Releases

Requires Attention

Breaking change! Environment variables related to the SMS configuration have been renamed. To prevent breaking functionality related to SMS (such as 2FA), the variables listed below should be renamed. See the documentation for more information.

Python API wrapper

We've released an API wrapper to simplify the interaction with the Reporter API:

• https://github.com/dongit-org/python-reporter
• https://pypi.org/project/securityreporter/

Multiple report themes

Major improvements have been added to the Report theming. You can now create multiple report themes that can be assigned to individual assessments or assessment types. Besides this, many other improvements are included, such as the exporting and importing of themes, the ability to upload or swap entire font families, and to change the font of code blocks.

Improved search 

Another major addition in this release is the improvement of the search functionality, including many new filters and a toggle for the 'AND'-search.

Other new and improved features

• Mobile phone numbers are now validated and stored according to international standards.
• Added examples for classifications in finding and finding template API docs.
• Added an option to the results table component to show the complete short ID for each finding.
• Invite client users by selecting a group on the assessments show page.
• Option to hide table of contents in reports.
• Allow SVG images for client logos.
• Add a button in user profiles that links to the user's activities.
• Make the assessment type name editable.

Bugfixes

• Fixed an issue where fonts with certain special characters in the file name (such as underscores) broke the PDF report.
• Fixed an issue where captions for syntax-highlighted code blocks were missing in the PDF report.
• Fixed an issue where captions of code blocks used the wrong font in the HTML report.
• Similar to the HTML report, inline images are rendered inline in the PDF reports.
• Header sizes in the PDF and HTML reports are now consistent. 
• Focus markdown area when clicking the input label.

Task Improvements

• Directly create new tasks from the researcher panel.
• Assign weights to custom tasks and tasks in task sets. Tasks with higher weights are displayed first in the overview.
• The deadline options for tasks have been clarified.
• Custom tasks are no longer required to have a deadline. Tasks without a deadline are never hidden.
• The visibility of the number of tasks has been improved in the researcher panel.
• More task activities are now being logged.
• Tasks created by using task sets now have a label with the name of the task set.
• The user who has completed a task is now displayed.

Bugfixes

• Fixed an issue where generating a preview report would fail when using the 'Researchers' component on the front page without (academic) titles.
• Fixed a bug where the 'Relevant for assessment status'-filter also filtered out completed tasks.
• Fixed an issue where tasks with no deadline were listed before tasks with a deadline.

Bugfixes

• Fixed a bug where report generation would break when rendering images without a caption.
• Fixed an issue where the 'new page after findings'-toggle in the settings was always off.
• Fixed incorrect styling for some green buttons.
• Fixed an exception related to setting non-custom assessment short IDs through the API.

Improvements

• The 'Preview report' functionality that is available under the 'Report Customization' now generates the report in the background.

Update with many changes 🥳

TL;DR

• Many new API routes have been added, with unfortunately some breaking changes. A glimpse into the upcoming related releases; an open-source Python API wrapper will be published to make your developers happy! This is almost ready, and we’re working on some example integrations. This full-fledged API combined with the webhooks makes Reporter flexible for all kinds of integrations.
• Customize the Reporter web portal by uploading a custom style sheet.
• Clients can share information and documents within assessments.
• Many bug fixes and other improvements!

API Improvements

Some breaking changes Warning

• Permissions for API tokens are now fine-grained per resource. Therefore, existing API tokens will only be able to access and write ‘Assessments’. A new API token with extra permissions should be generated to access other resources, such as ‘Findings’ or ‘Targets’.
• Various POST API routes have been restructured to match the application structure and logic. For example the POST route /api/v1/assessments to create a new assessment has been changed to /api/v1/clients/<assessment_id>/assessments.
• ‘Finding Template’ API routes are made consistent via the new route /api/v1/finding-templates (dash) instead of /api/v1/finding_templates (underscore).
• The following request headers are now required to be set (see the examples in the API documentation):
  • Accept: application/json for all routes except downloading files;
  • Content-Type: application/json for all PUT, PATCH, and POST routes that do not upload files;
  • Content-Type: multipart/form-data for all POST routes that upload files.
• Documents can now only be created and deleted using the dedicated /api/v1/documents routes, and not using other routes.
  • The only exception is for the creation of ‘Output Files’ (scan results from tools like Burp Suite and Nessus).

