Releases: Bearer/bearer

v1.0.0

06 Mar 17:22
77d701d

Highlights

  • Further OWASP Top 10 coverage on both Ruby and JavaScript.
  • Reworked severity calculation; see the documentation for more details.
  • Summary report renamed to Security report (#682)
  • Secret scanning separated from security scanning with --scanner flag #679

Changelog

  • af4650a chore(deps): bump github.com/go-enry/go-enry/v2 from 2.8.3 to 2.8.4 (#731)
  • 1cdc390 chore(deps): bump golang.org/x/mod from 0.8.0 to 0.9.0 (#733)
  • 0dd817f chore(deps): update dependencies (#740)
  • 8308b5c chore(rule): yank dangerous_insert_html (#745)
  • a625c5a feat(JS rules): add insecure CORS rule for express (#707)
  • 8fe75d7 feat(JS rules): Add CWE 916 weak password encryption (#689)
  • e6a6246 feat(JS rules): Add more rules for hardcoded JWT secrets (#705)
  • fc4e698 feat(JS rules): Extend expressjs insecure cookie rule (#696)
  • b642439 feat(JS rules): add AWS dynamodb query injection (#664)
  • ff9c4d9 feat(JS rules): add CWE to JS insecure cookie (#687)
  • 0d94455 feat(JS rules): add CWE-525 bad caching policy for expressjs JWT not revoked (#695)
  • f4ae336 feat(JS rules): add CWE-94 AWS Lambda code injection (#726)
  • 004d2f9 feat(JS rules): add expressjs rule for missing HTTPS protocol (#715)
  • 85650e1 feat(JS rules): add open redirect rule (#713)
  • 7a4fe5c feat(JS rules): add template render rule patterns for express js (#712)
  • 747bbf5 feat(JS rules): extend expressjs cookie rule (#700)
  • 7658ca0 feat(express rule): detect missing usage within same file (#711)
  • 4c80de7 feat(javascript rule): add dom purify lib (#721)
  • f77ca4e feat(javascript rule): add support for react's dangerouslySetInnerHTML (#688)
  • 72e7f07 feat(javascript rule): dangerous javascript html inserts (#693)
  • 11a1ba7 feat(js rule): enrich js axios rule (#686)
  • 28d99ed feat(ruby rules): add rails rule for http verb confusion (#683)
  • bd7bc3e feat(ruby rules): add rails rule for permissive regex validation (#723)
  • c43f1a5 feat(ruby rules): add rails send_file to path rule (#709)
  • 7222310 feat(ruby rules): rails rule for render using user input (#725)
  • bf75b4e feat(ruby rules): rule for hardcoded secret (#699)
  • b479804 feat(ruby rules): rule for reflection using user input (#710)
  • 84ebfd9 feat(ruby rules): rule for regex using user input (#694)
  • d7d784e feat: Separate secrets scanning and sast (#690)
  • 97e8e40 feat: add jsonlines (#742)
  • c011a71 feat: enrich dangerous insert html (#697)
  • 86cdb46 feat: optimize report saving (#729)
  • e8b8250 feat: rename summary report to security report (#684)
  • b81e2c7 feat: simplify PDS key (#724)
  • a68bd4f feat: update rules default severity (#730)
  • 383492f fix(JS rules): make express eval rule stricter (#714)
  • 3b65905 fix(JS tests): fix outdated testdata (#722)
  • 9823386 fix(docs): broken links (#702)
  • ada10d7 fix(ruby rules): set correct match node in hard coded secret rule (#708)
  • 422989d fix(rules): Update missing rule documentation (#748)
  • 77d701d fix(rules): special case warning severity (#749)
  • 962e330 fix(security report): hide progress bar for built-in rules (#706)
  • 08f8a15 fix: clean up superfluous YAML attributes in rules (#741)
  • d48862a fix: ignore empty string literals (#720)

v0.26.0

28 Feb 15:58
1ca0ad5

Highlights

  • Further OWASP Top 10 coverage on both Ruby and JavaScript
  • Fixed some false positives, notably #673 and #675

