Nosey Parker v0.22.0

[bradlarsen]

Breaking Changes

• The JSON output format from report has changed slightly (#236).

  Now, the JSON representation of provenance entries from extensible enumerators (i.e., scan --enumerator=FILE, introduced in v0.20.0) includes an additional "payload" field around the actual provenance content. For example, an extended provenance entry that previously would look like this:

  {"kind": "extended", "filename": "input.txt"}
  

  is now represented like this:

  {"kind": "extended", "payload": {"filename": "input.txt"}}
  

  This fixes a bug in v0.20.0 where provenance entries from an extensible enumerator could only be JSON objects, instead of arbitrary JSON values as claimed by the documentation.

• The datastore schema has changed in order to support a new finding deduplication mechanism (#239). Datastores from previous versions of Nosey Parker are not supported.

• The report command now reports at most 3 provenenance entries per match by default (#239). This can be overridden with the new --max-provenance=N option.

• The report command now includes finding and match IDs in its default "human" format (#239).

• The scan command now prints a simplified summary at the end, without the unpopulated status columns (#239).

Fixes

• The Blynk Organization Client Credentials rule now has a non-varying number of capture groups

• Fixed a typo in the report command that could cause a diagnostic message about suppressed matches to be incorrect (#239).

• Release binaries are no longer stripped of symbols, just of debug info. This should improve stack trace collection in the event of a crash on Linux systems.

Changes

• The Slack Bot Token rule has been modified to match additional cases.
• The rules check command now more thoroughly checks the number of capture groups of each rule.

Additions

• A new finding deduplication mechanism is enabled by default when reporting (#239). This mechanism suppresses matches and findings that overlap with others if they are less specific. For example, a single blob might contain text that matches both the HTTP Bearer Token and Slack User Token rules; the less-specific HTTP Bearer Token match will be suppressed.

• New rules have been added:

  • Connection String in .NET Configuration (#238)
  • Credentials in .NET System.DirectoryServices.DirectoryEntry (#234)
  • Credentials in .NET System.Net.NetworkCredential (#234)
  • Kubernetes Bootstrap Token (#235)
  • Sensitive Value in .NET Configuration (#237)
  • TeamCity API Token (#240)

• Rules now contain an optional description string field. This is intended to be a message for human consumption that indicates (a) what was detected and (b) how an attacker might use it. Only a few rules have descriptions so far. Use rules list -f json to see.

• The report command has a new --max-provenance=N option that limits the number of provenance entries displayed for any single match (#239). A negative number means "no limit". The default value is 3.

---

This discussion was created from the release Nosey Parker v0.22.0.