1.8.5

@summitt summitt released this 07 May 19:54
· 19 commits to main since this release

New Features

  • Condensed assessment & vulnerability endpoints — Two new REST endpoints return assessment and vulnerability data with large text blocks
    (description, recommendation, details) stripped out, sized for efficient MCP/LLM processing:
    • GET /api/assessments/completed/condensed
    • POST /api/vulnerabilities/all/condensed
  • Asynchronous report generation API — Trigger and poll report generation over REST:
    • POST /api/assessments/generateReport/{aid} — kicks off report generation in the background.
    • GET /api/assessments/reportStatus/{aid} — polls progress.
  • includeBase64Images query param on assessments API — Seven assessment endpoints (/queue, /{aid}, /vulns/{aid}, /history/{appid},
    /vuln/{vid}, /completed, /completed/condensed) now accept ?includeBase64Images=true|false. Default is false, which returns image links
    instead of inline base64 — much smaller responses for API/MCP consumers. Pass true to opt back into the previous inline-base64 behavior.
  • Severity filtering on Manager Dashboard — Added a severity/vulnerability filter dropdown to the assessment search, replaced the
    daterangepicker with jQuery UI datepickers for start/end dates, and excluded unassigned risk levels from the active filter set.

Security Fixes

  • Permission scoping closed on completed assessments and reports — AssessmentQueries.canAccessAssessment now blocks UserOnly users from any
    completed assessment, closing a gap that allowed a UserOnly assessor to download finalized reports or trigger report regeneration via
    /report, /generateReport, and /reportStatus.
  • /completed and /completed/condensed no longer leak closed work to UserOnly callers — getAllCompletedAssessmentsByDateRange now returns
    empty for that role.
  • Vulnerability list endpoints re-enforce assessment scope — /vulnerabilities/all and /vulnerabilities/all/condensed now filter every
    result through canAccessAssessment, restoring team-scope and user-scope checks that were missing from the bare HQL query.
  • Content-Disposition header injection in downloadReport fixed — Filenames are now sanitized to strip CR/LF, quotes, backslashes, and
    control characters from user-controlled assessment names.
  • Generic error responses on new endpoints — Replaced e.getMessage() with generic strings on the new report and condensed endpoints; full
    stack traces continue to go to server logs only.
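As an added illustration of the Content-Disposition fix above (hypothetical code, not the project's own downloadReport implementation): a helper that strips CR/LF, quotes, backslashes and control characters from a user-controlled assessment name before it is placed in the header. It goes one step beyond the release note by also emitting an RFC 5987 filename* parameter for non-ASCII names; the class and method names are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Hypothetical helper: derives a safe Content-Disposition value from a
// user-controlled assessment name.
public final class ContentDispositionSanitizer {

    // Characters that must never reach a header value: CR/LF (header
    // injection), double quote and backslash (escape the quoted-string),
    // and every other ASCII control character.
    private static final Pattern UNSAFE = Pattern.compile("[\\r\\n\"\\\\\\p{Cntrl}]");

    private static final String FALLBACK = "report";

    // Strips unsafe characters plus path separators and the Windows drive
    // colon; falls back to a fixed name so the header is always well-formed.
    public static String sanitizeFilename(String raw) {
        if (raw == null) {
            return FALLBACK;
        }
        String cleaned = UNSAFE.matcher(raw).replaceAll("")
                .replace('/', '_')
                .replace(':', '_')
                .trim();
        return cleaned.isEmpty() ? FALLBACK : cleaned;
    }

    // The plain filename= parameter is limited to printable ASCII; names with
    // other characters additionally get an RFC 5987 filename*= parameter so
    // the browser can still show the real name.
    public static String buildHeader(String assessmentName, String extension) {
        String safe = sanitizeFilename(assessmentName) + "." + extension;
        StringBuilder header = new StringBuilder("attachment; filename=\"");
        header.append(safe.replaceAll("[^\\x20-\\x7E]", "_")).append('"');
        if (!safe.chars().allMatch(c -> c >= 0x20 && c <= 0x7E)) {
            String encoded = URLEncoder.encode(safe, StandardCharsets.UTF_8)
                    .replace("+", "%20");
            header.append("; filename*=UTF-8''").append(encoded);
        }
        return header.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: an assessment name carrying a CRLF sequence
        // that, unsanitized, would end the header and start a new one.
        String hostile = "Q2 Review\r\nX-Injected: yes";
        System.out.println(buildHeader(hostile, "docx"));
        System.out.println(buildHeader("Évaluation été", "docx"));
    }
}
```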

Bug Fixes

  • NPE in decodeAndSanitize() — Fixed a null-pointer crash when Base64.decodeBase64(null) was called.

Internal / Tests

  • Added ~270 new unit and Struts-action tests covering assessments, vulnerabilities, verifications, users, audit log, status, events, admin
    user management, options, checklists, CMS, and default vulnerabilities.
  • MongoTestBase and DocxUtilsUnitTest now skip cleanly when Docker or template files are unavailable.

Full Changelog: 1.8.3...1.8.5