Release notes



  • [CAN-2800] Project finding lists has phase click throughs on view where it doesn’t make sense

  • [CAN-2799] Low privilege users cannot admin phases

  • [CAN-2792] Finding copying/moving incorrectly treats certain custom field values as HTML

  • [CAN-2791] Date custom field type incorrectly stores dates as timestamps

Backward Incompatible Changes

CAN-2791 corrected a bug where Date custom fields stored a datetime instead of a date. From now on new/edited custom date values will be stored as just a date.


This release is predominantly a bug fix release, which contains a number of low severity security improvements.


Security improvements

We would like to thank Stephan Sekula of Compass Security ( for reporting issues within the form validation handler (self-xss), an XSS in the login disclaimer, and also making some observations about the potential abuse relating to safeHTML(possible ways of abusing the UI that could be used to launch phishing attacks against authenticated users).

Due to the reporting of the self-XSS, an internal audit was conducted of the front-end code, and a number of further improvements were made.

Other improvements

A sample plugin is now available to enforce CVSS2 or CVSS3 to set the “qualitative ratings” in-line with the CVSS ranges (ranges can be customized for those users who have custom CVSS3 implementations).

Bulk approve was added to the KB Findings view. This operation is restricted to users who have the kb-admins role (or technical-managers).

New Feature

  • [CAN-2467] Bulk approve action for KB entries

  • [CAN-2735] Sample CVSS3 custom rating plugin to override rating__type


  • [CAN-2446] When TinyMCE image caption is enabled it’s no longer possible to edit the image properties

  • [CAN-2476] Missing fields on SoW creation window

  • [CAN-2750] Queries with more than 65k arguments fail on Oracle. Corrected in importer only.

  • [CAN-2756] Notify reporter when comment added to KB finding

  • [CAN-2765] setupdb’s delete-all depends on DB schema matching current models

  • [CAN-2767] Adding finding from KB can result in “Failed” status for associated methodology items

  • [CAN-2768] Comment view cuts off long comments

  • [CAN-2769] Safe html renderers are used in places where no html should be rendered

  • [CAN-2770] Self-XSS in form validation errors

  • [CAN-2771] Company access cannot be revoked via company access control tab

  • [CAN-2772] Contact editing fails when user only has access via a project

  • [CAN-2773] XSS in scheduler’s user assignment dialog

  • [CAN-2774] Safe HTML bypass on login page’s disclaimer. Only admins could trigger this.

  • [CAN-2777] Notifications render comments incorrectly


  • [CAN-2516] Changes to methodology items / templates should be logged in audit trail

  • [CAN-2657] Form modification checks should run when browser/window/tab is being closed and prevent it

  • [CAN-2674] Show toast when ajax calls fail due to network issues

  • [CAN-2701] Change default replyto email address in sample canopy configs

  • [CAN-2707] Add project fields to substitution variables

  • [CAN-2762] CVSS2/3 displays should show hand pointer when they are editable/clickable

  • [CAN-2763] Expand workflow events for create/edit/delete of main objects

  • [CAN-2764] setupdb’s cleanup options should not be mutually exclusive

API Changes

/api/phases/finding/xx/add_to_kb/ api endpoint’s main return property was renamed from data to template_finding_id


Div tag support was added to the html2markdown converter used by the tool importers. This will change how div tags are handled in many places rich text is used.



Canopy 3.5.0 introduced a regression where email sending from the phase view stopped operating due to bug CAN-2754.

Initial Ubuntu 20.04 support was added.

New Feature

  • [CAN-2722] Admin UI for management of Phase Types and Field Sets/Configurations

  • [CAN-2632] Email testing management command

  • [CAN-2688] Allow scripted user management from command line


  • [CAN-2728] Ubuntu 20.04 support


  • [CAN-2671] Postgresql playbook doesn’t install usable postgresql on Centos 7

  • [CAN-2672] Nginx configs are not valid for newer nginx versions

  • [CAN-2682] Methodology template status UI label should be removed

  • [CAN-2694] Drag&drop of files to Canopy replaces application in non-upload areas

  • [CAN-2708] Example edit view doesn’t display field validation errors

  • [CAN-2726] Default fieldset doesn’t reset field configurations already applied

  • [CAN-2730] Incorrect interaction between permission system and field configuration

  • [CAN-2732] export_phase_xlsx management command does not manage str/bytes properly

  • [CAN-2734] Project phase ordering lost during XML generation

  • [CAN-2737] Fix ansible python discovery

  • [CAN-2738] Comment text cannot be selected/copied

  • [CAN-2740] Unknown form field errors are not properly displayed

  • [CAN-2743] Phase type displays ID instead of name on Phase List view component

  • [CAN-2749] Add from KB action doesn’t copy correct PCI status field

  • [CAN-2752] Permission change warning disrupts command line output from management commands

  • [CAN-2753] Access control api endpoint breaks when user’s name is not set.

  • [CAN-2754] Email template rendering fails when a phase doesn’t have a type set

  • [CAN-2755] Report list searching has no effect


  • [CAN-2699] Allow specification of migration number when invoking setupdb

  • [CAN-2700] Change report download XLSX/CSV functionality

  • [CAN-2731] Relax restrictions on example URL field


Highlights: New features and improvements

When editing the Finding status via the Finding’s view or via the Finding’s table (bulk editing), you can now (optionally) record who made the change. A timestamp is added, along with a record of the person who made the change. The following fields are also available in the report XML for mapping, if required:


This can be useful for formally tracking when a Finding’s status changed, and why the status change was made (e.g. Finding resolved, risk accepted).

Canopy now allows for the overriding of some built-in fields and custom fields via a FieldSet concept. This allows one to rename or disable fields in certain areas of the user interface, for example.

FieldConfiguration’s are grouped into FieldSet’s. The base fieldset must be named default. Additional FieldSet can be created and must be linked to a PhaseType. An example use for this functionality might be to facilitate different UI views for different types of assessment, such as a technical pentest versus an ISO 27001 control audit.

This feature is currently in beta and has many limitations, the foremost being the lack of a user interface to configure it and the limited number of fields supported. Please contact if you would like to help evaluate this feature.


  • [CAN-2691] Document table limits rows to six (6) entries

  • [CAN-2653] Findings xlsx/csv exporter does not include custom fields

  • [CAN-2650] Finding reporter field not displayed in the user interface


  • [CAN-2723] Expose report workflow events to plugins

  • [CAN-2702] Set image figure caption separator by default

  • [CAN-2676] Add roman numerals support for tinymce

  • [CAN-2675] Generate report window should auto select the latest template document uploaded by default

  • [CAN-2669] Set default company on project creation

  • [CAN-2666] Add custom request parameters to OIDC

  • [CAN-2649] Add CSV format to xlsx export

New Feature

  • [CAN-2714] Plugin support for scheduling celery tasks

  • [CAN-2687] Provision custom roles and role assignments before first login

  • [CAN-2681] Extend project plugin hooks

API Changes

With the introduction of Phase Types we changed the phase.type string to an integer that represents the Phase Type entry in a lookup table. This means the /api/phases/phase/ endpoint’s type field is not an integer which relates to the appropriate entry in /api/phases/phase_type/ endpoint. A readonly type_name field was also added which will have the string version of the phase type.

This release includes the changes from Canopy 3.4.2.

Older releases

Release notes for Canopy 3.4

Release notes for Canopy 3.3

Release notes for Canopy 3.2

Release notes for Canopy 3.1