From 19c7e513f77312a93e0ede7ee0814f7bf89b21d8 Mon Sep 17 00:00:00 2001
From: Rose Judge
Date: Tue, 28 Sep 2021 14:55:15 -0700
Subject: [PATCH] Prepare for Release 2.8.0
- Added release notes and freeze file
- Bumped the dependency versions
- Updated the README with the new Release number
Signed-off-by: Rose Judge
---
 README.md | 16 +--
 docs/releases/v2_8_0-requirements.txt | 169 ++++++++++++++++++++++++++
 docs/releases/v2_8_0.md | 60 +++++++++
 requirements.in | 1 +
 requirements.txt | 12 +-
 5 files changed, 240 insertions(+), 18 deletions(-)
 create mode 100644 docs/releases/v2_8_0-requirements.txt
 create mode 100644 docs/releases/v2_8_0.md
diff --git a/README.md b/README.md
index fe8136d8..e9180d04 100644
--- a/README.md
+++ b/README.md
@@ -320,25 +320,17 @@ $ python tests/.py
 ```
 ## Project Status
-Release 2.7.0 is out! See the [release notes](docs/releases/v2_7_0.md) for more information.
+Release 2.8.0 is out! See the [release notes](docs/releases/v2_8_0.md) for more information.
-We try to keep the [project roadmap](./docs/project-roadmap.md) as up to date as possible. We are currently working on Release 2.8.0.
+We try to keep the [project roadmap](./docs/project-roadmap.md) as up to date as possible. We are currently working on Release 2.9.0.
-## Previous Releases
+## Recent Past Releases
 Be advised: version 2.4.0 and below contain a high-severity security vulnerability (CVE-2021-28363). Please update to version 2.5.0 or later.
+* [v2.7.0](docs/releases/v2_7_0.md)
 * [v2.6.1](docs/releases/v2_6_1.md)
 * [v2.5.0](docs/releases/v2_5_0.md)
 * [v2.4.0](docs/releases/v2_4_0.md)
 * [v2.3.0](docs/releases/v2_3_0.md)
-* [v2.2.0](docs/releases/v2_2_0.md)
-* [v2.1.0](docs/releases/v2_1_0.md)
-* [v2.0.0](docs/releases/v2_0_0.md)
-* [v1.0.1](docs/releases/v1_0_1.md)
-* [v0.5.4](docs/releases/v0_5_4.md)
-* [v0.4.0](docs/releases/v0_4_0.md)
-* [v0.3.0](docs/releases/v0_3_0.md)
-* [v0.2.0](docs/releases/v0_2_0.md)
-* [v0.1.0](docs/releases/v0_1_0.md)
 ## Documentation
 Architecture, function blocks, code descriptions and the project roadmap are located in the docs folder. Contributions to the documentation are welcome! See the [contributing guide](/CONTRIBUTING.md) to find out how to submit changes.
diff --git a/docs/releases/v2_8_0-requirements.txt b/docs/releases/v2_8_0-requirements.txt
new file mode 100644
index 00000000..06f55481
--- /dev/null
+++ b/docs/releases/v2_8_0-requirements.txt
@@ -0,0 +1,169 @@ +# +# This file is autogenerated by pip-compile with python 3.8 +# To update, run: +# +# pip-compile --generate-hashes --output-file=v2_8_0-requirements.txt +# +attrs==21.2.0 \ + --hash=sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1 \ + --hash=sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb + # via debian-inspector +certifi==2021.5.30 \ + --hash=sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee \ + --hash=sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8 + # via requests +chardet==4.0.0 \ + --hash=sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa \ + --hash=sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5 + # via debian-inspector +charset-normalizer==2.0.6 \ + --hash=sha256:5d209c0a931f215cee683b6445e2d77677e7e75e159f78def0db09d68fafcaa6 \ + --hash=sha256:5ec46d183433dcbd0ab716f2d7f29d8dee50505b3fdb40c6b985c7c4f5a3591f + # via requests +debian-inspector==30.0.0 \ + --hash=sha256:d0f4f9b13e9a75aaa0610b568e4b35db2b34cf50b79f5d7a69e25a10a47f5b18 \ + --hash=sha256:f6b706be9c8087521fdd0226c92433f2405182cb16949fe3455805754e19b6ef + # via -r requirements.in +docker==5.0.2 \ + --hash=sha256:21ec4998e90dff7a7aaaa098ca8d839c7de412b89e6f6c30908372d58fecf663 \ + --hash=sha256:9b17f0723d83c1f3418d2aa17bf90b24dbe97deda06208dd4262fa30a6ee87eb + # via -r requirements.in +dockerfile-parse==1.2.0 \ + --hash=sha256:07e65eec313978e877da819855870b3ae47f3fac94a40a965b9ede10484dacc5 \ + --hash=sha256:c3fc8f491e1af8cb5f9e23ea6437a2913467b88a4be143095f150330b090be7e + # via -r requirements.in +gitdb==4.0.7 \ + --hash=sha256:6c4cc71933456991da20917998acbe6cf4fb41eeaab7d6d67fbc05ecd4c865b0 \ + --hash=sha256:96bf5c08b157a666fec41129e6d327235284cca4c81e92109260f353ba138005 + # via gitpython +gitpython==3.1.24 \ + --hash=sha256:dc0a7f2f697657acc8d7f89033e8b1ea94dd90356b2983bca89dc8d2ab3cc647 \ + 
--hash=sha256:df83fdf5e684fef7c6ee2c02fc68a5ceb7e7e759d08b694088d0cacb4eba59e5 + # via -r requirements.in +idna==3.2 \ + --hash=sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a \ + --hash=sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3 + # via requests +packageurl-python==0.9.4 \ + --hash=sha256:65f1eade0f3f412bdc77401e76725e9fc21d0c742ba0f2d066113cb19ccd8b61 \ + --hash=sha256:bd0e829260baff12055c47e1898e0f4014469d09bdb380ddcb102b5d2392fb56 + # via -r requirements.in +pbr==5.6.0 \ + --hash=sha256:42df03e7797b796625b1029c0400279c7c34fd7df24a7d7818a1abb5b38710dd \ + --hash=sha256:c68c661ac5cc81058ac94247278eeda6d2e6aecb3e227b0387c30d277e7ef8d4 + # via + # -r requirements.in + # stevedore +prettytable==2.2.1 \ + --hash=sha256:09fb2c7f93e4f93e0235f05ae199ac3f16da3a251b2cfa1c7108b34ede298fa3 \ + --hash=sha256:6d465005573a5c058d4ca343449a5b28c21252b86afcdfa168cdc6a440f0b24c + # via -r requirements.in +pyyaml==5.4.1 \ + --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \ + --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \ + --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \ + --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \ + --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \ + --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \ + --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \ + --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \ + --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \ + --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \ + --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \ + --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \ + 
--hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \ + --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \ + --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \ + --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \ + --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \ + --hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \ + --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \ + --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \ + --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \ + --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \ + --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \ + --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \ + --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \ + --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \ + --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \ + --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \ + --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0 + # via -r requirements.in +regex==2021.9.24 \ + --hash=sha256:0628ed7d6334e8f896f882a5c1240de8c4d9b0dd7c7fb8e9f4692f5684b7d656 \ + --hash=sha256:09eb62654030f39f3ba46bc6726bea464069c29d00a9709e28c9ee9623a8da4a \ + --hash=sha256:0bba1f6df4eafe79db2ecf38835c2626dbd47911e0516f6962c806f83e7a99ae \ + --hash=sha256:10a7a9cbe30bd90b7d9a1b4749ef20e13a3528e4215a2852be35784b6bd070f0 \ + --hash=sha256:17310b181902e0bb42b29c700e2c2346b8d81f26e900b1328f642e225c88bce1 \ + --hash=sha256:1e8d1898d4fb817120a5f684363b30108d7b0b46c7261264b100d14ec90a70e7 \ + 
--hash=sha256:2054dea683f1bda3a804fcfdb0c1c74821acb968093d0be16233873190d459e3 \ + --hash=sha256:29385c4dbb3f8b3a55ce13de6a97a3d21bd00de66acd7cdfc0b49cb2f08c906c \ + --hash=sha256:295bc8a13554a25ad31e44c4bedabd3c3e28bba027e4feeb9bb157647a2344a7 \ + --hash=sha256:2cdb3789736f91d0b3333ac54d12a7e4f9efbc98f53cb905d3496259a893a8b3 \ + --hash=sha256:3baf3eaa41044d4ced2463fd5d23bf7bd4b03d68739c6c99a59ce1f95599a673 \ + --hash=sha256:4e61100200fa6ab7c99b61476f9f9653962ae71b931391d0264acfb4d9527d9c \ + --hash=sha256:6266fde576e12357b25096351aac2b4b880b0066263e7bc7a9a1b4307991bb0e \ + --hash=sha256:650c4f1fc4273f4e783e1d8e8b51a3e2311c2488ba0fcae6425b1e2c248a189d \ + --hash=sha256:658e3477676009083422042c4bac2bdad77b696e932a3de001c42cc046f8eda2 \ + --hash=sha256:6adc1bd68f81968c9d249aab8c09cdc2cbe384bf2d2cb7f190f56875000cdc72 \ + --hash=sha256:6c4d83d21d23dd854ffbc8154cf293f4e43ba630aa9bd2539c899343d7f59da3 \ + --hash=sha256:6f74b6d8f59f3cfb8237e25c532b11f794b96f5c89a6f4a25857d85f84fbef11 \ + --hash=sha256:7783d89bd5413d183a38761fbc68279b984b9afcfbb39fa89d91f63763fbfb90 \ + --hash=sha256:7e3536f305f42ad6d31fc86636c54c7dafce8d634e56fef790fbacb59d499dd5 \ + --hash=sha256:821e10b73e0898544807a0692a276e539e5bafe0a055506a6882814b6a02c3ec \ + --hash=sha256:835962f432bce92dc9bf22903d46c50003c8d11b1dc64084c8fae63bca98564a \ + --hash=sha256:85c61bee5957e2d7be390392feac7e1d7abd3a49cbaed0c8cee1541b784c8561 \ + --hash=sha256:86f9931eb92e521809d4b64ec8514f18faa8e11e97d6c2d1afa1bcf6c20a8eab \ + --hash=sha256:8a5c2250c0a74428fd5507ae8853706fdde0f23bfb62ee1ec9418eeacf216078 \ + --hash=sha256:8aec4b4da165c4a64ea80443c16e49e3b15df0f56c124ac5f2f8708a65a0eddc \ + --hash=sha256:8c268e78d175798cd71d29114b0a1f1391c7d011995267d3b62319ec1a4ecaa1 \ + --hash=sha256:8d80087320632457aefc73f686f66139801959bf5b066b4419b92be85be3543c \ + --hash=sha256:95e89a8558c8c48626dcffdf9c8abac26b7c251d352688e7ab9baf351e1c7da6 \ + --hash=sha256:9c371dd326289d85906c27ec2bc1dcdedd9d0be12b543d16e37bad35754bde48 \ + 
--hash=sha256:9c7cb25adba814d5f419733fe565f3289d6fa629ab9e0b78f6dff5fa94ab0456 \ + --hash=sha256:a731552729ee8ae9c546fb1c651c97bf5f759018fdd40d0e9b4d129e1e3a44c8 \ + --hash=sha256:aea4006b73b555fc5bdb650a8b92cf486d678afa168cf9b38402bb60bf0f9c18 \ + --hash=sha256:b0e3f59d3c772f2c3baaef2db425e6fc4149d35a052d874bb95ccfca10a1b9f4 \ + --hash=sha256:b15dc34273aefe522df25096d5d087abc626e388a28a28ac75a4404bb7668736 \ + --hash=sha256:c000635fd78400a558bd7a3c2981bb2a430005ebaa909d31e6e300719739a949 \ + --hash=sha256:c31f35a984caffb75f00a86852951a337540b44e4a22171354fb760cefa09346 \ + --hash=sha256:c50a6379763c733562b1fee877372234d271e5c78cd13ade5f25978aa06744db \ + --hash=sha256:c94722bf403b8da744b7d0bb87e1f2529383003ceec92e754f768ef9323f69ad \ + --hash=sha256:dcbbc9cfa147d55a577d285fd479b43103188855074552708df7acc31a476dd9 \ + --hash=sha256:fb9f5844db480e2ef9fce3a72e71122dd010ab7b2920f777966ba25f7eb63819 + # via -r requirements.in +requests==2.26.0 \ + --hash=sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24 \ + --hash=sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7 + # via + # -r requirements.in + # docker +six==1.16.0 \ + --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ + --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 + # via dockerfile-parse +smmap==4.0.0 \ + --hash=sha256:7e65386bd122d45405ddf795637b7f7d2b532e7e401d46bbe3fb49b9986d5182 \ + --hash=sha256:a9a7479e4c572e2e775c404dcd3080c8dc49f39918c2cf74913d30c4c478e3c2 + # via gitdb +stevedore==3.4.0 \ + --hash=sha256:59b58edb7f57b11897f150475e7bc0c39c5381f0b8e3fa9f5c20ce6c89ec4aa1 \ + --hash=sha256:920ce6259f0b2498aaa4545989536a27e4e4607b8318802d7ddc3a533d3d069e + # via -r requirements.in +typing-extensions==3.10.0.2 \ + --hash=sha256:49f75d16ff11f1cd258e1b988ccff82a3ca5570217d7ad8c5f48205dd99a677e \ + --hash=sha256:d8226d10bc02a29bcc81df19a26e56a9647f8b0a6d4a83924139f4a8b01f17b7 \ + 
--hash=sha256:f1d25edafde516b146ecd0613dabcc61409817af4766fbbcfb8d1ad4ec441a34 + # via gitpython +urllib3==1.26.7 \ + --hash=sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece \ + --hash=sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844 + # via requests +wcwidth==0.2.5 \ + --hash=sha256:beb4802a9cebb9144e99086eff703a642a13d6a0052920003a230f3294bbe784 \ + --hash=sha256:c4d647b99872929fdb7bdcaa4fbe7f01413ed3d98077df798530e5b04f116c83 + # via prettytable +websocket-client==1.2.1 \ + --hash=sha256:0133d2f784858e59959ce82ddac316634229da55b498aac311f1620567a710ec \ + --hash=sha256:8dfb715d8a992f5712fff8c843adae94e22b22a99b2c5e6b0ec4a1a981cc4e0d + # via docker diff --git a/docs/releases/v2_8_0.md b/docs/releases/v2_8_0.md new file mode 100644 index 00000000..f7ad3cf2 --- /dev/null +++ b/docs/releases/v2_8_0.md 
@@ -0,0 +1,60 @@
+# Release 2.8.0
+
+## Summary
+This release contains a new feature and several bug fixes. Tern now supports a CycloneDX JSON reporting format. This capability now gives users the option between two SBOM standards for output reports -- SPDX or CycloneDX. There were several Scancode related fixes that were resolved in this release. Additionally, a fix for the situation where Tern was yielding different results with the `-c` and `-r` command line options, which in theory should produce the same results. Lastly, six new contributors were a part of this release, many of whom were completely new to open source.
+
+## New Features
+* [Add CycloneDX JSON Format](https://github.com/tern-tools/tern/issues/987): Tern can now generate [CycloneDX](https://cyclonedx.org/) JSON reports.
+
+## Bug Fixes
+* [Duplicate scancode files being reported when cache is empty](https://github.com/tern-tools/tern/issues/1000)
+* [Running Tern with -r and -c gives different results](https://github.com/tern-tools/tern/issues/999)
+* [Add pkg_format values for missing package managers in base.yml](https://github.com/tern-tools/tern/issues/994)
+* [Remove `/` from image SPDX Identifier Reference](https://github.com/tern-tools/tern/commit/f5eb1abdbc637005bbfb429127b056876c2d52c8)
+
+## Future Work
+* Enable Tern to run without root privileges
+
+## Changelog
+Note: This changelog will not include these release notes
+
+Changelog generated by command: `git log --pretty=format:"%h %s" v2.7.0..main`
+
+```
+5927427 Cleanup unecessary files
+b32745e Add cyclonedxjson to help menu
+c90cf6e Fix: duplicate scancode files being reported
+6a2abfe Add Maintainer and Governance Info
+5dbb44b Update docs around getting started in VS Code
+2186c1a Suppress some pylint warnings
+6855f1e Force prospector version 1.5.1 to be installed
+dfc84d5 fix: Pass the redo flag to the executor
+f5eb1ab Remove `/` from image SPDX Identifier Reference
+4c4b2a8 Prospector 1.4.1 fixes
+9bbb5dd Add CycloneDX JSON output support
+a0c08ba Fix: Ignore newlines in os_release file
+75bd6ac Explain commit message guidelines better
+4719f62 Fix duplicate line in Dockerfile.scancode
+e1ba6a5 formats: Add spdxjson consumer
+3dce966 Remove requirements.scancode.txt
+c6d26fa Add pkg_format values to base.yml
+c8817fd Identify Distroless version in os-release file
+fc4a876 Added test for the pkg_format property
+2828ec7 Created a functional test suite for releases
+0fd02ec Deprecate run_on_image()
+```
+
+## Contributors
+```
+Daneshwari K. kankanwadidaneshwari55555@gmail.com
+Jamila Ritter jamila.ritter@rutgers.edu
+Kerin Pithawala kerinpithawala7@gmail.com
+Patrick Dwyer patrick.dwyer@owasp.org
+Sayantani Saha ii.sayantani.ii@gmail.com
+Trang trangology@gmail.com
+```
+
+## Contact the Maintainers
+
+Nisha Kumar: nishak@vmware.com
+Rose Judge: rjudge@vmware.com
diff --git a/requirements.in b/requirements.in
index b26a3618..d98e653d 100644
--- a/requirements.in
+++ b/requirements.in
@@ -16,3 +16,4 @@ debian-inspector
 regex
 GitPython
 prettytable
+packageurl-python
diff --git a/requirements.txt b/requirements.txt
index 2eee4954..05ddb008 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,11 +9,11 @@ PyYAML>=5.4
 docker~=5.0
 dockerfile-parse~=1.2
-requests~=2.25
-stevedore>=3.3
+requests~=2.26
+stevedore>=3.4
 pbr>=5.6
-debian-inspector>=21.5
-regex>=2021.7
+debian-inspector>=30.0
+regex>=2021.9
 GitPython~=3.1
-prettytable~=2.1
-packageurl-python>=0.9.4
\ No newline at end of file
+prettytable~=2.2
+packageurl-python>=0.9.4
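Review bot: `packageurl-python` is added to requirements.in with no version floor, while the requirements.txt hunk that follows keeps `packageurl-python>=0.9.4`, so the two dependency specifications now state different constraints for the same package. If requirements.in is the pip-compile input (the new freeze file's `# via -r requirements.in` lines suggest it is), a future re-freeze could legitimately resolve a release that requirements.txt would reject, and the hashed freeze and the loose install spec would then disagree about what a supported install is. The neighbouring entries in this hunk (regex, GitPython, prettytable) are equally unbounded, so this is the file's existing convention rather than a defect of the new line alone. Consider `packageurl-python>=0.9.4` here, or a one-line comment at the top of requirements.in noting that version floors live in requirements.txt and the two files must be kept in step.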