Releases: oracle/macaron
Releases · oracle/macaron
v0.16.0
v0.16.0 (2025-04-24)
Feat
- detect vulnerable GitHub Actions (#1021)
- check PyPI registry when deps.dev fails to find a source repository (#982)
- add callgraph and build cmd detection for Jenkins (#977)
Fix
- fix incorrect skip result evaluation causing false positives in PyPI malware reporting (#1031)
- use 'isDefault' version from deps dev api (#1019)
Refactor
- log the SLSA summary in verbose mode only (#1063)
- log relative paths for file (#1032)
- use problog for suspicious combinations (#997)
v0.15.0
v0.15.0 (2025-03-10)
Feat
- add Repo Finder and Commit Finder outcomes to database (#892)
- add in new metadata-based heuristic to pypi malware analyzer (#944)
- find repo from latest artifact when provided artifact has none (#931)
- obtain Java and Python artifacts from .m2 or Python virtual environment from input (#864)
- include inspector package urls as part of the malicious metadata facts for pypi packages (#935)
- add a new setup.py related heuristic in the pypi malware analyzer (#932)
Fix
- update already present repositories (#949)
- report known malware even when not labeled (#956)
Refactor
- replace unreachable project links heuristic with source code repo heuristic (#983)
- remove the deprecated --skip-deps command-line option. (#943)
v0.14.0
v0.14.0 (2024-11-26)
Feat
- report known malware for all ecosystems (#922)
- add command to run repo and commit finder without analysis (#827)
- add a new check to report the build tool (#914)
- verify whether the reported repository can be linked back to the artifact (#873)
- allow specifying the dependency depth resolution through CLI and make dependency resolution off by default (#840)
Fix
- block terminal prompts in find source (#918)
- fix a bug in GitHub Actions matrix variable resolution (#896)
- prevent endless loop on 403 GitHub response (#866)
Refactor
- accept provenance data in artifact pipeline check (#872)
- remove --config-path from CLI (#844)
v0.13.0
v0.13.0 (2024-09-16)
Feat
- add a script to check VSA (#858)
Fix
- use gnu-sed on mac instead of the built-in sed command (#853)
v0.12.0
v0.12.0 (2024-08-16)
Feat
- verify npm SLSA provenance against signed npm provenance (#747)
- add a check to analyze malicious Python packages (#750)
- add support for SLSA v1 provenance with OCI build type (#778)
Fix
- accept provenances that are not inferred in the provenance checks (#802)
- use artifact filenames as keys for verifying jfrog assets in provenance_witness_l1_check (#796)
v0.11.0
v0.11.0 (2024-06-18)
Feat
- add dependency resolution for Python (#748)
- add checks to determine if repo and commit came from provenance (#704)
- add support for GitHub provenances passed as input (#732)
Fix
- modify verify-policy to exits succesfully if a passed policy exists and allow components having no repository to pass policies (#766)
- force docker to use linux/amd64 platform (#768)
- do not fetch from origin/HEAD for local repo targets (#734)
v0.10.0
v0.10.0 (2024-04-29)
Feat
- allow provenance files to be files containing a URL pointing to the actual provenance file which will be transparently downloaded (#710)
- allow defining a git service from defaults.ini (#694)
- improve VSA generation with digest for each subject (#685)
Fix
- improve run_macaron.sh bash and docker version compatibility (#717)
- store language in build as code check for non-GitHub CI services (#716)
- extract digest from provenance when repo path is provided but digest is not provided from the user (#711)
- fix a compatibility issue in run_macaron.sh for macOS (#701)
- make build script check fail when no repo is found (#699)
v0.9.0
v0.9.0 (2024-04-05)
Feat
- extend static analysis and compute confidence scores for deploy commands (#673)
- use provenance to find commits for supported PURL types. (#653)
Fix
- preserve the order of elements of lists extracted from defaults.ini (#660)
v0.8.0
v0.8.0 (2024-03-05)
Feat
- discover slsa v1 provenances for npm packages (#639)
- add exclude and include check in ini config (#254)
- introduce confidence scores for check facts (#620)
- follow indirect repository URLs (#629)
- use repository url provided as input for finding a commit (#622)
v0.7.0
v0.7.0 (2024-01-18)
Feat
- support tox to publish artifacts to PyPI (#599)
- generate Verification Summary Attestation (#592)
- map artifacts to commits via repo tags (#508)
- find SLSA provenance v0.2 published on npm registry (#551)
