diff --git a/docs/releases/release_checklist.md b/docs/releases/release_checklist.md index 6d2579e2..c24ebf97 100644 --- a/docs/releases/release_checklist.md +++ b/docs/releases/release_checklist.md @@ -9,8 +9,8 @@ This is a checklist for cutting a release * Create a PR branch for the release. - [ ] Update direct dependencies and run tests. - * Run `pip install wheel pip-tools`. - * Run `pip-compile --upgrade --output-file docs/releases/v-requirements.txt`. + * Run `pip install wheel pip-tools twine`. + * Run `pip-compile --upgrade --output-file docs/releases/v-requirements.txt` where is of the form `major_minor_patch`. * Compare the release versions of the requirements to the current requirements.txt file. Upgrade if necessary. * Run `pip install .` to install tern. * Run appropriate tests. Roll back requirements if necessary. @@ -25,13 +25,23 @@ This is a checklist for cutting a release * Future Work * Changelog * "Note: This changelog will not include these release notes" - * "Changelog produced by command: `git log --pretty=format:"%h %s" v0.3.0..master`" - * Contributors (look at Authors in the changelog `git log --pretty=format:"%an %ae" v0.3.0..master | uniq`) + * "Changelog produced by command: `git log --pretty=format:"%h %s" v..master`" + * Contributors (look at Authors in the changelog `git log --pretty=format:"%an %ae" v..master | uniq`) * Contact the Maintainers - [ ] Commit release notes, `v-requirements.txt`, and any changes to `requirements.txt`. -- [ ] Tag release on GitHub. Check to see if release automation works. +- [ ] Tag release on GitHub. + * Add new tag + * Provide a link to the release notes. + +- [ ] Deploy to PyPI + * Run `git fetch --tags` to get the release tag + * Run `git checkout -b release + * Overwrite `requirements.txt` with `docs/releases/v-requirements.txt` + * Run `python setup.py sdist bdist_wheel` + * Run `twine check dist/*` + * Run `twine upload dist/*`. Here enter username and password and verify via 2FA. - [ ] Test pip package. * Create a fresh environment. diff --git a/docs/releases/v1_0_0-requirements.txt b/docs/releases/v1_0_0-requirements.txt new file mode 100644 index 00000000..d27f1ce3 --- /dev/null +++ b/docs/releases/v1_0_0-requirements.txt @@ -0,0 +1,56 @@ +# +# This file is autogenerated by pip-compile +# To update, run: +# +# pip-compile --generate-hashes --output-file=docs/releases/v1_0_0-requirements.txt +# +certifi==2019.9.11 \ + --hash=sha256:e4f3620cfea4f83eedc95b24abd9cd56f3c4b146dd0177e83a21b4eb49e21e50 \ + --hash=sha256:fd7c7c74727ddcf00e9acd26bba8da604ffec95bf1c2144e67aff7a8b50e6cef \ + # via requests +chardet==3.0.4 \ + --hash=sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae \ + --hash=sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691 \ + # via requests +docker==4.1.0 \ + --hash=sha256:6e06c5e70ba4fad73e35f00c55a895a448398f3ada7faae072e2bb01348bafc1 \ + --hash=sha256:8f93775b8bdae3a2df6bc9a5312cce564cade58d6555f2c2570165a1270cd8a7 +idna==2.8 \ + --hash=sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407 \ + --hash=sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c \ + # via requests +pbr==5.4.3 \ + --hash=sha256:2c8e420cd4ed4cec4e7999ee47409e876af575d4c35a45840d59e8b5f3155ab8 \ + --hash=sha256:b32c8ccaac7b1a20c0ce00ce317642e6cf231cf038f9875e0280e28af5bf7ac9 +pyyaml==5.1.2 \ + --hash=sha256:0113bc0ec2ad727182326b61326afa3d1d8280ae1122493553fd6f4397f33df9 \ + --hash=sha256:01adf0b6c6f61bd11af6e10ca52b7d4057dd0be0343eb9283c878cf3af56aee4 \ + --hash=sha256:5124373960b0b3f4aa7df1707e63e9f109b5263eca5976c66e08b1c552d4eaf8 \ + --hash=sha256:5ca4f10adbddae56d824b2c09668e91219bb178a1eee1faa56af6f99f11bf696 \ + --hash=sha256:7907be34ffa3c5a32b60b95f4d95ea25361c951383a894fec31be7252b2b6f34 \ + --hash=sha256:7ec9b2a4ed5cad025c2278a1e6a19c011c80a3caaac804fd2d329e9cc2c287c9 \ + --hash=sha256:87ae4c829bb25b9fe99cf71fbb2140c448f534e24c998cc60f39ae4f94396a73 \ + --hash=sha256:9de9919becc9cc2ff03637872a440195ac4241c80536632fffeb6a1e25a74299 \ + --hash=sha256:a5a85b10e450c66b49f98846937e8cfca1db3127a9d5d1e31ca45c3d0bef4c5b \ + --hash=sha256:b0997827b4f6a7c286c01c5f60384d218dca4ed7d9efa945c3e1aa623d5709ae \ + --hash=sha256:b631ef96d3222e62861443cc89d6563ba3eeb816eeb96b2629345ab795e53681 \ + --hash=sha256:bf47c0607522fdbca6c9e817a6e81b08491de50f3766a7a0e6a5be7905961b41 \ + --hash=sha256:f81025eddd0327c7d4cfe9b62cf33190e1e736cc6e97502b3ec425f574b3e7a8 +requests==2.22.0 \ + --hash=sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4 \ + --hash=sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31 +six==1.12.0 \ + --hash=sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c \ + --hash=sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73 \ + # via docker, stevedore, websocket-client +stevedore==1.31.0 \ + --hash=sha256:01d9f4beecf0fbd070ddb18e5efb10567801ba7ef3ddab0074f54e3cd4e91730 \ + --hash=sha256:e0739f9739a681c7a1fda76a102b65295e96a144ccdb552f2ae03c5f0abe8a14 +urllib3==1.25.6 \ + --hash=sha256:3de946ffbed6e6746608990594d08faac602528ac7015ac28d33cee6a45b7398 \ + --hash=sha256:9a107b99a5393caf59c7aa3c1249c16e6879447533d0887f4336dde834c7be86 \ + # via requests +websocket-client==0.56.0 \ + --hash=sha256:1151d5fb3a62dc129164292e1227655e4bbc5dd5340a5165dfae61128ec50aa9 \ + --hash=sha256:1fd5520878b68b84b5748bb30e592b10d0a91529d5383f74f4964e72b297fd3a \ + # via docker diff --git a/docs/releases/v1_0_0.md b/docs/releases/v1_0_0.md new file mode 100644 index 00000000..b4fd6ea5 --- /dev/null +++ b/docs/releases/v1_0_0.md @@ -0,0 +1,129 @@ +# Release 1.0.0 + +## Summary +This is Tern's first major release. Our CLI has changed since the last release to account for two added features: +* The ability to add custom report formats using plugins (`-f,--format` option) +* The ability to add tool extensions using plugins (`-x, --extend` option) + +We are still in alpha development mode, so the CLI might change in the future, in which case, expect another major release bump. + +Apart from the addition of the above two major features, we have also included some bug fixes that have greatly improved the stability and robustness of the tool. We have also modified the default report format such that it gives you package and license information at a glance, as well as information regarding the container image itself. We find this format to be useful as a first pass evaluation of the contents and "reasonableness" of the container image. + +We'd like to thank all those who contributed to this release, which is a significant milestone for the project. + +## New Features +* [Report format plugins](/docs/creating-custom-templates.md): This allows data collected by Tern to be formatted in a custom way such that the tool can accomodate any team's internal automation and auditing processes. +* [Extending container analysis with external tools](/docs/creating-tool-extensions.md): This allows Tern to leverage license and other scanning tools to scan filesystems in a container image rather than building such scanning from scratch. + +## Bug Fixes +* [Gracefully exit when an incorrect Python version is being used](https://github.com/vmware/tern/issues/362) +* [Fix incorrect reporting for filesystem where a package manager exists](https://github.com/vmware/tern/issues/362) +* [Extract tarballs where files are owned by root](https://github.com/vmware/tern/issues/433) +* [Workaround for Python tarfile not checking malicious tarballs](https://github.com/vmware/tern/issues/226) +* [Fix incorrect SPDX formatting for empty licenses](https://github.com/vmware/tern/issues/431) +* [Fix incorrect SPDX package download location](https://github.com/vmware/tern/issues/451) +* [Fix incorrect SPDX formatting for license reference](https://github.com/vmware/tern/issues/465) +* [Fix cleaning up after a keyboard interrupt](https://github.com/vmware/tern/issues/464) +* [Fix overwriting of notice messages in the cache](https://github.com/vmware/tern/issues/466) +* [Continue to analyze base image if Dockerfile build fails](https://github.com/vmware/tern/issues/450) +* [Gracefully exit if Docker is not installed or appropriately set up](https://github.com/vmware/tern/issues/207) +* [Remove hardcoded version string](https://github.com/vmware/tern/issues/432) + +## Resolved Technical Debt +* [Refactor for allowing other types of container images](https://github.com/vmware/tern/issues/212) +* [CLI updates](https://github.com/vmware/tern/issues/390) +* [Replaced broken DockerImage class unit test with a functional test](https://github.com/vmware/tern/issues/458) + +## Future Work +* We will be working on including file level metadata and support for language package managers. +* We will add a 'Dockerfile freeze' option that may be a new sub-command for the CLI. This is not a breaking change so the next release will be a minor bump. +* As usual, we will be refactoring code, addressing