v0.5.5
Security
- CodeQL SAST — static analysis with build-mode manual (100% source coverage), zero open alerts gate
- Shell injection elimination — replaced
system()calls withcbm_exec_no_shell()(fork+execvp), no tainted data reaches a shell - snprintf overflow fixes — 11 buffer overflow vulnerabilities fixed (clamp offset after each append)
- TOCTOU race fixes — atomic file permissions, open-then-fstat pattern
- 31 security defense tests — shell injection, SQLite authorizer, SQL injection via Cypher, path containment, shell-free exec
- Fuzz testing — random/mutated JSON-RPC + Cypher inputs on every build
- Native antivirus scanning — Windows Defender, ClamAV (Linux + macOS) on every build
- VirusTotal zero-tolerance gate — all release binaries scanned by 70+ engines before publish
- SLSA provenance + Sigstore cosign + SBOM (SPDX 2.3) + SHA-256 checksums
- GitHub Actions pinned to SHA with Dependabot
Antivirus false positive prevention
Added multi-layer AV scanning to the build pipeline to catch and prevent false positives before they reach users. Removed DLL resolve tracking strings that triggered heuristic detection. Every binary in this release has been verified clean by 70+ antivirus engines via VirusTotal. (Fixes #89)
New features
- Content-Length framed transport — OpenCode compatibility
- 10 agent detection — OpenClaw + VS Code support
- Dual MCP config location —
~/.claude/.mcp.json+~/.claude.json
Bug fixes
- Fix Swift call extraction: 0 CALLS edges (#43)
- Fix Laravel route false positives: extension scoping + path filter (PR #65)
- Port FastAPI Depends() edge tracking (PR #66)
- Keep WAL journal mode during bulk write (PR #72)
- Fix VS Code compatibility (PR #79)
- Remove DLL resolve tracking (Windows Defender false positive)
Contributors
Thanks to @halindrome, @bingh0, @mariomeyer, @kingchenc for code contributions, and @Maton-Nenoso for reporting #89 which led to the comprehensive AV scanning infrastructure in this release.
Security Verification
All release binaries have been independently verified:
VirusTotal — scanned by 70+ antivirus engines:
| Binary | Scan |
|---|---|
| codebase-memory-mcp-darwin-amd64 | View Report |
| codebase-memory-mcp-darwin-arm64 | View Report |
| codebase-memory-mcp-linux-amd64 | View Report |
| codebase-memory-mcp-linux-arm64 | View Report |
| codebase-memory-mcp-ui-darwin-amd64 | View Report |
| codebase-memory-mcp-ui-darwin-arm64 | View Report |
| codebase-memory-mcp-ui-linux-amd64 | View Report |
| codebase-memory-mcp-ui-linux-arm64 | View Report |
| codebase-memory-mcp-ui.exe | View Report |
| codebase-memory-mcp-windows-amd64.exe | View Report |
| LICENSE | View Report |
| Build Provenance (SLSA) — cryptographic proof each binary was built by GitHub Actions from this repo: |
gh attestation verify <downloaded-file> --repo DeusData/codebase-memory-mcp
Sigstore cosign — keyless signature verification:
cosign verify-blob --bundle <file>.bundle <file>
Native antivirus scans — all binaries passed these scans before this release was created (any detection would have blocked the release):
- Windows: Windows Defender with ML heuristics (the same engine end users run)
- Linux: ClamAV with daily signature updates
- macOS: ClamAV with daily signature updates
SBOM — Software Bill of Materials (sbom.json) lists all vendored dependencies.
See SECURITY.md for full details.
