v4.0.0
This release has been a long time in the making and brings some awesome improvements to the system as a whole and to the auto-discovery in particular. Some of these changes required minor breaking changes; you can find a summary of the most important breaking changes in the "💣 Breaking Changes" section below and a complete and detailed list in the Upgrading from 3.x - 4.x notes.
🚀 Features
- Allow multiple `scanTypes` to be used in the Service and Container AutoDiscovery @Ilyesbdlala (#1447)
- Add Cluster Wide Custom Resources (ClusterScanType, ClusterParseDefinition & ClusterScanCompletionHook) @J12934 (#1662): See more in ADR-12
- Enable Container AutoDiscovery to scan images from private repos @the-simmon (#1374, #1557): See more in ADR-17
- Added new `references` attribute to the finding format with unified references to CVEs, CWEs and other external references @Ilyesbdlala (#1676)
- Added optional `identified at` parameter to findings (for all scanners which include this info in their results) @Ilyesbdlala (#1434)
- Added new DNS Scanner: Doggo @rseedorff (#1446)
- Added option to specify a go template to configure where in the s3 bucket the result files (raw scanner results and `findings.json`) should be stored. @the-simmon & @J12934 (#1389, #1734)
💣 Breaking Changes
You can find detailed upgrade notes on these breaking changes in the upgrading documentation: Upgrading from 3.x - 4.x
Note that some breaking changes are not listed here and are only referenced in the linked upgrading notes.
- AutoDiscovery takes a list of scans in the config file, allowing it to start more than one scan for an identified resource @the-simmon (#1447)
- Container AutoDiscovery enabled by default and more consistent behavior compared to Service AutoDiscovery @the-simmon (#1112)
- SSH-Scan (Mozilla ssh_scan) is now considered deprecated as the tool is no longer maintained by Mozilla. As a replacement we've added an integration for ssh-audit. The ssh-scan integration is still in this release but will be removed in an upcoming release. @Reet00 & @sofi0071 (#1713)
- Improve Nmap Parser to handle multiple / ipv6 addresses and verbose output @J12934 (#1679)
- Findings Format: inconsistent ip address fields removed, replaced with standardized `ip_addresses` @J12934 (#1701, #1748)
- Allow multiple `scanTypes` to be used in the Service and Container AutoDiscovery @Ilyesbdlala (#1447)
- Added optional `mitigation` attribute to findings @Ilyesbdlala (#1639)
- Remove AngularCSTI Integration @J12934 (#1649)
- Renamed Amass `attributes.name` to `attributes.hostname` @Ilyesbdlala (#1605)
🚓 Security Scanner
- Added new DNS Scanner: Doggo @rseedorff (#1446)
- Added new SSH Scanner: ssh-audit @Reet00 & @sofi0071 (#1713)
- Remove AngularCSTI Scanner Integration @J12934 (#1649)
- Added optional `identified at` parameter to findings @Ilyesbdlala (#1434)
- Added `zap-advanced` configuration option to change reportType @rseedorff (#1632)
- Upgraded amass from v3.21.2 to v3.23.2 @secureCodeBoxBot (#1634, #1641, #1652, #1719)
- Upgraded ffuf from v1.5.0 to v2.0.0 @secureCodeBoxBot (#1579)
- Upgraded gitleaks from v8.15.2 to v8.16.3 @secureCodeBoxBot (#1559, #1614, #1615, #1643, #1665, #1697)
- Upgraded kubeaudit from 0.21.0 to 0.22.0 @secureCodeBoxBot (#1654)
- Upgraded nuclei from v2.8.3 to v2.9.6 @secureCodeBoxBot (#1527, #1544, #1561, #1590, #1648, #1671, #1698, #1712, #1721, #1735, #1743)
- Upgraded semgrep from 1.1.0 to 1.24.1 @secureCodeBoxBot (#1517, #1518, #1545, #1558, #1565, #1569, #1578, #1583, #1591, #1596, #1602, #1612, #1616, #1646, #1667, #1675, #1677, #1702, #1709, #1714, #1725, #1733, #1744)
