Releases

Enhancements

• Add options to the report theme editor for configuring the layout of severity badges. The look of the two types of severity badges (the ones inside finding/retest metadata and the ones in different places) can now be configured separately. For CVSS badges it is also possible to configure the size of the severity score and the spacing between the severity score and severity description.

Bug Fixes

• Fixed a bug where clicking the "Quick inline edit" button on the "Account Details & Credentials" section on the assessment overview page would cause an error message to appear and the page to refresh;
• Fixed a bug that occurred when building the previous release image, that caused the latest tag to not be updated to point to the latest release image in the container registry.
• Fixed an inconsistency in the API where some of the new routes used a singular noun instead of the plural.

SCIM auto-provisioning  

Reporter now supports SCIM identity providers, such as Microsoft Entra ID and Okta, for user provisioning. SCIM groups can be used to quickly and automatically assign Reporter roles to users in those groups.

Zapier Integration Published

Seamlessly integrate popular applications into your workflow. For instance, connect systems like ServiceNow, Jira, Azure DevOps, or PowerBI. Over time, we'll add more one-click integrations, enhancing your productivity and connectivity.

https://zapier.com/apps/security-reporter

Account Manager Role

We have added an 'Account Manager' role. This role is perfect for delegating client-specific assessment management without granting access to all assessments in the application.

Key Features of the Account Manager Role:

• Client-Specific Access: Account Managers can only access the clients and assessments they are assigned to manage, ensuring focused and secure management.
• Client Creation: Account Managers have the ability to create new clients. They are automatically assigned as the Account Manager for any client they create.
• Assessment Creation: Account Managers can create assessments for their assigned clients. They will automatically be designated as the manager for any assessments they initiate.

The existing 'Project Manager' role has been renamed to 'Project Admin' to highlight the admin-level access they have to all assessments.

Enhancements

• Give and receive quick feedback using Emoji Reactions, avoiding a long comment thread.
• Assessment versioning:
  • See what changes have been made by whom and at what time.
  • Adds the 'Last edited X% by/on' bar to the shared information, internal details, and researcher briefing tabs.
  • Users who can see the tab can see and compare versions of those fields.
• The researcher panel has been rebuilt from the ground up with a cleaner, more modern look, opening the doors to some exciting new features.
• The font casing for the severity scores is now customizable. See the theme options. 
• Finding templates can now be sorted by severity, weight, last used at, and created at.
• SAML2: support nameid-format:emailAddress. This improves the handling of SAML2 responses by attempting to read the user's email address from the NameId element rather than just the attributes. This behavior can be customized to only look for the NameId element or only look at attributes; see the updated documentation.
• Add comment functionality to more finding events, such as finding rejected events after a review.
• New parsers for output files of well-known tools, such as Tenable Nessus, have been added, and existing parsers have been updated.
• You can now add Authorization: Bearer tokens to webhooks.
• Made several performance tweaks for the report generation.

Bug Fixes

• Fixed missing language option in the evaluate new template suggestion form.
• Fixed an issue where headers above h6 would crash PDF report compilation.
• Fixed an issue where the 'reviewed at' timestamp was displayed incorrectly.
• Fixed an issue that would sometimes incorrectly show an 'Unspecified' badge in the findings table on the report.

API improvements

 
API availability for client users

The API is now accessible to client users, enabling automation of their assessment processes for improved efficiency. 

To enable this feature, navigate to 'General Settings' from the main menu, proceed to the 'Functionality' tab, and under the 'Client Users' section, switch on 'Clients have API access'. Once activated, the API documentation becomes available to client users through the main menu for easy access.

API Wrapper update

The API wrapper has received a significant upgrade to include the latest endpoints to simplify your integration processes. It is now officially tagged as version 1.0 🎉. Using PyPI for distribution, we make it effortlessly simple for you to bring our wrapper into your projects: https://pypi.org/project/securityreporter/. For a deeper dive into what's new, swing by our GitHub page: https://github.com/dongit-org/python-reporter.

Future Integration: Zapier Support

Preparation is underway to introduce Zapier support, aimed at enhancing workflow integration capabilities with our platform.

Heads up! Breaking API changes

• Uploading a document for a model now requires the API token to have write permissions for that model.
• Downloading a document of a model now requires the API token to have read permissions for that model.

Private comments in assessment sections

For improved collaboration, it is now possible to add private comments to assessment sections. This functionality will be expanded in future releases to integrate fully into the assessment review flow.

Other Improvements

• Finding metadata in reports is now fully customizable via the Theme Editor under the tab 'Metadata'.
• Support for checkboxes (markdown task lists) has been added to the markdown editor. For more information, visit https://www.markdownguide.org/extended-syntax/#task-lists.
• Document margins can now be adjusted within the Theme Editor for enhanced layout control.
• Page numbering can now include total pages (e.g., '3 of 40') and can be configured in the Theme Editor. The format of the string is customizable through the translations feature to adopt different formats, such as 'Page 3/40'.
• A 'Versions' button has been added to finding retests when there are at least two versions, facilitating easier navigation through version history.
• Added a placeholder for the language of the report.
• Adding an image to a markdown field now inserts  [Caption_here] with an underscore, enabling double-click selection.

