v0.19.1

What's Changed

• Fixed Not working exclude_techs by @hahwul
• Fixed Noir docker image latest version error by @Nameisjohn247, @hahwul
• Fixed Unhandled exception (JSON::ParseException) in AI Integration by @schniggie, @ksg97031
• Enhancing Accuracy of LLM Integration by @ksg97031

Note

The base image has been officially changed from Alpine to Debian. This decision was prompted by issues related to Crystal and ARM. For general use, this change should not cause any problems; however, if you are building additional images based on the Noir image, there may be impacts at the package level. While this change could introduce some issues, we believe it is a better choice in the long term. Once Alpine becomes ready in the future, we will provide it as a separate image tag.

Full Changelog: v0.19.0...v0.19.1

v0.19.0

What's Changed

• ✨ New Features
  • AI Integration: Introduced AI-based functionality with AI Analyzer and LLM integration.
  • New Analyzers Added:
    • ZAP Site Tree Analyzer for enhanced site tree analysis.
• 🔧 Improvements
  • Detector & Analyzer Enhancements:
    • Improved support for JavaScript Express and JavaScript Restify frameworks.
  • Logger Improvements: Enhanced logging capabilities for better debugging and traceability.
  • CLI Enhancements:
    • Improved --build-info flag to provide more detailed build information.
  • Performance Optimization:
    • Enhanced concurrency for Detectors, Analyzers, and Delivery Pipelines, improving overall performance.
  • Code Quality: Refactored and optimized codebase for better maintainability.
  • Documentation:
    • Upgraded Ruby version.
    • Improved clarity and structure of documentation.
    • Added documents for new features.
• 🐛 Bug Fixes
  • Resolved various bugs to enhance stability and functionality. (#478, #503, #504)
• 🛠 Other Updates
  • Dockerfile: Updated with metadata labels to improve container usability and traceability.

Special Thanks

We would like to extend our deepest gratitude to everyone who contributed to this release. Your efforts have been instrumental in making this update a success!

• @ksg97031 (co-lead): For your relentless effort in resolving numerous issues and propelling the project forward.
• @Nameisjohn247: For your insightful ideas and contributions that were instrumental in shaping this release.

Your dedication and collaboration are what make this project thrive. Thank you! ❤️

---

Full Changelog: v0.18.3...v0.19.0

v0.18.3

What's Changed

• Fix URL Path Handling Issues in Django and Spring Analyzers by @ksg97031 in #450
• Add completion:check Rake Task by @hahwul in #451
• Enhance deadlinks workflow by @hahwul in #452
• Fix documentation link for output formats in basic.md by @hahwul in #454
• Fix: Improve Java lexer and endpoint parsing to resolve crashes and newline issues by @ksg97031 in #455
• Update community articles and add DAST pipeline documentation by @hahwul in #457
• Enhance technology listing (--list-techs) output formatting and hierarchy by @hahwul in #460
• Prevent duplicate URL printing in output by @hahwul in #461

Full Changelog: v0.18.2...v0.18.3

v0.18.2

What's Changed

• Improve URL normalization to NoirRunner by @hahwul in #445
• Update shell completion (Add to missing flags) by @hahwul in #447
• Improve --no-log flag by @hahwul in #448

Full Changelog: v0.18.1...v0.18.2

v0.18.1

What's Changed

• Refactor config initializer and options parser by @hahwul in #441
• Fixed-440 by @hahwul in #442

Full Changelog: v0.18.0...v0.18.1

v0.18.0

What's Changed

New Features:

• Implement Passive Scan (flags: -P --passive-scan and --passive-scan-path)
• Introduce the following flags: --status-codes and --exclude-codes

Improvements:

• Introduce a new detector and analyzer: ActixWeb (Rust)
• Add a path parameter to an endpoint
• Enhance performance
• Enhance shell completion
  • Integrate fish shell completion
  • Enhance completion for homebrew

Code Refactoring and Enhancement:

• Modularize codes
• Re-Design NoirOptions
• Enhance unit tests
• Update dependencies

Documentation

• Enhance documents

Full Changelog: v0.17.0...v0.18.0

v0.17.0

What's Changed

• Enhanced output formats for improved readability.
• Improved diff mode functionality.
• Added new output format option (-only-tag).
• We open documentation site and Expanded and updated documentation.
• Continuous Integration (CI) updates.
• Enhanced logging and application log features.
• Improved unit test code coverage and quality.
• Upgraded analyzer with new features:
  • Java Spring: Added parsing logic for application.properties files.
• Code refactoring for better performance and maintainability.
• Security Issue
  • Re-builded snapcraft package for fix to https://ubuntu.com/security/notices/USN-6937-1/

Full Changelog: v0.16.1...v0.17.0

Enhanced output formats

We've made significant changes to the default output format to enhance readability, and we believe we've achieved that goal. We'll continue to research and make improvements as we go forward!

Documentation

https://owasp-noir.github.io/noir/introduction/

Noir now has an official documentation page. Currently, it focuses on basic usage, but we plan to expand it to include tips and other content. Contributions to the documentation are always welcome.

Add new flag —only-tag

You can now gather only tags from Noir results, giving you insights into key risks and technologies used in the source code.

noir -b <TARGET> -T -f only-tag

# ....
# sqli
# oauth
# websocket

This feature helps you quickly identify the main risks and technologies in your code, improving efficiency in the initial analysis phase.

Next plan

Looking ahead, we're excited to announce our plans to expand the Tagger. We're aiming for a Rule(YAML)-based Passive Scan, and we've completed our internal discussions on its structure. Now it's time to build it. Stay tuned for v0.18.0! We also plan to improve MiniLexer and MiniParser.

Lastly, any contributions, from simple typo corrections to code modifications, are a great help in maintaining the project. We're open to all contributions, and Discussion and PRs are always welcome ♥️

cc @ksg97031

v0.16.1

What's Changed

• Fixed bug (#330)
  • Implement endpoint comparison logic in diff analysis
• Update documents (noir-cr to owasp-noir)

Full Changelog: v0.16.0...v0.16.1

v0.16.0

What's Changed

• Add Config Home directory
  • Noir now has a home directory under the user's Config directory (e.g., ~/.config/noir).
  • A config.yaml file is automatically created in this directory, allowing you to easily specify configurations that will be persistently applied.
  • Additionally, this directory will be used in the future to store rules for PassiveScan(Tagger).
  • You can change the config home directory by setting the NOIR_HOME environment variable.
• Improve Spring Kotlin Analyzers
  • The Kotlin Spring analyzer now supports parameter analysis similarly to the Java Spring analyzer.
• Add support for generating completions (zsh, bash)
• Add diff mode
• Dependencies Update and Fixed bugs, Improve codes
• Add new flags
  • --diff-path: Specify the path to compare with the base path (-b). The scan results of the base path and the specified path will be compared.
  • --build-info: Display build information, including versions of Crystal, LLVM, and other relevant components.
  • --generate-completion: Generate completion scripts for shells like zsh and bash.

Preview

Config Home

Diff Mode

Full Changelog: v0.15.1...v0.16.0

v0.15.1

What's Changed

• Enhanced performance and quality of the analyzer and minilexer, including unit tests.
• Added examples to the help message in CLI and improved formatting of usage
• Fixed bugs #293 and #298.

Full Changelog: v0.15.0...v0.15.1