oracle · behnazh-w · Aug 15, 2025 · Aug 8, 2025 · Aug 12, 2025 · Aug 12, 2025
@@ -85,34 +85,19 @@ venv:
 # So we create the dist dir if it doesn't exist in the setup target.
 # See https://packaging.python.org/en/latest/tutorials/packaging-projects/#generating-distribution-archives.
 # We also install cyclonedx-go to generate SBOM for Go, compile the Go modules,
-# install SLSA verifier binary, download mvnw, and gradlew.
+# and install SLSA verifier binary.
 .PHONY: setup
 setup: force-upgrade setup-go setup-binaries setup-schemastore
 	pre-commit install
 	mkdir -p dist
 	go install github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected]
 setup-go:
 	go build -o $(PACKAGE_PATH)/bin/ $(REPO_PATH)/golang/cmd/...
-setup-binaries: $(PACKAGE_PATH)/bin/slsa-verifier $(PACKAGE_PATH)/resources/mvnw $(PACKAGE_PATH)/resources/gradlew souffle gnu-sed
+setup-binaries: $(PACKAGE_PATH)/bin/slsa-verifier souffle gnu-sed
 $(PACKAGE_PATH)/bin/slsa-verifier:
 	git clone --depth 1 https://github.com/slsa-framework/slsa-verifier.git -b v2.7.1
 	cd slsa-verifier/cli/slsa-verifier && go build -o $(PACKAGE_PATH)/bin/
 	cd $(REPO_PATH) && rm -rf slsa-verifier
-$(PACKAGE_PATH)/resources/mvnw:
-	cd $(PACKAGE_PATH)/resources \
-		&& wget https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper-distribution/3.1.1/maven-wrapper-distribution-3.1.1-bin.zip \
-		&& unzip -o maven-wrapper-distribution-3.1.1-bin.zip \
-		&& rm -r maven-wrapper-distribution-3.1.1-bin.zip \
-		&& echo -e "distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.6/apache-maven-3.8.6-bin.zip\nwrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.1/maven-wrapper-3.1.1.jar" > .mvn/wrapper/maven-wrapper.properties \
-		&& cd $(REPO_PATH)
-$(PACKAGE_PATH)/resources/gradlew:
-	cd $(PACKAGE_PATH)/resources \
-		&& export GRADLE_VERSION=7.6 \
-		&& wget https://services.gradle.org/distributions/gradle-$$GRADLE_VERSION-bin.zip \
-		&& unzip -o gradle-$$GRADLE_VERSION-bin.zip \
-		&& rm -r gradle-$$GRADLE_VERSION-bin.zip \
-		&& gradle-$$GRADLE_VERSION/bin/gradle wrapper \
-		&& cd $(REPO_PATH)
 setup-schemastore: $(PACKAGE_PATH)/resources/schemastore/github-workflow.json $(PACKAGE_PATH)/resources/schemastore/LICENSE $(PACKAGE_PATH)/resources/schemastore/NOTICE
 $(PACKAGE_PATH)/resources/schemastore/github-workflow.json:
 	cd $(PACKAGE_PATH)/resources \
@@ -236,7 +221,7 @@ setup-integration-test-utility-for-docker:
 # Generate a Software Bill of Materials (SBOM).
 .PHONY: sbom
 sbom: requirements
-	cyclonedx-py requirements --output-format json --outfile dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom.json
+	cyclonedx-py requirements --output-format json --output-file dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom.json
 	$$HOME/go/bin/cyclonedx-gomod mod -json -output dist/$(PACKAGE_NAME)-$(PACKAGE_VERSION)-sbom-go.json $(REPO_PATH)
 
 # Generate a requirements.txt file containing version and integrity hashes for all
@@ -433,11 +418,7 @@ clean: dist-clean bin-clean docs-clean
 nuke-caches: clean
 	find src/ -type d -name __pycache__ -exec rm -fr {} +
 	find tests/ -type d -name __pycache__ -exec rm -fr {} +
-nuke-mvnw:
-	cd $(PACKAGE_PATH)/resources \
-	&& rm mvnw mvnw.cmd mvnwDebug mvnwDebug.cmd \
-	&& cd $(REPO_PATH)
-nuke: nuke-caches nuke-mvnw
+nuke: nuke-caches
 	if [ ! -z "${VIRTUAL_ENV}" ]; then \
 	  echo "Please deactivate the virtual environment first!" && exit 1; \
 	fi

@@ -11,7 +11,7 @@
 # Note that the local machine must login to ghcr.io so that Docker could pull the ghcr.io/oracle/macaron-base
 # image for this build.
 
