
3.5.0 - 2024-08-05

Released by @github-actions on 05 Aug 19:10

Release Notes

Hipcheck 3.5.0 continues our focus on user experience improvements with
three major additions:

  • Improved target selection
  • The hc cache subcommand
  • Better progress reporting

Improved Target Selection

In Hipcheck 3.5.0 we've enhanced the ability to specify your target of
analysis. This is Hipcheck's term for "the thing you want to analyze."
With this new version, you can now provide:

  • Package URLs (pURLs): pURLs are a specification for a unified way of
    referencing packages on a variety of popular package hosts. For example,
    the pURL pkg:npm/foobar@12.3.1 refers to the package foobar version
    12.3.1 on NPM.
  • VCS URLs: VCS URLs come from the Python ecosystem, where they're used
    by pip to refer to Git repositories with additional metadata embedded in
    the URL. They're also used by the SPDX Software Bill of Materials standard.
    A VCS URL looks like git+ssh://git@git.example.com/MyProject, with the
    VCS being used as a prefix to the rest of the protocol, separated by a +.
  • Git References: References are how Git refers to specific things you
    can checkout in a Git repository, including specific commits, branches,
    and tags. By default, Hipcheck checks out the latest (HEAD) commit of a
    repository, but you can now use the --ref flag to specify a different
    ref to check out.
  • CycloneDX SBOMs: Hipcheck can now accept CycloneDX Software Bills of
    Material in addition to SPDX ones, in either JSON or XML format.

Note that some of the methods above allow embedding some target-type
information directly, in ways that can contradict the --type flag when
running hc check. If the --type flag and the target specifier metadata
ever conflict, Hipcheck will produce an error rather than picking one option
over the other automatically.
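As an added example (not Hipcheck's own code), here is how the type inference from pURLs and VCS URLs and the --type conflict check described above can be implemented in Rust; the TargetType variants and the SBOM file-name suffixes are assumptions for illustration, not Hipcheck's actual definitions.

```rust
// Added example, not Hipcheck's code: infer the target type from a target
// specifier and refuse to guess when an explicit --type disagrees with what
// the specifier itself encodes. Variant names are assumed labels.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TargetType { Repo, Npm, Pypi, Maven, Sbom }

/// Infer a type from a pURL (`pkg:<type>/...`), a VCS URL (`<vcs>+<scheme>://...`)
/// or an SBOM file name; None if the specifier carries no type info of its own.
pub fn infer_target_type(spec: &str) -> Option<TargetType> {
    if let Some(rest) = spec.strip_prefix("pkg:") {
        // The pURL type is everything up to the first '/'.
        return match rest.split('/').next()? {
            "npm" => Some(TargetType::Npm),
            "pypi" => Some(TargetType::Pypi),
            "maven" => Some(TargetType::Maven),
            _ => None,
        };
    }
    // VCS URL: the VCS name precedes a '+' in the scheme, e.g. git+ssh://
    if let Some((scheme, _)) = spec.split_once("://") {
        if let Some((vcs, _)) = scheme.split_once('+') {
            return (vcs == "git").then_some(TargetType::Repo);
        }
    }
    // SPDX and CycloneDX SBOMs recognised by assumed conventional suffixes.
    let lower = spec.to_ascii_lowercase();
    if [".spdx.json", ".spdx", ".cdx.json", ".cdx.xml"]
        .iter()
        .any(|s| lower.ends_with(*s))
    {
        return Some(TargetType::Sbom);
    }
    None
}

/// Combine the inferred type with an explicit --type. A conflict is an
/// error rather than a silent choice, as the note above describes.
pub fn resolve_target_type(spec: &str, explicit: Option<TargetType>) -> Result<TargetType, String> {
    match (infer_target_type(spec), explicit) {
        (Some(i), Some(e)) if i != e => Err(format!("--type {e:?} conflicts with {i:?} in '{spec}'")),
        (Some(i), _) => Ok(i),
        (None, Some(e)) => Ok(e),
        (None, None) => Err(format!("cannot infer target type from '{spec}'; pass --type")),
    }
}
```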

The following commits were for this work:

  • remove use of Source, SourceRepo, Remote structs in favor of Target by @j-lanson in #229
  • added types for new target repo spec and resolution by @j-lanson in #210
  • add more robust 'target resolution' systemD by @mchernicoff in #227
  • add --ref support to remaining target seed kinds by @j-lanson in #244
  • CLI can infer target type from target pURL by @mchernicoff in #205
  • CLI can infer target type from target VCS URL by @mchernicoff in #209
  • Hipcheck can process SBOMs using CycloneDX (currently JSON only) standard by @mchernicoff in #237
  • Hipcheck can process SBOMs using CycloneDX XML files by @mchernicoff in #239
  • update remote-repo updating to support git refs by @j-lanson in #240
  • update local-repo copying to support git refs by @j-lanson in #242
  • distinguish TargetSeed and TargetSeedKind to transfer ref info from cli by @j-lanson in #243

hc cache subcommand

We've also added a new subcommand, hc cache, for managing the repository
cache that Hipcheck maintains. When Hipcheck runs, it creates a local clone
of the repository being analyzed (if the repository is already local, Hipcheck
still clones it into the repository cache to avoid mutating the original). Over
time, this repository cache will grow, and some repositories may be quite
large. The new hc cache subcommand lets the user see what's in the cache
with hc cache list, and delete elements in the cache with hc cache delete.

The following commits were for this work:

  • add hc cache subcommand for manually listing/deleting elements of the cache by @j-lanson in #224
  • add commit info to hc cache display and index file by @j-lanson in #245
  • local repos are also cloned to HC_CACHE by @j-lanson in #208
  • shortcut cache entry size calculation with cache index file by @j-lanson in #236

Progress Reporting

Hipcheck now shows a progress bar during execution, especially during
repository cloning, which can be quite slow for larger repositories. This is
intended to make it clearer how Hipcheck's time is being spent, and whether it's
continuing to make progress vs. being stuck.

The following commits were for this work:

  • major refactor to enable better control of phases and progress bars by @vcfxb in #198
  • Variety of tweaks to the shell and phase infrastructure by @vcfxb in #213
  • Add progress bars when cloning repos (powered by the git2 crate). Integrate libgit2 trace messages into our logging by @vcfxb in #222

And More...

As always, there are more changes in a single version than can be adequately
described here. View the full changelog to see the rest:

Full Changelog: hipcheck-v3.4.0...hipcheck-v3.5.0

Install hipcheck 3.5.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/mitre/hipcheck/releases/download/hipcheck-v3.5.0/hipcheck-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -c "irm https://github.com/mitre/hipcheck/releases/download/hipcheck-v3.5.0/hipcheck-installer.ps1 | iex"

Download hipcheck 3.5.0

File                                      Platform             Checksum
hipcheck-aarch64-apple-darwin.tar.xz      Apple Silicon macOS  checksum
hipcheck-x86_64-apple-darwin.tar.xz       Intel macOS          checksum
hipcheck-x86_64-pc-windows-msvc.zip       x64 Windows          checksum
hipcheck-x86_64-unknown-linux-gnu.tar.xz  x64 Linux            checksum