Releases

Activity Functionality

New Activity functionality is now available via the main menu. An overview screen shows the activity per assessment in the last seven days. Besides this, it is possible to filter and search in all logged assessment activities. The activity pages have been polished, so it is easier to keep an overview.

Other new and improved features

• Versioning for finding templates.
• Via a new button in the researcher panel, a researcher can now easily change the assessment to "Under Review" when the active research stage has been completed.
• Via a new button in the researcher panel, a reviewer can now easily change the assessment status to "Review Completed" when the review has been completed.
• Docs are now available via docs.securityreporter.app.
• PHP-FPM directives are now configurable via env vars.
• The researcher tree will now show an icon when a caution tag is present.
• Fix order of finding version fields to be consistent with the ordering everywhere else.
• Improved notifications are presented to client users when viewing an assessment that has not been completed yet.
• The Reporter Docker container has been improved. 
• Added a CVSS risk assessment table (component).
• Breadcrumbs have been shortened to increase readability.
• In target import, importable targets are now shown with the assessment title and date.

Bugfixes

• Fixed broken links in assessment result tables of the HTML report.
• Deduplicate VulnDB templates.
• Fix links to Reporter settings in new environments.
• Fixed exception in email-address-changed email.
• Fixed a forbidden redirect when editing an assessment section as a researcher.

Breaking changes

The setting 2FA_ENFORCE is renamed to MFA_ENFORCE.

Activity improvements

Elaborate activity logging is available within the assessment and under the user view.

Retest request improvements

A new assessment status "Retest requested" has been added. Creating a retest inquiry in a completed assessment now sets the status to "Retest Requested". Assessments with this status are displayed on the dashboard so a manager can easily schedule them. 

Other:

• The ability to cancel a retest request for a finding has been added. The report is not updated when canceling a retest. Previously, the retest request had to be deleted whereby information is lost, or a researcher/manager had to answer the retest request whereby the report was updated.
• Reviewers can no longer trigger "Review Completed" if draft findings are remaining in the assessment.
• Under the main menu item "Findings" it is possible to click on the "Retest requested" badge to directly show the associated retest request.

Invite users to assessment improvements

• The "invite user" functionality has been clarified by adding tabs to the modal that separates inviting new users from existing users.
• Clarified adding new clients for an admin/manager. It is no longer required to select a role for the client.
• Inviting existing users to an assessment no longer refreshes the page.

Other new and improved features

• Users without job titles or not associated with clients, now have the title of "Researcher", "Administrator", "Client" or "Member" in that order based on roles.
• It is possible to directly link to finding events (displayed under the finding) such as a comment or a retest by clicking on the event timestamp. In these displayed finding events, the avatar and name of users now also link to the user view, so it is, for example, easy to look up this user's activity.
• Timezones are now shown in the status report. Also, checks if the timezone is valid.
• Assessment section updated messages are no longer sent when nothing or only the order was updated.
• Clients can no longer be deleted if they have assessments unless the assessments are soft-deleted.
• CVSS metrics are clarified (temporal and environmental metrics).
• Users that receive a notification of an assessment delete request now also get a new task assigned.

Bugfixes

• Fixed opacity setting for watermarks in the online report.
• Fixed a bug that caused SMS notifications not always to be sent.
• Fixed a bug where rejecting a retest from the review page would not reload the tab.
• Fixed a bug where approving multiple findings or retests would create a string of buttons on the page.
• Fixed a bug where creating a newly published retest would sometimes resolve it.
• Fixed a bug where retests for a finding were sorted in a random order in the report.
• Fixed a bug with the is-private toggle when editing comments.
• Fixed an issue where resolved targets were not unset when unticking "partially resolve" when editing a retest.
• Fixed two rare edge cases when changing the targets of a finding that has status changes or retests. Adding a target to the finding now also adds it to the resolved targets of resolved status changes and retests. Removing a target from the finding now resolves status changes and retests that resolve all of the finding's remaining targets.
• Fixed an issue where the old severity determined the new status of a finding.

Resolve findings partially

Findings with multiple targets can now be resolved for some of the targets, instead of all or none. The timeline and report will show which targets were resolved and when.

Other new and improved features

• The interface for adding report components has been improved.
• The results table in the online report now has also has a legend risk indications table.
• Pasting a link to Reporter now creates a relative link. These links keep working if the URL of Reporter changes.
• Admins can now choose 'My Tasks' or 'All Tasks' when opening the task page.
• The MySQL setting sql_require_primary_key that is enforced by some managed databases is now supported.
• Findings marked as an 'Accepted Risk' can now also be imported from previous assessments.

Bugfixes

• Fixed a bug where modified settings were not applied to reports.
• Fixed an issue where lists could be wider than text in markdown fields.
• Fixed an issue that made it impossible to edit the Researcher Briefing and Target Credentials from their respective tabs on an assessment page.
• Fixed an issue where dragging-and-dropping sections would generate multiple alerts.
• It is once again possible to assign finding templates to assessment sections through the assessment section edit page. This includes full search functionality (with synonyms) and template source icons.

CVSS 3.1 Scoring System

The Common Vulnerability Scoring System Version 3.1 (CVSS) is now supported in addition to the OWASP Risk Rating methodology.

When starting a new assessment you can choose which scoring system you would like to use. It is possible to build a CVSS metric string by using the buttons or paste an existing CVSS metric string that will set the state of the buttons. The CVSS scoring system can be set as the default scoring system via the global settings.

Assessment access control improvements

• Better support for the assessment manager role. The assessment manager is displayed on the assessment page.
• Separated team access and client access into separate tabs.
• It is possible to specify which clients receive notifications from the "Client Access" tab. Clients with notifications disabled do not receive notifications about finding events unless they were directly tagged.
• Under the tab "Status and Phases"  the button "Autofill users" has a new option to autofill based on current permissions. Researchers who can review findings or retests are assigned as a reviewer. Anyone who can create findings or retests is assigned as a researcher if not already assigned as a reviewer.
• Removed permissions "show as researcher", "show as client", "publish on report as researcher", and "comment as researcher". These are now handled based on the new options.

Other improvements

• The global findings search has been improved. Search for the (partial) name of a target and filter by assessment type, author, and target.
• Caching of assessment users for performance improvements.

Bugfixes

• The researcher panel search terms would sometimes reappear.

Delete assessments on client's request

Clients can now request the deletion of an assessment. The assessment manager is required to confirm these requests. All associated findings, sections, targets, and documents are deleted. The assessment will be listed with a 'Deleted' status and only contain some metadata such as who requested the deletion. 

The delete functionality is not visible in the UI for a client, the assessment manager should provide the URL for the client. This link can be found on the assessment show page under the settings wrench icon.

Other improvements

• The loading speed of the findings page has been improved.
• Improved notifications for available Reporter updates. The users that are notified and assigned to an update task can be set from the settings page. If no users are specified, all admins are notified.
• Added a separate syntax highlighting button in the markdown editor.
• Pull pre-build packages from Reporter's Docker container registry.
• Changed RAM requirement (8GB) of Docker host in the readme. Default PHP settings have been changed accordingly.

Bugfixes

• Finding templates now properly set the severity based on impact/likelihood.