Release notes for Canopy 3.2


This patch release contains a critical bug fix (CAN-2420) that affected Canopy 3.1.0 up to and including 3.2.0

This defect resulted in the file importer incorrectly dropping examples with the same example content but with different meta data such as ports.

Canopy will now also drop root privileges when executed as root, this could affect the usage of Canopy management commands if files have incorrect permissions.


  • [CAN-2412] - LDAP auth cache doesn’t expire
  • [CAN-2414] - Incorrect cache file permissions when running as root
  • [CAN-2417] - Unable to schedule same resource in multiple phases
  • [CAN-2420] - Importer incorrectly determines example uniqueness
  • [CAN-2422] - New report candidate reviewers don’t have reviewer permissions
  • [CAN-2423] - Fix incorrect newline to br conversion in report xml

New Feature

  • [CAN-1468] - Experimental Nipper support
  • [CAN-2416] - Support for managing custom roles via SAML2



  • Implement finding tracking across phases via Project Findings
  • Major performance improvements in permissions subsystem
  • Ability to view Canopy logs and restart services from the admin section
  • Acutentix support
  • Many refinements around Knowledge Base(KB) entries
  • Includes all changes of previous Canopy release up to and including Canopy 3.1.7

Backward incompatible changes

Report XML

  • template_finding__id is now template_finding__reference
  • All retest related sections have been changed to accommodate project findings


  • [CAN-1496] - Total opportunities and total projects summary stats missing from Company dashboard
  • [CAN-1669] - SoW creation dialog doesn’t have reference field
  • [CAN-1702] - Document status not updated on page when workflow completed
  • [CAN-1832] - Tool parsers do not preserve all data during html to md conversion
  • [CAN-1841] - EditableTitle component doesn’t handle save failures correctly
  • [CAN-2034] - Email preview ajax call is slow
  • [CAN-2194] - Selectively run workflow initialisation code based on current management command
  • [CAN-2216] - Remove width/height dimensions from img tags
  • [CAN-2222] - Tinymce fullscreen button doesn’t work correctly inside editwindows
  • [CAN-2232] - Publish to portal should only be visible if a portal is configured for the client the report/sow belongs to
  • [CAN-2234] - Scope file upload fails
  • [CAN-2243] - Logo quality lost during admin upload
  • [CAN-2261] - Remove “invalid date” from phase row renderer
  • [CAN-2273] - Changed date is not saved
  • [CAN-2278] - Importer data cleanup adds unnecessary newlines in evidence blocks
  • [CAN-2280] - Opportunity creation fails
  • [CAN-2283] - Possible bug in paging where results overlap
  • [CAN-2288] - Missing activity renderer for USER_AUTH_TOKEN_CREATE
  • [CAN-2289] - Failed tool imports are not marked as failed for errors that leave the current transaction in an error state
  • [CAN-2293] - Example.url max length of 255 is too short
  • [CAN-2295] - markdown2html function generates possibly incorrect html5
  • [CAN-2297] - Stale data cause workflow permissions checks to fail
  • [CAN-2306] - Tool importing fails when tool mappings are applied
  • [CAN-2307] - Template finding save fails with HTTP 500
  • [CAN-2308] - Creating/Editing a KB entry so that it has an existing reference results in a generic error instead of a field error
  • [CAN-2310] - SAML SSO doesn’t re-enable disabled users
  • [CAN-2312] - Session timeout pop-up renders incorrectly
  • [CAN-2317] - Permission system is not performant with large amounts of phases and users
  • [CAN-2322] - Users with kb-add permission cannot add KB entries without the kb-edit permission
  • [CAN-2323] - Analysts can view Export KB button but don’t have permission to download
  • [CAN-2324] - canopy-manage templatedocument broken
  • [CAN-2325] - Add reference button is visible to users with kb-view permission but without kb-edit
  • [CAN-2326] - Analyst users cannot create reports
  • [CAN-2327] - SAML attribute mapping fails on is_admin field
  • [CAN-2331] - Deadlock in permission cache generation
  • [CAN-2332] - syncfixtures fails on settings with conflicting names (setting.setting)
  • [CAN-2333] - Canopy incorrectly assumes responseText is available on ajax response objects (Extjs > 6.2)
  • [CAN-2334] - Fix permissions for KB item reference permissions
  • [CAN-2335] - Project’s add contact window doesn’t show contacts for analyst users with admin on project
  • [CAN-2337] - Settings are only readable by admin users
  • [CAN-2341] - Project deletion fails when a ProjectFinding has multiple versions
  • [CAN-2351] - Email addresses are parsed incorrectly for to/cc/bcc recipients
  • [CAN-2353] - Opportunity list does not display date information
  • [CAN-2368] - KB endpoint returns HTTP 400 on creation/editing of KB entries
  • [CAN-2373] - SOW_DOCUMENT_STATUS field does not exist
  • [CAN-2377] - Single phase reference should not include the .1
  • [CAN-2378] - Creating a project from a SoW returns successful but fails to create due to reference uniqueness condition
  • [CAN-2380] - Phase contact UI shows role as required
  • [CAN-2388] - Custom xLSX template does not convert HTML for rendering in cells
  • [CAN-2403] - XSS in skills combobox on user profile view
  • [CAN-2406] - Email report notifications sent only for completed reports
  • [CAN-2407] - Notification message edits are not preserved during notification sending
  • [CAN-2408] - PR Required notification does not work when template is modified to include action.user_name field