-FROM ghcr.io/oracle/macaron-base:latest@sha256:79b3b8b03cb9b6a124c6450f4baa58f96f83ee9e37f572c88a97597b35c7bc51
+FROM ghcr.io/oracle/macaron-base:latest@sha256:3b1f5ab197ee4429c598712bb8abb555a094e879f69e35439061777ac3bcb138
 
 ENV HOME="/home/macaron"
 

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # We update the GID and UID of the existing macaron user in the container
@@ -16,35 +16,6 @@ else
     echo "Consider providing the GID and UID via the env variables USER_GID and USER_UID respectively."
 fi
 
-# Prepare settings.xml because
-# We mount .m2 dir to the host machine
-# We cannot copy those files while building the image
-# because they will be bypassed.
-if [[ ! -f "$HOME/.m2/settings.xml" ]] && [[ -n "$PACKAGE_PATH" ]];
-then
-    if [[ ! -d "$HOME/.m2" ]];
-    then
-        mkdir --parents "$HOME"/.m2
-    fi
-    cp "$PACKAGE_PATH"/resources/settings.xml "$HOME"/.m2/
-fi
-
-# Overwrite $HOME/.m2/settings.xml if the global settings.xml file is mounted from the host machine.
-if [[ -f "$HOME/settings.xml" ]];
-then
-    cp "$HOME/settings.xml" "$HOME/.m2/settings.xml"
-fi
-
-# Create $HOME/.gradle/gradle.properties if the global gradle.properties file is mounted from the host machine.
-if [[ ! -d "$HOME/.gradle" ]];
-then
-    mkdir --parents "$HOME"/.gradle
-fi
-if [[ -f "$HOME/gradle.properties" ]];
-then
-    cp "$HOME"/gradle.properties "$HOME/.gradle/gradle.properties"
-fi
-
 # Prepare the output directory. The output directory will be already existed
 # if we mount from the host machine.
 if [[ ! -d "$HOME/output" ]];
@@ -80,8 +51,6 @@ fi
 
 # The directory that could be mounted to the host machine file systems should
 # have the owner as the current user in the host machine.
-chown --recursive macaron:macaron "$HOME"/.m2
-chown --recursive macaron:macaron "$HOME"/.gradle
 chown --recursive macaron:macaron "$HOME"/output
 
 # Run the provided Macaron command with the user macaron.

@@ -17,22 +17,6 @@ macaron.dependency\_analyzer.cyclonedx module
    :show-inheritance:
    :undoc-members:
 
-macaron.dependency\_analyzer.cyclonedx\_gradle module
------------------------------------------------------
-
-.. automodule:: macaron.dependency_analyzer.cyclonedx_gradle
-   :members:
-   :show-inheritance:
-   :undoc-members:
-
-macaron.dependency\_analyzer.cyclonedx\_mvn module
---------------------------------------------------
-
-.. automodule:: macaron.dependency_analyzer.cyclonedx_mvn
-   :members:
-   :show-inheritance:
-   :undoc-members:
-
 macaron.dependency\_analyzer.cyclonedx\_python module
 -----------------------------------------------------
 

@@ -33,6 +33,14 @@ macaron.malware\_analyzer.pypi\_heuristics.metadata.empty\_project\_link module
    :show-inheritance:
    :undoc-members:
 
+macaron.malware\_analyzer.pypi\_heuristics.metadata.fake\_email module
+----------------------------------------------------------------------
+
+.. automodule:: macaron.malware_analyzer.pypi_heuristics.metadata.fake_email
+   :members:
+   :show-inheritance:
+   :undoc-members:
+
 macaron.malware\_analyzer.pypi\_heuristics.metadata.high\_release\_frequency module
 -----------------------------------------------------------------------------------
 
