Changelog
3.6 2024 Apr 09
Updated ruby rules
Updated JavaScript rules
Updated PHP rules
Updated suppression rules
Updated android rules
Updated dotnet rules
Updated nim rules
Added Kotlin rules
Updated golang rules
Updated python rules
Updated c rules
Updated xss rules
Updated sqli rules
Updated exec rules
Updated default rules
Updated fruit rules
3.5 2022 Dec 09
Added Eiffel rules (@bcoles)
Updated secret rules
Reduced false positives in php rules
Reduced false positives in nim rules
Added typescript rules
Fixed path issue in misc/gitscan
Bugfix for actionscript, asp and ios rules
Rule correctness adjustments to asp rules
Minor documentation updates
3.4 2022 Mar 01
Fixed a path issue in misc/taintfind.sh
Changed installation instructions for better usage
Added link to tutorial video in documentation
Updated PHP rules
Updated dotnet rules
Updated xss rules
Updated secrets rules
Added support for setting default arguments via env vars
Added test cases for environment variables
Fixed a bug in database listing function
Updated misc/phptaint.sh
3.3 2022 Jan 20
Fixed false positive rate in compressed js files
More secret rules
Restructured and updated classic asp rules
Updated fruit rules
Updated SQL rules
Updated spsqli rules
Updated ruby rules (@r3zk0n)
Updated android rules
Updated java rules
Updated dotnet rules
Fixed greediness in perl super global rules
Improved test case
Bug fixes for dotnet and sql rulesets
Added test case for bad quantifiers in rules
Changed test cases for consistency and portability
Rule set for auditing SCA exclusions
Updated ampscript rules
Added .github/ files for sponsorship/issues/pull requests
3.2 2021 Oct 29
Fixed a compatibility bug in misc/serializephp.sh
Updated PHP rules
Updated Java rules
Updated fruit rules
Updated secret rules
Updated default
Updated android rules (@r3zk0n)
Updated dotnet rules
Changed misc/gitlog.sh to an interactive format
Added *.map to files that are ignored unless -A is used
Fixed line endings in some rule files
Altered some error handling slightly
3.1 2021 Jun 21
Updated secret rules
Updated dotnet rules
Updated C rules
Updated Java and Mongoose rules (@IoannisMatzaris)
Added ~/graudit/signatures to database locations
Updated documentation (@Montycarlo)
3.0 2021 Apr 29
Fixed broken Java rule causing massive false positives
Additional PHP fruit rules
2.9 2021 Apr 09
Fix for GRDIR by @micharu123
Improved C fruit rules
Improved js fruit rules
Started python fruit rules
Updated documentation
Fixed typo in dotnet rules (@0x10f2c)
Reformatted parts of graudit for readability
misc/onlyfiles.sh filescanning with only files matching globs
2.8 2020 Oct 30
Updated Electron rules
Updated PHP rules
More scala rules and a scala signature set
Updated C rules
Updated Java rules
Updated fruit rules
Documentation tweaks
Improved error handling
Updated gitscan script
AMPscript and ssjs example rules
git log scanner example script
2.7 2020 Sep 23
Carriage return tolerance fixed for non GNU sed versions
Updated PHP rules
Updated C rules
Updated dotnet rules
Updated android rules
Added Electron rules
Additional PHP and secret rules from @beyefendi
2.6 2020 Jun 19
Fixed carriage return tolerance in graudit
Added basic scala rules
Updated Java rules
QoL tweaks to Nim rules
dotnet fruit rules
dotnet rules overhauled
Added more unit tests
Updated PHP rules
Improved PHP stream rules
Fixed bug for PHP stream rules
Fixed bug when listing databases in empty directories
2.5 2020 May 08
Default ruleset is now generated from languages
Retired rough rules
Cleaned up whitespace in files
Added misc to signature path
Added basic language support for Nim
Added language support for QB64
Fixed a mistake with C database from version 2.4
Tweaked fruit rules for C
Improved C rules
Updated secret detection rules
PHP rules added/updated, including PSR for HTTP
Improved JS and JS fruit rules
Added PoC rules for wordpress
Updated rules for Java
Updated Go rules
Updated Python rules
Fixed check-db.sh to work under WSL
Updated Makefile
Updated documentation
2.4 2020 Mar 28
Updated documentation
Seafruit.db removed (now in fruit.db)
Added low hanging fruit databases for several languages
Added basic support for Go language
Added basic support for COBOL (@_bcoles)
Fixed faulty rules in Python and Java (@quakehead, @l0ss)
Updated C rules
Updated PHP rules (FFI and more)
Updated Node rules
Reworked Makefile for signatures
2.3 2019 Oct 15
