Docker Compose example package SHA256: 94a038bf0a5bc04ee7fcc306895c77b84362588321e7642db5b8075309d6d6ed
Docker image SHA256: 16df2622be7fea9a603cddde077454cdde068805b525aa4e3f04531821728352
Updated API endpoint for listing finding events
Breaking change!
The API endpoint for listing finding events has been updated to make it consistent with other index routes. The endpoint has changed from /api/v1/findings/{finding_id}/finding-events to /api/v1/finding-events.
Bug Fix: The old endpoint had a bug where it did not correctly filter by finding ID. This issue is resolved with the new endpoint and filtering method. To get all finding events associated with a particular finding, use the new endpoint with a filter parameter:
GET /api/v1/finding-events?filter[finding_id]={finding_id}
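A small migration helper for the endpoint change above, added here as an example and not part of the project or its Python wrapper. It rewrites old-style URLs to the new route, builds the filtered request, and checks client-side that every returned event really belongs to the requested finding (a guard against the filtering bug the old route had). The JSON shape ({"data": [...]}, each event carrying "finding_id") and the Bearer authorization header are assumptions.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

OLD_PATH = "/api/v1/findings/{finding_id}/finding-events"  # removed route
NEW_PATH = "/api/v1/finding-events"                         # current route


def finding_events_url(base_url: str, finding_id: int) -> str:
    """Build the new-style URL. The bracketed filter key is kept literal;
    only the value is percent-encoded."""
    value = urllib.parse.quote(str(finding_id), safe="")
    return f"{base_url.rstrip('/')}{NEW_PATH}?filter[finding_id]={value}"


def rewrite_old_url(url: str) -> str:
    """Translate a request that still uses the removed per-finding route."""
    parsed = urllib.parse.urlsplit(url)
    parts = parsed.path.strip("/").split("/")
    # Expected shape: api / v1 / findings / <id> / finding-events
    if (len(parts) != 5 or parts[:3] != ["api", "v1", "findings"]
            or parts[4] != "finding-events" or not parts[3].isdigit()):
        raise ValueError(f"not an old-style finding-events URL: {url}")
    base = urllib.parse.urlunsplit((parsed.scheme, parsed.netloc, "", "", ""))
    return finding_events_url(base, int(parts[3]))


def _http_get(url: str, api_key: str) -> str:
    """Real transport; the header name is an assumption, not documented here."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def fetch_finding_events(base_url: str, api_key: str, finding_id: int,
                         opener: Optional[Callable[[str], str]] = None) -> List[Dict]:
    """GET the filtered list and verify the filter was honoured server-side.
    `opener` is injectable so the function can be exercised offline."""
    url = finding_events_url(base_url, finding_id)
    body = opener(url) if opener else _http_get(url, api_key)
    events = json.loads(body).get("data", [])
    stray = [e for e in events if e.get("finding_id") != finding_id]
    if stray:
        raise RuntimeError(f"server returned {len(stray)} events for other findings")
    return events


# Constructed sample response, used in place of a live server.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"id": 1, "finding_id": 42, "type": "status_changed"},
    {"id": 2, "finding_id": 42, "type": "comment"},
]})


def fake_opener(url: str) -> str:
    """Offline stand-in for the HTTP transport; only answers the filtered route."""
    if "filter[finding_id]=42" not in url:
        raise AssertionError(f"unexpected request: {url}")
    return SAMPLE_RESPONSE
```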
Webhook improvements
- Conditional Webhooks: You can now set conditions for each webhook using JMESPath syntax to determine whether it should be triggered, giving you more control over webhook execution.
- Assessment Completed Webhook: A new webhook has been added that triggers when an assessment is set to a completed state ('Completed' or 'Retest Completed'), allowing you to automate actions based on assessment completion.
New global user roles
Introduced new global user roles: 'Assessment Template Manager', 'Finding Template Manager', and 'Assessment Theme Manager':
- These roles are generally assigned alongside other roles like Researcher, Account manager, or Project admin.
- They can also be stand-alone roles for users needing limited access, such as theme designers without assessment access.
Limitations:
- Finding Template Managers cannot see suggestions for finding templates if they don't have access to the findings they are based on.
- Assessment Theme Managers cannot mass migrate assessments to a new theme unless they also have admin or project admin permissions.
Other improvements
- The Python API wrapper has received several updates; see https://github.com/dongit-org/python-reporter for details.
- Added support for Microsoft Graph mail.
- Pipedream now offers integration with Security Reporter; see https://pipedream.com/apps/security-reporter for details.
- Added tagging functionality to clients; only account managers, project admins, and admins can see and filter by tags.
- The snippets feature has been enhanced with several updates: the index page now includes table hover effects, filtering, and sorting options; the insertion modal has been reformatted; tag functionality has been added for better organization; and snippets can now be inserted into other snippets.
- Introduced a new assessment setting to disable retesting functionality.
- Assessment sections whose subsections have the 'can have findings' setting enabled can now be configured to appear in the results table.
- Updated the notification system to ensure that all associated users receive timely alerts whenever an assessment is rescheduled.
- Added the ability to sort finding templates by weight via the API.
- Activity related to assessment and finding templates is now logged and accessible via the activity page.
- Added a placeholder for the 'completed at date' of the initial assessment phase.
- Added a global setting for password-protecting report PDFs. This setting can be enabled under 'Settings > General > Miscellaneous > Generate a password for PDF Reports'.
Bug Fixes
- Fixed an issue where caution tags in references were ignored.
- Ensured client changes to shared information are recognized as a new version.
- Resolved a problem where linking many potential findings to a finding did not work.
- Referenced findings not present in the report are now rendered as plain text instead of links, allowing references to findings in the management summary even if they are not included.
- Fixed an error on the user view page that occurred if the current user didn't have a timezone set.
- Fixed a redirect issue when changing the status of a finding retest through the inline edit functionality.
- Resolved a '403 Unauthorized' error when using the Finding Templates Create API function, ensuring API keys with the correct permissions work as intended.
- Improved the assessment sections API update: researchers now receive clear validation errors when attempting to modify unauthorized fields, and fixed a bug preventing admins from setting a published review status via the API.
- Fixed the 'Copy to Clipboard' button not updating correctly after saving an inline edit.
- Restored the 'Submit for Review' button for assessment sections that required revisions.
- Fixed a bug in the inline editor of the HTML report that occasionally prevented the editor from being locked.
- Fixed a validation error on the vulnerability field when updating a finding with the status 'Retest Pending'.