Releases: DataDog/guarddog
Releases · DataDog/guarddog
v1.1.3
38105ae
This commit was signed with the committer’s verified signature.
christophetd
Christophe Tafani-Dereeper
What's Changed
Bug fixes:
- Fix integrity rule crash when a project does not have a homepage URL set (#190) by @christophetd in #199
- Fix 'potentially_compromised_email_domain' behavior when a package on… by @christophetd in #198
Chores:
- Bump colorama from 0.4.5 to 0.4.6 by @dependabot in #193
- Bump flake8 from 5.0.4 to 6.0.0 by @dependabot in #196
- Bump pytest from 7.2.1 to 7.2.2 by @dependabot in #192
- Bump tqdm from 4.64.0 to 4.65.0 by @dependabot in #194
- Bump pathspec from 0.9.0 to 0.11.0 by @dependabot in #195
Full Changelog: v1.1.2...v1.1.3
Contributors
christophetd and dependabot
Assets 2
v1.1.2
4ae5645
This commit was signed with the committer’s verified signature.
christophetd
Christophe Tafani-Dereeper
What's Changed
Bug fixes:
- Fix JSON output (#188)
Chores:
- Bump python-dotenv from 0.20.0 to 1.0.0 by @dependabot in #184
- Bump setuptools from 67.3.2 to 67.4.0 by @dependabot in #185
- Bump charset-normalizer from 2.1.0 to 2.1.1 by @dependabot in #181
- Bump wcmatch from 8.4 to 8.4.1 by @dependabot in #183
Full Changelog: v1.1.1...v1.1.2
Contributors
dependabot
Assets 2
v1.1.1
What's Changed
Enhancements:
- Catch code execution through exec(...(zlib.decompress(xxx)) by @christophetd in #164
- Remove incorrect double quotes from semgrep rule for code-execution (closes #178) by @christophetd in #179
Bug fixes:
- Fix duplicate bug in NPM typosquatting algorithm (fixes #131) by @christophetd in #165
- Consider 'guarddog xxx scan .' a local target (fixes #175) by @christophetd in #176
Chores:
- Bump setup-python versions and remove unused files by @christophetd in #167
- Bump setuptools from 65.7.0 to 67.3.2 by @dependabot in #173
- Bump urllib3 from 1.26.11 to 1.26.14 by @dependabot in #171
- Bump mypy-extensions from 0.4.3 to 1.0.0 by @dependabot in #172
Full Changelog: v1.1.0...v1.1.1
Contributors
christophetd and dependabot
Assets 2
v1.1.0
What's Changed
New features:
- Create new heuristic to identify PyPI packages with a single Python file (closes #160) by @christophetd in #162
Enhancements:
- Catch dynamic execution of base64-encoded code through
__import__(fixes #157) by @christophetd in #158
Bug fixes:
- Don't run Semgrep when no sourcecode rule should be run (fixes #161) by @christophetd in #163
- Fix package extraction for namespaced npm packages (fixes #155) by @christophetd in #156
Chores:
- Bump click-option-group from 0.5.3 to 0.5.5 by @dependabot in #152
- Bump docker from 6.0.0b1 to 6.0.1 by @dependabot in #149
- Bump idna from 3.3 to 3.4 by @dependabot in #151
- Bump platformdirs from 2.5.2 to 3.0.0 by @dependabot in #150
- Sync requirements.txt by @christophetd in #154
Full Changelog: v1.0.2...v1.1.0
Contributors
christophetd and dependabot
Assets 2
v1.0.2
What's Changed
Bug fixes:
- Fixed a bug where a local target could be considered a remote one by mistake (e.g.
guarddog pypi scan ../foo) (#147)
Full Changelog: v1.0.1...v1.0.2
v1.0.1
What's Changed
Bug fixes:
- Fix a bug where a remote target could be considered a local one by mistake (#144)
Chores:
- Bump ujson from 5.4.0 to 5.7.0 by @dependabot in #143
- Bump jsonschema from 4.9.1 to 4.17.3 by @dependabot in #142
- Bump websocket-client from 1.3.3 to 1.5.1 by @dependabot in #141
- Bump requests from 2.28.1 to 2.28.2 by @dependabot in #140
- Bump pathos from 0.2.9 to 0.3.0 by @dependabot in #139
Full Changelog: v1.0.0...v1.0.1
Contributors
dependabot
Assets 2
v1.0.0
This is a new major version with breaking changes.
What's Changed
Breaking changes:
- The commands
guarddog scanandguarddog verifyhave been deprecated and will be removed in an upcoming version. Useguarddog pypi scanandguarddog pypi verifyinstead
New features:
- Added support for scanning npm packages (
guarddog npm scan) and package.json (guarddog npm verify) - Support SARIF output to allow for easy use with GitHub Code Scanning
- Added commands
guarddog pypi list-rulesandguarddog npm list-rules - Support verbose debugging output through
guarddog --log-level debug ...
New heuristics:
- New Python heuristic
silent-process-executionto identify packages silently executing processes, similar to the Pytorch attack - New PyPI metadata heuristic:
repository_integrity_mismatchcompares the contents of a package on PyPI with its contents on GitHub, and flags packages that have extraneous or modified files not reflected on GitHub - New npm heuristic: typosquatting
- New npm heuristic: detecting silent process execution
- New npm heuristic: detecting post and pre-install hooks
- New npm heuristic: detecting when a npm package serializes
process.env
Cosmetics:
- GuardDog now has an official logo!
- README heuristics documentation is now automatically generated and injected in the README
Minor changes:
- chores: Bump certify version to fix GHSA-43fp-rhv2-5gv8
Full Changelog: v0.1.10...v1.0.0
v0.1.10
What's Changed
- Add pre-commit hooks configuration for local development by @christophetd in #107
- Fixing False Positives and Duplicate Errors in the Typosquatting Algorithm by @QuinceyJames in #108
New Contributors
- @QuinceyJames made their first contribution in #108
Full Changelog: v0.1.9...v0.1.10
Contributors
christophetd and QuinceyJames
Assets 2
v0.1.9
What's Changed
- Bug fix: scanning zip packages by @christophetd in #105
- Heuristic: identify usage of globals and import (closes #62) by @christophetd in #106
Full Changelog: v0.1.8...v0.1.9
Contributors
christophetd
Assets 2
v0.1.8
What's Changed
- Add python version pin for pyproject.toml and update README by @zmallen in #94
- pyproject.toml: Add repository url by @materro in #97
- Add Type checking and enforce lint by @vdeturckheim in #98
- Add Semgrep rule and run custom Semgrep rules in CI for SAST by @christophetd in #102
New Contributors
Full Changelog: v0.1.7...v0.1.8
Contributors
christophetd, zmallen, and 2 other contributors