diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf5dd67..0d59119 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
 ## [v1.93.0]
 - **Access Map: added 21 new blast radius providers**, bringing the total to 39. New providers: Airtable, Algolia, Artifactory, Auth0, CircleCI, DigitalOcean, Fastly, HubSpot, IBM Cloud, Jira, MySQL, PayPal, Plaid, SendGrid, Sendinblue/Brevo, Shopify, Square, Stripe, Terraform Cloud, JFrog Xray, and Zendesk. Each provider maps leaked credentials to their effective identity, permissions, and exposed resources.
 - **Access Map: expanded provider depth** for existing integrations. AWS now enumerates SQS, SNS, RDS, ECR, and SSM Parameter Store in addition to the earlier core services; Azure Storage now maps Blob containers, File shares, and Queues from account keys; OpenAI now enumerates visible models, files, assistants, and fine-tuning jobs; Hugging Face now includes datasets and Spaces alongside models; Anthropic now surfaces visible organization API keys.
+- Folded in a set of safe dependency bumps from open maintenance PRs, including `strum`, `sysinfo`, `hmac`, `sha1`, `sha2`, `gitlab`, and `oci-client`, with small compatibility fixes in runtime hashing, system memory detection, and Azure signing code.
 - Added Mermaid architecture documentation in `docs/ARCHITECTURE.md`, covering the main Kingfisher components, command paths, and scan flow at a high level.
 - Expanded `docs/LIBRARY.md` with Mermaid diagrams showing the relationships and internal structure of `kingfisher-core`, `kingfisher-rules`, and `kingfisher-scanner`.
diff --git a/Cargo.toml b/Cargo.toml
index ac8dc04..2b6daf0 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -116,8 +116,8 @@ toon-format = { version = "0.4.4", default-features = false }
 lazy_static = "1.5.0"
 url = "2.5.7"
 include_dir = { version = "0.7", features = ["glob"] }
-strum = { version = "0.26", features = ["derive"] }
-sysinfo = "0.31.4"
+strum = { version = "0.28", features = ["derive"] }
+sysinfo = "0.38.4"
 webbrowser = "1.0.5"
 reqwest = { version = "0.12", default-features = false, features = [
 "json",
@@ -207,8 +207,8 @@ futures = "0.3.31"
 dashmap = "6.1.0"
 xxhash-rust = { version = "0.8.15", features = ["xxh3", "const_xxh3"] }
 serde_yaml = "0.9.34"
-hmac = "0.12.1"
-sha2 = "0.10.9"
+hmac = "0.13.0"
+sha2 = "0.11.0"
 strum_macros = "0.28.0"
 humantime = "2.3.0"
 path-dedot = "3.1.1"
@@ -220,7 +220,7 @@ predicates = "3.1.3"
 assert_cmd = "2.1.1"
 proptest = "1.9.0"
 color-backtrace = "0.7.2"
-gitlab = "0.1801.0"
+gitlab = "0.1810.0"
 mimalloc = {version = "0.1.48", features = ["override"]}
 thread_local = "1.1.9"
 bloomfilter = "3.0.1"
@@ -233,7 +233,7 @@ globset = "0.4.18"
 jsonwebtoken = { version = "10.2.0", features = ["aws-lc-rs"] }
 ipnet = "2.11.0"
 gouqi = { version = "0.20.0", features = ["async"] }
-oci-client = { version = "0.15", default-features = false, features = ["rustls-tls"] }
+oci-client = { version = "0.16", default-features = false, features = ["rustls-tls"] }
 walkdir = "2.5.0"
 p256 = "0.13.2"
 ed25519-dalek = { version = "2.2", features = ["pkcs8"] }
@@ -261,10 +261,10 @@ tokio-rustls = "0.26.4"
 h2 = "0.4.13"
 [target.'cfg(not(windows))'.dependencies]
-sha1 = { version = "0.10.6", features = ["asm"] }
+sha1 = "0.11.0"
 [target.'cfg(windows)'.dependencies]
-sha1 = "0.10.6"
+sha1 = "0.11.0"
 [dependencies.tikv-jemallocator]
 version = "0.6"
diff --git a/README.md b/README.md
index 011c939..3787a4c 100644
--- a/README.md
+++ b/README.md
@@ -2,11 +2,18 @@

Kingfisher Logo - -[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) -[![Detection Rules](https://img.shields.io/badge/Detection%20Rules-601-2ea043.svg)](https://github.com/mongodb/kingfisher)
-[![ghcr downloads](https://ghcr-badge.elias.eu.org/shield/mongodb/kingfisher/kingfisher)](https://github.com/mongodb/kingfisher/pkgs/container/kingfisher)
- +
+ + License + + + Detection Rules + +
+ + ghcr downloads + +
Kingfisher is an open source secret scanner and **live secret validation** tool built in Rust.
diff --git a/src/access_map/azure.rs b/src/access_map/azure.rs
index 2fa6cd2..d2f9c6a 100644
--- a/src/access_map/azure.rs
+++ b/src/access_map/azure.rs
@@ -1,7 +1,7 @@
 use anyhow::{anyhow, Context, Result};
 use base64::{engine::general_purpose::STANDARD as b64, Engine as _};
 use chrono::Utc;
-use hmac::{Hmac, Mac};
+use hmac::{Hmac, KeyInit, Mac};
 use quick_xml::{events::Event, Reader};
 use reqwest::{header::HeaderValue, Client};
 use serde_json::Value as JsonValue;
diff --git a/src/cli/global.rs b/src/cli/global.rs
index 36d9237..f4ca42b 100644
--- a/src/cli/global.rs
+++ b/src/cli/global.rs
@@ -91,7 +91,7 @@ pub enum Command {
 pub static RAM_GB: Lazy> = Lazy::new(|| {
 if sysinfo::IS_SUPPORTED_SYSTEM {
 let s = System::new_with_specifics(
-RefreshKind::new().with_memory(MemoryRefreshKind::new().with_ram()),
+RefreshKind::nothing().with_memory(MemoryRefreshKind::nothing().with_ram()),
 );
 Some(s.total_memory() as f64 / 1024.0 / 1024.0 / 1024.0)
 } else {
diff --git a/src/scanner/docker.rs b/src/scanner/docker.rs
index 7ebb2d4..43d47f0 100644
--- a/src/scanner/docker.rs
+++ b/src/scanner/docker.rs
@@ -177,8 +177,15 @@ impl Docker {
 for p in layer_paths {
 let mut file = File::open(&p)?;
 let mut hasher = Sha256::new();
-std::io::copy(&mut file, &mut hasher)?;
-let digest = format!("{:x}", hasher.finalize());
+let mut buf = [0_u8; 16 * 1024];
+loop {
+let read = file.read(&mut buf)?;
+if read == 0 {
+break;
+}
+hasher.update(&buf[..read]);
+}
+let digest = hex::encode(hasher.finalize());
 let new_path = out_dir.join(format!("layer_{digest}.tar"));
 std::fs::rename(&p, &new_path)?;
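Review bot: The hand-written read loop in the docker.rs hunk turns `ErrorKind::Interrupted` into a hard failure, because `file.read(&mut buf)?` propagates it, whereas the `std::io::copy` it replaces retried on that error kind; a signal landing mid-read now aborts the whole layer pass instead of being absorbed as before. Matching on the read result and continuing on `Interrupted` restores the old behaviour, and the zero-length check folds naturally into the same match. `hex::encode` and the removed `format!("{:x}", …)` both emit lowercase hex, so the `layer_{digest}.tar` names are unchanged. The `for p in layer_paths` body appears to continue past the end of the hunk.
```rust
let mut buf = [0_u8; 16 * 1024];
loop {
    let read = match file.read(&mut buf) {
        Ok(0) => break,
        Ok(n) => n,
        // std::io::copy retried on this; keep that behaviour
        Err(e) if e.kind() == std::io::ErrorKind::Interrupted => continue,
        Err(e) => return Err(e.into()),
    };
    hasher.update(&buf[..read]);
}
// … unchanged: digest encoding and rename …
```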