New Feature

  • [CAN-1828] - Custom Classifications
  • [CAN-2101] - Previous findings in report XML
  • [CAN-2256] - Allow project findings in retest dialog to be filtered by phase
  • [CAN-2259] - Creation of retest phase from an existing phase’s view
  • [CAN-2260] - Allow copy of project finding(s) into the current phase
  • [CAN-2320] - Add ability to create/delete Canopy settings via admin UI
  • [CAN-2367] - Allow admin users to restart canopy commands and view/download canopy logs from the admin UI
  • [CAN-2372] - SoW file format synchronisation filter required


  • [CAN-2251] - Rename message template email.phase_daily_update to email.phase_progress_update
  • [CAN-1572] - Support burp reference data
  • [CAN-1879] - Default phase creation
  • [CAN-1928] - Hide report workflow buttons for actions that a user is not authorised to take
  • [CAN-1935] - Migrate or remove Canopy 2 API endpoints
  • [CAN-1939] - Ability to set custom fields as required
  • [CAN-1949] - Warn before sending email before preview
  • [CAN-2163] - Add missing report/SoW substitution variables
  • [CAN-2165] - Add a reference field to KB to allow for unique ID assignment
  • [CAN-2166] - Mark KB findings as deprecated
  • [CAN-2233] - Publish to portal permission
  • [CAN-2257] - Retest dialog: Pre-filter project findings list to only open and partially resolved project findings
  • [CAN-2258] - Display project finding’s latest phase in project findings list
  • [CAN-2316] - Project findings XML should include the first and last phase info
  • [CAN-2318] - Project findings plugin order by CVSS
  • [CAN-2339] - Include more data in re-test finding copying
  • [CAN-2343] - Output template_finding__reference in Report XML
  • [CAN-2347] - Project centre column change to tabs
  • [CAN-2350] - Employee ID field on UserProfile and Contact models
  • [CAN-2352] - Users want to be able to determine which examples should be considered ‘primary’
  • [CAN-2355] - Expand KB item filter fields
  • [CAN-2356] - Display and order KB items by associated findings count
  • [CAN-2357] - Display user who created/approved KB item in KB item view
  • [CAN-2362] - Add KB filter button on approved status
  • [CAN-2363] - Add KB list column for date modified
  • [CAN-2365] - Automatically select search field in “Add from KB” dialog
  • [CAN-2375] - Map scope days to test days from phase_scope to phase
  • [CAN-2379] - Copy SoW contacts to phase contacts
  • [CAN-2387] - Report download XLSX option should use custom XLSX template