Releases

2022.04.07

Webhooks

This release brings webhooks to Reporter for extra flexibility and extensibility! Webhooks are almost always faster than polling the API, and require less work on your end.

The following events are supported: assessment:created, assessment:updated, finding:created, finding:updated and finding:published.

Bug fixes and minor improvements

  • Users are no longer notified when they assign tasks to themselves.
  • Fixed the NO_AUTO_CREATE_USER exception when using Azure managed MySQL.
  • Fixed an issue where editing a task would break the ability to assign users to it.
  • Publishing a retest now completes tasks to respond to client comments on that finding.
  • Fixed an exception that was thrown when saving a new finding template.
  • Search by assessment using the short ID.
  • Fixed view exception for 2FA edit page.
  • You can now use inline code tags in the caption of a code block.

2022.03.22

New Markdown editor

This release dramatically improves the readability when writing your findings in the new context-aware editor of Reporter. The editor has many other improvements, such as a side-by-side feature that automatically updates the preview when writing your content.

[Image: Reporter editor side-by-side mode]

Custom short IDs

Each assessment has a short ID. This is used to identify the assessment and the associated findings uniquely. It is now possible to use custom short IDs. Via the settings page, you can enable custom short IDs as the default.

Other improvements

  • The weight of finding templates is now displayed. This is useful to evaluate which templates are underused, so you can discuss them with researchers, modify them to improve their quality and the likelihood that they are used, or delete them if they are no longer useful.
  • Added the ability to filter assessments by researcher.
  • The target filter on the findings index in an assessment is now a multi-select.
  • Increased the API rate limit to 120 requests per minute.
  • Microsoft Azure managed MySQL instances are now supported, see the docs for the DB_SERVER_VERSION setting.

Bugs

  • Fixed full-width researcher panel bug in Safari.
  • Fixed a bug where clicking the 'Find template or clone finding' button did not open the modal.

2022.02.24

Automatic template suggestion logic

Previously, when a researcher selected a template to create a finding, the 'Template Suggestions' tab showed templates attached to that specific section of the assessment type in use. However, this relied on an admin user going over the sections of each assessment type and manually attaching templates.

This process is now automated. When a researcher creates a finding using a template, that template will be suggested for the same section in other assessments of that type. Templates that are used often appear more prominently, and recently used templates are given slightly higher priority.

Other improvements

  • The performance of the 'assessment show' page and the 'researcher panel' has been improved by optimizing several database queries.

Bugfixes

  • Fixed a button that was the wrong size in the dashboard tasks.
  • Fixed a bug where validation errors for date fields were not shown on the assessment edit page.
  • Fixed a bug where validation errors were not properly cleared when resubmitting certain forms.

Security

  • Updated third-party library to mitigate CVE-2022-23638. The risk for Reporter is considered to be low given the affected functionality is only available for admin users, and would also have been blocked by the CSP.

2022.02.08

Comment improvements

  • Finding comments are now private by default.
  • You can now reply to top-level finding comments.
  • The comment reply form now appears where the posted comment will, at the bottom of the chain of replies.
  • Posting a new comment, retest, or retest request now reloads the page and takes you to that event.
  • The background colors of all finding events and finding event forms now change dynamically depending on whether the edit form is open, whether 'Is private' is toggled, and whether the review status is set to published.
  • The child events of an unpublished finding or retest are now expanded by default.
  • Public replies to private events now show as "hidden" and in private-grey to indicate that clients cannot see them.
  • A warning now appears when making a public reply to a private event, to indicate that clients cannot see it.
  • Fixed an issue where an admin very quickly editing another user's comment would not show "updated at ... by ..." in the event.

[Image: Reporter comment reply update]

Other improvements

  • Added a create documents API endpoint.
  • Added a create finding templates API endpoint.
  • Assessment phases can now be retrieved through the API as an include/relationship when retrieving assessments.
  • Added a placeholder component to reference fields such as the client name or assessment title in markdown fields.
  • A notification is displayed when unevaluated potential findings are present from the tool import when setting the assessment to a completed status.
  • The markdown textarea now resizes after pasting a document, if needed.
  • Clarified target import from previous assessments on the import page and in the documentation.
  • Users in the activity overview and client page are now grayed out if blocked.
  • Smarter report generation for assessment users: not all activity triggers the generation of a new PDF report.
  • Findings are now ordered by created_at field after severity. This is equivalent to sorting by number in an assessment context. The new sorting applies to the researcher panel, results lists, and the report. Findings on index pages are still sorted newest first, to avoid showing very old findings.
  • Upgraded Elasticsearch in the Docker example.
  • Updated NPM packages that contain vulnerabilities.

Bugfixes

  • The target sort modal now closes after saving.
  • Fixed scrolling to and highlighting certain finding events.
  • Pressing Enter in global search no longer refreshes the page. The global search icon is now a loading icon while waiting for search results.
  • Fixed an exception with clearing grouped mail for users who have never logged in.
  • Fixed a bug in the API where the relation from Findings to Assessment Sections was incorrectly named 'section', which caused an exception when queried and made the correct relation, 'assessmentSection', unusable.
  • Target business_impact and target_type fields are now correctly listed as integers in the API docs.
  • Fixed a bug where Researchers could not see the general docs in the navigation.
  • Fixed the table of contents font for subsubsections.
  • Fixed missing contact info in the PDF report if company_phone_1 is not set.

2022.01.12

Documentation is now available in Reporter

The Reporter documentation has been added to the Reporter installation and is available to all admins and researchers from the main menu. In addition, all pages in Reporter now have a button that takes you directly to the most relevant section of the documentation for that page.

[Image: Reporter docs]

Documentation has been added for settings pages, and existing documentation on the use of Reporter has been expanded.

Linking potential findings

Added the ability to link potential findings to existing findings in an assessment. By linking a finding from an external tool to an existing finding, you can tell other researchers and reviewers that it does not need to be imported because the other finding already covers it.

[Image: Reporter link to existing finding]

You should link potential findings when multiple tools detect the same vulnerability or when a tool finds similar issues that you want to combine into one.

Other improvements

  • The report buttons now appear more prominently on the assessment page.
  • Clients will now see a variety of notifications or warnings if reports are being generated or when they are potentially out-of-date.
  • A user downloading a PDF report or ZIP export, or viewing the online report is now logged as activity.
  • It is no longer possible to change the name of a snippet that is in use, as this would break the snippet.
  • The 'Submit assessment for review' button now also appears when there is only one finding, instead of requiring more.
  • Sections of disabled assessment types now show a 'Disabled' badge when selecting them for finding templates.

Bugfixes

  • The sorting of targets in the assessment overview is fixed.
  • Fixed a bug where the sub-menus of the main navigation did not show when the menu was minimized.
  • Fixed a bug where changes made to a newly created phase were not saved.
  • Fixed an issue where it was not possible to select certain dates for phases.
  • Fixed an issue where tooltips for the names of the sender of an in-app notification were hidden.
  • Fixed an issue where long diffs took a very long time to load.
  • Fixed an error when deleting an assessment.
  • Fixed an error when creating a new text box item.
  • Fixed a bug where creating an 'under review' retest would put the 'review requested' event in the wrong place.