v1.0.2

What's Changed

Bug fixes:

• Fixed a bug where a local target could be considered a remote one by mistake (e.g. guarddog pypi scan ../foo) (#147)

Full Changelog: v1.0.1...v1.0.2

v1.0.1

What's Changed

Bug fixes:

• Fix a bug where a remote target could be considered a local one by mistake (#144)

Chores:

• Bump ujson from 5.4.0 to 5.7.0 by @dependabot in #143
• Bump jsonschema from 4.9.1 to 4.17.3 by @dependabot in #142
• Bump websocket-client from 1.3.3 to 1.5.1 by @dependabot in #141
• Bump requests from 2.28.1 to 2.28.2 by @dependabot in #140
• Bump pathos from 0.2.9 to 0.3.0 by @dependabot in #139

Full Changelog: v1.0.0...v1.0.1

v1.0.0

This is a new major version with breaking changes.

What's Changed

Breaking changes:

• The commands guarddog scan and guarddog verify have been deprecated and will be removed in an upcoming version. Use guarddog pypi scan and guarddog pypi verify instead

New features:

• Added support for scanning npm packages (guarddog npm scan) and package.json (guarddog npm verify)
• Support SARIF output to allow for easy use with GitHub Code Scanning
• Added commands guarddog pypi list-rules and guarddog npm list-rules
• Support verbose debugging output through guarddog --log-level debug ...

New heuristics:

• New Python heuristic silent-process-execution to identify packages silently executing processes, similar to the Pytorch attack
• New PyPI metadata heuristic: repository_integrity_mismatch compares the contents of a package on PyPI with its contents on GitHub, and flags packages that have extraneous or modified files not reflected on GitHub
• New npm heuristic: typosquatting
• New npm heuristic: detecting silent process execution
• New npm heuristic: detecting post and pre-install hooks
• New npm heuristic: detecting when a npm package serializes process.env

Cosmetics:

• GuardDog now has an official logo!
• README heuristics documentation is now automatically generated and injected in the README

Minor changes:

• chores: Bump certify version to fix GHSA-43fp-rhv2-5gv8

Full Changelog: v0.1.10...v1.0.0

v0.1.10

What's Changed

• Add pre-commit hooks configuration for local development by @christophetd in #107
• Fixing False Positives and Duplicate Errors in the Typosquatting Algorithm by @QuinceyJames in #108

New Contributors

• @QuinceyJames made their first contribution in #108

Full Changelog: v0.1.9...v0.1.10

v0.1.9

What's Changed

• Bug fix: scanning zip packages by @christophetd in #105
• Heuristic: identify usage of globals and import (closes #62) by @christophetd in #106

Full Changelog: v0.1.8...v0.1.9

v0.1.8

What's Changed

• Add python version pin for pyproject.toml and update README by @zmallen in #94
• pyproject.toml: Add repository url by @materro in #97
• Add Type checking and enforce lint by @vdeturckheim in #98
• Add Semgrep rule and run custom Semgrep rules in CI for SAST by @christophetd in #102

New Contributors

• @zmallen made their first contribution in #94
• @materro made their first contribution in #97

Full Changelog: v0.1.7...v0.1.8

v0.1.7

What's Changed

• Handle requirement file parsing errors by @vdeturckheim in #96, closes #88

Full Changelog: v0.1.6...v0.1.7

v0.1.5

What's Changed

• Adding exit codes by @Torxed in #76. GuardDog can now exit with a non-zero status code if --exit-non-zero-on-finding is provided
• Use tarsafe instead of built-in tarfile to extract archives by @christophetd in #89. Fixes security issue GHSA-rp2v-v467-q9vq

Full Changelog: v0.1.4...v0.1.5

v0.1.4

What's Changed

• Make GuardDog usable as a library rather than only a CLI by @vdeturckheim in #82
• Add simple integration test by @christophetd in #85

New Contributors

• @vdeturckheim made their first contribution in #82

Full Changelog: v0.1.3...v0.1.4

v0.1.3

What's Changed

• Publish to PyPI (closes #80) by @christophetd in #84
• Ignore packages that don't exist in PyPI (closes #78) by @christophetd in #83

Full Changelog: v0.1.1...v0.1.3