Releases

Improvements

• Added the ability to rotate theme text boxes;
• Improved the positioning of the comment reply based on the event ordering;
• Clarified Cloudflare documentation;

Security

• Updated a third-party library to address a known vulnerability. It's important to note that this vulnerability did not impact Reporter, as the affected functionality was not in use.

Bugfixes

• Fixed a severe slowdown when listing findings after adding a new language;
• Fixed a bug where the table of contents would have the wrong font in the theme preview;
• Addressed several minor JavaScript issues associated with the new markdown editor.
• Fixed an exception after attaching a snippet;
• Resolved an issue where deleting an assessment comment would leave its child comments visible in the timeline until the page was refreshed.

Report translations

Write your pentest reports in the language of your choice! The following key components have been made translatable to enhance your reporting experience:

• Report Themes
• Assessment templates
• Snippets
• Finding templates

Easily add new languages by importing ready-made translations from our public GitHub repository.

With this feature, you're not limited to adding new languages, but it also offers the flexibility to modify the default English terms. For instance, you can personalize your reports by renaming terms like "Proof" to "Evidence" to better align with your organization's terminology or reporting style.

New markdown editor

The markdown editor in Reporter has been completely rebuilt, offering a more robust and user-friendly experience. This upgrade paves the way for new functionalities, including the planned addition of annotation tools.

Key enhancements of the editor:

• Improved Grammar Tool Support: Enjoy better integration with grammar assistance tools such as Grammarly for error-free writing.
• Image Previews on Hover: Easily preview images by hovering over their markdown tags, adding convenience to your editing process.
• Enhanced Syntax Highlighting: The editor now offers syntax highlighting for code blocks, making code more readable.
• Streamlined Document Handling: Quickly find and track your uploaded documents within the markdown, and easily see which documents haven't been added yet.

Other improvements

• In assessments and findings, comments can now be sorted to show the most recent either at the top or bottom of the list.
• Okta SSO support.
• New target types.
• Cloudflare documentation.
• Theme textboxes are now conveniently located under the theme settings tab, eliminating the need for page reloads for each textbox change.
• Amazon S3 library updates for improved IMDSv2 support.
• The default gray font color has been darkened, making text easier to read on the web portal.
• The loading of assessments and findings with many targets has been optimized. We'll add more improvements in the upcoming releases.
• Allow disabling the verification of SMTP TLS certificates.
• The built-in Reporter theme has transitioned to Noto Sans font, enhancing multi-language support and resolving rendering issues in Adobe Acrobat Reader. You can easily configure the Noto Sans font for your own (custom) themes.

Bug fixes

• Fixed broken PDF generation caused by using ^ in code tags.
• Fixed task links on the dashboard not setting the correct status filter.
• Addressed ID confirmation failures when SSO providers return emails in uppercase.
• Fixed problems in assessments with large uploads (e.g., videos) that hindered ZIP download functionality.

Improvements

• Added the ability to migrate multiple assessments to a new theme.
• Introduced a configuration option to sign AuthnRequest messages. For more details, please refer to the updated documentation.
• Severity labels are now more consistent with other labels.

Bugfixes

• Resolved an exception that occurred when attempting to create a finding template.
• Addressed an issue where credentials for targets were not imported accurately from past assessments.
• Long words should no longer overrun table cells and page margins in the PDF report.
• Fixed an inconsistency concerning the default settings for Two-Factor Authentication.

Upgrade Heads-up! Grab a coffee and sit back while you deploy this upgrade ☕ – this release will take a bit longer than usual due to database migrations. And as always, remember to create a backup before diving in.

Single Sign-on improvements

We have reworked the authentication logic to provide much more flexibility. Updated documentation is available to guide you through the new configuration options. The most notable changes are listed below.

Setting Renamed! To improve clarity, the environment variable GOOGLE2FA_ENABLED has been renamed to TOTP2FA_ENABLED. Please note that the former name is now deprecated and will not be supported in future releases.

Important: If you are using Google as an SSO provider and 2-factor authentication (2FA) is not enforced (MFA_ENFORCE is set to false), users may be unable to confirm their identity. We strongly recommend enforcing 2FA if you use Google SSO.

Authentication

• Passwords are now optional. New users can immediately log in using their SSO provider.
• Global deactivation of password usage is possible by configuring the environment variable: PASSWORD_LOGIN_ENABLED=false.

