Skip to content

Dev -> Stable 3.0#3079

Open
TheTechromancer wants to merge 1388 commits into
stablefrom
dev
Open

Dev -> Stable 3.0#3079
TheTechromancer wants to merge 1388 commits into
stablefrom
dev

Conversation

@TheTechromancer

@TheTechromancer TheTechromancer commented May 4, 2026

Copy link
Copy Markdown
Contributor

Architecture / Core

Vulnerability / Finding Rework

Blasthttp

DNS

Performance

Lightfuzz

New Modules

Module Fixes / Removals

Config / Presets / Targets

UX / Output

Bug Fixes

Misc

Merge Conflict Resolution

Comment thread bbot/test/test_step_1/test_presets.py Dismissed
Comment thread bbot/test/test_step_1/test_presets.py Dismissed
Comment thread bbot/test/test_step_1/test_presets.py Dismissed
Comment thread bbot/test/test_step_1/test_presets.py Dismissed
Comment thread bbot/test/test_step_1/test_presets.py Dismissed
Comment thread bbot/test/test_step_1/test_presets.py Dismissed
Comment thread bbot/test/test_step_1/test_presets.py Fixed
Comment thread bbot/test/test_step_1/test_target.py Dismissed
Comment thread bbot/test/test_step_1/test_target.py Dismissed
Comment thread bbot/test/test_step_1/test_target.py Dismissed
@github-actions

github-actions Bot commented May 4, 2026

Copy link
Copy Markdown
Contributor


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


0 out of 5 committers have signed the CLA.
@liquidsec
@TheTechromancer
@SpamFaux
@aconite33
@ausmaster
You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@ChrisJr404

Copy link
Copy Markdown

I have read the CLA Document and I hereby sign the CLA

@github-actions

github-actions Bot commented May 4, 2026

Copy link
Copy Markdown
Contributor

🚀 Performance Benchmark Report

ℹ️ No baseline benchmark data available

Showing current results for dev only.

📊 Current Results (dev) - Click to expand

Results

Test Name Mean Time Ops/sec Min Max
Bloom Filter Dns Mutation Tracking Performance 4.27ms 234.1 ops/sec 4.21ms 4.33ms
Bloom Filter Large Scale Dns Brute Force 17.63ms 56.7 ops/sec 17.39ms 18.44ms
Large Closest Match Lookup 365.07ms 2.7 ops/sec 360.31ms 368.92ms
Realistic Closest Match Workload 191.85ms 5.2 ops/sec 190.18ms 195.16ms
Event Memory Medium Scan 1.854s 0.5 ops/sec 1.728s 2.072s
Event Memory Large Scan 9.180s 0.1 ops/sec 9.057s 9.291s
Event Validation Full Scan Startup Small Batch 405.82ms 2.5 ops/sec 402.69ms 410.69ms
Event Validation Full Scan Startup Large Batch 545.57ms 1.8 ops/sec 541.65ms 548.56ms
Make Event Autodetection Small 25.52ms 39.2 ops/sec 25.35ms 25.76ms
Make Event Autodetection Large 258.34ms 3.9 ops/sec 257.70ms 258.81ms
Make Event Explicit Types 11.35ms 88.1 ops/sec 11.30ms 11.42ms
Excavate Single Thread Small 4.067s 0.2 ops/sec 4.019s 4.161s
Excavate Single Thread Large 10.015s 0.1 ops/sec 9.812s 10.192s
Excavate Parallel Tasks Small 4.240s 0.2 ops/sec 4.208s 4.325s
Excavate Parallel Tasks Large 6.417s 0.2 ops/sec 6.353s 6.512s
Intercept Throughput Small 884.84ms 1.1 ops/sec 879.00ms 895.58ms
Intercept Throughput Medium 875.68ms 1.1 ops/sec 871.70ms 878.03ms
Dns Throughput Quiet 2.741s 0.4 ops/sec 2.733s 2.753s
Dns Throughput Loaded 1.804s 0.6 ops/sec 1.789s 1.820s
Dns Throughput Inherited 2.340s 0.4 ops/sec 2.259s 2.470s
Is Ip Performance 2.31ms 432.0 ops/sec 2.13ms 3.13ms
Make Ip Type Performance 226.90µs 4.4K ops/sec 212.27µs 468.67µs
Mixed Ip Operations 2.29ms 437.0 ops/sec 2.22ms 3.13ms
Memory Use Web Crawl 511ns 1956.9K ops/sec 511ns 511ns
Memory Use Subdomain Enum 511ns 1956.9K ops/sec 511ns 511ns
Memory Use Deep Chain 921ns 1085.8K ops/sec 921ns 921ns
Memory Use Parallel Chains 621ns 1610.3K ops/sec 621ns 621ns
Scan Throughput 100 2.958s 0.3 ops/sec 2.872s 3.103s
Scan Throughput 1000 20.912s 0.0 ops/sec 20.728s 21.253s
Typical Queue Shuffle 5.41µs 184.9K ops/sec 5.07µs 32.30µs
Priority Queue Shuffle 25.91µs 38.6K ops/sec 24.89µs 67.59µs

🐍 Python Version 3.11.15

@N7WEra

N7WEra commented May 4, 2026 via email

Copy link
Copy Markdown

@shart123456

Copy link
Copy Markdown
Contributor

Code review

Found 1 issue:

  1. dnsresolve.py sets main_host_event.always_emit_tags = [] (no underscore prefix), but BaseEvent.always_emit reads from self._always_emit_tags (with underscore prefix) — the assignment is a no-op and has no effect on event emission behavior.

self.debug(
f"Skipping DNS children for {event} because their DNS resolve distances would be greater than the configured value for this scan ({self.helpers.dns.runaway_limit})"
)
main_host_event.add_tag(f"runaway-dns-{dns_resolve_distance}")
else:

The check in base.py that this is intended to override:

return self._always_emit or always_emit_tags or no_host_information
@property
def id(self):
"""
A uniquely identifiable hash of the event from the event type + a SHA1 of its data

The fix is either to use the correct underscore-prefixed name (_always_emit_tags) or to set main_host_event._always_emit = False directly.

