Releases

Update with many changes 🥳

TL;DR

• Many new API routes have been added, with unfortunately some breaking changes. A glimpse into the upcoming related releases; an open-source Python API wrapper will be published to make your developers happy! This is almost ready, and we’re working on some example integrations. This full-fledged API combined with the webhooks makes Reporter flexible for all kinds of integrations.
• Customize the Reporter web portal by uploading a custom style sheet.
• Clients can share information and documents within assessments.
• Many bug fixes and other improvements!

API Improvements

Some breaking changes Warning

• Permissions for API tokens are now fine-grained per resource. Therefore, existing API tokens will only be able to access and write ‘Assessments’. A new API token with extra permissions should be generated to access other resources, such as ‘Findings’ or ‘Targets’.
• Various POST API routes have been restructured to match the application structure and logic. For example the POST route /api/v1/assessments to create a new assessment has been changed to /api/v1/clients/<assessment_id>/assessments.
• ‘Finding Template’ API routes are made consistent via the new route /api/v1/finding-templates (dash) instead of /api/v1/finding_templates (underscore).
• The following request headers are now required to be set (see the examples in the API documentation):
  • Accept: application/json for all routes except downloading files;
  • Content-Type: application/json for all PUT, PATCH, and POST routes that do not upload files;
  • Content-Type: multipart/form-data for all POST routes that upload files.
• Documents can now only be created and deleted using the dedicated /api/v1/documents routes, and not using other routes.
  • The only exception is for the creation of ‘Output Files’ (scan results from tools like Burp Suite and Nessus).

Additions

• API abilities/permissions are now split per resource.
• ‘Auto-assignments’, ‘assessment users’, ‘output files’, and ‘roles’ can now be accessed through the API.
• Added POST routes for many resources, such as:
  • Assessment Users (to attach users to assessments, assign them roles and automatically assign them tasks)
  • User Groups
  • Output Files (for uploading scans from tools like Burp Suite and Nessus)
• Added PUT/PATCH routes for the following resources:
  • Clients
  • Assessments
  • Assessment Sections
  • Assessment Phases
  • Findings
  • Targets
  • Finding Templates
  • Users
  • User Groups
• Added DELETE routes for the following resources:
  • Clients
  • Assessment Users
  • Findings
  • Targets
  • Finding Templates
  • User Groups
  • Documents
  • Output Files (also deletes all ‘potential findings’ and ‘potential targets’, but not findings and targets that have been imported into the assessment)

Custom Style Sheets

• Admins can now upload a custom style sheet (CSS) to customize the look of the Reporter portal. We recommend changing the primary colors, such as those used in buttons and labels, to match your organization’s branding.
• The stylesheet does not affect the online or PDF reports.

Shared Information Tab

• Added a new ‘Shared information’ tab in assessments that clients and researchers can edit. Clients can use this to share instructions and files with the researchers directly.
• Admins can add separate instructions for researchers and clients to the tab through the settings.
• The tab can be enabled and disabled for individual assessments.
• The tab is enabled by default for new assessments, not for existing assessments. You can change that default in the settings.
• Researchers receive a notification when a client updates the shared information while the assessment is in progress.

Other Additions

• Added a report customization option to insert page breaks after each finding.
• Added settings to select which tab is open in the assessment overview. There are separate settings for researchers and clients.
• The API rate limit can now be changed or removed on self-hosted Reporter instances.

Improvements

• An icon appears in the assessment tab if you have unread notifications when the ‘Researcher Briefing’ or ‘Shared Information’ has been updated. Opening the tab marks such notifications as read.
• Wide tables no longer overrun the page in the PDF report. You can control the width of columns on wide tables. For details, see the updated documentation.
• Changed the word ‘vulnerabilities’ to ‘findings’ in the ‘finding counts per severity’-component to be more consistent with the rest of the application.
• The ‘Risk’, ‘Recommendation’, and ‘Proof’ fields are no longer required.
• Findings in the ‘Search for examples’ dialog now show their original severity (and current severity if it has changed). Previously it showed the current severity, which was often ‘OK’ after a retest.
• Findings can now be filtered based on if they have retests. The filter only counts published retests.
• The display of the target search bar in an assessment has been optimized.
• Added an ‘Assigned to me’ button to the dashboard for admins to show assessments where they are assigned.
• All email addresses are now stored and displayed in lowercase.

