Releases

Improvements

• Retrieve PDF reports via the API.
• The maximum height of images in PDF reports has been increased to match the size of the page, providing better visual representation.
• Importing findings from previous assessments has been improved for better clarity.
• Error messages have been clarified when uploading files with incorrect mime types.
• Breaking of words in the PDF report has been improved to prevent code blocks from overflowing.

Fixes

• Fixed defaults for the 'by'-parameter of the 'results table' component.
• Fix icon position in document components within the online report.
• Resolved a bug where users were not receiving notifications when the parsing of an output file failed.
• Fix an unexploitable open redirect issue.
• Fixed an issue where the API returned empty classifications as [] instead of {}.

Schedule Export

This new feature lets you conveniently move your Reporter schedule events into your go-to applications or calendars, including Google Calendar and Microsoft Outlook.

To get started:

1. Navigate to the Schedule page in your Reporter account.
2. Click on the Export Schedule button.

Refer to our updated documentation for more information about this new feature.

Bugfixes

• Fixed a rare issue that could cause "This is what you missed on <assessment>"-emails to be sent multiple times or not at all.
• Inline code blocks have been optimized to prevent running off the page. They now automatically continue onto the next line for better readability. 
• Corrected a problem with very long inline code sections disrupting PDF compilation. This issue is now fully resolved.
• Addressed an issue where deleting a document could delete all copies of that document. For example, removing a screenshot from a finding would also remove it from that finding's versions.
• Fixed a rendering problem where embedded images in SVG files were not displaying correctly in PDFs. 
• Fixed the "Add User" button on the client page.

Finding Template Tags 

You can now add tags to finding templates making it easier for you to categorize and organize your templates.

• Tags are not case-sensitive.
• You can filter by tag in the app and the API.
• Tags are automatically created when you add them to a template.
• Manage tags (index, create, edit, and delete) via Settings > Tags.
• Tags are remembered in finding template versions, even if they are subsequently deleted or renamed.
• Reverting a version of a template will recreate deleted tags and attach the updated version of existing tags.

Code Block Customization 

New customization options for code blocks in reports have been introduced, including:

• All colors used in syntax highlighting.
• Bold and italic settings for each syntax highlighting token.
• The color of the box.
• The color of the highlighting marker.

To access these customization options, navigate to Settings > Report Themes > {your theme} > Syntax highlighting. In addition, we have included several pre-designed syntax highlighting color schemes that you can apply with just one click.

Report Back Page

You can now add a back page to the reports. To set a background image for the back page, go to Settings > Report Themes > {your theme} > Backgrounds, and you can add content for it by creating text boxes under Settings > Report Text Boxes.

A back page will only be displayed if it contains content or a background image.

Improvements

• The caption of the findings table component information about the ordering, providing more context and clarity.
• Users are now sorted by their full name by default.
• API: filters now match exact values, except for arrays, objects, and certain text fields.

Bugfixes

• Fixed a bug that caused struck-out "Unspecified" badges to appear on unpublished findings in online reports and draft PDF reports.
• Fixed several sorting issues in the Findings Table component:
  • CVSS findings are now sorted correctly by severity.
  • Non-vulnerable findings now appear last when sorting by status.
  • Resolved findings are no longer sorted last when sorting by severity.
• API: Fixed an issue where empty classifications were returned as [] instead of {}

Assessment comments

Similar to the existing commenting functionality for findings, you can now post comments regarding the entire assessment to enhance collaboration and communication. Furthermore, comments include events that display assessment status changes and the responsible individual, providing valuable context.

Assessment commenting key features:

• Private comments for researchers
• Replies to threads
• Tasks to reply to client comments
• User tagging with immediate notifications
• Other comments are added to the "this is what you missed on..." mail.

Online Report inline edit

You can now edit findings, sections, and retests directly inside the online report, making it easier than ever to update content quickly.

• The default Researcher and Reviewer roles can now access the online report. For custom roles, we recommend granting access to improve their experience.
• Enjoy a more responsive online report with reduced loading times, thanks to the implementation of caching.
• These changes introduce minor differences between the online and PDF reports, but only for users with report editing permissions. Client views are unaffected.
  • Empty sections now have more spacing to accommodate the edit button.
  • Finding fields, such as Risk, are now displayed even when empty.

Schedule assessments without an end date

• You can now schedule assessments with only a research start date.
• Assessments with only a research start date will appear in the schedule on that specified date.
• This feature is recommended for scheduling recurring (periodic) assessments well in advance.

Refined assessment deletion options

We have reworked the assessment deletion to provide more clarity and control. There are now two types of deletion:

• Soft Deletion: Removes all findings, retests, sections, and sensitive data while retaining metadata such as internal details, research hours, and scheduled dates.
• Hard Deletion: Completely deletes the assessment, excluding the activity log, which retains basic information (e.g., a user created a finding in a deleted assessment).

