Releases

Improvements

• The action plan now has the 'Urgent' priority level and the 'Very Complex' complexity option, which provides a more precise categorization of critical and challenging tasks.

Bug Fixes

• Resolved an issue that prevented proper rendering of finding references in the PDF report.
• Fixed a rare migration error that occurred when a bold font was missing in one of the report themes.
• Removed the assessment template name from the breadcrumb path on the assessment section page.
• Fixed a bug on the finding details page where the status wasn't updated when a researcher updated the finding using the inline editor.

Audit functionalities

A new ISO 27001:2022 assessment template is now available, providing a standardized approach to compliance evaluations. We've also introduced a new audit scoring system with the categories Compliant, Opportunity for Improvement, Minor Non-Conformity, Major Non-Conformity, and Not Applicable. Additionally, a new audit scoring table component offers a clear overview of the number of findings for each score category:

You can add the new ISO 27001 template using the 'Clone default template' button on the 'Assessment Templates' page.

Improvements

• PDF Report Tables: Table headings now automatically repeat on every page when a table spans multiple pages, enhancing readability. This default behavior can be disabled if needed.
• Referenced Findings: Added severity circles wherever findings are referenced in markdown fields using the # key to link to other findings.
• Webhooks: OAuth2 connection support for webhooks.
• CVSS Metrics Linking: CVSS metrics in PDF and online reports are now linked to the CVSS calculator built into Reporter. It is also possible to link to the FIRST.org CVSS calculator instead or disable links altogether. This can be configured in the settings of a Reporter theme under the 'Miscellaneous' tab.
• Finding Section Titles: You can now configure the titles of finding sections independently from the headings in the report theme configuration.
• Notification documentation: Added new documentation detailing when notifications are sent and the specific types of notifications that are triggered.
• Activity Storage Retention: Added documentation on the ACTIVITY_LIFETIME environment variable, which determines how long the activity trail is retained.
• Targets Placeholder: Added a targets placeholder that, when rendered, displays a list of the assessment targets.
• Code Blocks: Added a copy button that appears when hovering over code blocks for easier copying of code snippets.
• Results Table Component: Sections that cannot have findings now appear in the results table if they contain child sections that can have findings.
• Action Plan and Findings Table Component: A new option is available to remove page numbers from the action plan and findings table components.
• Block Quote Styling: Added a gray border to the left side of block quotes in the PDF report. The color of this border can now be customized.
• Snippet Insertion Modal: The snippet insertion modal has been improved to include a rendered preview, allowing you to view the snippet before adding it.
• Snippets Management Page: Enhanced the snippets management page with new sorting, searching, and tagging functionalities. Tags can be created under 'Settings > Tags'.
• PDF Metadata: PDF metadata is now customizable, allowing for tailored document information.
• Tool Output Parser: Updated and improved several tool output parsers, including enhancements to the NMAP parser.
• Status Report: New checks have been added for the web sockets connectivity. 

Bugfixes

• Resolved an issue where text dragging in the markdown editor had stopped working.
• Corrected a problem where the wrong status was set when requesting a section revision.
• Improved the rendering of components in markdown tables.
• Fixed an issue where the background line in the HTML report sometimes overlapped text in Chromium-based browsers.
• Added missing section M4 to the OWASP Mobile Top 10 assessment template.
• Updated the NCSC guidelines assessment template so that all sections at the deepest level now require findings.
• Fixed an exception in assessment versions when no classification system was enabled for one of the versions.
• Resolved an exception that occurred when adding a translation to an assessment template with no sections.
• Fixed a bug where the first page would always load when reviewing items via the review page.
• Corrected a bug where users tagged in a comment were emailed again when the comment was converted to a retest inquiry.
• Fixed the theme watermark transparency setting, ensuring that 0 is now opaque and 1 is fully transparent.
• Resolved an issue where snippets containing Unicode characters were not replaced correctly in the preview.
• Fixed an issue with rendering the findings table component outside of the assessment context.
• Optimized data loading when indexing potential findings and added an environment setting for chunk size.
• Fixed an exception on the finding templates index page when rendering templates that are not vulnerabilities.
• Improved the speed of assessment creation based on large assessment templates.
• Fixed form locking issues in assessment section templates when handling different translations.
• Resolved an issue where category names in the results table (rendered in the PDF) were not properly linked to their corresponding categories.
• Fixed a date formating issue for translated reports.

