Prep for Release 2.5.0

- Added release notes and freeze file.
- Updated the README with the new Release number and changed the list
  of releases to Previous Releases.
- Updated project roadmap.
- Bumped the dependency versions which addressed CVE-2021-28363.

Signed-off-by: Rose Judge <rjudge@vmware.com>

README.md

@@ -297,11 +297,13 @@ $ python tests/<test file>.py
 ```
 
 ## Project Status<a name="project-status"/>
-Release 2.4.0 is out! See the [release notes](docs/releases/v2_4_0.md) for more information.
+Release 2.5.0 is out! See the [release notes](docs/releases/v2_5_0.md) for more information.
 
 We try to keep the [project roadmap](./docs/project-roadmap.md) as up to date as possible. We are currently working on Release 3.0.0.
 
 ## Previous Releases
+Be advised: version 2.4.0 and below contain a high-severity security vulnerability (CVE-2021-28363). Please update to version 2.5.0
+* [v2.4.0](docs/releases/v2_4_0.md)
 * [v2.3.0](docs/releases/v2_3_0.md)
 * [v2.2.0](docs/releases/v2_2_0.md)
 * [v2.1.0](docs/releases/v2_1_0.md)

docs/project-roadmap.md

@@ -1,14 +1,13 @@
 # Project Road Map
 
 ## 2021
-We are getting very close to a beta release. Our beta release is targeted for the March-April timeframe.
+We are getting very close to a beta release. Our beta release is targeted for the summer timeframe.
 
 Our goal is to meet these requirements by the end of the year.
 - We are working towards enabling "live" analysis for a container. The idea is that if Tern could generate an SBoM at build time, the SBoM would then be available to package and distribute with the container image without the need for post scanning.
-- We are very close to enabling inventory for a single container layer which will be available in the next 3.0.0 release.
+- We are very close to enabling inventory for a single container layer which will be available in the next 2.5.0 release.
 - We will continue investigating how we can run Tern without root privileges.
 - We want to enable Tern to pull image digests and images using registry HTTP(s) APIs so that we can pull images from registries other than Dockerhub.
-- Enable analysis for OCI images.
 - Create a database backend with an associated API. We are hoping to have a GSoC intern help us tackle this issue.
 - Enable inventory of a Distroless image using some sort of custom script.
 

docs/releases/v2_5_0-requirements.txt

@@ -0,0 +1,166 @@
+#
+# This file is autogenerated by pip-compile
+# To update, run:
+#
+#    pip-compile --generate-hashes --output-file=v2_5_0-requirements.txt
+#
+attrs==20.3.0 \
+    --hash=sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6 \
+    --hash=sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700
+    # via debut
+certifi==2020.12.5 \
+    --hash=sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c \
+    --hash=sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830
+    # via requests
+chardet==4.0.0 \
+    --hash=sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa \
+    --hash=sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5
+    # via
+    #   debut
+    #   requests
+debut==0.9.9 \
+    --hash=sha256:3cc75b01fbdf553376d566027d54af4c957844cf4fc2456a426e658ea7b68588 \
+    --hash=sha256:a3a71e475295f4cf4292440c9c7303ebca0309d395536d2a7f86a5f4d7465dc1
+    # via -r requirements.in
+docker==4.4.4 \
+    --hash=sha256:d3393c878f575d3a9ca3b94471a3c89a6d960b35feb92f033c0de36cc9d934db \
+    --hash=sha256:f3607d5695be025fa405a12aca2e5df702a57db63790c73b927eb6a94aac60af
+    # via -r requirements.in
+dockerfile-parse==1.1.0 \
+    --hash=sha256:80ea4b88694ab014001e39e62335aa2f4feb695b80de751377e994a344fa5952 \
+    --hash=sha256:f37bfa327fada7fad6833aebfaac4a3aaf705e4cf813b737175feded306109e8
+    # via -r requirements.in
+gitdb==4.0.5 \
+    --hash=sha256:91f36bfb1ab7949b3b40e23736db18231bf7593edada2ba5c3a174a7b23657ac \
+    --hash=sha256:c9e1f2d0db7ddb9a704c2a0217be31214e91a4fe1dea1efad19ae42ba0c285c9
+    # via gitpython
+gitpython==3.1.14 \
+    --hash=sha256:3283ae2fba31c913d857e12e5ba5f9a7772bbc064ae2bb09efafa71b0dd4939b \
+    --hash=sha256:be27633e7509e58391f10207cd32b2a6cf5b908f92d9cd30da2e514e1137af61
+    # via -r requirements.in
+idna==2.10 \
+    --hash=sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6 \
