Release notes for Canopy 3.2

3.2.3

This patch release contains a major improvement in the permissions system cache and how it is invalidated after changes, thus removing the delay in permission propagation on the backend.

Additionally we changed how Report workflow permissions are allocated and this requires a data migration which is not standard for our patch relases.

Warning

This patch release contains a data migration to correct Report workflow permissions.

Please perform a database backup before installation.

Bug

  • [CAN-2187] - Tool identifiers from children in a grandparent relation are not added to KB when creating new KB

  • [CAN-2410] - Profile image allows non-image uploads

  • [CAN-2451] - Company logo cannot be uploaded during new Company creation

  • [CAN-2463] - lead_author field renders incorrectly in message templates

  • [CAN-2464] - Migrations fail on RHEL’s outdated version of postgresql

  • [CAN-2466] - Permission caching produces false negatives on newly created objects

  • [CAN-2468] - Add to KB can fail on duplicate references

  • [CAN-2474] - Output phase totals linked to SoW

  • [CAN-2475] - SoW creation does not set reference under all circumstances

  • [CAN-2477] - Jira ticket field formatting incorrect

  • [CAN-2478] - Disabled report templates shown in report creation workflow

  • [CAN-2479] - Mapping XML files are out of date

  • [CAN-2495] - Importer fails when finding title is above 255 chars

  • [CAN-2505] - Incorrect severity mapping in Netsparker Cloud parser

  • [CAN-2505] - NetsparkerCloud parser uses incorrect severity ratings

  • [CAN-2508] - Checkbox values are not retained in Report tables

  • [CAN-2512] - Tool field mapping supports basic xpaths but these cannot be entered via the UI

  • [CAN-2514] - Report workflow permissions are not removed for certain state changes and events

  • [CAN-2534] - Report titles cannot have non-ascii characters

Improvement

  • [CAN-2473] - user.address field missing from authors/lead_author XML

  • [CAN-2511] - UserPicker should allow searching instead of just typeahead

Backward incompatible changes

XML output and Mapping XML files for Reports and SoWs have been modified to add additional fields and correct some inconsistencies.

These changes will only affect users who have had issues with the fields mentioned.

Report Mapping XML

Remaining instances of template_finding_id were replaced with template_finding__reference on finding blocks and project_finding__reference/has_previous_versions added.

SoW Mapping XML

The location of scope content was moved from the scope block to the content element under each scope.

Report/SoW output XML

Report/SoW output XML gained the following fields on user blocks:

  • external_id

  • department

Additionally the address field was made consistent across all user blocks.

3.2.2

This patch release contains multiple security fixes with CVSS3 scores between 0.0 and 5.3

Security

  • [CAN-2434] - XSS via user profile/signature image upload (Self-XSS, CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N Score 0.0) and company logo upload (Admin initiated XSS, CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N Score 4.5)

  • [CAN-2448] - XSSI via JSONP format on API endpoints (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Score 5.3)

Bug

  • [CAN-2344] - New finding versions not linked to externally tracked tickets

  • [CAN-2345] - Methodology links not copied for retested findings

  • [CAN-2391] - Overdue date misaligned on report list

  • [CAN-2392] - Project view risk summaries information should be left to right in descending order

  • [CAN-2426] - Some content fields are missing from models exposed to message templates

  • [CAN-2428] - Taxonomy Item selection includes deleted taxonomies

  • [CAN-2429] - Cannot create comments on methodology items

  • [CAN-2432] - Reference generators do not respect the number of leading zeros

  • [CAN-2435] - SoW xml phases incorrect order

  • [CAN-2436] - SOW XML Structure - Repeat Section per Phase/Scope in wrong place in XML.

  • [CAN-2441] - Service list fails when systemctl cannot be executed correctly

  • [CAN-2443] - Changing user roles removes them from their custom roles

  • [CAN-2444] - Category and Attack Class creation/edit returns unhelpful error message on save

  • [CAN-2321] - Analysts are not able to send phase notifications

New Feature

  • [CAN-2437] - Single scoped phase opportunities

  • [CAN-2439] - Support “new” netsparker XML output

  • [CAN-2450] - Change re-auth load mask to be opaque and make re-auth time adjustable via /etc/canopy/canopy.ini

Backward incompatible changes

SoW XML structure has been corrected by moving the scope content fields to the scope element in the SoW XML (CAN-2436).