Bugfixes

• Fixed a bug where the sections in the online report were numbered incorrectly.
• Fixed a bug where the user wasn’t properly logged out after being idle.
• Clicking a ‘Login with …’-button when already logged in now redirects to the correct page.
• Fixed a bug where linking potential findings to existing findings did not work.
• Fixed a bug where the wrong tab was sometimes opened in various places.
• Fixed a bug where inline documents were incorrectly styled in the online report.
• Fixed an issue where potential findings with CVSS scores were sorted by severity category (Critical, High, etc.) instead of score.
• Fixed an issue where the same CVE was sometimes listed multiple times for a potential finding.
• Fixed a bug where empty report customization settings could cause an exception
• Fixed an issue where the ‘finding counts by severity’ report component would run off the page with larger fonts.
• Fixed an issue where non-ASCII characters in titles were not rendered correctly in the PDF report.
• Fixed a bug where some completed assessments could be shown before pending assessments.
• Fixed a bug where a very long section title could make the researcher panel too wide.
• Fixed a bug where tildes were sometimes displayed as dashes by updating Open Sans fonts.
• … and probably more!

Security

• Fix CVE-2022-29248.

Improvements

• Add SSO configuration option for Microsoft Graph tenant ID.
• Do not show the assigned icon for a manager when the assessment status is 'Completed'.

New Summary Tables

Two new components are available to render summary tables:

Improvements

• Large output from tools is now imported more efficiently to avoid memory issues.
• The 'Pending Assessments' section on the dashboard has been renamed to 'Open Assessments'.

Requires Attention

The default value for the MAIL_ENCRYPTION setting has changed from tls to the more secure value ssl. Set the value of MAIL_ENCRYPTION to tls if your SMTP server makes use of STARTTLS. See the documentation for more information.

Continuous Assessments

A new status 'Continuous' has been added for assessments that are always open and have no specific end date and phases. This status is helpful in enabling bug bounty style assessments.

Client User Groups

Client users can now be organized in groups. These groups can be used to grant access to assessments or to assign resolvers to findings. Adding a user to a group also grants them access to findings and assessments for which that group has access, and removing a user revokes that access.

Assign Findings to Resolvers

Specific client users or groups can be assigned to a finding as resolvers. A resolver is a user responsible for fixing the finding and requesting retests for it. Resolvers are notified when they are assigned.

Access to findings can be restricted to resolvers. When this setting is enabled in an assessment, client users can only see a finding if they, or a group they belong to, is explicitly assigned as a resolver for that finding.

Other Improvements

• The tool output parsers have been updated. Several new tools are supported, and this update includes a fix so CVSS 3 strings from the Nessus output are correctly parsed.
• On the assessment show page, user icons now show more context about the role or permission of users.
• Researcher display options for an assessment have been improved. For example, only users that have been assigned to a phase can be put on the cover of the report.
• The quality of scaled images has been improved for Chromium-based browsers.
• Improved update notifications for new Reporter releases.
• Markdown headers are no longer numbered or listed in the report's table of contents.
• SMTP configuration options have been clarified.
• Simultaneous edit functionality has been improved to detect changes of the same user in other tabs or browser screens. For example, if a user has a particular finding open in several tabs, edit functionality is locked in all non-active tabs when the finding is updated.

Bugfixes

• Fixed several target filter bugs on the assessment page.
• Fixed a bug that caused forms not to lock when simultaneously editing a form when Pusher is enabled.
• Fixed several links with an incorrect filter instruction for targets.
• Fixed a bug where the default scoring system wasn't set when creating an assessment.
• Fixed a bug where expired users couldn't be removed from assessments.

Bugfixes

• Fixed an issue where file uploads not related to markdown fields were broken.
• Fixed an issue where changing the client of an assessment would cause some tasks and notifications to throw an exception.