Changelog

  • b978e90 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.204 to 1.44.209 (#669)
  • 44cad85 chore(deps): bump github.com/open-policy-agent/opa from 0.49.0 to 0.49.2 (#668)
  • cb33381 chore(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#670)
  • 84fd36b chore(deps): bump github.com/weppos/publicsuffix-go from 0.20.0 to 0.30.0 (#671)
  • ee20cb9 chore(deps): bump github.com/zricethezav/gitleaks/v8 from 8.15.3 to 8.16.0 (#672)
  • 8bbf6bc chore: fix open redirect snapshot (#653)
  • 92ef2f9 docs(action): update links and version of github action (#677)
  • 5031541 docs(fix): readme broken link (#681)
  • 4efef6b docs(rename): readme updates (#620)
  • b0adc93 docs(update): Updating documentation (#663)
  • a8606c4 feat(JS rules): Add CWE 89 SQL injection rule for AWS lambda (#655)
  • b49b54a feat(JS rules): add CWE-78 AWS OS command injection (#661)
  • 83b946d feat(JS rules): add express rule for UI redress / clickjacking (#651)
  • c0d3f29 feat(JS rules): express sendFile with request data (#622)
  • 8f94547 feat(javascript rule): hardcoded string support (#678)
  • f018419 feat(ruby rule): add rails render to path rule (#656)
  • 850933a feat(ruby rule): add rule for exec using user input (#654)
  • e1d0859 feat: add js express knex sqli rule (#662)
  • fb746ef feat: add rule for dangerous eval (#658)
  • e98d439 feat: enrich eval user input rule (#667)
  • 8c341ce feat: rails rule for insecure disabling callback (#657)
  • ab95571 feat: update JS express rule descriptions (#660)
  • 79bfd05 fix(rules): check languages in data types for missing encryption (#675)
  • 3b78b05 fix(summary): fix display for summary (#680)
  • 1ca0ad5 fix: fix false positives on req detection (#673)

v0.25.0

24 Feb 15:21
7e28dbe

Highlights

  • We now support Algolia, Airbrake, Bugsnag, Open Telemetry, New Relic, and Segment on JavaScript
  • We now support ClickHouse and Google Analytics on Ruby
  • We increased our OWASP Top 10 coverage on both Ruby and JavaScript
  • Project is renamed from Curio to Bearer
  • We removed DSR (our own identifier scheme) in favour of standard CWE identifiers.

