Upgrade Heads-up! Grab a coffee and sit back while you deploy this upgrade ☕ – this release will take a bit longer than usual due to database migrations. And as always, remember to create a backup before diving in.
Single Sign-on improvements
We have reworked the authentication logic to provide much more flexibility. Updated documentation is available to guide you through the new configuration options. The most notable changes are listed below.
Setting Renamed! To improve clarity, the environment variable `GOOGLE2FA_ENABLED` has been renamed to `TOTP2FA_ENABLED`. Please note that the former name is now deprecated and will not be supported in future releases.
Important: If you are using Google as an SSO provider and 2-factor authentication (2FA) is not enforced (`MFA_ENFORCE` is set to `false`), users may be unable to confirm their identity. We strongly recommend enforcing 2FA if you use Google SSO.
Authentication
- Passwords are now optional. New users can immediately log in using their SSO provider.
- Global deactivation of password usage is possible by configuring the environment variable `PASSWORD_LOGIN_ENABLED=false`.
2-Factor Authentication
- SAML2 and Graph (Microsoft Azure) SSO login methods can be configured to bypass Reporter's 2FA using the `MFA_BYPASS_AFTER_SAML2=true` and `MFA_BYPASS_AFTER_GRAPH=true` environment variables. This way you rely on the 2FA configuration of your SSO provider.
- If 2FA is not enforced, users can now optionally enable 2FA. Users with 2FA enabled will be prompted for a code when they log in unless their login method is configured to bypass 2FA.
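The renamed setting, the Google SSO warning and the 2FA bypass flags above all come down to a handful of environment variables, so a pre-upgrade check of the `.env` file is a cheap way to catch the risky combinations before they lock users out. The following linter is an added example and is not Reporter's own code: it assumes a plain `KEY=value` file format, assumes that an unset `MFA_ENFORCE` behaves as not enforced, and takes the list of SSO providers in use as an argument (`sso_providers`) because the notes do not say how providers are enabled.

```python
"""Lint a Reporter-style .env for the authentication settings in these release notes.
Added example (not Reporter's code). Assumptions: KEY=value lines with '#' comments,
missing MFA_ENFORCE treated as not enforced, SSO providers passed in by the caller."""

# Deprecated variable -> its replacement, as stated in the release notes.
DEPRECATED = {"GOOGLE2FA_ENABLED": "TOTP2FA_ENABLED"}

# Flags that delegate the second factor to the SSO provider.
BYPASS_FLAGS = ("MFA_BYPASS_AFTER_SAML2", "MFA_BYPASS_AFTER_GRAPH")


def parse_env(text):
    """Parse KEY=value lines into a dict; blanks and '#' comments are ignored,
    surrounding single or double quotes around values are stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def is_true(value):
    """Loose boolean parsing for env values (assumed accepted spellings)."""
    return value.strip().lower() in ("1", "true", "yes", "on")


def lint_env(text, sso_providers=()):
    """Return a list of (level, message) findings for the given .env contents.
    sso_providers: lower-case names of providers in use, e.g. ("google",)."""
    env = parse_env(text)
    providers = {p.lower() for p in sso_providers}
    findings = []

    # 1. Deprecated name: still works this release, dropped in a future one.
    for old, new in DEPRECATED.items():
        if old in env:
            findings.append(("warn", f"{old} is deprecated; rename it to {new}"))
            if new in env and is_true(env[old]) != is_true(env[new]):
                findings.append(("error", f"{old} and {new} disagree; keep only {new}"))

    # 2. Google SSO without enforced 2FA: users may be unable to confirm identity.
    mfa_enforced = is_true(env.get("MFA_ENFORCE", "false"))  # assumption: unset = not enforced
    if "google" in providers and not mfa_enforced:
        findings.append(("error",
                         "Google SSO with MFA_ENFORCE=false: users may be unable to "
                         "confirm their identity; set MFA_ENFORCE=true"))

    # 3. Bypass flags: second factor now lives at the SSO provider, verify it there.
    for flag in BYPASS_FLAGS:
        if is_true(env.get(flag, "false")):
            findings.append(("info",
                             f"{flag}=true: 2FA delegated to the SSO provider; "
                             "confirm MFA is enforced on the provider side"))

    # 4. Passwords disabled with no SSO provider leaves nobody a way to log in.
    if not is_true(env.get("PASSWORD_LOGIN_ENABLED", "true")) and not providers:
        findings.append(("error",
                         "PASSWORD_LOGIN_ENABLED=false but no SSO provider configured: "
                         "lockout risk"))
    return findings


# Constructed sample files (not from a real deployment).
RISKY_ENV = """
# constructed example: pre-upgrade settings
GOOGLE2FA_ENABLED=true
MFA_ENFORCE=false
MFA_BYPASS_AFTER_SAML2=true
PASSWORD_LOGIN_ENABLED=false
"""

FIXED_ENV = """
# constructed example: settings after applying the recommendations
TOTP2FA_ENABLED=true
MFA_ENFORCE=true
PASSWORD_LOGIN_ENABLED=false
"""

if __name__ == "__main__":
    for name, text in (("risky", RISKY_ENV), ("fixed", FIXED_ENV)):
        print(f"== {name} ==")
        for level, msg in lint_env(text, sso_providers=("google",)):
            print(f"[{level}] {msg}")
```

Run it against the real file with `lint_env(open(".env").read(), sso_providers=(...))` before the upgrade; the `error` level marks settings that can leave users unable to log in or confirm their identity, while `info` only reminds you that the second factor now has to be verified at the SSO provider.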
Identity confirmation
Identity confirmation has been reworked for improved flexibility and security. You can now use either your 2FA or SSO provider for identity verification. For a deeper dive into the specific authentication methods, please check the updated documentation.
Broadly usable snippets
- Snippets can now be used in all markdown fields throughout Reporter.
- Snippets used in templates are converted when the template is applied.
- Researchers can now also manage snippets.
- Users can only edit snippets used in templates if they have permission to edit the template.
- Snippets now have versioning for tracking modifications.
Review Improvements
When a researcher makes a change to an already reviewed (published) finding in an active assessment, its status will revert to 'Under Review' unless the researcher also has review permissions.
Users lacking review permissions cannot edit findings or retests in finalized assessments.
Improvements
- Assessment tagging functionality has been added.
- Added a `REDIS_SCHEME` configuration option so you can connect to remote Redis clusters over TLS.
- Added markdown placeholders for the start and end date of the assessment.
- Added markdown placeholder for findings count (total or filtered by status or severity).
- Added date format option to the 'started-on' component.
- The clients overview page now displays 52 items on a page instead of 50, filling all rows.
- Added a references field for findings. This field was already present in the finding templates.
- On the finding detail page, if fields such as 'risk' are empty, they will not be displayed to users without editing permissions.
- Log whether activities were triggered via the API.
- Log whether activities were triggered by an impersonated user.
- For consistency in API behavior, all line endings are now converted to `\r\n`.
Bugfixes
- Resolved an issue preventing editing of resolved retests.
- Fixed a bug where the custom deadline field was hidden when creating a task in a continuous assessment.
- Fixed a bug where task titles and descriptions were shown incorrectly in the edit form.
- Fixed a bug where the 'Add task' button was disabled on certain pages.
- Resolved an issue on the API token page where selecting any ability radio button incorrectly defaulted to the first option.
- Fixed an issue where roles could not be renamed.
- Admins can now download management reports when they are not available to clients.
- Tooltips for unavailable management reports now correctly say why they are not available.
- Fixed a bug where swapping the researcher panel version (full vs. management view) didn't work as expected.
- Resolved an issue preventing the unsetting of VRT classifications.
- Fixed a bug where empty markdown fields with documents were not displayed.
- Fixed an issue where attempting to retrieve a file using the API with an invalid token resulted in a redirect response to the login page.
- Fixed incorrect timestamps on the user index page.