Releases

Tool Findings API enhancements & new webhooks

We've enhanced the API and webhooks to provide greater control and automation over findings and targets extracted from supported scanning tools like Burp and Nessus. With these new capabilities, you can:

• Access & Manage Parsed Findings – Retrieve tool findings and targets, import them into assessments, and link them to existing findings or targets.
• Mark Findings – Mark findings or targets as 'out-of-scope' or 'ignored'.
• Automate Workflows – Use new webhooks to trigger actions when output file parsing is complete.
• List Output Files – Retrieve and manage parsed tool output files via the API.

See the updated API documentation for full details.

Other improvements

• Caution tags have been renamed to To-Do tags for clarity. All existing caution tags are automatically updated.
• When requesting a review, approval, or publishing a finding with To-Do tags, you’ll now receive a warning.
• An assessment’s research hours are displayed on the schedule page when assigning a phase.
• The spacing around code, table, and figure captions is now more consistent.
• You can now adjust the spacing between a code block, table, or figure and its caption.
• Findings, users, and sections can be tagged immediately after an opening brace or parenthesis. For example, typing "in another finding (#finding:...)" will trigger the selection menu.
• When importing findings from a previous assessment, references to findings or sections in the old assessment are automatically updated to their equivalents in the new assessment, whenever possible.

Bug Fixes

• Resolved an issue where findings imported from a previous assessment were always published.
• Fixed a bug where a published badge incorrectly appeared in retests in the PDF report.
• Addressed an issue where findings moved to new sections in the researcher panel could still be found in the old section via search.
• Fixed a bug where the 'Approve and publish' dropdown sometimes didn't appear.
• Corrected an issue with empty multi-select custom fields.
• Fixed a bug where videos attached to Markdown fields occasionally appeared twice in the online report.
• Resolved an error when loading certain rare notifications.
• Fixed an issue where non-custom short IDs on the assessment edit page were not automatically updated using the research start date.
• Adjusted table margins to correct excessive spacing above text in some tables.
• Fixed a rare exception when rendering the management results table to PDF.
• Resolved an exception when rendering VRT classifications to PDF.
• Fixed an issue in the results table component where resolved findings sometimes appeared in the wrong column.
• Prevent lengthy usernames from overflowing from the menu and onto the page content.
• The 'finding counts by severity' component (with the original severity option selected) now correctly links to the search page filtered by 'original severity' instead of 'current severity'.
• Sections in the researcher panel now correctly display their folder color based on retest status.

Improved researcher panel

We've revamped part of the researcher panel to make organizing your assessments easier and more efficient.

Rearrange sections and move findings between them with drag-and-drop simplicity in the new "reorder" view (accessible via the wrench icon).



Create and delete sections on the fly using the right-click context menu – no more page refreshes!

 

Access all section properties in a single, detailed view without leaving the page. Hover over icons for property details.



We have many more exciting improvements planned for the researcher panel to enhance your workflow further.

Highlight key details using callouts

Add visual emphasis to your content with callouts!  Callouts help you emphasize key information, making your reports clearer and more impactful. Plus, they're rendered perfectly in PDF exports for a professional look.

More control over publishing findings, sections, and retests

We've enhanced how you share information with clients, giving you greater flexibility and control. You can now publish findings, sections, and retests independently, regardless of the overall review status.

Previously, clients could see findings, sections, and retests in two ways: automatically when approved by a reviewer, or when manually set to "published" status. This happened even if the overall assessment wasn't set to a completed status, which sometimes caused confusion.

Now, you decide what clients see and when. Keep everything under wraps until the assessment is complete, or share critical findings, sections, or retests immediately – the choice is yours!

How it works:

• Publish individual findings, sections, or retests at any time, even if they're still in draft status. This allows for early collaboration and faster response to critical issues.
• When your assessment is finalized, you can publish everything with a single click.

Example: Share a critical "draft" finding with your client so they can begin mitigation right away. They'll see the "draft" status and understand that details may be refined later.

Enhanced control over automated backups

We've added greater flexibility and control to automated backups:

• Customize the size limits for your automated backups to optimize storage usage.
• Stay informed with email alerts for successful backup operations (previously only sent for failures).
• Set a warning threshold to be notified when backups approach the total size limit, allowing you to take proactive action.

For detailed information, see Documentation > General > Configuration > Backups for details.

Retests now available without client requests

You can now initiate retests without needing a client request. This new assessment setting is ideal if you don't plan on giving clients access to Reporter.

With this setting enabled, you can use all retest functionality, including the review process, with greater flexibility and without requiring client involvement.

Set your default preference for this setting in Settings > General > Assessment Defaults to apply it to all new assessments.