Changelog

  • f858b18 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.181 to 1.44.199 (#558)
  • af614f5 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.199 to 1.44.204 (#614)
  • 6b557e4 chore(deps): bump github.com/open-policy-agent/opa from 0.48.0 to 0.49.0 (#559)
  • eb34366 chore(deps): bump golang.org/x/mod from 0.7.0 to 0.8.0 (#561)
  • 2a74803 chore(deps): bump golang.org/x/net from 0.2.0 to 0.7.0 in /battle_tests/quickstart (#612)
  • b04fdd4 chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 (#613)
  • d7a80d0 chore(deps): bump golang.org/x/oauth2 from 0.4.0 to 0.5.0 (#560)
  • e88963b chore(deps): bump google.golang.org/api from 0.109.0 to 0.110.0 (#615)
  • acee9e2 chore(rename): codebase packages (#625)
  • 87dedd6 chore(rename): curio to bearer banner (#609)
  • 0561a77 chore(rename): vars, urls and arguments (#628)
  • 528dd0b chore: redo rules tests (#603)
  • 457310c chore: remove dataflow tests (#589)
  • bcee4fe chore: update rule descriptions (#638)
  • 5f64daa ci(battletest): fix json marshaling (#555)
  • 7454623 ci(battletest): run summary output in all cases (#585)
  • 3e63dc2 ci(goreleaser): update deprecated argument (#610)
  • e226b87 docs(fix): Update remediation messages for js/ruby rules (#556)
  • 64173bc docs(fix): resolve incomplete sitemap bug (#571)
  • f774f10 docs(rename): Update doc site branding/colours (#635)
  • 10388d2 docs(rename): change name curio to bearer (#611)
  • c50c2cf docs(rename): let people know doc may be outdated (#616)
  • b98110a docs(rename): update site logo (#631)
  • 198eb3a docs(rule): rename rules (#627)
  • 1c050d4 feat(JS rules): add CWE 548 for JS express (#617)
  • c7ce0f9 feat(JS rules): add CWE 601 for express (Open Redirect) (#641)
  • 9878f93 feat(JS rules): add check for no-entity flag in libXML calls (#619)
  • 65c1f69 feat(JS rules): add express rule against server side request forgery (#636)
  • 57f5d02 feat(JS rules): add express rule around unsafe deserialization (#630)
  • 15b5b30 feat(JS rules): add express rule for insecure reference resolution (#634)
  • c286ad0 feat(JS rules): add express rule for sql injection (#648)
  • 7ef4369 feat(JS rules): add rule for express cross-site scripting (#643)
  • 1725cf5 feat(JS rules): express.js path traversal (#645)
  • 0625cae feat(JS rules): extend CWE-611 for express (#640)
  • f1d5475 feat(js rules): add Algolia (#574)
  • e4cb525 feat(js rules): add airbrake rule (#598)
  • e03bab8 feat(js rules): add bugsnag rule (#593)
  • 4f9b217 feat(js rules): add open telemetry rule (#597)
  • 782ff6e feat(js rules): add rule for new relic (#578)
  • 24a9cba feat(js rules): add segment rule (#582)
  • 495232e feat(ruby rules): add ClickHouse (#568)
  • 566ac52 feat(ruby rules): add google analytics (#564)
  • eaaed72 feat(ruby rules): add ruby google dataflow rule (#553)
  • 7e28dbe feat(summary): condense rule list and show CWE (#647)
  • 45eadee feat: add "not" and regex filters (#575)
  • 31a30e5 feat: add CWE ids to newer JS rules (#602)
  • bed26f3 feat: add datadog browser rule (#581)
  • 9e4f531 feat: add datadog(hot-shots) rule (#576)
  • 53e7fe4 feat: add elasticsearch (#580)
  • c9b815d feat: add google analytics rule (#566)
  • b947c2c feat: add honeybadger js rule (#596)
  • e71b235 feat: add javascript react google analytics rule (#567)
  • bb06b74 feat: add javascript rule for google tag manager (#554)
  • 02c751a feat: add jwt weak encryption (#652)
  • fa8c122 feat: add rails open redirect rule (#649)
  • ecebb04 feat: add rollbar (#595)
  • 82092fa feat: insecure http password and weak encryption (#632)
  • e4fc9ba feat: javascript http insecure rule (#551)
  • e23dbcc feat: jwt hardcoded secret (#650)
  • cf86bff feat: log when loading rules (#599)
  • efb1037 feat: optimise compilation time (#618)
  • e7ddfd7 feat: ruby BigQuery rule (#563)
  • bef4292 feat: ruby CWE-502 deserialization of user input (#583)
  • 3214c9a feat: ruby rule for CWE-94 eval using user input (#587)
  • d49bf1b feat: ruby rule for ftp using user input (#626)
  • f9ce066 feat: ruby rule for path using user input (#624)
  • cd0eb22 feat: ruby rule for session key using user input (#590)
  • af8a13f feat: ruby rule for user input in http url (#646)
  • a8041cd feat: rules e2e (#621)
  • 9309dbc fix: fix algolia JS client patterns (#586)
  • a93c1c4 fix: fix algolia integration test (#579)
  • 0e26e2d fix: fix severity and remove DSW for JS insecure XML ref rule (#623)
  • 9c79e95 fix: flow and nested detections (#572)
  • 4e941b9 fix: ruby file generation (#565)

v0.24.0

13 Feb 11:42
f050c4f

Highlights

  • JavaScript alpha support: we are releasing the base work to support JavaScript. We will add more rules and fine-tune the results in the coming weeks.

  • Curio Privacy Report: a generic compliance-oriented report to help engineering teams fulfill the requirements from security and legal regarding GDPR, CCPA, HIPAA, and various other privacy laws and regulations

  • New logger support for Ruby: #366

    • Bugsnag
    • Honeybadger
    • Rollbar
    • Airbrake
    • Scout APM
    • Open Telemetry
  • New Analytics Environment Support #459

    • Algolia
    • Elasticsearch
    • Segment
  • We are introducing "Warning" for less critical rules that shouldn't break CI/CD.

