Releases

API Improvements

• Paginated responses now include total and last_page attributes.
• Fixed an issue where many booleans were returned as 0 and 1 instead of true and false.
• API routes now return empty objects ({}) instead of empty arrays ([]) for fields that contain objects.
• The API will return a 403 error if you request an include that your token does not have access to. It still returns a 400 error for invalid includes.
• Date and datetime fields can now be filtered with {fieldname}_before and {fieldname}_after. The exact filters for datetime fields have been removed. See the new section on timestamps in the API documentation.
• Assessment-related objects, such as findings, can now be filtered by client_id.

Features

• Multiple potential findings can now be linked to a finding at once.
• Multiple potential targets can now be linked to a target at once.
• Themes are no longer attached to Assessment Templates. Instead, you can select a theme when you create an assessment.
• A theme can now be set as the default theme for new assessments. The default theme is preselected and used when a theme is not specified while creating assessments through the API.
• The front page text can be set to uppercase for each item under Settings > Report Text Boxes > Contents.
• You can now select/deselect all assessments when importing findings from previous assessments.
• Tasks to answer client comments are now automatically completed when you unprivate a comment on that finding.
• There are now separate toggles for showing the Table of Contents for the management report and the full report.

Bug Fixes

• Fixed an issue where [mark] tags would cause PDF reports to generate much slower than expected.
• Fixed a bug where the automatic daily backups were not performed. The value of the env variable DAILY_BACKUP_ENABLED was ignored in previous versions.
• Fixed a spacing issue in the PDF version of the "started-on" component.
• Fixed an issue where the page to change your 2FA credentials could be opened when 2FA was disabled.
• Fixed an issue where pasting content copied from OneNote into a markdown editor would paste the text and upload a screenshot.
• Fixed a bug where the button to create custom assessment roles was missing.
• Fixed a bug where resolved findings had the wrong severity color in the results table in the PDF report.
• Fixed a bug where resolved findings in the results table did not display their targets if they only had one.
• The findings table components in the portal and the HTML report no longer wrap the number, status, and severity columns.

Report component options

We have added two new options to the report components:

• You can now hide the short (numeric) IDs in the results table component
• You can now hide the short (numeric) ID column in the findings table component

To use these options, you will need to re-add the components.

The results table displayed on the 'Findings tab' of an assessment can be configured via 'Edit Assessment > Display (tab)', and defaults can be set in 'Settings > General > Assessment Defaults (tab)'.

Improvements

• The compilation speed of PDF reports for assessments containing many code blocks has been greatly improved.
• We have implemented a new feature that logs authentication attempts as activity. This includes information such as the authentication method, 2FA attempts, and IP address. You can view these activities on the activities page or retrieve them using the API.
• Logged activities can now be filtered by one or more 'activity categories'. This filter is also available via the API (see API docs).
• Tagged assessment sections displayed in the portal now link to the online report (if available).
• Placeholder, badge, and icon report components are now available in more places, such as in findings and comments.
• We've added a new 'Smart' option to the 'Start sections on new page' setting in Report Themes. With this option, a page break will be added after any non-empty assessment section. The existing 'Smart' option has been renamed to 'Smart (up to H2)', bringing it in line with the documentation and clarifying that it only affects the first two heading levels.
• New settings have been added to the 'Report Themes':
  • Render PDF images as links: whether images included in markdown fields should be rendered as clickable links in the PDF report. These links allow the reader to view images in full-size via the browser for more details. We recommend disabling this option if you create PDF reports for clients that do not have access to the assessment in Reporter.
  • New page before findings: whether to insert a page break between a section's description and the first finding in the section.
• The CWE and CAPEC classifications have been updated to their latest versions. To ensure you are always working with the most current version, each new Reporter release will contain the latest available version of these classification systems.
• Assessments on the dashboard can now be filtered:
  • All: display all assessments you have access to.
  • Member (admin only): display all assessments where you are a team member.
  • Assigned: display assessments where you are assigned to the current assessment phase. 
• To ensure consistency between the online and PDF reports, we have increased the margins above and below markdown lists in PDF reports.

