Releases: owasp-noir/noir
v0.28.0
What's Changed
New Features
- AI Agent Mode (@hahwul, @ksg97031)
- ACP (Agent Client Protocol) integration (@hahwul)
- CakePHP & Goyave detector + analyzer (@chei-l)
AI Agent Mode
Iterative tool-calling AI workflow for deeper, autonomous endpoint discovery (uses tools like list_directory, read_file, grep, semantic_search).
Example:
noir -b ./myapp --ai-agent
ACP (Agent Client Protocol)
With ACP integration, you can analyze using locally configured AI Agents even without API keys for AI Providers (local agent handles authentication).
Example:
noir -b ./myapp --ai-provider=acp:codex
Improvements
- Cross-file Express.js router support (@fabiencheret)
- Enhanced analyzers: Kotlin Spring (static paths/body) (@chei-l), Flask (shortcut decorators/MethodView/async) (@fabiencheret), Tornado (cross-file handlers) (@fabiencheret), Chi (Group scope) (@fabiencheret)
- Detector performance optimization (Rocket, Kemal)
- Endpoint deduplication improved to O(N)
- Minimum Crystal version raised to 1.19 + CI updates
Bug Fixes
- Missing route patterns in JS/Express extractor (@fabiencheret)
- Flask & Tornado route parser fixes (@fabiencheret)
New Contributors
- @fabiencheret made their first contribution in #1000
Full Changelog: v0.27.1...v0.28.0
v0.27.1
What's Changed
- Bump CI/CD workflows
- Fixed bug: Fix file extension removal bug when using dot base path (-b .) #980
Full Changelog: v0.27.0...v0.27.1
v0.27.0
What's Changed
All issues and pull requests in Milestone 31 have been included in this release. v0.27.0 is a major update that significantly expands support for new frameworks/technologies, greatly improves technology visibility, and adds more flexible output options.
✨ New Features
- Enhanced technology information output
- New framework/language support
- Extended parameter analysis
  - Java & Scala Play analyzer now supports body, header, and cookie parameters (#931)
- New output format
  - Added TOML output format (`-f toml`) (#904)
- LLM & reporting improvements
⚡ Enhancements
- Greatly improved visual readability of `--diff-path` output
  → Added icons, counts, and better separators (#925)
- Updated technology metadata for Elixir Phoenix / Plug (#930)
- Added test coverage for `--only-techs` & `--exclude-techs` flags (#917)
🐛 Bug Fixes
- Fixed analysis being skipped when project is located in `/tmp` or similar paths (#912)
- Fixed FastAPI detector missing `import fastapi` style imports (#935)
- Fixed false positives in Go analyzer when HTTP method names (.Get, .Post, etc.) appeared on non-router objects (#941)
- Fixed file detection failure with `Dir.glob()` when paths contain special characters (#964)
We sincerely thank all contributors for their awesome code and contributions in this release v0.27.0! Especially, the newly joined @4ICH4 and @Sija have made significant contributions at the code and feature levels. And a special shoutout to our co-leader @ksg97031 for always providing tremendous support. Thanks to you all, NOIR has taken a big step forward. We're grateful for your continued involvement!
v0.27.0 brings major improvements in frontend framework support (NuxtJS, TanStack Router), Swift server-side frameworks, and dramatically better technology stack visibility and output customization.
Happy scanning! 🚀
New Contributors
Full Changelog: v0.26.0...v0.27.0
v0.26.0
What's Changed
Framework Support
- Added full detector and analyzer support for:
  - Scala (Scalatra, Play, Akka)
  - Swift (Vapor)
  - TypeScript (NestJS)
- Expanded parameter detection (cookie, header, query, body, file) for:
  - Symfony, Hanami, RWF, Rust (Rocket, Gotham), Koa, all JavaScript frameworks, Java (Armeria)
- Improved endpoint detection for multi-line definitions and case-insensitive HTTP methods in Go frameworks
- Added endpoint collection support for C# ASP.NET Core MVC
- Enhanced static path support for JavaScript frameworks
Output & CLI
- Added Postman Collection v2.1.0 output format (`-f postman`)
- Added HTML output format (`-f html`)
- Added PowerShell Invoke-WebRequest output format (`-f powershell`)
- Added new taggers: GraphQL, JWT, FileUpload
- Improved help output
Miscellaneous
- Added Nix packaging support (`nix profile add github:owasp-noir/noir`)
- Resolved performance issues on large projects
New Contributors
- @MohammedAnasNathani made their first contribution in #830
- @e-n-0 made their first contribution in #857
Full Changelog: v0.25.1...v0.26.0
v0.25.1
What's Changed
- Add OWASP logo to documentation footer
- Add token limits for new AI models
- Expand ASP.NET MVC analyzer to support attribute routing and parameter binding
- Improve linting by
Full Changelog: v0.25.0...v0.25.1
v0.25.0
What's Changed
Framework Support
- Expanded parameter type support for:
  Rust (Actix Web, Rocket, Tide, Warp, Loco, RWF), C#, Java, Go, Elixir (Phoenix/Plug), Ruby, PHP
- Added support for Crystal 1.18
- Added Postman Collection JSON output
Output & CLI
- Added SARIF output format
- Improved OpenAPI 2.0 / 3.0 export
- Support for multiple `-b`/`--base` flags
Refactoring
- Reduced code duplication and improved design patterns
- Fixed Flask and Express framework detection
- Refactored AI analyzers using the adapter pattern
- General maintainability cleanup
Full Changelog: v0.24.0...v0.25.0
v0.24.0
Release Note
✨ New Features & Enhancements
🛠 Detectors & Analyzers
Added support for 17 new detectors and analyzers across multiple languages and frameworks:
| Language | Detectors & Analyzers |
|---|---|
| Crystal | marten, grip, amber |
| Elixir | plug |
| Go | go-zero, fasthttp, mix |
| Java | vertx |
| JavaScript | next |
| Kotlin | ktor |
| PHP | symfony, laravel |
| Python | tornado, sanic |
| Rust | gotham, tide, warp |
🔍 Passive Scan
- Severity Filter Flag: Introduced `--passive-scan-severity` for refined passive scan control.
