Releases

New API functionality for comments

• The API now supports creation, modification, and retrieval of assessment comments, finding comments, finding retest requests, and finding retests.
• You can reply to finding comments, assessment comments, finding retest requests, and finding retests.
• You can retrieve these events as an include with a finding or assessment.
• Replies to comments can be retrieved as an include from corresponding comments, retests, etc. For example, you can GET a finding and include comments.replies.

Improvements

• Caution tags are now also rendered in the PDF report making it consistent with the online report.
• Updated CWE classifications to v4.12.
• The output file parsers have been updated for improved performance and data extraction.
• When encountering errors during output file parsing, error messages now provide more detailed context to facilitate troubleshooting.

Bugfixes

• Resolved an issue preventing the retrieval of PDF reports via the API.
• Fixed an issue where the 'Highest Risk' badge in CVSS assessments sometimes showed the highest category, but not the highest score.
• Fixed a bug where resolved retests could not be set back to unresolved.
• Fixed a bug where the 'General activity' link was not functioning correctly on the activities page.
• Fixed an issue where provisional events in the schedule had no associated users.
• Fixed an issue where assessment sections could not be emptied by editing them in the online report.
• Fixed an issue where the status of a retest was not shown in the researcher panel.
• Fixed an issue where caution tags, @tags and component tags were sometimes rendered incorrectly.
• Fixed a crash when evaluating findings suggested as new templates if the finding has resolvers.
• Fixed an issue where users were notified twice if output file parsing failed.
• Fixed a rare exception when deleting an assessment.
• Addressed a rendering issue for long words with Unicode characters in the PDF reports.
• Fixed an issue where the next_deadline field was sometimes set incorrectly.

Improvements

• Retrieve PDF reports via the API.
• The maximum height of images in PDF reports has been increased to match the size of the page, providing better visual representation.
• Importing findings from previous assessments has been improved for better clarity.
• Error messages have been clarified when uploading files with incorrect mime types.
• Breaking of words in the PDF report has been improved to prevent code blocks from overflowing.

Fixes

• Fixed defaults for the 'by'-parameter of the 'results table' component.
• Fix icon position in document components within the online report.
• Resolved a bug where users were not receiving notifications when the parsing of an output file failed.
• Fix an unexploitable open redirect issue.
• Fixed an issue where the API returned empty classifications as [] instead of {}.

Schedule Export

This new feature lets you conveniently move your Reporter schedule events into your go-to applications or calendars, including Google Calendar and Microsoft Outlook.

To get started:

1. Navigate to the Schedule page in your Reporter account.
2. Click on the Export Schedule button.

Refer to our updated documentation for more information about this new feature.

Bugfixes

• Fixed a rare issue that could cause "This is what you missed on <assessment>"-emails to be sent multiple times or not at all.
• Inline code blocks have been optimized to prevent running off the page. They now automatically continue onto the next line for better readability. 
• Corrected a problem with very long inline code sections disrupting PDF compilation. This issue is now fully resolved.
• Addressed an issue where deleting a document could delete all copies of that document. For example, removing a screenshot from a finding would also remove it from that finding's versions.
• Fixed a rendering problem where embedded images in SVG files were not displaying correctly in PDFs. 
• Fixed the "Add User" button on the client page.

Finding Template Tags 

You can now add tags to finding templates making it easier for you to categorize and organize your templates.

• Tags are not case-sensitive.
• You can filter by tag in the app and the API.
• Tags are automatically created when you add them to a template.
• Manage tags (index, create, edit, and delete) via Settings > Tags.
• Tags are remembered in finding template versions, even if they are subsequently deleted or renamed.
• Reverting a version of a template will recreate deleted tags and attach the updated version of existing tags.

Code Block Customization 

New customization options for code blocks in reports have been introduced, including:

• All colors used in syntax highlighting.
• Bold and italic settings for each syntax highlighting token.
• The color of the box.
• The color of the highlighting marker.

To access these customization options, navigate to Settings > Report Themes > {your theme} > Syntax highlighting. In addition, we have included several pre-designed syntax highlighting color schemes that you can apply with just one click.

