Assessment Templates - Requires Attention
API breaking change! To improve clarity, 'Assessment Types' have been renamed to 'Assessment Templates'. Due to this, there are some breaking changes in the API:
- The 'assessment_type_id' and 'assessment_type_name' fields on assessments have been renamed respectively to 'assessment_template_id' and 'assessment_template_name'. Requests to retrieve assessment types (now templates) and to create assessments will need to be updated. Requests to update assessments may also need to be updated if they modify either of the renamed fields.
- Finding Templates now have a 'severity_metrics_all' field that contains different metrics for each scoring system. See the updated API documentation for details, and note that finding templates may only have metrics for a subset of the scoring systems.
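The following is an added example, not code from the Reporter project or from its API wrapper, showing how an API client written against the old field names can be migrated: outgoing payloads are rewritten to the new names, responses in either form are accepted, and per-scoring-system metrics are read from 'severity_metrics_all'. The dictionary shape assumed for 'severity_metrics_all' (keyed by scoring-system name) and the sample scoring-system names are assumptions for illustration, not taken from the API documentation; all sample data is constructed.

```python
"""Compatibility helpers for the 'assessment_type_*' -> 'assessment_template_*'
rename. Added example; not part of Reporter or the securityreporter package."""

# Old field name -> new field name, as listed in the release notes.
RENAMED_FIELDS = {
    "assessment_type_id": "assessment_template_id",
    "assessment_type_name": "assessment_template_name",
}


def migrate_assessment_payload(payload):
    """Return a copy of a create/update payload that uses the new field names.

    Raises ValueError when the caller supplied both the old and the new name
    with different values; silently preferring one would hide a client bug.
    """
    migrated = dict(payload)
    for old, new in RENAMED_FIELDS.items():
        if old not in migrated:
            continue
        value = migrated.pop(old)
        if new in migrated and migrated[new] != value:
            raise ValueError(f"conflicting values for {old!r} and {new!r}")
        migrated[new] = value
    return migrated


def template_id(assessment):
    """Read the template id from an assessment object of either API generation,
    so a client keeps working while cached or old-format objects are still around."""
    for key in ("assessment_template_id", "assessment_type_id"):
        if key in assessment:
            return assessment[key]
    raise KeyError("assessment has no template id field")


def metrics_for(finding_template, scoring_system):
    """Return the metrics for one scoring system from 'severity_metrics_all',
    or None when the template has no metrics for that system (the notes say a
    template may only cover a subset of scoring systems).
    Assumes 'severity_metrics_all' is a dict keyed by scoring-system name."""
    all_metrics = finding_template.get("severity_metrics_all") or {}
    return all_metrics.get(scoring_system)


# Constructed sample data; not real Reporter API output.
OLD_STYLE_REQUEST = {"name": "Q3 web app test", "assessment_type_id": 7}
NEW_STYLE_ASSESSMENT = {
    "id": 42,
    "assessment_template_id": 7,
    "assessment_template_name": "OWASP Top 10",
}
FINDING_TEMPLATE = {
    "name": "Reflected XSS",
    # scoring-system keys are assumed names for this example
    "severity_metrics_all": {"cvss3": {"score": 6.1}},
}

if __name__ == "__main__":
    print(migrate_assessment_payload(OLD_STYLE_REQUEST))
    print(template_id(NEW_STYLE_ASSESSMENT), template_id(OLD_STYLE_REQUEST))
    print(metrics_for(FINDING_TEMPLATE, "cvss3"), metrics_for(FINDING_TEMPLATE, "cvss4"))
```

Run the migration on every payload before it is sent and read template ids through template_id() until all stored objects use the new names; then the old keys can be dropped from both helpers.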
Client Leads
Admins can now assign client users as client leads within an assessment, similar to how they can assign researchers as managers.
Client leads are displayed more prominently on the assessment page and serve as primary contact for other client users. Besides this, leads can have additional privileges that can be configured via the main menu under Settings > General > Functionality. You can configure which client users can access the following functionality:
- Managing other client users.
- Requesting assessment deletion.
Note! For existing Reporter installations, these functionalities will be available for all client users after updating. We recommend limiting these functionalities to client leads only. Please note that by doing so, you are required to assign client leads for existing assessments to make these functionalities available.
New Assessment Templates
Reporter ships with several built-in assessment templates you can use as a basis for your templates and reports.
We have added the following new default templates:
- OWASP Kubernetes top 10
- OWASP Docker top 10
- Azure Security Benchmark (v3)
- CWE SANS Top 25 - version 2022
These new templates, and fresh copies of the existing templates, can now be imported from the Assessment Template page. They are not automatically added to existing installations. More templates will be added in future releases.
CSV Export
Exporting an assessment's findings to a CSV file from the assessment overview page is now possible.
Other Changes
- Finding templates can now be set up using multiple scoring systems. Reporter uses the score from the appropriate scoring system when you use a template to create a finding.
- When you create an API token, you can now set a date/time for it to expire.
- The 'Findings Table' report component can now be sorted by severity, name, or one of several more options. If you want to use this feature, we recommend re-adding the component to your assessment templates and selecting the desired sorting option.
- Improved the way suggested changes to finding templates are compared to the original when evaluating the change.
- Improved the comparison between a finding and similar findings and finding templates when suggesting a finding as a new template or evaluating the suggestion.
- Third-party finding templates have been updated.
- Added the ability to import default assessment templates. Default templates were previously only seeded into new environments.
- To improve consistency with other scoring systems, saving a finding with CVSS score 0 will no longer set its severity to 'OK' but to 'Info'.
- The API wrapper (https://pypi.org/project/securityreporter/) has been updated to work with the latest API changes.
Bugfixes
- Fixed an issue where the front page was sometimes missing in PDF reports.
- When a user is blocked, they are no longer removed as researchers or reviewers from assessment phases, or from the front page of assessments.
- Fixed a bug where required markdown fields would block a form from being submitted without displaying any errors.
- Fixed an error where validation errors weren't always shown for markdown fields.
- Fixed a bug where automatically scrolling to the first error in a form would sometimes scroll too far.
- Fixed a bug where the online report did not show the content middle background image.
- Fixed a bug where non-vulnerable severities were not copied with templates.