Release notes for Canopy 3.10

Upgrading steps.

3.10.7 (2024-08-07)

This patch release addresses a regression introduced in 3.10.6. The bug prevented editing of the table component in the report section of the UI.

The release also corrects some minor visual issues in the report section. Certain action buttons rendered when the user did not have access to them. The backend enforced the correct permissions, irrespective of which actions (buttons) rendered.

Bug

• [CAN-3582] Permissions are incorrectly enforced on report section’s actions

• [CAN-3584] Report tables beyond the first don’t render correctly

3.10.6 (2024-07-12)

This patch release address two security issues and a number of bugs around the report view, and permission caching.

Upgrading is strongly recommended for security and performance reasons.

Note: CVEs have been requested for the two security issues and will be added here once they are assigned.

Datastore API phase insecure access controls

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (6.5 - Medium)

The Dataview API allows users to export data from Canopy. The phase handler did not check permissions correctly on the phase objects, which could allow an authenticated malicious user to gain access to findings in phases they did not have access to.

This issue was introduced in Canopy 3.9.0 and affects all versions up to 3.10.5.

Stored/Persistent Cross-site Scripting (XSS) in Comment activity log

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N (6.4 - Medium)

Canopy failed to apply sufficient sanitisation to markdown returned by the turndown library, which could expose a user to XSS via the Comment activity log entry.

This issue was introduced in Canopy 3.10.5 and only affects version 3,10.5.

Bug

• [CAN-3548] get_ui_events event results in permissions cache invalidation

• [CAN-3552] Report view fails to load when user doesn’t have project access

• [CAN-3553] Recent Reports endpoint result doesn’t overlap with the set of reports the user has access to

• [CAN-3554] Datastore API phase endpoint fail to enforce per object permissions

• [CAN-3555] Comment activity log entries fail to santinise comment bodies

Improvement

• [CAN-3558] Increase permissions cache timeout from 1min to 5min

• [CAN-3560] Improve permissions cache to handle more edge cases

3.10.5 (2024-04-26)

This is a minor patch release addressing a small regression introduced in the previous release (3.10.4).

Users which had conditionals in their reports that check for empty elements may have been affected.

This would also have visually affected how null values are represented in reports.

Bug

• [CAN-3531] Report XML contains “None” string values instead of empty strings/elements where it previously did not

• [CAN-3532] Frontend validation on project creation view did not report field errors in toast notification

3.10.4 (2024-04-19)

This patch release addresses a number of bugs. Upgrading is recommended.

The patch release also introduces text patterns. These allow for quicker formatting of content, without the need to use the toolbar. The following text patterns are currently supported:

• Italic is supported by wrapping text in single *

• Bold is supported by wrapping text in double **

• Unordered lists can be inserted by adding a * or - followed by text and a new line

• Ordered lists (numeric and lower-roman) can be inserted by adding a 1. or a i. followed by text and a new line

Bug

• [CAN-3514] Null and control characters break XML and XLSX generation

• [CAN-3515] Too many open files errors

• [CAN-3518] Field configuration endpoints generate too many queries

• [CAN-3519] Comments view does not handle “wide” content correctly

• [CAN-3520] Report view project description field missing

• [CAN-3521] Finding’s Insert Images modal lists non-image files

• [CAN-3523] Phase uploads from pasted images have the same name

• [CAN-3524] React bundle gets cached by browser across updates

• [CAN-3525] Phase uploads of xlsx files that aren’t Canopy XLSX files result in a processing error

• [CAN-3527] Comment notification sometimes fails on invalid anchor tags

• [CAN-3528] XLSX parser doesn’t handle checkbox fields

• [CAN-3529] Activity log renders comments as bare html

New Feature

• [CAN-3526] Text pattern support in rich text fields

3.10.3 (2024-02-23)

The patch release addresses a few minor bugs and upgrading is recommended.

Bug

• [CAN-3494] Some UI components sometimes fail with “Maximum update depth exceeded”

• [CAN-3501] Tool importer removes anchor tags

• [CAN-3502] Remote User authentication fails when creating users

• [CAN-3503] Frontend exception occurs when editing cvss3 field without cvss version string

• [CAN-3505] Missing distribution list in SoW XML

• [CAN-3507] Upgrading is very slow during Version Foreign key cache generation step

• [CAN-3508] Correct sorting order of findings where cvss scores were reversed

Improvement

• [CAN-3510] Examples are set to output in reports by default

3.10.2 (2023-12-20)

The patch release addresses a number of bugs introduced during front-end improvements that were made in 3.10. Upgrading is recommended.

This patch release also contains a schema migration. However, it only affects Oracle users.

Bug

• [CAN-3490] Existing examples cannot be saved

• [CAN-3491] Field configurations are not applied to finding view

• [CAN-3492] custom_rating_sum field type change fails on Oracle

• [CAN-3493] Missing translations from new finding view

• [CAN-3496] Comments cannot be resolved as tech managers

3.10.1 (2023-12-07)

Canopy 3.10.1 is a patch release that incorporates the changes from Canopy 3.9.3, see Release notes for Canopy 3.9. Upgrading is recommended.

Canopy 3.9.3 had two notable changes:

• XLSX templates preserve existing formulas

• Project/Phase/Report deletion was removed from their list views. Deletion is of those objects are now only possible via their primary views.

Additionally, the following Canopy 3.10.x specific issue was also addressed:

Bug

• [CAN-3486] Pastes are reverted in Rich Text elements

3.10.0 (2023-11-10)

Canopy 3.10.0 is a small feature release.

We are continuing our theme of improvements around QA and collaboration. This release sees the addition of Threaded Commenting. Threaded comments allows users to have a conversation, rather than simply leaving one-off comments. This will help improve the QA process on teams.

Canopy’s installation process now offers the creation of the initial admin user via the UI. This is another step in making the onboarding process simpler for new Canopy deployments. Existing users will not be affected by this change.

We have also added improved health checks for the /health endpoint. The default config values are:

• HEALTH_DISK_USAGE_MAX is 90%

• HEALTH_MEMORY_MIN is 100MB

These can be overridden in /etc/canopy/canopy.ini if required.

We changed the custom_rating_sum field to support decimal values, this might improve the sorting accuracy for clients using custom rating systems.

Epic

• [CAN-3429] Threaded commenting

Task

• [CAN-3330] Integrate forked marrow mailer

• [CAN-3461] Expand health endpoint checks to include disk space and free memory

Bug

• [CAN-3203] History endpoint fails on invalid custom_rating_sum values

• [CAN-3426] Non-nullable fields with blank=True bypass initial validation

• [CAN-3478] Download template fails under report templates

Improvement

• [CAN-3435] Allow the user to create an admin user via the UI if no users exist.

Older releases

• Release notes for Canopy 3.9
• Release notes for Canopy 3.8
• Release notes for Canopy 3.7
• Release notes for Canopy 3.6
• Release notes for Canopy 3.5
• Release notes for Canopy 3.4
• Release notes for Canopy 3.3
• Release notes for Canopy 3.2
• Release notes for Canopy 3.1