Author Archives: Christoffer

New in Dradis Pro v4.13

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Liquid updates

Dradis v4.13.0 expands what you can do with Liquid content. Support for Liquid drops has been expanded so that they are available at more levels. For example, perhaps you want to have an auto-magically generated text in an Executive Summary ContentBlock that summarises recommendations for Issues and their respective Evidence locations, in order of severity? Now you can do that!

In addition, we have tweaked the Word exporter so that Liquid content is evaluated before Word filters. That means that you can use Liquid syntax to programmatically set filters. For example, perhaps you have filters in your Word template that separate Internal and External Issues. Now you can use Liquid to, for example, specify that if an Issue is found on a Node beginning in 192. then the Type should be set to “Internal”.

Or perhaps you want to select which ContentBlock sections to display based on the Project type as defined in a document property? Now, with some Liquid code in the relevant ContentBlock filter sections, you can do that!

Project Scheduler integration

The Project Scheduler is one of our most downloaded add-ons, and a frequently requested feature has been integrated with third-party calendars. This is now implemented in v4.13.0! The Scheduler now has a secure link to a .ics that will let you integrate the Dradis Project Scheduler with apps like Outlook, Thunderbird, and Apple Calendar. The .ics file can of course also be downloaded rather than linked.

Auto-generate Word report template properties

Correct configuration of Word templates’ Report Template Properties is essential to ensure that projects are correctly generated, validated, and exported. With our recent Mappings Manager overhaul with per-template mappings, the correct configuration of report template properties is also essential to tool uploads. To make this process easier for you, Dradis can now auto-detect report template properties when you upload a report template to your Dradis instance. If you create or tweak your own templates, and don’t want to go through a fiddly .rb file to configure a new Kit each time, this feature is for you!

Release Notes

  • Liquid: Make project-level collections available for Liquid syntax
  • Validations: Evaluate Liquid syntax before validating the fields
  • Upgraded gems: nokogiri, rails, redcloth, rexml
  • Bug fixes:
    • Business Intelligence:
      • Prevent the “Business Intelligence” navigation label overflowing (in Project and Team forms) on mid-size view ports
      • Prevent the “Compare” chart y-axis label from being covered by chart data
    • Navigation: Restore functionality of native browser back/forward buttons
    • Rules Engine: Prevent issues from getting multiple tags
    • Tables: Enable sorting by validation column status
    • Word: Prevent EvidenceCounter filters from being ignored
  • Integration enhancements:
    • Calculators: Add CVSS/Dread calculators to the Tools Manager
    • Rules Engine: Process Liquid syntax before matching field condition
  • Reporting enhancements:
    • Word:
      • Auto-generate fields for uploaded templates
      • Process Liquid before generating the Word report
      • Remove the NoSpacesInNodesValidator
      • Skip QA validation when exporting all the records
  • Security Fixes:
    • Medium: Authenticated (author) horizontal privilege escalation affecting attachments

Not using Dradis Pro?

New in Dradis Pro v4.12

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

New Mappings Manager

Dradis v4.12.0 contains a complete overhaul of how the Mappings Manager works. Mappings Manager configurations for each upload plugin (e.g. Nessus, Burp, Qualys…) are now directly associated with a particular report template and its associated report template properties. This means that you can have separate plugin mappings for separate report templates.

The editor itself has also been overhauled to be more user-friendly. Rather than having to manually type out the Dradis fields needed using their #[Field]# syntax, you can now pick “Source Fields” and “Dradis Fields” from dropdowns. Of course “Custom Text” and “Custom Field” options are also available.

This overhaul should also make it more straightforward to configure the Mappings Manager for report templates in Kits.

Your existing Mappings Manager configurations will be migrated to the new format on upgrade.

CVSSv4 Calculator

We heard you, now we support a CVSSv4 calculator right in the application!

