Release 2.9.0

Summary

This release contains a handful of exciting new features. First, Tern is now able to run in an unprivileged container. This is beneficial from a security standpoint on platforms that do not allow privileged containers to run, and it also removes the dependency on the overlay2 storage driver. Next, source package information is now reported in the JSON and YAML formats for rpm- and dpkg-based package managers. Source package information can be helpful when looking up known vulnerabilities or CVEs for packages. Additionally, Tern now reports Debian package license information in the default report table, so users no longer have to look at other formats like JSON for this information. Lastly, Tern removed its dependency on Docker for pulling container images in favor of Skopeo (the Docker requirement still exists for Dockerfile analysis). This large change brings Tern one step closer to running on Kubernetes, since Kubernetes has announced that the Docker container runtime will be removed in favor of other runtimes that implement the CRI.

New Features

  • Run Tern in an unprivileged container: Tern now runs in an unprivileged container. This is possible due to a new method of applying the diff filesystem layers: the files and directories of each layer are bulk-copied into the merge directory rather than mounted through a storage driver such as overlay2 or fuse, as was done previously. The overlay2 and fuse drivers remain available for backwards compatibility via the --driver command line option.
  • Add source package information to reports: Tern now reports source package name (src_name) and version (src_version) in the JSON and YAML reports. This source package information can be fed to security scanners to look up known vulnerabilities.
  • Use skopeo to pull container images: Tern now uses skopeo to pull container images for container analysis. This removes the dependency on Docker to pull container images.
  • Report Debian package licenses in default report: Tern now reports Debian package licenses in the default report table for easy viewing.
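To make the first feature concrete, here is an added illustration (not Tern's own implementation) of applying image layers by plain copying, with no mount and no storage driver. It follows the whiteout conventions of the OCI image layer format: an entry named `.wh.<name>` deletes `<name>` inherited from lower layers, and `.wh..wh..opq` hides a directory's lower-layer contents. The two layer tarballs are constructed in memory so the example runs offline; the helper names are hypothetical.

```python
"""Apply image layer tarballs into a merge directory by bulk copying.

Added example, not Tern's code. Deletions are applied before copies so that
the result does not depend on entry order inside a layer tarball, and every
entry path is checked to stay inside the merge directory.
"""
import io
import os
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional

WHITEOUT_PREFIX = ".wh."        # ".wh.<name>" removes <name> from lower layers
OPAQUE_MARKER = ".wh..wh..opq"  # hides everything lower layers put in this dir


def _safe_target(merge_dir: Path, member_name: str) -> Path:
    """Resolve a tar member path inside merge_dir, rejecting path traversal."""
    root = merge_dir.resolve()
    target = (root / member_name.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"layer entry escapes merge dir: {member_name}")
    return target


def _remove(path: Path) -> None:
    """Delete a file, symlink or directory tree if it exists."""
    if path.is_symlink() or path.is_file():
        path.unlink()
    elif path.is_dir():
        shutil.rmtree(path)


def apply_layer(layer: tarfile.TarFile, merge_dir: Path) -> None:
    """Apply one layer onto merge_dir by plain copying (no mount, no driver)."""
    members = layer.getmembers()
    # Pass 1: deletions recorded in this layer.
    for m in members:
        base = os.path.basename(m.name)
        if base == OPAQUE_MARKER:
            opaque_dir = _safe_target(merge_dir, os.path.dirname(m.name))
            if opaque_dir.is_dir():
                for child in opaque_dir.iterdir():
                    _remove(child)
        elif base.startswith(WHITEOUT_PREFIX):
            victim_rel = os.path.join(os.path.dirname(m.name), base[len(WHITEOUT_PREFIX):])
            _remove(_safe_target(merge_dir, victim_rel))
    # Pass 2: copy directories and regular files; upper entries replace lower ones.
    for m in members:
        if os.path.basename(m.name).startswith(WHITEOUT_PREFIX):
            continue
        target = _safe_target(merge_dir, m.name)
        if m.isdir():
            target.mkdir(parents=True, exist_ok=True)
        elif m.isfile():
            target.parent.mkdir(parents=True, exist_ok=True)
            if target.is_dir():
                shutil.rmtree(target)  # a file replacing a lower-layer directory
            with layer.extractfile(m) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
        # Symlinks and device nodes are skipped in this illustration.


def _make_layer(entries: Dict[str, Optional[bytes]]) -> tarfile.TarFile:
    """Build an in-memory layer tarball: None means directory, bytes means file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in entries.items():
            info = tarfile.TarInfo(path)
            if content is None:
                info.type, info.mode = tarfile.DIRTYPE, 0o755
                tar.addfile(info)
            else:
                info.size, info.mode = len(content), 0o644
                tar.addfile(info, io.BytesIO(content))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def merge_layers(layers: Iterable[tarfile.TarFile]) -> Dict[str, Optional[bytes]]:
    """Apply layers in order; return {relative_path: bytes, or None for a directory}."""
    with tempfile.TemporaryDirectory() as tmp:
        merge_dir = Path(tmp)
        for layer in layers:
            with layer:
                apply_layer(layer, merge_dir)
        return {p.relative_to(merge_dir).as_posix(): (None if p.is_dir() else p.read_bytes())
                for p in sorted(merge_dir.rglob("*"))}


def demo() -> Dict[str, Optional[bytes]]:
    """Two constructed layers (not from any real image): base plus an upper layer."""
    base = _make_layer({
        "etc": None, "etc/os-release": b"ID=debian\n",
        "var": None, "var/lib": None, "var/lib/apt": None, "var/lib/apt/lists": None,
        "var/lib/apt/lists/index": b"stale\n",
        "tmp": None, "tmp/scratch": b"x",
    })
    upper = _make_layer({
        "etc/os-release": b'ID=debian\nVERSION_ID="11"\n',  # overwrite
        "tmp/.wh.scratch": b"",                              # delete one file
        "var/lib/apt/lists/.wh..wh..opq": b"",               # opaque: clear the dir
        "var/lib/apt/lists/keep": b"fresh\n",
    })
    return merge_layers([base, upper])


if __name__ == "__main__":
    for path, content in demo().items():
        print(path, "(dir)" if content is None else content)
```

Because the whole process is ordinary file I/O under a directory the user owns, it needs no mount capability and therefore no privileged container, which is the property the release note describes.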

Bug Fixes

Technical Debt

Future Work

  • Add source package information to SPDX and CycloneDX reports
  • Investigate running Tern in a Kubernetes admission controller

Changelog

Note: This changelog will not include these release notes

Changelog generated by command: git log --pretty=format:"%h %s" v2.8.0..HEAD

e16a468 Use Skopeo to pull container images
3bdbd08 formats: Modify layer title based on manifest
3a0ac50 Modify environments to install skopeo
0891287 Change -i option to use OCIImage
1644456 Replace get_untar_dir with ImageLayer method
e340f66 classes: Add OCIImage class and use image_layout
6fcdcb9 classes: Move get_untar_dir to ImageLayer
fad5fb1 fix: unmount rootfs only for fuse and overlay2
0b87b0c Collect dpkg and rpm source pkg info
94aacb1 Collect dpkg and rpm source information
5b4bbde Add source package info to package data model
5011db0 Enable Tern to run in an unprivileged container
fb160a0 Update README.md with new Docker instructions
4fcae9b Use the default driver in Dockerfile
6c0d1e9 Fix application for multiple cached layers
ab13f1c Enable multi-layer analysis with no mount
7bcbf6c Remove unnecessary mounting and unshare commands
3911d04 classes: Add new property is_whiteout
1551162 Allow whiteout files to be accessed by fs_hash.sh
aecba38 Multiple checks for keys in check_sourcable func
f9d9669 updating setup.cfg fields
38d5c76 Report Debian package licenses in default report
9751f1b Add SPDX "document DESCRIBES image" relationship
ff9d71a Add DockerException when daemon not running
fd94b38 Fix for SPDX JSON format to match SPDX JSON schema
c3938c7 Scancode should run n-1 core
9534ac1 Remove unused clean_image_tars function
a3e76cd Change SPDX pkg download location to NOASSERTION
87e7cdd Remove unused functions from lock.py
99fdb5f Direct check for key in command_lib['snippets']
ce1c6d2 Update VS Code documentation for Mac/Windows
fcb367b Direct check for key in command['base'] dictionary
55a8a1e Change package download location to NOASSERTION
956a5e6 Fix CI status badge
33ffbeb Direct check for key in os_release_dict

Contributors

ashmaajmera
Debbie Leung
Hannah Lumapas
Jason Hall
jayeritz
Kerin Pithawala
Mukul Taneja
sayantani11
Vini Parimala
vsoch

Contact the Maintainers

Nisha Kumar
Rose Judge