Releases: oracle/macaron

v0.18.0 (2025-10-10 10:21)

Feat

  • heuristics: add whitespace check to detect excessive spacing and invisible characters for malware check (#1086)
  • add reproducible central buildspec generation (#1115)
  • heuristics: improve differentiation between stub packages and dependency confusion attacks (#1174)
  • heuristics: add two analyzers to detect dependency confusion and distinguish from stub packages (#1117)
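
As an added illustration of the kind of check the whitespace heuristic entry above describes (example code written for this page, not Macaron's own implementation; the 100-column run threshold and the decision to flag every Unicode format character, category Cf, are assumptions), the following scans Python source for zero-width and bidi control characters and for long runs of spaces or tabs that push code past the visible edge of an editor:

```python
"""Illustrative 'excessive spacing / invisible character' heuristic.

Added example, not Macaron's implementation. The threshold (LONG_RUN) and the
choice to flag every Unicode format character (category Cf) are assumptions.
"""
import re
import unicodedata

# Assumed threshold: a run of at least this many spaces/tabs followed by
# non-whitespace hides whatever follows beyond the right edge of most editors.
LONG_RUN = 100


def find_invisible(source):
    """Return (line, column, unicode_name) for every format (Cf) character.

    Cf covers zero-width spaces/joiners, the BOM and the bidi override
    controls used in 'Trojan Source' style attacks; none of them belong in
    ordinary source code, so each occurrence is reported.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line):
            if unicodedata.category(ch) == "Cf":
                hits.append((line_no, col, unicodedata.name(ch, "U+%04X" % ord(ch))))
    return hits


def find_long_runs(source, min_run=LONG_RUN):
    """Return (line, start_column, run_length) for whitespace runs that precede code."""
    pat = re.compile(r"[ \t]{%d,}(?=\S)" % min_run)
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = pat.search(line)
        if m:
            hits.append((line_no, m.start(), m.end() - m.start()))
    return hits


def assess(source, min_run=LONG_RUN):
    """Combine both signals; 'suspicious' is True if either one fired."""
    invisible = find_invisible(source)
    runs = find_long_runs(source, min_run)
    return {"invisible": invisible, "long_runs": runs,
            "suspicious": bool(invisible or runs)}


# Constructed samples (not real packages): a clean module, and one that hides
# an exec() call 200 columns to the right and a zero-width space inside a name.
BENIGN = "import os\n\ndef main():\n    print('hello')\n"
HIDDEN = ("import os\n"
          "x = 1" + " " * 200 + "; exec(os.environ.get('P', ''))\n"
          "na\u200bme = 'x'\n")

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("hidden", HIDDEN)):
        print(label, assess(src))
```

Flagging all of Cf is deliberately coarse: it will also hit legitimate format characters inside non-Latin string literals, which is why a production heuristic combines it with other signals rather than treating a single hit as malicious.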

Fix

  • gen-build-spec SQL query that looks up the build-as-code check's build command joined on an incorrect column (#1207)
  • handle all tarfile extract errors (#1206)
  • ensure Python 3.11.13 is used to address GHSA-4xh5-x5gv-qwph (#1197)
  • docs: path of script download example (#1193)
  • improve build tool detection (#1169)
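
The "handle all tarfile extract errors" fix above touches a general problem for any tool that unpacks untrusted package archives: extraction can fail in many ways (corrupt data, members that would write outside the destination, links pointing out of the tree, filesystem errors), and an analyzer must neither crash on such input nor write where the archive tells it to. The following is an added example written for this page, not code from Macaron: a defensive extractor that validates every member before unpacking, uses the standard library's 'data' filter when the running interpreter provides it, and reports every failure as one (ok, reason) result instead of an unhandled exception. The archives it processes are constructed inline.

```python
"""Defensive extraction of an untrusted tar archive.

Added example, not Macaron's code. Member checks are a manual belt-and-braces
layer; the stdlib 'data' filter is used in addition when available
(Python 3.12+, and the 3.8-3.11 releases that backported it).
"""
import io
import os
import tarfile
import tempfile


class UnsafeMember(Exception):
    """Raised when a member would escape the destination directory."""


def _inside(base, target):
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_member(member, dest):
    """Reject absolute paths, '..' traversal, device nodes and escaping links."""
    if os.path.isabs(member.name) or not _inside(dest, os.path.join(dest, member.name)):
        raise UnsafeMember("path escapes destination: %r" % member.name)
    if member.isdev():
        raise UnsafeMember("device file: %r" % member.name)
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            raise UnsafeMember("absolute link target: %r" % member.linkname)
        # Symlink targets are relative to the link's directory, hard links to the archive root.
        anchor = os.path.dirname(member.name) if member.issym() else ""
        if not _inside(dest, os.path.join(dest, anchor, member.linkname)):
            raise UnsafeMember("link escapes destination: %r -> %r" % (member.name, member.linkname))


def safe_extract(archive_bytes, dest):
    """Extract into dest. Returns (ok, reason) and never raises on bad input."""
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
            members = tar.getmembers()
            for m in members:
                check_member(m, dest)
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, members=members, **extra)
        return True, "ok"
    except (tarfile.TarError, UnsafeMember, OSError, ValueError, EOFError) as exc:
        # TarError covers ReadError (corrupt/truncated input) and FilterError.
        return False, "%s: %s" % (type(exc).__name__, exc)


def build_tar(entries):
    """Constructed sample archive: (name, bytes) for files, (name, None, linkname) for symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for entry in entries:
            info = tarfile.TarInfo(entry[0])
            if len(entry) == 3:
                info.type = tarfile.SYMTYPE
                info.linkname = entry[2]
                tar.addfile(info)
            else:
                info.size = len(entry[1])
                tar.addfile(info, io.BytesIO(entry[1]))
    return buf.getvalue()


def run_demo():
    """Run the constructed cases in a scratch directory; returns {case: result}."""
    good = build_tar([("pkg/setup.py", b"print('hi')\n")])
    traversal = build_tar([("../../evil.txt", b"x")])
    abs_link = build_tar([("pkg/passwd", None, "/etc/passwd")])
    garbage = b"not a tar archive at all"
    with tempfile.TemporaryDirectory() as dest:
        results = {
            "good": safe_extract(good, dest),
            "traversal": safe_extract(traversal, dest),
            "abs_link": safe_extract(abs_link, dest),
            "garbage": safe_extract(garbage, dest),
        }
        results["good_file_exists"] = os.path.isfile(os.path.join(dest, "pkg", "setup.py"))
    return results


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, result)
```

Checking all members before extracting any of them matters: rejecting the archive as a whole avoids the partially-unpacked state an analyzer would otherwise have to clean up, and the single (ok, reason) return lets the caller log the cause and mark the package as unanalyzable instead of propagating whichever of the many possible exception types fired.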

Refactor

  • improve logging in console for macaron commands (#1160)

v0.17.0 (2025-08-27 04:34)

Feat

  • heuristics: add SimilarProjectAnalyzer to detect structural similarity across packages from same maintainer (#1089)
  • heuristics: add Fake Email analyzer to validate maintainer email domain (#1106)
  • add GitHub attestation discovery (#1020)
  • security: add package name typosquatting detection (#1059)
  • add pypi attestation discovery (#1067)

Fix

  • catch defusedxml security errors (#1138)
  • accept from-provenance repos as scm authentic (#1131)
  • pypi: update get_maintainers_of_package to avoid request blocking (#1097)
  • include inspector links with information on whether they are reachable (#1102)

Refactor

  • remove the automatic sbom generation feature for Java (#1145)
  • run source code analysis by default (#1107)
  • improve experimental source code pattern analysis of pypi packages (#965)

v0.16.0 (2025-04-24 08:05)

Feat

  • detect vulnerable GitHub Actions (#1021)
  • check PyPI registry when deps.dev fails to find a source repository (#982)
  • add callgraph and build cmd detection for Jenkins (#977)

Fix

  • fix incorrect skip result evaluation causing false positives in PyPI malware reporting (#1031)
  • use 'isDefault' version from the deps.dev API (#1019)

Refactor

  • log the SLSA summary in verbose mode only (#1063)
  • log relative paths for file (#1032)
  • use problog for suspicious combinations (#997)

v0.15.0 (2025-03-10 10:04)

Feat

  • add Repo Finder and Commit Finder outcomes to database (#892)
  • add in new metadata-based heuristic to pypi malware analyzer (#944)
  • find repo from latest artifact when provided artifact has none (#931)
  • obtain Java and Python artifacts from .m2 or Python virtual environment from input (#864)
  • include inspector package urls as part of the malicious metadata facts for pypi packages (#935)
  • add a new setup.py related heuristic in the pypi malware analyzer (#932)

Fix

  • update already present repositories (#949)
  • report known malware even when not labeled (#956)

Refactor

  • replace unreachable project links heuristic with source code repo heuristic (#983)
  • remove the deprecated --skip-deps command-line option (#943)

v0.14.0 (2024-11-26 07:05)

Feat

  • report known malware for all ecosystems (#922)
  • add command to run repo and commit finder without analysis (#827)
  • add a new check to report the build tool (#914)
  • verify whether the reported repository can be linked back to the artifact (#873)
  • allow specifying the dependency depth resolution through CLI and make dependency resolution off by default (#840)

Fix

  • block terminal prompts in find source (#918)
  • fix a bug in GitHub Actions matrix variable resolution (#896)
  • prevent endless loop on 403 GitHub response (#866)

Refactor

  • accept provenance data in artifact pipeline check (#872)
  • remove --config-path from CLI (#844)

v0.13.0 (2024-09-16 01:57)

Feat

  • add a script to check VSA (#858)

Fix

  • use gnu-sed on mac instead of the built-in sed command (#853)

v0.12.0 (2024-08-16 01:03)

Feat

  • verify npm SLSA provenance against signed npm provenance (#747)
  • add a check to analyze malicious Python packages (#750)
  • add support for SLSA v1 provenance with OCI build type (#778)

Fix

  • accept provenances that are not inferred in the provenance checks (#802)
  • use artifact filenames as keys for verifying jfrog assets in provenance_witness_l1_check (#796)

v0.11.0 (2024-06-18 06:08)

Feat

  • add dependency resolution for Python (#748)
  • add checks to determine if repo and commit came from provenance (#704)
  • add support for GitHub provenances passed as input (#732)

Fix

  • modify verify-policy to exit successfully if a passed policy exists and allow components with no repository to pass policies (#766)
  • force docker to use linux/amd64 platform (#768)
  • do not fetch from origin/HEAD for local repo targets (#734)

v0.10.0 (2024-04-29 02:53)

Feat

  • allow provenance files to be files containing a URL pointing to the actual provenance file which will be transparently downloaded (#710)
  • allow defining a git service from defaults.ini (#694)
  • improve VSA generation with digest for each subject (#685)

Fix

  • improve run_macaron.sh bash and docker version compatibility (#717)
  • store language in build as code check for non-GitHub CI services (#716)
  • extract digest from provenance when repo path is provided but digest is not provided from the user (#711)
  • fix a compatibility issue in run_macaron.sh for macOS (#701)
  • make build script check fail when no repo is found (#699)

v0.9.0 (2024-04-05 05:50)

Feat

  • extend static analysis and compute confidence scores for deploy commands (#673)
  • use provenance to find commits for supported PURL types (#653)

Fix

  • preserve the order of elements of lists extracted from defaults.ini (#660)