To enhance usability, we have made the following changes:

• Soft-deleted assessments are now visible in the assessment index for admins only, sorted last.
• Only soft-deleted assessments can be hard-deleted.
• Admins can hard-delete soft-deleted assessments via the assessment dropdown.
• Admins can soft-delete assessments without a client user request from the assessment dropdown (available on the larger assessment page dropdown).
• A new filter for deleted assessments has been added to the assessment index.
• Activity for hard-deleted assessments remains and is labeled with "deleted assessment."

API 

• Activity Retrieval: Activities can now be fetched as includes of assessments and findings for easier access.
• Activity Field Change: The data.finding_title field has been removed from activities. To obtain that information, retrieve the finding as an include. Titles of deleted findings are no longer accessible.
• Webhooks Creation: You can now create webhooks directly through the API for increased flexibility and integration.

Other improvements

• You can now find assessments by searching for the client's name.
• Assessment-related emails now include the client's name for better context and identification.
• The "current" version in the version comparison bar now displays additional information, such as author, date, and (review) status for improved clarity.

Bug Fixes

• CSV Export: Resolved an issue causing CSV exports of 'Severity Only'-assessments to fail.
• Review Buttons: Fixed the missing review buttons in the researcher panel.
• Retest Events: Corrected the placement of "... rejected a retest" events in the finding timeline.
• Online Report Styles: Addressed multiple issues where incorrect styles were applied to elements of the online report.
• Report Themes: Fixed the inability to delete report themes.
• Finding Edit Form: Resolved an issue preventing the submission of the finding edit form while a retest was pending.
• Findings Table Width: Adjusted the findings table component to match the width of other tables in the PDF report.
• API Documentation: Fixed the display of parameters, now correctly showing them as arrays of strings instead of arrays of objects.

Report component options

We have added two new options to the report components:

• You can now hide the short (numeric) IDs in the results table component
• You can now hide the short (numeric) ID column in the findings table component

To use these options, you will need to re-add the components.

The results table displayed on the 'Findings tab' of an assessment can be configured via 'Edit Assessment > Display (tab)', and defaults can be set in 'Settings > General > Assessment Defaults (tab)'.

Improvements

• The compilation speed of PDF reports for assessments containing many code blocks has been greatly improved.
• We have implemented a new feature that logs authentication attempts as activity. This includes information such as the authentication method, 2FA attempts, and IP address. You can view these activities on the activities page or retrieve them using the API.
• Logged activities can now be filtered by one or more 'activity categories'. This filter is also available via the API (see API docs).
• Tagged assessment sections displayed in the portal now link to the online report (if available).
• Placeholder, badge, and icon report components are now available in more places, such as in findings and comments.
• We've added a new 'Smart' option to the 'Start sections on new page' setting in Report Themes. With this option, a page break will be added after any non-empty assessment section. The existing 'Smart' option has been renamed to 'Smart (up to H2)', bringing it in line with the documentation and clarifying that it only affects the first two heading levels.
• New settings have been added to the 'Report Themes':
  • Render PDF images as links: whether images included in markdown fields should be rendered as clickable links in the PDF report. These links allow the reader to view images in full-size via the browser for more details. We recommend disabling this option if you create PDF reports for clients that do not have access to the assessment in Reporter.
  • New page before findings: whether to insert a page break between a section's description and the first finding in the section.
• The CWE and CAPEC classifications have been updated to their latest versions. To ensure you are always working with the most current version, each new Reporter release will contain the latest available version of these classification systems.
• Assessments on the dashboard can now be filtered:
  • All: display all assessments you have access to.
  • Member (admin only): display all assessments where you are a team member.
  • Assigned: display assessments where you are assigned to the current assessment phase. 
• To ensure consistency between the online and PDF reports, we have increased the margins above and below markdown lists in PDF reports.

Bug Fixes

• Fixed an issue where adding multiple components or caution tags on the same line would cause some text or components to be rendered multiple times.
• Fixed an issue where mark tags within mark tags would cause text to be rendered multiple times.
• Fixed an issue where admins received 'Retest Performed' notifications.
• Fixed a crash when exporting findings as CSV for assessments with the 'Severity Only' scoring system.
• Fixed an issue where in-app notifications did not specify that you were tagged in comments, retests, etc.
• Fixed a bug where the 'badge highest risk'-component did not render inline.
• Fixed a bug where adding a newline after the 'badge highest risk'-component caused report compilation to fail.
• Fixed a crash when opening a finding as an admin in assessments where findings are restricted to resolvers.
• Fixed a bug where the 'scope' component in assessments without targets would cause report compilation to fail.
• Fixed a bug that prevented the deletion of client logos, avatars, and theme documents.