- add a script to check VSA (#858)
- use gnu-sed on mac instead of the built-in sed command (#853)
- verify npm SLSA provenance against signed npm provenance (#747)
- add a check to analyze malicious Python packages (#750)
- add support for SLSA v1 provenance with OCI build type (#778)
- accept provenances that are not inferred in the provenance checks (#802)
- use artifact filenames as keys for verifying jfrog assets in provenance_witness_l1_check (#796)
- add dependency resolution for Python (#748)
- add checks to determine if repo and commit came from provenance (#704)
- add support for GitHub provenances passed as input (#732)
- modify verify-policy to exits succesfully if a passed policy exists and allow components having no repository to pass policies (#766)
- force docker to use linux/amd64 platform (#768)
- do not fetch from origin/HEAD for local repo targets (#734)
- allow provenance files to be files containing a URL pointing to the actual provenance file which will be transparently downloaded (#710)
- allow defining a git service from defaults.ini (#694)
- improve VSA generation with digest for each subject (#685)
- improve run_macaron.sh bash and docker version compatibility (#717)
- store language in build as code check for non-GitHub CI services (#716)
- extract digest from provenance when repo path is provided but digest is not provided from the user (#711)
- fix a compatibility issue in run_macaron.sh for macOS (#701)
- make build script check fail when no repo is found (#699)
- extend static analysis and compute confidence scores for deploy commands (#673)
- use provenance to find commits for supported PURL types. (#653)
- preserve the order of elements of lists extracted from defaults.ini (#660)
- discover slsa v1 provenances for npm packages (#639)
- add exclude and include check in ini config (#254)
- introduce confidence scores for check facts (#620)
- follow indirect repository URLs (#629)
- use repository url provided as input for finding a commit (#622)
- support tox to publish artifacts to PyPI (#599)
- generate Verification Summary Attestation (#592)
- map artifacts to commits via repo tags (#508)
- find SLSA provenance v0.2 published on npm registry (#551)
- add download timeout config (#483)
- support gzipped provenance files (#504)
- support running the analysis with SBOM and the main software component with no repository (#165)
- add support for Go, npm and Yarn build tools (#451)
- enable repo finder to support more languages via Open Source Insights (#388)
- resolve podman compatibility issues (#512)
- do not use git set-branches if the target branch is not currently available in the repository (#491)
- fix bash syntax error when running
run_macaron.shon macOS (#528)
- refactor interface of base check (#513)
- allow the branch name in the schema of a repository to be null (#532)
- use partial clone to reduce clone time (#389)
- add a new check to map artifacts to pipelines (#471)
- add docker build detection (#409)
- policy-engine: use component_id instead of repo_id in policy to find the check result (#473)
- check if repository is available in provenance available check (#467)
- encode PURL qualifiers as a normalized string (#466)
- fix
run_macaron.shscript to handle action arguments correctly (#461)
- support trusted SLSA L3 builders for Maven, Gradle, Node.js, and containers (#445)
- add purl as a CLI option (#401)
- add timeout to Gradle Group ID detection (#446)
- rename
domaintohostnamein Git service configuration (#453) - always pull latest docker image in run_macaron.sh (#448)
- by default, always pull latest version of docker image, but allow this behaviour to be overidden by setting the DOCKER_PULL env var
Signed-off-by: Nicholas Allen [email protected]
- proxy: use the host proxy settings for Maven and Gradle (#434)
- update justifications to be complete for multi build tool projects (#432)
- add support for JFrog Artifactory and witness provenances produced on GitLab CI (#349)
- introduce a new data model and software components based on PURL (#305)
- orm: use the host’s timezone when persisting datetime objects without a timezone, instead of forcing them to UTC (#397)
- handle cloning issues when repo is in an unexpected state (#395)
- orm: serialize datetime object’s timezone instead of always coercing to UTC when persisting to the SQLite db (#381)
- resolve Maven properties in found POMs (#271)
- add support for cloning GitLab repositories (#316)
- multi build tool detection (#179)
- check paths in an archive file before extracting (#366)
- fix CycloneDx Gradle automatic dependency resolver bug (#315)
- fix links as part of transition to oracle/macaron (#307)
- fixes the result summary for UNKNOWN check results (#299)
- separate provenance expectation from Datalog policies (#297)
- release: generate SLSA provenance for the Docker image (#265)
- add command-line flag for version (#262)
- add additional repo finding via parent POMs (#217)
- add repo finding via scm metadata in artefact poms (#155)
- run cue validator per analysis target (#90)
- add python as a supported build tool (#67)
- support an existing SBOM as input (#105)
- add check output to database and implement souffle policy engine (#46)
- add dependency analyzer for Gradle (#57)
- release: disable SLSA provenance for now (#277)
- do not skip rootProject in Gradle dependency resolution (#252)
- create the bin directory for syft (#245)
- add 'packages: read' permission to release workflow (#241)
- do not overwrite an existing check relationship when a check has no parent in the Registry (#238)
- upgrade requests to 2.31.0 to fix CVE-2023-32681 (#236)
- restore the runner if an uncaught exception happens in a check (#216)
- return error when defaults.ini provided by user does not exist (#208)
- fix undefined local variable in build_as_code check (#136)
- resolve the full name for a repo whose remote origin is a local path (#153)
- do not pull the latest when analyzing a target with local repo path (#125)
- do not use download script for Syft (#164)
- remove the topLevel packages permission (#160)
- initialize all DependencyInfo attributes (#139)
- check if build dir contains a valid build (#135)
- read configuration for recursion through bom file (#130)
- allow BOM component version and group be empty (#104)
- do not log check_module object to avoid info leakage (#96)
- run policy engine using macaron entrypoint (#192)