Bug Fixes

• Fixed an issue where adding multiple components or caution tags on the same line would cause some text or components to be rendered multiple times.
• Fixed an issue where mark tags within mark tags would cause text to be rendered multiple times.
• Fixed an issue where admins received 'Retest Performed' notifications.
• Fixed a crash when exporting findings as CSV for assessments with the 'Severity Only' scoring system.
• Fixed an issue where in-app notifications did not specify that you were tagged in comments, retests, etc.
• Fixed a bug where the 'badge highest risk'-component did not render inline.
• Fixed a bug where adding a newline after the 'badge highest risk'-component caused report compilation to fail.
• Fixed a crash when opening a finding as an admin in assessments where findings are restricted to resolvers.
• Fixed a bug where the 'scope' component in assessments without targets would cause report compilation to fail.
• Fixed a bug that prevented the deletion of client logos, avatars, and theme documents.

Add the client's logo to the report

You can now add the client's company logo to the report using text box items. You can set a maximum height and width, and the logo will automatically scale to fit.

Convert comments to retest requests

You can now convert a finding comment from a client into a retest request if a client accidentally submits a comment that was intended to be a request for a retest.

Improvements

• The loading of the researcher panel has been optimized.
• The form to request the deletion of an assessment has been improved to emphasize the fact that data will be permanently deleted.
• Closing a real-time notification is now instantly synced with other open Reporter tabs.
• If the description, risk, recommendation, or proof field of a finding is empty, the name of that field no longer appears in the PDF report, making it consistent with the online report.

Bugfixes

• Fixed some issues that could cause the PDF report compilation to fail.
• Fixed an issue where the review events of a retest did not appear as children of the retest.
• Fixed a bug where severity badges in retests did not display correctly in online reports.
• Fixed an issue where pasting binary payloads as text blocks would crash the PDF report compilation. We recommend attaching binary payloads as an attachment. In a future release, we will guide researchers to do so by optimizing the UI.

Features

• The researcher panel's state (filter and expanded/collapsed sections) is instantly synced between tabs.

Bug Fixes

• The 'Hide finding metadata' and 'Hide finding links' options did not work in the HTML report.
• Report compilation would fail if multiple (document) component tags were added in the markdown without spaces.
• Long titles in findings sometimes overlapped with buttons on the finding show page.
• The Report Text Boxes index listed unselectable themes.
• The 'download PDF report'-buttons sometimes displayed incorrect timestamps.
• The management report button was sometimes clickable when the management report was not accessible, resulting in a 'Forbidden' response.
• Fixed several bugs that were not visible to users.

Note this update may take a little longer to complete than usual. Grab a ☕, and enjoy this last update of 2022 🍾

Timezones

Users can now configure their timezone. The user's timezone will be automatically set when the user first logs in after this update and can be changed from the user's profile. Users will see timestamps according to their local time, except in generated files such as PDF reports. Generated files use the application's timezone.

The application timezone can be configured via the Settings > General > Functionality page.

Reports

Any timestamps on reports, such as those in finding metadata and the generated_at placeholder you may have on the front page, are reported in the application's timezone. If you want to display the current timezone on the report, there are two options:

• If you have a generated_at timestamp on the front page of the report, we recommend adding the timezone to the format string. Either T for timezone or O for the difference to GMT. See https://www.php.net/manual/en/datetime.format.php under timezones for more options. See Settings > Report Text Boxes. For example, you can change the default [[GENERATED_AT|Y-m-d H:i:s]] to [[GENERATED_AT|Y-m-d H:i:s T]] to add your timezone at the end.
• Alternatively, you can use a placeholder component in an assessment section to add the timezone elsewhere in the report. Either by name (e.g., CET) or by difference to GMT (e.g., +0100). Use the + button when editing a section, select Placeholder and choose one of the timezone options.

API Changes

• All timestamps returned by the API are now in an ISO8601-compatible format, e.g., 2022-12-18T16:47:56.000000Z.
• Any timestamps posted to the API now expect an ISO8601-compatible format (currently only found_at).

Improvements

• More context about each finding is now displayed when importing findings from previous assessments, including the finding's status, severity, and the original assessment section.
• The severity legend is now also shown in the findings tab on the assessment page.