
Release v0.2.0

@puerco puerco released this 27 Jan 02:05
· 977 commits to main since this release
a5640c2

This is the first release of bom after the code move from kubernetes/release to its own repository! A big big thank you to all contributors that sent patches to the project.

Release Notes

Changes by Kind

Deprecation

  • Added a few more unit tests to the spdx package: spdx.GetImageReferences is now covered, and TestPullImagesToArchive, TestGetDirectoryTree and TestIgnorePatterns were added.
  • bom: The --tarballs flag is now deprecated and has been replaced with --image-archive; during demos and chats the old name proved to be confusing. --tarballs still works but prints a warning.
  • bom: There is a new flag: --archive. When enabled, bom adds archives (currently tarballs) to the document as SPDX packages. The files inside each archive are license-scanned and listed under that package.
  • bom: Passing a flag to set the SPDX document namespace is no longer required. The generator now derives one from the spdx.org public URL defined in the SPDX 2.2+ spec.
  • The spdx package now supports reading compressed tars (#4, @puerco)

Feature

  • Add initial filetype support (#12, @cpanato)
  • New container image layer scanner for checking inside of layers for OS data. The first version supports extracting packages from debian based OSs. (#31, @puerco)
  • bom generate can now output provenance attestations alongside SBOMs. When a JSON output file is given with the new --provenance flag, bom writes the SPDX data as an in-toto attestation with all the SBOM entities as in-toto subjects. The statement can then be picked up by later CI/CD stages, which fill in the rest of the build data. (#14, @puerco)
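The layer scanner item above describes reading OS package data out of image layers, with Debian-based images as the first supported case. As an added illustration (example code written for this page, not bom's own scanner), here is how that case can be done with the Go standard library: walk one uncompressed layer tar, locate var/lib/dpkg/status and parse its stanzas, keeping only packages whose dpkg Status is actually installed. The DebPackage type, the function names and the sample layer contents are all constructed for this example.

```go
package main

import (
	"archive/tar"
	"bufio"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// DebPackage is one installed package as recorded in the dpkg status database.
type DebPackage struct {
	Name, Version, Arch string
}

// parseDpkgStatus parses the stanzas of /var/lib/dpkg/status. Only packages whose
// Status ends in "installed" are kept: a removed-but-not-purged package
// ("deinstall ok config-files") still has a stanza but contributes no files.
func parseDpkgStatus(r io.Reader) ([]DebPackage, error) {
	var pkgs []DebPackage
	var cur DebPackage
	installed := false
	flush := func() {
		if cur.Name != "" && installed {
			pkgs = append(pkgs, cur)
		}
		cur, installed = DebPackage{}, false
	}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if line == "" { // a blank line ends a stanza
			flush()
			continue
		}
		if strings.HasPrefix(line, " ") { // continuation of a multi-line field (Description body)
			continue
		}
		kv := strings.SplitN(line, ":", 2)
		if len(kv) != 2 {
			continue
		}
		val := strings.TrimSpace(kv[1])
		switch kv[0] {
		case "Package":
			cur.Name = val
		case "Version":
			cur.Version = val
		case "Architecture":
			cur.Arch = val
		case "Status":
			installed = strings.HasSuffix(val, " installed")
		}
	}
	flush() // the last stanza has no trailing blank line
	return pkgs, sc.Err()
}

// scanLayer walks one uncompressed layer tar and returns the packages from its dpkg
// status file, or nil, nil if the layer has none (non-Debian base, or a layer that
// only adds application files).
func scanLayer(layer io.Reader) ([]DebPackage, error) {
	tr := tar.NewReader(layer)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil, nil
		}
		if err != nil {
			return nil, err
		}
		// Layers name entries as "./var/...", "var/..." or "/var/..."; normalise all three.
		name := strings.TrimPrefix(path.Clean(hdr.Name), "/")
		if name == "var/lib/dpkg/status" && hdr.Typeflag == tar.TypeReg {
			return parseDpkgStatus(tr)
		}
	}
}

// constructedLayer builds a minimal layer tar in memory. The contents are made up for
// this example and are not taken from any real image.
func constructedLayer() []byte {
	status := "Package: libc6\nStatus: install ok installed\nVersion: 2.31-13+deb11u5\nArchitecture: amd64\n\n" +
		"Package: old-tool\nStatus: deinstall ok config-files\nVersion: 1.0-1\nArchitecture: all\n\n" +
		"Package: ca-certificates\nStatus: install ok installed\nVersion: 20210119\nArchitecture: all\n" +
		"Description: Common CA certificates\n Certificate authorities shipped with Mozilla.\n"
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range []struct{ name, body string }{
		{"./etc/os-release", "ID=debian\nVERSION_ID=\"11\"\n"},
		{"./var/lib/dpkg/status", status},
	} {
		tw.WriteHeader(&tar.Header{Name: f.name, Mode: 0o644, Size: int64(len(f.body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(f.body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	pkgs, err := scanLayer(bytes.NewReader(constructedLayer()))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%s %s %s\n", p.Name, p.Version, p.Arch)
	}
}
```

Two caveats for anyone building an image-level inventory on top of this: a single layer only shows the package set as of that layer, and a later layer can replace the status file or delete it with a whiteout entry, so layers must be applied in order and the last status file seen is the one that counts; and registry layers are normally gzip-compressed, so they have to be decompressed before being handed to the tar reader.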

Failing Test

  • Fixed flakes in TestWriteProvenance and TestToProvenance, where the tests would fail roughly one in every three runs (#25, @puerco)

Other (Cleanup or Flake)

  • The provenance package now produces attestations conformant to the SLSA v0.2 specification. (#13, @puerco)
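The two provenance items in these notes (the --provenance output under Feature, and the move to SLSA v0.2 above) describe an in-toto statement whose subjects are the SBOM entities and whose predicate is SLSA provenance. As an added example, written for this page and not taken from bom's provenance package, here is the shape of such a statement in Go, along with the check a later CI/CD stage should run before relying on it. The SPDXPackage type, the builder and build-type URLs and the artifact bytes are constructed for this example; the two type URIs are the ones fixed by the in-toto statement and SLSA provenance v0.2 specs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Type URIs fixed by the in-toto attestation and SLSA provenance v0.2 specs.
const (
	StatementType     = "https://in-toto.io/Statement/v0.1"
	SLSAProvenanceV02 = "https://slsa.dev/provenance/v0.2"
)

// Subject binds an artifact name to its digests (algorithm -> lowercase hex).
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Statement is the unsigned in-toto statement; wrapping it in a signed DSSE envelope is a later step.
type Statement struct {
	Type          string     `json:"_type"`
	PredicateType string     `json:"predicateType"`
	Subject       []Subject  `json:"subject"`
	Predicate     Provenance `json:"predicate"`
}

// Provenance carries the SLSA v0.2 fields this example fills; a CI stage appends the rest.
type Provenance struct {
	Builder   struct{ ID string `json:"id"` } `json:"builder"`
	BuildType string                           `json:"buildType"`
	Materials []Material                       `json:"materials,omitempty"`
}

// Material is a SLSA v0.2 build input: a URI plus digests.
type Material struct {
	URI    string            `json:"uri"`
	Digest map[string]string `json:"digest"`
}

// SPDXPackage is a hypothetical slice of an SPDX package, holding only what the attestation needs.
type SPDXPackage struct {
	Name      string
	Checksums map[string]string // SPDX algorithm name (e.g. "SHA256") -> hex digest
}

// SubjectsFromSPDX turns SBOM packages into in-toto subjects. Packages with no checksum are
// skipped: a subject without a digest can never be matched to an artifact, so listing it
// would only give a false sense of coverage.
func SubjectsFromSPDX(pkgs []SPDXPackage) []Subject {
	var subs []Subject
	for _, p := range pkgs {
		if len(p.Checksums) == 0 {
			continue
		}
		d := make(map[string]string, len(p.Checksums))
		for alg, v := range p.Checksums {
			d[strings.ToLower(alg)] = strings.ToLower(v) // in-toto uses lowercase algorithm names and hex
		}
		subs = append(subs, Subject{Name: p.Name, Digest: d})
	}
	return subs
}

// NewStatement wraps the subjects in a SLSA v0.2 provenance statement.
func NewStatement(pkgs []SPDXPackage, builderID, buildType string) Statement {
	st := Statement{Type: StatementType, PredicateType: SLSAProvenanceV02, Subject: SubjectsFromSPDX(pkgs)}
	st.Predicate.Builder.ID = builderID
	st.Predicate.BuildType = buildType
	return st
}

// VerifySubject is what a downstream consumer runs before trusting the statement for an
// artifact: hash what it actually holds and require an exact sha256 match with the subject.
func VerifySubject(st Statement, name string, artifact []byte) bool {
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	for _, s := range st.Subject {
		if s.Name == name {
			return s.Digest["sha256"] == want
		}
	}
	return false
}

// Constructed sample input: one package with a checksum and one without.
var artifact = []byte("constructed artifact contents\n")

func samplePackages() []SPDXPackage {
	sum := sha256.Sum256(artifact)
	return []SPDXPackage{
		{Name: "bin/app", Checksums: map[string]string{"SHA256": hex.EncodeToString(sum[:])}},
		{Name: "vendor-noinfo", Checksums: nil},
	}
}

func main() {
	st := NewStatement(samplePackages(), "https://ci.example.invalid/builder", "https://ci.example.invalid/build/v1")
	out, _ := json.MarshalIndent(st, "", "  ")
	fmt.Println(string(out))
	fmt.Println("bin/app verifies:", VerifySubject(st, "bin/app", artifact))
	fmt.Println("tampered verifies:", VerifySubject(st, "bin/app", []byte("tampered")))
}
```

The statement shown is plain data, not evidence: on its own it proves nothing about who produced it. Before a downstream stage relies on it, the statement has to be carried in a signed DSSE envelope and that signature checked against the builder key the consumer expects; only then does VerifySubject, binding the artifact in hand to the SBOM by digest, mean something.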

Uncategorized

  • Use the default Docker keychain to leverage auth mechanisms so that we can allow users to work with non-public remote images. (#18, @jdolitsky)

Dependencies

Added

  • github.com/DataDog/datadog-go: v3.2.0+incompatible
  • github.com/cenkalti/backoff/v4: v4.1.1
  • github.com/circonus-labs/circonus-gometrics: v2.3.1+incompatible
  • github.com/circonus-labs/circonusllhist: v0.1.3
  • github.com/hashicorp/go-hclog: v1.0.0
  • github.com/hashicorp/go-retryablehttp: v0.5.3
  • github.com/iancoleman/strcase: v0.2.0
  • github.com/lyft/protoc-gen-star: v0.5.3
  • github.com/sagikazarmark/crypt: v0.3.0
  • github.com/secure-systems-lab/go-securesystemslib: v0.3.0
  • github.com/tv42/httpunix: b75d861

Changed

Removed

  • github.com/bketelsen/crypt: v0.0.4
  • github.com/hashicorp/go.net: v0.0.1
  • github.com/mitchellh/gox: v0.4.0
  • github.com/mitchellh/iochan: v1.0.0