Canopy

Release notes for Canopy 3.3

3.3.4 (High severity security update)

This patch release addresses a remote code execution vulnerability discovered in Canopy’s email template system.

An authenticated user with write access to a phase could execute arbitrary code as the canopy user on the host system.

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8 - High)

Bug

  • [CAN-2678] - Message templates are not using sandboxed jinja2 environment

  • [CAN-2680] - Asset sorting fails on strings that contain :// but are not valid URIs

3.3.3

This patch release includes multiple performance enhancements, and our bundled Python was updated to the latest 3.7 release for security reasons.

Bug

  • [CAN-2633] - User unable to resolve comments they have added

  • [CAN-2636] - Cannot update methodology instances

  • [CAN-2637] - Cannot save finding with control characters in rich text fields

3.3.2

This patch release addresses a single defect where certain asset values would trigger a failure condition during asset sorting, resulting in a substantial loss of functionality.

Bug

  • [CAN-2626] - Asset sorting doesn’t handle invalid data

3.3.1

This is a patch release which addresses the most significant bugs that have been reported to us since the 3.3.0 release.

It also makes some improvements to our report and statement of work XML outputs, adding more data points for user-related objects (e.g. the account manager, tech lead).

New tool support: WebInspect

We had a recent request for WebInspect support. This has now been included in the standard parsers. Support has been added for the XML Vulnerabilities scan data export. For information on exporting scan details from WebInspect, see:

https://www.microfocus.com/documentation/fortify-webinspect/2010/WI_Help_20.1.0/index.htm#Export_Scan_Details.html

API failure handling

We have added more functionality to Canopy to help with debugging of API calls. Now all API requests and failures are logged for analysis.

Bug

  • [CAN-2559] - Disable import button until record in table selected

  • [CAN-2560] - Phase scope defaults when created from requests

  • [CAN-2597] - Partial sync failures are reported incorrectly

  • [CAN-2608] - Substitution values are not applied in XLSX download

  • [CAN-2616] - Burp evidence incorrectly formatted

  • [CAN-2617] - Missing XML data points for the user objects

  • [CAN-2623] - Contact import save handler doesn’t fire

New Feature

  • [CAN-2611] - WebInspect parser

Improvement

  • [CAN-2561] - Log failed API calls

  • [CAN-2562] - Allow caching of uploaded images

3.3.0

Overview

Canopy 3.3.0 is both a feature release and a significant technical debt reduction release. Our migration to python 3 is now complete. We also took the opportunity to upgrade a number of dependencies, overall improving the stability and long term support for Canopy 3.3.0 and beyond. We will be adding RHEL 8 and Ubuntu 20.04 LTS support to our build solution soon. Stay tuned.

We have also added support to Canopy for integration with the Pentest Portal 1.0.0 release.

Highlights: New features and improvements

Portal support

Canopy’s Pentest Portal add-on is now at version 1.0.0. The Pentest Portal is a significant step forward in managing pentests and security assessments, delivering our vision of a full end-to-end web based workflow for managing security assessments from start to finish.

Canopy can be used to support the workflow around the Pentest Portal, pushing configuration data (form fields, questionnaires, etc.) as well as assessment related data (findings and reports).

For information on the Pentest Portal, please contact us at: hola@checksec.com

OpenID Connect support

With the growing adoption of OAuth 2.0, we’ve added support for OpenID Connect. Expanding on our support for centralised authentication and single sign-on approaches, the introduction of OpenID Connect allows API-friendly management of authentication. If you have to follow a policy of strict rules around token management and APIs, our OpenID Connect support has you covered.

For background information on OpenID Connect, see: https://openid.net/connect/

For information on configuring OpenID Connect in Canopy, see OpenID Connect Authentication

Extended custom field support

Our users need more control over their Canopy environments. As such, we’ve extended our custom field support.

Custom fields can also be synced to the Pentest Portal, with a per-Portal field configuration possible. We’ve also added the ability to override field defaults, such as making fields mandatory (or not), relabelling fields, and so on. This gives our users greater control over both their Canopy and Pentest Portal configurations.

Analytics reports (beta)

Support for custom analytics reports has been added. This is the first step on Canopy’s journey to provide you with better insight into the data Canopy is responsible for.

Additional/Improved tool support

We’ve added support for the following tools:

  • Netsparker Cloud

Backward incompatible changes

  • Canopy is now Python 3 only and existing plugins need to be updated.

Report Mapping XML

  • Added date_created/modified fields to all possible sections

  • Added finding blocks to Methodology items and Methodology item blocks to findings

  • Added missing external_id fields for Contact/Users

SoW Mapping XML

  • Added date_created/modified fields to all possible sections

  • Added Opportunity Requester section