+    --hash=sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0
+    # via requests
+importlib-metadata==3.7.3 \
+    --hash=sha256:742add720a20d0467df2f444ae41704000f50e1234f46174b51f9c6031a1bd71 \
+    --hash=sha256:b74159469b464a99cb8cc3e21973e4d96e05d3024d337313fedb618a6e86e6f4
+    # via stevedore
+pbr==5.5.1 \
+    --hash=sha256:5fad80b613c402d5b7df7bd84812548b2a61e9977387a80a5fc5c396492b13c9 \
+    --hash=sha256:b236cde0ac9a6aedd5e3c34517b423cd4fd97ef723849da6b0d2231142d89c00
+    # via
+    #   -r requirements.in
+    #   stevedore
+pyyaml==5.4.1 \
+    --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \
+    --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \
+    --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \
+    --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \
+    --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \
+    --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \
+    --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \
+    --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \
+    --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \
+    --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \
+    --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \
+    --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \
+    --hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \
+    --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \
+    --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \
+    --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \
+    --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \
+    --hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \
+    --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \
+    --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \
+    --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \
+    --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \
+    --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \
+    --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \
+    --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \
+    --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \
+    --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \
+    --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \
+    --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0
+    # via -r requirements.in
+regex==2021.3.17 \
+    --hash=sha256:07ef35301b4484bce843831e7039a84e19d8d33b3f8b2f9aab86c376813d0139 \
+    --hash=sha256:13f50969028e81765ed2a1c5fcfdc246c245cf8d47986d5172e82ab1a0c42ee5 \
+    --hash=sha256:14de88eda0976020528efc92d0a1f8830e2fb0de2ae6005a6fc4e062553031fa \
+    --hash=sha256:159fac1a4731409c830d32913f13f68346d6b8e39650ed5d704a9ce2f9ef9cb3 \
+    --hash=sha256:18e25e0afe1cf0f62781a150c1454b2113785401ba285c745acf10c8ca8917df \
+    --hash=sha256:201e2619a77b21a7780580ab7b5ce43835e242d3e20fef50f66a8df0542e437f \
+    --hash=sha256:360a01b5fa2ad35b3113ae0c07fb544ad180603fa3b1f074f52d98c1096fa15e \
+    --hash=sha256:39c44532d0e4f1639a89e52355b949573e1e2c5116106a395642cbbae0ff9bcd \
+    --hash=sha256:3d9356add82cff75413bec360c1eca3e58db4a9f5dafa1f19650958a81e3249d \
+    --hash=sha256:3d9a7e215e02bd7646a91fb8bcba30bc55fd42a719d6b35cf80e5bae31d9134e \
+    --hash=sha256:4651f839dbde0816798e698626af6a2469eee6d9964824bb5386091255a1694f \
+    --hash=sha256:486a5f8e11e1f5bbfcad87f7c7745eb14796642323e7e1829a331f87a713daaa \
+    --hash=sha256:4b8a1fb724904139149a43e172850f35aa6ea97fb0545244dc0b805e0154ed68 \
+    --hash=sha256:4c0788010a93ace8a174d73e7c6c9d3e6e3b7ad99a453c8ee8c975ddd9965643 \
+    --hash=sha256:4c2e364491406b7888c2ad4428245fc56c327e34a5dfe58fd40df272b3c3dab3 \
+    --hash=sha256:575a832e09d237ae5fedb825a7a5bc6a116090dd57d6417d4f3b75121c73e3be \
+    --hash=sha256:5770a51180d85ea468234bc7987f5597803a4c3d7463e7323322fe4a1b181578 \
+    --hash=sha256:633497504e2a485a70a3268d4fc403fe3063a50a50eed1039083e9471ad0101c \
+    --hash=sha256:63f3ca8451e5ff7133ffbec9eda641aeab2001be1a01878990f6c87e3c44b9d5 \
+    --hash=sha256:709f65bb2fa9825f09892617d01246002097f8f9b6dde8d1bb4083cf554701ba \
+    --hash=sha256:808404898e9a765e4058bf3d7607d0629000e0a14a6782ccbb089296b76fa8fe \
+    --hash=sha256:882f53afe31ef0425b405a3f601c0009b44206ea7f55ee1c606aad3cc213a52c \
+    --hash=sha256:8bd4f91f3fb1c9b1380d6894bd5b4a519409135bec14c0c80151e58394a4e88a \
+    --hash=sha256:8e65e3e4c6feadf6770e2ad89ad3deb524bcb03d8dc679f381d0568c024e0deb \
+    --hash=sha256:976a54d44fd043d958a69b18705a910a8376196c6b6ee5f2596ffc11bff4420d \
+    --hash=sha256:a0d04128e005142260de3733591ddf476e4902c0c23c1af237d9acf3c96e1b38 \
+    --hash=sha256:a0df9a0ad2aad49ea3c7f65edd2ffb3d5c59589b85992a6006354f6fb109bb18 \
+    --hash=sha256:a2ee026f4156789df8644d23ef423e6194fad0bc53575534101bb1de5d67e8ce \
+    --hash=sha256:a59a2ee329b3de764b21495d78c92ab00b4ea79acef0f7ae8c1067f773570afa \
+    --hash=sha256:b97ec5d299c10d96617cc851b2e0f81ba5d9d6248413cd374ef7f3a8871ee4a6 \
+    --hash=sha256:b98bc9db003f1079caf07b610377ed1ac2e2c11acc2bea4892e28cc5b509d8d5 \
+    --hash=sha256:b9d8d286c53fe0cbc6d20bf3d583cabcd1499d89034524e3b94c93a5ab85ca90 \
+    --hash=sha256:bcd945175c29a672f13fce13a11893556cd440e37c1b643d6eeab1988c8b209c \
+    --hash=sha256:c66221e947d7207457f8b6f42b12f613b09efa9669f65a587a2a71f6a0e4d106 \
+    --hash=sha256:c782da0e45aff131f0bed6e66fbcfa589ff2862fc719b83a88640daa01a5aff7 \
+    --hash=sha256:cb4ee827857a5ad9b8ae34d3c8cc51151cb4a3fe082c12ec20ec73e63cc7c6f0 \
+    --hash=sha256:d47d359545b0ccad29d572ecd52c9da945de7cd6cf9c0cfcb0269f76d3555689 \
+    --hash=sha256:dc9963aacb7da5177e40874585d7407c0f93fb9d7518ec58b86e562f633f36cd \
+    --hash=sha256:ea2f41445852c660ba7c3ebf7d70b3779b20d9ca8ba54485a17740db49f46932 \
+    --hash=sha256:f5d0c921c99297354cecc5a416ee4280bd3f20fd81b9fb671ca6be71499c3fdf \
+    --hash=sha256:f85d6f41e34f6a2d1607e312820971872944f1661a73d33e1e82d35ea3305e14
+    # via -r requirements.in
+requests==2.25.1 \
+    --hash=sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804 \
+    --hash=sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e
+    # via
+    #   -r requirements.in
+    #   docker
+six==1.15.0 \
+    --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
+    --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
+    # via
+    #   docker
+    #   dockerfile-parse
+    #   websocket-client
+smmap==3.0.5 \
+    --hash=sha256:7bfcf367828031dc893530a29cb35eb8c8f2d7c8f2d0989354d75d24c8573714 \
+    --hash=sha256:84c2751ef3072d4f6b2785ec7ee40244c6f45eb934d9e543e2c51f1bd3d54c50
+    # via gitdb
+stevedore==3.3.0 \
+    --hash=sha256:3a5bbd0652bf552748871eaa73a4a8dc2899786bc497a2aa1fcb4dcdb0debeee \
+    --hash=sha256:50d7b78fbaf0d04cd62411188fa7eedcb03eb7f4c4b37005615ceebe582aa82a
+    # via -r requirements.in
+typing-extensions==3.7.4.3 \
+    --hash=sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918 \
+    --hash=sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c \
+    --hash=sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f
+    # via importlib-metadata
+urllib3==1.26.4 \
+    --hash=sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df \
+    --hash=sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937
+    # via requests
+websocket-client==0.58.0 \
+    --hash=sha256:44b5df8f08c74c3d82d28100fdc81f4536809ce98a17f0757557813275fbb663 \
+    --hash=sha256:63509b41d158ae5b7f67eb4ad20fecbb4eee99434e73e140354dc3ff8e09716f
+    # via docker
+zipp==3.4.1 \
+    --hash=sha256:3607921face881ba3e026887d8150cca609d517579abe052ac81fc5aeffdbd76 \
+    --hash=sha256:51cb66cc54621609dd593d1787f286ee42a5c0adbb4b29abea5a63edc3e03098
+    # via importlib-metadata

docs/releases/v2_5_0.md

@@ -0,0 +1,81 @@
+# Release 2.5.0
+
+## Summary
+This release contains a mix of features, bug fixes and resolved technical debt. It also includes an update to a vulnerable package, urllib3, which addresses CVE-2021-28363. This release adds support for distroless containers and adds a new CLI option, `-y [LAYER_NUMBER]/--layer [LAYER_NUMBER]`, which will generate a default report SBoM for a specific layer instead of the entire container image. There is also a `-li/--layer_inclusive` flag that was added to the CLI which, when used in conjunction with the `-y/--layer` option, will include all of the preceding layers in the SBoM up until the specified layer number argument. This `-y/--layer` feature is currently only enabled for the default report format.