Changelog

  • 7d2ba8e chore(deps): bump docker/build-push-action from 3 to 4 (#496)
  • 16a5395 chore(deps): bump github.com/fatih/color from 1.14.0 to 1.14.1 (#465)
  • 7f6646d chore(deps): bump github.com/go-git/go-billy/v5 from 5.4.0 to 5.4.1 (#495)
  • f2bc4d6 chore(deps): bump google.golang.org/api from 0.108.0 to 0.109.0 (#497)
  • faa5b94 chore: Run Ruby-only policies scan as part of battle testing (#391)
  • 5c0b2b8 chore: clean up (#475)
  • 63a61b2 chore: clean up common.rego (#530)
  • c312804 chore: clean up rules (#498)
  • f4eab08 chore: hardcode worker options and remove flags (#477)
  • e3e2df0 ci(battletest): collect summary output for javascript (#552)
  • 9e8ed9c ci(battletest): remove duplicates in JS repo list (#548)
  • 54c841b docs(feat): add 404 page (#523)
  • e289d29 docs(fix): change terminology on support page (#505)
  • f050c4f docs(issues): update template (#534)
  • 77b6a4d docs(privacy report): add privacy report and clean up reports docs (#494)
  • c7bf7d5 docs(readme): update Debian installation step (#550)
  • a55ff8c feat(classification): improve classification (#506)
  • e86b4c0 feat(privacy report): Add subject name to datatype (#468)
  • 52483c8 feat(privacy report): Subjects inventory (#472)
  • 601a81d feat(privacy report): Third party inventory report (#476)
  • 8fd0b5d feat(privacy report): merge subjects and third party reports (#488)
  • 1fea8d8 feat(privacy report): pass flag option for subject mapping override (#478)
  • 685179c feat(ruby rules): add third-party airbrake rule for notify methods (#514)
  • a4493e4 feat(rules): Add warning level to severity (#491)
  • e43255c feat(rules): add exception rule in ruby (#486)
  • 56858f2 feat(rules): add file_generation rule for JS (#546)
  • a5e8d74 feat(rules): add js rules for exceptions (#540)
  • 80ad701 feat(rules): add sentry rules (#526)
  • 2b68726 feat(summary report): Add flag for severity levels (#493)
  • 432bfc6 feat(summary): improve output and fix some display issues (#537)
  • e34ab52 feat: add bugsnag and honeybadger support (#509)
  • b4de9e4 feat: add javascript jwt support (#549)
  • 31c7c93 feat: add javascript support (#452)
  • 76ed30f feat: add more level for logger (#492)
  • 2f360bb feat: add ruby open telemetry rule (#520)
  • 5f9935f feat: add ruby rollbar rule (#515)
  • 2775636 feat: add ruby segment rule (#539)
  • 616e581 feat: cookie rule (#517)
  • d8aec7f feat: improve cookie rule (#521)
  • 8293485 feat: improve report summary (#513)
  • 456e82c feat: match equivalent ruby syntax (#474)
  • 3130734 feat: ruby algolia rule (#522)
  • 7a6de2e feat: ruby datadog rule (#516)
  • 3c659e9 feat: ruby elasticsearch rule (#535)
  • e683593 feat: ruby scout apm rule (#518)
  • cbbf298 feat: warn when cached data is used (#500)
  • 74b837a feat: weak encryption javascript (#525)
  • b62642f fix(docs): add remediation message for newrelic (#481)
  • d838b2f fix(privacy report): fix Rules Passed spacing (#507)
  • d17d919 fix: add mapping for rule severity to category (#538)
  • 2a9ce4c fix: consider severity flag for JSON and YAML format (#512)
  • e198667 fix: fix failure ordering (#536)
  • 9bd17e4 fix: improve ruby object detection (#542)
  • c6c7bf5 fix: remove mention of dataflow from launch copy (#531)
  • a83d7e7 fix: resolve homedir when loading external rules (#541)
  • a821e2f fix: use snakecase in privacy report (#511)

v0.23.0

06 Feb 12:47
e4ad4ef

Highlights

  • For clarity, we changed the term Policy to Rule. This implies changes in the CLI as well as in the output format.
  • New Relic support: Curio now detects sensitive data leaking in New Relic Loggers.

