Releases

Updated API endpoint for listing finding events

Breaking change!

The API endpoint for listing finding events has been updated to make it consistent with other index routes. The endpoint has changed from: /api/v1/findings/{finding_id}/finding-events to /api/v1/finding-events.

Bug Fix: The old endpoint had a bug where it did not correctly filter by finding ID. This issue is resolved with the new endpoint and filtering method. To get all finding events associated with a particular finding, use the new endpoint with a filter parameter:

GET /api/v1/finding-events?filter[finding_id]={finding_id}

Webhook improvements

• Conditional Webhooks: You can now set conditions for each webhook using JMESPath syntax to determine whether it should be triggered, giving you more control over webhook execution.
• Assessment Completed Webhook: A new webhook has been added that triggers when an assessment is set to a completed state ('Completed' or 'Retest Completed'), allowing you to automate actions based on assessment completion.

New global user roles

Introduced new global user roles: 'Assessment Template Manager', 'Finding Template Manager', and 'Assessment Theme Manager':

• These roles are generally assigned alongside other roles like Researcher, Account manager, or Project admin.
• They can also be stand-alone roles for users needing limited access, such as theme designers without assessment access.

Limitations:

• Finding Template Managers cannot see suggestions for finding templates if they don't have access to the findings they are based on.
• Assessment Theme Managers cannot mass migrate assessments to a new theme unless they also have admin or project admin permissions.

Other improvements

• The Python API wrapper has received several updates; see https://github.com/dongit-org/python-reporter for details. 
• Added support for Microsoft Graph mail.
• Pipedream now offers integration with Security Reporter; see https://pipedream.com/apps/security-reporter for details.
• Added tagging functionality to clients; only account managers, project admins, and admins can see and filter by tags.
• The snippets feature has been enhanced with several updates: the index page now includes table hover effects, filtering, and sorting options; the insertion modal has been reformatted; tag functionality has been added for better organization; and snippets can now be inserted into other snippets.
• Introduced a new assessment setting to disable retesting functionality.
• Made it configurable for assessment sections whose subsections have the 'can have findings' setting enabled to appear in the results table.
• Updated the notification system to ensure that all associated users receive timely alerts whenever an assessment is rescheduled.
• Added the ability to sort finding templates by weight via the API.
• Activity related to assessment and finding templates are now logged and accessible via the activity page.
• Added a placeholder for the 'completed at date' of the initial assessment phase.
• Added a global setting for password-protecting report PDFs. This setting can be enabled under 'Settings > General > Miscellaneous > Generate a password for PDF Reports'.

Bug Fixes

• Fixed an issue where caution tags in references were ignored.
• Ensured client changes to shared information are recognized as a new version.
• Resolved a problem where linking many potential findings to a finding did not work.
• Referenced findings not present in the report are now rendered as plain text instead of links, allowing references to findings in the management summary even if they are not included.
• Fixed an error on the user view page that occurred if the current user didn't have a timezone set.
• Fixed a redirect issue when changing the status of a finding retest through the inline edit functionality.
• Resolved a '403 Unauthorized' error when using the Finding Templates Create API function, ensuring API keys with the correct permissions work as intended.
• Improved the assessment sections API update: researchers now receive clear validation errors when attempting to modify unauthorized fields, and fixed a bug preventing admins from setting a published review status via the API.
• Fixed the 'Copy to Clipboard' button not updating correctly after saving an inline edit.
• Restored the 'Submit for Review' button for assessment sections that required revisions.
• Fixed a bug in the inline editor of the HTML report that occasionally prevented the editor from being locked.
• Fixed a validation error on the vulnerability field when updating a finding with the status 'Retest Pending'.

Improvements

• The action plan now has the 'Urgent' priority level and the 'Very Complex' complexity option, which provides a more precise categorization of critical and challenging tasks.

Bug Fixes

• Resolved an issue that prevented proper rendering of finding references in the PDF report.
• Fixed a rare migration error that occurred when a bold font was missing in one of the report themes.
• Removed the assessment template name from the breadcrumb path on the assessment section page.
• Fixed a bug on the finding details page where the status wasn't updated when a researcher updated the finding using the inline editor.

Audit functionalities

A new ISO 27001:2022 assessment template is now available, providing a standardized approach to compliance evaluations. We've also introduced a new audit scoring system with the categories Compliant, Opportunity for Improvement, Minor Non-Conformity, Major Non-Conformity, and Not Applicable. Additionally, a new audit scoring table component offers a clear overview of the number of findings for each score category:

You can add the new ISO 27001 template using the 'Clone default template' button on the 'Assessment Templates' page.

Improvements

• PDF Report Tables: Table headings now automatically repeat on every page when a table spans multiple pages, enhancing readability. This default behavior can be disabled if needed.
• Referenced Findings: Added severity circles wherever findings are referenced in markdown fields using the # key to link to other findings.
• Webhooks: OAuth2 connection support for webhooks.
• CVSS Metrics Linking: CVSS metrics in PDF and online reports are now linked to the CVSS calculator built into Reporter. It is also possible to link to the FIRST.org CVSS calculator instead or disable links altogether. This can be configured in the settings of a Reporter theme under the 'Miscellaneous' tab.
• Finding Section Titles: You can now configure the titles of finding sections independently from the headings in the report theme configuration.
• Notification documentation: Added new documentation detailing when notifications are sent and the specific types of notifications that are triggered.
• Activity Storage Retention: Added documentation on the ACTIVITY_LIFETIME environment variable, which determines how long the activity trail is retained.
• Targets Placeholder: Added a targets placeholder that, when rendered, displays a list of the assessment targets.
• Code Blocks: Added a copy button that appears when hovering over code blocks for easier copying of code snippets.
• Results Table Component: Sections that cannot have findings now appear in the results table if they contain child sections that can have findings.
• Action Plan and Findings Table Component: A new option is available to remove page numbers from the action plan and findings table components.
• Block Quote Styling: Added a gray border to the left side of block quotes in the PDF report. The color of this border can now be customized.
• Snippet Insertion Modal: The snippet insertion modal has been improved to include a rendered preview, allowing you to view the snippet before adding it.
• Snippets Management Page: Enhanced the snippets management page with new sorting, searching, and tagging functionalities. Tags can be created under 'Settings > Tags'.
• PDF Metadata: PDF metadata is now customizable, allowing for tailored document information.
• Tool Output Parser: Updated and improved several tool output parsers, including enhancements to the NMAP parser.
• Status Report: New checks have been added for the web sockets connectivity. 

