Releases: seqra/opentaint

analyzer/2026.04.28.a5cb123

28 Apr 13:52
a5cb123

  • 🐞 Fix AA cancellation (#108)

analyzer/latest

28 Apr 13:52
a5cb123

Pre-release

Floating release tracking the latest analyzer version (v2026.04.28.a5cb123)

v0.2.1

28 Apr 08:47
efc4fe3

Changelog

  • efc4fe3 fix(cli): Update bundled dependency versions (#106)

v0.2

28 Apr 08:58
efc4fe3

Pre-release

Floating release tracking the latest CLI v0.2.x version (v0.2.1)

latest

28 Apr 08:57
efc4fe3

Pre-release

Floating release tracking the latest CLI version (v0.2.1)

analyzer/2026.04.23.eabac92

23 Apr 12:22
eabac92

  • 🎁 More stable fingerprints (#105)

analyzer/2026.04.22.db77b75

22 Apr 15:47
db77b75

  • 🎁 Add source-sink fingerprint (without trace) (#103)

analyzer/2026.04.22.3d3d9a7

22 Apr 10:07
3d3d9a7

  • 🐞 Fix throw inst handling in AA (#100)

v0.2.0

17 Apr 17:48
38ef4f8

0.2.0 (2026-04-17)

A quality-of-life release: scans run with no flags, compiled project models are cached and shared safely
between processes, and the analysis engine got a substantial IFDS rework.

Scan: zero-friction defaults

  • opentaint scan now defaults to the current directory — no path argument required.
  • -o/--output is no longer mandatory; SARIF is written to a default location.
  • New --project-model <path>: scan a pre-compiled project model and skip compilation.
  • New --recompile: force a fresh build even when a cached model exists.
  • New --log-file <path>: redirect logs explicitly.

Compilation model cache

  • Compiled project models are cached under ~/.opentaint/. Repeated scans of the same project skip compilation
    unless --recompile is passed.

Safe concurrency

  • New reader/writer lock API protects the model cache, prune operations, and install state.
  • Concurrent scan, prune, and self-update invocations do not corrupt shared state — conflicting operations
    either wait or fail loudly with a clear message.

prune reworked

  • Selective category flags: --artifacts, --rules, --jdk, --models, --logs, --install.
  • --all for a full sweep including install-tier and logs.
  • Default (no flags): artifacts + rules + jdk + models.
  • Active compilations are surfaced as "Skipped" instead of silently touched.
  • Auto-prune removed from self-update; users are nudged to run opentaint prune explicitly.

--debug replaces --verbosity

  • Single boolean -d/--debug flag replaces the old --verbosity string.
  • Streams JAR subprocess output and reveals debug-only fields.
  • GitHub Action mirrors this: the verbosity input is now a boolean debug input (#97).

Analysis engine

  • Major rework of the IFDS access-tree representation, access-graph, summary storage, and analysis runner —
    better scalability on large Spring applications.
  • pass-rules handling reworked for correctness.

Install / upgrade

    # fresh install
    curl -sSL https://opentaint.org/install.sh | sh

    # in-place upgrade
    opentaint self-update

🎁 Features

  • analyzer: Improve analysis engine (#96) (9421f80)
  • cli: Add scan defaults and compilation model caching (#89) (bc65934)
  • cli: Rework prune and self-update to respect installation style (#91) (862a871)

🐞 Bug Fixes

  • cli: Implement reader/writer lock API and improve cache handling (#94) (b1eb579)
  • cli: Refactor logging and CLI verbosity to debug flag (#95) (6cde010)
  • cli: Update bundled dependency versions (#98) (38ef4f8)

github/v0.3.0

17 Apr 22:50
8ad10a0

0.3.0 (2026-04-17)

🎁 Features

  • github: Rename verbosity input to debug (boolean) (#97) (8ad10a0)