Finding Import
This release adds the ability to import findings and targets from files generated by over 120 different scanners and tools!
Go to the 'Tool Import' section in the assessment dropdown to begin. Upload a file, select the matching tool (such as Nessus, Qualys, Nmap, or Burp Suite) and let Reporter work its magic. Be sure to check the export instructions for your particular tool.
Reporter parses these files into an intermediate format. Researchers can then choose which targets and findings they want to import into the assessment. You can import targets in one click, and when importing findings Reporter will fill in as much as possible to make importing a breeze.
Requires Attention
In nginx.conf the following setting must be added to HTTP: client_max_body_size 250M; to allow larger file uploads.
The default researcher and reviewer roles can now create targets. This is done so they can import targets from files. Custom roles are not updated automatically. They should be updated manually by granting them the 'Create Targets' permission.
As of this release, file storage is no longer encrypted by Reporter. The storage should be encrypted through a cloud storage provider or local encryption. See the Security chapter of the documentation. Because of this change, the update may take longer than usual when all existing files are decrypted.
Markdown Standard Changes
*italic* is now the default notation for italics. Underscores in words, such as in a_b_c are no longer interpreted as italics.
Newlines in paragraphs are now rendered as new lines. For example:
line 1.
line 2.
used to be rendered as:
line 1. line 2.
From now on, it will instead be rendered as:
line 1.
line 2.
Improvements
- Changing internal fields in the assessment, such as internal details, no longer regenerates the PDF reports.
- Setting an assessment to the status 'Scheduled' with a start date today or in the past now sets it to the status 'Active' instead.
Bugfixes
- Fixed a number of cases where new reports weren't generated when they should be.
- Fixed an issue where the researcher panel filter reappeared after being unset.
- Fixed a bug where the tasks assigned mail had an incorrect link.
- Fixed a bug where storing an 'Under Review' finding would fail to create a 'requested a review'-event and review task.
- Fixed a bug where storing a 'False Positive' retest would set the severity to 'OK' instead.
- Fixed a bug where the wrong tab would briefly start open on the assessment page.
- Fixed a bug where empty lines in non-highlighted code blocks did not appear in the pdf reports.
- Fixed a bug where clicking on a locked section in the researcher panel would redirect to the dashboard.
Supported Tools
- Acunetix
- Acunetix 360
- Anchore-Engine
- Anchore Enterprise
- Anchore Grype
- AppSpider
- Aqua
- Arachni
- AuditJs
- AWS Prowler
- AWS Security Hub
- Azure Security Center Recommendations
- Bandit
- Black Duck
- Black Duck Component Risk
- Brakeman
- Bugcrowd
- Bundler Audit
- Burp Enterprise
- Burp GraphQL
- Burp GraphQL API
- Burp XML
- CCVS Report
- Checkmarx OSA
- Checkov
- Choctaw Hog
- Clair
- Clair Klar
- CloudSploit (AquaSecurity)
- Cobalt.io
- Cobalt API Import
- Contrast
- Coverity API
- Crashtest Security
- CredScan
- CycloneDX
- DawnScanner
- DefectDojo Generic
- Dependency-Check (OWASP)
- Dependency-Track (OWASP)
- Detect-secrets (Yelp)
- Dockle
- DrHeader
- DSOP
- ESLint
- Fortify
- GitHub Vulnerability
- GitLab API Fuzzing
- GitLab Container Scan
- GitLab DAST
- GitLab Dependency Scan
- GitLab SAST
- GitLab Secret Detection Report
- Gitleaks
- Gosec Scanner
- HackerOne
- Hadolint
- Harbor Vulnerability
- Horusec
- huskyCI
- IBM AppScan DAST
- Immuniweb
- IntSights
- JFrog Xray
- KICS
- Kiuwan
- Kube-bench
- Micro Focus WebInspect
- MobSF
- Mobsfscan
- Mozilla Observatory
- Nessus (Tenable)
- Nessus WAS (Tenable)
- Netsparker
- Nexpose XML 2.0 (Rapid7)
- Nikto
- Nmap
- Node Security Platform
- NPM Audit
- Nuclei
- OpenSCAP
- OpenVAS CSV
- OssIndex Devaudit
- Oss Review Toolkit
- Outpost24
- PHP Security Audit v2
- PHP Symfony Security Check
- PMD
- Qualys
- Qualys InfraScan WebGUI
- Qualys Web App
- RetireJS
- RiskRecon API Importer
- SARIF
- Scantist
- ScoutSuite
- Security Knowledge Framework
- Semgrep JSON
- Snyk
- Solar appScreener
- SonarQube
- Sonatype
- SpotBugs
- SSL Labs
- SSLScan
- SSLyze
- Terrascan
- Testssl
- Tfsec
- Trivy
- TruffleHog
- TruffleHog3
- Trustwave
- Trustwave Fusion API
- Twistlock
- Veracode
- Visual Code Grepper (VCG)
- Wapiti
- Wfuzz
- WhiteHat Sentinel
- WhiteSource
- WPScan
- Xanitizer
- Yarn Audit
- Zed Attack Proxy