# Release 2.12.0 ## Summary This release is a mix of features, bug fixes, and technical debt cleanup. In accordance with [EO 14028](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/), this release added functionality to ensure that Tern's SPDX reports include all of the [NTIA's minimum elements for an SBOM](https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields). This release also adds [Package URL](https://github.com/package-url/purl-spec) (purl) [external references](https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field) to SPDX reports. Finally, this release includes an important security update for GitPython to address [CVE-2022-24439](https://nvd.nist.gov/vuln/detail/CVE-2022-24439). ## New Features * [Add purl ExternalRefs to SPDX reports](https://github.com/tern-tools/tern/issues/1206) * [Add package architecture info to data model](https://github.com/tern-tools/tern/commit/3624b3020773e5b2f51fa8f8e5aa01825355aff8) * [Add package supplier info to SPDX reports](https://github.com/tern-tools/tern/issues/1205) ## Bug Fixes * [Catch all invalid license key characters](https://github.com/tern-tools/tern/issues/1203) * [Fix container package version when no tag provided](https://github.com/tern-tools/tern/issues/1214) * [Fix container package name when analyzing local image](https://github.com/tern-tools/tern/issues/1212) * [Commas included in SPDX license expressions instead of 'AND'](https://github.com/tern-tools/tern/issues/1223) * [Remove slashes from SPDX package refs](https://github.com/tern-tools/tern/issues/1220) ## Technical Debt * [Add version info to layer Packages in SPDX reports](https://github.com/tern-tools/tern/issues/1205) * [Update SPDX LicenseListVersion to 3.20](https://github.com/tern-tools/tern/commit/ba67656e1672588094f7c5665bde1076ea31409c) ## Changelog Note: This changelog will not include these release notes Changelog generated by command: `git log --pretty=format:"%h %s" v2.11.0..HEAD` ``` ba67656 Update LicenseListVersion to 3.20 ea97fb6 Remove slashes from SPDX package refs 6be6976 Invalid chars included in SPDX declared licenses c4b3508 Add purl information to SPDX reports a5ebbc1 Add purl information to SPDX reports eec8761 Add pkg_supplier collection method for tdnf 3624b30 Add package architecture info to data model 5ab79f3 Change pacman and go pkg_format to mirror PURL df242ba Correctly parse and report local image names b45e584 Add package supplier info to Tern reports ede4645 Add package supplier info to SPDX reports bb2a724 Add package supplier info to package objects 2e51f67 Add version info to layer Packages in SPDX reports 700df46 Catch all invalid license key characters ``` ## Contributors ``` Marc-Etienne Vargenau marc-etienne.vargenau@nokia.com Ivana Atanasova iyovcheva@vmware.com ``` ## Contact the Maintainers Rose Judge: rjudge@vmware.com Nisha Kumar: nishak@vmware.com