This bugfix release fixes an issue with the researcher panel and includes several other bug fixes.

Bug Fixes

• Fixed a bug where the researcher panel would break during the retest process
• Fixed an issue where the CVSS risk assessment table has two hyphens instead of a dash in the PDF report
• Fixed an issue in the HTML version of the findings table component. The severity column was hidden instead of the status column.
• Fixed a bug where the content of text files was pasted into markdown fields when you drag and drop them into the field.
• Draft sections now correctly have a draft icon in the researcher panel.

Self-hosted WebSockets, no third-party service required

Breaking change, read the upgrade guide!

WebSockets are now integrated directly into Reporter, eliminating the need for third-party services like Pusher.

WebSockets power some of our collaboration features, including the researcher panel state and form-locking functionalities. Built-in WebSockets capability allows all users, even those with stringent company policies prohibiting the use of third-party services, to utilize these features.

Moreover, this enhancement paves the way for many new and exciting features in the future. Stay tuned for upcoming updates!

Upgrade Guide

To use these features, you must update your Docker configuration. Additionally, we have dropped support for Pusher. Users who currently use Pusher are also required to update their configuration.

Upgrade Guide

Assessment sections review

Similarly to the review functionality of findings, assessment sections are now part of the review flow. The content of sections that have not yet been published is not visible to client users.

You can set the default review status of assessment sections within the assessment templates. When you create a new assessment using a template, all configured properties, including the review status, will be automatically applied. Additionally, you can update the review status for existing assessments directly through the assessment section edit function.

Other changes related to the review flow:

• A new review status, "Revision Requested," has been introduced. This status indicates that a revision is required before the review can be approved, making it clear when an item has undergone a review rather than just being drafted.
• Draft findings, retests, and assessment sections will now appear in draft reports. Previously, this feature was only available for findings. This change ensures that all draft components are included in draft reports.

Improvements

• The assessment template for "Azure Security Benchmark V3" (ASB) has been replaced with a template for its successor, "Microsoft Cloud Security Benchmark V1" (MCSB). To add the new template, use the 'Clone default template' button on the assessment templates overview page.
• The API documentation has been clarified to describe how filtering works with multiple possible values ("or" filtering).
• In the "Findings table" report component, you can now show or hide the status column or make it only appear when at least one retest has been requested.
• The API now has routes and includes that let you retrieve the entire finding timeline in one request. Support has been added for all types of finding events in the API. See the updated API documentation for details.
• More icons were added to the researcher panel to display better which sections need action. The documentation now has an extra section that explains these icons in more detail.

Bugfixes

• Fixed a regression in the researcher panel, where hidden sections were no longer indicated as such.
• The Tool Import functionality has been improved to better handle the import of very large findings.
• Fixed inconsistent capitalization in the "Risk summary table" component.
• The Okta SSO provider wasn't properly registered.
• The parsing logic for code block closing tags in the Markdown editor has been improved. This ensures that code blocks are now correctly identified and displayed as intended.
• The import process has been updated to ensure that the correct assessment is selected when importing findings from previous assessments.
• The deletion process for cloned findings with associated rejected events has been corrected.
• The task layout has been updated to handle large images in client comments more gracefully.
• Table captions now correctly display as "Table 1" without the colon if no caption text is present.
• The link in comment notifications now correctly directs to the comments tab.

Enhancements

• Add options to the report theme editor for configuring the layout of severity badges. The look of the two types of severity badges (the ones inside finding/retest metadata and the ones in different places) can now be configured separately. For CVSS badges it is also possible to configure the size of the severity score and the spacing between the severity score and severity description.

Bug Fixes

• Fixed a bug where clicking the "Quick inline edit" button on the "Account Details & Credentials" section on the assessment overview page would cause an error message to appear and the page to refresh;
• Fixed a bug that occurred when building the previous release image, that caused the latest tag to not be updated to point to the latest release image in the container registry.
• Fixed an inconsistency in the API where some of the new routes used a singular noun instead of the plural.