Release notes for Canopy 3.11¶
Upgrading steps.
3.11.1 (2025-06-05)¶
This patch release address small but important issues that can result in images being missing from reports.
If after the upgrade there are still images missing from reports then the workaround is to remove the image and add it again.
Bugs¶
[CAN-3854] Reports have missing images
[CAN-3865] Image selection dialog doesn’t show existing images
[CAN-3867] Circular grant detection triggers on non-circular multipaths
3.11.0 (2025-05-23)¶
*And we’re back…*
It’s been a while, but hopefully good things come to those who wait! We’ve spent the last few months paying down some accrued technical debt. The benefit of this will be a better developer experience, which will mean faster feature releases and improved quality. We felt this was a necessary step to take at this stage of our maturity.
Thank you for your continued support and valuable feedback.
Not everything in this release is related to technical debt! We do have some exciting new features that many of you have been asking for :)
New Feature: Selection-based Commenting¶
Many of our users have requested improvements related to QA/review capabilities within Canopy.
With the addition of selection-based commenting, users can now highlight text in rich text fields, and tag a comment on the selection. This allows users to comment more precisely, which greatly helps teams with their review process using Canopy.
For further information, see:
Single-click comment resolution¶
We have also made it easier to resolve (and reopen) comment threads. Simply click on the “tick” icon to resolve with one click. Reopening is also a single click.
New Feature: CVSS4 support¶
Canopy now supports CVSSv4 - yay! You can use it on Findings and Template Findings. If you don’t plan to use CVSS4 yet, and want to hide it in Canopy’s UI, you can create a field configuration to hide it. For further information on field configurations, see:
Field sets and Field configurations
Canopy will continue to support CVSSv2, CVSSv3 and CVSSv3.1.
Updates: Supported operating system and dependency changes¶
With this release the list of supported distributions changes to:
Ubuntu 20.04/22.04/24.04
Red Hat/Rocky/Alma Linux 8/9
We have also added support for PostgreSQL version to 12 and higher.
It should also be noted that we have dropped support for:
Ubuntu releases < 20.04
RedHat 7.x
MS SQL Server
Oracle (new installations)
PostgreSQL < 12
The changes in database back-end support relate to our focus on providing features and management support around the best combination of software. Continuing to support both of these database servers would prevent us from building out new and improved features around data management.
Epics¶
[CAN-3504] CVSS4 support. Includes other CVSS improvements.
[CAN-3568] Remove disk based permissions cache
[CAN-3570] Selection-based commenting and other commenting improvements
Bugs¶
[CAN-3357] Frontend error endpoint should log new data being sent by frontend
[CAN-3390] Comments in activity log render as escaped HTML
[CAN-3498] (react) Conflict resolution gets into loop
[CAN-3513] (react) When a Generated Report is selected, the refresh button reloads the wrong endpoint
[CAN-3517] (react) Example body cannot be cleared
[CAN-3521] (react) Finding’s Insert Images modal lists non-image files
[CAN-3536] Custom rating plugins can’t set custom fields
[CAN-3538] xmlsec1-openssl dependency is not installed on RHEL8+
[CAN-3586] Grouped findings result in incorrect counts related to assets
[CAN-3588] (react) Click-out on rich text fields prevents use of tinymce modals
[CAN-3597] (react) Scoping questionnaire template breadcrump is incorrect
[CAN-3598] SoW XML number fields strip zeros
[CAN-3600] Unable to add multiple template findings on ExtJS and React
[CAN-3606] (react) Zod error on finding view (history)
[CAN-3611] (react) Verbose error displayed when clearing and entering asset on Example view
[CAN-3614] KB filtering by rating doesn’t work
[CAN-3616] Evaluate if canopy/libs/models/reversion/adhoc_fix.py is still required or needs updating
[CAN-3617] Direct Report XML downloading from results in filename with leading/trailing underscores
[CAN-3623] (react) Conflict resolution modal is not usable when wide content used
[CAN-3631] KB Import fails when it needs to create categories/attack classes
[CAN-3653] React breadcrumb text overflow
[CAN-3659] XLSX invalid character stripping doesn’t handle certain value types
[CAN-3668] (react) Phase view finding grid toolbars missing
[CAN-3669] Finding endpoint allows the updating of fields that should be immutable
[CAN-3670] Excel formulas don’t translate when rows are repeated
[CAN-3682] KB importing doesn’t handle certain combinations of references gracefully
[CAN-3685] Retest/Add from Project edge case failures
[CAN-3686] (react) Finding Reference creation from existing template doesn’t populate template_taxonomy_item in PUT
[CAN-3714] Jira ticket tracker’s getinfo action results in an error
[CAN-3719] Tool imports use different ProjectFinding references
[CAN-3737] Burp importer fails on false positive
[CAN-3758] File upload filter not working: Opportunities/Scope
[CAN-3796] Access control API endpoint allows creation of ACLs with invalid roles
[CAN-3815] TinyMCE insert Image plugin displays and inserts tiny images
[CAN-3821] draw_permissions management command failing
[CAN-3824] (react) Questionnaire template options not showing before field interaction on edit
[CAN-3842] CVSS 3 calculator has invalid None value for MI
Improvements¶
[CAN-1383] Celery tasks run before transaction are committed
[CAN-3535] Ubuntu 24.04 support
[CAN-3564] Hide username/password entry on login page when SSO is enabled
[CAN-3609] Example edit modal layout change to incorporate Comments better
[CAN-3647] Optimize report workflow queries
[CAN-3742] Example plugin for scatter/bubble chart