Release notes for Canopy 3.9

Upgrading steps.

3.9.3 (2023-12-07)

Canopy 3.9.3 is a bug fix patch release. It improves the quality and stability of Canopy. Upgrading is recommended.

Take note that xlsx template escaping has changed: existing formulas in templates are now preserved instead of escaped.

Also, deletion of projects, phases and reports can now only be done via their primary views.

Bug

  • [CAN-3475] Report API schema doesn’t cater for Oracle DB emitting empty strings

  • [CAN-3477] Reassign project finding should not be possible on secondary/tertiary findings

  • [CAN-3481] Contact import on New Contact dialog results in error

  • [CAN-3484] Report editing by a single user leads to API conflicts

Improvement

  • [CAN-3487] Preserve existing formulas in xlsx templates

Task

  • [CAN-3487] Remove list based deletion for projects/phases/reports

3.9.2 (2023-10-23)

Canopy 3.9.2 is predominantly a bug fix patch release. It improves the quality and stability of Canopy. Upgrading is recommended.

Warning

The default value for the report classification field is now the first value in the DOCUMENT_CLASSIFICATIONS setting. In Canopy’s default setting the first value is Public. The default cannot be chosen separately at the moment, but you can reorder the values in the setting if you prefer a different value as the default.

Bug

  • [CAN-3458] Rich Text fields in Report tables generate errors when being edited

  • [CAN-3462] Report template export fails when a table has no rows

  • [CAN-3463] Combobox custom fields do not parse options correctly

  • [CAN-3464] Generate report section fails to render when a phase’s finding section is selected

  • [CAN-3466] Opportunity admin cannot view phase scope questions

  • [CAN-3467] Add from KB fails when a custom field is disabled

  • [CAN-3470] Remote field lookup raises exception in production

  • [CAN-3471] Editing multiple rich text inline fields results in loss of pending edits

  • [CAN-3473] Incorrect permission checks for contacts in UI

Improvement

  • [CAN-3460] Improve affordance for Inline editable fields when empty

  • [CAN-3472] Create report sets ‘Confidential’ value as default classification instead of using first value

3.9.1 (2023-09-22)

Caution

Canopy 3.9.1 is a patch release that delivers a number of quality and other improvements over the 3.9.0 release. If you are already running 3.9.0, upgrading to 3.9.1 is strongly recommended.

Many of the improvements relate to performance deficiencies that were noted in certain API endpoints.

However, some functional improvements were also made, including:

  • File uniqueness changes. The uploads section now allows files with duplicate checksums but different filenames to be uploaded. Automated file creation will still function based on checksums.

  • Improve CanopyToolData JSON support. This is Canopy’s standardised data format. It can be used for importing findings from external tools that implement Canopy’s format.

  • Export/Import support for Template Taxonomies (premium only).

  • Export/Import support for Admin Settings.

It includes all the changes from the Canopy 3.8.3 patch release.

For a list of bugs, see below.

Task

  • [CAN-3233] Report tables should support positive/negative numbers

  • [CAN-3407] Template Taxonomy import/export

  • [CAN-3409] Settings import/export

  • [CAN-3413] Findings JSON export as CanopyToolData

  • [CAN-3440] Remove unique checksum constraint on phase uploads

  • [CAN-3444] Comment button styling changes

Bug

  • [CAN-3002] Workflow actions can result in the user losing access to a report, resulting in error views

  • [CAN-3167] TinyMCE fields do not honour required field configuration option

  • [CAN-3343] Fields use too much width which leads to horizontal scrolling in new report view

  • [CAN-3344] Comment button overlaid on top of TinyMCE fields

  • [CAN-3346] Report view total comment count should be red when open comments exist and grey when not

  • [CAN-3355] Remote field lookups do not report lookup API errors

  • [CAN-3370] Duplicated API queries when revisiting a react page

  • [CAN-3375] Validation error on rating_type field formatting error

  • [CAN-3377] Finding table font sizes incorrect and unnecessary text wrapping

  • [CAN-3380] Page skeleton shown after form fields saved (report and findings view)

  • [CAN-3381] Confirmation dialogue should have a max width

  • [CAN-3385] Finding full edit mode hides fields from editing

  • [CAN-3397] Comment view uses incorrect permissions

  • [CAN-3403] User and Phase/Scope repeatable buttons visually toggle incorrectly on Template Sow/Report pages

  • [CAN-3404] Example endpoint allows creation of assets which should fail validation

  • [CAN-3405] canopy-manage public_data: faulty update_or_create logic.

  • [CAN-3410] Add references grid cannot scroll and has alignment issue on right

  • [CAN-3411] Styling inconsistencies

  • [CAN-3412] Field groups on finding/phase/project/report views do not show visual grouping

  • [CAN-3417] Email tasks from portal sync runs before sync process is complete

  • [CAN-3418] Opportunity access cannot be removed

  • [CAN-3420] Tool Importer fails with null traceroutes (affects at least nmap)

  • [CAN-3423] SoW sync to portal notifications are not being sent to distribution_list

  • [CAN-3427] Report section titles sometimes don’t update during navigation

  • [CAN-3437] Delete confirmation dialogs should use “delete” instead of “yes”

  • [CAN-3438] Reauth dialog is hidden behind modals

  • [CAN-3442] Finding API endpoint’s asset action generates excessive DB queries

  • [CAN-3443] Report content sections do not update with new changes

  • [CAN-3445] Removal of user-repeatable report content section leads to error

  • [CAN-3446] Multiselect clearing results in exception

  • [CAN-3448] Report title saves changes even when discarding

  • [CAN-3449] Deleting a finding attachment calls incorrect API endpoint

  • [CAN-3451] Report properties comment component breaks when navigated to for the 2nd time

Improvement

  • [CAN-3421] Optimise Phase XLSX export’s performance

  • [CAN-3422] Optimise asset_examples API endpoint performance

  • [CAN-3428] Optimise Report XML generation performance

Report XML changes

  • port_info sections are now unique as date_created/date_modified fields have been removed

3.9.0 (2023-08-01)

Canopy 3.9.0 introduces a number of significant changes and improvements. The main themes for this release are improving the overall editing experience, and the reporting and QA processes. For further information, see the remaining release notes.

Report interface redesign

The Report interface is one of the most important sections of Canopy for our users. There are a number of improvements we will be making over the next releases. In 3.9, the initial redesign of the report UI took place. The main aim of the design was to improve navigation, expand the reach of the report to other sections of the project and associated phases, and to enhance the QA process.

The report view now incorporates report properties (configuration), project fields and phase fields into the view. This allows for easier access to fields, inline editing of fields relating to these sections, and per-field commenting for improved QA (a centralised approach to, and view of, commenting).

Users can add and remove phases from the report, which provides more flexibility to users.

Inline editing (Finding view)

This release of Canopy adds inline editing capabilities to the Finding view. You can now click on any field to edit a specific value. You can also edit all fields as normal, but instead of using a modal popup, the view places all fields into edit mode.

Custom field support for Assets

Custom field support has been extended to the Asset model. This will allow you to add custom fields on the Asset model (and associated views). Importing of assets is also supported with custom field data (via the XLSX parser).

Commenting system improvements

In line with our report interface redesign, we aimed to improve the use of comments. These are the first of several improvements we have planned for the QA processes within Canopy.

The following improvements were made in this release:

  • Add comment counts and improve open/resolved visibility.

  • Allow per-field commenting (report view only).

  • Include the report and project properties and allow field level commenting.

  • Allow users to add/remove phases from a report, and to view phase level fields for commenting.

Expanded support for exporting and importing of Canopy data

Canopy now makes it easier to export and import data. The goal is to allow users to export state from Canopy, and either modify it and add it to your existing Canopy instance, or use the feature to move data from one Canopy instance to another.

Export/Import is now supported on the following data:

  • Findings and assets, via both the XLSX and JSON parsers.

  • On various templates, including: reports, SoWs, methodologies

  • System data (experimental)

Warning

This release includes multiple backward-incompatible changes to how Tool Parser/Import plugins function.

At the very least, the following renamings should be applied in Tool parser plugins:

  • FIELDS -> FINDING_FIELDS

  • FindingField -> CanopyField

Tool importer plugins will require more extensive changes. Please contact support@checksec.com for assistance.

Baseline security improvements

In this release of Canopy, a number of improvements were made to strengthen the overall security of Canopy. These included:

  • Trust of the X-Forwarded-Host header is now disabled by default. If you are running Canopy behind additional proxies you will likely need it: add USE_X_FORWARDED_HOST=true to the /etc/canopy/canopy.ini file.

Note

Apache users should ensure ProxyPreserveHost On is set.

  • Dependency related upgrades
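The following is an added example, not Canopy’s code, showing why the X-Forwarded-Host change above matters: with the setting off (the new default) a client-supplied X-Forwarded-Host header is ignored, with it on the forwarded host is used but still has to pass an allow-list, and with Apache’s ProxyPreserveHost On the original host simply arrives in Host. It assumes USE_X_FORWARDED_HOST behaves like the Django setting of the same name and that the chosen host is always checked against an allow-list; the hostnames, headers and allow-list are constructed.

```python
# Added example (not Canopy's code): models how a request's host is resolved
# with the 3.9.0 USE_X_FORWARDED_HOST setting off (the new default) and on,
# assuming it behaves like Django's setting of the same name (an assumption).

class DisallowedHost(ValueError):
    """Raised when the resolved host is not in the allow-list."""

def hostname_only(host: str) -> str:
    """Strip the port; keep IPv6 literals such as [::1]:8000 intact."""
    if host.startswith("["):
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0]

def is_allowed(host: str, allowed_hosts: list[str]) -> bool:
    """Exact name, '*' for any host, or '.example.com' for it and every subdomain."""
    name = hostname_only(host).lower()
    for pattern in (p.lower() for p in allowed_hosts):
        if pattern == "*" or name == pattern:
            return True
        if pattern.startswith(".") and (name == pattern[1:] or name.endswith(pattern)):
            return True
    return False

def effective_host(headers: dict[str, str], use_x_forwarded_host: bool,
                   allowed_hosts: list[str]) -> str:
    """Choose the host to act on, then validate it. X-Forwarded-Host is
    client-controlled unless a trusted proxy overwrites it, so it is only used when on."""
    h = {k.lower(): v for k, v in headers.items()}
    if use_x_forwarded_host and "x-forwarded-host" in h:
        host = h["x-forwarded-host"].split(",")[0].strip()  # first hop if chained
    else:
        host = h.get("host", "")
    if not is_allowed(host, allowed_hosts):
        raise DisallowedHost(f"host {host!r} is not in the allow-list")
    return host

# Constructed requests: PROXIED is what the app sees behind a proxy that rewrites
# Host and forwards the original in X-Forwarded-Host, PRESERVED the same request
# behind Apache with ProxyPreserveHost On, SPOOFED a client sending the header itself.
ALLOWED_HOSTS = ["canopy.example.internal", ".example.com"]
PROXIED = {"Host": "canopy-backend:8000", "X-Forwarded-Host": "reports.example.com"}
PRESERVED = {"Host": "reports.example.com"}
SPOOFED = {"Host": "canopy.example.internal", "X-Forwarded-Host": "untrusted.example.net"}

def outcome(headers: dict[str, str], use_x_forwarded_host: bool):
    """Return the accepted host, or None when the request would be rejected."""
    try:
        return effective_host(headers, use_x_forwarded_host, ALLOWED_HOSTS)
    except DisallowedHost:
        return None
```

Note that PROXIED is rejected with the setting off, which is the situation the release note says needs USE_X_FORWARDED_HOST=true (or ProxyPreserveHost On on Apache), while SPOOFED is only accepted with the setting on because the allow-list rejects the injected host.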

Epic

  • [CAN-3135] Rewrite of the Finding view (and all dependent views) in react

  • [CAN-3148] Baseline security improvements in application and default deployment

  • [CAN-3153] Expand importers/exporters

  • [CAN-3168] Commenting system improvements (comment editing, per-field commenting, simplified approval process)

  • [CAN-3204] Custom field support for the Asset model

  • [CAN-3247] Report view redesign

Task

  • [CAN-3226] Increase logout and reauth timeouts significantly

Bug

  • [CAN-3154] TemplateFinding model doesn’t handle custom fields and custom rating plugins correctly

  • [CAN-3161] Template Document upload type doesn’t have constraints

  • [CAN-3184] Save reversion function could fail with too many SQL variables operational error.

  • [CAN-3206] Deleting a report breaks the user’s activity log

  • [CAN-3207] Report’s issued_date field cannot be set by users

  • [CAN-3279] Scope questions imported from Portal have incorrect ordering

  • [CAN-3325] Template methodology categories are lost when viewed

  • [CAN-3354] Custom rich text fields lose their edits when their custom fields store reloads

  • [CAN-3364] Rich Text presentational component renders images full size in certain views

  • [CAN-3365] Group Finding does not handle mandatory validation correctly

  • [CAN-3394] Report review status shows incorrect labels

Improvement

  • [CAN-3299] Activity log should merge similar entries

Older releases