Releases

Add the client's logo to the report

You can now add the client's company logo to the report using text box items. You can set a maximum height and width, and the logo will automatically scale to fit.

Convert comments to retest requests

You can now convert a finding comment from a client into a retest request if a client accidentally submits a comment that was intended to be a request for a retest.

Improvements

• The loading of the researcher panel has been optimized.
• The form to request the deletion of an assessment has been improved to emphasize the fact that data will be permanently deleted.
• Closing a real-time notification is now instantly synced with other open Reporter tabs.
• If the description, risk, recommendation, or proof field of a finding is empty, the name of that field no longer appears in the PDF report, making it consistent with the online report.

Bugfixes

• Fixed some issues that could cause the PDF report compilation to fail.
• Fixed an issue where the review events of a retest did not appear as children of the retest.
• Fixed a bug where severity badges in retests did not display correctly in online reports.
• Fixed an issue where pasting binary payloads as text blocks would crash the PDF report compilation. We recommend attaching binary payloads as an attachment. In a future release, we will guide researchers to do so by optimizing the UI.

Features

• The researcher panel's state (filter and expanded/collapsed sections) is instantly synced between tabs.

Bug Fixes

• The 'Hide finding metadata' and 'Hide finding links' options did not work in the HTML report.
• Report compilation would fail if multiple (document) component tags were added in the markdown without spaces.
• Long titles in findings sometimes overlapped with buttons on the finding show page.
• The Report Text Boxes index listed unselectable themes.
• The 'download PDF report'-buttons sometimes displayed incorrect timestamps.
• The management report button was sometimes clickable when the management report was not accessible, resulting in a 'Forbidden' response.
• Fixed several bugs that were not visible to users.

Note this update may take a little longer to complete than usual. Grab a ☕, and enjoy this last update of 2022 🍾

Timezones

Users can now configure their timezone. The user's timezone will be automatically set when the user first logs in after this update and can be changed from the user's profile. Users will see timestamps according to their local time, except in generated files such as PDF reports. Generated files use the application's timezone.

The application timezone can be configured via the Settings > General > Functionality page.

Reports

Any timestamps on reports, such as those in finding metadata and the generated_at placeholder you may have on the front page, are reported in the application's timezone. If you want to display the current timezone on the report, there are two options:

• If you have a generated_at timestamp on the front page of the report, we recommend adding the timezone to the format string. Either T for timezone or O for the difference to GMT. See https://www.php.net/manual/en/datetime.format.php under timezones for more options. See Settings > Report Text Boxes. For example, you can change the default [[GENERATED_AT|Y-m-d H:i:s]] to [[GENERATED_AT|Y-m-d H:i:s T]] to add your timezone at the end.
• Alternatively, you can use a placeholder component in an assessment section to add the timezone elsewhere in the report. Either by name (e.g., CET) or by difference to GMT (e.g., +0100). Use the + button when editing a section, select Placeholder and choose one of the timezone options.

API Changes

• All timestamps returned by the API are now in an ISO8601-compatible format, e.g., 2022-12-18T16:47:56.000000Z.
• Any timestamps posted to the API now expect an ISO8601-compatible format (currently only found_at).

Improvements

• More context about each finding is now displayed when importing findings from previous assessments, including the finding's status, severity, and the original assessment section.
• The severity legend is now also shown in the findings tab on the assessment page.

SAML Single Sign-On Support

We have added support for single sign-on using SAML2. See the documentation for instructions on enabling it and connecting Reporter to your SAML provider.

New API Routes

• Tasks can now be created, edited, assigned to users, and completed
• Task sets can now be created, edited, and added to assessments.
• You can now create findings from finding templates through the API

The python API wrapper has been updated with the new routes. Check the API documentation for details.

Results Table Options

New options are available for results table component:

• The green checkmark or red X that indicates if vulnerabilities are present in a category can now be disabled.
• Choose which risk severity flips a category from a green checkmark to a red X.

Moreover, you can now select options for the results table in the Findings tab of an assessment. Assessment-level settings are used as the default for any settings not explicitly set in the component. You can set a default for new assessments from Settings > General > Assessment Defaults.

