Release v0.2.0

This is the first release of bom after the code move from kubernetes/release to its own repository! A big big thank you to all contributors that sent patches to the project.

Release Notes

Changes by Kind

Deprecation

• Added a few more unit tests to the spdx package to cover the following functions: spdx.GetImageReferences spdx.TestPullImagesToArchive spdx.TestGetDirectoryTree spdx.TestIgnorePatterns
  • bom: The --tarballs flag is now deprecated. It has been replaced with --image-archive during demos and chats, it proved to be confusing (it still works but will print a warning)
  • bom: There is a new flag: --archive. When enabled, bom adds archives (currently tars) as spdx packages to the doc. Its files are license-scanned and listed in the package
  • bom: Passing a flag defining the SPDX document namespace is not required anymore. The generator now defines it using the spdx.org public URL defined in the 2.2+ spec.
  • The spdx package now supports reading compressed tars (#4, @puerco)

Feature

• Add initial filetype support (#12, @cpanato)
• New container image layer scanner for checking inside of layers for OS data. The first version supports extracting packages from debian based OSs. (#31, @puerco)
• bom generate can now output provenance attestations along SBOMs. When specifying a json file using the new --provenance flag, bom will dump the SPDX data as an in-toto attestation with all the SBOM entities as in-toto subjects. The statement can then be picked up by later CI/CD stages to complete the rest of the build data. (#14, @puerco)

Failing Test

• Fixed flakes in TestWriteProvenance and TestToProvenance where the test would fail one every three runs (#25, @puerco)

Other (Cleanup or Flake)

• The provenance package now produces attestations conformant to the SLSA v0.2 specification. (#13, @puerco)

Uncategorized

• Use the default Docker keychain to leverage auth mechanisms so that we can allow users to work with non-public remote images. (#18, @jdolitsky)

Dependencies

Added

• github.com/DataDog/datadog-go: v3.2.0+incompatible
• github.com/cenkalti/backoff/v4: v4.1.1
• github.com/circonus-labs/circonus-gometrics: v2.3.1+incompatible
• github.com/circonus-labs/circonusllhist: v0.1.3
• github.com/hashicorp/go-hclog: v1.0.0
• github.com/hashicorp/go-retryablehttp: v0.5.3
• github.com/iancoleman/strcase: v0.2.0
• github.com/lyft/protoc-gen-star: v0.5.3
• github.com/sagikazarmark/crypt: v0.3.0
• github.com/secure-systems-lab/go-securesystemslib: v0.3.0
• github.com/tv42/httpunix: b75d861

Changed

• cloud.google.com/go/firestore: v1.1.0 → v1.6.1
• cloud.google.com/go: v0.97.0 → v0.99.0
• github.com/Microsoft/hcsshim: v0.8.21 → v0.8.23
• github.com/armon/go-metrics: f0300d1 → v0.3.10
• github.com/armon/go-radix: 7fddfc3 → v1.0.0
• github.com/census-instrumentation/opencensus-proto: v0.2.1 → v0.3.0
• github.com/cespare/xxhash/v2: v2.1.1 → v2.1.2
• github.com/cncf/xds/go: cb28da3 → a8f9461
• github.com/containerd/containerd: v1.5.7 → v1.5.8
• github.com/containerd/stargz-snapshotter/estargz: v0.10.0 → v0.10.1
• github.com/containerd/ttrpc: v1.0.2 → v1.1.0
• github.com/docker/cli: v20.10.10+incompatible → v20.10.12+incompatible
• github.com/docker/docker: v20.10.10+incompatible → v20.10.12+incompatible
• github.com/envoyproxy/go-control-plane: cf90f65 → v0.10.1
• github.com/envoyproxy/protoc-gen-validate: v0.1.0 → v0.6.2
• github.com/fatih/color: v1.7.0 → v1.13.0
• github.com/fsnotify/fsnotify: v1.4.9 → v1.5.1
• github.com/golang/groupcache: 8c9f03a → 41bb18b
• github.com/google/go-containerregistry: v0.7.0 → v0.8.0
• github.com/googleapis/gax-go/v2: v2.1.0 → v2.1.1
• github.com/hashicorp/consul/api: v1.1.0 → v1.11.0
• github.com/hashicorp/consul/sdk: v0.1.1 → v0.8.0
• github.com/hashicorp/go-cleanhttp: v0.5.1 → v0.5.2
• github.com/hashicorp/go-immutable-radix: v1.0.0 → v1.3.1
• github.com/hashicorp/go-multierror: v1.0.0 → v1.1.0
• github.com/hashicorp/go-rootcerts: v1.0.0 → v1.0.2
• github.com/hashicorp/golang-lru: v0.5.1 → v0.5.4
• github.com/hashicorp/mdns: v1.0.0 → v1.0.4
• github.com/hashicorp/memberlist: v0.1.3 → v0.3.0
• github.com/hashicorp/serf: v0.8.2 → v0.9.6
• github.com/in-toto/in-toto-golang: v0.3.3 → af1f9fb
• github.com/json-iterator/go: v1.1.11 → v1.1.12
• github.com/magefile/mage: v1.11.0 → v1.12.1
• github.com/mattn/go-colorable: v0.0.9 → v0.1.12
• github.com/mattn/go-isatty: v0.0.4 → v0.0.14
• github.com/miekg/dns: v1.0.14 → v1.1.41
• github.com/mitchellh/cli: v1.0.0 → v1.1.0
• github.com/mitchellh/mapstructure: v1.4.1 → v1.4.3
• github.com/modern-go/reflect2: v1.0.1 → v1.0.2
• github.com/opencontainers/image-spec: 8e42a01 → v1.0.2
• github.com/pascaldekloe/goe: 57f6aae → v0.1.0
• github.com/pelletier/go-toml: v1.9.3 → v1.9.4
• github.com/posener/complete: v1.1.1 → v1.2.3
• github.com/shibumi/go-pathspec: v1.2.0 → v1.3.0
• github.com/smartystreets/goconvey: v1.6.4 → 68dc04a
• github.com/spf13/cast: v1.3.1 → v1.4.1
• github.com/spf13/cobra: v1.2.1 → v1.3.0
• github.com/spf13/viper: v1.8.1 → v1.10.0
• github.com/yuin/goldmark: v1.4.0 → v1.4.1
• go.etcd.io/etcd/api/v3: v3.5.0 → v3.5.1
• go.etcd.io/etcd/client/pkg/v3: v3.5.0 → v3.5.1
• go.etcd.io/etcd/client/v2: v2.305.0 → v2.305.1
• golang.org/x/crypto: 83a5a9b → e495a2d
• golang.org/x/net: 58aab5e → fe4d628
• golang.org/x/sys: 99a5385 → 1d35b9e
• golang.org/x/text: v0.3.6 → v0.3.7
• golang.org/x/time: 3af7569 → f8bda1e
• golang.org/x/tools: v0.1.7 → v0.1.8
• google.golang.org/api: v0.57.0 → v0.62.0
• google.golang.org/genproto: 482062a → 3a66f56
• google.golang.org/grpc: v1.42.0 → v1.43.0
• gopkg.in/ini.v1: v1.62.0 → v1.66.2
• k8s.io/utils: 2afb431 → 7d6a63d

Removed

• github.com/bketelsen/crypt: v0.0.4
• github.com/hashicorp/go.net: v0.0.1
• github.com/mitchellh/gox: v0.4.0
• github.com/mitchellh/iochan: v1.0.0