Release notes for Canopy 3.4

3.4.2

This patch release addresses a number of small issues and includes security updates to our dependencies.

Noteworthy changes

  • Canopy’s bundled Python and other dependencies have been upgraded in response to publicly disclosed security vulnerabilities. Our analysis indicated that the disclosed issues were unlikely to affect Canopy; the upgrade is being done as a precaution.

  • An issue that caused email sending over TLS/SSL/STARTTLS to fail has been corrected (CAN-2689).

  • Validation of the TINYMCE_STYLE_FORMATS setting has been improved. Invalid JSON now results in an error being returned and logged by the canopy service, and the “Formats” menu item in the WYSIWYG editor displays a warning if invalid JSON is detected. If either is reported, check that the TINYMCE_STYLE_FORMATS setting (Admin → Settings) contains valid JSON. See also CAN-1816 below, which concerns the same setting.

Bug

  • [CAN-2713] Asset deletion from asset view fails

  • [CAN-2712] SAML2 authentication backend integration is partially broken due to dependency upgrade

  • [CAN-2709] Phase stats updating runs too often when manipulating findings/assets

  • [CAN-2706] Adding finding from KB doesn’t set finding source

  • [CAN-2705] Adding an asset via an example to a finding doesn’t update asset/phase stats

  • [CAN-2704] Finding copy/move doesn’t trigger stats updating on assets/phase/project

  • [CAN-2697] Nessus parser incorrectly drops examples with no body

  • [CAN-2696] Copy/Paste logic in CVSS editors does not check if the copy/paste API is available

  • [CAN-2689] Email sending over TLS fails

  • [CAN-2685] Moving/Copying findings to other phases results in finding not being visible

  • [CAN-2401] Finding list view shows no source when source is manual

  • [CAN-1816] Potential XSS in TINYMCE_STYLE_FORMATS setting

Improvement

  • [CAN-2655] Sync Finding custom field values to Portal

  • [CAN-1466] Hide report/SoW edit buttons for users with read-only access

3.4.1 (High severity security update)

This patch release addresses a remote code execution vulnerability discovered in Canopy’s email template system.

An authenticated user with write access to a phase was able to execute arbitrary code as the canopy user on the host system. Affected deployments should upgrade as soon as possible (see Upgrade procedure below).

CVSS v3.1 base score 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Bug

  • [CAN-2678] Message templates are not using a sandboxed Jinja2 environment

  • [CAN-2680] Asset sorting fails on strings that contain :// but are not valid URIs

  • [CAN-2670] ‘Add to kb’ fails when finding doesn’t have a rating

  • [CAN-2665] Finding moving fails with exception

  • [CAN-2635] Portal sync fails when Portal Field Override’s custom fields are missing
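The root cause behind CAN-2678 is a general one: Jinja2’s default Environment places no restrictions on attribute access, so anyone who can write a template body can walk from a template-internal object to the interpreter’s builtins and import any module, which is how an unsandboxed template turns into code execution as the rendering process’s user. The following is an added example and not Canopy’s code. It renders a harmless message template and a hostile one in both a plain Environment and Jinja2’s SandboxedEnvironment, the class the fix refers to. It assumes Jinja2 is installed; both template strings and the project/phase context variables are constructed for the demonstration, and the hostile template deliberately stops at obtaining the os module rather than running a command.

```python
"""Why CAN-2678 matters: the same template bodies rendered with and without a Jinja2 sandbox."""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed sample: a harmless message template of the kind a user might save,
# referring only to context variables the application passes in.
BENIGN_TEMPLATE = "Findings for {{ project.upper() }} / {{ phase }} are ready."

# Constructed sample: a template body that ignores the supplied context entirely.
# 'self' is the template's own TemplateReference object; its __init__ method's
# __globals__ is the jinja2.runtime module namespace, whose __builtins__ exposes
# __import__.  The chain stops at importing 'os' to keep the demo inert; in a
# real attack '.popen(...)' or '.system(...)' would follow.
MALICIOUS_TEMPLATE = "{{ self.__init__.__globals__.__builtins__.__import__('os') }}"


def render(env, template_src, **context):
    """Render template_src in the given environment.

    Returns ("rendered", output) or ("blocked", message) so the caller can see
    which environment let the template through.
    """
    try:
        return "rendered", env.from_string(template_src).render(**context)
    except SecurityError as exc:
        return "blocked", str(exc)


def compare_environments(template_src, **context):
    """Render once in a plain Environment (the pre-fix behaviour) and once in a
    SandboxedEnvironment (the fix), returning both outcomes."""
    return {
        "unsandboxed": render(Environment(), template_src, **context),
        "sandboxed": render(SandboxedEnvironment(), template_src, **context),
    }


def reaches_os_module(outcome):
    """True if a render outcome shows the template obtained the os module object."""
    status, output = outcome
    return status == "rendered" and output.startswith("<module 'os'")


if __name__ == "__main__":
    for name, src in (("benign", BENIGN_TEMPLATE), ("malicious", MALICIOUS_TEMPLATE)):
        results = compare_environments(src, project="Acme", phase="External")
        for env_name, outcome in results.items():
            print(f"{name:9s} {env_name:11s} -> {outcome}")
```

Two caveats a practitioner should keep in mind. First, the sandbox refuses underscore-prefixed and known-internal attributes but still lets a template call any method on any object it is handed, so what goes into the render context matters: pass plain values rather than ORM instances or request handles, and use ImmutableSandboxedEnvironment if templates must not mutate context objects. Second, neither environment bounds CPU or memory, so rendering user-supplied templates still deserves a timeout or size limit.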

3.4.0

Highlights: New features and improvements

Phase level permissions

In previous versions of Canopy, it was only possible to assign access to a project, which included all data in that project. With 3.4.0 we have added the ability to control access at the phase level. This allows you to give some users access to the project as a whole whilst restricting others to specific phases. Reports inherit permissions from the projects and phases they relate to.

Finding movement

Have you ever had the need to copy or move a finding to another phase, or to another project entirely? With 3.4.0 we’ve added the ability for a user to copy or move a finding from one phase to another (either in the same or a different project).

Project finding reassignment

As part of the finding copying and movement capability, you can also reassign project findings (used for unique finding tracking within a project). This allows you to correct a finding’s test history where required.

Performance improvements

A number of significant performance improvements have been made across many API endpoints, along with improvements to the traversal of the permissions graph. This should have a noticeable impact on performance in many of Canopy’s larger deployments.

Upgrade procedure

Please see Upgrading for instructions on how to upgrade to this release.