Prep for Release 2.4.0

- Added release notes and freeze file.
- Updated the README with the new Release number and changed the list
  of releases to Previous Releases.
- Bumped the dependency versions.
- Updated release_checklist.md to reflect the fact that the master
  branch was renamed to main
- Moved 2020 project roadmap information to project-roadmap-archive.md
- Updated 2021 project roadmap

Signed-off-by: Rose Judge <rjudge@vmware.com>

README.md

@@ -296,11 +296,12 @@ $ python tests/<test file>.py
 ```
 
 ## Project Status<a name="project-status"/>
-Release 2.3.0 is out! See the [release notes](docs/releases/v2_3_0.md) for more information.
+Release 2.4.0 is out! See the [release notes](docs/releases/v2_4_0.md) for more information.
 
 We try to keep the [project roadmap](./docs/project-roadmap.md) as up to date as possible. We are currently working on Release 3.0.0.
 
 ## Previous Releases
+* [v2.3.0](docs/releases/v2_3_0.md)
 * [v2.2.0](docs/releases/v2_2_0.md)
 * [v2.1.0](docs/releases/v2_1_0.md)
 * [v2.0.0](docs/releases/v2_0_0.md)

docs/project-roadmap-archive.md

@@ -1,3 +1,20 @@
+## 2021-02-18
+### 2020
+
+We are getting very close to a beta release. The requirements for this release are:
+1. Support for language package managers.
+2. Ability to run on Mac and Windows using Docker.
+
+Our goal is to meet these requirements by the end of the year
+- We will work towards enabling language package managers like `pip`, `npm` and `gem` including support for golang which will be available in future releases slated for this year.
+- We will try to move away from using overlayfs to "debug" container images. This will allow us to move away from using a volume mount to a host linux system to make Tern work on Windows and Mac. However, this will not help towards running Tern in an unprivileged container (at least in the default environment).
+
+We will also continue to work on the following:
+- We will continue to support the SPDX format for container images. To that end, we will make changes to update the format of the document as the [spec](https://spdx.org/sites/cpstandard/files/pages/files/spdxversion2.1.pdf) evolves.
+- We will be working with the [Conan](https://github.com/nexB/conan) project to integrate some of the functionality needed by their use cases.
+- As usual, we will continue to work on our technical debt and bug fixes.
+
+
 ## 2020-04-15
 ### 2019
 

docs/project-roadmap.md

@@ -1,17 +1,20 @@
 # Project Road Map
 
-## 2020
-We are getting very close to a beta release. The requirements for this release are:
-1. Support for language package managers.
-2. Ability to run on Mac and Windows using Docker.
+## 2021
+We are getting very close to a beta release. Our beta release is targeted for the March-April timeframe.
+
+Our goal is to meet these requirements by the end of the year.
+- We are working towards enabling "live" analysis for a container. The idea is that if Tern could generate an SBoM at build time, the SBoM would then be available to package and distribute with the container image without the need for post scanning.
+- We are very close to enabling inventory for a single container layer which will be available in the next 3.0.0 release.
+- We will continue investigating how we can run Tern without root privileges.
+- We want to enable Tern to pull image digests and images using registry HTTP(s) APIs so that we can pull images from registries other than Dockerhub.
+- Enable analysis for OCI images.
+- Create a database backend with an associated API. We are hoping to have a GSoC intern help us tackle this issue.
+- Enable inventory of a Distroless image using some sort of custom script.
 
-Our goal is to meet these requirements by the end of the year
-- We will work towards enabling language package managers like `pip`, `npm` and `gem` including support for golang which will be available in future releases slated for this year.
-- We will try to move away from using overlayfs to "debug" container images. This will allow us to move away from using a volume mount to a host linux system to make Tern work on Windows and Mac. However, this will not help towards running Tern in an unprivileged container (at least in the default environment).
 
 We will also continue to work on the following:
 - We will continue to support the SPDX format for container images. To that end, we will make changes to update the format of the document as the [spec](https://spdx.org/sites/cpstandard/files/pages/files/spdxversion2.1.pdf) evolves.
-- We will be working with the [Conan](https://github.com/nexB/conan) project to integrate some of the functionality needed by their use cases.
 - As usual, we will continue to work on our technical debt and bug fixes.
 
 This timetable is based on time, resources and feedback from you and will change accordingly.

