Releases

API improvements

 
API availability for client users

The API is now accessible to client users, enabling automation of their assessment processes for improved efficiency. 

To enable this feature, navigate to 'General Settings' from the main menu, proceed to the 'Functionality' tab, and under the 'Client Users' section, switch on 'Clients have API access'. Once activated, the API documentation becomes available to client users through the main menu for easy access.

API Wrapper update

The API wrapper has received a significant upgrade to include the latest endpoints to simplify your integration processes. It is now officially tagged as version 1.0 🎉. Using PyPI for distribution, we make it effortlessly simple for you to bring our wrapper into your projects: https://pypi.org/project/securityreporter/. For a deeper dive into what's new, swing by our GitHub page: https://github.com/dongit-org/python-reporter.

Future Integration: Zapier Support

Preparation is underway to introduce Zapier support, aimed at enhancing workflow integration capabilities with our platform.

Heads up! Breaking API changes

• Uploading a document for a model now requires the API token to have write permissions for that model.
• Downloading a document of a model now requires the API token to have read permissions for that model.

Private comments in assessment sections

For improved collaboration, it is now possible to add private comments to assessment sections. This functionality will be expanded in future releases to integrate fully into the assessment review flow.

Other Improvements

• Finding metadata in reports is now fully customizable via the Theme Editor under the tab 'Metadata'.
• Support for checkboxes (markdown task lists) has been added to the markdown editor. For more information, visit https://www.markdownguide.org/extended-syntax/#task-lists.
• Document margins can now be adjusted within the Theme Editor for enhanced layout control.
• Page numbering can now include total pages (e.g., '3 of 40') and can be configured in the Theme Editor. The format of the string is customizable through the translations feature to adopt different formats, such as 'Page 3/40'.
• A 'Versions' button has been added to finding retests when there are at least two versions, facilitating easier navigation through version history.
• Added a placeholder for the language of the report.
• Adding an image to a markdown field now inserts  [Caption_here] with an underscore, enabling double-click selection.

Bugfixes

• Fixed several bugs related to the PDF report, such as:
  • Corrected scaling of colored severity circles in results tables to match font size.
  • Ensured check marks align properly with text in results tables.
  • Resolved full-width tables extending beyond the right margins.
  • Fixed fields not being prefilled as expected.
• Corrected a glitch in the action plan table that previously resulted in an unnecessary empty line when titles or actions were on the verge of not fitting.
• Fixed an issue where tagged users in assessment would not always receive an email notification.

Upgrade Heads-up! Grab a coffee and sit back while you deploy this upgrade ☕ – this release will take a bit longer than usual due to database migrations. And as always, remember to create a backup before diving in.

Frequent assessment tabs

Your go-to assessments are now even more accessible! We've introduced a new feature that places your most frequently visited assessments at the top of the screen for quick navigation. For even faster access:

• Pin your favorites: Simply hover over a tab to pin assessments you frequently use.
• Discover more: Click the dropdown icon on any frequent assessment tab to view additional information and insights.

Display of findings with many targets

To enhance clarity and reduce clutter in areas of the application and reports that display finding targets, we've introduced a new approach:

• Simplified Target Lists: In reports, tables, and the researcher panel, we now show a concise list of targets (e.g., "target1, target2, target3, and 17 more"), providing a cleaner view without compromising on detail for findings with numerous targets.
• Detailed Reporting: Each report now efficiently lists up to 25 unresolved and 25 resolved targets, clearly indicating if more targets are not shown.
• Improved Navigation: The main findings page features paginated targets, making it easier to navigate and review extensive lists.
• Customization and Localization: Tailor the presentation to your needs by customizing and translating the "..., and x more" string for reports. This option is available under Settings > Languages, ensuring that the interface meets both your linguistic and functional preferences.

Other Improvements

• We've restructured how comments and status updates (finding events) are displayed under findings in the portal, leading to enhanced performance and reliability. This update also resolves a previous issue where the API was not returning certain comments.
• The review page now shows all finding events for reviewable findings instead of just some of them.
• We've updated our markdown editor shortcuts to avoid conflicts with common operating system shortcuts and enhance consistency with other tools like GitHub and Slack. The shortcuts have been added to the documentation.
• The markdown editor's ! character has been refined to make toggling the reference popover in the markdown editor smoother.

Bugfixes

• Fixed a bug where the CVSS 4 calculator did not correctly calculate a score of 0.
• Resolved a double HTML encoding issue affecting several values, particularly within task functionality.
• Fixed the drag-drop behavior of text in the markdown editor. 
• Fixed breaking side-by-side diff when long words were used.
• Fixed an issue where full-width tables were always aligned left.
• Fixed bug where date format was always added to component placeholders in the markdown editor.
• Fixed several minor bugs related to the theme text items and multi-language feature.
• Addressed inconsistent line wrapping in report PDFs.
• Empty comments now trigger a clear validation error.
• The correct radio button values are now set when editing an assessment role for the permission "edit internal details".

