Releases

2024.12.17


This is a security and bugfix release. We recommend updating as soon as possible.

Security

A security issue related to the reauthentication process has been resolved.

Bug Fixes

We have fixed various issues relating to the new custom fields feature. Thanks to everyone who submitted feedback and reported bugs.

  • Fixed an issue where the names of finding fields (e.g., "Description") were not translatable. If you installed 2024.11.26 and are using multiple languages, please retranslate these field names.
  • Fixed an issue where custom field labels were not translated in reports.
  • Fixed an issue where creating webhooks from Zapier did not work.
  • Fixed an issue where custom select and multi-select fields broke if more than one was present on the same form.
  • Fixed an issue where suggesting a finding as a translation for a finding template did not work.
  • Fixed an issue where the original severity of a finding was not struck through in the online report.
  • Fixed a bug where the header of a table was sometimes repeated on the next page, even after the caption.
  • Fixed a front-end error that occurred after editing a finding on the review page.

Improvements and Enhancements

  • Account managers now have limited access to all clients so that they can list every client's name. This addresses the problem of account managers unintentionally creating duplicate clients because they could not see that a client already existed. Note that this widens what an account manager can see; if client names are themselves confidential in your deployment, review role assignments after upgrading.
  • Added placeholders for additional dates from the initial assessment phase.
  • Added a toggle to hide other assessments in the frequent assessment quick bar.

2024.11.26


Introducing Custom Fields and Finding Layouts

Designed to put flexibility and control at your fingertips. Add highly customizable fields to users, clients, assessments, and findings, and tailor the layout of findings to your exact needs. Custom fields can also drive integrations with external services; see our blog for an example integration with GitHub that combines custom fields, webhooks, and the Reporter API.

Custom fields can be added to findings, assessments, clients, and users:

[Screenshot: Custom fields]

For example, add an "About me" field to user profiles:

Create Fields of Any Type: From simple text and number fields to specialized options like email, URL, markdown, and multiselect, you can build forms that precisely reflect your requirements.

Customize Every Aspect of a Custom Field: Customize the label, API name, and tooltip of each custom field. Set up validation rules to enforce data consistency, mark fields as required, and apply type-specific settings for an optimized data entry experience.

Custom Field Translation: Custom field labels and tooltips can be translated. When a custom field appears in a pentest report, the translation matching the report's language is used automatically, so clients in different locales get a localized report without extra work.

API Integration: Access and manage custom fields through the API, just like any standard field. Retrieve and update custom field data effortlessly, integrating it directly into your workflows.

Customize Finding Layouts: Take full control over your findings by customizing which fields are visible, setting conditions for when they appear, and adjusting their display format. Define the order and structure to create clear, organized layouts that align with your reporting needs, ensuring every assessment is presented exactly as intended.

New report component: charts

It is now possible to insert charts with finding statistics into your reports. These charts are generated automatically from the status of your findings. Simply insert the chart component in your preferred location, and Reporter takes care of the technical details when it generates the report. The look of these charts can be fully customized in the theme editor.

Other improvements

  • Added a new option that allows findings to be shown as headers in the table of contents.
  • Theme options were added for centering narrow tables and figures on the report page.
  • When holding Ctrl to select multiple items in a multiselect form element, the scroll wheel now scrolls down the list of options, instead of zooming in or out.
  • HTML IDs and classes were added to analytics chart and table blocks, so that they can be targeted with custom CSS.
  • Tagged sections are now rendered as the name of the section in plain text if the section is not on the current report (just like findings).
  • Page number columns in the findings and action plan tables are now automatically hidden when rendering a management report.
  • The CWE list was updated to the latest version.

Bug Fixes

  • Re-added the upload button that went missing on the font page.
  • In translated reports the correct translation of the word "Table" is now used in all captions.
  • Fixed a bug where publishing a finding and changing its severity in the same request set the wrong original severity if the finding had been published before.
  • The original severity is no longer reset when a finding is published again.
  • Clicking links in the Table of Contents in the online report no longer reloads the page.
  • Fixed some minor bugs in the (multi)select component.
  • The assessment templates edit page now loads with the correct language for the sections.
  • Inline code no longer overlaps with surrounding text in the Markdown editor.
  • Used the correct font for inline code in image and table captions in the HTML report.
  • Made margins in the side-by-side view of the markdown editor look more consistent.
  • Malformed shortcode components in Markdown fields are handled better so that they don't cause report compilation to fail.
  • Another report compilation issue that happened when captions or copy tags contained shortcode components was resolved.
  • A visual bug was fixed where inline editing target credentials would cause the contents to float right.
  • A bug was fixed where the application logo and custom stylesheet would sometimes be deleted when submitting changes to the application settings.
  • When assessing a finding template suggestion, the tags are now copied correctly.
  • When uploading an invalid file the proper error message is now displayed.
  • The action plan inputs are no longer disabled when creating a new finding template suggestion.
  • After adding a file to the file upload component and clicking the "Undo" button, the file is no longer uploaded in some cases when submitting the form.

2024.10.19


Updated API endpoint for listing finding events

Breaking change!

The API endpoint for listing finding events has been changed to make it consistent with the other index routes. The old per-finding route /api/v1/findings/{finding_id}/finding-events has been replaced by the index route /api/v1/finding-events.

Bug fix: the old endpoint did not filter by the finding ID in its path, so it may have returned events that do not belong to the requested finding. The new endpoint and its filter parameter resolve this. To get all finding events associated with a particular finding, call the new endpoint with a filter parameter:

GET /api/v1/finding-events?filter[finding_id]={finding_id}

Integrations that still call the old route should be updated, and any event data they collected from it should be checked against the finding ID on the events themselves rather than the URL they were fetched from.
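A small client-side helper for this migration, added here as an example and not taken from the release notes or from the vendor's python-reporter wrapper: it builds the new URL, rewrites a legacy per-finding URL to it, and re-checks that returned events actually belong to the requested finding. It assumes a list response shaped as a JSON object with a "data" array of event objects, each carrying a "finding_id" attribute; both the response shape and that attribute name are assumptions, and the sample response is constructed.

```python
"""Client-side helper for the finding-events endpoint change in 2024.10.19.

Added example; it is not code from the release notes or from the vendor's
python-reporter wrapper. Assumptions (not stated on the page): the list
response is a JSON object with a "data" array of event objects, and each
event object carries a "finding_id" attribute.
"""
import re
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Old per-finding route, optionally behind a path prefix (e.g. a reverse proxy).
LEGACY_PATH = re.compile(
    r"^(?P<prefix>.*?)/api/v1/findings/(?P<finding_id>[^/]+)/finding-events/?$"
)


def finding_events_url(base_url: str, finding_id) -> str:
    """Build the new index-route URL with the filter[finding_id] parameter."""
    # safe="[]" keeps the bracket filter syntax from the release notes readable.
    query = urlencode({"filter[finding_id]": finding_id}, safe="[]")
    return f"{base_url.rstrip('/')}/api/v1/finding-events?{query}"


def rewrite_legacy_url(url: str) -> Optional[str]:
    """Rewrite a pre-2024.10.19 URL to the new route; None if it is not a legacy URL."""
    parts = urlsplit(url)
    match = LEGACY_PATH.match(parts.path)
    if match is None:
        return None
    base = f"{parts.scheme}://{parts.netloc}{match.group('prefix')}"
    return finding_events_url(base, match.group("finding_id"))


def events_for_finding(payload: dict, finding_id) -> list:
    """Keep only events whose finding_id matches.

    The old endpoint ignored the finding ID in its path, so data fetched
    through it may contain events of other findings. Checking ownership on
    the event itself, not on the URL it came from, catches that.
    """
    wanted = str(finding_id)
    return [e for e in payload.get("data", []) if str(e.get("finding_id")) == wanted]


# Constructed sample response; field names are assumptions (see module docstring).
SAMPLE_RESPONSE = {
    "data": [
        {"id": 1, "finding_id": 42, "type": "status_changed"},
        {"id": 2, "finding_id": 43, "type": "status_changed"},
        {"id": 3, "finding_id": 42, "type": "severity_changed"},
    ]
}


if __name__ == "__main__":
    old = "https://reporter.example.com/api/v1/findings/42/finding-events"
    print(rewrite_legacy_url(old))
    print([e["id"] for e in events_for_finding(SAMPLE_RESPONSE, 42)])
```

The rewrite keeps any path prefix in front of /api/v1 so it also works for instances served behind a reverse proxy; the ownership check is worth keeping even after switching to the new route, since it costs nothing and catches any cached data that was fetched through the old, unfiltered endpoint.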

Webhook improvements

  • Conditional Webhooks: You can now set conditions for each webhook using JMESPath syntax to determine whether it should be triggered, giving you more control over webhook execution.
  • Assessment Completed Webhook: A new webhook has been added that triggers when an assessment is set to a completed state ('Completed' or 'Retest Completed'), allowing you to automate actions based on assessment completion.

New global user roles

Introduced new global user roles: 'Assessment Template Manager', 'Finding Template Manager', and 'Assessment Theme Manager':

  • These roles are generally assigned alongside other roles like Researcher, Account manager, or Project admin.
  • They can also be stand-alone roles for users needing limited access, such as theme designers without assessment access.

Limitations:

  • Finding Template Managers cannot see suggestions for finding templates if they don't have access to the findings they are based on.
  • Assessment Theme Managers cannot mass migrate assessments to a new theme unless they also have admin or project admin permissions.

Other improvements

  • The Python API wrapper has received several updates; see https://github.com/dongit-org/python-reporter for details. 
  • Added support for Microsoft Graph mail.
  • Pipedream now offers integration with Security Reporter; see https://pipedream.com/apps/security-reporter for details.
  • Added tagging functionality to clients; only account managers, project admins, and admins can see and filter by tags.
  • The snippets feature has been enhanced with several updates: the index page now includes table hover effects, filtering, and sorting options; the insertion modal has been reformatted; tag functionality has been added for better organization; and snippets can now be inserted into other snippets.
  • Introduced a new assessment setting to disable retesting functionality.
  • Added a setting that controls whether assessment sections whose subsections have the 'can have findings' setting enabled appear in the results table.
  • Updated the notification system to ensure that all associated users receive timely alerts whenever an assessment is rescheduled.
  • Added the ability to sort finding templates by weight via the API.
  • Activity related to assessment and finding templates is now logged and accessible via the activity page.
  • Added a placeholder for the 'completed at date' of the initial assessment phase.
  • Added a global setting for password-protecting report PDFs. This setting can be enabled under 'Settings > General > Miscellaneous > Generate a password for PDF Reports'. The protection only holds if the password reaches the recipient over a channel separate from the one used to deliver the PDF.

Bug Fixes

  • Fixed an issue where caution tags in references were ignored.
  • Ensured client changes to shared information are recognized as a new version.
  • Resolved a problem where linking many potential findings to a finding did not work.
  • Referenced findings not present in the report are now rendered as plain text instead of links, allowing references to findings in the management summary even if they are not included.
  • Fixed an error on the user view page that occurred if the current user didn't have a timezone set.
  • Fixed a redirect issue when changing the status of a finding retest through the inline edit functionality.
  • Resolved a 403 (Forbidden) error when using the Finding Templates Create API function, ensuring API keys with the correct permissions work as intended.
  • Improved the assessment sections API update: researchers now receive clear validation errors when attempting to modify unauthorized fields, and fixed a bug preventing admins from setting a published review status via the API.
  • Fixed the 'Copy to Clipboard' button not updating correctly after saving an inline edit.
  • Restored the 'Submit for Review' button for assessment sections that required revisions.
  • Fixed a bug in the inline editor of the HTML report that occasionally prevented the editor from being locked.
  • Fixed a validation error on the vulnerability field when updating a finding with the status 'Retest Pending'.

2024.09.10


Improvements

  • The action plan now has the 'Urgent' priority level and the 'Very Complex' complexity option, which provides a more precise categorization of critical and challenging tasks.

Bug Fixes

  • Resolved an issue that prevented proper rendering of finding references in the PDF report.
  • Fixed a rare migration error that occurred when a bold font was missing in one of the report themes.
  • Removed the assessment template name from the breadcrumb path on the assessment section page.
  • Fixed a bug on the finding details page where the status wasn't updated when a researcher updated the finding using the inline editor.

2024.09.06


Audit functionalities

A new ISO 27001:2022 assessment template is now available, providing a standardized approach to compliance evaluations. We've also introduced a new audit scoring system with the categories Compliant, Opportunity for Improvement, Minor Non-Conformity, Major Non-Conformity, and Not Applicable. Additionally, a new audit scoring table component offers a clear overview of the number of findings for each score category:

[Screenshot: Reporter audit table component]

You can add the new ISO 27001 template using the 'Clone default template' button on the 'Assessment Templates' page.

Improvements

  • PDF Report Tables: Table headings now automatically repeat on every page when a table spans multiple pages, enhancing readability. This default behavior can be disabled if needed.
  • Referenced Findings: Added severity circles wherever findings are referenced in markdown fields using the # key to link to other findings.
  • Webhooks: Webhooks now support OAuth2 connections.
  • CVSS Metrics Linking: CVSS metrics in PDF and online reports are now linked to the CVSS calculator built into Reporter. It is also possible to link to the FIRST.org CVSS calculator instead or disable links altogether. This can be configured in the settings of a Reporter theme under the 'Miscellaneous' tab.
  • Finding Section Titles: You can now configure the titles of finding sections independently from the headings in the report theme configuration.
  • Notification documentation: Added new documentation detailing when notifications are sent and the specific types of notifications that are triggered.
  • Activity Storage Retention: Added documentation on the ACTIVITY_LIFETIME environment variable, which determines how long the activity trail is retained.
  • Targets Placeholder: Added a targets placeholder that, when rendered, displays a list of the assessment targets.
  • Code Blocks: Added a copy button that appears when hovering over code blocks for easier copying of code snippets.
  • Results Table Component: Sections that cannot have findings now appear in the results table if they contain child sections that can have findings.
  • Action Plan and Findings Table Component: A new option is available to remove page numbers from the action plan and findings table components.
  • Block Quote Styling: Added a gray border to the left side of block quotes in the PDF report. The color of this border can now be customized.
  • Snippet Insertion Modal: The snippet insertion modal has been improved to include a rendered preview, allowing you to view the snippet before adding it.
  • Snippets Management Page: Enhanced the snippets management page with new sorting, searching, and tagging functionalities. Tags can be created under 'Settings > Tags'.
  • PDF Metadata: PDF metadata is now customizable, allowing for tailored document information.
  • Tool Output Parser: Updated and improved several tool output parsers, including enhancements to the NMAP parser.
  • Status Report: New checks have been added for WebSocket connectivity.

Bugfixes

  • Resolved an issue where text dragging in the markdown editor had stopped working.
  • Corrected a problem where the wrong status was set when requesting a section revision.
  • Improved the rendering of components in markdown tables.
  • Fixed an issue where the background line in the HTML report sometimes overlapped text in Chromium-based browsers.
  • Added missing section M4 to the OWASP Mobile Top 10 assessment template.
  • Updated the NCSC guidelines assessment template so that all sections at the deepest level now require findings.
  • Fixed an exception in assessment versions when no classification system was enabled for one of the versions.
  • Resolved an exception that occurred when adding a translation to an assessment template with no sections.
  • Fixed a bug where the first page would always load when reviewing items via the review page.
  • Corrected a bug where users tagged in a comment were emailed again when the comment was converted to a retest inquiry.
  • Fixed the theme watermark transparency setting, ensuring that 0 is now opaque and 1 is fully transparent.
  • Resolved an issue where snippets containing Unicode characters were not replaced correctly in the preview.
  • Fixed an issue with rendering the findings table component outside of the assessment context.
  • Optimized data loading when indexing potential findings and added an environment setting for chunk size.
  • Fixed an exception on the finding templates index page when rendering templates that are not vulnerabilities.
  • Improved the speed of assessment creation based on large assessment templates.
  • Fixed form locking issues in assessment section templates when handling different translations.
  • Resolved an issue where category names in the results table (rendered in the PDF) were not properly linked to their corresponding categories.
  • Fixed a date formatting issue for translated reports.