docs/releases/release_checklist.md

@@ -3,11 +3,11 @@
 This is a checklist for cutting a release
 
 - [ ] Prepare Release PR.
-    * Freeze development on master.
-    * Prepare your local development environment by committing or stashing your changes. Work at the tip of master.
+    * Freeze development on main.
+    * Prepare your local development environment by committing or stashing your changes. Work at the tip of main.
     * Create a branch for the release: `git checkout -b <release branch name>`.
     * In a separate folder, create a fresh environment and activate it.
-    * Clone the `tern/master` repository by running `git clone --single-branch git@github.com:tern-tools/tern.git` and `cd` into it.
+    * Clone the `tern/main` repository by running `git clone --single-branch git@github.com:tern-tools/tern.git` and `cd` into it.
 
 - [ ] Update direct dependencies and run tests.
     * In the fresh environment, run `pip install wheel pip-tools twine`.
@@ -34,8 +34,8 @@ This is a checklist for cutting a release
       - Future Work
       - Changelog     
         * "Note: This changelog will not include these release notes"
-        * "Changelog produced by command: `git log --pretty=format:"%h %s" v<tag>..master`"
-      - Contributors (look at Authors in the changelog `git log --pretty=format:"%an %ae" v<tag>..master | sort | uniq`). Remove the maintainers name from the contributor list.
+        * "Changelog produced by command: `git log --pretty=format:"%h %s" v<tag>..main`"
+      - Contributors (look at Authors in the changelog `git log --pretty=format:"%an %ae" v<tag>..main | sort | uniq`). Remove the maintainers name from the contributor list.
       - Contact the Maintainers
 
     * Update the Project Status part of the README.md to reflect this release and add it to the list of releases.
@@ -50,7 +50,7 @@ This is a checklist for cutting a release
     * Provide a link to the release notes.
 
 - [ ] Deploy to PyPI
-    * Run the following steps in the fresh environment where you first cloned tern/master.
+    * Run the following steps in the fresh environment where you first cloned tern/main.
     * Run `git fetch --tags` to get the release tag.
     * Run `git checkout -b release <release_tag>`.
     * Run `pip-compile`.
@@ -69,4 +69,4 @@ This is a checklist for cutting a release
     * Run `tar cvzf tern-<release_tag>-vendor.tar.gz vendor/`.
     * Upload the vendor tarball to the GitHub release page.
 
-- [ ] Upload the wheel package to the GitHub release page. The wheel package can be found under the `dist/` directory in the environment where you first cloned tern/master or it can be downloaded for the PyPI release page.
+- [ ] Upload the wheel package to the GitHub release page. The wheel package can be found under the `dist/` directory in the environment where you first cloned tern/main or it can be downloaded for the PyPI release page.

docs/releases/v2_4_0-requirements.txt

@@ -0,0 +1,146 @@
+#
+# This file is autogenerated by pip-compile
+# To update, run:
+#
+#    pip-compile --generate-hashes --output-file=v2_4_0-requirements.txt
+#
+attrs==20.3.0 \
+    --hash=sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6 \
+    --hash=sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700
+    # via debut
+certifi==2020.12.5 \
+    --hash=sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c \
+    --hash=sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830
+    # via requests
+chardet==4.0.0 \
+    --hash=sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa \
+    --hash=sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5
+    # via
+    #   debut
+    #   requests
+debut==0.9.9 \
+    --hash=sha256:3cc75b01fbdf553376d566027d54af4c957844cf4fc2456a426e658ea7b68588 \
