Releases

Note this update may take a little longer to complete than usual. Grab a ☕, and enjoy this last update of 2022 🍾

Timezones

Users can now configure their timezone. The user's timezone will be automatically set when the user first logs in after this update and can be changed from the user's profile. Users will see timestamps according to their local time, except in generated files such as PDF reports. Generated files use the application's timezone.

The application timezone can be configured via the Settings > General > Functionality page.

Reports

Any timestamps on reports, such as those in finding metadata and the generated_at placeholder you may have on the front page, are reported in the application's timezone. If you want to display the current timezone on the report, there are two options:

• If you have a generated_at timestamp on the front page of the report, we recommend adding the timezone to the format string. Either T for timezone or O for the difference to GMT. See https://www.php.net/manual/en/datetime.format.php under timezones for more options. See Settings > Report Text Boxes. For example, you can change the default [[GENERATED_AT|Y-m-d H:i:s]] to [[GENERATED_AT|Y-m-d H:i:s T]] to add your timezone at the end.
• Alternatively, you can use a placeholder component in an assessment section to add the timezone elsewhere in the report. Either by name (e.g., CET) or by difference to GMT (e.g., +0100). Use the + button when editing a section, select Placeholder and choose one of the timezone options.

API Changes

• All timestamps returned by the API are now in an ISO8601-compatible format, e.g., 2022-12-18T16:47:56.000000Z.
• Any timestamps posted to the API now expect an ISO8601-compatible format (currently only found_at).

Improvements

• More context about each finding is now displayed when importing findings from previous assessments, including the finding's status, severity, and the original assessment section.
• The severity legend is now also shown in the findings tab on the assessment page.

SAML Single Sign-On Support

We have added support for single sign-on using SAML2. See the documentation for instructions on enabling it and connecting Reporter to your SAML provider.

New API Routes

• Tasks can now be created, edited, assigned to users, and completed
• Task sets can now be created, edited, and added to assessments.
• You can now create findings from finding templates through the API

The python API wrapper has been updated with the new routes. Check the API documentation for details.

Results Table Options

New options are available for results table component:

• The green checkmark or red X that indicates if vulnerabilities are present in a category can now be disabled.
• Choose which risk severity flips a category from a green checkmark to a red X.

Moreover, you can now select options for the results table in the Findings tab of an assessment. Assessment-level settings are used as the default for any settings not explicitly set in the component. You can set a default for new assessments from Settings > General > Assessment Defaults.

Other Changes

• Uploaded images are now optimized.
• Updated tool output file parsers.
• The upload bar has been improved so that it no longer looks like an upload is finished when it is still processing.
• Added a webhook that fires when a new update for Reporter is available.
• Missing or inaccessible images in markdown fields now show an 'image not found' placeholder image.
• Optimized PDF report creation process.

Bugfixes

• Fixed an issue where 'edit severity' was always unchecked when editing a draft retest.
• Fixed broken image border color setting.
• Fixed an issue where the short ID field was too short to fit a short ID.
• Fixed an issue where the automatically suggested short ID would sometimes be too long.
• Fixed a rare exception when trying to download PDF reports.
• Fixed an issue where assessments were sometimes incorrectly sorted when deadlines were set using the API.
• Fixed a bug where completed assessments weren't sorted properly.
• Fixed an issue where documents for new findings, targets, and finding templates weren't read properly after a validation error.

Assessment Templates - Requires Attention

API breaking change! To improve clarity, 'Assessment Types' have been renamed to 'Assessment Templates'. Due to this, there are some breaking changes in the API:

• The assessment_type_id and assessment_type_name fields on assessments have been renamed respectively to assessment_template_id and assessment_template_name. Requests to retrieve assessment types (now templates) and to create assessments will need to be updated. Requests to update assessments may also need to be updated if they modify either of the renamed fields.
• Finding Templates now have a severity_metrics_all field that contains different metrics for each scoring system. See the updated API documentation for details, and note that finding templates may only have metrics for a subset of the scoring systems.

Client Leads

Admins can now assign client users as client leads within an assessment, similar to how they can assign researchers as managers.

Client leads are displayed more prominently on the assessment page and serve as primary contact for other client users. Besides this, leads can have additional privileges that can be configured via the main menu under Settings > General > Functionality. You can configure which client users can access the following functionality:

• Managing other client users.
• Requesting assessment deletion.

Note! For existing Reporter installations, these functionalities will be available for all client users after updating. We recommend limiting these functionalities to client leads only. Please note that by doing so, you are required to assign client leads for existing assessments to make these functionalities available.