Bugfixes

• Resolved an issue where text dragging in the markdown editor had stopped working.
• Corrected a problem where the wrong status was set when requesting a section revision.
• Improved the rendering of components in markdown tables.
• Fixed an issue where the background line in the HTML report sometimes overlapped text in Chromium-based browsers.
• Added missing section M4 to the OWASP Mobile Top 10 assessment template.
• Updated the NCSC guidelines assessment template so that all sections at the deepest level now require findings.
• Fixed an exception in assessment versions when no classification system was enabled for one of the versions.
• Resolved an exception that occurred when adding a translation to an assessment template with no sections.
• Fixed a bug where the first page would always load when reviewing items via the review page.
• Corrected a bug where users tagged in a comment were emailed again when the comment was converted to a retest inquiry.
• Fixed the theme watermark transparency setting, ensuring that 0 is now opaque and 1 is fully transparent.
• Resolved an issue where snippets containing Unicode characters were not replaced correctly in the preview.
• Fixed an issue with rendering the findings table component outside of the assessment context.
• Optimized data loading when indexing potential findings and added an environment setting for chunk size.
• Fixed an exception on the finding templates index page when rendering templates that are not vulnerabilities.
• Improved the speed of assessment creation based on large assessment templates.
• Fixed form locking issues in assessment section templates when handling different translations.
• Resolved an issue where category names in the results table (rendered in the PDF) were not properly linked to their corresponding categories.
• Fixed a date formating issue for translated reports.

This bugfix release fixes an issue with the researcher panel and includes several other bug fixes.

Bug Fixes

• Fixed a bug where the researcher panel would break during the retest process
• Fixed an issue where the CVSS risk assessment table has two hyphens instead of a dash in the PDF report
• Fixed an issue in the HTML version of the findings table component. The severity column was hidden instead of the status column.
• Fixed a bug where the content of text files was pasted into markdown fields when you drag and drop them into the field.
• Draft sections now correctly have a draft icon in the researcher panel.

Self-hosted WebSockets, no third-party service required

Breaking change, read the upgrade guide!

WebSockets are now integrated directly into Reporter, eliminating the need for third-party services like Pusher.

WebSockets power some of our collaboration features, including the researcher panel state and form-locking functionalities. Built-in WebSockets capability allows all users, even those with stringent company policies prohibiting the use of third-party services, to utilize these features.

Moreover, this enhancement paves the way for many new and exciting features in the future. Stay tuned for upcoming updates!

Upgrade Guide

To use these features, you must update your Docker configuration. Additionally, we have dropped support for Pusher. Users who currently use Pusher are also required to update their configuration.

Upgrade Guide

Assessment sections review

Similarly to the review functionality of findings, assessment sections are now part of the review flow. The content of sections that have not yet been published is not visible to client users.

You can set the default review status of assessment sections within the assessment templates. When you create a new assessment using a template, all configured properties, including the review status, will be automatically applied. Additionally, you can update the review status for existing assessments directly through the assessment section edit function.

Other changes related to the review flow:

• A new review status, "Revision Requested," has been introduced. This status indicates that a revision is required before the review can be approved, making it clear when an item has undergone a review rather than just being drafted.
• Draft findings, retests, and assessment sections will now appear in draft reports. Previously, this feature was only available for findings. This change ensures that all draft components are included in draft reports.

Improvements

• The assessment template for "Azure Security Benchmark V3" (ASB) has been replaced with a template for its successor, "Microsoft Cloud Security Benchmark V1" (MCSB). To add the new template, use the 'Clone default template' button on the assessment templates overview page.
• The API documentation has been clarified to describe how filtering works with multiple possible values ("or" filtering).
• In the "Findings table" report component, you can now show or hide the status column or make it only appear when at least one retest has been requested.
• The API now has routes and includes that let you retrieve the entire finding timeline in one request. Support has been added for all types of finding events in the API. See the updated API documentation for details.
• More icons were added to the researcher panel to display better which sections need action. The documentation now has an extra section that explains these icons in more detail.

Bugfixes

• Fixed a regression in the researcher panel, where hidden sections were no longer indicated as such.
• The Tool Import functionality has been improved to better handle the import of very large findings.
• Fixed inconsistent capitalization in the "Risk summary table" component.
• The Okta SSO provider wasn't properly registered.
• The parsing logic for code block closing tags in the Markdown editor has been improved. This ensures that code blocks are now correctly identified and displayed as intended.
• The import process has been updated to ensure that the correct assessment is selected when importing findings from previous assessments.
• The deletion process for cloned findings with associated rejected events has been corrected.
• The task layout has been updated to handle large images in client comments more gracefully.
• Table captions now correctly display as "Table 1" without the colon if no caption text is present.
• The link in comment notifications now correctly directs to the comments tab.