+    --hash=sha256:a3a71e475295f4cf4292440c9c7303ebca0309d395536d2a7f86a5f4d7465dc1
+    # via -r requirements.in
+docker==4.4.3 \
+    --hash=sha256:d4625e70e3d5a12d7cbf1fd68cef2e081ac86b83889e00e5466d975f90e50dad \
+    --hash=sha256:de5753b7f6486dd541a98393e423e387579b8974a5068748b83f852cc76a89d6
+    # via -r requirements.in
+dockerfile-parse==1.1.0 \
+    --hash=sha256:80ea4b88694ab014001e39e62335aa2f4feb695b80de751377e994a344fa5952 \
+    --hash=sha256:f37bfa327fada7fad6833aebfaac4a3aaf705e4cf813b737175feded306109e8
+    # via -r requirements.in
+idna==2.10 \
+    --hash=sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6 \
+    --hash=sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0
+    # via requests
+importlib-metadata==3.4.0 \
+    --hash=sha256:ace61d5fc652dc280e7b6b4ff732a9c2d40db2c0f92bc6cb74e07b73d53a1771 \
+    --hash=sha256:fa5daa4477a7414ae34e95942e4dd07f62adf589143c875c133c1e53c4eff38d
+    # via stevedore
+pbr==5.5.1 \
+    --hash=sha256:5fad80b613c402d5b7df7bd84812548b2a61e9977387a80a5fc5c396492b13c9 \
+    --hash=sha256:b236cde0ac9a6aedd5e3c34517b423cd4fd97ef723849da6b0d2231142d89c00
+    # via
+    #   -r requirements.in
+    #   stevedore
+pyyaml==5.4.1 \
+    --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \
+    --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \
+    --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \
+    --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \
+    --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \
+    --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \
+    --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \
+    --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \
+    --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \
+    --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \
+    --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \
+    --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \
+    --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \
+    --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \
+    --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \
+    --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \
+    --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \
+    --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \
+    --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \
+    --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \
+    --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc
+    # via -r requirements.in
+regex==2020.11.13 \
+    --hash=sha256:02951b7dacb123d8ea6da44fe45ddd084aa6777d4b2454fa0da61d569c6fa538 \
+    --hash=sha256:0d08e71e70c0237883d0bef12cad5145b84c3705e9c6a588b2a9c7080e5af2a4 \
+    --hash=sha256:1862a9d9194fae76a7aaf0150d5f2a8ec1da89e8b55890b1786b8f88a0f619dc \
+    --hash=sha256:1ab79fcb02b930de09c76d024d279686ec5d532eb814fd0ed1e0051eb8bd2daa \
+    --hash=sha256:1fa7ee9c2a0e30405e21031d07d7ba8617bc590d391adfc2b7f1e8b99f46f444 \
+    --hash=sha256:262c6825b309e6485ec2493ffc7e62a13cf13fb2a8b6d212f72bd53ad34118f1 \
+    --hash=sha256:2a11a3e90bd9901d70a5b31d7dd85114755a581a5da3fc996abfefa48aee78af \
+    --hash=sha256:2c99e97d388cd0a8d30f7c514d67887d8021541b875baf09791a3baad48bb4f8 \
+    --hash=sha256:3128e30d83f2e70b0bed9b2a34e92707d0877e460b402faca908c6667092ada9 \
+    --hash=sha256:38c8fd190db64f513fe4e1baa59fed086ae71fa45083b6936b52d34df8f86a88 \
+    --hash=sha256:3bddc701bdd1efa0d5264d2649588cbfda549b2899dc8d50417e47a82e1387ba \
+    --hash=sha256:4902e6aa086cbb224241adbc2f06235927d5cdacffb2425c73e6570e8d862364 \
+    --hash=sha256:49cae022fa13f09be91b2c880e58e14b6da5d10639ed45ca69b85faf039f7a4e \
+    --hash=sha256:56e01daca75eae420bce184edd8bb341c8eebb19dd3bce7266332258f9fb9dd7 \
+    --hash=sha256:5862975b45d451b6db51c2e654990c1820523a5b07100fc6903e9c86575202a0 \
