
Nosey Parker v0.22.0

bradlarsen released this 20 Dec 19:41

Docker Images

A prebuilt multiplatform Docker image for this release is available for x86_64 and ARM64 architectures:

docker pull ghcr.io/praetorian-inc/noseyparker:v0.22.0

Additionally, a prebuilt Alpine-based image is also available for x86_64 and ARM64 architectures:

docker pull ghcr.io/praetorian-inc/noseyparker-alpine:v0.22.0

Breaking Changes

  • The JSON output format from report has changed slightly (#236).

    Now, the JSON representation of provenance entries from extensible enumerators (i.e., scan --enumerator=FILE, introduced in v0.20.0) includes an additional "payload" field around the actual provenance content. For example, an extended provenance entry that previously would look like this:

    {"kind": "extended", "filename": "input.txt"}
    

    is now represented like this:

    {"kind": "extended", "payload": {"filename": "input.txt"}}
    

    This fixes a bug in v0.20.0 where provenance entries from an extensible enumerator could only be JSON objects, instead of arbitrary JSON values as claimed by the documentation.
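Consumers of the JSON report that read extended provenance entries need to account for this change when they upgrade. The following is an added example, not code from Nosey Parker itself: it normalizes an extended provenance entry from either the v0.20.0 inline form or the v0.22.0 "payload" form, and walks a report to collect the payloads. The sample report is constructed here; the surrounding report structure (a list of findings, each with "matches", each match with a "provenance" list) and the shape of the "file" provenance entry are assumptions for the example, since the release notes only show the extended-entry shapes.

```python
"""Read extended provenance entries from Nosey Parker JSON reports (v0.20.0 and v0.22.0 forms)."""
import json
from typing import Any, Iterator


def extended_payload(entry: dict) -> Any:
    """Return the enumerator-supplied payload of an "extended" provenance entry.

    v0.22.0 wraps the payload:  {"kind": "extended", "payload": <any JSON value>}
    v0.20.0 put the payload's keys inline next to "kind", which only worked
    when the payload was a JSON object. Both forms are accepted so reports
    written by either version can be processed.
    """
    if entry.get("kind") != "extended":
        raise ValueError(f"not an extended provenance entry: {entry!r}")
    if "payload" in entry:
        # v0.22.0 form: the payload may be an object, string, list, number, ...
        return entry["payload"]
    # v0.20.0 form: every key other than the discriminator belongs to the payload.
    # (A v0.20.0 payload that itself had a "payload" key is indistinguishable
    # from the new form; that ambiguity is inherent to the old encoding.)
    return {k: v for k, v in entry.items() if k != "kind"}


def iter_extended_provenance(report: list) -> Iterator[tuple[str, Any]]:
    """Yield (rule_name, payload) for every extended provenance entry in a report.

    Assumed report layout: [{"rule_name": ..., "matches": [{"provenance": [...]}]}].
    Non-extended entries (e.g. kind "file") are skipped.
    """
    for finding in report:
        rule = finding.get("rule_name", "<unknown rule>")
        for match in finding.get("matches", []):
            for entry in match.get("provenance", []):
                if entry.get("kind") == "extended":
                    yield rule, extended_payload(entry)


def collect_extended_payloads(report: list) -> list[tuple[str, Any]]:
    """Materialize iter_extended_provenance() so results can be inspected or asserted on."""
    return list(iter_extended_provenance(report))


# Constructed sample report mixing both encodings and several payload types.
SAMPLE_REPORT = json.loads(r'''
[
  {
    "rule_name": "Generic API Key",
    "matches": [
      {
        "provenance": [
          {"kind": "file", "path": "/scan/config.yml"},
          {"kind": "extended", "payload": {"filename": "input.txt"}},
          {"kind": "extended", "payload": "s3://example-bucket/object-key"},
          {"kind": "extended", "payload": ["ticket-123", 42]}
        ]
      }
    ]
  },
  {
    "rule_name": "Slack User Token",
    "matches": [
      {"provenance": [{"kind": "extended", "filename": "legacy-input.txt"}]}
    ]
  }
]
''')

if __name__ == "__main__":
    for rule, payload in collect_extended_payloads(SAMPLE_REPORT):
        print(f"{rule}: {json.dumps(payload)}")
```

The v0.22.0 wrapper is what makes the string and list payloads above representable at all; the old inline encoding had nowhere to put a non-object value, which is the bug the release notes describe.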

  • The datastore schema has changed in order to support a new finding deduplication mechanism (#239). Datastores from previous versions of Nosey Parker are not supported.

  • The report command now reports at most 3 provenance entries per match by default (#239). This can be overridden with the new --max-provenance=N option.

  • The report command now includes finding and match IDs in its default "human" format (#239).

  • The scan command now prints a simplified summary at the end, without the unpopulated status columns (#239).

Fixes

  • The Blynk Organization Client Credentials rule now has a non-varying number of capture groups.

  • Fixed a typo in the report command that could cause a diagnostic message about suppressed matches to be incorrect (#239).

  • Release binaries are no longer stripped of symbols, just of debug info. This should improve stack trace collection in the event of a crash on Linux systems.

Changes

  • The Slack Bot Token rule has been modified to match additional cases.
  • The rules check command now more thoroughly checks the number of capture groups of each rule.

Additions

  • A new finding deduplication mechanism is enabled by default when reporting (#239). This mechanism suppresses matches and findings that overlap with others if they are less specific. For example, a single blob might contain text that matches both the HTTP Bearer Token and Slack User Token rules; the less-specific HTTP Bearer Token match will be suppressed.

  • New rules have been added:

    • Connection String in .NET Configuration (#238)
    • Credentials in .NET System.DirectoryServices.DirectoryEntry (#234)
    • Credentials in .NET System.Net.NetworkCredential (#234)
    • Kubernetes Bootstrap Token (#235)
    • Sensitive Value in .NET Configuration (#237)
    • TeamCity API Token (#240)
  • Rules now contain an optional description string field. This is intended to be a message for human consumption that indicates (a) what was detected and (b) how an attacker might use it. Only a few rules have descriptions so far. Use rules list -f json to see them.

  • The report command has a new --max-provenance=N option that limits the number of provenance entries displayed for any single match (#239). A negative number means "no limit". The default value is 3.