3.2.1

This patch release contains a critical bug fix (CAN-2420) that affected Canopy 3.1.0 up to and including 3.2.0

This defect resulted in the file importer incorrectly dropping examples with the same example content but with different meta data such as ports.

Canopy will now also drop root privileges when executed as root, this could affect the usage of Canopy management commands if files have incorrect permissions.

Bug

  • [CAN-2412] - LDAP auth cache doesn’t expire

  • [CAN-2414] - Incorrect cache file permissions when running as root

  • [CAN-2417] - Unable to schedule same resource in multiple phases

  • [CAN-2420] - Importer incorrectly determines example uniqueness

  • [CAN-2422] - New report candidate reviewers don’t have reviewer permissions

  • [CAN-2423] - Fix incorrect newline to br conversion in report xml

New Feature

  • [CAN-1468] - Experimental Nipper support

  • [CAN-2416] - Support for managing custom roles via SAML2

3.2.0

Highlights

  • Implement finding tracking across phases via Project Findings

  • Major performance improvements in permissions subsystem

  • Ability to view Canopy logs and restart services from the admin section

  • Acutentix support

  • Many refinements around Knowledge Base(KB) entries

  • Includes all changes of previous Canopy release up to and including Canopy 3.1.7

Backward incompatible changes

Report XML

  • template_finding__id is now template_finding__reference

  • All retest related sections have been changed to accommodate project findings

Bug

  • [CAN-1496] - Total opportunities and total projects summary stats missing from Company dashboard

  • [CAN-1669] - SoW creation dialog doesn’t have reference field

  • [CAN-1702] - Document status not updated on page when workflow completed

  • [CAN-1832] - Tool parsers do not preserve all data during html to md conversion

  • [CAN-1841] - EditableTitle component doesn’t handle save failures correctly

  • [CAN-2034] - Email preview ajax call is slow

  • [CAN-2194] - Selectively run workflow initialisation code based on current management command

  • [CAN-2216] - Remove width/height dimensions from img tags

  • [CAN-2222] - Tinymce fullscreen button doesn’t work correctly inside editwindows

  • [CAN-2232] - Publish to portal should only be visible if a portal is configured for the client the report/sow belongs to

  • [CAN-2234] - Scope file upload fails

  • [CAN-2243] - Logo quality lost during admin upload

  • [CAN-2261] - Remove “invalid date” from phase row renderer

  • [CAN-2273] - Changed date is not saved

  • [CAN-2278] - Importer data cleanup adds unnecessary newlines in evidence blocks

  • [CAN-2280] - Opportunity creation fails

  • [CAN-2283] - Possible bug in paging where results overlap

  • [CAN-2288] - Missing activity renderer for USER_AUTH_TOKEN_CREATE

  • [CAN-2289] - Failed tool imports are not marked as failed for errors that leave the current transaction in an error state

  • [CAN-2293] - Example.url max length of 255 is too short

  • [CAN-2295] - markdown2html function generates possibly incorrect html5

  • [CAN-2297] - Stale data cause workflow permissions checks to fail

  • [CAN-2306] - Tool importing fails when tool mappings are applied

  • [CAN-2307] - Template finding save fails with HTTP 500

  • [CAN-2308] - Creating/Editing a KB entry so that it has an existing reference results in a generic error instead of a field error

  • [CAN-2310] - SAML SSO doesn’t re-enable disabled users

  • [CAN-2312] - Session timeout pop-up renders incorrectly

  • [CAN-2317] - Permission system is not performant with large amounts of phases and users

  • [CAN-2322] - Users with kb-add permission cannot add KB entries without the kb-edit permission

  • [CAN-2323] - Analysts can view Export KB button but don’t have permission to download

  • [CAN-2324] - canopy-manage templatedocument broken

  • [CAN-2325] - Add reference button is visible to users with kb-view permission but without kb-edit