Other improvements

• Targets are now optional. You can now create findings without targets.
• Researchers can now edit each other's retests.
• You can now customize the vertical padding in tables in your report themes.
• Added functionality to import and export assessment templates as zip files.
• Improved logic for when new versions are created.
• Greatly improved performance of the API documentation page.
• You can now add the number of findings in each category to the labels of the finding severity chart report component.
• Added an option to show the original severities in the finding counts by severity components.
• You can now use most assessment custom fields as placeholders on the front page of your reports. 

Bug Fixes

• Fixed a bug where the status of an assessment was not automatically set to scheduled when you set dates.
• Fixed a bug where the markdown editor showed incorrect autocomplete suggestions when you are writing a code block caption.
• Fixed missing translations for health check emails about automated backups.
• Fixed a bug where you couldn't attach documents to a request for revision of an assessment section.

This is a security and bugfix release. We recommend updating as soon as possible.

Security

A security issue related to the reauthentication process has been resolved.

Bug Fixes

We have fixed various issues relating to the new custom fields feature. Thanks to everyone who submitted feedback and reported bugs.

• Fixed an issue where the names of finding fields (e.g., "Description") were not translatable. If you installed 2024.11.26 and are using multiple languages, please retranslate these field names.
• Fixed an issue where custom field labels were not translated in reports.
• Fixed an issue where creating webhooks from Zapier did not work.
• Fixed an issue where custom select and multi-select fields broke if more than one was present on the same form.
• Fixed suggesting a finding as a translation for a finding template.
• Fixed an issue where the original severity of a finding was not struck through in the online report.
• Fixed a bug where the header of a table was sometimes repeated on the next page, even after the caption.
• Fixed a front-end error that occurred after editing a finding on the review page.

Improvements and Enhancements

• Account managers now have limited access to all clients, allowing them to list all client names. This change addresses the issue where account managers unintentionally created duplicate clients due to not seeing that a client already existed.
• Added placeholders for additional dates from the initial assessment phase.
• Added a toggle to hide other assessments in the frequent assessment quick bar.

Introducing Custom Fields and Finding Layouts

Designed to put flexibility and control at your fingertips. Add highly customizable fields to users, clients, assessments, and findings, and tailor the layout of findings to your exact needs. Use custom fields with your integration with external services - see our blog for an example integration with GitHub that utilizes custom fields, webhooks, and the Reporter API.

Custom fields can be added to findings, assessments, clients, and users:

For example, add an "About me" field to user profiles:

Create Fields of Any Type: From simple text and number fields to specialized options like email, URL, markdown, and multiselect, you can build forms that precisely reflect your requirements.

Customize Every Aspect of a Custom Field: Design fields to fit your exact needs with extensive customization options. Customize labels, API names, and tooltips of each custom field. Set up many types of validation rules to enforce data consistency. Mark fields as required, and apply type-specific settings for an optimized data entry experience. Every aspect of your custom fields can be tailored, making them as adaptable and detailed as your application requires.

Effortless Custom Field Translation: Add multilingual support by translating custom field elements with ease. When a custom field appears in a pentest report, it automatically aligns with the report’s language, displaying the appropriate translation. Provide a localized experience for all your clients across the globe without additional effort.

API Integration: Access and manage custom fields through the API, just like any standard field. Retrieve and update custom field data effortlessly, integrating it directly into your workflows.

Customize Finding Layouts: Take full control over your findings by customizing which fields are visible, setting conditions for when they appear, and adjusting their display format. Define the order and structure to create clear, organized layouts that align with your reporting needs, ensuring every assessment is presented exactly as intended.

New report component: charts

It is now possible to insert charts with finding statistics to your reports. These charts are generated automatically based on the status of your findings. Simply insert the chart component in your preferred location, and Reporter takes care of all the technical details when it's generating the report. Of course, the look of these charts can be fully customized in the theme editor!

Other improvements

• Added a new option that allows findings to be shown as headers in the table of contents.
• Theme options were added for centering narrow tables and figures on the report page.
• When holding Ctrl to select multiple items in a multiselect form element, the scroll wheel now scrolls down the list of options, instead of zooming in or out.
• HTML IDs and classes were added to analytics chart and table blocks, so that they can be targeted with custom CSS.
• Tagged sections are now rendered as the name of the section in plain text if the section is not on the current report (just like findings).
• Page number columns in the findings and action plan tables are now automatically hidden when rendering a management report.
• The CWE list was updated to the latest version.

