Releases

New Summary Tables

Two new components are available to render summary tables:

Improvements

• Large output from tools is now imported more efficiently to avoid memory issues.
• The 'Pending Assessments' section on the dashboard has been renamed to 'Open Assessments'.

Requires Attention

The default value for the MAIL_ENCRYPTION setting has changed from tls to the more secure value ssl. Set the value of MAIL_ENCRYPTION to tls if your SMTP server makes use of STARTTLS. See the documentation for more information.

Continuous Assessments

A new status 'Continuous' has been added for assessments that are always open and have no specific end date and phases. This status is helpful in enabling bug bounty style assessments.

Client User Groups

Client users can now be organized in groups. These groups can be used to grant access to assessments or to assign resolvers to findings. Adding a user to a group also grants them access to findings and assessments for which that group has access, and removing a user revokes that access.

Assign Findings to Resolvers

Specific client users or groups can be assigned to a finding as resolvers. A resolver is a user responsible for fixing the finding and requesting retests for it. Resolvers are notified when they are assigned.

Access to findings can be restricted to resolvers. When this setting is enabled in an assessment, client users can only see a finding if they, or a group they belong to, is explicitly assigned as a resolver for that finding.

Other Improvements

• The tool output parsers have been updated. Several new tools are supported, and this update includes a fix so CVSS 3 strings from the Nessus output are correctly parsed.
• On the assessment show page, user icons now show more context about the role or permission of users.
• Researcher display options for an assessment have been improved. For example, only users that have been assigned to a phase can be put on the cover of the report.
• The quality of scaled images has been improved for Chromium-based browsers.
• Improved update notifications for new Reporter releases.
• Markdown headers are no longer numbered or listed in the report's table of contents.
• SMTP configuration options have been clarified.
• Simultaneous edit functionality has been improved to detect changes of the same user in other tabs or browser screens. For example, if a user has a particular finding open in several tabs, edit functionality is locked in all non-active tabs when the finding is updated.

Bugfixes

• Fixed several target filter bugs on the assessment page.
• Fixed a bug that caused forms not to lock when simultaneously editing a form when Pusher is enabled.
• Fixed several links with an incorrect filter instruction for targets.
• Fixed a bug where the default scoring system wasn't set when creating an assessment.
• Fixed a bug where expired users couldn't be removed from assessments.

Bugfixes

• Fixed an issue where file uploads not related to markdown fields were broken.
• Fixed an issue where changing the client of an assessment would cause some tasks and notifications to throw an exception.

Webhooks

This release brings webhooks to Reporter for extra flexibility and extensibility! Webhooks are almost always faster than polling the API, and require less work on your end.

The following events are supported assessment:created, assessment:updated, finding:created, finding:updated and finding:published.

Bug fixes and minor improvements

• Users are no longer notified when they assign tasks to themselves.
• Fix NO_AUTO_CREATE_USER exception when using Azure managed MySQL.
• Fixed an issue where editing a task would break the ability to assign users to them.
• Publishing a retest now completes tasks to respond to client comments on that finding.
• Fixed an exception that was thrown when saving a new finding template.
• Search by assessment using the short ID.
• Fixed view exception for 2FA edit page.
• You can now use inline code tags in the caption of a code block.

New Markdown editor

This release dramatically improves the readability when writing your findings in the new context-aware editor of Reporter. The editor has many other improvements, such as a side-by-side feature that automatically updates the preview when writing your content.

Custom short IDs

Each assessment has a short ID. This is used to identify the assessment and the associated findings uniquely. It is now possible to use custom short IDs. Via the settings page, you can enable custom short IDs as the default.

Other improvements

• The weight of finding templates is now displayed. This is useful to evaluate which templates are underused and discuss that with researchers, modify them to improve the quality and the likelihood of being used or delete them if they are no longer useful.
• Added the ability to filter assessments by researcher.
• The target filter on the findings index in an assessment is now a multi-select.
• Increased the API rate limit to 120 requests per minute.
• Microsoft Azure managed MySQL instances are now supported, see the docs for the DB_SERVER_VERSION setting.

Bugs

• Fixed full-width researcher panel bug in Safari.
• Clicking on the 'Find template or clone finding' button doesn't open the modal.

Security

• Updated third-party libraries to fix CVE-2022-24775.