Releases: owasp-noir/noir
v0.18.3
What's Changed
- Fix URL Path Handling Issues in Django and Spring Analyzers by @ksg97031 in #450
- Add completion:check Rake Task by @hahwul in #451
- Enhance deadlinks workflow by @hahwul in #452
- Fix documentation link for output formats in basic.md by @hahwul in #454
- Fix: Improve Java lexer and endpoint parsing to resolve crashes and newline issues by @ksg97031 in #455
- Update community articles and add DAST pipeline documentation by @hahwul in #457
- Enhance technology listing (--list-techs) output formatting and hierarchy by @hahwul in #460
- Prevent duplicate URL printing in output by @hahwul in #461
Full Changelog: v0.18.2...v0.18.3
v0.18.2
v0.18.1
v0.18.0
What's Changed
New Features:
- Implement Passive Scan (flags: -P --passive-scan and --passive-scan-path)
- Introduce the following flags: --status-codes and --exclude-codes
Improvements:
- Introduce a new detector and analyzer: ActixWeb (Rust)
- Add a path parameter to an endpoint
- Enhance performance
- Enhance shell completion
- Integrate fish shell completion
- Enhance completion for homebrew
Code Refactoring and Enhancement:
- Modularize code
- Re-Design NoirOptions
- Enhance unit tests
- Update dependencies
Documentation
- Enhance documents
Full Changelog: v0.17.0...v0.18.0
v0.17.0
What's Changed
- Enhanced output formats for improved readability.
- Improved diff mode functionality.
- Added new output format option (-only-tag).
- Opened a documentation site, and expanded and updated the documentation.
- Continuous Integration (CI) updates.
- Enhanced logging and application log features.
- Improved unit test code coverage and quality.
- Upgraded analyzer with new features:
  - Java Spring: Added parsing logic for application.properties files.
- Code refactoring for better performance and maintainability.
- Security Issue
  - Rebuilt the snapcraft package to fix https://ubuntu.com/security/notices/USN-6937-1/
Full Changelog: v0.16.1...v0.17.0
Enhanced output formats
We've made significant changes to the default output format to enhance readability, and we believe we've achieved that goal. We'll continue to research and make improvements as we go forward!
Documentation
Noir now has an official documentation page. Currently, it focuses on basic usage, but we plan to expand it to include tips and other content. Contributions to the documentation are always welcome.
Add new flag —only-tag
You can now gather only tags from Noir results, giving you insights into key risks and technologies used in the source code.
noir -b <TARGET> -T -f only-tag
# ....
# sqli
# oauth
# websocket
This feature helps you quickly identify the main risks and technologies in your code, improving efficiency in the initial analysis phase.
Next plan
Looking ahead, we're excited to announce our plans to expand the Tagger. We're aiming for a Rule(YAML)-based Passive Scan, and we've completed our internal discussions on its structure. Now it's time to build it. Stay tuned for v0.18.0! We also plan to improve MiniLexer and MiniParser.
Lastly, any contributions, from simple typo corrections to code modifications, are a great help in maintaining the project. We're open to all contributions, and Discussions and PRs are always welcome.
cc @ksg97031
v0.16.1
v0.16.0
What's Changed
- Add Config Home directory
  - Noir now has a home directory under the user's Config directory (e.g., ~/.config/noir).
  - A config.yaml file is automatically created in this directory, allowing you to easily specify configurations that will be persistently applied.
  - Additionally, this directory will be used in the future to store rules for PassiveScan(Tagger).
  - You can change the config home directory by setting the NOIR_HOME environment variable.
- Improve Spring Kotlin Analyzers
  - The Kotlin Spring analyzer now supports parameter analysis similarly to the Java Spring analyzer.
- Add support for generating completions (zsh, bash)
- Add diff mode
- Update dependencies, fix bugs, and improve code
- Add new flags
  - --diff-path: Specify the path to compare with the base path (-b). The scan results of the base path and the specified path will be compared.
  - --build-info: Display build information, including versions of Crystal, LLVM, and other relevant components.
  - --generate-completion: Generate completion scripts for shells like zsh and bash.
Full Changelog: v0.15.1...v0.16.0
v0.15.1
v0.15.0
What's Changed
- Support Restify(JS), Beego(Go) and Rocket(Rust)
- Support arm64 Docker image
- Add new tags: CORS, SOAP, WebSocket
- Improve Java Spring Analyzer (Add support for WebFlux base paths and fix RequestMethod parsing)
- Improve docker image, techs structure and code
- Fixed bug (#276)
Full Changelog: v0.14.0...v0.15.0
v0.14.0
What's Changed
Tagger
Automatically tags identified information during source code analysis to provide valuable insights for security engineers and Dynamic Application Security Testing (DAST) tools.
- Add new flags
  - -T (--use-all-taggers)
  - --use-taggers
  - --list-taggers
- Available taggers:
  - hunt
  - oauth
Tags can be applied either to an Endpoint or to a Parameter within an Endpoint, and each tag includes both the name and description of the information.
Support HAR
We now support the HAR format. The HAR format works closely with the -u argument, identifying and processing as an Endpoint any URLs provided by the user that exist within the HAR data.
This integration with the -u argument is essential, as the HAR file may contain numerous addresses beyond the domain of interest to the analyst.
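The scoping described above, sketched as an added example (this is not Noir's own code, which is written in Crystal). The function name and the HAR sample are constructed, and treating "in scope" as an exact scheme and host match with the -u value is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR 1.2 sample: one capture mixing in-scope and third-party traffic.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://app.example.test/api/users?id=7",
                 "queryString": [{"name": "id", "value": "7"}]}},
    {"request": {"method": "POST", "url": "https://app.example.test/login",
                 "queryString": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "user", "value": "a"},
                                         {"name": "pw", "value": "b"}]}}},
    {"request": {"method": "GET", "url": "https://cdn.thirdparty.test/lib.js",
                 "queryString": []}},
    {"request": {"method": "GET", "url": "https://app.example.test/api/users?id=9",
                 "queryString": [{"name": "id", "value": "9"}]}},
]}})


def endpoints_from_har(har_text, base_url):
    """Return in-scope endpoints as {(method, path): sorted parameter names}."""
    base = urlsplit(base_url)
    scope = (base.scheme.lower(), base.netloc.lower())
    found = {}
    for entry in json.loads(har_text).get("log", {}).get("entries", []):
        req = entry.get("request", {})
        url = urlsplit(req.get("url", ""))
        # Compare the parsed scheme and host: a plain string-prefix test would
        # also accept look-alike hosts such as app.example.test.other.test.
        if (url.scheme.lower(), url.netloc.lower()) != scope:
            continue
        params = {q["name"] for q in req.get("queryString", [])}
        params |= {p["name"] for p in req.get("postData", {}).get("params", [])}
        # Repeated requests to the same method and path collapse into one endpoint.
        key = (req.get("method", "GET").upper(), url.path or "/")
        found.setdefault(key, set()).update(params)
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    result = endpoints_from_har(SAMPLE_HAR, "https://app.example.test")
    for (method, path), params in result.items():
        print(method, path, params)
```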
ETC
- Update project description in snapcraft.yaml by @hahwul in #255
- Update SECURITY.md with improved vulnerability reporting instructions by @hahwul in #259
- Add public dir process in crystal-kemal by @hahwul in #258
- Update Crystal versions in CI workflow and shard.yml by @hahwul in #254
Full Changelog: v0.13.0...v0.14.0