Bug Fixes

• Re-added the upload button that went missing on the font page.
• In translated reports the correct translation of the word "Table" is now used in all captions.
• Fixed a bug when publishing a finding and changing its severity in the same request would cause the wrong original severity to be set if the finding had been published before.
• Do not reset the original severity when a finding is published again.
• Clicking links in the Table of Contents in the online report no longer reloads the page.
• Fixed some minor bugs in the (multi)select component.
• The assessment templates edit page now loads with the correct language for the sections.
• Inline code no longer overlaps with surrounding text in the Markdown editor.
• Used the correct font for inline code in image and table captions in the HTML report.
• Made margins in the side-by-side view of the markdown editor look more consistent.
• Malformed shortcode components in Markdown fields are handled better so that they don't cause report compilation to fail.
• Another report compilation issue that happened when captions or copy tags contained shortcode components was resolved.
• A visual bug was fixed where inline editing target credentials would cause the contents to float right.
• A bug was fixed where the application logo and custom stylesheet would sometimes be deleted when submitting changes to the application settings.
• When assessing a finding template suggestion, the tags are now copied correctly.
• When uploading an invalid file the proper error message is now displayed.
• The action plan inputs are no longer disabled when creating a new finding template suggestion.
• After adding a file to the file upload component and clicking the "Undo" button, the file is no longer uploaded in some cases when submitting the form.

Updated API endpoint for listing finding events

Breaking change!

The API endpoint for listing finding events has been updated to make it consistent with other index routes. The endpoint has changed from: /api/v1/findings/{finding_id}/finding-events to /api/v1/finding-events.

Bug Fix: The old endpoint had a bug where it did not correctly filter by finding ID. This issue is resolved with the new endpoint and filtering method. To get all finding events associated with a particular finding, use the new endpoint with a filter parameter:

GET /api/v1/finding-events?filter[finding_id]={finding_id}

Webhook improvements

• Conditional Webhooks: You can now set conditions for each webhook using JMESPath syntax to determine whether it should be triggered, giving you more control over webhook execution.
• Assessment Completed Webhook: A new webhook has been added that triggers when an assessment is set to a completed state ('Completed' or 'Retest Completed'), allowing you to automate actions based on assessment completion.

New global user roles

Introduced new global user roles: 'Assessment Template Manager', 'Finding Template Manager', and 'Assessment Theme Manager':

• These roles are generally assigned alongside other roles like Researcher, Account manager, or Project admin.
• They can also be stand-alone roles for users needing limited access, such as theme designers without assessment access.

Limitations:

• Finding Template Managers cannot see suggestions for finding templates if they don't have access to the findings they are based on.
• Assessment Theme Managers cannot mass migrate assessments to a new theme unless they also have admin or project admin permissions.

Other improvements

• The Python API wrapper has received several updates; see https://github.com/dongit-org/python-reporter for details. 
• Added support for Microsoft Graph mail.
• Pipedream now offers integration with Security Reporter; see https://pipedream.com/apps/security-reporter for details.
• Added tagging functionality to clients; only account managers, project admins, and admins can see and filter by tags.
• The snippets feature has been enhanced with several updates: the index page now includes table hover effects, filtering, and sorting options; the insertion modal has been reformatted; tag functionality has been added for better organization; and snippets can now be inserted into other snippets.
• Introduced a new assessment setting to disable retesting functionality.
• Made it configurable for assessment sections whose subsections have the 'can have findings' setting enabled to appear in the results table.
• Updated the notification system to ensure that all associated users receive timely alerts whenever an assessment is rescheduled.
• Added the ability to sort finding templates by weight via the API.
• Activity related to assessment and finding templates are now logged and accessible via the activity page.
• Added a placeholder for the 'completed at date' of the initial assessment phase.
• Added a global setting for password-protecting report PDFs. This setting can be enabled under 'Settings > General > Miscellaneous > Generate a password for PDF Reports'.

Bug Fixes

• Fixed an issue where caution tags in references were ignored.
• Ensured client changes to shared information are recognized as a new version.
• Resolved a problem where linking many potential findings to a finding did not work.
• Referenced findings not present in the report are now rendered as plain text instead of links, allowing references to findings in the management summary even if they are not included.
• Fixed an error on the user view page that occurred if the current user didn't have a timezone set.
• Fixed a redirect issue when changing the status of a finding retest through the inline edit functionality.
• Resolved a '403 Unauthorized' error when using the Finding Templates Create API function, ensuring API keys with the correct permissions work as intended.
• Improved the assessment sections API update: researchers now receive clear validation errors when attempting to modify unauthorized fields, and fixed a bug preventing admins from setting a published review status via the API.
• Fixed the 'Copy to Clipboard' button not updating correctly after saving an inline edit.
• Restored the 'Submit for Review' button for assessment sections that required revisions.
• Fixed a bug in the inline editor of the HTML report that occasionally prevented the editor from being locked.
• Fixed a validation error on the vulnerability field when updating a finding with the status 'Retest Pending'.