Releases: salesforce/vulnreport
3.0.3 - VRLO API Update, Vulntype Import/Export, and Bugfixes
3.0.3 changes the VRLO API so that all methods default to a no-op instead of raising an exception. This allows you to only implement a few of the methods instead of implementing every single one.
There are multiple small bugfixes as well for minor issues.
Finally, 3.0.3 adds the ability to import/export Vulntypes using XML files. There is a new folder (/vulntypeExamples) with some XML files of Vulntypes we use internally for Salesforce platform apps and infra security reviews. These can be imported via the admin UI after the initial install/seed.
My next priority is issue #3 - allowing import of vulns to tests from ZAP XML files. Look for that and some more VRLO functionality updates coming soon. These will likely make up 3.1 in the next month or so. Any future 3.0.x releases will be bugfixes or very minor improvements.
3.0.2 - Bugfixes and User Login History
3.0.2 contains several minor bugfixes, new Dashboard Panel types ("unassigned new" apps - apps that have not been started and are not assigned to an owner), and a new security feature.
User logins will now be tracked (both direct and via SSO) - the source IP, user agent, and time of login will be stored as well as success/failure status. This information can be audited by admins via the Admin Users view.
This release also contains a minor update which includes the wkhtmltopdf-heroku gem by default. This gem will only be activated based on detection of Vulnreport running on Heroku. This detection is done by a new function, onHeroku?, which detects the Heroku environment by looking for an ENV variable containing "HEROKU" in the name. The expectation of this variable being present is based on the use of Heroku Postgres by the Heroku version of Vulnreport, which sets an environment variable like HEROKU_POSTGRES_...
3.0.1 - Minor Updates and Features
Thanks to everyone who has contributed ideas or comments since Vulnreport went open source at Blackhat 2016!
Based on feedback and further testing, minor fixes to style and functionality have been made over the past few weeks. Some minor features have also been added, the biggest of which is IP Access Restrictions. This IP whitelist feature can be controlled from the main Vulnreport Settings UI and is evaluated on every request.
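To illustrate what a per-request IP restriction check involves, here is an added example; it is not Vulnreport's own code. The class name IpAllowlist, the Rack-style call(env) interface and the sample CIDR ranges are assumptions made for illustration.

```ruby
require 'ipaddr'

# Hypothetical Rack-style middleware, not Vulnreport's implementation.
# Every request is checked against a list of allowed CIDR ranges and
# anything that cannot be parsed as a single address is refused.
class IpAllowlist
  def initialize(app, cidrs)
    @app = app
    @nets = cidrs.map { |c| IPAddr.new(c) } # a bad entry raises at boot
  end

  def allowed?(addr)
    return false unless addr.is_a?(String) && !addr.empty?
    return false if addr.include?('/') # a client address is never a range

    ip = IPAddr.new(addr)
    # Dual-stack listeners may report IPv4 clients as ::ffff:a.b.c.d
    ip = ip.native if ip.ipv4_mapped?
    @nets.any? { |net| net.family == ip.family && net.include?(ip) }
  rescue IPAddr::Error
    false # fail closed on anything unparsable
  end

  def call(env)
    return @app.call(env) if allowed?(env['REMOTE_ADDR'])

    [403, { 'content-type' => 'text/plain' }, ["Forbidden\n"]]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: a stub app and documentation address ranges.
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }
  guard = IpAllowlist.new(app, ['10.0.0.0/8', '2001:db8::/32'])
  ['10.1.2.3', '::ffff:10.1.2.3', '203.0.113.9', 'garbage'].each do |addr|
    status, = guard.call('REMOTE_ADDR' => addr)
    puts "#{addr.ljust(18)} -> #{status}"
  end
end
```

Behind a reverse proxy or platform router, REMOTE_ADDR is the proxy's address, so the client address has to come from a header that the proxy itself sets and that clients cannot supply directly.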