Skip to content

Nosey Parker v0.17.0

Compare
Choose a tag to compare
@bradlarsen bradlarsen released this 05 Mar 15:00
· 162 commits to main since this release

Docker Images

A prebuilt multiplatform Docker image for this release is available for x86_64 and ARM64 architectures:

docker pull ghcr.io/praetorian-inc/noseyparker:v0.17.0

Additionally, a prebuilt Alpine-based image is also available for x86_64 and ARM64 architectures:

docker pull ghcr.io/praetorian-inc/noseyparker-alpine:v0.17.0

Additions

  • A new --ignore-certs command-line option has been added to the scan and github commands. This option causes TLS certificate validation to be skipped (#125; thank you @seqre).

  • The scan and github commands now support the --all-organizations flag. When supplied along with a custom GitHub API URL, Nosey Parker will scan the provided GitHub instance for all organizations to be further enumerated for additional repositories (#126; thank you @seqre).

  • New rules have been added (thank you @gemesa):

    • Adafruit IO Key (#114)
    • Blynk Device Access Token (#117)
    • Blynk Organization Access Token (URL first) (#117)
    • Blynk Organization Access Token (URL last) (#117)
    • Blynk Organization Client ID (URL first) (#117)
    • Blynk Organization Client ID (URL last) (#117)
    • Blynk Organization Client Secret (URL first) (#117)
    • Blynk Organization Client Secret (URL last) (#117)
    • Docker Hub Personal Access Token (#108)
    • Doppler CLI Token (#111)
    • Doppler Personal Token (#111)
    • Doppler Service Token (#111)
    • Doppler Service Account Token (#111)
    • Doppler SCIM Token (#111)
    • Doppler Audit Token (#111)
    • Dropbox Access Token (#106)
    • particle.io Access Token (URL first) (#113)
    • particle.io Access Token (URL last) (#113)
    • ThingsBoard Access Token (#112)
    • ThingsBoard Provision Device Key (#112)
    • ThingsBoard Provision Device Secret (#112)
    • TrueNAS API Key (WebSocket) (#110)
    • TrueNAS API Key (REST API) (#110)
    • WireGuard Private Key (#104)
    • WireGuard Preshared Key (#104)
  • A new generate command has been added, which generates various assets that are included in prebuilt releases:

    • Shell completion scripts via generate shell-completions
    • A JSON Schema for the report -f json output via generate json-schema (#128)
    • Manpages via generate manpages (#88)

Fixes

  • Several rules have been fixed that in certain circumstances would fail to match and produce a runtime error message:

    • Google API Key
    • ODBC Connection String
    • Sauce Token
  • The netrc Credentials rule has been modified to avoid a runtime message about an empty capture group.

  • The JSON Web Token (base64url-encoded) rule has been improved to reduce false positives. Thank you @saullocarvalho for the bug report.

  • The prebuilt releases now include shell completion scripts for bash, fish, elvish, powershell, and zsh, instead of 5 copies of the zsh completions (#132; thank you @Marcool04).

Changes

  • The minimum supported Rust version has been changed from 1.70 to 1.76.

  • The data model and datastore have been significantly overhauled:

    • The rules used during scanning are now explicitly recorded in the datastore. Each rule is additionally accompanied by a content-based identifier that uniquely identifies the rule based on its pattern.

    • Each match is now associated with the rule that produced it, rather than just the rule's name (which can change as rules are modified).

    • Each match is now assigned a unique content-based identifier.

    • Findings (i.e., groups of matches with the same capture groups, produced by the same rule) are now represented explicitly in the datastore. Each finding is assigned a unique content-based identifier.

    • Now, each time a rule matches, a single match object is produced. Each match in the datastore is now associated with an array of capture groups. Previously, a rule whose pattern had multiple capture groups would produce one match object for each group, with each one being associated with a single capture group.

    • Provenance metadata for blobs is recorded in a much simpler way than before. The new representation explicitly records file and git-based provenance, but also adds explicit support for extensible provenance. This change will make it possible in the future to have Nosey Parker scan and usefully report blobs produced by custom input data enumerators (e.g., a Python script that lists files from the Common Crawl WARC files).

    • Scores are now associated with matches instead of findings.

    • Comments can now be associated with both matches and findings, instead of just findings.

  • The JSON and JSONL report formats have changed. These will stabilize in a future release (#101).

    • The matching_input field for matches has been removed and replaced with a new groups field, which contains an array of base64-encoded bytestrings.

    • Each match now includes additional rule_text_id, rule_structural_id, and structural_id fields.

    • The provenance field of each match is now slightly different.

  • Schema migration of older Nosey Parker datastores is no longer performed. Previously, this would automatically and silently be done when opening a datastore from an older version. Explicit support for datastore migration may be added back in a future release.

  • The shell-completions command has been moved from the top level to a subcommand of generate.