Releases

2021.07.23

Download Show checksums

Breaking changes

The setting 2FA_ENFORCE is renamed to MFA_ENFORCE.

Activity improvements

Elaborate activity logging is available within the assessment and under the user view.

Retest request improvements

A new assessment status "Retest requested" has been added. Creating a retest inquiry in a completed assessment now sets the status to "Retest Requested". Assessments with this status are displayed on the dashboard so a manager can easily schedule them. 

Reporter retest requested

Other:

  • The ability to cancel a retest request for a finding has been added. The report is not updated when canceling a retest. Previously, the retest request had to be deleted whereby information is lost, or a researcher/manager had to answer the retest request whereby the report was updated.
  • Reviewers can no longer trigger "Review Completed" if draft findings are remaining in the assessment.
  • Under the main menu item "Findings" it is possible to click on the "Retest requested" badge to directly show the associated retest request.

Invite users to assessment improvements

  • The "invite user" functionality has been clarified by adding tabs to the modal that separates inviting new users from existing users.
  • Clarified adding new clients for an admin/manager. It is no longer required to select a role for the client.
  • Inviting existing users to an assessment no longer refreshes the page.

Other new and improved features

  • Users without job titles or not associated with clients, now have the title of "Researcher", "Administrator", "Client" or "Member" in that order based on roles.
  • It is possible to directly link to finding events (displayed under the finding) such as a comment or a retest by clicking on the event timestamp. In these displayed finding events, the avatar and name of users now also link to the user view, so it is, for example, easy to look up this user's activity.
  • Timezones are now shown in the status report. Also, checks if the timezone is valid.
  • Assessment section updated messages are no longer sent when nothing or only the order was updated.
  • Clients can no longer be deleted if they have assessments unless the assessments are soft-deleted.
  • CVSS metrics are clarified (temporal and environmental metrics).
  • Users that receive a notification of an assessment delete request now also get a new task assigned.

Bugfixes

  • Fixed opacity setting for watermarks in the online report.
  • Fixed a bug that caused SMS notifications not always to be sent.
  • Fixed a bug where rejecting a retest from the review page would not reload the tab.
  • Fixed a bug where approving multiple findings or retests would create a string of buttons on the page.
  • Fixed a bug where creating a newly published retest would sometimes resolve it.
  • Fixed a bug where retests for a finding were sorted in a random order in the report.
  • Fixed a bug with the is-private toggle when editing comments.
  • Fixed an issue where resolved targets were not unset when unticking "partially resolve" when editing a retest.
  • Fixed two rare edge cases when changing the targets of a finding that has status changes or retests. Adding a target to the finding now also adds it to the resolved targets of resolved status changes and retests. Removing a target from the finding now resolves status changes and retests that resolve all of the finding's remaining targets.
  • Fixed an issue where the old severity determined the new status of a finding.

 

Read more

2021.06.28

Download Show checksums

Resolve findings partially

Findings with multiple targets can now be resolved for some of the targets, instead of all or none. The timeline and report will show which targets were resolved and when.

Reporter resolve finding some targets

Other new and improved features

  • The interface for adding report components has been improved.
  • The results table in the online report now has also has a legend risk indications table.
  • Pasting a link to Reporter now creates a relative link. These links keep working if the URL of Reporter changes.
  • Admins can now choose 'My Tasks' or 'All Tasks' when opening the task page.
  • The MySQL setting sql_require_primary_key that is enforced by some managed databases is now supported.
  • Findings marked as an 'Accepted Risk' can now also be imported from previous assessments.

Bugfixes

  • Fixed a bug where modified settings were not applied to reports.
  • Fixed an issue where lists could be wider than text in markdown fields.
  • Fixed an issue that made it impossible to edit the Researcher Briefing and Target Credentials from their respective tabs on an assessment page.
  • Fixed an issue where dragging-and-dropping sections would generate multiple alerts.
  • It is once again possible to assign finding templates to assessment sections through the assessment section edit page. This includes full search functionality (with synonyms) and template source icons.
Read more

2021.06.01

Download Show checksums

CVSS 3.1 Scoring System

The Common Vulnerability Scoring System Version 3.1 (CVSS) is now supported in addition to the OWASP Risk Rating methodology.