@@ -49,6 +57,14 @@ macaron.malware\_analyzer.pypi\_heuristics.metadata.one\_release module
    :show-inheritance:
    :undoc-members:
 
+macaron.malware\_analyzer.pypi\_heuristics.metadata.similar\_projects module
+----------------------------------------------------------------------------
+
+.. automodule:: macaron.malware_analyzer.pypi_heuristics.metadata.similar_projects
+   :members:
+   :show-inheritance:
+   :undoc-members:
+
 macaron.malware\_analyzer.pypi\_heuristics.metadata.source\_code\_repo module
 -----------------------------------------------------------------------------
 

@@ -119,23 +119,3 @@ You can run the following command to make sure the proxy settings are updated:
 .. code-block:: shell
 
   sudo systemctl show --property=Environment docker
-
-'''''''''''''''''''''''''''''''
-Maven and Gradle proxy settings
-'''''''''''''''''''''''''''''''
-
-Maven and Gradle do not use the system proxy settings. If the target software component (repository)
-is using either of these build tools, make sure to set up the following environment variables:
-
-.. code-block:: shell
-
-  export MAVEN_OPTS="-Dhttp.proxyHost=wwww-example-proxy -Dhttp.proxyPort=80 -Dhttps.proxyHost=wwww-example-proxy -Dhttps.proxyPort=80"
-  export GRADLE_OPTS="-Dhttp.proxyHost=wwww-example-proxy -Dhttp.proxyPort=80 -Dhttps.proxyHost=wwww-example-proxy -Dhttps.proxyPort=80"
-
-In addition, Macaron uses the global settings files for Maven and Gradle if present on the host machine and copies them to
-the Docker container. You can set up your proxy settings in the following files:
-
-* ``~/.m2/settings.xml``
-* ``~/.gradle/gradle.properties``
-
-See the `Maven <https://maven.apache.org/settings.html#proxies>`_ and `Gradle <https://docs.gradle.org/current/userguide/build_environment.html#sec:accessing_the_web_via_a_proxy>`_ documentations for more information on setting up proxies.
@@ -20,8 +20,6 @@ Top level structure
 .. code-block::
 
     output/
-        ├── .gradle/
-        ├── .m2/
         ├── build_log/
         ├── git_repos/
         ├── reports/
@@ -182,18 +180,10 @@ This file stores the log messages from the latest run of Macaron.
 build_log
 ^^^^^^^^^
 
-This is the directory for storing the log from running external components such as `CycloneDx SBOM Maven plugin <https://github.com/CycloneDX/cyclonedx-maven-plugin>`_, `CycloneDx SBOM Gradle plugin <https://github.com/CycloneDX/cyclonedx-gradle-plugin>`_ or the `slsa-verifier <https://github.com/slsa-framework/slsa-verifier>`_.
+This is the directory for storing the log from running external components, such as `slsa-verifier <https://github.com/slsa-framework/slsa-verifier>`_.
 
 ^^^^^^^^^^^^^^^
 sbom_debug.json
 ^^^^^^^^^^^^^^^
 
 This file contain the debug information for running the SBOM generator to obtain dependencies of a repository.
-
-^^^^^^^^^^^^^^^
-.m2 and .gradle
-^^^^^^^^^^^^^^^
-
-These two directories cache the content of ``~/.m2`` and ``~/.gradle`` in the Docker container between different runs (which are
-mainly updated by the CycloneDX SBOM plugins).
-This will helps subsequent runs on the same target repository faster.
@@ -115,8 +115,6 @@ Automatic dependency resolution
 
 Currently, we support the following type of project for automatic dependency resolution.
 
-* Java Maven
-* Java Gradle
 * Python (with a Python virtual environment created and packages installed using Python3.11, see :ref:`providing Python virtual environment <python-venv-deps>`.)
 
 --------

@@ -66,11 +66,11 @@ Skip this section if you already know how to install Macaron.
 Run ``analyze`` command
 ***********************
 
-First, we need to run the ``analyze`` command of Macaron to run a number of :ref:`checks <checks>` and collect evidence for  ``example-maven-app`` and its dependencies.
+First, we need to run the ``analyze`` command of Macaron to run a number of :ref:`checks <checks>` and collect evidence for  ``example-maven-app`` and its dependencies. You need to generate the SBOM and provide it to Macaron. For more details see the instructions : :ref:`here <with-sbom>`.
 
