Releases: oracle/macaron

v0.10.0

29 Apr 02:53

v0.10.0 (2024-04-29)

Feat

  • allow provenance files to be files containing a URL pointing to the actual provenance file which will be transparently downloaded (#710)
  • allow defining a git service from defaults.ini (#694)
  • improve VSA generation with digest for each subject (#685)

Fix

  • improve run_macaron.sh bash and docker version compatibility (#717)
  • store language in build as code check for non-GitHub CI services (#716)
  • extract digest from provenance when repo path is provided but digest is not provided from the user (#711)
  • fix a compatibility issue in run_macaron.sh for macOS (#701)
  • make build script check fail when no repo is found (#699)

v0.9.0

05 Apr 05:50

v0.9.0 (2024-04-05)

Feat

  • extend static analysis and compute confidence scores for deploy commands (#673)
  • use provenance to find commits for supported PURL types (#653)

Fix

  • preserve the order of elements of lists extracted from defaults.ini (#660)

v0.8.0

05 Mar 05:02

v0.8.0 (2024-03-05)

Feat

  • discover SLSA v1 provenances for npm packages (#639)
  • add exclude and include check in ini config (#254)
  • introduce confidence scores for check facts (#620)
  • follow indirect repository URLs (#629)
  • use repository url provided as input for finding a commit (#622)

v0.7.0

18 Jan 03:55

v0.7.0 (2024-01-18)

Feat

  • support tox to publish artifacts to PyPI (#599)
  • generate Verification Summary Attestation (#592)
  • map artifacts to commits via repo tags (#508)
  • find SLSA provenance v0.2 published on npm registry (#551)

v0.6.0

03 Nov 04:36

v0.6.0 (2023-11-03)

Feat

  • add download timeout config (#483)
  • support gzipped provenance files (#504)
  • support running the analysis with SBOM and the main software component with no repository (#165)
  • add support for Go, npm and Yarn build tools (#451)
  • enable repo finder to support more languages via Open Source Insights (#388)

Fix

  • resolve podman compatibility issues (#512)
  • do not use git set-branches if the target branch is not currently available in the repository (#491)
  • fix bash syntax error when running run_macaron.sh on macOS (#528)

Refactor

  • refactor interface of base check (#513)
  • allow the branch name in the schema of a repository to be null (#532)

Perf

  • use partial clone to reduce clone time (#389)

v0.5.0

14 Sep 06:42

v0.5.0 (2023-09-14)

Feat

  • add a new check to map artifacts to pipelines (#471)
  • add docker build detection (#409)

Fix

  • policy-engine: use component_id instead of repo_id in policy to find the check result (#473)
  • check if repository is available in provenance available check (#467)
  • encode PURL qualifiers as a normalized string (#466)
  • fix run_macaron.sh script to handle action arguments correctly (#461)

v0.4.0

01 Sep 07:20

v0.4.0 (2023-09-01)

Feat

  • support trusted SLSA L3 builders for Maven, Gradle, Node.js, and containers (#445)
  • add purl as a CLI option (#401)

Fix

  • add timeout to Gradle Group ID detection (#446)
  • rename domain to hostname in Git service configuration (#453)
  • always pull latest docker image in run_macaron.sh (#448)
  • proxy: use the host proxy settings for Maven and Gradle (#434)
  • update justifications to be complete for multi build tool projects (#432)

v0.3.0

22 Aug 21:47

v0.3.0 (2023-08-22)

Feat

  • add support for JFrog Artifactory and witness provenances produced on GitLab CI (#349)
  • introduce a new data model and software components based on PURL (#305)

Fix

  • orm: use the host’s timezone when persisting datetime objects without a timezone, instead of forcing them to UTC (#397)
  • handle cloning issues when repo is in an unexpected state (#395)
  • orm: serialize datetime object’s timezone instead of always coercing to UTC when persisting to the SQLite db (#381)

v0.2.0

17 Jul 07:44

v0.2.0 (2023-07-17)

Feat

  • resolve Maven properties in found POMs (#271)
  • add support for cloning GitLab repositories (#316)
  • multi build tool detection (#179)

Fix

  • check paths in an archive file before extracting (#366)
  • fix CycloneDx Gradle automatic dependency resolver bug (#315)

v0.1.1

14 Jun 07:22

v0.1.1 (2023-06-14)

Fix

  • fix links as part of transition to oracle/macaron (#307)
  • fix the result summary for UNKNOWN check results (#299)

Refactor

  • separate provenance expectation from Datalog policies (#297)