txt | 62 +++++++++++ docs/releases/v2_0_0.md | 153 ++++++++++++++++++++++++++ requirements.in | 1 + requirements.txt | 8 +- 5 files changed, 223 insertions(+), 6 deletions(-) create mode 100644 docs/releases/v2_0_0-requirements.txt create mode 100644 docs/releases/v2_0_0.md diff --git a/docs/releases/release_checklist.md b/docs/releases/release_checklist.md index 57017dee..8feb590a 100644 --- a/docs/releases/release_checklist.md +++ b/docs/releases/release_checklist.md @@ -33,7 +33,7 @@ This is a checklist for cutting a release - Changelog * "Note: This changelog will not include these release notes" * "Changelog produced by command: `git log --pretty=format:"%h %s" v..master`" - - Contributors (look at Authors in the changelog `git log --pretty=format:"%an %ae" v..master | uniq`) + - Contributors (look at Authors in the changelog `git log --pretty=format:"%an %ae" v..master | sort | uniq`). Remove the maintainers name from the contributor list. - Contact the Maintainers - [ ] Commit release notes and create patch for your changes 
@@ -43,7 +43,8 @@ This is a checklist for cutting a release * Create a new branch. You will use this branch to submit a PR for the release changes. * Copy the patch file you just created into your new forked repo environment. * Run `git am 0001-.patch`. - * After running the `git am` command above, the changes in the patch will be available in your forked repo. You can verify this by running `git log` and looking at the top commit from the output. + * Run `git push origin ` to push the changes to your forked repo. + * The changes are now available in your forked repo. You can verify this by running `git log` and looking at the top commit from the output. * Open a pull request in the Tern project repository for your release changes. * Request a review from another maintainer. Update PR as needed based on feedback. Merge the PR. This commit is where the release will be tagged. diff --git a/docs/releases/v2_0_0-requirements.txt b/docs/releases/v2_0_0-requirements.txt new file mode 100644 index 00000000..0a8a35f8 --- /dev/null +++ b/docs/releases/v2_0_0-requirements.txt 
@@ -0,0 +1,62 @@ +# +# This file is autogenerated by pip-compile +# To update, run: +# +# pip-compile --generate-hashes --output-file=docs/releases/v2_0_0-requirements.txt +# +certifi==2019.11.28 \ + --hash=sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3 \ + --hash=sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f \ + # via requests +chardet==3.0.4 \ + --hash=sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae \ + --hash=sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691 \ + # via requests +docker==4.2.0 \ + --hash=sha256:1c2ddb7a047b2599d1faec00889561316c674f7099427b9c51e8cb804114b553 \ + --hash=sha256:ddae66620ab5f4bce769f64bcd7934f880c8abe6aa50986298db56735d0f722e \ + # via -r requirements.in +dockerfile-parse==0.0.16 \ + --hash=sha256:1e3c6f190eff204ab232ebba34d2f5c68591d22a27a9606bf2612c17499ec30b \ + # via -r requirements.in +idna==2.9 \ + --hash=sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb \ + --hash=sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa \ + # via requests +pbr==5.4.4 \ + --hash=sha256:139d2625547dbfa5fb0b81daebb39601c478c21956dc57e2e07b74450a8c506b \ + --hash=sha256:61aa52a0f18b71c5cc58232d2cf8f8d09cd67fcad60b742a60124cb8d6951488 \ + # via -r requirements.in, stevedore +pyyaml==5.3.1 \ + --hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \ + --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \ + --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \ + --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \ + --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \ + --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \ + --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \ + 
--hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \ + --hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \ + --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \ + --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a \ + # via -r requirements.in +requests==2.23.0 \ + --hash=sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee \ + --hash=sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6 \ + # via -r requirements.in, docker +six==1.14.0 \ + --hash=sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a \ + --hash=sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c \ + # via docker, dockerfile-parse, stevedore +stevedore==1.32.0 \ + --hash=sha256:18afaf1d623af5950cc0f7e75e70f917784c73b652a34a12d90b309451b5500b \ + --hash=sha256:a4e7dc759fb0f2e3e2f7d8ffe2358c19d45b9b8297f393ef1256858d82f69c9b \ + # via -r requirements.in +urllib3==1.25.8 \ + --hash=sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc \ + --hash=sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc \ + # via requests +websocket-client==0.57.0 \ + --hash=sha256:0fc45c961324d79c781bab301359d5a1b00b13ad1b10415a4780229ef71a5549 \ + --hash=sha256:d735b91d6d1692a6a181f2a8c9e0238e5f6373356f561bb9dc4c7af36f452010 \ + # via docker diff --git a/docs/releases/v2_0_0.md b/docs/releases/v2_0_0.md new file mode 100644 index 00000000..7e66606a --- /dev/null +++ b/docs/releases/v2_0_0.md 
@@ -0,0 +1,153 @@
+# Release 2.0.0
+
+## Summary
+This is Tern's second major release. Our CLI has changed since the last release to account for a new feature and two new CLI options:
+* The ability to "lock" a provided Dockerfile (`tern lock ` will produce `Dockerfile.lock`). See "New Features" section below for more details.
