Releases: oracle/macaron
v0.20.0 (2025-12-04)
Feat
- improve repo finder detection and report (#1251)
- add dockerfile output for Python builds (#1242)
- add github actions for macaron (#1241)
- add --existing-policy flag in verify-policy command for predefined policies (#1189)
Fix
- sanitize version specifier and handle generator name edge case for Python builds (#1247)
v0.19.0 (2025-11-17)
Feat
- generate build specification for pure python wheels (#1221)
- add basic support for Python in gen-build-spec (#1203)
Fix
- added check for missing release information for anomalous version (#1235)
- gen-build-spec maven/gradle cli parsers failed to parse valid command lines with intermixed positional args and options (#1212)
Refactor
- show table headers in console and improve exits (#1216)
v0.18.0 (2025-10-10)
Feat
- heuristics: add whitespace check to detect excessive spacing and invisible characters for malware check (#1086)
- add reproducible central buildspec generation (#1115)
- heuristics: improve differentiation between stub packages and dependency confusion attacks (#1174)
- heuristics: add two analyzers to detect dependency confusion and distinguish from stub packages (#1117)
Fix
- gen-build-spec SQL query to look up build-as-code check build command joins on incorrect column (#1207)
- handle all tarfile extract errors (#1206)
- ensure Python 3.11.13 is used to address GHSA-4xh5-x5gv-qwph (#1197)
- docs: path of script download example (#1193)
- improve build tool detection (#1169)
Refactor
- improve logging in console for macaron commands (#1160)
v0.17.0 (2025-08-27)
Feat
- heuristics: add SimilarProjectAnalyzer to detect structural similarity across packages from same maintainer (#1089)
- heuristics: add Fake Email analyzer to validate maintainer email domain (#1106)
- add GitHub attestation discovery (#1020)
- security: add package name typosquatting detection (#1059)
- add pypi attestation discovery (#1067)
Fix
- catch defusedxml security errors (#1138)
- accept from-provenance repos as scm authentic (#1131)
- pypi: update get_maintainers_of_package to avoid request blocking (#1097)
- include inspector links with information on whether they are reachable (#1102)
v0.16.0 (2025-04-24)
Feat
- detect vulnerable GitHub Actions (#1021)
- check PyPI registry when deps.dev fails to find a source repository (#982)
- add callgraph and build cmd detection for Jenkins (#977)
Fix
- fix incorrect skip result evaluation causing false positives in PyPI malware reporting (#1031)
- use 'isDefault' version from deps dev api (#1019)
v0.15.0 (2025-03-10)
Feat
- add Repo Finder and Commit Finder outcomes to database (#892)
- add in new metadata-based heuristic to pypi malware analyzer (#944)
- find repo from latest artifact when provided artifact has none (#931)
- obtain Java and Python artifacts from .m2 or Python virtual environment from input (#864)
- include inspector package urls as part of the malicious metadata facts for pypi packages (#935)
- add a new setup.py related heuristic in the pypi malware analyzer (#932)
v0.14.0 (2024-11-26)
Feat
- report known malware for all ecosystems (#922)
- add command to run repo and commit finder without analysis (#827)
- add a new check to report the build tool (#914)
- verify whether the reported repository can be linked back to the artifact (#873)
- allow specifying the dependency depth resolution through CLI and make dependency resolution off by default (#840)
Fix
- block terminal prompts in find source (#918)
- fix a bug in GitHub Actions matrix variable resolution (#896)
- prevent endless loop on 403 GitHub response (#866)