Releases

2024.07.23


This bugfix release fixes an issue with the researcher panel and includes several other bug fixes.

Bug Fixes

  • Fixed a bug where the researcher panel would break during the retest process.
  • Fixed an issue where the CVSS risk assessment table showed two hyphens instead of a dash in the PDF report.
  • Fixed an issue in the HTML version of the findings table component: the severity column was hidden instead of the status column.
  • Fixed a bug where dragging and dropping a text file into a markdown field pasted the file's content into the field.
  • Draft sections now correctly show a draft icon in the researcher panel.

2024.07.12


Self-hosted WebSockets, no third-party service required

Breaking change, read the upgrade guide!

WebSockets are now integrated directly into Reporter, eliminating the need for third-party services like Pusher.

WebSockets power some of our collaboration features, including the researcher panel state and form-locking functionalities. Built-in WebSockets capability allows all users, even those with stringent company policies prohibiting the use of third-party services, to utilize these features.

Moreover, this enhancement paves the way for many new and exciting features in the future. Stay tuned for upcoming updates!

Upgrade Guide

To use these features, you must update your Docker configuration. Additionally, we have dropped support for Pusher. Users who currently use Pusher are also required to update their configuration.


Assessment sections review

Similarly to the review functionality of findings, assessment sections are now part of the review flow. The content of sections that have not yet been published is not visible to client users.

You can set the default review status of assessment sections within the assessment templates. When you create a new assessment using a template, all configured properties, including the review status, will be automatically applied. Additionally, you can update the review status for existing assessments directly through the assessment section edit function.

Other changes related to the review flow:

  • A new review status, "Revision Requested," has been introduced. This status indicates that a revision is required before the review can be approved, making it clear when an item has undergone a review rather than just being drafted.
  • Draft findings, retests, and assessment sections will now appear in draft reports. Previously, this feature was only available for findings. This change ensures that all draft components are included in draft reports.

Improvements

  • The assessment template for "Azure Security Benchmark V3" (ASB) has been replaced with a template for its successor, "Microsoft Cloud Security Benchmark V1" (MCSB). To add the new template, use the 'Clone default template' button on the assessment templates overview page.
  • The API documentation has been clarified to describe how filtering works with multiple possible values ("or" filtering).
  • In the "Findings table" report component, you can now show or hide the status column or make it only appear when at least one retest has been requested.
  • The API now has routes and includes that let you retrieve the entire finding timeline in one request. Support has been added for all types of finding events in the API. See the updated API documentation for details.
  • More icons were added to the researcher panel to display better which sections need action. The documentation now has an extra section that explains these icons in more detail.

Bugfixes

  • Fixed a regression in the researcher panel, where hidden sections were no longer indicated as such.
  • The Tool Import functionality has been improved to better handle the import of very large findings.
  • Fixed inconsistent capitalization in the "Risk summary table" component.
  • The Okta SSO provider wasn't properly registered.
  • The parsing logic for code block closing tags in the Markdown editor has been improved. This ensures that code blocks are now correctly identified and displayed as intended.
  • The import process has been updated to ensure that the correct assessment is selected when importing findings from previous assessments.
  • The deletion process for cloned findings with associated rejected events has been corrected.
  • The task layout has been updated to handle large images in client comments more gracefully.
  • Table captions now correctly display as "Table 1" without the colon if no caption text is present.
  • The link in comment notifications now correctly directs to the comments tab.

2024.05.31


Enhancements

  • Add options to the report theme editor for configuring the layout of severity badges. The look of the two types of severity badges (the ones inside finding/retest metadata and the ones in different places) can now be configured separately. For CVSS badges it is also possible to configure the size of the severity score and the spacing between the severity score and severity description.

Bug Fixes

  • Fixed a bug where clicking the "Quick inline edit" button on the "Account Details & Credentials" section of the assessment overview page would show an error message and refresh the page.
  • Fixed a bug in the build of the previous release image that left the latest tag in the container registry pointing at an older image instead of the latest release image.
  • Fixed an inconsistency in the API where some of the new routes used a singular noun instead of the plural.

2024.05.30


SCIM auto-provisioning

Reporter now supports SCIM identity providers, such as Microsoft Entra ID and Okta, for user provisioning. SCIM groups can be used to quickly and automatically assign Reporter roles to users in those groups.

Zapier Integration Published

Seamlessly integrate popular applications into your workflow. For instance, connect systems like ServiceNow, Jira, Azure DevOps, or PowerBI. Over time, we'll add more one-click integrations, enhancing your productivity and connectivity.

https://zapier.com/apps/security-reporter

Account Manager Role

We have added an 'Account Manager' role. This role is perfect for delegating client-specific assessment management without granting access to all assessments in the application.

Key Features of the Account Manager Role:

  • Client-Specific Access: Account Managers can only access the clients and assessments they are assigned to manage, ensuring focused and secure management.
  • Client Creation: Account Managers have the ability to create new clients. They are automatically assigned as the Account Manager for any client they create.
  • Assessment Creation: Account Managers can create assessments for their assigned clients. They will automatically be designated as the manager for any assessments they initiate.

The existing 'Project Manager' role has been renamed to 'Project Admin' to highlight the admin-level access they have to all assessments.

Enhancements

  • Give and receive quick feedback using Emoji Reactions, avoiding a long comment thread.
  • Assessment versioning:
    • See what changes have been made by whom and at what time.
    • Adds the 'Last edited X% by/on' bar to the shared information, internal details, and researcher briefing tabs.
    • Users who can see the tab can see and compare versions of those fields.
  • The researcher panel has been rebuilt from the ground up with a cleaner, more modern look, opening the doors to some exciting new features.
  • The font casing for the severity scores is now customizable. See the theme options.
  • Finding templates can now be sorted by severity, weight, last used at, and created at.
  • SAML2: support nameid-format:emailAddress. This improves the handling of SAML2 responses by attempting to read the user's email address from the NameId element rather than just the attributes. This behavior can be customized to only look for the NameId element or only look at attributes; see the updated documentation.
  • Add comment functionality to more finding events, such as finding rejected events after a review.
  • New parsers for output files of well-known tools, such as Tenable Nessus, have been added, and existing parsers have been updated.
  • You can now add Authorization: Bearer tokens to webhooks.
  • Made several performance tweaks for the report generation.
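The SAML2 change above describes three ways of resolving a user's email address: read the NameID when it carries the emailAddress format and fall back to the attributes, look only at the NameID, or look only at the attributes. The following Python is an added illustration of that resolution order, not Reporter's own code; the mode names, the attribute name "email", and the sample assertion are constructed for this example, and it assumes the SAML response's signature has already been verified before the assertion reaches this step.

```python
import xml.etree.ElementTree as ET

# Namespace and NameID format identifiers from the SAML 2.0 / 1.1 specifications
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion (not a real IdP response). The NameID and the
# "email" attribute deliberately differ so each mode's result is distinguishable.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice.attr@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion, but with an opaque persistent NameID instead of an email address
SAMPLE_PERSISTENT = (SAMPLE_ASSERTION
                     .replace(EMAIL_FORMAT, PERSISTENT_FORMAT)
                     .replace("alice@example.test", "_opaque_subject_123"))


def nameid_email(root):
    """Return the NameID value only when the IdP declared it as an email address."""
    el = root.find("saml:Subject/saml:NameID", NS)
    if el is None or el.get("Format") != EMAIL_FORMAT:
        return None
    value = (el.text or "").strip()
    return value or None


def attribute_email(root, attribute_name="email"):
    """Return the first non-empty value of the named attribute, if present."""
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        val = attr.find("saml:AttributeValue", NS)
        if val is not None and val.text and val.text.strip():
            return val.text.strip()
    return None


def resolve_email(assertion_xml, mode="nameid_then_attributes", attribute_name="email"):
    """Resolve the user's email from a (signature-verified) assertion.

    mode (hypothetical names for the three behaviours the release notes describe):
      nameid_then_attributes - prefer an emailAddress-format NameID, else attributes
      nameid_only            - accept only an emailAddress-format NameID
      attributes_only        - ignore the NameID and read the attribute
    Returns None when the chosen source does not carry a usable address.
    """
    root = ET.fromstring(assertion_xml)
    if mode == "nameid_only":
        return nameid_email(root)
    if mode == "attributes_only":
        return attribute_email(root, attribute_name)
    if mode == "nameid_then_attributes":
        return nameid_email(root) or attribute_email(root, attribute_name)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for xml_doc, label in ((SAMPLE_ASSERTION, "emailAddress NameID"), (SAMPLE_PERSISTENT, "persistent NameID")):
        for mode in ("nameid_then_attributes", "nameid_only", "attributes_only"):
            print(f"{label:22s} {mode:24s} -> {resolve_email(xml_doc, mode)}")
```

The NameID is only trusted as an email when its Format attribute says so; a persistent or transient identifier is never mistaken for an address, which is why the nameid_only mode returns None for the second sample while the default mode falls back to the attribute.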

Bug Fixes

  • Fixed missing language option in the evaluate new template suggestion form.
  • Fixed an issue where headers above h6 would crash PDF report compilation.
  • Fixed an issue where the 'reviewed at' timestamp was displayed incorrectly.
  • Fixed an issue that would sometimes incorrectly show an 'Unspecified' badge in the findings table on the report.

2024.03.29


API improvements

API availability for client users

The API is now accessible to client users, enabling automation of their assessment processes for improved efficiency.

To enable this feature, navigate to 'General Settings' from the main menu, proceed to the 'Functionality' tab, and under the 'Client Users' section, switch on 'Clients have API access'. Once activated, the API documentation becomes available to client users through the main menu for easy access.

API Wrapper update

The API wrapper has received a significant upgrade to include the latest endpoints to simplify your integration processes. It is now officially tagged as version 1.0 🎉. Using PyPI for distribution, we make it effortlessly simple for you to bring our wrapper into your projects: https://pypi.org/project/securityreporter/. For a deeper dive into what's new, swing by our GitHub page: https://github.com/dongit-org/python-reporter.

Future Integration: Zapier Support

Preparation is underway to introduce Zapier support, aimed at enhancing workflow integration capabilities with our platform.

Heads up! Breaking API changes

  • Uploading a document for a model now requires the API token to have write permissions for that model.
  • Downloading a document of a model now requires the API token to have read permissions for that model.

Private comments in assessment sections

For improved collaboration, it is now possible to add private comments to assessment sections. This functionality will be expanded in future releases to integrate fully into the assessment review flow.

Other Improvements

  • Finding metadata in reports is now fully customizable via the Theme Editor under the tab 'Metadata'.
  • Support for checkboxes (markdown task lists) has been added to the markdown editor. For more information, visit https://www.markdownguide.org/extended-syntax/#task-lists.
  • Document margins can now be adjusted within the Theme Editor for enhanced layout control.
  • Page numbering can now include total pages (e.g., '3 of 40') and can be configured in the Theme Editor. The format of the string is customizable through the translations feature to adopt different formats, such as 'Page 3/40'.
  • A 'Versions' button has been added to finding retests when there are at least two versions, facilitating easier navigation through version history.
  • Added a placeholder for the language of the report.
  • Adding an image to a markdown field now inserts [Caption_here] with an underscore, enabling double-click selection.

Bugfixes

  • Fixed several bugs related to the PDF report, such as:
    • Corrected scaling of colored severity circles in results tables to match font size.
    • Ensured check marks align properly with text in results tables.
    • Resolved full-width tables extending beyond the right margins.
    • Fixed fields not being prefilled as expected.
  • Corrected a glitch in the action plan table that previously resulted in an unnecessary empty line when titles or actions were on the verge of not fitting.
  • Fixed an issue where tagged users in assessment would not always receive an email notification.