Release notes for Canopy 3.10

Upgrading steps.

3.10.6 (2024-07-12)

This patch release addresses two security issues and a number of bugs around the report view and permission caching.

Upgrading is strongly recommended for security and performance reasons.

Note: CVEs have been requested for the two security issues and will be added here once they are assigned.

Datastore API phase insecure access controls

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (6.5 - Medium)

The Datastore API allows users to export data from Canopy. The phase handler did not check permissions correctly on the phase objects, which could allow an authenticated malicious user to gain access to findings in phases they did not have access to.

This issue was introduced in Canopy 3.9.0 and affects all versions up to 3.10.5.
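The bug class described above, as an added illustration (not Canopy's code; all names are hypothetical): an export handler that only checks that the caller is logged in, beside one that enforces permission on each phase object it returns.

```python
# Added illustration (not Canopy's code) of the bug class described above: an
# export handler that authenticates the caller but never checks per-object
# permission on the phases it returns. All names here are hypothetical.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Phase:
    id: int
    project_id: int
    findings: tuple

@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool
    project_ids: frozenset = field(default_factory=frozenset)  # readable projects

class Forbidden(Exception):
    pass

def can_view_phase(user: User, phase: Phase) -> bool:
    """Object-level check: the caller must be able to read the phase's project."""
    return user.authenticated and phase.project_id in user.project_ids

def export_phases_vulnerable(user: User, phases, requested_ids):
    """Only authentication is checked, so any logged-in user can export
    findings from every phase id they name in the request."""
    if not user.authenticated:
        raise Forbidden("login required")
    return {p.id: p.findings for p in phases if p.id in requested_ids}

def export_phases_fixed(user: User, phases, requested_ids):
    """Enforce permission per phase object. Phases the caller may not read are
    treated as if they did not exist, so the response also does not confirm
    that a guessed id is valid."""
    if not user.authenticated:
        raise Forbidden("login required")
    return {p.id: p.findings for p in phases
            if p.id in requested_ids and can_view_phase(user, p)}

# Constructed sample data: alice may read project 10 only.
PHASES = (Phase(1, 10, ("finding A",)), Phase(2, 20, ("finding B",)))
ALICE = User("alice", True, frozenset({10}))

if __name__ == "__main__":
    print(export_phases_vulnerable(ALICE, PHASES, {1, 2}))  # leaks phase 2
    print(export_phases_fixed(ALICE, PHASES, {1, 2}))       # phase 1 only
```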

Stored/Persistent Cross-site Scripting (XSS) in Comment activity log

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N (6.4 - Medium)

Canopy failed to apply sufficient sanitisation to markdown returned by the turndown library, which could expose a user to XSS via the Comment activity log entry.

This issue was introduced in Canopy 3.10.5 and only affects version 3.10.5.

Bug

  • [CAN-3548] get_ui_events event results in permissions cache invalidation

  • [CAN-3552] Report view fails to load when user doesn’t have project access

  • [CAN-3553] Recent Reports endpoint result doesn’t overlap with the set of reports the user has access to

  • [CAN-3554] Datastore API phase endpoint fails to enforce per-object permissions

  • [CAN-3555] Comment activity log entries fail to sanitise comment bodies

Improvement

  • [CAN-3558] Increase permissions cache timeout from 1min to 5min

  • [CAN-3560] Improve permissions cache to handle more edge cases

3.10.5 (2024-04-26)

This is a minor patch release addressing a small regression introduced in the previous release (3.10.4).

Users who had conditionals in their reports that check for empty elements may have been affected.

This would also have visually affected how null values are represented in reports.

Bug

  • [CAN-3531] Report XML contains “None” string values instead of empty strings/elements where it previously did not

  • [CAN-3532] Frontend validation on project creation view did not report field errors in toast notification

3.10.4 (2024-04-19)

This patch release addresses a number of bugs. Upgrading is recommended.

The patch release also introduces text patterns. These allow for quicker formatting of content, without the need to use the toolbar. The following text patterns are currently supported:

  • Italic is supported by wrapping text in a single *

  • Bold is supported by wrapping text in a double **

  • Unordered lists can be inserted by adding a * or - followed by text and a new line

  • Ordered lists (numeric and lower-roman) can be inserted by adding a 1. or a i. followed by text and a new line
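The text patterns listed above, as an added Python converter (not Canopy's editor code): input is HTML-escaped before the patterns are applied so that typed markup never becomes live HTML, and, going beyond the page, later lines with numeric or roman prefixes are treated as continuing an ordered list.

```python
# Added example (not Canopy's code): a converter for the text patterns listed
# above. Input is HTML-escaped first so only the patterns produce tags.
import html
import re

BOLD = re.compile(r"\*\*(.+?)\*\*")
ITALIC = re.compile(r"\*(.+?)\*")
UNORDERED = re.compile(r"^[*-] (.+)$")     # "* text" or "- text"
NUMERIC = re.compile(r"^\d+\. (.+)$")      # "1. text" (and later items)
ROMAN = re.compile(r"^[ivx]+\. (.+)$")     # "i. text" (and later items)
OPEN = {"ul": "<ul>", "ol": "<ol>", "ol-roman": '<ol type="i">'}
CLOSE = {"ul": "</ul>", "ol": "</ol>", "ol-roman": "</ol>"}

def inline(text: str) -> str:
    """Apply bold before italic so ** is not consumed as two single markers."""
    text = BOLD.sub(r"<strong>\1</strong>", text)
    return ITALIC.sub(r"<em>\1</em>", text)

def classify(line: str):
    """Return (list kind, item text) for list lines, else (None, line)."""
    for kind, pat in (("ul", UNORDERED), ("ol", NUMERIC), ("ol-roman", ROMAN)):
        m = pat.match(line)
        if m:
            return kind, m.group(1)
    return None, line

def convert(text: str) -> str:
    out, open_kind = [], None
    for raw in text.splitlines():
        kind, body = classify(html.escape(raw, quote=True))
        if kind != open_kind:        # list kind changed: close old, open new
            if open_kind:
                out.append(CLOSE[open_kind])
            if kind:
                out.append(OPEN[kind])
            open_kind = kind
        if kind:
            out.append(f"<li>{inline(body)}</li>")
        elif body:
            out.append(f"<p>{inline(body)}</p>")
    if open_kind:
        out.append(CLOSE[open_kind])
    return "".join(out)

# Constructed sample input exercising every pattern plus a hostile tag.
SAMPLE = ("Summary: *risk* is **high**\n* first <b>item</b>\n- second\n"
          "1. one\n2. two\ni. alpha\nii. beta")

if __name__ == "__main__":
    print(convert(SAMPLE))
```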

Bug

  • [CAN-3514] Null and control characters break XML and XLSX generation

  • [CAN-3515] Too many open files errors

  • [CAN-3518] Field configuration endpoints generate too many queries

  • [CAN-3519] Comments view does not handle “wide” content correctly

  • [CAN-3520] Report view project description field missing

  • [CAN-3521] Finding’s Insert Images modal lists non-image files

  • [CAN-3523] Phase uploads from pasted images have the same name

  • [CAN-3524] React bundle gets cached by browser across updates

  • [CAN-3525] Phase uploads of xlsx files that aren’t Canopy XLSX files result in a processing error

  • [CAN-3527] Comment notification sometimes fails on invalid anchor tags

  • [CAN-3528] XLSX parser doesn’t handle checkbox fields

  • [CAN-3529] Activity log renders comments as bare html

New Feature

  • [CAN-3526] Text pattern support in rich text fields

3.10.3 (2024-02-23)

This patch release addresses a few minor bugs; upgrading is recommended.

Bug

  • [CAN-3494] Some UI components sometimes fail with “Maximum update depth exceeded”

  • [CAN-3501] Tool importer removes anchor tags

  • [CAN-3502] Remote User authentication fails when creating users

  • [CAN-3503] Frontend exception occurs when editing cvss3 field without cvss version string

  • [CAN-3505] Missing distribution list in SoW XML

  • [CAN-3507] Upgrading is very slow during Version Foreign key cache generation step

  • [CAN-3508] Correct sorting order of findings where cvss scores were reversed

Improvement

  • [CAN-3510] Examples are set to output in reports by default

3.10.2 (2023-12-20)

This patch release addresses a number of bugs introduced during the front-end improvements made in 3.10. Upgrading is recommended.

This patch release also contains a schema migration. However, it only affects Oracle users.

Bug

  • [CAN-3490] Existing examples cannot be saved

  • [CAN-3491] Field configurations are not applied to finding view

  • [CAN-3492] custom_rating_sum field type change fails on Oracle

  • [CAN-3493] Missing translations from new finding view

  • [CAN-3496] Comments cannot be resolved as tech managers

3.10.1 (2023-12-07)

Canopy 3.10.1 is a patch release that incorporates the changes from Canopy 3.9.3, see Release notes for Canopy 3.9. Upgrading is recommended.

Canopy 3.9.3 had two notable changes:

  • XLSX templates preserve existing formulas

  • Project/Phase/Report deletion was removed from their list views. Deleting those objects is now only possible via their primary views.

Additionally, the following 3.10.x-specific issue was addressed:

Bug

  • [CAN-3486] Pastes are reverted in Rich Text elements

3.10.0 (2023-11-10)

Canopy 3.10.0 is a small feature release.

We are continuing our theme of improvements around QA and collaboration. This release sees the addition of Threaded Commenting. Threaded comments allow users to have a conversation, rather than simply leaving one-off comments. This will help improve the QA process on teams.

Canopy’s installation process now offers the creation of the initial admin user via the UI. This is another step in making the onboarding process simpler for new Canopy deployments. Existing users will not be affected by this change.

We have also added improved health checks for the /health endpoint. The default config values are:

  • HEALTH_DISK_USAGE_MAX is 90%

  • HEALTH_MEMORY_MIN is 100MB

These can be overridden in /etc/canopy/canopy.ini if required.

We changed the custom_rating_sum field to support decimal values; this may improve sorting accuracy for clients using custom rating systems.

Epic

  • [CAN-3429] Threaded commenting

Task

  • [CAN-3330] Integrate forked marrow mailer

  • [CAN-3461] Expand health endpoint checks to include disk space and free memory

Bug

  • [CAN-3203] History endpoint fails on invalid custom_rating_sum values

  • [CAN-3426] Non-nullable fields with blank=True bypass initial validation

  • [CAN-3478] Download template fails under report templates

Improvement

  • [CAN-3435] Allow the user to create an admin user via the UI if no users exist.

Older releases