Docker Compose example package SHA256: 4ca8cae9f75b486a5ce54a3d7cceb931a47e22ecc40873ae5ecf79818bebe573
Docker image SHA256: eba07ada5b61746ffc337da5bb3dd8b296995092caf454347e2eec744c5cf60f
Update with many changes 🥳
TL;DR
- Many new API routes have been added, with unfortunately some breaking changes. A glimpse into the upcoming related releases: an open-source Python API wrapper will be published to make your developers happy! This is almost ready, and we’re working on some example integrations. This full-fledged API combined with the webhooks makes Reporter flexible for all kinds of integrations.
- Customize the Reporter web portal by uploading a custom style sheet.
- Clients can share information and documents within assessments.
- Many bug fixes and other improvements!
API Improvements
Some breaking changes (warning)
- Permissions for API tokens are now fine-grained per resource. Therefore, existing API tokens will only be able to access and write ‘Assessments’. A new API token with extra permissions should be generated to access other resources, such as ‘Findings’ or ‘Targets’.
- Various `POST` API routes have been restructured to match the application structure and logic. For example, the `POST` route `/api/v1/assessments` to create a new assessment has been changed to `/api/v1/clients/<assessment_id>/assessments`.
- ‘Finding Template’ API routes are made consistent via the new route `/api/v1/finding-templates` (dash) instead of `/api/v1/finding_templates` (underscore).
- The following request headers are now required to be set (see the examples in the API documentation):
  - `Accept: application/json` for all routes except downloading files;
  - `Content-Type: application/json` for all `PUT`, `PATCH`, and `POST` routes that do not upload files;
  - `Content-Type: multipart/form-data` for all `POST` routes that upload files.
- Documents can now only be created and deleted using the dedicated `/api/v1/documents` routes, and not using other routes.
  - The only exception is for the creation of ‘Output Files’ (scan results from tools like Burp Suite and Nessus).
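The header and route rules above, applied by a small request builder. This is an added example, not Reporter’s own code and not the announced Python wrapper; it assumes the token is sent as a Bearer token (the notes do not say) and uses a placeholder base URL and a constructed client id.

```python
import json
from urllib.request import Request

ASSUMED_BASE_URL = "https://reporter.example.invalid"  # placeholder, assumption

# Renamed route prefix taken from the breaking-changes list (underscore -> dash).
RENAMED_PREFIXES = {"/api/v1/finding_templates": "/api/v1/finding-templates"}
# Removed route: assessments are now created below a client, so this cannot be
# rewritten automatically and is refused instead.
REMOVED_ROUTES = {("POST", "/api/v1/assessments")}


def migrate_path(path):
    """Rewrite renamed prefixes so code written against the old routes keeps working."""
    for old, new in RENAMED_PREFIXES.items():
        if path == old or path.startswith(old + "/"):
            return new + path[len(old):]
    return path


def required_headers(method, uploads_file=False, downloads_file=False):
    """Headers the restructured API now requires for one request shape."""
    method = method.upper()
    headers = {}
    if not downloads_file:  # Accept is mandatory on every route except file downloads
        headers["Accept"] = "application/json"
    if method in ("PUT", "PATCH", "POST"):
        if method == "POST" and uploads_file:
            # the HTTP library must append the boundary parameter when it sends
            headers["Content-Type"] = "multipart/form-data"
        else:
            headers["Content-Type"] = "application/json"
    return headers


def build_request(method, path, token, body=None, uploads_file=False,
                  downloads_file=False):
    """Assemble a urllib Request (not sent here) that follows the new rules."""
    method = method.upper()
    if (method, path) in REMOVED_ROUTES:
        raise ValueError(f"{method} {path} was removed; use the client-scoped route")
    headers = required_headers(method, uploads_file, downloads_file)
    headers["Authorization"] = f"Bearer {token}"  # assumed scheme, not from the notes
    data = json.dumps(body).encode() if body is not None and not uploads_file else None
    return Request(ASSUMED_BASE_URL + migrate_path(path), data=data,
                   headers=headers, method=method)


if __name__ == "__main__":
    # constructed example: 42 stands for the id in the new client-scoped route
    req = build_request("POST", "/api/v1/clients/42/assessments", "TOKEN-PLACEHOLDER",
                        body={"name": "Q3 web assessment"})
    print(req.get_method(), req.full_url, req.header_items())
```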
Additions
- API abilities/permissions are now split per resource.
- ‘Auto-assignments’, ‘assessment users’, ‘output files’, and ‘roles’ can now be accessed through the API.
- Added `POST` routes for many resources, such as:
  - Assessment Users (to attach users to assessments, assign them roles and automatically assign them tasks)
  - User Groups
  - Output Files (for uploading scans from tools like Burp Suite and Nessus)
- Added `PUT`/`PATCH` routes for the following resources:
  - Clients
  - Assessments
  - Assessment Sections
  - Assessment Phases
  - Findings
  - Targets
  - Finding Templates
  - Users
  - User Groups
- Added `DELETE` routes for the following resources:
  - Clients
  - Assessment Users
  - Findings
  - Targets
  - Finding Templates
  - User Groups
  - Documents
  - Output Files (also deletes all ‘potential findings’ and ‘potential targets’, but not findings and targets that have been imported into the assessment)
Custom Style Sheets
- Admins can now upload a custom style sheet (CSS) to customize the look of the Reporter portal. We recommend changing the primary colors, such as those used in buttons and labels, to match your organization’s branding.
- The stylesheet does not affect the online or PDF reports.
Shared Information Tab
- Added a new ‘Shared information’ tab in assessments that clients and researchers can edit. Clients can use this to share instructions and files with the researchers directly.
- Admins can add separate instructions for researchers and clients to the tab through the settings.
- The tab can be enabled and disabled for individual assessments.
- The tab is enabled by default for new assessments, not for existing assessments. You can change that default in the settings.
- Researchers receive a notification when a client updates the shared information while the assessment is in progress.
Other Additions
- Added a report customization option to insert page breaks after each finding.
- Added settings to select which tab is open in the assessment overview. There are separate settings for researchers and clients.
- The API rate limit can now be changed or removed on self-hosted Reporter instances.
Improvements
- An icon appears in the assessment tab if you have unread notifications when the ‘Researcher Briefing’ or ‘Shared Information’ has been updated. Opening the tab marks such notifications as read.
- Wide tables no longer overrun the page in the PDF report. You can control the width of columns on wide tables. For details, see the updated documentation.
- Changed the word ‘vulnerabilities’ to ‘findings’ in the ‘finding counts per severity’-component to be more consistent with the rest of the application.
- The ‘Risk’, ‘Recommendation’, and ‘Proof’ fields are no longer required.
- Findings in the ‘Search for examples’ dialog now show their original severity (and current severity if it has changed). Previously it showed the current severity, which was often ‘OK’ after a retest.
- Findings can now be filtered based on if they have retests. The filter only counts published retests.
- The display of the target search bar in an assessment has been optimized.
- Added an ‘Assigned to me’ button to the dashboard for admins to show assessments where they are assigned.
- All email addresses are now stored and displayed in lowercase.
Bugfixes
- Fixed a bug where the sections in the online report were numbered incorrectly.
- Fixed a bug where the user wasn’t properly logged out after being idle.
- Clicking a ‘Login with …’-button when already logged in now redirects to the correct page.
- Fixed a bug where linking potential findings to existing findings did not work.
- Fixed a bug where the wrong tab was sometimes opened in various places.
- Fixed a bug where inline documents were incorrectly styled in the online report.
- Fixed an issue where potential findings with CVSS scores were sorted by severity category (Critical, High, etc.) instead of score.
- Fixed an issue where the same CVE was sometimes listed multiple times for a potential finding.
- Fixed a bug where empty report customization settings could cause an exception.
- Fixed an issue where the ‘finding counts by severity’ report component would run off the page with larger fonts.
- Fixed an issue where non-ASCII characters in titles were not rendered correctly in the PDF report.
- Fixed a bug where some completed assessments could be shown before pending assessments.
- Fixed a bug where a very long section title could make the researcher panel too wide.
- Fixed a bug where tildes were sometimes displayed as dashes by updating Open Sans fonts.
- … and probably more!