Analytics Page

Dive into a comprehensive analytics page accessible from the main menu. Explore detailed insights, including findings, assessments, trend analyses, severity counts, remediation strategies, and the top 5 assigned classification categories for each classification system. Tailor the analytics to meet your needs with filters for each client.

The dashboard for client users has been refreshed, showcasing key analytics - findings categorized by severity and status, critical and high-risk remediation efforts, average resolution times, and the top 5 unresolved severe findings, including their age.

Action Plan 

Activate the Action Plan for an assessment to define a clear path forward for resolving findings. Customize each action plan with:

• Priority: Set the urgency levels.
• Complexity: Estimate the effort required for resolution.
• Action: Outline specific steps for mitigation.

With the Action Plan enabled, you can gain immediate access to a dedicated action tab from the assessment page and seamlessly integrate the action plan table into any report section. Simply select it from the component list in the markdown editor for seamless integration.

CVSS 4.0 Scoring System

Reporter now supports the latest Common Vulnerability Scoring System, Version 4.0 (CVSS 4), offering a more nuanced and precise approach to vulnerability scoring. This enhancement allows users to assess and prioritize vulnerabilities with greater accuracy. Alongside the integration of CVSS 4, we've implemented improvements across all scoring systems within Reporter.

Other Improvements

• A new global "Project manager" role. This role is tailor-made for those who oversee project progress and quality without altering core system configurations. 
• Users can now import findings from previous assessments with the status "draft" or "under review" instead of "published".
• To ensure the integrity of published findings, importing findings as "published" now requires review permissions.
• Improved text selection behavior in the markdown editor.
• Add researchers and reviewers to the report separately.

Security

Webhook secrets have been removed from the edit page.

Bugfixes

• Addressed an issue where users were unable to reset a finding's original severity and remove status change events if the current and original severities matched.
• Corrected the sorting order for resolved targets in finding events to ensure accuracy when displaying the most recent events first. Furthermore, the loading performance has been improved.
• Fixed a problem that prevented ordering first-level assessment sections within assessment templates.
• Fixed notification label sizing.
• Fix the 'enable password' checkbox on the setup page.
• Fixed inconsistent indentation of lists in the PDF report.
• Fixed a bug where tables that should appear indented in a list were not indented properly.
• Finding retests now have a versions button.
• Fixed an issue where date formats for placeholder components were not added to the shortcode.

Improvements

• Added the ability to rotate theme text boxes;
• Improved the positioning of the comment reply based on the event ordering;
• Clarified Cloudflare documentation;

Security

• Updated a third-party library to address a known vulnerability. It's important to note that this vulnerability did not impact Reporter, as the affected functionality was not in use.

Bugfixes

• Fixed a severe slowdown when listing findings after adding a new language;
• Fixed a bug where the table of contents would have the wrong font in the theme preview;
• Addressed several minor JavaScript issues associated with the new markdown editor.
• Fixed an exception after attaching a snippet;
• Resolved an issue where deleting an assessment comment would leave its child comments visible in the timeline until the page was refreshed.

Report translations

Write your pentest reports in the language of your choice! The following key components have been made translatable to enhance your reporting experience:

• Report Themes
• Assessment templates
• Snippets
• Finding templates

Easily add new languages by importing ready-made translations from our public GitHub repository.

With this feature, you're not limited to adding new languages, but it also offers the flexibility to modify the default English terms. For instance, you can personalize your reports by renaming terms like "Proof" to "Evidence" to better align with your organization's terminology or reporting style.

New markdown editor

The markdown editor in Reporter has been completely rebuilt, offering a more robust and user-friendly experience. This upgrade paves the way for new functionalities, including the planned addition of annotation tools.

Key enhancements of the editor:

• Improved Grammar Tool Support: Enjoy better integration with grammar assistance tools such as Grammarly for error-free writing.
• Image Previews on Hover: Easily preview images by hovering over their markdown tags, adding convenience to your editing process.
• Enhanced Syntax Highlighting: The editor now offers syntax highlighting for code blocks, making code more readable.
• Streamlined Document Handling: Quickly find and track your uploaded documents within the markdown, and easily see which documents haven't been added yet.

Other improvements

• In assessments and findings, comments can now be sorted to show the most recent either at the top or bottom of the list.
• Okta SSO support.
• New target types.
• Cloudflare documentation.
• Theme textboxes are now conveniently located under the theme settings tab, eliminating the need for page reloads for each textbox change.
• Amazon S3 library updates for improved IMDSv2 support.
• The default gray font color has been darkened, making text easier to read on the web portal.
• The loading of assessments and findings with many targets has been optimized. We'll add more improvements in the upcoming releases.
• Allow disabling the verification of SMTP TLS certificates.
• The built-in Reporter theme has transitioned to Noto Sans font, enhancing multi-language support and resolving rendering issues in Adobe Acrobat Reader. You can easily configure the Noto Sans font for your own (custom) themes.

Bug fixes

• Fixed broken PDF generation caused by using ^ in code tags.
• Fixed task links on the dashboard not setting the correct status filter.
• Addressed ID confirmation failures when SSO providers return emails in uppercase.
• Fixed problems in assessments with large uploads (e.g., videos) that hindered ZIP download functionality.