Release 2.10.0

Summary

The long-awaited "Beta" release for Tern is now available! This release is the usual mix of new features, bug fixes and technical debt cleanup. Specifically, this release adds several enhancements that enable Tern to run as a job on Kubernetes. Source package information is also now available in SPDX reports, which enables SPDX document consumers to look up CVE information for rpm and deb based package managers using the Tern report. Additionally, Tern now collects Scancode extension information in conjunction with Tern's default metadata collection method. Previously, these two collection methods operated independently, which led to inconsistent report output. Special thanks to our users for opening bugs that helped drive a significant number of bug fixes in this release.

New Features

  • Add instructions for Kubernetes Job: Now that Tern uses skopeo to pull container images, it can be run as a job on Kubernetes using volume mounts with minikube.
  • Add option to use custom log file: This new CLI option lets users direct the Tern log file to the mount directory when running Tern with minikube, instead of leaving it in the container. Use tern -l <absolute_path_to_log_file> to redirect the log file.
  • Add source package info to SPDX reports: Source package information is now available in the SPDX report formats when source package metadata is available (currently for rpm and dpkg based package managers). It is reported on a per-layer basis for binary package objects that contain corresponding source package information. To represent the source information, the source package is presented as its own package element and described using a GENERATED_FROM relationship with the corresponding binary package. This new feature makes it easier for SPDX document consumers to look up CVE information for rpm and dpkg package managers, which currently report CVE information by source package.
  • Collect extension and default metadata together: Previously, if no cache file existed and you ran Tern with an extension like Scancode, the output report would only include Scancode extension information. This feature changes Tern's behavior to report default Tern package metadata in addition to extension information, as this is what users expected. It also means Tern now produces consistent results regardless of whether a cache file exists.
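How a report consumer could use the GENERATED_FROM relationship described above to pick the package name for a CVE lookup, as an added example that is not Tern's own code. The SPDX document is a constructed sample, `cve_lookup_keys` is a hypothetical helper, and the relationship direction (binary as `spdxElementId`, source as `relatedSpdxElement`) is assumed from the SPDX 2.2 definition of GENERATED_FROM.

```python
import json

# Constructed sample: a minimal SPDX 2.2 JSON fragment, not real Tern output.
SAMPLE_SPDX = json.loads("""
{
  "packages": [
    {"SPDXID": "SPDXRef-libssl1.1-1.1.1n", "name": "libssl1.1", "versionInfo": "1.1.1n-0+deb11u3"},
    {"SPDXID": "SPDXRef-openssl-src-1.1.1n", "name": "openssl", "versionInfo": "1.1.1n-0+deb11u3"},
    {"SPDXID": "SPDXRef-bash-5.1", "name": "bash", "versionInfo": "5.1-2+deb11u1"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-libssl1.1-1.1.1n", "relationshipType": "GENERATED_FROM",
     "relatedSpdxElement": "SPDXRef-openssl-src-1.1.1n"},
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-bash-5.1"},
    {"spdxElementId": "SPDXRef-bash-5.1", "relationshipType": "GENERATED_FROM",
     "relatedSpdxElement": "SPDXRef-missing"}
  ]
}
""")


def cve_lookup_keys(doc):
    """Map each binary package SPDXID to (name, version, resolved_from_source)."""
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    # Assumption: spdxElementId is the binary, relatedSpdxElement is its source.
    source_of = {}
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "GENERATED_FROM":
            source_of[rel["spdxElementId"]] = rel["relatedSpdxElement"]
    source_ids = set(source_of.values())
    keys = {}
    for spdxid, pkg in packages.items():
        if spdxid in source_ids:
            continue  # source elements are lookup targets, not installed packages
        src = packages.get(source_of.get(spdxid))
        # Dangling or absent source reference: fall back to the binary's own name.
        chosen = src if src is not None else pkg
        keys[spdxid] = (chosen["name"], chosen.get("versionInfo"), src is not None)
    return keys


if __name__ == "__main__":
    for spdxid, key in cve_lookup_keys(SAMPLE_SPDX).items():
        print(spdxid, "->", key)
```

The third element of each tuple flags packages that had to fall back to the binary name, which are the ones a source-keyed CVE feed may miss.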

Bug Fixes

Technical Debt

Future Work

Changelog

Note: This changelog will not include these release notes

Changelog generated by command: git log --pretty=format:"%h %s" v2.9.1..HEAD

bee4ce5 Fix logic error in binary detection
dd8a062 Correction of the purl generation for apk package
a04208f Correctly lowercase purl package names
1a98be4 Update SPDX-2.1 references to SPDX-2.2
bebfe62 Update Scancode Python supported versions
3f00f8c Remove underscores from SPDXIDs
ad2b711 Remove community meeting info
ccf8f67 Make licenses data OWASP compatible
cdc6732 Modification of package format for pip
3f68e3c Do not add selinux xattrs to file data
ba56a93 linting: Rename pep8 and pep257
8bdd2bc Collect extension and default metadata together
e9a08bf Cleanup technical debt for multi layer analysis
08add04 Deprecate `run_extension` function
30296ac Collect extension and Tern metadata per layer
ec5f663 Allow explicitly turning off src-tls-verify
1d9f547 debug: Fix argument name and provide driver
c88d542 Collect package information for SLES based images
409a272 Add source package info to SPDX reports
27841f2 Add source package info to SPDX JSON report
140cea8 Add source package info to SPDX Tag Value report
63f6bf5 Add SPDX TV source comment and relationship type
8b77faa Add source package mapping to SPDX format
f468c1d Add instructions for Kubernetes Job
275e03b Enable packages installed by python3 -m pip
5bcc5c4 Handle unknown/unsupported extension
711014b Add sample SBOM output to the repo
8c6115d Add option to use custom log file
95a54ac Install skopeo in Dockerfile.scancode

Contributors

Ivana Atanasova
Kentaro Yamamoto
Thiéfaine Mercier
Marc-Etienne Vargenau

Contact the Maintainers

Nisha Kumar
Rose Judge