2-Factor Authentication

• SAML2 and Graph (Microsoft Azure) SSO login methods can configured to bypass Reporter's 2FA using MFA_BYPASS_AFTER_SAML2=true and MFA_BYPASS_AFTER_GRAPH=true environment variables. This way you rely on the 2FA configuration of your SSO provider.
• If 2FA is not enforced, users can now optionally enable 2FA. Users with 2FA enabled will be prompted for a code when they log in unless their login method is configured to bypass 2FA.

Identity confirmation

Identity confirmation has been reworked for improved flexibility and security. You can now use either your 2FA or SSO provider for identity verification. For a deeper dive into the specific authentication methods, please check the updated documentation.

Broadly usable snippets

• Snippets can now be used in all markdown fields throughout Reporter.
• Snippets used in templates are converted when the template is applied.
• Researchers can now also manage snippets.
• Users can only edit snippets used in templates if they have permission to edit the template.
• Snippets now have versioning for tracking modifications.

Review Improvements

When a researcher makes a change to an already reviewed (published) finding in an active assessment, its status will revert to 'Under Review' unless the researcher also has review permissions.

Users lacking review permissions cannot edit findings or retests in finalized assessments.

Improvements

• Assessment tagging functionality has been added.
• Added a REDIS_SCHEME configuration option so you can connect to remote Redis clusters over TLS.
• Added markdown placeholders for the start and end date of the assessment.
• Added markdown placeholder for findings count (total or filtered by status or severity).
• Added date format option to the 'started-on' component.
• The clients overview page now displays 52 items on a page instead of 50, filling all rows.
• Added a references field for findings. This field was already present in the finding templates.
• On the finding detail page, if fields such as 'risk' are empty, they will not be displayed to users without editing permissions.
• Log whether activities were triggered via the API.
• Log whether activities were triggered by an impersonated user.
• For consistency in API behavior, all line endings are now converted to \r\n.

Bugfixes

• Resolved an issue preventing editing of resolved retests.
• Fixed a bug where the custom deadline field was hidden when creating a task in a continuous assessment.
• Fixed a bug where task titles and descriptions were shown incorrectly in the edit form.
• Fixed a bug where the 'Add task' button was disabled on certain pages.
• Resolved an issue on the API token page where selecting any ability radio button incorrectly defaulted to the first option.
• Fixed an issue where roles could not be renamed.
• Admins can now download management reports when they are not available to clients.
• Tooltips for unavailable management reports now correctly say why it is not available.
• Fixed a bug where swapping the researcher panel version (full vs. management view) didn't work as expected.
• Resolved an issue preventing the unsetting of VRT classifications.
• Fixed a bug where empty markdown fields with documents were not displayed.
• Fixed an issue where attempting to retrieve a file using the API with an invalid token resulted in a redirect response to the login page.
• Fixed incorrect timestamps on the user index page.

New API functionality for comments

• The API now supports creation, modification, and retrieval of assessment comments, finding comments, finding retest requests, and finding retests.
• You can reply to finding comments, assessment comments, finding retest requests, and finding retests.
• You can retrieve these events as an include with a finding or assessment.
• Replies to comments can be retrieved as an include from corresponding comments, retests, etc. For example, you can GET a finding and include comments.replies.

Improvements

• Caution tags are now also rendered in the PDF report making it consistent with the online report.
• Updated CWE classifications to v4.12.
• The output file parsers have been updated for improved performance and data extraction.
• When encountering errors during output file parsing, error messages now provide more detailed context to facilitate troubleshooting.

Bugfixes

• Resolved an issue preventing the retrieval of PDF reports via the API.
• Fixed an issue where the 'Highest Risk' badge in CVSS assessments sometimes showed the highest category, but not the highest score.
• Fixed a bug where resolved retests could not be set back to unresolved.
• Fixed a bug where the 'General activity' link was not functioning correctly on the activities page.
• Fixed an issue where provisional events in the schedule had no associated users.
• Fixed an issue where assessment sections could not be emptied by editing them in the online report.
• Fixed an issue where the status of a retest was not shown in the researcher panel.
• Fixed an issue where caution tags, @tags and component tags were sometimes rendered incorrectly.
• Fixed a crash when evaluating findings suggested as new templates if the finding has resolvers.
• Fixed an issue where users were notified twice if output file parsing failed.
• Fixed a rare exception when deleting an assessment.
• Addressed a rendering issue for long words with Unicode characters in the PDF reports.
• Fixed an issue where the next_deadline field was sometimes set incorrectly.