 .. code-block:: shell
 
-  ./run_macaron.sh analyze -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar -rp https://github.com/behnazh-w/example-maven-app --deps-depth=1
+  ./run_macaron.sh analyze -purl pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar -rp https://github.com/behnazh-w/example-maven-app --deps-depth=1 -sbom sbom.json
 
 .. note:: By default, Macaron clones the repositories and creates output files under the ``output`` directory. To understand the structure of this directory please see :ref:`Output Files Guide <output_files_guide>`.
 
@@ -98,7 +98,7 @@ As you can see, some of the checks are passing and some are failing. In summary,
 * but it is not deploying any artifacts automatically (``mcn_build_as_code_1``)
 * and no CI workflow runs are detected that automatically publish artifacts (``mcn_find_artifact_pipeline_1``)
 
-As you scroll down in the HTML report, you will see a section for the dependencies that were automatically identified:
+As you scroll down in the HTML report, you will see a section for the dependencies that were identified from the provided ``sbom.json``:
 
 .. _fig_example-maven-app-deps:
 

@@ -32,8 +32,8 @@ dependencies = [
     "packageurl-python >= 0.11.1,<1.0.0",
     "ruamel.yaml >= 0.18.6,<1.0.0",
     "jsonschema >= 4.22.0,<5.0.0",
-    "cyclonedx-bom >=4.0.0,<5.0.0",
-    "cyclonedx-python-lib[validation] >=7.3.4,<8.0.0",
+    "cyclonedx-bom >=7.0.0,<8.0.0",
+    "cyclonedx-python-lib[validation] >=8.0.0,<11.0.0",
     "beautifulsoup4 >= 4.12.0,<5.0.0",
     "problog >= 2.2.6,<3.0.0",
     "cryptography >=44.0.0,<45.0.0",
@@ -78,7 +78,7 @@ dev = [
     "types-jsonschema >=4.22.0,<5.0.0",
     "pip-audit >=2.5.6,<3.0.0",
     "pylint >=3.0.3,<4.0.0",
-    "cyclonedx-bom >=4.0.0,<5.0.0",
+    "cyclonedx-bom >=7.0.0,<8.0.0",
     "types-beautifulsoup4 >= 4.12.0,<5.0.0",
 ]
 docs = [
@@ -274,5 +274,7 @@ filterwarnings = [
     # https://docs.pytest.org/en/latest/how-to/failures.html#warning-about-unraisable-exceptions-and-unhandled-thread-exceptions
     "error::pytest.PytestUnraisableExceptionWarning",
     "error::pytest.PytestUnhandledThreadExceptionWarning",
+    # Remove the following when this issue is fixed: https://github.com/CycloneDX/cyclonedx-python-lib/issues/870
+    "ignore::DeprecationWarning:cyclonedx.model.tool",
     "error::DeprecationWarning:pkg_resources",
 ]
@@ -380,13 +380,8 @@ else
     echo "Setting default output directory to ${output}."
 fi
 
-# Mount the necessary .m2 and .gradle directories.
-m2_dir="${output}/.m2"
-gradle_dir="${output}/.gradle"
-
+# Mount the output directory.
 mount_dir_rw_allow_create "" "$output" "${MACARON_WORKSPACE}/output"
-mount_dir_rw_allow_create "" "$m2_dir" "${MACARON_WORKSPACE}/.m2"
-mount_dir_rw_allow_create "" "$gradle_dir" "${MACARON_WORKSPACE}/.gradle"
 
