Docker Images
A prebuilt multiplatform Docker image for this release is available for x86_64 and ARM64 architectures:
docker pull ghcr.io/praetorian-inc/noseyparker:v0.18.0
Additionally, a prebuilt Alpine-based image is also available for x86_64 and ARM64 architectures:
docker pull ghcr.io/praetorian-inc/noseyparker-alpine:v0.18.0
Additions
-
The README now includes several animated GIFs that demonstrate simple example use cases (#154).
-
The
reportcommand now offers a new--finding-status=STATUSfiltering option (#162). This option causes findings with an assigned status that does not matchSTATUSto be suppressed from the report. -
The
reportcommand now offers a new--min-score=SCOREfiltering option (#184). This option causes findings that have a mean score less thanSCOREto be suppressed from the report. This option is set by default with a value of 0.05. -
A new
datastore exportcommand has been added (#166). This command exports the essential content from a Nosey Parker datastore as a .tgz file that can be extracted wherever it is needed. -
New experimental
annotations exportandannotations importcommands have been added (#171). These commands allow annotations (finding comments, match comments, and match statuses) to be converted between JSON and datastore representations. -
New rules have been added:
-
Prebuilt releases now included separate debug symbols (.dSYM or .dwp files) (#191). Having the debug symbols available makes stack traces more useful in the rare event of a crash. The Alpine-based Docker image does not include these debug symbols, as its point of existing is to provide a small distribution.
-
The
summarizecommand now includes additional columns for the assigned finding status (#196).
Changes
-
The vendored copy of Boost included in the internal
vectorscan-syscrate has been removed in favor of using the system-provided Boost (#150 from @seqre). This change is only relevant to building Nosey Parker from source. -
The vendored copy of the Vectorscan regular expression library included in the internal
vectorscan-syscrate has been removed (#151 from @seqre). Instead, a copy of the Vectorscan 5.4.11 source tarball is included in this repository, and is extracted and patched during the build phase. -
SARIF reporting format is now listed as experimental.
-
In the
scanandrulescommand, the command-line option to load additional rules and rulesets from files has been renamed from--rulesto--rules-path. The old--rulesoption is still supported as an alias, but this is deprecated and will be removed in the v0.19 release. -
The
rules listcommand now includes additional fields when using JSON format (#161). -
The
vectorscanandvectorscan-syscrates have been split off into a separate project with crates published on crates.io (#168). -
The
scancommand is now more conservative in its default degree of parallelism (#174). Previously the default value was determined only by the number of available vCPUs. Now the default value is additionally limited to ensure at least 4 GiB of system RAM per job. -
The
scancommand now records its results incrementally to the datastore instead of in one enormous transaction (#189). Now, results are recorded in transactions about every second. This helps avoid complete loss of scan results in the rare event of a crash.
Fixes
-
A rare crash when parsing malformed Git commit timestamps has been fixed by updating the
gix-datedependency (#185). -
Upon
noseyparkerstartup, if resource limits cannot be adjusted, instead of crashing, a warning is printed and the process attempts to continue (#170). -
The prepackaged releases and binaries produced by the default settings of
cargo buildshould now be more portable across microarchitectures (#175). Previously, the builds would be tied to the microarchitecture of the build system; this would sometimes result in binaries that were not portable across machines, particularly on x86_64. -
The
--ignore-certscommand-line option is now a global option and can be specified anywhere on the command line.