- Upgraded sslyze from 5.0.6 to 5.1.3 @secureCodeBoxBot (#1555, #1637, #1670)
- Upgraded trivy from 0.35.0 to 0.42.0 @secureCodeBoxBot (#1546, #1572, #1587, #1599, #1617, #1622, #1636, #1644, #1668, #1681, #1695, #1706, #1745)
- Upgraded typo3scan from v1.1.1 to v1.1.2 @secureCodeBoxBot (#1653)
⚓️ Hooks
- Add Apikey in generic webhook @srburton (#1526)
- Make userid optional for defectdojo @the-simmon (#1412)
🐛 Bug Fixes
- Renames the hook.image.repository of update-field hook @Ilyesbdlala (#1685)
- Improve Nmap Parser to handle multiple / ipv6 addresses and verbose output @J12934 (#1679)
- Fixed Generic WebHook API Key not working correctly @Ilyesbdlala (#1673)
- Updated snapshot of typo3scan after upgrade @Ilyesbdlala (#1655)
- Added a check for empty Trivy `.Results` @Ilyesbdlala (#1640)
- Fix the link in ADR-0017 in order to fix the Netlify build @Ilyesbdlala (#1631)
- Includes minio authentication in operator makefile @Ilyesbdlala (#1577)
- Adds error handling to remote version fetching for the scb-bot @Ilyesbdlala (#1509)
📚 Documentation
- Add Upgrading Notes for Nuclei Findings @J12934 (#1502)
- Added/fixed missing scantypes @rseedorff (#1628)
- Change ADR-0007 State to DRAFT @Weltraumschaf (#1548)
- Enforced the use of the node version in .nvmrc @Ilyesbdlala (#1645)
- Fix that ADR 17 Breaks Documentation @Weltraumschaf (#1580)
- One failing matrix job no longer stops other version compare jobs @Ilyesbdlala (#1570)
- Remove codeclimate from contributing docs @Weltraumschaf (#1464)
- Removed unnecessary dependencies @Ilyesbdlala (#1690)
- Removed unnecessary initializing of scannerVersions in scanner Dockerfiles @Ilyesbdlala (#1625)
- The DRAFT status does not have a link, only the SUPERSEDES does @Weltraumschaf (#1638)
- Multiple minor fixes @rseedorff (#1627)
- Add missing supported platforms (CPU Architectures, e.g. `amd64` or `arm64`) for Scanners to their helm charts and their documentation pages. @snoopy-cat (#1739)
📌 Dependencies
- Bump cacheable-request and @kubernetes/client-node in /hooks/cascading-scans/hook @dependabot (#1593, #1594, #1595, #1592)
- Bump github.com/emicklei/go-restful to 2.16.0+incompatible @dependabot (#1584, #1585, #1586)
- Bump golang.org/x/crypto to 0.1.0 @dependabot (#1620)
- Bump golang.org/x/net 0.7.0 @dependabot (#1618, #1621, #1619)
- Bump golang.org/x/text 0.3.8 @dependabot (#1609, #1608, #1611)
- Bump http-cache-semantics from 4.1.0 to 4.1.1 @dependabot (#1575, #1576, #1573, #1574)
- Bump json5 to 2.2.3 @dependabot (#1531, #1533, #1535, #1534, #1536, #1537, #1538, #1532, #1530, #1539, #1540, #1543)
- Bump luxon from 2.0.2 to 2.5.2 in /hooks/persistence-elastic/hook @dependabot (#1542, #1688, #1686, #1682)
- Upgrade @kubernetes/client-node from 0.17.1 to 0.18.1 @snyk-bot (#1550, #1529, #1547, #1597, #1589, #1604)
- Upgrade ajv from 8.11.2 to 8.12.0 @snyk-bot (#1560)
- Upgrade axios to 1.4.0 @snyk-bot (#1524)
- Upgrade axios from 1.1.2 to 1.2.0 @snyk-bot (#1523, #1508, #1556, #1562, #1564, #1582, #1588, #1606, #1601, #1603, #1610, #1635, #1623, #1624, #1630, #1633, #1650, #1647, #1651, #1711, #1705, #1707, #1720, #1723, #1724, #1732, #1727, #1736)
- Upgrade ws from 8.11.0 to 8.13.0 @snyk-bot (#1566, #1568, #1669, #1672)
- Upgrading jest to 29.3.1 @Ilyesbdlala (#1567)
Contributors
Thanks to all our contributors supporting this project 🤗
@Ilyesbdlala, @the-simmon, @Reet00, @sofi0071, @ManuelNeuer, @Weltraumschaf, @fphoer, @malexmave, @srburton, @snoopy-cat, @rseedorff and @J12934