Releases: adeptex/whispers
2.4.0
Whispers 2.4.0 release notes
- 💫 Remove Semgrep telemetry 💫
- Lazy-load parsers
- Severity levels reassignment
- Detection rule improvements
- URI credentials
- AWS Account ID
- Generalize default config
💫 Remove Semgrep telemetry 💫
It's a better world now that corporations build telemetry into every single piece of software... not really 😒... It was shocking to see telemetry packages installed as part of Whispers. But how did this happen?
As it turns out, Semgrep includes A LOT of code to support exfiltrating metadata and usage information from your machine. This Whispers release is largely dedicated to stripping out all unnecessary spyware garbage "required" by Semgrep. Apart from privacy, a nice side effect of this is that now Semgrep runs a lot faster when parsing ASTs! Win-win.
The following are 24 (out of 32.. wtf??) "required" Semgrep dependencies that are now excluded:
certifi==2024.8.30
charset-normalizer==3.3.2
Deprecated==1.2.14
googleapis-common-protos==1.65.0
idna==3.10
importlib_metadata==7.1.0
markdown-it-py==3.0.0
mdurl==0.1.2
opentelemetry-api==1.25.0
opentelemetry-exporter-otlp-proto-common==1.25.0
opentelemetry-exporter-otlp-proto-http==1.25.0
opentelemetry-instrumentation==0.46b0
opentelemetry-instrumentation-requests==0.46b0
opentelemetry-proto==1.25.0
opentelemetry-sdk==1.25.0
opentelemetry-semantic-conventions==0.46b0
opentelemetry-util-http==0.46b0
protobuf==4.25.5
Pygments==2.18.0
requests==2.32.3
rich==13.9.1
setuptools==75.1.0
urllib3==2.2.3
zipp==3.20.2
The confirmation of this great success can be seen in every `pip3 install whispers` log in the form of these amazing error messages:
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
semgrep 1.85.0 requires attrs>=21.3, which is not installed.
semgrep 1.85.0 requires boltons~=21.0, which is not installed.
semgrep 1.85.0 requires click-option-group~=0.5, which is not installed.
semgrep 1.85.0 requires colorama~=0.4.0, which is not installed.
semgrep 1.85.0 requires defusedxml~=0.7.1, which is not installed.
semgrep 1.85.0 requires exceptiongroup~=1.2.0, which is not installed.
semgrep 1.85.0 requires glom~=22.1, which is not installed.
semgrep 1.85.0 requires opentelemetry-api~=1.25.0, which is not installed.
semgrep 1.85.0 requires opentelemetry-exporter-otlp-proto-http~=1.25.0, which is not installed.
semgrep 1.85.0 requires opentelemetry-instrumentation-requests~=0.46b0, which is not installed.
semgrep 1.85.0 requires opentelemetry-sdk~=1.25.0, which is not installed.
semgrep 1.85.0 requires peewee~=3.14, which is not installed.
semgrep 1.85.0 requires ruamel.yaml<0.18,>=0.16.0, which is not installed.
semgrep 1.85.0 requires tomli~=2.0.1, which is not installed.
semgrep 1.85.0 requires wcmatch~=8.3, which is not installed.
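A practitioner who pins or vendors Whispers will want to confirm that none of the excluded telemetry dependencies were pulled into the environment by something else. The script below is an added example, not code from the Whispers project: it parses `name==version` pins in the format of the list above, normalises names the way pip does (so `Deprecated` and `importlib_metadata` compare equal to `deprecated` and `importlib-metadata`), and reports which of them are installed in the running interpreter. The pin subset embedded here is copied from the release notes; extend it with the full list as needed.

```python
"""Check an environment for the Semgrep telemetry dependencies that Whispers 2.4.0 no longer pulls in.

Added example, not part of the Whispers project. The pin list is copied from the
release notes; the installed-package list is read from the running interpreter.
"""
import re
from importlib.metadata import distributions

# Pins excluded by Whispers 2.4.0, as listed in the release notes (subset; extend as needed).
EXCLUDED_PINS = """
certifi==2024.8.30
Deprecated==1.2.14
importlib_metadata==7.1.0
opentelemetry-api==1.25.0
opentelemetry-exporter-otlp-proto-http==1.25.0
opentelemetry-instrumentation-requests==0.46b0
opentelemetry-sdk==1.25.0
requests==2.32.3
"""


def normalize(name: str) -> str:
    """PEP 503 normalisation: pip treats Deprecated/deprecated and
    importlib_metadata/importlib-metadata as the same project, so compare normalised names."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> dict[str, str]:
    """Turn 'name==version' lines into {normalised_name: version}; blank and comment lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        pins[normalize(name)] = version
    return pins


def find_present(installed: dict[str, str], excluded: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Return {name: (installed_version, excluded_pin)} for every excluded package that is installed."""
    return {name: (installed[name], pin) for name, pin in excluded.items() if name in installed}


def installed_distributions() -> dict[str, str]:
    """Snapshot of the current interpreter's installed distributions, keyed by normalised name."""
    snapshot = {}
    for dist in distributions():
        name = dist.metadata["Name"]
        if name:  # a broken .dist-info without a Name header is skipped rather than crashing the check
            snapshot[normalize(name)] = dist.version
    return snapshot


if __name__ == "__main__":
    hits = find_present(installed_distributions(), parse_pins(EXCLUDED_PINS))
    for name, (have, pin) in sorted(hits.items()):
        print(f"{name}: installed {have} (Whispers 2.4.0 dropped pin {pin})")
    if not hits:
        print("none of the excluded telemetry dependencies are installed")
```

A hit is not by itself a problem (another package may legitimately need `requests`), but for the `opentelemetry-*` entries it tells you that something other than Whispers is still shipping the exporter stack into the environment.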
❌ Breaking changes ❌
❌ Severity levels reassignment ❌
Adjusted rule severity levels to add structure. New severity levels are the following:
| Group | Rule ID | Severity Before | Severity Now |
|---|---|---|---|
| keys | aws-secret | Critical | Critical |
| keys | aws-token | Critical | Critical |
| keys | privatekey | High | Critical |
| keys | apikey-known | High | Critical |
| keys | apikey | Medium | High |
| keys | aws-id | Critical | Medium |
| keys | aws-account | Low | Low |
| keys | apikey-maybe | Low | Low |
| passwords | password | High | High |
| passwords | uri | High | High |
| infra | dockercfg | High | High |
| infra | npmrc | High | High |
| infra | pip | High | High |
| infra | pypirc | High | High |
| infra | htpasswd | Medium | Medium |
| misc | webhook | Low | Medium |
| misc | creditcard | Low | Low |
| misc | secret | Low | Low |
| misc | comment | Info | Info |
| files | file-known | Low | Low |
Changelog
| Date | Version | Release notes |
|---|---|---|
| 2021-12-07 | 2.0.0 | https://github.com/adeptex/whispers/releases/tag/2.0.0 |
| 2022-07-29 | 2.1.0 | https://github.com/adeptex/whispers/releases/tag/2.1.0 |
| 2023-10-23 | 2.2.0 | https://github.com/adeptex/whispers/releases/tag/2.2.0 |
| 2024-06-16 | 2.3.0 | https://github.com/adeptex/whispers/releases/tag/2.3.0 |
| 2024-10-05 | 2.4.0 | https://github.com/adeptex/whispers/releases/tag/2.4.0 |
2.3.1
Summary
- Improved detection rules
- Fixed detection bugs
- Added Terraform detection support
What's Changed
- Update isort requirement from ~=5.9 to ~=5.13 by @dependabot in #140
- Update flake8 requirement from ~=5.0 to ~=7.1 by @dependabot in #142
- Update autopep8 requirement from ~=1.7 to ~=2.3 by @dependabot in #143
- Update pytest requirement from ~=7.0 to ~=8.2 by @dependabot in #144
- Update pip-tools requirement from ~=6.2 to ~=7.4 by @dependabot in #141
- Update wheel requirement from ~=0.37 to ~=0.43 by @dependabot in #145
- Update twine requirement from ~=3.4 to ~=5.1 by @dependabot in #148
- Update autoflake requirement from ~=1.4 to ~=2.3 by @dependabot in #149
- Update coverage requirement from ~=4.5 to ~=7.5 by @dependabot in #147
- Update black requirement from ~=24.3 to ~=24.4 by @dependabot in #146
- Update build requirement from ~=1.0 to ~=1.2 by @dependabot in #151
- Update pytest-mock requirement from ~=3.6 to ~=3.14 by @dependabot in #153
- Bump semgrep from 1.68.0 to 1.76.0 by @dependabot in #150
- Update coverage-badge requirement from ~=1.0 to ~=1.1 by @dependabot in #152
- Update coverage requirement from ~=7.5 to ~=7.6 by @dependabot in #157
- Update pytest requirement from ~=8.2 to ~=8.3 by @dependabot in #159
- Bump jellyfish from 1.0.4 to 1.1.0 by @dependabot in #162
- Bump semgrep from 1.76.0 to 1.84.1 by @dependabot in #166
- Bump pyyaml from 6.0.1 to 6.0.2 by @dependabot in #167
- Update wheel requirement from ~=0.43 to ~=0.44 by @dependabot in #168
- Update black requirement from ~=24.4 to ~=24.8 by @dependabot in #169
- Bump lxml from 5.2.2 to 5.3.0 by @dependabot in #170
- Bump semgrep from 1.84.1 to 1.85.0 by @dependabot in #171
- 2.3.1 by @adeptex in #177
Full Changelog: 2.3.0...2.3.1
2.3.0
Whispers 2.3.0 release notes
- New Feature: 💫 Static Code Analysis 💫 is now supported!
  - The present release complements classic Whispers' structured text analysis with Semgrep's AST generator for common programming languages like Python, PHP, Java/Scala/Kotlin, JavaScript/TypeScript, Go, etc etc.
  - New argument `--ast` for enabling this feature via the CLI (it is disabled by default)
  - New setting `ast: true` for enabling this feature via a custom config file (set to `ast: false` by default)
  - Replaced `astroid` Python AST generator with `semgrep`
- Detection rule improvements
  - Known API keys
  - AWS account ID
  - Passwords
  - Creditcards
- Drop end-of-life Python support
  - Versions 3.6 and 3.7 are no longer supported. Oldest supported version is Python 3.8.
  - Last release that supports Python 3.6 and 3.7 is Whispers 2.2.1
- Dependency tracking improvements
  - New `requirements-dev.txt` file allows Dependabot updates for dev dependencies
  - Modified `setup.py` to read from `requirements.txt` and `requirements-dev.txt`
  - Updated build CI to use Python 3.12.3
- Debugging and troubleshooting
  - Modified `config.yml` to exclude known false positives
  - Fixed `Dockerfile` to work with `docker build -t whispers .` or the same `make image`
  - New arg `--dump` for generating an AST of a file: `whispers --dump src/example.ts`
💫 New Feature: Static Code Analysis 💫
With the release of Whispers 2.3, it is now possible to accurately apply Whispers' secret detection techniques for structured text to static code. Before this release, Whispers only supported structured text formats, such as JSON or XML. Semgrep is an open source SAST tool, which has a built-in feature for generating Abstract Syntax Trees (ASTs) for many common programming languages. Generating an AST for static code yields an accurate structured text representation, which can be checked for secrets with Whispers' rules and plugins. As such, generating ASTs requires an additional "format conversion" step, which naturally affects runtime speed. When AST is enabled it will take longer to scan the same scope if any source code files are present. The added runtime is however long it takes to run the following command on all static code files in scope:

```shell
semgrep scan --metrics=off --quiet --dump-ast --json --lang $LANG $SRCFILE
```

Consider the following benchmarks:

```shell
time whispers -F " " tests/fixtures
# 313 detected secrets
# 0,51s user 0,03s system 99% cpu 0,540 total
# 0,60s user 0,04s system 99% cpu 0,642 total

time whispers -a -F " " tests/fixtures
# 421 detected secrets
# 2,20s user 0,40s system 100% cpu 2,589 total
# 2,32s user 0,46s system 100% cpu 2,772 total
```

AST conversion is disabled by default - semgrep will not execute at all unless explicitly enabled. Custom config files that are missing `ast: false` or `ast: true` will default to false.

```yaml
ast: true # enable AST in config.yml
```

```shell
whispers --ast target/dir/or/file # enable AST in CLI
```

❌ Breaking changes ❌
❌ Replaced astroid with semgrep ❌
Before Whispers 2.3, only Python AST scanning was natively supported by astroid, and integrated via plugins/python.py. With the release of Whispers 2.3, this functionality is superseded by semgrep, and integrated via plugins/semgrep.py. As a baseline, the new semgrep plugin detects the same findings as the astroid plugin, but supports more programming languages.
Unfortunately semgrep has telemetry enabled by default, but it can be turned off via --metrics=off. In any case, semgrep will not execute unless explicitly enabled via args or config.
semgrep does not support Windows OS natively, and can only be installed through WSL. As such, the compiled Whispers PE32+ executable comes without Static Code Analysis support. Installing Whispers on Windows via WSL with pip3 install whispers does have Static Code Analysis support.
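To make concrete why an AST is a better detection surface than raw source text, here is an added example that is not code from Whispers, Semgrep or astroid. Whispers 2.3 obtains the tree from `semgrep --dump-ast`; this example uses Python's standard `ast` module instead, so it runs offline, and applies a small constructed key rule in the spirit of Whispers' `password`/`apikey` rules to every place the tree binds a name to a string literal (assignments, dict entries and default parameter values). The sample source and its credential values are constructed and fake; `SENSITIVE_KEY`, `literal_pairs` and `find_secrets` are names chosen here.

```python
"""Secret detection over a Python AST.

Added example, not code from Whispers or Semgrep. Whispers 2.3 hands source files to
`semgrep --dump-ast`; this example uses Python's `ast` module to show the same idea:
every binding becomes an explicit (key, value) pair that a key/value rule can be applied to,
and a value read from the environment is never a literal, so it cannot be a false positive.
"""
import ast
import re

# Constructed sample source; every value is fake and exists only for this demonstration.
SAMPLE_SOURCE = '''
import os

DB_PASSWORD = "hunter2-changeme"          # hard-coded credential: should be flagged
API_KEY = os.environ.get("API_KEY")       # read from env, not a literal: must not be flagged
timeout = "30"                            # string literal, but the key is not sensitive
config = {"aws_secret_access_key": "EXAMPLE-not-a-real-secret-0123456789"}
def connect(password="default-pw"):       # default parameter values are bindings too
    return password
'''

# Minimal key rule (constructed here) in the spirit of Whispers' password/apikey rules.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|api[_-]?key|token)", re.IGNORECASE)
MIN_VALUE_LENGTH = 8  # ignore very short literals such as "" or "x"


def _string(node) -> bool:
    """True when the node is a string literal."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def literal_pairs(tree: ast.AST):
    """Yield (key, value, line) for every binding of a name to a string literal in the tree."""
    for node in ast.walk(tree):
        if isinstance(node, (ast.Assign, ast.AnnAssign)) and _string(node.value):
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            for target in targets:
                if isinstance(target, ast.Name):
                    yield target.id, node.value.value, node.lineno
        elif isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if key is not None and _string(key) and _string(value):
                    yield key.value, value.value, value.lineno
        elif isinstance(node, ast.FunctionDef):
            # Defaults line up with the trailing positional parameters.
            positional = node.args.posonlyargs + node.args.args
            defaults = node.args.defaults
            for arg, default in zip(positional[len(positional) - len(defaults):], defaults):
                if _string(default):
                    yield arg.arg, default.value, default.lineno


def find_secrets(source: str) -> list[dict]:
    """Parse the source and return findings, ordered by line, for sensitive keys bound to literals."""
    findings = []
    for key, value, line in literal_pairs(ast.parse(source)):
        if SENSITIVE_KEY.search(key) and len(value) >= MIN_VALUE_LENGTH:
            findings.append({"key": key, "value": value, "line": line})
    return sorted(findings, key=lambda f: (f["line"], f["key"]))


if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['key']} = {finding['value']!r}")
```

The `API_KEY` line is the point of the exercise: a regex over raw text sees the word `API_KEY` next to a quoted string and fires, whereas the tree shows the bound value is a call, not a literal, so nothing is reported.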
Changelog
| Date | Version | Release notes |
|---|---|---|
| 2021-12-07 | 2.0.0 | https://github.com/adeptex/whispers/releases/tag/2.0.0 |
| 2022-07-29 | 2.1.0 | https://github.com/adeptex/whispers/releases/tag/2.1.0 |
| 2023-10-23 | 2.2.0 | https://github.com/adeptex/whispers/releases/tag/2.2.0 |
| 2024-06-16 | 2.3.0 | https://github.com/adeptex/whispers/releases/tag/2.3.0 |
What's Changed
- Bump lxml from 5.2.0 to 5.2.1 by @dependabot in #130
- 2.2.2 by @adeptex in #132
- Bump typing-extensions from 4.10.0 to 4.11.0 by @dependabot in #131
- 2.3.0 by @adeptex in #139
- Bump jellyfish from 1.0.3 to 1.0.4 by @dependabot in #136
- Bump lxml from 5.2.1 to 5.2.2 by @dependabot in #134
Full Changelog: 2.2.1...2.3.0
2.2.1
What's Changed
- Bump wrapt from 1.15.0 to 1.16.0 by @dependabot in #114
- Bump jellyfish from 1.0.1 to 1.0.3 by @dependabot in #115
- Bump typing-extensions from 4.8.0 to 4.9.0 by @dependabot in #116
- Bump astroid from 2.15.6 to 3.0.2 by @dependabot in #117
- Bump lazy-object-proxy from 1.9.0 to 1.10.0 by @dependabot in #118
- Bump lxml from 4.9.3 to 4.9.4 by @dependabot in #119
- Bump lxml from 4.9.4 to 5.0.0 by @dependabot in #120
- Bump lxml from 5.0.0 to 5.1.0 by @dependabot in #121
- Bump beautifulsoup4 from 4.12.2 to 4.12.3 by @dependabot in #122
- Bump astroid from 3.0.2 to 3.0.3 by @dependabot in #124
- Bump astroid from 3.0.3 to 3.1.0 by @dependabot in #126
- Bump typing-extensions from 4.9.0 to 4.10.0 by @dependabot in #125
- 2.2.1 by @adeptex in #123
- Bump lxml from 5.1.0 to 5.1.1 by @dependabot in #128
- Bump lxml from 5.1.1 to 5.2.0 by @dependabot in #129
Full Changelog: 2.2.0...2.2.1
2.2.0
Whispers 2.2.0 release notes
- License change
- Compatibility improvements
- Standardize severity levels
- Minor code refactor
- Detection improvements
- Add XML cases
- Add `apikey-maybe` rule
💫 Licensing changes (again) 💫
Version 2.1 was released under GNU General Public License v3.0, which is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users.
Version 2.2 is released under BSD 3-Clause License, which is a permissive license that prohibits others from using the name of the copyright holder or its contributors to promote derived products without written consent.
This change removes source code disclosure requirement 🕵️
❌ Breaking changes ❌
❌ Severity levels ❌
Severity level names have been adapted to a more common format. For example, BLOCKER is replaced by Critical and so on. The full list is as follows:
| Version 2.1 (before) | Version 2.2 (now) |
|---|---|
| BLOCKER | Critical |
| CRITICAL | High |
| MAJOR | Medium |
| MINOR | Low |
| INFO | Info |

Instead of `whispers -s BLOCKER dir/or/file` use `whispers -s Critical dir/or/file`.
See README for details and examples.
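Two of the breaking changes on this page affect anyone who gates a pipeline on `-s <severity>`: the 2.2.0 rename above and the 2.4.0 per-rule reassignment table earlier on the page. The script below is an added example, not code from the Whispers project; it maps the 2.1 names to the 2.2+ names, orders the levels for a minimum-severity threshold, and reports which rules enter or leave a given threshold after 2.4.0. Both tables are copied from these release notes (the rule table is the subset that changed plus a few unchanged rules); the finding records and the function names are constructed here.

```python
"""Severity normalisation and gate-threshold check across Whispers releases.

Added example, not code from the Whispers project. LEGACY_NAMES is the 2.2.0 rename
table and RULE_SEVERITY is the 2.4.0 reassignment table, both from the release notes.
"""

# Highest first; list position is the ordering a `-s` style minimum-severity gate uses.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]

# Whispers 2.1 names -> 2.2+ names. Note the trap: 2.1 "CRITICAL" is 2.2 "High", not "Critical".
LEGACY_NAMES = {"BLOCKER": "Critical", "CRITICAL": "High", "MAJOR": "Medium", "MINOR": "Low", "INFO": "Info"}

# rule -> (severity before 2.4.0, severity from 2.4.0); subset of the 2.4.0 table.
RULE_SEVERITY = {
    "aws-secret": ("Critical", "Critical"),
    "privatekey": ("High", "Critical"),
    "apikey-known": ("High", "Critical"),
    "apikey": ("Medium", "High"),
    "aws-id": ("Critical", "Medium"),
    "webhook": ("Low", "Medium"),
    "password": ("High", "High"),
    "secret": ("Low", "Low"),
}


def normalize_severity(name: str) -> str:
    """Map a 2.1 level (exact upper-case name) or a 2.2+ level (any case) to its 2.2+ name."""
    if name in LEGACY_NAMES:
        return LEGACY_NAMES[name]
    for level in SEVERITY_ORDER:
        if name.lower() == level.lower():
            return level
    raise ValueError(f"unknown severity: {name!r}")


def meets_threshold(severity: str, minimum: str) -> bool:
    """True when `severity` is at least as severe as `minimum` (both may use 2.1 or 2.2+ names)."""
    return SEVERITY_ORDER.index(normalize_severity(severity)) <= SEVERITY_ORDER.index(normalize_severity(minimum))


def filter_findings(findings: list[dict], minimum: str) -> list[dict]:
    """Keep the findings a `-s minimum` gate would report."""
    return [f for f in findings if meets_threshold(f["severity"], minimum)]


def gate_changes(minimum: str, table: dict = RULE_SEVERITY) -> dict[str, list[str]]:
    """Rules that start or stop being reported at `-s minimum` once 2.4.0 is installed."""
    newly_in, newly_out = [], []
    for rule, (before, after) in table.items():
        was, now = meets_threshold(before, minimum), meets_threshold(after, minimum)
        if now and not was:
            newly_in.append(rule)
        elif was and not now:
            newly_out.append(rule)
    return {"newly_reported": sorted(newly_in), "no_longer_reported": sorted(newly_out)}


if __name__ == "__main__":
    # Constructed findings, in the shape of a rule id plus a severity label.
    sample = [{"rule": "aws-id", "severity": "Medium"}, {"rule": "privatekey", "severity": "Critical"}]
    print("gated at High:", [f["rule"] for f in filter_findings(sample, "High")])
    for level in ("Critical", "High", "Medium"):
        print(f"-s {level} after 2.4.0:", gate_changes(level))
```

The practical outcome for a gate at `-s High` is that `apikey` findings start failing the build while `aws-id` findings silently stop, which is the kind of change worth knowing about before the upgrade rather than after.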
Changelog
| Version | Release notes |
|---|---|
| 2.0.0 | https://github.com/adeptex/whispers/releases/tag/2.0.0 |
| 2.1.0 | https://github.com/adeptex/whispers/releases/tag/2.1.0 |
| 2.2.0 | https://github.com/adeptex/whispers/releases/tag/2.2.0 |
What's Changed
- Bump astroid from 2.12.9 to 2.12.10 by @dependabot in #62
- Bump typing-extensions from 4.3.0 to 4.4.0 by @dependabot in #63
- Bump astroid from 2.12.10 to 2.12.11 by @dependabot in #64
- Bump astroid from 2.12.11 to 2.12.12 by @dependabot in #65
- Bump astroid from 2.12.12 to 2.12.13 by @dependabot in #68
- Bump lxml from 4.9.1 to 4.9.2 by @dependabot in #69
- Bump astroid from 2.12.13 to 2.13.2 by @dependabot in #71
- Bump lazy-object-proxy from 1.7.1 to 1.9.0 by @dependabot in #70
- Bump astroid from 2.13.2 to 2.13.3 by @dependabot in #72
- Bump astroid from 2.13.3 to 2.14.1 by @dependabot in #73
- Bump beautifulsoup4 from 4.11.1 to 4.11.2 by @dependabot in #74
- Bump astroid from 2.14.1 to 2.14.2 by @dependabot in #75
- Bump typing-extensions from 4.4.0 to 4.5.0 by @dependabot in #77
- Bump soupsieve from 2.3.2.post1 to 2.4 by @dependabot in #76
- Bump wrapt from 1.14.1 to 1.15.0 by @dependabot in #79
- Bump astroid from 2.14.2 to 2.15.0 by @dependabot in #80
- Bump beautifulsoup4 from 4.11.2 to 4.12.0 by @dependabot in #81
- Bump astroid from 2.15.0 to 2.15.1 by @dependabot in #82
- Bump jellyfish from 0.9.0 to 0.11.0 by @dependabot in #83
- Bump astroid from 2.15.1 to 2.15.2 by @dependabot in #84
- Bump jellyfish from 0.11.0 to 0.11.2 by @dependabot in #85
- Bump beautifulsoup4 from 4.12.0 to 4.12.1 by @dependabot in #86
- Bump beautifulsoup4 from 4.12.1 to 4.12.2 by @dependabot in #87
- Bump astroid from 2.15.2 to 2.15.3 by @dependabot in #88
- Bump astroid from 2.15.3 to 2.15.4 by @dependabot in #90
- Bump soupsieve from 2.4 to 2.4.1 by @dependabot in #89
- Bump astroid from 2.15.4 to 2.15.5 by @dependabot in #91
- Bump typing-extensions from 4.5.0 to 4.6.1 by @dependabot in #94
- Bump typing-extensions from 4.6.1 to 4.6.2 by @dependabot in #95
- Bump typing-extensions from 4.6.2 to 4.6.3 by @dependabot in #96
- Bump jellyfish from 0.11.2 to 1.0.0 by @dependabot in #98
- Bump typing-extensions from 4.6.3 to 4.7.1 by @dependabot in #101
- Bump lxml from 4.9.2 to 4.9.3 by @dependabot in #102
- 2.2.0 by @adeptex in #106
- UTF8 Locale by @adeptex in #112
Full Changelog: 2.1.5...2.2.0
2.1.5
2.1.4
What's Changed
- Added nginx.conf parser and detection
- Improved Shell variables detection
- Updated Github Workflows to compile binaries as UTF-8
- Bump astroid from 2.12.5 to 2.12.8 by @dependabot in #56
- Bump astroid from 2.12.8 to 2.12.9 by @dependabot in #57
Full Changelog: 2.1.3...2.1.4
2.1.3
What's Changed
- Added detection for default values in Shell variables
- Added detection for known Grafana keys
- Added SHA256 checksums for compiled binaries
- Bump astroid from 2.12.2 to 2.12.4 by @dependabot in #50
- Bump astroid from 2.12.4 to 2.12.5 by @dependabot in #52
Full Changelog: 2.1.2...2.1.3
2.1.2
In order to compile the package with pyInstaller some minor adjustments were required. There are no functional changes in this release.
It is now possible to download and use Whispers as a binary for Linux, OSX and Windows. See releases page.
Full Changelog: 2.1.1...2.1.2