Added database for finding sensitive information (secrets)
C database no longer deprecated
Created low hanging fruit rules for C/C++ (seafruit.db)
Added more test cases to avoid some past mistakes
Updated make and make install rules to match new version changes
Removed the all rules database
Updated documentation
Improved bsdgrep/OSX support
Improved PHP rules for stream/wrapper bugs (ie: phar://) (@manasmbellani)
Added and updated python rules
More Java rules and cleanup of Java rules
More DotNet rules
More Android rules
More iOS rules
Added basic JavaScript rules
Added additional script to show C taint analysis (misc/b0ftaint.sh)
Added script for finding low hanging/high impact PHP bugs (misc/flatline.*)
Added script for using flatline rules in taint analysis (misc/vulntaint.sh)
Added script for scanning github repos with flatline (misc/gitscan)
Added script for finding interesting files and secrets (misc/graufflehog.sh)
2.2 2018 Dec 20
Added another demo script
Added signatures from OWASP code review guide
Various bugfixes and code quality updates
Renamed aux/ to misc/
Colour blind mode added
Updated documentation
More rule updates
2.1 2017 Apr 05
Fixed broken test cases
Added multi argument support to -x
Added banner
Added banner suppression switch
Replaced ./configure; make installation steps with make and variables (issue #9)
2.0 2016 Jan 25
Added option to include several common binary files (ignored by default) [-A flag]
Ignoring more binary files by default
Updated PHP rules
Updated Perl rules
Updated default rules
Updated dotnet rules
Updated and deprecating c rules
Added JSP taint checking PoC script to aux/
Added some basic ruby rules from @bcoles
Added ios rules (from Samuel Reed)
Added android rules (from Samuel Reed)
Added actionscript rules (from Samuel Reed)
Ruby reflection rules (from Samuel Reed)
Bugfix for graudit on Mac (from Samuel Reed)
Added java exceptions signatures (from Samuel Reed)
Jsp signatures more correctly represented as java.db
Added strings database to look for important text strings
Added aux script for finding suitable php files to use in unserialize() exploits
1.9 2011 Jan 11
Fixed php (php/xss.db) database which had a blank line at the end, causing everything to match. (Thx @jodymelbourne)
Added test case for blank lines in signature scripts
Added database validating aux script
Updated Makefile file manifest
Fixed bug in test script template (t/blank-test.sh)
1.8 2010 Dec 24 //Happy xmas edition!
-L operator does vim friendly line numbers
Man pages and documentation updates
PHP signature updates
JSP signature updates
Dotnet signature updates
Perl signature updates and bug fixes
Python signature updates
Bug fixes for aux/ scripts
More aux/ scripts
Fixed ignore CVS directories by default
1.7 2010 Jul 31
New PHP signatures
Improved C signatures for fewer false positives
Improved dotnet signatures
Whitespace neutrality for all signatures
-l operator lists available databases
-x operator for excluding files
configure script added to make chain
Makefile install targets changed, install is now server wide
1.6 2010 May 14
Bugfix for greedy separator code (thx to Chillman)
Imported C rules from RATS
Started test suite transition to the Junio C Hamano Git inspired one
Added case insensitive switch (thx to Chillman for patch)
Dotnet signatures (thx to Chillman again)
Discontinued the rough database
Added the combined database "all"
Support for the GRDIR environment variable
1.5 2009 December 06
New features for server wide install
Source distro file for package maintainers
Signature bug fixes
New php, python and perl signatures
Deprecating the rough signature set
Fixed graudit usage text
Improved documentation
Several color modes supported
1.4 2009 November 23
New and improved signatures
Graceful detection of grep version < 2.5.3
Preparing for version 1.5
1.3 2009 October 31
Some signatures added to existing databases
Signature improvements to existing databases
Added JSP ruleset
Added ASP ruleset
Improved testing
1.2 2009 September 18
Default signatures aimed at low hanging fruit
Improved documentation
Bug fixes to graudit and signatures
1.1 2009 July 29
Improved custom db options
Improved signatures for several languages
A few minor tweaks
1.0 2009 June 14
Initial release on github
Older versions
The initial concept is something I have used for a long time. I can't
quite remember when I decided to make it into a more structured
script, but here we are anyway.