Releases: oracle/macaron
v0.13.0 (2024-09-16)
Feat
- add a script to check VSA (#858)
Fix
- use gnu-sed on mac instead of the built-in sed command (#853)
v0.12.0 (2024-08-16)
Feat
- verify npm SLSA provenance against signed npm provenance (#747)
- add a check to analyze malicious Python packages (#750)
- add support for SLSA v1 provenance with OCI build type (#778)
Fix
- accept provenances that are not inferred in the provenance checks (#802)
- use artifact filenames as keys for verifying jfrog assets in provenance_witness_l1_check (#796)
v0.11.0 (2024-06-18)
Feat
- add dependency resolution for Python (#748)
- add checks to determine if repo and commit came from provenance (#704)
- add support for GitHub provenances passed as input (#732)
Fix
- modify verify-policy to exit successfully if a passed policy exists and allow components having no repository to pass policies (#766)
- force docker to use linux/amd64 platform (#768)
- do not fetch from origin/HEAD for local repo targets (#734)
v0.10.0 (2024-04-29)
Feat
- allow provenance files to be files containing a URL pointing to the actual provenance file which will be transparently downloaded (#710)
- allow defining a git service from defaults.ini (#694)
- improve VSA generation with digest for each subject (#685)
Fix
- improve run_macaron.sh bash and docker version compatibility (#717)
- store language in build as code check for non-GitHub CI services (#716)
- extract digest from provenance when repo path is provided but digest is not provided from the user (#711)
- fix a compatibility issue in run_macaron.sh for macOS (#701)
- make build script check fail when no repo is found (#699)
v0.9.0 (2024-04-05)
Feat
- extend static analysis and compute confidence scores for deploy commands (#673)
- use provenance to find commits for supported PURL types (#653)
Fix
- preserve the order of elements of lists extracted from defaults.ini (#660)
v0.8.0 (2024-03-05)
Feat
- discover slsa v1 provenances for npm packages (#639)
- add exclude and include check in ini config (#254)
- introduce confidence scores for check facts (#620)
- follow indirect repository URLs (#629)
- use repository url provided as input for finding a commit (#622)
v0.7.0 (2024-01-18)
Feat
- support tox to publish artifacts to PyPI (#599)
- generate Verification Summary Attestation (#592)
- map artifacts to commits via repo tags (#508)
- find SLSA provenance v0.2 published on npm registry (#551)
v0.6.0 (2023-11-03)
Feat
- add download timeout config (#483)
- support gzipped provenance files (#504)
- support running the analysis with SBOM and the main software component with no repository (#165)
- add support for Go, npm and Yarn build tools (#451)
- enable repo finder to support more languages via Open Source Insights (#388)
Fix
- resolve podman compatibility issues (#512)
- do not use git set-branches if the target branch is not currently available in the repository (#491)
- fix bash syntax error when running run_macaron.sh on macOS (#528)
Refactor
- refactor interface of base check (#513)
- allow the branch name in the schema of a repository to be null (#532)
Perf
- use partial clone to reduce clone time (#389)
v0.5.0 (2023-09-14)
Feat
- add a new check to map artifacts to pipelines (#471)
- add docker build detection (#409)
Fix
- policy-engine: use component_id instead of repo_id in policy to find the check result (#473)
- check if repository is available in provenance available check (#467)
- encode PURL qualifiers as a normalized string (#466)
- fix run_macaron.sh script to handle action arguments correctly (#461)
v0.4.0 (2023-09-01)
Feat
- support trusted SLSA L3 builders for Maven, Gradle, Node.js, and containers (#445)
- add purl as a CLI option (#401)
Fix
- add timeout to Gradle Group ID detection (#446)
- rename domain to hostname in Git service configuration (#453)
- always pull latest docker image in run_macaron.sh (#448)
- proxy: use the host proxy settings for Maven and Gradle (#434)
- update justifications to be complete for multi build tool projects (#432)