Reporter CVSS input

When starting a new assessment you can choose which scoring system you would like to use. It is possible to build a CVSS metric string by using the buttons or paste an existing CVSS metric string that will set the state of the buttons. The CVSS scoring system can be set as the default scoring system via the global settings.

Assessment access control improvements

  • Better support for the assessment manager role. The assessment manager is displayed on the assessment page.
  • Separated team access and client access into separate tabs.
  • It is possible to specify which clients receive notifications from the "Client Access" tab. Clients with notifications disabled do not receive notifications about finding events unless they were directly tagged.
  • Under the tab "Status and Phases"  the button "Autofill users" has a new option to autofill based on current permissions. Researchers who can review findings or retests are assigned as a reviewer. Anyone who can create findings or retests is assigned as a researcher if not already assigned as a reviewer.
  • Removed permissions "show as researcher", "show as client", "publish on report as researcher", and "comment as researcher". These are now handled based on the new options.

Reporter access control improvements 202105

Other improvements

  • The global findings search has been improved. Search for the (partial) name of a target and filter by assessment type, author, and target.
  • Caching of assessment users for performance improvements.

Bugfixes

  • The researcher panel search terms would sometimes reappear.
Read more

2021.04.26

Download Show checksums

Delete assessments on client's request

Clients can now request the deletion of an assessment. The assessment manager is required to confirm these requests. All associated findings, sections, targets, and documents are deleted. The assessment will be listed with a 'Deleted' status and only contain some metadata such as who requested the deletion. 

Reporter assessment deleted

The delete functionality is not visible in the UI for a client, the assessment manager should provide the URL for the client. This link can be found on the assessment show page under the settings wrench icon.

Other improvements

  • The loading speed of the findings page has been improved.
  • Improved notifications for available Reporter updates. The users that are notified and assigned to an update task can be set from the settings page. If no users are specified, all admins are notified.
  • Added a separate syntax highlighting button in the markdown editor.
  • Pull pre-build packages from Reporter's Docker container registry.
  • Changed RAM requirement (8GB) of Docker host in the readme. Default PHP settings have been changed accordingly.

Bugfixes

  • Finding templates now properly set the severity based on impact/likelihood.
Read more

2021.04.13

Tagging of findings and sections

Easily reference findings and sections by adding tags. Tagged sections and findings are rendered as links that point to the exact section/finding in the report. Use # to tag a finding and ! to tag a section.

Reporter tag finding

Only findings and sections in the same assessment can be tagged.

Improved syntax highlighting

The syntax highlighting for code blocks has been improved by adding new languages.

The following languages are currently supported:

abc, actionscript, ada, agda, apache, asn, asp, ats, awk, bash, bibtex, boo, c, changelog, clojure, cmake, coffee, coldfusion, comments, commonlisp, cpp, cs, css, curry, d, default, diff, djangotemplate, dockerfile, dot, doxygen, doxygenlua, dtd, eiffel, elixir, elm, email, erlang, fasm, fortranfixed, fortranfree, fsharp, gcc, glsl, gnuassembler, go, graphql, groovy, hamlet, haskell, haxe, html, idris, ini, isocpp, j, java, javadoc, javascript, javascriptreact, json, jsp, julia, kotlin, latex, lex, lilypond, literatecurry, literatehaskell, llvm, lua, m, makefile, mandoc, markdown, mathematica, matlab, maxima, mediawiki, metafont, mips, modelines, modula, modula, monobasic, mustache, nasm, nim, noweb, objectivec, objectivecpp, ocaml, octave, opencl, pascal, perl, php, pike, postscript, povray, powershell, prolog, protobuf, pure, purebasic, python, qml, r, raku, relaxng, relaxngcompact, rest, rhtml, roff, ruby, rust, scala, scheme, sci, sed, sgml, sml, spdxcomments, sql, sqlmysql, sqlpostgresql, stata, tcl, tcsh, texinfo, toml, typescript, verilog, vhdl, xml, xorg, xslt, xul, yacc, yaml, zsh

Bugfixes

  • Some finding templates were stored twice.
  • Fixed 500 errors on several pages.
  • API resources now return true or false for booleans instead of 1 or 0.
  • Collapsed resolved findings would only uncollapse if there were an odd number of results tables.
  • Targets results table resolved findings would not uncollapse at all due to missing script.
Read more