Report Back Page

You can now add a back page to the reports. To set a background image for the back page, go to Settings > Report Themes > {your theme} > Backgrounds, and you can add content for it by creating text boxes under Settings > Report Text Boxes.

A back page will only be displayed if it contains content or a background image.

Improvements

• The caption of the findings table component information about the ordering, providing more context and clarity.
• Users are now sorted by their full name by default.
• API: filters now match exact values, except for arrays, objects, and certain text fields.

Bugfixes

• Fixed a bug that caused struck-out "Unspecified" badges to appear on unpublished findings in online reports and draft PDF reports.
• Fixed several sorting issues in the Findings Table component:
  • CVSS findings are now sorted correctly by severity.
  • Non-vulnerable findings now appear last when sorting by status.
  • Resolved findings are no longer sorted last when sorting by severity.
• API: Fixed an issue where empty classifications were returned as [] instead of {}

Assessment comments

Similar to the existing commenting functionality for findings, you can now post comments regarding the entire assessment to enhance collaboration and communication. Furthermore, comments include events that display assessment status changes and the responsible individual, providing valuable context.

Assessment commenting key features:

• Private comments for researchers
• Replies to threads
• Tasks to reply to client comments
• User tagging with immediate notifications
• Other comments are added to the "this is what you missed on..." mail.

Online Report inline edit

You can now edit findings, sections, and retests directly inside the online report, making it easier than ever to update content quickly.

• The default Researcher and Reviewer roles can now access the online report. For custom roles, we recommend granting access to improve their experience.
• Enjoy a more responsive online report with reduced loading times, thanks to the implementation of caching.
• These changes introduce minor differences between the online and PDF reports, but only for users with report editing permissions. Client views are unaffected.
  • Empty sections now have more spacing to accommodate the edit button.
  • Finding fields, such as Risk, are now displayed even when empty.

Schedule assessments without an end date

• You can now schedule assessments with only a research start date.
• Assessments with only a research start date will appear in the schedule on that specified date.
• This feature is recommended for scheduling recurring (periodic) assessments well in advance.

Refined assessment deletion options

We have reworked the assessment deletion to provide more clarity and control. There are now two types of deletion:

• Soft Deletion: Removes all findings, retests, sections, and sensitive data while retaining metadata such as internal details, research hours, and scheduled dates.
• Hard Deletion: Completely deletes the assessment, excluding the activity log, which retains basic information (e.g., a user created a finding in a deleted assessment).

To enhance usability, we have made the following changes:

• Soft-deleted assessments are now visible in the assessment index for admins only, sorted last.
• Only soft-deleted assessments can be hard-deleted.
• Admins can hard-delete soft-deleted assessments via the assessment dropdown.
• Admins can soft-delete assessments without a client user request from the assessment dropdown (available on the larger assessment page dropdown).
• A new filter for deleted assessments has been added to the assessment index.
• Activity for hard-deleted assessments remains and is labeled with "deleted assessment."

API 

• Activity Retrieval: Activities can now be fetched as includes of assessments and findings for easier access.
• Activity Field Change: The data.finding_title field has been removed from activities. To obtain that information, retrieve the finding as an include. Titles of deleted findings are no longer accessible.
• Webhooks Creation: You can now create webhooks directly through the API for increased flexibility and integration.

Other improvements

• You can now find assessments by searching for the client's name.
• Assessment-related emails now include the client's name for better context and identification.
• The "current" version in the version comparison bar now displays additional information, such as author, date, and (review) status for improved clarity.

Bug Fixes

• CSV Export: Resolved an issue causing CSV exports of 'Severity Only'-assessments to fail.
• Review Buttons: Fixed the missing review buttons in the researcher panel.
• Retest Events: Corrected the placement of "... rejected a retest" events in the finding timeline.
• Online Report Styles: Addressed multiple issues where incorrect styles were applied to elements of the online report.
• Report Themes: Fixed the inability to delete report themes.
• Finding Edit Form: Resolved an issue preventing the submission of the finding edit form while a retest was pending.
• Findings Table Width: Adjusted the findings table component to match the width of other tables in the PDF report.
• API Documentation: Fixed the display of parameters, now correctly showing them as arrays of strings instead of arrays of objects.