Nosey Parker v0.22.0 #243

bradlarsen · 2024-12-20T19:41:55Z

bradlarsen
Dec 20, 2024

The JSON output format from report has changed slightly (#236).

Now, the JSON representation of provenance entries from extensible enumerators (i.e., scan --enumerator=FILE, introduced in v0.20.0) includes an additional "payload" field around the actual provenance content. For example, an extended provenance entry that previously would look like this:
```
{"kind": "extended", "filename": "input.txt"}
```
is now represented like this:
```
{"kind": "extended", "payload": {"filename": "input.txt"}}
```
This fixes a bug in v0.20.0 where provenance entries from an extensible enumerator could only be JSON objects, instead of arbitrary JSON values as claimed by the documentation.
The datastore schema has changed in order to support a new finding deduplication mechanism (#239). Datastores from previous versions of Nosey Parker are not supported.
The report command now reports at most 3 provenenance entries per match by default (#239). This can be overridden with the new --max-provenance=N option.
The report command now includes finding and match IDs in its default "human" format (#239).
The scan command now prints a simplified summary at the end, without the unpopulated status columns (#239).

The Blynk Organization Client Credentials rule now has a non-varying number of capture groups
Fixed a typo in the report command that could cause a diagnostic message about suppressed matches to be incorrect (#239).
Release binaries are no longer stripped of symbols, just of debug info. This should improve stack trace collection in the event of a crash on Linux systems.

The Slack Bot Token rule has been modified to match additional cases.
The rules check command now more thoroughly checks the number of capture groups of each rule.

A new finding deduplication mechanism is enabled by default when reporting (#239). This mechanism suppresses matches and findings that overlap with others if they are less specific. For example, a single blob might contain text that matches both the HTTP Bearer Token and Slack User Token rules; the less-specific HTTP Bearer Token match will be suppressed.
New rules have been added:
- Connection String in .NET Configuration (#238)
- Credentials in .NET System.DirectoryServices.DirectoryEntry (#234)
- Credentials in .NET System.Net.NetworkCredential (#234)
- Kubernetes Bootstrap Token (#235)
- Sensitive Value in .NET Configuration (#237)
- TeamCity API Token (#240)
Rules now contain an optional description string field. This is intended to be a message for human consumption that indicates (a) what was detected and (b) how an attacker might use it. Only a few rules have descriptions so far. Use rules list -f json to see.
The report command has a new --max-provenance=N option that limits the number of provenance entries displayed for any single match (#239). A negative number means "no limit". The default value is 3.

This discussion was created from the release Nosey Parker v0.22.0.