+    --hash=sha256:6a8ce43923c518c24a2579fda49f093f1397dad5d18346211e46f134fc624e31 \
+    --hash=sha256:6c54ce4b5d61a7129bad5c5dc279e222afd00e721bf92f9ef09e4fae28755683 \
+    --hash=sha256:6e4b08c6f8daca7d8f07c8d24e4331ae7953333dbd09c648ed6ebd24db5a10ee \
+    --hash=sha256:717881211f46de3ab130b58ec0908267961fadc06e44f974466d1887f865bd5b \
+    --hash=sha256:749078d1eb89484db5f34b4012092ad14b327944ee7f1c4f74d6279a6e4d1884 \
+    --hash=sha256:7913bd25f4ab274ba37bc97ad0e21c31004224ccb02765ad984eef43e04acc6c \
+    --hash=sha256:7a25fcbeae08f96a754b45bdc050e1fb94b95cab046bf56b016c25e9ab127b3e \
+    --hash=sha256:83d6b356e116ca119db8e7c6fc2983289d87b27b3fac238cfe5dca529d884562 \
+    --hash=sha256:8b882a78c320478b12ff024e81dc7d43c1462aa4a3341c754ee65d857a521f85 \
+    --hash=sha256:8f6a2229e8ad946e36815f2a03386bb8353d4bde368fdf8ca5f0cb97264d3b5c \
+    --hash=sha256:9801c4c1d9ae6a70aeb2128e5b4b68c45d4f0af0d1535500884d644fa9b768c6 \
+    --hash=sha256:a15f64ae3a027b64496a71ab1f722355e570c3fac5ba2801cafce846bf5af01d \
+    --hash=sha256:a3d748383762e56337c39ab35c6ed4deb88df5326f97a38946ddd19028ecce6b \
+    --hash=sha256:a63f1a07932c9686d2d416fb295ec2c01ab246e89b4d58e5fa468089cab44b70 \
+    --hash=sha256:b2b1a5ddae3677d89b686e5c625fc5547c6e492bd755b520de5332773a8af06b \
+    --hash=sha256:b2f4007bff007c96a173e24dcda236e5e83bde4358a557f9ccf5e014439eae4b \
+    --hash=sha256:baf378ba6151f6e272824b86a774326f692bc2ef4cc5ce8d5bc76e38c813a55f \
+    --hash=sha256:bafb01b4688833e099d79e7efd23f99172f501a15c44f21ea2118681473fdba0 \
+    --hash=sha256:bba349276b126947b014e50ab3316c027cac1495992f10e5682dc677b3dfa0c5 \
+    --hash=sha256:c084582d4215593f2f1d28b65d2a2f3aceff8342aa85afd7be23a9cad74a0de5 \
+    --hash=sha256:d1ebb090a426db66dd80df8ca85adc4abfcbad8a7c2e9a5ec7513ede522e0a8f \
+    --hash=sha256:d2d8ce12b7c12c87e41123997ebaf1a5767a5be3ec545f64675388970f415e2e \
+    --hash=sha256:e32f5f3d1b1c663af7f9c4c1e72e6ffe9a78c03a31e149259f531e0fed826512 \
+    --hash=sha256:e3faaf10a0d1e8e23a9b51d1900b72e1635c2d5b0e1bea1c18022486a8e2e52d \
+    --hash=sha256:f7d29a6fc4760300f86ae329e3b6ca28ea9c20823df123a2ea8693e967b29917 \
+    --hash=sha256:f8f295db00ef5f8bae530fc39af0b40486ca6068733fb860b42115052206466f
+    # via -r requirements.in
+requests==2.25.1 \
+    --hash=sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804 \
+    --hash=sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e
+    # via
+    #   -r requirements.in
+    #   docker
+six==1.15.0 \
+    --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
+    --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced
+    # via
+    #   docker
+    #   dockerfile-parse
+    #   websocket-client
+stevedore==3.3.0 \
+    --hash=sha256:3a5bbd0652bf552748871eaa73a4a8dc2899786bc497a2aa1fcb4dcdb0debeee \
+    --hash=sha256:50d7b78fbaf0d04cd62411188fa7eedcb03eb7f4c4b37005615ceebe582aa82a
+    # via -r requirements.in
+typing-extensions==3.7.4.3 \
+    --hash=sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918 \
+    --hash=sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c \
+    --hash=sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f
+    # via importlib-metadata
+urllib3==1.26.3 \
+    --hash=sha256:1b465e494e3e0d8939b50680403e3aedaa2bc434b7d5af64dfd3c958d7f5ae80 \
+    --hash=sha256:de3eedaad74a2683334e282005cd8d7f22f4d55fa690a2a1020a416cb0a47e73
+    # via requests
+websocket-client==0.57.0 \
+    --hash=sha256:0fc45c961324d79c781bab301359d5a1b00b13ad1b10415a4780229ef71a5549 \
+    --hash=sha256:d735b91d6d1692a6a181f2a8c9e0238e5f6373356f561bb9dc4c7af36f452010
+    # via docker
+zipp==3.4.0 \
+    --hash=sha256:102c24ef8f171fd729d46599845e95c7ab894a4cf45f5de11a44cc7444fb1108 \
+    --hash=sha256:ed5eee1974372595f9e416cc7bbeeb12335201d8081ca8a0743c954d4446e5cb
+    # via importlib-metadata