Written by Julian Lanson
Posted on January 8, 2025
Hipcheck 3.9.1 introduces some bugfixes related to the auto-installer and binary releases, as well as some improvements to target resolution.
Thanks to an issue submitted by Aeva Black, we were made aware that running Hipcheck in our official Containerfile was not as effortless as we would like. Investigation of this issue led to the further realization that key values used in installer script generation had not been updated in a couple of versions, so the installers shipped with versions 3.8.0 and 3.9.0 were still pulling down Hipcheck 3.7.0. This release addresses the above issues; the installer with this release will properly download Hipcheck 3.9.1.
The other main reason binary installations were not running properly was that the default policy file that ships with Hipcheck has plugin configurations that specify relative paths to plugin-specific configuration files. When a policy file is loaded, the configuration specified for each plugin is sent to that plugin as-is; the hc binary is not expected to understand the parameters of a particular plugin's configuration at all. This means that relative paths specified in a plugin's configuration will be interpreted relative to the running plugin's current working directory, which is the same as the one from which hc was started. This is often nowhere near where the configuration files are stored.
It has become clear that our policy file needs to be able to specify paths relative to the policy file itself, which requires hc core to do a little more than basic file format processing. In this release we introduce the #rel() macro for use in policy files, which can be placed around a KDL string (e.g. #rel("Binary.toml")). When hc loads a policy from a file, it will now run a pre-processing step to re-interpret the contents of #rel() as a path relative to the directory containing the policy file itself. In this way, #rel("Binary.toml") indicates a file in the same directory as the policy file. We have applied this macro to the default policy file that releases with Hipcheck, so now plugins that rely on config files can correctly locate them.
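To illustrate what such a pre-processing step does, here is an added example (not Hipcheck's own code) of a scanner that rewrites every #rel("...") occurrence in policy text into a plain KDL string holding the path joined onto the policy file's directory. The function name expand_rel_macros and the policy snippet in the test are constructed for this example; it assumes the macro argument contains no escaped quotes.

```rust
use std::path::{Path, PathBuf};

/// Expand every `#rel("...")` macro in `policy_text` into a quoted KDL string
/// whose value is the argument resolved against `policy_dir`, the directory
/// that contains the policy file. Hypothetical helper, not hc's implementation.
pub fn expand_rel_macros(policy_text: &str, policy_dir: &Path) -> Result<String, String> {
    const OPEN: &str = "#rel(\"";
    const CLOSE: &str = "\")";
    let mut out = String::with_capacity(policy_text.len());
    let mut rest = policy_text;

    while let Some(start) = rest.find(OPEN) {
        // Copy everything before the macro untouched.
        out.push_str(&rest[..start]);
        let after_open = &rest[start + OPEN.len()..];
        let end = after_open
            .find(CLOSE)
            .ok_or_else(|| format!("unterminated #rel() macro near byte {start}"))?;
        let raw = &after_open[..end];

        // Path::join keeps an absolute argument as-is and otherwise anchors the
        // relative path at the policy file's directory, not the cwd of hc.
        let resolved: PathBuf = policy_dir.join(raw);

        // KDL strings use backslash escapes, so escape backslashes and quotes
        // (relevant for Windows-style paths) before emitting the literal.
        let literal = resolved
            .to_string_lossy()
            .replace('\\', "\\\\")
            .replace('"', "\\\"");
        out.push('"');
        out.push_str(&literal);
        out.push('"');

        rest = &after_open[end + CLOSE.len()..];
    }
    out.push_str(rest);
    Ok(out)
}
```

A hardened version would also decide whether a resolved path is allowed to escape the policy directory (for example via ".." components) before handing it to a plugin.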
This release also includes the initial implementation of RFD #5, a refactor of our target resolution mechanism. While for now the changes are mostly internal, there are a few improvements for users. Firstly, there is better fuzzy-matching for finding the git repo tag associated with a given SemVer version string. Even more exciting, NPM and PyPI packages specified without a version will now cause Hipcheck to find the repo tag associated with the latest version of that package. Previously, a user would have to use the --ref flag and specify a Git reference or commit directly if a package version was not provided.
We're always looking for new contributors! If you'd like to learn more about Hipcheck and get involved in contributing, please check out our Roadmap and feel free to get in touch with us through our Discussions board!
As always, we want to say a big "Thank you!" to everyone who supports the project at MITRE, to CISA for sponsoring our current work on it, to our prior government sponsors who have helped advance Hipcheck, and to everyone who has contributed, given feedback, or encouraged us in building it.
The following team members contributed to this release: