v0.10.0
Changes by Kind
Feature
- Allows more options to be passed to the SPDX document builder
- File analysis is now done in parallel, speeding up the Kubernetes BOM generation significantly
- When generating an SPDX package from a directory, file paths will now be relative to the dir root
- Golang packages that have local replacements will be honored, saving a considerable amount of downloads
- Fixed a bug where we would erase the local golang package install
- Fixed a bug where license data would be saved in the download cache directory, resulting in the license classifier having a lower accuracy
- Golang packages will now include all license text in the SBOM as well as the SPDX license identifier
- New function `license.ReadTopLicense()` will scan and return only the most significant license in a directory, potentially avoiding thousands of operations in the classifier code. (#2096, @puerco) [SIG Release]
- Apache-2.0 is now defined as the default and expressed license in packages
- The SPDX package now supports ExternalDocRef making it possible to define external documents related to an SBOM
- Added functions to the `release` package to get the produced artifacts (ListBuildImages, ListBuildTarballs, ListBuildBinaries)
- Added release tarballs (client, server, node) to artifacts SBOM
- Binaries are now listed with their correct relative paths in the artifacts SBOM
- Fixed a bug where SPDX IDs would clash when two packages shared the same base image
- The source code SBOM is now referenced by the artifacts SBOM packages as GENERATED_FROM
- Added tests to ensure SPDX Relationships render correctly (#2156, @puerco) [SIG Release]
- Changed archived Kubernetes release sources to be compressed as tarball (#2130, @saschagrunert) [SIG Release]
- Debian-base: Build buster-v1.8.0 image (#2135, @jindijamie) [SIG Release]
- Debian-base: Build buster-v1.9.0 image (#2189, @justaugustus) [SIG Release]
- Debian-iptables: Build buster-v1.6.5 image
- setcap: Build buster-v2.0.3 image (#2142, @justaugustus) [SIG Release]
- Debian-iptables: Build buster-v1.6.6 image
- setcap: Build buster-v2.0.4 image (#2192, @justaugustus) [SIG Release]
- Fixed a bug that was causing errors downloading Go packages; except for a few specific deps, we now have licensing data for all packages.
- Correct a bug where HTML entities were being introduced into the spdx licenses and output. The code was wrongly using html/template instead of text/template.
- There is now a new Relationship type and a better way to relate objects among themselves via a new `spdx.Object` interface
- New SPDX object interface. This is important as we will start having functions that can take either packages or files, hence we create the interface to address them both
- Changes the way image references are treated when generating an SBOM from an image reference. The spdx package will now fetch all images for all architectures found
- New function to generate a valid SPDX ID string; optionally it can take strings as seeds to generate a more intuitive ID for packages and files.
- Fixes a bug where month and day were in the wrong order in the SPDX document date. (#2147, @puerco) [SIG Release]
- K8s-ci-builder: Add 1.22 variant, drop 1.18 variant
- k8s-ci-builder: Add 1.23 variant
- k8s-ci-builder: Build go1.16.6 images
- k8s-cloud-builder: Build v1.17.0-rc.1-1 image (#2168, @justaugustus) [SIG Release]
- K8s-cloud-builder/k8s-ci-builder: Build image using go1.15.15 (#2200, @cpanato) [SIG Release]
- K8s-cloud-builder/k8s-ci-builder: Build image using go1.16.7 (#2198, @cpanato) [SIG Release]
- K8s-cloud-builder: Build image using go1.16.6 (#2163, @puerco) [SIG Release]
- K8s-cloud-builder: Build v1.17.0-rc.2-1 image (#2190, @justaugustus) [SIG Release]
- Schedule-builder: add new field (#2173, @cpanato) [SIG Release]
- Stage now runs completely without setting the GitHub token in the k/k clone remote configuration
- The `binary.Binary` object has a new method `ContainsString()` that allows for searching inside the binary for one or more strings.
- The release process now has a new step during staging: `VerifyArtifacts`, during which we will perform checks of the artifacts we produce.
- Binaries are now checked to ensure they are of the expected platform/arch
- The version tag in binaries is now checked to ensure they match each release version tag
- Fixed a bug in `release.ListBuildBinaries` where server and client tarballs were wrongly included in the output. (#2160, @puerco) [SIG Release]
- Update `dependencies.yaml` 1.15 to use Go 1.15.14
- When running release from a non-main branch, krel will now merge any commits before pushing the branch back to GitHub, avoiding conflicts due to divergent branches. (#2128, @puerco) [SIG Release]
- When staging a new Kubernetes build, `krel` will now prewarm the license cache to have the classifier data ready when generating the bill of materials.
- The release process staging phase now has a `GenerateBillOfMaterials()` step that builds the SPDX documents.
- We now create an SPDX SBOM describing the Kubernetes source during staging
- Each version in a release now features an SPDX bill of materials listing its binaries and images
- stage.GenerateBillOfMaterials() now has an integration test (#2095, @puerco) [SIG Release]
- [go1.15] Update kubernetes/kubernetes dependents to use Go 1.15.13
- k8s-cloud-builder: Build v1.15.13-legacy-1/v1.15.13-1 image
- k8s-ci-builder: Build image variants using Go 1.15.13 (#2122, @thejoycekung) [SIG Release]
- [go1.16] Update kubernetes/kubernetes dependents to use go1.16.5
- [go1.17] Build images for go1.17rc1 (#2117, @justaugustus) [SIG Release]
- [go1.17] Build images for go1.17rc2 (#2188, @justaugustus) [SIG Release]
- [go] go1.16.5 and go1.15.13 updates
- [go] go1.16.6 and go1.15.14 updates
- kube-cross: Build v1.16.6-1 and v1.15.14-1 images
- go-runner: Build v2.3.1-go1.16.6-buster.0 and v2.3.1-go1.15.14-buster.0
- releng-ci: build image for go1.16.6 and go1.15.14
- kubepkg/packages-deb: update base image to go1.16.6 (#2162, @mengjiao-liu) [SIG Release]
- [go] go1.16.7 and go1.15.15 updates
- go-runner: Build v2.3.1-go1.16.7-buster.0 and v2.3.1-go1.15.15-buster.0
- releng-ci: build image for go1.16.6 and go1.15.15
- kube-cross: Build v1.16.7-1 and v1.15.15-1 images
- kubepkg/packages-deb: update base image to go1.16.7
- k8s-cloud-builder: Build v1.16.7-1 / v1.15.15-1 / v1.15.15-legacy-1 images (#2197, @cpanato) [SIG Release]
- `PrerequisitesChecker` now has options; currently the only one is `CheckGitHubToken`. This bool allows us to run without setting the GITHUB_TOKEN variable when not needed (#2138, @puerco) [SIG Release]
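The html/template versus text/template entry above (#2147) is the kind of bug that is easy to see in code. The following Go program is an added example, not code from kubernetes/release: it renders a constructed SPDX-style `ExtractedText` entry with both packages and adds a small check that flags entity-encoded output, the symptom a reviewer of a generated SBOM would look for. The `licenseTmpl` string, the `license` struct and the `hasHTMLEntities` helper are assumptions made for this illustration, not the project's own template or API.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// license is a constructed stand-in for an SPDX extracted-license entry.
type license struct {
	ID   string
	Text string
}

// licenseTmpl mimics the SPDX tag-value form, which wraps free text in
// <text>...</text>. It is an assumption for this example, not the template
// used by the release tooling.
const licenseTmpl = "LicenseID: {{.ID}}\nExtractedText: <text>{{.Text}}</text>\n"

// renderWithHTMLTemplate reproduces the bug: html/template treats the data
// fields as untrusted HTML content and entity-encodes &, <, >, quotes and +.
func renderWithHTMLTemplate(l license) (string, error) {
	t, err := htmltemplate.New("spdx").Parse(licenseTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, l); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithTextTemplate is the fix: text/template performs no contextual
// escaping, so the license text is emitted byte for byte.
func renderWithTextTemplate(l license) (string, error) {
	t, err := texttemplate.New("spdx").Parse(licenseTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, l); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// hasHTMLEntities is a heuristic regression check: output that is supposed
// to carry verbatim license text should not contain HTML entities unless
// the source text itself did.
func hasHTMLEntities(s string) bool {
	for _, e := range []string{"&amp;", "&lt;", "&gt;", "&#34;", "&#39;", "&#43;"} {
		if strings.Contains(s, e) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a copyright line with characters html/template rewrites.
	l := license{ID: "LicenseRef-Example", Text: "Copyright (c) 2021 Foo & Bar <legal@example.com>"}
	for name, render := range map[string]func(license) (string, error){
		"html/template": renderWithHTMLTemplate,
		"text/template": renderWithTextTemplate,
	} {
		out, err := render(l)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s (entities present: %v):\n%s\n", name, hasHTMLEntities(out), out)
	}
}
```

Running it shows `Foo &amp; Bar &lt;legal@example.com&gt;` from the html/template path and the untouched line from text/template. The broader lesson is that html/template's escaping is keyed to the HTML output context, so it is the wrong tool for any non-HTML text format such as SPDX tag-value, JSON or YAML; a check like `hasHTMLEntities` over generated SBOMs is a cheap way to catch the mistake in CI.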
Documentation
- Add documentation for the `bom` utility
Bug or Regression
- Debian-iptables: select nft mode if ntf lines > legacy lines, matching https://github.com/kubernetes-sigs/iptables-wrappers/ (#2106, @BenTheElder) [SIG Release]
- Fixed a bug where creating a PR would fail with a too many open files error. (#2180, @puerco) [SIG Release]
- Fixed a bug where the changelog table of contents was generated before dependency changes. (#2194, @saschagrunert) [SIG Release]
- Git Pusher will now check for a remote branch before attempting to fetch + merge (#2177, @puerco) [SIG Release]
- Update `go-git` to v5.4.2 to fix a bug that prevented the release process from cloning repositories (#2104, @puerco) [SIG Release]
Other (Cleanup or Flake)
- Changed `krel --log-level=debug` output to be less verbose in terms of git commands. The previous behavior can be restored by using the `trace` log level. (#2136, @saschagrunert) [SIG Release]
- Debian-iptables: Build buster-v1.6.3 image
- Debian-iptables: Stop pinning the iptables version
- debian-iptables: Build buster-v1.6.4 image (#2134, @justaugustus) [SIG Release]
- Gcb/stage: Add read-only GITHUB_TOKEN to enable relnotes generation (#2140, @justaugustus) [SIG Release]
- Gcb/stage: Remove extraneous GITHUB_TOKEN from config. Given we no longer set an authenticated git environment in the staging phase of the release, we no longer need to include the GitHub token in the secrets environment. (#2137, @justaugustus) [SIG Release]
- Gcb: Update GITHUB_TOKEN to use new authentication token format (#2126, @justaugustus) [SIG Release]
- Kube-cross: Build v1.16.5-canary-2 image without etcd (#2124, @justaugustus)
- Namespaces for the SPDX documents now use the `sbom.k8s.io` URI as the final place for the Kubernetes SBOMs. (#2186, @puerco) [SIG Release]
- Packages/deb: Use ci/latest.txt as canonical cross build marker (#2153, @justaugustus) [SIG Release]
- Push-build.sh defaults to k8s-release-dev instead of kubernetes-release-dev (kubernetes/k8s.io#846) (#2158, @spiffxp) [SIG Release]
- When training the license classifier, the `license` package will now ignore deprecated license IDs from the SPDX catalog. (#2159, @puerco) [SIG Release]
Dependencies
Added
- bazil.org/fuse: 371fbbd
- github.com/Azure/azure-sdk-for-go: v16.2.1+incompatible
- github.com/Azure/go-autorest/autorest/adal: v0.9.5
- github.com/Azure/go-autorest/autorest/date: v0.3.0
- github.com/Azure/go-autorest/autorest/mocks: v0.4.1
- github.com/Azure/go-autorest/autorest: v0.11.1
- github.com/Azure/go-autorest/logger: v0.2.0
- github.com/Azure/go-autorest/tracing: v0.6.0
- github.com/Azure/go-autorest: v14.2.0+incompatible
- github.com/Microsoft/hcsshim/test: 43a75bb
- github.com/Microsoft/hcsshim: v0.8.16
- github.com/Shopify/logrus-bugsnag: 577dee2
- github.com/alexflint/go-filemutex: 72bdc8e
- github.com/antihax/optional: v1.0.0
- github.com/asaskevich/govalidator: f61b66f
- github.com/bitly/go-simplejson: v0.5.0
- github.com/bmizerany/assert: b7ed37b
- github.com/bshuster-repo/logrus-logstash-hook: v0.4.1
- github.com/buger/jsonparser: f4dd9f5
- github.com/bugsnag/bugsnag-go: b1d1530
- github.com/bugsnag/osext: 0dd3f91
- github.com/bugsnag/panicwrap: e2c2850
- github.com/cespare/xxhash/v2: v2.1.1
- github.com/checkpoint-restore/go-criu/v4: v4.1.0
- github.com/cilium/ebpf: v0.4.0
- github.com/cncf/xds/go: fbca930
- github.com/cockroachdb/datadriven: 80d97fb
- github.com/containerd/aufs: v1.0.0
- github.com/containerd/btrfs: v1.0.0
- github.com/containerd/cgroups: v1.0.1
- github.com/containerd/console: v1.0.2
- github.com/containerd/continuity: v0.1.0
- github.com/containerd/fifo: v1.0.0
- github.com/containerd/go-cni: v1.0.2
- github.com/containerd/go-runc: v1.0.0
- github.com/containerd/imgcrypt: v1.1.1
- github.com/containerd/nri: v0.1.0
- github.com/containerd/ttrpc: v1.0.2
- github.com/containerd/typeurl: v1.0.2
- github.com/containerd/zfs: v1.0.0
- github.com/containernetworking/cni: v0.8.1
- github.com/containernetworking/plugins: v0.9.1
- github.com/containers/ocicrypt: v1.1.1
- github.com/coreos/go-iptables: v0.5.0
- github.com/coreos/go-oidc: v2.1.0+incompatible
- github.com/coreos/go-systemd/v22: v22.3.2
- github.com/cyphar/filepath-securejoin: v0.2.2
- github.com/d2g/dhcp4: a1d1b6c
- github.com/d2g/dhcp4client: v1.0.0
- github.com/d2g/dhcp4server: 7d4a0a7
- github.com/d2g/hardwareaddr: e7d9fbe
- github.com/denverdino/aliyungo: a747050
- github.com/dnaeon/go-vcr: v1.0.1
- github.com/docker/go-events: e31b211
- github.com/docker/go-metrics: v0.0.1
- github.com/docker/libtrust: fa56704
- github.com/docker/spdystream: 449fdfc
- github.com/dustin/go-humanize: v1.0.0
- github.com/elazarl/goproxy: 947c36d
- github.com/evanphx/json-patch: v4.9.0+incompatible
- github.com/form3tech-oss/jwt-go: v3.2.2+incompatible
- github.com/frankban/quicktest: v1.11.3
- github.com/fullsailor/pkcs7: d7302db
- github.com/garyburd/redigo: 535138d
- github.com/go-ini/ini: v1.25.4
- github.com/godbus/dbus/v5: v5.0.4
- github.com/godbus/dbus: ade71ed
- github.com/gogo/googleapis: v1.4.0
- github.com/gorilla/handlers: 60c7bfd
- github.com/gregjones/httpcache: 9cad4c3
- github.com/j-keck/arping: 2cf9dc6
- github.com/kr/fs: v0.1.0
- github.com/marstr/guid: v1.1.0
- github.com/mattn/go-shellwords: v1.0.3
- github.com/miekg/pkcs11: v1.0.3
- github.com/mistifyio/go-zfs: f784269
- github.com/mitchellh/osext: 5e2d6d4
- github.com/moby/locker: v1.0.1
- github.com/moby/sys/mountinfo: v0.4.1
- github.com/moby/sys/symlink: v0.1.0
- github.com/mrunalp/fileutils: v0.5.0
- github.com/mxk/go-flowrate: cca7078
- github.com/ncw/swift: v1.0.47
- github.com/opencontainers/runc: v1.0.0-rc93
- github.com/opencontainers/runtime-spec: e6143ca
- github.com/opencontainers/runtime-tools: 1d69bd0
- github.com/opencontainers/selinux: v1.8.0
- github.com/peterbourgon/diskv: v2.0.1+incompatible
- github.com/pkg/sftp: v1.10.1
- github.com/pquerna/cachecontrol: 0dec1b3
- github.com/safchain/ethtool: 42ed695
- github.com/satori/go.uuid: v1.2.0
- github.com/seccomp/libseccomp-golang: v0.9.1
- github.com/stefanberger/go-pkcs11uri: 78d3cae
- github.com/syndtr/gocapability: 42c35b4
- github.com/tchap/go-patricia: v2.2.6+incompatible
- github.com/urfave/cli: v1.22.2
- github.com/vishvananda/netlink: d40f988
- github.com/vishvananda/netns: db3c7e5
- github.com/willf/bitset: v1.1.11
- github.com/xeipuuv/gojsonpointer: 4e3ac27
- github.com/xeipuuv/gojsonreference: bd5ef7b
- github.com/xeipuuv/gojsonschema: 1d52303
- github.com/yvasiyarov/go-metrics: 57bccd1
- github.com/yvasiyarov/gorelic: a9bba5b
- github.com/yvasiyarov/newrelic_platform_go: b21fdbd
- go.etcd.io/etcd/api/v3: v3.5.0
- go.etcd.io/etcd/client/pkg/v3: v3.5.0
- go.etcd.io/etcd/client/v2: v2.305.0
- go.etcd.io/etcd: dd1b699
- go.mozilla.org/pkcs7: 432b235
- go.opentelemetry.io/proto/otlp: v0.7.0
- google.golang.org/cloud: 975617b
- google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.1.0
- gopkg.in/airbrake/gobrake.v2: v2.0.9
- gopkg.in/cheggaaa/pb.v1: v1.0.25
- gopkg.in/gemnasium/logrus-airbrake-hook.v2: v2.1.2
- gopkg.in/inf.v0: v0.9.1
- gopkg.in/natefinch/lumberjack.v2: v2.0.0
- gopkg.in/square/go-jose.v2: v2.5.1
- k8s.io/api: v0.20.6
- k8s.io/apimachinery: v0.20.6
- k8s.io/apiserver: v0.20.6
- k8s.io/client-go: v0.20.6
- k8s.io/component-base: v0.20.6
- k8s.io/cri-api: v0.20.6
- k8s.io/kubernetes: v1.13.0
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.15