New Scoring System: PASSI
We’ve added support for the PASSI scoring system, developed by the French national cybersecurity agency ANSSI. This system uses a 4-point 'Impact' scale and a 4-point 'Ease of Exploitation' scale to determine the severity of findings, similar in approach to the OWASP Risk Rating Methodology.
Alongside this, we’ve introduced:
- A new risk assessment table component for your reports.
- A reusable scoring system description snippet to explain PASSI in your assessments.
Colored tables
You can now create tables in Markdown with custom background and text colors. Define styling rules based on row and column numbers by going to Templates > Table Styles. Once set up, users can easily apply these table styles when adding tables in the Markdown editor.
Highlights:
- When making your table styles, you can use many of Reporter’s named colors (like critical severity) that automatically follow the report’s theme.
- We have added two new colors: light table stripe and dark table stripe. You can customize them in your themes and use striped tables for readability.
- You can also use custom colors that are independent of the theme.
- We have added a 'Table style manager' role so you can control who can create and edit table styles.
- When you apply a table style in a Markdown field, all style data is saved into the Markdown itself. This means you can safely delete unused table styles later without affecting existing reports.
Renumbering Findings
Findings in Reporter have a number that is unique and used as part of their short ID. Those numbers are assigned sequentially, and any deleted findings can cause gaps in the numbering. Since short IDs are used in client communication, we don't want to renumber findings automatically. But we recognize that many of you don't want gaps in the finding numbering and that you want to number them based on the order they appear in the report.
With all that in mind, we have added a feature to let you renumber the findings in an assessment. When you do, the findings are renumbered at that moment, but any new findings are added with the next available number. This ensures that finding numbers stay consistent unless you decide you want to change them. You can access this functionality from the assessment dropdown on the main assessment page:
Findings can be reordered based on:
- Oldest finding first
- Report order (by section, then severity)
- Highest severity first
For more details, check out the documentation.
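As an added illustration of the renumbering behaviour described above (example code written for these notes, not Reporter's own implementation): findings are sorted by one of the three orderings, numbers are reassigned without gaps, and a finding created afterwards simply takes the next number after the current maximum. The severity ranks and the field names are assumptions; the page names the strategies but not Reporter's internal data model.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Callable

# Assumed severity ordering for "highest severity first"; Reporter's own
# rank values are not stated on the page.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass
class Finding:
    number: int          # unique per assessment, used in the short ID
    title: str
    severity: str
    section_order: int   # position of the finding's section in the report
    created_at: datetime


# The three orderings named in the release notes.
ORDERINGS: dict[str, Callable[[Finding], tuple]] = {
    "oldest_first": lambda f: (f.created_at,),
    "report_order": lambda f: (f.section_order, SEVERITY_RANK[f.severity], f.created_at),
    "highest_severity_first": lambda f: (SEVERITY_RANK[f.severity], f.created_at),
}


def renumber(findings: list[Finding], strategy: str, start: int = 1) -> list[Finding]:
    """Reassign numbers 1..n in the chosen order, closing any gaps.

    Mutates the findings' numbers in place and returns them in their new order.
    """
    ordered = sorted(findings, key=ORDERINGS[strategy])
    for new_number, finding in enumerate(ordered, start=start):
        finding.number = new_number
    return ordered


def next_number(findings: list[Finding]) -> int:
    """A new finding takes the next available number after the current maximum.

    Creating or deleting findings never triggers an implicit renumbering,
    so short IDs already shared with a client stay stable.
    """
    return max((f.number for f in findings), default=0) + 1


def add_finding(findings: list[Finding], title: str, severity: str,
                section_order: int, created_at: datetime) -> Finding:
    finding = Finding(next_number(findings), title, severity, section_order, created_at)
    findings.append(finding)
    return finding


def sample_findings() -> list[Finding]:
    # Constructed sample: finding #2 was deleted, leaving the gap 1, 3, 4.
    return [
        Finding(1, "Weak TLS configuration", "low", 2, datetime(2024, 1, 1)),
        Finding(3, "SQL injection in login", "critical", 1, datetime(2024, 1, 3)),
        Finding(4, "Verbose error pages", "medium", 1, datetime(2024, 1, 4)),
    ]


def demo() -> tuple[list[tuple[int, str]], int]:
    findings = sample_findings()
    ordered = renumber(findings, "report_order")
    new = add_finding(findings, "Outdated library", "high", 2, datetime(2024, 1, 5))
    return [(f.number, f.title) for f in ordered], new.number


if __name__ == "__main__":
    print(demo())
```

Running it renumbers the sample to 1 (SQL injection), 2 (Verbose error pages), 3 (Weak TLS configuration) and the finding added afterwards receives number 4.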
Improvements
- You can now tag targets in markdown fields using $, similar to sections, users, and findings.
- Client custom fields can now be added to the report using placeholders and a theme's text boxes.
- Custom fields of the type ‘File’, created for assessments or clients, can now be rendered as images inside text boxes in your report themes. For example, this allows you to easily display the client’s logo on the cover page of your assessment reports.
- You can now customize the front page and back page backgrounds for each assessment individually, directly from the assessment edit page.
- The CWE classifications have been updated.
- Added an environment variable called WEBHOOK_SSRF_HOST_WHITELIST to whitelist hosts for webhooks that can bypass SSRF header checks. This should be used for webhooks to external services like Slack where you cannot control response headers. See Documentation > General > Settings > Webhooks for details.
- You can now upload multiple tool output files in a single request, making it faster and easier to import results.
- Added more details about account managers, including how they can be selected and linked under clients.
- Added documentation about finding statuses.
- Added instructions for using SFTP to connect to your storage for backups.
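As an added illustration of how a host whitelist such as WEBHOOK_SSRF_HOST_WHITELIST should be matched (example code written for these notes, not Reporter's implementation): the host is taken from the parsed URL rather than from the raw string, compared by exact match only, and IP literals are compared in canonical form. The comma-separated format and the decision function are assumptions; the page states only the variable's purpose.

```python
from __future__ import annotations

import ipaddress
import os
from urllib.parse import urlsplit


def normalize_host(host: str) -> str:
    """Canonical form for comparison: IP literals via ipaddress, names lowercased."""
    try:
        return str(ipaddress.ip_address(host))   # e.g. '::1', '10.0.0.1'
    except ValueError:
        return host.lower().rstrip(".")


def parse_host_whitelist(raw: str) -> frozenset[str]:
    """Parse a comma-separated host list (assumed format) into normalized hosts."""
    return frozenset(normalize_host(h.strip()) for h in raw.split(",") if h.strip())


def webhook_host(url: str) -> str:
    """Host component of a webhook URL, or ValueError for unsupported URLs.

    urlsplit().hostname strips userinfo, port and IPv6 brackets, so
    'https://hooks.slack.com@evil.example/' yields 'evil.example',
    not 'hooks.slack.com'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported webhook URL: {url!r}")
    return normalize_host(parts.hostname)


def header_check_required(url: str, whitelist: frozenset[str]) -> bool:
    """True when the SSRF response-header check must still be enforced.

    Exact match only: whitelisting 'hooks.slack.com' does not cover
    'hooks.slack.com.evil.example' or 'evil-hooks.slack.com'.
    """
    return webhook_host(url) not in whitelist


def whitelist_from_env() -> frozenset[str]:
    """Read the whitelist from WEBHOOK_SSRF_HOST_WHITELIST (empty if unset)."""
    return parse_host_whitelist(os.environ.get("WEBHOOK_SSRF_HOST_WHITELIST", ""))


if __name__ == "__main__":
    wl = parse_host_whitelist("hooks.slack.com")
    for candidate in ("https://hooks.slack.com/services/x",
                      "https://hooks.slack.com@evil.example/",
                      "https://hooks.slack.com.evil.example/"):
        print(candidate, "-> header check required:", header_check_required(candidate, wl))
```

The whitelist only decides whether the response-header check is skipped; it does not replace destination validation, so a whitelisted name still goes through whatever other outbound checks the webhook sender applies.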
Bug Fixes
- Fixed a bug where reactions showed the wrong emojis. Unfortunately, the bug caused the incorrect emojis to be saved in the database, so reactions to timeline events may now show different emojis than they did before.
- Fixed a bug where the targets tab on the assessments page for completed or on-hold assessments was only visible to admins.
- Fixed a bug where findings did not appear in the CSV export if they had no targets.
- Fixed an exception when exporting findings to CSV if there were no findings to export.
- Fixed an exception when using webhooks targeting an IP address.