technical debt, and fixing bugs. + +We expect that due to the winter holidays (US), the next release will be a small one which may include a subset of the changes we are working on. Watch the [project roadmap](/docs/project-roadmap.md) for updates. + +## Changelog + +Note: This changelog will not include these release notes + +Changelog produced by command: `git log --pretty=format:"%h %s" 9d1cb9c..master` + +``` +692389b circleci: Remove auto deploy to PyPI +c9a0c83 merge: Documentation updates for Extensions +151222e docs: Added extensions to navigating the code doc +20cd677 docs: Update Contributing section in README +8606aed docs: Added link back to README in individual docs +80bf070 docs: Updates to architecture +1da1e75 docs: Updates to glossary +2e260d0 README: Added content for using tool extensions +8df8cf1 docs: Added creating extensions and data model +a041a8d docs: Update directions to activate venv +68cb125 docs: Update custom formats documentation +1edd813 extensions: Added initial scancode extension +a1ed695 tools: Fix imports for container_debug +edd8a0f Catch exceptions when docker is not set up +720142b docs: Fix lab tutorial formatting typo +568e18a docs: Add Strigo lab tutorial for Tern +bfde488 Soldier on if Dockerfile build fails +ecb225f Fix-up license summary for Dockerfile built images +e1d998e Fix soldiering on if Dockerfile build fails +8fa2f40 Fix info overwriting when retrieving from cache +7dae5bf merge: Create external tool extensions +332d22b analyze: docker: Refactor to reduce complexity +73c1cc2 extentions: Enable cve-bin-tool +8f67601 extensions: Add cve-bin-tool extension +3b3baf4 extensions: Added setup for extension plugins +1255eb1 Enable cli to use raw container image +32c95c6 Merge: Precautions against external interference +19cffcd spdx: Remove invalid characters from LicenseRef +4efcb12 cache: move cache file to dot folder +03a7f6d tools: switch debug directory to hidden folder +6c8e581 Move working directory into hidden dot folder +ff535dc Safely unmount on keyboard interrupt +bd1f238 merge: Refactor docker image analysis to new module +e8ef5fb Refactor: deprecate tern/helpers folder +d62187d Refactor docker-specific analysis to new module +eefd676 docs: Update references in navigating-the-code.md +ae49494 Report package information by layer +7c3bbf2 Add analyzed_output property +4138384 Set PackageDownloadLocation as NOASSERTION +0d23324 ci: Replace unit test for DockerImage class +4d72f5e Create default report plugin and deprecate verbose +05a6689 Add files_analyzed property to ImageLayer +3dbde96 report: Add external tool passthrough +8fbc300 report: Add missing copyright and license header +98737a8 CLI: update command line 'report' options +0271b9d cli: Update "report" help info to be more useful +608705a Check tarballs before extracting +026e0a7 spdx: Handle reporting for empty license metadata +c095b73 merge: Untar tarballs files with root permissions +0e307ac utils: Added extra checks for extracting archives +551ec3c Extract tarballs in Ubuntu:14.04 +871af9d Allow Tern to pull by digest +12b306f Check for binary after base image layer is mounted +864a00e docs: Updates based on current project status +ffb851d Refactor analyze_docker_image +3c5e2a2 fix: Remove hardcoded version string +3217fe6 ci/cd: Stop prospector errors for imports +79adc2f docs: update README to call yaml report correctly +a90bc66 Dockerfile: install tern using pip +f2e5888 requirements: Add stevedore +a46939b Wrap python2.7 error message +b853635 docs: Update README to call json report correctly +e596ff9 Separate YAML formatting into its own plugin +1a69aef Separate json formatting into its own plugin +9ce1d94 Remove dev-requirements.txt and redundancy in circleci +bf8d62d release: Modify deployment steps +``` + +## Contributors + +``` +PrajwalM2212 prajwalmmath@gmail.com +Manaswini Das dasmanaswini10@gmail.com +``` + +## Contact the Maintainers + +Nisha Kumar: nishak@vmware.com +Rose Judge: rjudge@vmware.com diff --git a/requirements.in b/requirements.in index bc393598..c82795b3 100644 --- a/requirements.in +++ b/requirements.in @@ -9,3 +9,5 @@ PyYAML docker requests +stevedore +pbr diff --git a/requirements.txt b/requirements.txt index 69cb9a5b..0b2809ae 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,7 +7,7 @@ # what should be updated. PyYAML>=5.1 -docker~=4.0 +docker~=4.1 requests~=2.22 -stevedore>=1.30 +stevedore>=1.31 pbr>=5.4