Release notes for Canopy 3.7

3.7.4 (2022-09-09)

This patch release adds CVSS3 support to the Nessus parser and improves its robustness with importing Nessus files from other tools.

This release also adds Ubuntu 22.04 support.


  • [CAN-3083] Missing fields on methodology items in report xml

  • [CAN-3093] Phase uploads generates exception with encrypted zips

  • [CAN-3104] Nessus parser fails on 3rd party exports

  • [CAN-3105] Empty files are generated when xlsx generation fails

  • [CAN-3107] Missing images from generated reports


  • [CAN-3091] Nessus parser support for CVSS3

3.7.3 (2022-07-15)

This is a patch release that addresses a number of bugs reported to us by users and identified during internal QA. The most serious issue [CAN-3062] addressed relates to invalid data in generated Word documents, due to incorrectly escaped HTML in substitution variables.


  • [CAN-3004] Phase filtering on re-test finding selection view is not working

  • [CAN-3054] Unable to add content when creating text field type in the template document editor (reports/SoWs).

  • [CAN-3062] Substitution variables are not escaped when inserted into html

  • [CAN-3067] TinyMCE editor doesn’t honour custom contentStyles on report view

  • [CAN-3072] sync_generated_report_task fails if no portal is defined/enabled

  • [CAN-3074] Project finding endpoint is inefficient

  • [CAN-3082] Report version incrementing halts at 0.10


  • [CAN-3080] Vendor reversion’s createinitialversions management command and adapt it for Oracle issues

3.7.2 (2022-04-25)

Patch release that corrects a few more UI issues introduced in 3.7.0


  • [CAN-3034] React API calls ignore paging requirements. This affected many dialogs under Reports.

  • [CAN-3043] Project/Opportunity deletion fails from project/opportunity list

3.7.1 (2022-04-06)

Patch release that corrects a few UI issues introduced in 3.7.0 and an older issue with the templatedocument management command.

The templatedocument management command can now more easily be used to import/export and duplicate Report/SoW templates.


  • [CAN-2940] Download XML button leads to multiple “spinners” in the “Generate Report” modal popup

  • [CAN-2951] Incorrect validation handling on the Report/SoW Template Edit form

  • [CAN-3013] Report edit dialog raises error when one of the authors is deactivated

  • [CAN-3015] usergridfilter generates exception when user has null name

  • [CAN-3020] Report classifications are not sourced from the backend

  • [CAN-3029] canopy-manage templatedocument throws RuntimeError: dictionary keys changed during iteration when importing templates

3.7.0 (2022-03-11)

Note: Includes all changes from Canopy 3.6.3 and earlier.

The 3.7.0 release adds a number of new features and improvements, as follows:

User repeatable report/sow sections

It is now possible to add sections to reports and SoWs that allow for 1-many entries. This is useful for non-automated sections, where a user might need to add multiple similar sections. For example, one of the conceived use cases is for red team reports where multiple attack scenarios need to be considered. As these are typically bespoke sections to a report, but often have similar structures, the repeatable sections (in this case in a report) could be used to add one or more attack paths to a report.

Additionally, report/sow sections can now be reordered on the template view.

Builtin Analytics: Vulnerability Dashboard

Our builtin analytics section now has a vulnerability dashboard that allows users to get a high level overview of findings and how they appear across their clients.

We’ve also added a management command for running built-in and custom analytic reports via the command line (if command line automation is required).

Searching and filtering improvements

It is now possible to search and filter on many of the top level table views. For example, if you want to search across a set of projects within a given date range, this is now possible.

Finding file attachments

Initial support for attaching files to findings has been added. It was already possible to link images to findings. However, in other cases (e.g. audit-type projects), evidence may be collected via other files (e.g. PDFs) that need to be stored alongside findings. Initial support for this is now possible.

CVSS v3.1 support

CVSS v3.1 support is now available. Canopy will continue to default to 3.0 at the moment (i.e. for tool importers, unless the tool instructs Canopy to behave differently). If you want to override the tool importers to default to 3.1 calculations when a version 3 vector is provided, please contact

We’ve also added a new sample plugin for CVSS3 chart generation in reports.

JavaScript migration

We’ve finally started our migration to ReactJS. This is mostly a technical debt issue, but it’s worth pointing it out in case you or your users notice any changes.

The first sections that have been replaced are:

  • Report view/edit

  • Report template view/edit

  • SoW view/edit

  • SoW template view/edit

Future releases we will gradually move all of our front-end code base to ReactJS. This may lead to some minor differences in the look and feel in the early stages, but over time we will be redesigning the overall design.


  • [CAN-2404] Project finding totals should now take re-testing into consideration

  • [CAN-2828] Increase user’s name field length to 128 characters

  • [CAN-2998] Change analytics endpoint name to prevent it being flagged by ad-blockers


  • [CAN-2775] Add KB finding doesn’t link it to relevant methodology item

  • [CAN-2811] Saving a report can result in HTTP 500 when phases require skills which are unmet

  • [CAN-2842] Template Report/Sow deletion can result in error if title is too long

  • [CAN-2873] Report csv download contains full path in filename

  • [CAN-2882] Backend API filtering incorrectly detects model fields as custom fields

  • [CAN-2883] Mapping XML postprocessors are executed before custom fields are inserted

Breaking Changes

  • Project finding stats now operate the latests versions of retested findings

  • /api/analytics/ API namespace was renamed to /api/analyticreports/ (due to ad blockers automatically blocking such calls due to its commonality amongst trackers). e.g. /api/analytics/reports/ becomes /api/analyticreports/report/

  • Removed issue flag on comments, all comments can be marked as unresolved/resolved now.

Older releases