Additions

• API abilities/permissions are now split per resource.
• ‘Auto-assignments’, ‘assessment users’, ‘output files’, and ‘roles’ can now be accessed through the API.
• Added POST routes for many resources, such as:
  • Assessment Users (to attach users to assessments, assign them roles and automatically assign them tasks)
  • User Groups
  • Output Files (for uploading scans from tools like Burp Suite and Nessus)
• Added PUT/PATCH routes for the following resources:
  • Clients
  • Assessments
  • Assessment Sections
  • Assessment Phases
  • Findings
  • Targets
  • Finding Templates
  • Users
  • User Groups
• Added DELETE routes for the following resources:
  • Clients
  • Assessment Users
  • Findings
  • Targets
  • Finding Templates
  • User Groups
  • Documents
  • Output Files (also deletes all ‘potential findings’ and ‘potential targets’, but not findings and targets that have been imported into the assessment)

Custom Style Sheets

• Admins can now upload a custom style sheet (CSS) to customize the look of the Reporter portal. We recommend changing the primary colors, such as those used in buttons and labels, to match your organization’s branding.
• The stylesheet does not affect the online or PDF reports.

Shared Information Tab

• Added a new ‘Shared information’ tab in assessments that clients and researchers can edit. Clients can use this to share instructions and files with the researchers directly.
• Admins can add separate instructions for researchers and clients to the tab through the settings.
• The tab can be enabled and disabled for individual assessments.
• The tab is enabled by default for new assessments, not for existing assessments. You can change that default in the settings.
• Researchers receive a notification when a client updates the shared information while the assessment is in progress.

Other Additions

• Added a report customization option to insert page breaks after each finding.
• Added settings to select which tab is open in the assessment overview. There are separate settings for researchers and clients.
• The API rate limit can now be changed or removed on self-hosted Reporter instances.

Improvements

• An icon appears in the assessment tab if you have unread notifications when the ‘Researcher Briefing’ or ‘Shared Information’ has been updated. Opening the tab marks such notifications as read.
• Wide tables no longer overrun the page in the PDF report. You can control the width of columns on wide tables. For details, see the updated documentation.
• Changed the word ‘vulnerabilities’ to ‘findings’ in the ‘finding counts per severity’-component to be more consistent with the rest of the application.
• The ‘Risk’, ‘Recommendation’, and ‘Proof’ fields are no longer required.
• Findings in the ‘Search for examples’ dialog now show their original severity (and current severity if it has changed). Previously it showed the current severity, which was often ‘OK’ after a retest.
• Findings can now be filtered based on if they have retests. The filter only counts published retests.
• The display of the target search bar in an assessment has been optimized.
• Added an ‘Assigned to me’ button to the dashboard for admins to show assessments where they are assigned.
• All email addresses are now stored and displayed in lowercase.

Bugfixes

• Fixed a bug where the sections in the online report were numbered incorrectly.
• Fixed a bug where the user wasn’t properly logged out after being idle.
• Clicking a ‘Login with …’-button when already logged in now redirects to the correct page.
• Fixed a bug where linking potential findings to existing findings did not work.
• Fixed a bug where the wrong tab was sometimes opened in various places.
• Fixed a bug where inline documents were incorrectly styled in the online report.
• Fixed an issue where potential findings with CVSS scores were sorted by severity category (Critical, High, etc.) instead of score.
• Fixed an issue where the same CVE was sometimes listed multiple times for a potential finding.
• Fixed a bug where empty report customization settings could cause an exception
• Fixed an issue where the ‘finding counts by severity’ report component would run off the page with larger fonts.
• Fixed an issue where non-ASCII characters in titles were not rendered correctly in the PDF report.
• Fixed a bug where some completed assessments could be shown before pending assessments.
• Fixed a bug where a very long section title could make the researcher panel too wide.
• Fixed a bug where tildes were sometimes displayed as dashes by updating Open Sans fonts.
• … and probably more!

Security

• Fix CVE-2022-29248.

Improvements

• Add SSO configuration option for Microsoft Graph tenant ID.
• Do not show the assigned icon for a manager when the assessment status is 'Completed'.