Releases

2023.09.19

Upgrade Heads-up! Grab a coffee and sit back while you deploy this upgrade ☕ – this release will take a bit longer than usual due to database migrations. And as always, remember to create a backup before diving in.

Single Sign-on improvements

We have reworked the authentication logic to provide much more flexibility. Updated documentation is available to guide you through the new configuration options. The most notable changes are listed below.

Setting Renamed! To improve clarity, the environment variable GOOGLE2FA_ENABLED has been renamed to TOTP2FA_ENABLED. Please note that the former name is now deprecated and will not be supported in future releases.

Important: If you are using Google as an SSO provider and 2-factor authentication (2FA) is not enforced (MFA_ENFORCE is set to false), users may be unable to confirm their identity. We strongly recommend enforcing 2FA if you use Google SSO.

Authentication

  • Passwords are now optional. New users can immediately log in using their SSO provider.
  • Global deactivation of password usage is possible by configuring the environment variable: PASSWORD_LOGIN_ENABLED=false.

2-Factor Authentication

  • SAML2 and Graph (Microsoft Azure) SSO login methods can be configured to bypass Reporter's 2FA using the MFA_BYPASS_AFTER_SAML2=true and MFA_BYPASS_AFTER_GRAPH=true environment variables. This way you rely on the 2FA configuration of your SSO provider, so the second factor must be enforced there.
  • If 2FA is not enforced, users can now optionally enable 2FA. Users with 2FA enabled will be prompted for a code when they log in unless their login method is configured to bypass 2FA.

Identity confirmation

Identity confirmation has been reworked for improved flexibility and security. You can now use either your 2FA or SSO provider for identity verification. For a deeper dive into the specific authentication methods, please check the updated documentation.
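The settings above interact: a deprecated variable name, an unenforced second factor combined with Google SSO, and a bypass flag that hands 2FA over to the identity provider. The script below is an added example (not part of Reporter or of these release notes) that parses a .env-style text and flags those combinations before an upgrade. The sample .env is constructed, the list of SSO providers in use is passed in explicitly because the release notes do not say which keys enable each provider, and the defaults used for unset keys (MFA_ENFORCE treated as not enforced, PASSWORD_LOGIN_ENABLED treated as enabled) are assumptions, not documented Reporter behaviour.

```python
"""Audit the Reporter SSO / 2FA environment settings from the 2023.09.19 release.

Added example, not Reporter code. It only parses a .env-style text and applies
the rules stated in the release notes; defaults for unset keys and the provider
names given to audit() are assumptions.
"""

TRUE_VALUES = {"1", "true", "yes", "on"}

# Constructed sample .env for demonstration only (not from a real deployment).
SAMPLE_ENV = """\
APP_ENV=production
GOOGLE2FA_ENABLED=true
MFA_ENFORCE=false
PASSWORD_LOGIN_ENABLED=true
MFA_BYPASS_AFTER_SAML2=true
"""


def parse_env(text):
    """Parse KEY=VALUE lines into a dict; blank and comment lines are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def is_true(env, key, default=False):
    """Interpret a boolean env value; `default` applies when the key is unset."""
    value = env.get(key)
    if value is None:
        return default
    return value.lower() in TRUE_VALUES


def audit(env, providers=()):
    """Return a list of warnings about the SSO / 2FA settings.

    `providers` lists the SSO providers in use ("google", "saml2", "graph").
    It is passed explicitly because the release notes do not say which env
    keys enable each provider (assumption of this example).
    """
    warnings = []

    # Deprecated name: GOOGLE2FA_ENABLED was renamed to TOTP2FA_ENABLED.
    if "GOOGLE2FA_ENABLED" in env:
        warnings.append("GOOGLE2FA_ENABLED is deprecated; rename it to TOTP2FA_ENABLED")
        if "TOTP2FA_ENABLED" in env and is_true(env, "TOTP2FA_ENABLED") != is_true(env, "GOOGLE2FA_ENABLED"):
            warnings.append("GOOGLE2FA_ENABLED and TOTP2FA_ENABLED disagree; drop the old key")

    # Assumption: an unset MFA_ENFORCE is treated as not enforced.
    mfa_enforced = is_true(env, "MFA_ENFORCE", default=False)
    if "google" in providers and not mfa_enforced:
        warnings.append("Google SSO with MFA_ENFORCE=false: users may be unable to confirm "
                        "their identity; set MFA_ENFORCE=true")

    # A bypass moves the second factor to the identity provider; it must be enforced there.
    for provider, key in (("saml2", "MFA_BYPASS_AFTER_SAML2"), ("graph", "MFA_BYPASS_AFTER_GRAPH")):
        if is_true(env, key):
            warnings.append(f"{key}=true: Reporter's own 2FA is skipped for {provider} logins; "
                            "confirm the identity provider enforces MFA")
            if provider not in providers:
                warnings.append(f"{key}=true but {provider} is not listed as a provider in use")

    # Assumption: password login defaults to enabled when the key is unset.
    if providers and is_true(env, "PASSWORD_LOGIN_ENABLED", default=True):
        warnings.append("SSO is in use but password login is still enabled; "
                        "consider PASSWORD_LOGIN_ENABLED=false")

    return warnings


if __name__ == "__main__":
    for line in audit(parse_env(SAMPLE_ENV), providers=("google", "saml2")):
        print("WARNING:", line)
```

Run it against the real file with `audit(parse_env(open(".env").read()), providers=(...))` before deploying the upgrade; an empty list means none of the combinations called out in this release apply.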

Broadly usable snippets

  • Snippets can now be used in all markdown fields throughout Reporter.
  • Snippets used in templates are converted when the template is applied.
  • Researchers can now also manage snippets.
  • Users can only edit snippets used in templates if they have permission to edit the template.
  • Snippets now have versioning for tracking modifications.

Review Improvements

When a researcher makes a change to an already reviewed (published) finding in an active assessment, its status will revert to 'Under Review' unless the researcher also has review permissions.

Users lacking review permissions cannot edit findings or retests in finalized assessments.

Improvements

  • Assessment tagging functionality has been added.
  • Added a REDIS_SCHEME configuration option so you can connect to remote Redis clusters over TLS.
  • Added markdown placeholders for the start and end date of the assessment.
  • Added markdown placeholder for findings count (total or filtered by status or severity).
  • Added date format option to the 'started-on' component.
  • The clients overview page now displays 52 items on a page instead of 50, filling all rows.
  • Added a references field for findings. This field was already present in the finding templates.
  • On the finding detail page, if fields such as 'risk' are empty, they will not be displayed to users without editing permissions.
  • Log whether activities were triggered via the API.
  • Log whether activities were triggered by an impersonated user.
  • For consistency in API behavior, all line endings are now converted to \r\n.

Bugfixes

  • Resolved an issue preventing editing of resolved retests.
  • Fixed a bug where the custom deadline field was hidden when creating a task in a continuous assessment.
  • Fixed a bug where task titles and descriptions were shown incorrectly in the edit form.
  • Fixed a bug where the 'Add task' button was disabled on certain pages.
  • Resolved an issue on the API token page where selecting any ability radio button incorrectly defaulted to the first option.
  • Fixed an issue where roles could not be renamed.
  • Admins can now download management reports when they are not available to clients.
  • Tooltips for unavailable management reports now correctly state why they are unavailable.
  • Fixed a bug where swapping the researcher panel version (full vs. management view) didn't work as expected.
  • Resolved an issue preventing the unsetting of VRT classifications.
  • Fixed a bug where empty markdown fields with documents were not displayed.
  • Fixed an issue where attempting to retrieve a file using the API with an invalid token resulted in a redirect response to the login page.
  • Fixed incorrect timestamps on the user index page.

2023.08.03

New API functionality for comments

  • The API now supports creation, modification, and retrieval of assessment comments, finding comments, finding retest requests, and finding retests.
  • You can reply to finding comments, assessment comments, finding retest requests, and finding retests.
  • You can retrieve these events as an include with a finding or assessment.
  • Replies to comments can be retrieved as an include from corresponding comments, retests, etc. For example, you can GET a finding and include comments.replies.

Improvements

  • Caution tags are now also rendered in the PDF report making it consistent with the online report.
  • Updated CWE classifications to v4.12.
  • The output file parsers have been updated for improved performance and data extraction.
  • When encountering errors during output file parsing, error messages now provide more detailed context to facilitate troubleshooting.

Bugfixes

  • Resolved an issue preventing the retrieval of PDF reports via the API.
  • Fixed an issue where the 'Highest Risk' badge in CVSS assessments sometimes showed the highest category, but not the highest score.
  • Fixed a bug where resolved retests could not be set back to unresolved.
  • Fixed a bug where the 'General activity' link was not functioning correctly on the activities page.
  • Fixed an issue where provisional events in the schedule had no associated users.
  • Fixed an issue where assessment sections could not be emptied by editing them in the online report.
  • Fixed an issue where the status of a retest was not shown in the researcher panel.
  • Fixed an issue where caution tags, @tags and component tags were sometimes rendered incorrectly.
  • Fixed a crash when evaluating findings suggested as new templates if the finding has resolvers.
  • Fixed an issue where users were notified twice if output file parsing failed.
  • Fixed a rare exception when deleting an assessment.
  • Addressed a rendering issue for long words with Unicode characters in the PDF reports.
  • Fixed an issue where the next_deadline field was sometimes set incorrectly.

2023.06.06

Improvements

  • Retrieve PDF reports via the API.
  • The maximum height of images in PDF reports has been increased to match the size of the page, providing better visual representation.
  • Importing findings from previous assessments has been improved for better clarity.
  • Error messages have been clarified when uploading files with incorrect mime types.
  • Breaking of words in the PDF report has been improved to prevent code blocks from overflowing.

Fixes

  • Fixed defaults for the 'by'-parameter of the 'results table' component.
  • Fixed the icon position in document components within the online report.
  • Resolved a bug where users were not receiving notifications when the parsing of an output file failed.
  • Fixed an unexploitable open redirect issue.
  • Fixed an issue where the API returned empty classifications as [] instead of {}.

2023.05.23

Schedule Export

This new feature lets you conveniently move your Reporter schedule events into your go-to applications or calendars, including Google Calendar and Microsoft Outlook.

To get started:

  1. Navigate to the Schedule page in your Reporter account.
  2. Click on the Export Schedule button.

Refer to our updated documentation for more information about this new feature.

Bugfixes

  • Fixed a rare issue that could cause "This is what you missed on <assessment>"-emails to be sent multiple times or not at all.
  • Inline code blocks have been optimized to prevent running off the page. They now automatically continue onto the next line for better readability. 
  • Corrected a problem with very long inline code sections disrupting PDF compilation. This issue is now fully resolved.
  • Addressed an issue where deleting a document could delete all copies of that document. For example, removing a screenshot from a finding would also remove it from that finding's versions.
  • Fixed a rendering problem where embedded images in SVG files were not displaying correctly in PDFs. 
  • Fixed the "Add User" button on the client page.

2023.05.08

Finding Template Tags 

You can now add tags to finding templates making it easier for you to categorize and organize your templates.

  • Tags are not case-sensitive.
  • You can filter by tag in the app and the API.
  • Tags are automatically created when you add them to a template.
  • Manage tags (index, create, edit, and delete) via Settings > Tags.
  • Tags are remembered in finding template versions, even if they are subsequently deleted or renamed.
  • Reverting a version of a template will recreate deleted tags and attach the updated version of existing tags.

Code Block Customization 

New customization options for code blocks in reports have been introduced, including:

  • All colors used in syntax highlighting.
  • Bold and italic settings for each syntax highlighting token.
  • The color of the box.
  • The color of the highlighting marker.

To access these customization options, navigate to Settings > Report Themes > {your theme} > Syntax highlighting. In addition, we have included several pre-designed syntax highlighting color schemes that you can apply with just one click.

Report Back Page

You can now add a back page to the reports. To set a background image for the back page, go to Settings > Report Themes > {your theme} > Backgrounds, and you can add content for it by creating text boxes under Settings > Report Text Boxes.

A back page will only be displayed if it contains content or a background image.

Improvements

  • The caption of the findings table component now includes information about the ordering, providing more context and clarity.
  • Users are now sorted by their full name by default.
  • API: filters now match exact values, except for arrays, objects, and certain text fields.

Bugfixes

  • Fixed a bug that caused struck-out "Unspecified" badges to appear on unpublished findings in online reports and draft PDF reports.
  • Fixed several sorting issues in the Findings Table component:
    • CVSS findings are now sorted correctly by severity.
    • Non-vulnerable findings now appear last when sorting by status.
    • Resolved findings are no longer sorted last when sorting by severity.
  • API: Fixed an issue where empty classifications were returned as [] instead of {}.