- Rule Update Check: Added automatic update checks and notifications for passive scan rules, with auto-update on Noir startup.
New Flags
PASSIVE SCAN:
--passive-scan-severity SEVERITY Set minimum severity level for passive scan (critical, high, medium, low). Default: high
--passive-scan-auto-update Automatically update passive scan rules from the remote repository at startup
--passive-scan-no-update-check Skip checking for passive scan rules updates at startup
🤖 AI Capabilities
- Enhanced AI Analyzer: Upgraded with a Unified LLM Adapter, disk caching, and a switch to system/user prompts for improved performance.
- Endpoint Optimization: New AI-driven features to optimize endpoint performance.
New Flags
CACHE:
--cache-disable Disable LLM cache for this run
--cache-clear Clear LLM cache directory before run
🛠 GitHub Action
- Noir GitHub Action: Official support for seamless integration with GitHub Actions.
- https://github.com/marketplace/actions/owasp-noir-action
🚀 Code & Performance
- Code Quality: Significant improvements to codebase reliability and maintainability.
- Test Functions: Enhanced test functionalities for better coverage and stability.
- Resource Limits: Added resource constraints for analyzers processing media files to optimize performance.
🧑‍💻 Developer Tools
- Prompt Testing: New hidden flag for streamlined PROMPT testing.
- Just Tasks: Improved task management for developers.
🔄 CI/CD
- Debian Package: Now building `.deb` packages and uploading them to the release page.
- SBOM Support: Added Software Bill of Materials (SBOM) generation for better dependency tracking.
📚 Documentation
- Korean Support: Added `ko` (한국어) localization for documentation.
- Updated Docs: Comprehensive updates to documentation for clarity and completeness.
🐾 Meet Our Mascot
- Hak: Introducing "Hak," our new mascot, bringing a fun vibe to the Noir community!
Full Changelog: v0.23.1...v0.24.0
v0.23.1
v0.23.0
Features and Enhancements
- Added Loco framework detector and analyzer support
- Added rwf detector and analyzer
- Added support for FeignClient interface analysis
- Added mermaid mindmap visualization format for endpoint discovery (`-f mermaid` / preview)
- Supported Dynamic Paths and recognized router.all in Express Endpoint Detection
- Enhanced Spring analyzer's HTTP header handling
- Improved annotation parsing and added TApiResponses controller
- Improved parameter extraction logic
Bug Fixes
- Added url_paths check to resolve #626 by @EvtDanya in #627
- Skipped unknown parameter type by @ksg97031 in #639
Documentation and Workflow Improvements
- Changed documentation from Hugo to Zola
- Added comprehensive GitHub Copilot instructions for development workflow
- Renamed AI.md to AGENTS.md
- Renamed variable in template substitution loop for clarity
Build and Dependency Updates
- Docker base image update (debian 12-slim to 13-slim)
- Dependencies Update
- Added GitHub Actions workflow for automated release binary builds
Full Changelog: v0.22.0...v0.23.0
v0.22.0
What's Changed
- Add .graphql file analyzer by @hahwul in #605
- Update Road Map by @hahwul in #606
- Migrate Rakefile to justfile by @hahwul in #608
- feat: Add detector and analyzer for Koa.js by @hahwul in #610
- Add AI.md by @hahwul in #613
- Update `AI.md` by @hahwul in #614
- Improve AI.md by @hahwul in #616
- build(deps): Bump github.com/go-chi/chi/v5 from 5.2.0 to 5.2.2 in /spec/functional_test/fixtures/go/chi by @dependabot in #620
- Validate HTTP methods and default invalid ones to GET by @hahwul in #621
- Improve Performance by @hahwul in #623
- Bump version to 0.22.0 by @hahwul in #624
Full Changelog: v0.21.1...v0.22.0