Other Changes

• Uploaded images are now optimized.
• Updated tool output file parsers.
• The upload bar has been improved so that it no longer looks like an upload is finished when it is still processing.
• Added a webhook that fires when a new update for Reporter is available.
• Missing or inaccessible images in markdown fields now show an 'image not found' placeholder image.
• Optimized PDF report creation process.

Bugfixes

• Fixed an issue where 'edit severity' was always unchecked when editing a draft retest.
• Fixed broken image border color setting.
• Fixed an issue where the short ID field was too short to fit a short ID.
• Fixed an issue where the automatically suggested short ID would sometimes be too long.
• Fixed a rare exception when trying to download PDF reports.
• Fixed an issue where assessments were sometimes incorrectly sorted when deadlines were set using the API.
• Fixed a bug where completed assessments weren't sorted properly.
• Fixed an issue where documents for new findings, targets, and finding templates weren't read properly after a validation error.

Assessment Templates - Requires Attention

API breaking change! To improve clarity, 'Assessment Types' have been renamed to 'Assessment Templates'. Due to this, there are some breaking changes in the API:

• The assessment_type_id and assessment_type_name fields on assessments have been renamed respectively to assessment_template_id and assessment_template_name. Requests to retrieve assessment types (now templates) and to create assessments will need to be updated. Requests to update assessments may also need to be updated if they modify either of the renamed fields.
• Finding Templates now have a severity_metrics_all field that contains different metrics for each scoring system. See the updated API documentation for details, and note that finding templates may only have metrics for a subset of the scoring systems.

Client Leads

Admins can now assign client users as client leads within an assessment, similar to how they can assign researchers as managers.

Client leads are displayed more prominently on the assessment page and serve as primary contact for other client users. Besides this, leads can have additional privileges that can be configured via the main menu under Settings > General > Functionality. You can configure which client users can access the following functionality:

• Managing other client users.
• Requesting assessment deletion.

Note! For existing Reporter installations, these functionalities will be available for all client users after updating. We recommend limiting these functionalities to client leads only. Please note that by doing so, you are required to assign client leads for existing assessments to make these functionalities available.

New Assessment Templates

Reporter ships with several built-in assessment templates you can use as a basis for your templates and reports.

We have added the following new default templates:

• OWASP Kubernetes top 10
• OWASP Docker top 10
• Azure Security Benchmark (v3)
• CWE SANS Top 25 - version 2022

These new templates, and fresh copies of the existing templates, can now be imported from the Assessment Template page. They are not automatically added to existing installations. More templates will be added in future releases.

CSV Export

Exporting an assessment's findings to a CSV file from the assessment overview page is now possible.

Other Changes

• Finding templates can now be set up using multiple scoring systems. Reporter uses the score from the appropriate scoring system when you use a template to create a finding.
• When you create an API token, you can now set a date/time for it to expire.
• The 'Findings Table' report component can now be sorted by severity, name, or one of several more options. If you want to use this feature, we recommend re-adding the component to your assessment templates and selecting the desired sorting option.
• Improved the way suggested changes to finding templates are compared to the original when evaluating the change.
• Improved the comparison between a finding and similar findings and finding templates when suggesting a finding as a new template or evaluating the suggestion.
• Third-party finding templates have been updated.
• Added the ability to import default assessment templates. Default templates were previously only seeded into new environments.
• To improve consistency with other scoring systems, saving a finding with CVSS score 0 will no longer set its severity to OK but to Info.
• The API wrapper (https://pypi.org/project/securityreporter/) has been updated to work with the latest API changes.

Bugfixes

• Fixed an issue where the front page was sometimes missing in PDF reports.
• When a user is blocked, they are no longer removed as researchers or reviewers from assessment phases, or from the front page of assessments.
• Fixed a bug where required markdown fields would block a form from being submitted without displaying any errors.
• Fixed an error where validation errors weren't always shown for markdown fields.
• Fixed a bug where automatically scrolling to the first error in a form would sometimes scroll too far.
• Fixed a bug where the online report did not show the content middle background image.
• Fixed a bug where non-vulnerable severities were not copied with templates.