  • [CAN-2326] - Analyst users cannot create reports

  • [CAN-2327] - SAML attribute mapping fails on is_admin field

  • [CAN-2331] - Deadlock in permission cache generation

  • [CAN-2332] - syncfixtures fails on settings with conflicting names (setting.setting)

  • [CAN-2333] - Canopy incorrectly assumes responseText is available on ajax response objects (Extjs > 6.2)

  • [CAN-2334] - Fix permissions for KB item reference permissions

  • [CAN-2335] - Project’s add contact window doesn’t show contacts for analyst users with admin on project

  • [CAN-2337] - Settings are only readable by admin users

  • [CAN-2341] - Project deletion fails when a ProjectFinding has multiple versions

  • [CAN-2351] - Email addresses are parsed incorrectly for to/cc/bcc recipients

  • [CAN-2353] - Opportunity list does not display date information

  • [CAN-2368] - KB endpoint returns HTTP 400 on creation/editing of KB entries

  • [CAN-2373] - SOW_DOCUMENT_STATUS field does not exist

  • [CAN-2377] - Single phase reference should not include the .1

  • [CAN-2378] - Creating a project from a SoW returns successful but fails to create due to reference uniqueness condition

  • [CAN-2380] - Phase contact UI shows role as required

  • [CAN-2388] - Custom xLSX template does not convert HTML for rendering in cells

  • [CAN-2403] - XSS in skills combobox on user profile view

  • [CAN-2406] - Email report notifications sent only for completed reports

  • [CAN-2407] - Notification message edits are not preserved during notification sending

  • [CAN-2408] - PR Required notification does not work when template is modified to include action.user_name field

New Feature

  • [CAN-1828] - Custom Classifications

  • [CAN-2101] - Previous findings in report XML

  • [CAN-2256] - Allow project findings in retest dialog to be filtered by phase

  • [CAN-2259] - Creation of retest phase from an existing phase’s view

  • [CAN-2260] - Allow copy of project finding(s) into the current phase

  • [CAN-2320] - Add ability to create/delete Canopy settings via admin UI

  • [CAN-2367] - Allow admin users to restart canopy commands and view/download canopy logs from the admin UI

  • [CAN-2372] - SoW file format synchronisation filter required

Improvement

  • [CAN-2251] - Rename message template email.phase_daily_update to email.phase_progress_update

  • [CAN-1572] - Support burp reference data

  • [CAN-1879] - Default phase creation

  • [CAN-1928] - Hide report workflow buttons for actions that a user is not authorised to take

  • [CAN-1935] - Migrate or remove Canopy 2 API endpoints

  • [CAN-1939] - Ability to set custom fields as required

  • [CAN-1949] - Warn before sending email before preview

  • [CAN-2163] - Add missing report/SoW substitution variables

  • [CAN-2165] - Add a reference field to KB to allow for unique ID assignment

  • [CAN-2166] - Mark KB findings as deprecated

  • [CAN-2233] - Publish to portal permission

  • [CAN-2257] - Retest dialog: Pre-filter project findings list to only open and partially resolved project findings

  • [CAN-2258] - Display project finding’s latest phase in project findings list

  • [CAN-2316] - Project findings XML should include the first and last phase info

  • [CAN-2318] - Project findings plugin order by CVSS

  • [CAN-2339] - Include more data in re-test finding copying

  • [CAN-2343] - Output template_finding__reference in Report XML

  • [CAN-2347] - Project centre column change to tabs

  • [CAN-2350] - Employee ID field on UserProfile and Contact models

  • [CAN-2352] - Users want to be able to determine which examples should be considered ‘primary’

  • [CAN-2355] - Expand KB item filter fields

  • [CAN-2356] - Display and order KB items by associated findings count

  • [CAN-2357] - Display user who created/approved KB item in KB item view

  • [CAN-2362] - Add KB filter button on approved status

  • [CAN-2363] - Add KB list column for date modified

  • [CAN-2365] - Automatically select search field in “Add from KB” dialog

  • [CAN-2375] - Map scope days to test days from phase_scope to phase

  • [CAN-2379] - Copy SoW contacts to phase contacts

  • [CAN-2387] - Report download XLSX option should use custom XLSX template