v0.15.0

v0.15.0 (2025-03-10)

Feat

• add Repo Finder and Commit Finder outcomes to database (#892)
• add in new metadata-based heuristic to pypi malware analyzer (#944)
• find repo from latest artifact when provided artifact has none (#931)
• obtain Java and Python artifacts from .m2 or Python virtual environment from input (#864)
• include inspector package urls as part of the malicious metadata facts for pypi packages (#935)
• add a new setup.py related heuristic in the pypi malware analyzer (#932)

Fix

• update already present repositories (#949)
• report known malware even when not labeled (#956)

Refactor

• replace unreachable project links heuristic with source code repo heuristic (#983)
• remove the deprecated --skip-deps command-line option. (#943)

v0.14.0

v0.14.0 (2024-11-26)

Feat

• report known malware for all ecosystems (#922)
• add command to run repo and commit finder without analysis (#827)
• add a new check to report the build tool (#914)
• verify whether the reported repository can be linked back to the artifact (#873)
• allow specifying the dependency depth resolution through CLI and make dependency resolution off by default (#840)

Fix

• block terminal prompts in find source (#918)
• fix a bug in GitHub Actions matrix variable resolution (#896)
• prevent endless loop on 403 GitHub response (#866)

Refactor

• accept provenance data in artifact pipeline check (#872)
• remove --config-path from CLI (#844)

v0.13.0

v0.13.0 (2024-09-16)

Feat

• add a script to check VSA (#858)

Fix

• use gnu-sed on mac instead of the built-in sed command (#853)

v0.12.0

v0.12.0 (2024-08-16)

Feat

• verify npm SLSA provenance against signed npm provenance (#747)
• add a check to analyze malicious Python packages (#750)
• add support for SLSA v1 provenance with OCI build type (#778)

Fix

• accept provenances that are not inferred in the provenance checks (#802)
• use artifact filenames as keys for verifying jfrog assets in provenance_witness_l1_check (#796)

v0.11.0

v0.11.0 (2024-06-18)

Feat

• add dependency resolution for Python (#748)
• add checks to determine if repo and commit came from provenance (#704)
• add support for GitHub provenances passed as input (#732)

Fix

• modify verify-policy to exits succesfully if a passed policy exists and allow components having no repository to pass policies (#766)
• force docker to use linux/amd64 platform (#768)
• do not fetch from origin/HEAD for local repo targets (#734)

v0.10.0

v0.10.0 (2024-04-29)

Feat

• allow provenance files to be files containing a URL pointing to the actual provenance file which will be transparently downloaded (#710)
• allow defining a git service from defaults.ini (#694)
• improve VSA generation with digest for each subject (#685)

Fix

• improve run_macaron.sh bash and docker version compatibility (#717)
• store language in build as code check for non-GitHub CI services (#716)
• extract digest from provenance when repo path is provided but digest is not provided from the user (#711)
• fix a compatibility issue in run_macaron.sh for macOS (#701)
• make build script check fail when no repo is found (#699)

v0.9.0

v0.9.0 (2024-04-05)

Feat

• extend static analysis and compute confidence scores for deploy commands (#673)
• use provenance to find commits for supported PURL types. (#653)

Fix

• preserve the order of elements of lists extracted from defaults.ini (#660)

v0.8.0

v0.8.0 (2024-03-05)

Feat

• discover slsa v1 provenances for npm packages (#639)
• add exclude and include check in ini config (#254)
• introduce confidence scores for check facts (#620)
• follow indirect repository URLs (#629)
• use repository url provided as input for finding a commit (#622)

v0.7.0

v0.7.0 (2024-01-18)

Feat

• support tox to publish artifacts to PyPI (#599)
• generate Verification Summary Attestation (#592)
• map artifacts to commits via repo tags (#508)
• find SLSA provenance v0.2 published on npm registry (#551)

v0.6.0

v0.6.0 (2023-11-03)

Feat

• add download timeout config (#483)
• support gzipped provenance files (#504)
• support running the analysis with SBOM and the main software component with no repository (#165)
• add support for Go, npm and Yarn build tools (#451)
• enable repo finder to support more languages via Open Source Insights (#388)

Fix

• resolve podman compatibility issues (#512)
• do not use git set-branches if the target branch is not currently available in the repository (#491)
• fix bash syntax error when running run_macaron.sh on MacOS (#528)

Refactor

• refactor interface of base check (#513)
• allow the branch name in the schema of a repository to be null (#532)

Perf

• use partial clone to reduce clone time (#389)