Changelog

  • 4f8719c chore(deps): bump github.com/fatih/color from 1.13.0 to 1.14.0 (#425)
  • 4dc7f53 chore(deps): bump github.com/open-policy-agent/opa from 0.47.4 to 0.48.0 (#396)
  • bd6a9a5 chore(deps): bump github.com/rs/zerolog from 1.28.0 to 1.29.0 (#464)
  • d8bec86 chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#426)
  • df52ab2 chore(deps): bump github.com/zricethezav/gitleaks/v8 from 8.15.2 to 8.15.3 (#427)
  • 8073ec0 chore(deps): bump google.golang.org/api from 0.106.0 to 0.107.0 (#397)
  • a83b763 chore(deps): bump google.golang.org/api from 0.107.0 to 0.108.0 (#428)
  • 9af4c12 docs(chore): update cli output file (#453)
  • e4ad4ef feat: add new relic rules and improve sentry rules (#471)
  • 1d74d73 feat: detect at match node rather than root node (#466)
  • 5f36760 feat: don't allow match node to expand to argument list (#458)
  • 0b7157c feat: test framework for new detectors (#461)
  • df77f19 fix(rules): move ftp rule to ruby lang folder (#470)
  • dcafc29 fix: continue when file stat fails (#395)
  • 364b99c fix: fix blowfish pattern (#460)
  • e2e7d81 fix: fix rails encryption rule and reconciliation (#463)
  • e711773 refactor: architecture (#308)

v0.22.0

13 Jan 14:55
f83f735

Changelog

  • 1913f8e chore(deps): bump docker/setup-qemu-action from 1 to 2 (#323)
  • 52fee1e chore(deps): bump github.com/go-git/go-git/v5 from 5.5.1 to 5.5.2 (#342)
  • 6e9de91 chore(deps): bump github.com/open-policy-agent/opa from 0.47.3 to 0.47.4 (#324)
  • 005343d chore(deps): bump github.com/schollz/progressbar/v3 from 3.12.2 to 3.13.0 (#340)
  • 210a550 chore(deps): bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 (#339)
  • b09fc30 chore(deps): bump google.golang.org/api from 0.105.0 to 0.106.0 (#341)
  • 82b89a6 chore(deps): bump liquidjs and @11ty/eleventy in /docs (#315)
  • a5ff604 chore(deps): bump luxon from 3.1.1 to 3.2.1 in /docs (#351)
  • d70efdf chore: Update dependabot.yml (#347)
  • d09331a chore: debug brew publish
  • b479ae0 ci: add discord announce to goreleaser config (#386)
  • f83f735 ci: add docker login (#394)
  • f421b2b ci: add missing env for ghcr (#392)
  • 2087e63 ci: add missing login for ghcr (#390)
  • 0413c58 ci: go releaser refactor (#355)
  • fcaad31 doc(readme): update typo
  • 795d07e feat(doc): Update message for policy with detailed context (#356)
  • cc92f9d feat(doc): improve message when report dataflow is suggested (#373)
  • 1d92154 feat(policies): Add support for secret leaks (#350)
  • fd7aeb8 feat(recipes): add exclusion patterns when wildcard is used (#372)
  • b926704 feat: Extend Ruby file custom detector to cover IO.open (#325)
  • bdaf5fd feat: Support installation via the most common Linux package managers (#338)
  • 1c23f93 feat: add curio ascii logo using ansi escape codes (#376)
  • 2d63f2b feat: add dirs for loading custom detectors and policies (#322)
  • bab0ef6 feat: enhance policy report for detailed context (#357)
  • 474e064 fix: Do not report leakage policy breaches for unique identifiers (#326)
  • 4eacf08 fix: Do not report policy breaches for encrypted Rails cookies (#333)
  • 4b6a260 fix: Hide --workers CLI option and configuration file key (#327)
  • 554a73e fix: Only reuse cached detections if the cached run completed (#348)
  • e22109c fix: validate policy display IDs in policy options (#345)

Release v0.21.1

23 Dec 14:36
ce4730b

Full Changelog: v0.21.0...v0.21.1

Release v0.21.0

23 Dec 11:19
1c0218d

Full Changelog: v0.20.1...v0.21.0

v0.20.1

21 Dec 15:52
bf3b905

Full Changelog: v0.19.0...v0.20.1

Release v0.19.0

15 Dec 17:25
b1bbbdc

What's Changed

  • docs: update policy names, descriptions, doc output, and fix IDs by @markmichon in #251
  • fix: update policy link by @elsapet in #255
  • fix: Disable policy report entirely unless Ruby language detected by @spdawson in #262
  • fix(policies): Update severity for CR-021 by @elsapet in #261
  • feat: run integration tests with binary by @vjerci in #250
  • feat(scan): cache and reuse the latest report to produce the dataflow… by @cfabianski in #243
  • feat: Add external service count to policies report placeholder output by @spdawson in #259
  • fix: fix bad flag examples by @elsapet in #263
  • fix(policies): Expand encryption detectors by @elsapet in #264

Full Changelog: v0.18.0...v0.19.0