Release notes

3.6.3 (2022-02-22)

This is a security patch release that upgrades TinyMCE editor to the latest v4.x release to address vulnerabilities reported to us by Stephan Sekula from Compass Security (


  • [CAN-2967] Upgrade TinyMCE to latest v4.x

3.6.2 (2022-02-15)

This patch release focusses on OpenID Connect (OIDC) and finding copying/moving bugs.


  • [CAN-2885] OIDC: JWT creation using PEM fails

  • [CAN-2886] OIDC: Report OIDC login failures to the user

  • [CAN-2887] Finding Copy/Move does not emit activity log entries

  • [CAN-2888] Finding copy/move does not duplicate examples and asset images

  • [CAN-2889] Finding copy/move incorrectly updates duplicate images in fields

  • [CAN-2898] KB approver is shown when KB is set to draft again

  • [CAN-2899] KB Add/Edit window does not honour fieldsets

  • [CAN-2901] License enforcement of user count incorrectly triggered upon any login

  • [CAN-2902] OIDC login doesn’t activate existing users

  • [CAN-2903] Ensure SameSite cookie setting is None

  • [CAN-2904] SoW XML version author shows ID instead of name

Breaking Changes

SoW XML version author field changes from a number to a string.

3.6.1 (2021-11-22)

This patch release changes how assets are unlinked from findings. Previously examples related to the asset and finding being unlinked would remain. From now on they are deleted.

Historically orphaned examples are not deleted automatically but can be pruned by executing canopy-manage prune_orphaned_examples as root on the Canopy server. This will delete orphaned examples without prompting the user.

Additionally, from now on only active users will be shown in user lists outside the Admin section.


  • [CAN-2819] Findings not removed from portals linked to de-synced report

  • [CAN-2840] Images in examples are not synced to portals

  • [CAN-2844] Unlinking an asset from a finding leaves examples behind

  • [CAN-2866] Phase creation from Scheduler fails

  • [CAN-2867] Members cannot be assigned to builtin custom roles via Admin -> Custom roles section

  • [CAN-2868] Text missing from content fields in generated xlsx when evidence and links are used

  • [CAN-2869] Burp parser doesn’t include issue description data in examples


  • [CAN-2836] Don’t log optional tool fields that are missing during tool imports

  • [CAN-2845] Only show active users in user lists

3.6.0 (2021-08-27)

Portal Synchronization protocol update

The Canopy to Portal synchronization has received a number of improvements around handling stale and deleted data updates.

Contact field type

Canopy has a contact database for users to add contacts at the client, project, phase and report level. We’ve now added the contact field type, which is a more precise way of tracking specific contact types. As this is a custom field type, Canopy users can add it in the ways that suit their specific needs.

Questionnaire support for field types

An important improvement by several of Portal’s early adopters was the ability to have more field types for Phase Scope/Request Questionnaires. To support this, we’ve added the following field types:

  • Contact field: allows the user to add a contact, or search and import a contact if a contact import plugin is configured.

  • Combobox field: this allows for default responses to be added for portal questions.

Further field support will be added in the future.

CentOS/RHEL 8 support (beta)

Initial support for CentOS/RHEL 8 support has now been added for Canopy.


  • [CAN-2790] Adding questionnnaire questions twice to a scope results in HTTP 500

  • [CAN-2793] Portal/TicketTracker info doesn’t render safe html

  • [CAN-2802] ConfigurableModelValidator incorrectly prevents disabling of m2m fields

  • [CAN-2803] Importer can fail when seemingly duplicate findings already exist

  • [CAN-2804] setupdb –delete-all doesn’t work

  • [CAN-2807] Questionnaires with duplicate questions cannot be added to scope

  • [CAN-2808] Deleting a template questionnaire question can result in an error

  • [CAN-2809] Email validation in UI doesn’t allow long TLDs

  • [CAN-2810] Distribution list uses incorrect permission

  • [CAN-2812] KB references enforce different constraints than finding references

  • [CAN-2817] Report portal sync toggle button doesn’t update

Backward Incompatible Changes

Report workflow events as returned by the get_ui_events event have been renamed to their domain event equivalents. This will only affect anyone that integrated directly with that endpoint.

Additional elements have been added to the Report/SoW xml output to support the contact field type.

This release includes the changes from Canopy 3.5.3. Note that this includes changes to how date custom fields are stored.

Older releases