Bugfixes

• Fixed several bugs related to the PDF report, such as:
  • Corrected scaling of colored severity circles in results tables to match font size.
  • Ensured check marks align properly with text in results tables.
  • Resolved full-width tables extending beyond the right margins.
  • Fixed fields not being prefilled as expected.
• Corrected a glitch in the action plan table that previously resulted in an unnecessary empty line when titles or actions were on the verge of not fitting.
• Fixed an issue where tagged users in assessment would not always receive an email notification.

Upgrade Heads-up! Grab a coffee and sit back while you deploy this upgrade ☕ – this release will take a bit longer than usual due to database migrations. And as always, remember to create a backup before diving in.

Frequent assessment tabs

Your go-to assessments are now even more accessible! We've introduced a new feature that places your most frequently visited assessments at the top of the screen for quick navigation. For even faster access:

• Pin your favorites: Simply hover over a tab to pin assessments you frequently use.
• Discover more: Click the dropdown icon on any frequent assessment tab to view additional information and insights.

Display of findings with many targets

To enhance clarity and reduce clutter in areas of the application and reports that display finding targets, we've introduced a new approach:

• Simplified Target Lists: In reports, tables, and the researcher panel, we now show a concise list of targets (e.g., "target1, target2, target3, and 17 more"), providing a cleaner view without compromising on detail for findings with numerous targets.
• Detailed Reporting: Each report now efficiently lists up to 25 unresolved and 25 resolved targets, clearly indicating if more targets are not shown.
• Improved Navigation: The main findings page features paginated targets, making it easier to navigate and review extensive lists.
• Customization and Localization: Tailor the presentation to your needs by customizing and translating the "..., and x more" string for reports. This option is available under Settings > Languages, ensuring that the interface meets both your linguistic and functional preferences.

Other Improvements

• We've restructured how comments and status updates (finding events) are displayed under findings in the portal, leading to enhanced performance and reliability. This update also resolves a previous issue where the API was not returning certain comments.
• The review page now shows all finding events for reviewable findings instead of just some of them.
• We've updated our markdown editor shortcuts to avoid conflicts with common operating system shortcuts and enhance consistency with other tools like GitHub and Slack. The shortcuts have been added to the documentation.
• The markdown editor's ! character has been refined to make toggling the reference popover in the markdown editor smoother.

Bugfixes

• Fixed a bug where the CVSS 4 calculator did not correctly calculate a score of 0.
• Resolved a double HTML encoding issue affecting several values, particularly within task functionality.
• Fixed the drag-drop behavior of text in the markdown editor. 
• Fixed breaking side-by-side diff when long words were used.
• Fixed an issue where full-width tables were always aligned left.
• Fixed bug where date format was always added to component placeholders in the markdown editor.
• Fixed several minor bugs related to the theme text items and multi-language feature.
• Addressed inconsistent line wrapping in report PDFs.
• Empty comments now trigger a clear validation error.
• The correct radio button values are now set when editing an assessment role for the permission "edit internal details".

Analytics Page

Dive into a comprehensive analytics page accessible from the main menu. Explore detailed insights, including findings, assessments, trend analyses, severity counts, remediation strategies, and the top 5 assigned classification categories for each classification system. Tailor the analytics to meet your needs with filters for each client.

The dashboard for client users has been refreshed, showcasing key analytics - findings categorized by severity and status, critical and high-risk remediation efforts, average resolution times, and the top 5 unresolved severe findings, including their age.

Action Plan 

Activate the Action Plan for an assessment to define a clear path forward for resolving findings. Customize each action plan with:

• Priority: Set the urgency levels.
• Complexity: Estimate the effort required for resolution.
• Action: Outline specific steps for mitigation.

With the Action Plan enabled, you can gain immediate access to a dedicated action tab from the assessment page and seamlessly integrate the action plan table into any report section. Simply select it from the component list in the markdown editor for seamless integration.

CVSS 4.0 Scoring System

Reporter now supports the latest Common Vulnerability Scoring System, Version 4.0 (CVSS 4), offering a more nuanced and precise approach to vulnerability scoring. This enhancement allows users to assess and prioritize vulnerabilities with greater accuracy. Alongside the integration of CVSS 4, we've implemented improvements across all scoring systems within Reporter.

Other Improvements

• A new global "Project manager" role. This role is tailor-made for those who oversee project progress and quality without altering core system configurations. 
• Users can now import findings from previous assessments with the status "draft" or "under review" instead of "published".
• To ensure the integrity of published findings, importing findings as "published" now requires review permissions.
• Improved text selection behavior in the markdown editor.
• Add researchers and reviewers to the report separately.

Security

Webhook secrets have been removed from the edit page.

Bugfixes

• Addressed an issue where users were unable to reset a finding's original severity and remove status change events if the current and original severities matched.
• Corrected the sorting order for resolved targets in finding events to ensure accuracy when displaying the most recent events first. Furthermore, the loading performance has been improved.
• Fixed a problem that prevented ordering first-level assessment sections within assessment templates.
• Fixed notification label sizing.
• Fix the 'enable password' checkbox on the setup page.
• Fixed inconsistent indentation of lists in the PDF report.
• Fixed a bug where tables that should appear indented in a list were not indented properly.
• Finding retests now have a versions button.
• Fixed an issue where date formats for placeholder components were not added to the shortcode.