
Nosey Parker v0.18.0

@bradlarsen bradlarsen released this 27 Jun 20:53 (commit b5eb7b7)

Docker Images

A prebuilt multiplatform Docker image for this release is available for x86_64 and ARM64 architectures:

docker pull ghcr.io/praetorian-inc/noseyparker:v0.18.0

Additionally, a prebuilt Alpine-based image is also available for x86_64 and ARM64 architectures:

docker pull ghcr.io/praetorian-inc/noseyparker-alpine:v0.18.0

Additions

  • The README now includes several animated GIFs that demonstrate simple example use cases (#154).

  • The report command now offers a new --finding-status=STATUS filtering option (#162). This option causes findings with an assigned status that does not match STATUS to be suppressed from the report.

  • The report command now offers a new --min-score=SCORE filtering option (#184). This option causes findings that have a mean score less than SCORE to be suppressed from the report. This option is set by default with a value of 0.05.
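The two report filters above compose: a finding is suppressed if its assigned status differs from the requested one, or if the mean of its match scores falls below the threshold. The following is an added example (not Nosey Parker's own code) that reproduces those semantics over a constructed list of findings; the record layout (`status`, per-match `scores`) and the treatment of findings with no scored matches are assumptions made for the illustration, not the tool's actual report format.

```python
"""Added example: model the filtering done by `report --finding-status=STATUS`
and `report --min-score=SCORE` (default 0.05 in v0.18.0)."""
from statistics import mean

# Constructed sample data (hypothetical). Each finding carries the scores of
# its individual matches and an optional assigned status.
SAMPLE_FINDINGS = [
    {"id": "f1", "rule": "AWS API Key",      "status": "accept", "scores": [0.95, 0.90]},
    {"id": "f2", "rule": "Generic Secret",   "status": "reject", "scores": [0.80]},
    {"id": "f3", "rule": "Generic Password", "status": None,     "scores": [0.02, 0.04]},
    {"id": "f4", "rule": "Generic Password", "status": None,     "scores": [0.60, 0.01]},
    {"id": "f5", "rule": "Unscored Rule",    "status": "accept", "scores": []},
]

DEFAULT_MIN_SCORE = 0.05  # the default stated in the release notes


def mean_score(finding):
    """Mean of the finding's match scores, or None when no match is scored."""
    scores = finding["scores"]
    return mean(scores) if scores else None


def filter_findings(findings, *, finding_status=None, min_score=DEFAULT_MIN_SCORE):
    """Return the findings that survive both filters, preserving order."""
    kept = []
    for f in findings:
        # --finding-status: drop findings whose assigned status differs.
        if finding_status is not None and f["status"] != finding_status:
            continue
        # --min-score: drop findings whose mean match score is below SCORE.
        # Assumption for this example: a finding with no scored matches has
        # no mean score and is therefore not suppressed by this filter.
        ms = mean_score(f)
        if ms is not None and ms < min_score:
            continue
        kept.append(f)
    return kept


def kept_ids(findings, **kwargs):
    """Convenience wrapper returning only the surviving finding ids."""
    return [f["id"] for f in filter_findings(findings, **kwargs)]


if __name__ == "__main__":
    print("default filters:", kept_ids(SAMPLE_FINDINGS))
    print("status=accept:  ", kept_ids(SAMPLE_FINDINGS, finding_status="accept"))
    print("min-score=0.5:  ", kept_ids(SAMPLE_FINDINGS, min_score=0.5))
```

Note that a finding with one strong match and several weak ones (f4 above) keeps a mean well above 0.05, so the default threshold mostly removes findings where every match scored low, not findings with a single poor match.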

  • A new datastore export command has been added (#166). This command exports the essential content from a Nosey Parker datastore as a .tgz file that can be extracted wherever it is needed.

  • New experimental annotations export and annotations import commands have been added (#171). These commands allow annotations (finding comments, match comments, and match statuses) to be converted between JSON and datastore representations.

  • New rules have been added:

    • AWS API Credentials (#190)
    • AWS AppSync API Key (#176)
    • Azure Personal Access Token (#193)
    • Base64-PEM-Encoded Private Key (#192)
    • Databricks Personal Access Token (#187 from @tobiasgyoerfi)
    • Google OAuth Credentials (#193)
    • Password Hash (Kerberos 5, etype 23, AS-REP) (#176)

  • Prebuilt releases now include separate debug symbols (.dSYM or .dwp files) (#191). Having the debug symbols available makes stack traces more useful in the rare event of a crash. The Alpine-based Docker image does not include these debug symbols, as its point of existing is to provide a small distribution.

  • The summarize command now includes additional columns for the assigned finding status (#196).

Changes

  • The vendored copy of Boost included in the internal vectorscan-sys crate has been removed in favor of using the system-provided Boost (#150 from @seqre). This change is only relevant to building Nosey Parker from source.

  • The vendored copy of the Vectorscan regular expression library included in the internal vectorscan-sys crate has been removed (#151 from @seqre). Instead, a copy of the Vectorscan 5.4.11 source tarball is included in this repository, and is extracted and patched during the build phase.

  • SARIF reporting format is now listed as experimental.

  • In the scan and rules commands, the command-line option to load additional rules and rulesets from files has been renamed from --rules to --rules-path. The old --rules option is still supported as an alias, but this is deprecated and will be removed in the v0.19 release.

  • The rules list command now includes additional fields when using JSON format (#161).

  • The vectorscan and vectorscan-sys crates have been split off into a separate project with crates published on crates.io (#168).

  • The scan command is now more conservative in its default degree of parallelism (#174). Previously the default value was determined only by the number of available vCPUs. Now the default value is additionally limited to ensure at least 4 GiB of system RAM per job.

  • The scan command now records its results incrementally to the datastore instead of in one enormous transaction (#189). Now, results are recorded in transactions about every second. This helps avoid complete loss of scan results in the rare event of a crash.

Fixes

  • A rare crash when parsing malformed Git commit timestamps has been fixed by updating the gix-date dependency (#185).

  • Upon noseyparker startup, if resource limits cannot be adjusted, instead of crashing, a warning is printed and the process attempts to continue (#170).

  • The prepackaged releases and binaries produced by the default settings of cargo build should now be more portable across microarchitectures (#175). Previously, the builds would be tied to the microarchitecture of the build system; this would sometimes result in binaries that were not portable across machines, particularly on x86_64.

  • The --ignore-certs command-line option is now a global option and can be specified anywhere on the command line.