+* Enable logging capability by default (i.e. remove the `-l, --logging` CLI option) and instead add the ability to silence terminal output as an option (`-q, --quiet` option).
+* Add new CLI option for user to set the working directory somewhere else besides the default location of the users home directory (`--wd, --working-dir` option)
+
+We are still in alpha development mode, so the CLI might change in the future, in which case, expect another major release bump.
+
+Apart from the addition of the new `Dockerfile lock` feature and CLI option changes, we have also included some bug fixes and work towards better test coverage. Significant improvements have been made to the way Tern runs with the Scancode extension and documentation has been improved.
+
+We'd like to thank all those who contributed to this release, which ended up being a more signficant milestone than expected.
+
+## New Features
+* Dockerfile lock: This is new functionality that creates a "locked" Dockerfile in which the base image is pinned to a digest and the packages installed for each subsequent layer are pinned to their versions if they are known. Tern will also expand `ARG` and `ENV` variables and try to find information about git repositories that may be `ADD`ed within the Dockerfile provided. This helps create a Dockerfile from which a repeatable container image may be built. To utilize this feature, run `tern lock -o `. Tern will try to first build your Dockerfile before creating the pinned output file.
If there are artifacts not accessible to the build or the build fails for other reasons, Tern will only inspect the base image and therefore, won't be able to pin package information in the locked output file
+* [Map Scancode's data into Tern's data model](https://github.com/vmware/tern/issues/480): This allows file level licenses found in Scancode's data collection to be reported in Tern's default report format when running with the `-x, --extend` CLI option.
+
+## Bug Fixes
+* [Only allow specifying an image and tag or an image digest](https://github.com/vmware/tern/issues/519)
+* [Allow user to set working directory](https://github.com/vmware/tern/issues/523)
+* [Allow Tern to save to and load from FileData information from the cache](https://github.com/vmware/tern/issues/574)
+* [Fix reporting of file level data in defualt and SPDX reports](https://github.com/vmware/tern/issues/583)
+* Fix file and base OS caching
+* [Exit gracefully if Dockerfile base OS does not exist](https://github.com/vmware/tern/issues/610)
+* [Update Scancode documentation](https://github.com/vmware/tern/issues/532)
+* [Map Scancode's data into Tern's data model](https://github.com/vmware/tern/issues/480)
+
+## Resolved Technical Debt
+* [Replace homegrown Dockerfile parser with dockerfile-parse](https://github.com/vmware/tern/issues/522)
+* [Parse version and arch when specified in the package name](https://github.com/vmware/tern/issues/2)
+* Multiple commits that work towards [Increasing test coverage](https://github.com/vmware/tern/issues/539)
+* Enable tox to run unit tests
+
+## Future Work
+* We will be focusing on adding support for language package managers.
+* We will integrate Scancode file scanning output in to Tern's output reports.
+* We will get two Google Summer of Code Interns to help us work towards our target milestones this summer.
+* As usual, we will be refactoring code, addressing technical debt, and fixing bugs.
+
+The next planned release will take place at the end of June 2020. Watch the [project roadmap](/docs/project-roadmap.md) for updates.