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.

Comment thread bbot/test/test_step_1/test_presets.py Dismissed
@codecov

codecov Bot commented May 18, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 87.97521% with 582 lines in your changes missing coverage. Please review.
✅ Project coverage is 90%. Comparing base (370102e) to head (5243115).
⚠️ Report is 33 commits behind head on stable.

Files with missing lines Patch % Lines
bbot/modules/virtualhost.py 73% 122 Missing ⚠️
bbot/core/helpers/web/web.py 77% 72 Missing ⚠️
bbot/modules/waf_bypass.py 80% 33 Missing ⚠️
bbot/modules/lightfuzz/submodules/crypto.py 83% 29 Missing ⚠️
bbot/modules/http.py 91% 27 Missing ⚠️
bbot/cli.py 63% 25 Missing ⚠️
bbot/core/event/base.py 85% 21 Missing ⚠️
bbot/core/modules.py 92% 21 Missing ⚠️
bbot/modules/lightfuzz/submodules/sqli.py 80% 19 Missing ⚠️
bbot/modules/gowitness.py 82% 16 Missing ⚠️
... and 43 more
Additional details and impacted files
@@           Coverage Diff            @@
##           stable   #3079     +/-   ##
========================================
- Coverage      91%     90%     -0%     
========================================
  Files         441     450      +9     
  Lines       37720   46019   +8299     
========================================
+ Hits        34122   41282   +7160     
- Misses       3598    4737   +1139     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Comment thread bbot/test/conftest.py Dismissed
liquidsec added 17 commits June 9, 2026 09:47
…ity cache poisoning

- crypto: filter structured hex IDs (Mongo ObjectIds, hex timestamps,
  sequential counters) from keystream-reuse detector via tail analysis
- cmdi: reject leading-zero arithmetic multiplicands (bash octal divergence)
- lightfuzz: restore event type/flags after try_get_as_post conversion passes
- lightfuzz: don't cache None connectivity responses (transient failure)
- Add 16 regression tests covering all four fixes
More stable because it doesn't depend on nuclei installation,
which is tested elsewhere.
…/griffe-gte-1-and-lt-3

Update griffe requirement from <2,>=1 to >=1,<3
Handle malformed YAML gracefully instead of crashing
…actions/dev/github-actions-484570b1b1

Bump codecov/codecov-action from 6 to 7 in the github-actions group
…ents-mar-26

Lightfuzz Overhaul (False-positive reductions, False-negative reductions, many new techniques)
Deduplicate children per parent (set instead of list) so duplicates
from the chaos API don't inflate the per-parent cap count and silently
drop legitimate subdomains.
collapse PTR-style floods in chaos response
@liquidsec

Copy link
Copy Markdown
Collaborator

recheck

liquidsec and others added 30 commits June 25, 2026 15:17
…h-db

gowitness: ephemeral per-batch database
…ceful

Graceful cloudcheck error handling + SSL verify passthrough
…imeout-settings

Consolidate HTTP timeout settings
Add E2E tests, bump cloudcheck to 11.x
Add optional API key + cursor pagination to certspotter
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.15.18 to 0.15.20.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.18...0.15.20)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.15.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the github-actions group with 1 update: [actions/cache](https://github.com/actions/cache).


Updates `actions/cache` from 5 to 6
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v5...v6)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…actions/dev/github-actions-6d1c06d137

Bump actions/cache from 5 to 6 in the github-actions group
The bbot.core.engine framework (EngineBase/EngineClient/EngineServer) is unused since DNS and HTTP moved to blastdns/blasthttp. Reparent WebError/DNSError onto BBOTError and drop the engine doc page.
Run bbot/scripts/docs.py to refresh all generated tables (modules, presets, events, config, flags, output, help, TOC) and the chord-graph data. Sweeps removed modules (wpscan, httpx, ffuf, azure_realm, etc.) and adds new ones (http, webbrute, censys_dns/ip, mongo/kafka/...).
Drop removed VULNERABILITY event type, --allow-deadly flag, and httpx module reference; rename nuclei-intense/lightfuzz-superheavy presets to nuclei-heavy/lightfuzz-max; INFORMATIONAL severity to INFO; wappalyzer dep example to pyOpenSSL.
Regenerate docs/scanning/advanced.md under Python 3.12. Python 3.13+ argparse collapses repeated metavars (-H, --custom-headers CUSTOM_HEADERS), dropping the placeholder after the short flag.
README and CONTRIBUTIONS are GitHub-rendered root files with no docs-site version context; mike publishes only versioned deep links (default: Stable), so these must name a version. Stable matches the rest of the README's links.
Note bbot.core.engine / BBOTEngineError / CurlError removal and WebError/DNSError reparenting; add redact_secrets and waf_bypass; sync cloudcheck/asndb dep bounds.
event.md linked to ../../scanning/events (outside docs root); correct to ../scanning/events.md to match other dev pages. Wire the orphaned webbrute deep-dive page into the Modules nav.
…/ruff-0.15.20

Bump ruff from 0.15.18 to 0.15.20
- filter with is_global instead of is_private so CGNAT/reserved space (no public ASN) isn't looked up
- serialize asndb requests via NamedLock so concurrent callers don't stampede the rate-limited bbot.io API
asn: filter non-global IPs and serialize asndb lookups
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

10 participants