 # Determine the local repos path to be mounted into ${MACARON_WORKSPACE}/output/git_repos/local_repos/
 if [[ -n "${arg_local_repos_path:-}" ]]; then
@@ -491,24 +486,6 @@ else
             argv_command+=("--local-maven-repo" "${MACARON_WORKSPACE}/analyze_local_maven_repo_readonly")
 
             mount_dir_ro "--local-maven-repo" "$HOME/.m2" "$local_maven_repo_in_container"
-        # If the host's $HOME/.m2 doesn't exist, we create and mount an empty directory ${output}/analyze_local_maven_repo_readonly
-        # into ${MACARON_WORKSPACE}/analyze_local_maven_repo_readonly. And then provide
-        # ${MACARON_WORKSPACE}/analyze_local_maven_repo_readonly into the --local-maven-repo
-        # flag.
-        # This is because:
-        #   - By default if --local-maven-repo is not used, Macaron uses $HOME/.m2 of the current
-        #     environment as the local maven repo.
-        #   - If --local-maven-repo is not set when Macaron is running in the Docker container, it will try to
-        #     use $HOME/.m2 WITHIN the container. This is not desirable as this $HOME/.m2 is being used
-        #     by the cyclonedx plugins for dependency resolution, which requires read write. We treat the local
-        #     maven repo as a read only directory, hence they cannot share.
-        else
-            local_maven_repo_in_container="${MACARON_WORKSPACE}/analyze_local_maven_repo_readonly"
-            output_local_maven_repo="${output}/analyze_local_maven_repo_readonly"
-            mkdir -p "$output_local_maven_repo"
-            argv_command+=("--local-maven-repo" "${MACARON_WORKSPACE}/analyze_local_maven_repo_readonly")
-
-            mount_dir_ro "--local-maven-repo" "$output_local_maven_repo" "$local_maven_repo_in_container"
         fi
     fi
 fi
@@ -535,21 +512,8 @@ if [[ -n "${arg_datalog_policy_file:-}" ]]; then
     mount_file "-f/--file" "$datalog_policy_file" "$datalog_policy_file_in_container" "ro,Z"
 fi
 
-# Determine that ~/.gradle/gradle.properties exists to be mounted into ${MACARON_WORKSPACE}/gradle.properties
-if [[ -f "$HOME/.gradle/gradle.properties" ]]; then
-    mounts+=("-v" "$HOME/.gradle/gradle.properties":"${MACARON_WORKSPACE}/gradle.properties:ro,Z")
-fi
-
-# Determine that ~/.m2/settings.xml exists to be mounted into ${MACARON_WORKSPACE}/settings.xml
-if [[ -f "$HOME/.m2/settings.xml" ]]; then
-    mounts+=("-v" "$HOME/.m2/settings.xml":"${MACARON_WORKSPACE}/settings.xml:ro,Z")
-fi
-
 # Set up proxy.
 # We respect the host machine's proxy environment variables.
-# For Maven and Gradle projects that Macaron needs to analyzes, the proxy configuration
-# for Maven wrapper `mvnw` and Gradle wrapper `gradlew` are set using `MAVEN_OPTS` and
-# `GRADLE_OPTS` environment variables.
 proxy_var_names=(
     "http_proxy"
     "https_proxy"
@@ -559,8 +523,6 @@ proxy_var_names=(
     "HTTPS_PROXY"
     "FTP_PROXY"
     "NO_PROXY"
-    "MAVEN_OPTS"
-    "GRADLE_OPTS"
 )
 
 for v in "${proxy_var_names[@]}"; do

@@ -33,12 +33,6 @@ timeout = 30
 
 # This is the dependency resolver tool to generate SBOM.
 [dependency.resolver]
-# Should be in <tool>:<version> format.
-# The supported tools for Maven is cyclonedx-maven.
-# The supported tools for Gradle is cyclonedx-gradle.
-# The version of the dependency resolver should conform with semantic versioning.
-dep_tool_maven = cyclonedx-maven:2.6.2
-dep_tool_gradle = cyclonedx-gradle:1.7.4
 # This is the timeout (in seconds) to run the dependency resolver.
 timeout = 2400
 # Determines whether the CycloneDX BOM file should be validated or not.

@@ -73,7 +73,7 @@ def load(
         local_repos_path : str
             The directory to look for local repositories.
         resources_path : str
-            The path to the resources files needed for the analysis (i.e. mvnw, gradlew, etc.)
+            The path to the resource files needed for the analysis.
         """
         self.macaron_path = macaron_path
         self.output_path = output_path