New Assessment Templates

Reporter ships with several built-in assessment templates you can use as a basis for your templates and reports.

We have added the following new default templates:

• OWASP Kubernetes top 10
• OWASP Docker top 10
• Azure Security Benchmark (v3)
• CWE SANS Top 25 - version 2022

These new templates, and fresh copies of the existing templates, can now be imported from the Assessment Template page. They are not automatically added to existing installations. More templates will be added in future releases.

CSV Export

Exporting an assessment's findings to a CSV file from the assessment overview page is now possible.

Other Changes

• Finding templates can now be set up using multiple scoring systems. Reporter uses the score from the appropriate scoring system when you use a template to create a finding.
• When you create an API token, you can now set a date/time for it to expire.
• The 'Findings Table' report component can now be sorted by severity, name, or one of several more options. If you want to use this feature, we recommend re-adding the component to your assessment templates and selecting the desired sorting option.
• Improved the way suggested changes to finding templates are compared to the original when evaluating the change.
• Improved the comparison between a finding and similar findings and finding templates when suggesting a finding as a new template or evaluating the suggestion.
• Third-party finding templates have been updated.
• Added the ability to import default assessment templates. Default templates were previously only seeded into new environments.
• To improve consistency with other scoring systems, saving a finding with CVSS score 0 will no longer set its severity to OK but to Info.
• The API wrapper (https://pypi.org/project/securityreporter/) has been updated to work with the latest API changes.

Bugfixes

• Fixed an issue where the front page was sometimes missing in PDF reports.
• When a user is blocked, they are no longer removed as researchers or reviewers from assessment phases, or from the front page of assessments.
• Fixed a bug where required markdown fields would block a form from being submitted without displaying any errors.
• Fixed an error where validation errors weren't always shown for markdown fields.
• Fixed a bug where automatically scrolling to the first error in a form would sometimes scroll too far.
• Fixed a bug where the online report did not show the content middle background image.
• Fixed a bug where non-vulnerable severities were not copied with templates.

Requires Attention

Breaking change! Environment variables related to the SMS configuration have been renamed. To prevent breaking functionality related to SMS (such as 2FA), the variables listed below should be renamed. See the documentation for more information.

Python API wrapper

We've released an API wrapper to simplify the interaction with the Reporter API:

• https://github.com/dongit-org/python-reporter
• https://pypi.org/project/securityreporter/

Multiple report themes

Major improvements have been added to the Report theming. You can now create multiple report themes that can be assigned to individual assessments or assessment types. Besides this, many other improvements are included, such as the exporting and importing of themes, the ability to upload or swap entire font families, and to change the font of code blocks.

Improved search 

Another major addition in this release is the improvement of the search functionality, including many new filters and a toggle for the 'AND'-search.

Other new and improved features

• Mobile phone numbers are now validated and stored according to international standards.
• Added examples for classifications in finding and finding template API docs.
• Added an option to the results table component to show the complete short ID for each finding.
• Invite client users by selecting a group on the assessments show page.
• Option to hide table of contents in reports.
• Allow SVG images for client logos.
• Add a button in user profiles that links to the user's activities.
• Make the assessment type name editable.

Bugfixes

• Fixed an issue where fonts with certain special characters in the file name (such as underscores) broke the PDF report.
• Fixed an issue where captions for syntax-highlighted code blocks were missing in the PDF report.
• Fixed an issue where captions of code blocks used the wrong font in the HTML report.
• Similar to the HTML report, inline images are rendered inline in the PDF reports.
• Header sizes in the PDF and HTML reports are now consistent. 
• Focus markdown area when clicking the input label.

Task Improvements

• Directly create new tasks from the researcher panel.
• Assign weights to custom tasks and tasks in task sets. Tasks with higher weights are displayed first in the overview.
• The deadline options for tasks have been clarified.
• Custom tasks are no longer required to have a deadline. Tasks without a deadline are never hidden.
• The visibility of the number of tasks has been improved in the researcher panel.
• More task activities are now being logged.
• Tasks created by using task sets now have a label with the name of the task set.
• The user who has completed a task is now displayed.

Bugfixes

• Fixed an issue where generating a preview report would fail when using the 'Researchers' component on the front page without (academic) titles.
• Fixed a bug where the 'Relevant for assessment status'-filter also filtered out completed tasks.
• Fixed an issue where tasks with no deadline were listed before tasks with a deadline.