+
+A number of bugs were also resolved in this release. Namely, a bug where Tern was crashing when running on squashed images and an issue where Tern was incorrectly parsing image strings when the docker image name contained registry information about images hosted on a different port. Notable technical debt cleanup includes replacing npm parsing with the `jq` utility which drastically speeds up npm package metadata collection.
+
+## Security
+* [CVE-2021-28363](https://github.com/advisories/GHSA-5phf-pp7p-vc2r): v2.5.0 updated a vulnerable package, urllib3, to address a security concern. v2.4.0 and below contain a vulnerable package and we recommend updating to v2.5.0.
+
+## New Features
+* [Add support for distroless containers](https://github.com/tern-tools/tern/issues/864): Tern can now detect and report on packages in distroless containers.
+* [Generate SBoM for/until specific layer](https://github.com/tern-tools/tern/issues/840): Tern can now generate an SBoM for a specific layer of a container image. It can print the report for one specific layer, or a cumulitive report of all the layers up until a specific layer.
+
+## Bug Fixes
+* [Bug fix for Debian dockerfiles reporting duplicate packages](https://github.com/tern-tools/tern/issues/899)
+* [Fix image parsing for docker registries hosted on a different port](https://github.com/tern-tools/tern/issues/890)
+* [Correct parsing for Dockerfile enviornment variables that contain '{}'](https://github.com/tern-tools/tern/issues/913)
+* [Tern crashes with squashed images](https://github.com/tern-tools/tern/issues/838)
+* [Fix execution path for raw image tarballs](https://github.com/tern-tools/tern/pull/898)
+* [Fix go module collection](https://github.com/tern-tools/tern/issues/924)
+
+## Resolved Technical Debt
+* [Replace npm parsing with jq](https://github.com/tern-tools/tern/issues/903): This *significantly* speeds up the detection time for npm packages by removing the overhead of spinning up Node.js individually for each package. Thanks to @JamieMagee for his work on this!
+* [Use GitPython instead of subprocess](https://github.com/tern-tools/tern/issues/619)
+* [Increase timeout for pulling larger images](https://github.com/tern-tools/tern/pull/904)
+* [Pass arguments as a single object](https://github.com/tern-tools/tern/issues/868)
+
+## Future Work
+* "Live" analysis of a container image.
+* Enabling a distributed cache and database for Tern
+* Continuing code cleanup.
+
+## Changelog
+Note: This changelog will not include these release notes
+
+Changelog generated by command: `git log --pretty=format:"%h %s" v2.4.0..main`
+
+```
+2693eeb fix: Include information about layer's created_by
+83fa293 Use deepcopy to find key listing dictionary
+728f619 Fix duplicate OS notices
+911e368 Set WORKDIR directory to collect go modules
+98a12fc Refactor: Combine distroless into generic "host"
+e7a4a0a bugfix: Escape empty braces when parsing snippets
+452ab48 Add jq dependency to Dockerfiles and README
+e0785a0 Use jq to detect npm components
+9fa0a19 Add GitPython as a runtime dependency
+2405feb Update community meeting time to UTC time zone
+380e7e8 Add initial support for distroless containers
+d391f68 Compare ordered pkg_licenses for Package objects
+e01f826 Use GitPython for all git operations
+551a4e4 Timeout for pulling large images
+66822ef Fix execution path for raw image tarball
+1097ad3 Fix for docker registries hosted on different port
+733eb12 Refactor: pass arguments as a single object
+141b9b0 Fix error msg when no created_by info for layers
+29d16f6 Minimize complexity of do_main
+11fc8a3 Generate SBoM for single layer
+bae951f Warn user when he sets --layer too large
+06a16f9 Fix docstring in cache.py
+20ed612 Add layer support to default reporter
+c2d3817 Implement partial analysis
+46e6898 Add print_inclusive parameter to generate()
+e342cdd Add -li --layer-inclusive CLI argument
+580413b Prepare Image class for partial image loading
+d204d96 Add -y --layer option to command line
+```
+
+## Contributors
+```
+Alexander Mazuruk a.mazuruk@samsung.com
+Dhairya Jain jaindhairya2001@gmail.com
+Jamie Magee jamagee@microsoft.com
+Jeroen Knoops jeroen.knoops@philips.com
+```
+
+## Contact the Maintainers
+
+Nisha Kumar: nishak@vmware.com
+Rose Judge: rjudge@vmware.com

requirements.txt

@@ -13,5 +13,5 @@ requests~=2.25
 stevedore>=3.3
 pbr>=5.5
 debut>=0.9
-regex>=2020.11
+regex>=2021.3
 GitPython~=3.1