Releases

2021.06.01


CVSS 3.1 Scoring System

The Common Vulnerability Scoring System Version 3.1 (CVSS 3.1) is now supported in addition to the OWASP Risk Rating methodology.

[Screenshot: Reporter CVSS input]

When starting a new assessment you can choose which scoring system you would like to use. A CVSS metric string can be built by using the buttons, or an existing CVSS metric string can be pasted, which sets the state of the buttons accordingly. CVSS can be made the default scoring system via the global settings.

Assessment access control improvements

  • Better support for the assessment manager role. The assessment manager is now displayed on the assessment page.
  • Team access and client access have been split into separate tabs.
  • Which clients receive notifications can be specified from the "Client Access" tab. Clients with notifications disabled do not receive notifications about finding events unless they were tagged directly.
  • Under the "Status and Phases" tab, the "Autofill users" button has a new option to autofill based on current permissions. Researchers who can review findings or retests are assigned as a reviewer. Anyone who can create findings or retests is assigned as a researcher, unless already assigned as a reviewer.
  • The permissions "show as researcher", "show as client", "publish on report as researcher", and "comment as researcher" have been removed. These cases are now handled by the new options.

[Screenshot: Reporter access control improvements]

Other improvements

  • The global findings search has been improved. Search for the (partial) name of a target and filter by assessment type, author, and target.
  • Assessment users are now cached, which improves performance.

Bugfixes

  • Search terms in the researcher panel would sometimes reappear.

2021.04.26


Delete assessments on client's request

Clients can now request the deletion of an assessment. The assessment manager is required to confirm these requests. On confirmation, all associated findings, sections, targets, and documents are deleted. The assessment is then listed with a 'Deleted' status and only retains some metadata, such as who requested the deletion.

[Screenshot: Reporter assessment deleted]

The delete functionality is not visible in the UI for a client; the assessment manager has to provide the URL to the client. This link can be found on the assessment show page under the settings wrench icon. Because the request still has to be confirmed by the assessment manager, handing out the link does not by itself delete anything.

Other improvements

  • The loading speed of the findings page has been improved.
  • Improved notifications for available Reporter updates. The users that are notified and assigned to an update task can be set from the settings page. If no users are specified, all admins are notified.
  • Added a separate syntax highlighting button to the markdown editor.
  • Pre-built packages are pulled from Reporter's Docker container registry.
  • The RAM requirement for the Docker host in the readme has been changed to 8 GB. Default PHP settings have been changed accordingly.

Bugfixes

  • Finding templates now set the severity correctly based on impact and likelihood.

2021.04.13

Tagging of findings and sections

Easily reference findings and sections by adding tags. Tagged sections and findings are rendered as links that point to the exact section/finding in the report. Use # to tag a finding and ! to tag a section.

[Screenshot: Reporter tag finding]

Only findings and sections in the same assessment can be tagged.

Improved syntax highlighting

The syntax highlighting for code blocks has been improved by adding new languages.

The following languages are currently supported:

abc, actionscript, ada, agda, apache, asn, asp, ats, awk, bash, bibtex, boo, c, changelog, clojure, cmake, coffee, coldfusion, comments, commonlisp, cpp, cs, css, curry, d, default, diff, djangotemplate, dockerfile, dot, doxygen, doxygenlua, dtd, eiffel, elixir, elm, email, erlang, fasm, fortranfixed, fortranfree, fsharp, gcc, glsl, gnuassembler, go, graphql, groovy, hamlet, haskell, haxe, html, idris, ini, isocpp, j, java, javadoc, javascript, javascriptreact, json, jsp, julia, kotlin, latex, lex, lilypond, literatecurry, literatehaskell, llvm, lua, m, makefile, mandoc, markdown, mathematica, matlab, maxima, mediawiki, metafont, mips, modelines, modula, modula, monobasic, mustache, nasm, nim, noweb, objectivec, objectivecpp, ocaml, octave, opencl, pascal, perl, php, pike, postscript, povray, powershell, prolog, protobuf, pure, purebasic, python, qml, r, raku, relaxng, relaxngcompact, rest, rhtml, roff, ruby, rust, scala, scheme, sci, sed, sgml, sml, spdxcomments, sql, sqlmysql, sqlpostgresql, stata, tcl, tcsh, texinfo, toml, typescript, verilog, vhdl, xml, xorg, xslt, xul, yacc, yaml, zsh

Bugfixes

  • Some finding templates were stored twice.
  • Fixed 500 errors on several pages.
  • API resources now return true or false for booleans instead of 1 or 0.
  • Collapsed resolved findings would only uncollapse if there was an odd number of results tables.
  • Resolved findings in the targets results table would not uncollapse at all because of a missing script.

2021.04.06

Temporary assessment permissions

Give users temporary access to assessments by setting an expiration date (see screenshot below).

[Screenshot: Reporter temporary assessment permissions]

Short ID

Every finding now has a unique identifier called “Short ID” for quick reference.

[Screenshot: Reporter Short ID]

Snippets

Snippets are reusable text fragments that can be added to the sections of an assessment type.

Improved task filters

  • Outside an assessment, admins now see all tasks by default.
  • Admins can now filter tasks by user (or by unassigned).
  • Tasks can be filtered by type.
  • Notifications and tasks can now be filtered using “Older Than” and “Newer Than” with predefined values.

Other

  • Added an installation status report page.
  • Improved clarity of 'Request retest' functionality.
  • 'Submissions' have been renamed to 'Findings'.