+
+## Changelog
+
+Note: This changelog will not include these release notes
+
+Changelog produced by command: `git log --pretty=format:"%h %s" v1.0.1..master`
+
+```
+b626d60 Except 'NotFound' error if FROM image DNE
+765b699 Fix file and base OS caching
+60517eb merge: Dockerfile lock cleanup
+3dc7f5d docs: Update scancode documentation
+bd21eec Replace manual dfile parser with dockerfile-parse
+8476d56 Update parsing functions to use dockerfile objects
+0495eba Add dfile_lock & dfobj flags to analysis functions
+559a685 analyze: Fix caching for base layer
+f7e29ff Don't store multiple copies of notices
+94626aa analyze: Resolve loading files and packages
+6453df0 analyze: Find the base OS binary without mounting
+1b0f454 Add quotations around Dockerfile name for clarity
+5a07a79 Revert "Check cache before finding shell"
+873094a Include base OS value in Tern's data model
+22ec926 file_data.py: Add checksums property
+101082e Fix TypeError for Dockerfile scratch base images
+92e1971 analyze: docker: Check cache before finding shell
+66f72e6 Include file level licenses in the default report
+6de1f35 merge: Add dockerfile lock feature
+7482f23 Add dockerfile lock functionality
+7dda602 Include dockerfile lock in execute_dockerfile()
+1a8bdb4 Change path to absolute when building from dfile
+7425e70 Add function to return pinning_separator
+a8499c4 Add locked dockerfile to constants
+282ac28 Add Dockerfile lock functionality to Tern CLI
+ef6e778 Record git project name and sha
+f5875a8 CLI: Removed -l option add a --quiet option
+aa87d3e merge: Integrate file level data from scancode
+2c216e5 tests: test_analyze_common.py
+69f1b45 Parsing ARG variables
+9dc4f2c extensions:scancode: Only scan at directory level
+d99461e Cache file level data
+f0e5cae Update FileData object and scancode executor
+6957e3a classes: Add merge method to
FileData class
+df58a64 extensions: scancode: Fix call to get_file_command
+f73e6c0 Add .tox and .coverage to gitignore
+a090517 Load FileData info from cache
+c9ff72f Integrate scancode data
+a4c107f Parse package name from version
+403645f extensions: Integrate scancode results
+b292aa6 classes: Add file_type setter to FileData
+4d9efd9 image_layer.py: Extract file data attributes
+191e6c5 tests: test_class_image
+397ba9d Add --wd argument to change the working directory
+a389f17 Document YAML data output that Tern produces
+e919f2d classes: Add FileData object list to package class
+cea8d43 classes: Added FileData object list to ImageLayer
+1780b71 tox.ini: configure and run tox
+3dbd5a0 Extract sha digest of Docker image
+6edc4c8 container: close the client socket
+ed2440a README: Clarified extensions usage
+705327d Added --rm in docker_run.sh
+874da23 Added conditional to check the mountpoints
+3438a55 Cleanup README
+8ca5287 formats: spdx: Add implementation for file_data
+5726c87 Add new class FileData
+9f037de tests: Fix reuse of python builtin id
+1bca746 Add new class FileData
+f6edaf2 Remove coverage --fail-under flag
+3f93d66 config.yml: Add coverage
+487af91 test_class_docker_image: Add a test image
+8f843a0 ci/cd: Migrate Tern from CircleCI to GH Actions
+a74ad06 Remove unwanted tests
+6f09399 Use dockerfile_parse to get Dockerfile info
+d18c4e1 __main__.py: Check docker image string
+0c1a7b0 customizes usage instructions for MAC users
+0939ffe Bump prospector version and disable pep8 N802
+fce20eb extensions: scancode: Ignore stderr if json exists
+aa016d7 Run extensions with sudo
+28be825 Update copyright dates for 2020
+1b76f65 analyze: use passthrough command full path
+4583c5f utils: Update shell_command calls
+241fbd0 Allow cve-bin-tool and scancode to run as root
+0ea14f0 Allow plugin provided commands to run as root
+c90a14f utils: Move check for userid to general
+0a33246 circleci: Update prospector profile
+2805884 merge: pep8/pylint fixes
+b59b3b4 Fix pylint cyclic-import error
+821dc08 Fix no-else-continue pylint error from prospector
+08f2d7c Fix pep8 E121 linting error from prospector
+6e7ae88 Remove semicolon from end of line
+2c7150d Fix unnecessary-pass pylint error from prospector
+a28f49c Fix N805 pep8 error from prospector
+6b33637 Fix pep8 E126 and W293 errors from prospector
+2c41e5a executor: scancode: Use pip package
+2d1d12c docs: Update README project status
+cc65fcb Corrections to release chklist and v101 rel. notes
+```
+
+## Contributors
+
+```
+abhay abhay.katheria1998@gmail.com
+Malini Bhandaru mbhandaru@vmware.com
+mukultaneja mukultaneja91@gmail.com
+PrajwalM2212 prajwalmmath@gmail.com
+Radmir Mukhambetov radmirnovii@gmail.com
+WangJL hazard15020@gmail.com
+```
+
+## Contact the Maintainers
+
+Nisha Kumar: nishak@vmware.com
+Rose Judge: rjudge@vmware.com
diff --git a/requirements.in b/requirements.in
index c82795b3..172ff3b7 100644
--- a/requirements.in
+++ b/requirements.in
@@ -11,3 +11,4 @@ docker requests stevedore pbr +dockerfile-parse
diff --git a/requirements.txt b/requirements.txt
index 9b057943..36e0c53f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,9 +6,9 @@ # transitive dependencies listed make it more difficult to figure out # what should be updated. -PyYAML>=5.2 -docker~=4.1 +PyYAML>=5.3 +docker~=4.2 dockerfile-parse~=0.0 -requests~=2.22 -stevedore>=1.31 +requests~=2.23 +stevedore>=1.32 pbr>=5.4