Of course CVSSv3.0 and CVSSv3.1 are still supported as well. Pick your preferred version from the dropdown. You can have the outputs of multiple calculator versions in the same Issue if you like.

API Attachments

New funcionalities have been added to the API Attachments endpoint. You can now get the size, created_at, and (by popular request) a download link with an API call!

AWS and Azure images now officially supported

After a long time in Beta, we are now able to offer our Dradis images for AWS and Azure as officially supported by us, as long as our documented AWS or Azure deployment methods are followed.

Release Notes

  • Attachments: Add size, created_at, and download link to the API
  • Kits: Automate creating Mappings
  • Mappings Manager: Map fields from scanner integrations to Dradis fields
  • Upgraded gems:
    • nokogiri, rails
  • Bugs fixes:
    • Avatars: Allow both .jpg and .jpeg formats
    • Projects: Fix redirection when updating an issue or content block
    • Sidebar: Prevent version number from overlapping listed records
  • New integrations:
    • Pentera
  • Integration enhancements:
    • CVSS Calculator: Add CVSS v4 support
    • Integration Manager: Clarify integration status after enabling/disabling
    • Veracode:
      • Create evidence for every instance of <flaw>
      • Use cweid as the issue identifier
  • Reporting enhancements:
    • Word: Accept scope parameter in command line export
    • Excel: Accept scope parameter in command line export
  • Security Fixes:
    • High: Authenticated author path traversal on attachment rename

Not using Dradis Pro?

Dradis v4.8.0 has a Quality Assurance feature to approve Issues and Content Blocks before reporting

New in Dradis Pro v4.9

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Liquid Dynamic Content in Word and HTML reports

We have already supported Liquid content in Dradis Gateway templates for a while – now we are bringing Liquid Dynamic Content to Word and HTML reports as well.

Want to refer to document properties like dradis.client inside a ContentBlock? Want to show the count of evidence inside the text of an Issue? Want to use conditionals like “If this property is in Spanish, export this issue in Spanish instead of English”? Now you can! For example, the following will export into an Issue:

#[Description]#
Global:
{{ project.name }} for {{ team.name }} team
{{document_properties.available_properties}}
 
Tag Name:
{% for tag in issue.tags %} {{ tag.name}} {%endfor%}
 
CVSSv3 score:
{{ issue.fields['CVSSv3.BaseScore'] }}
 
Evidence:
{% for evidence in issue.evidence %} {{ evidence.fields["Label"] }} {%endfor%}
 
The {{ issue.title }} issue has {{ issue.evidence.size }} instances of Evidence
 
Evidence count per node:
{% for node in issue.affected %}
{{ node.label}} has {{node.evidence.size}} instances of evidence
{% endfor %}

It would give a result like the following:

Better filters in Word templates

We now have two more filtering options available in Word: Filters with spaces, and filters on Nodes.

Filtering with spaces means you can use double quotes in both field names and filter values. For example, you can filter by "CVSS Base"|(9.0..10.0) or Category|"A1 Injection".

Nodes can be filtered by Node Properties. For example, if you have a Node property for type with values of internal/external, you can filter a Node by type|internal to only see content for internal-type Nodes.

DuoWeb and ServiceNow support in the Integration Manager

We have changed the way our integrations work, so you can now install DuoWeb and ServiceNow right in the Integration Manager. No need to use the command line to install 2FA! You can also configure Duo and ServiceNow, as well as integrations like Azure DevOps, right in the Integration Manager.

Release Notes

  • AccessTokens: allow the storage of per-user encrypted tokens
  • QA: Show state changes in activity feed
  • Sessions: Store :secret_key_base in encrypted configuration file
  • Tylium: Extend support for Liquid Dynamic Content
  • Upgraded gems:
    • bootstrap, popper_js, simple_form
  • Bugs fixes:
    • Issue Library: Prevent rendering navbar over top of the fullscreen editor
    • QA: Redirect to correct view when changing states on QA edit views
    • Users: Force logout for users with locked accounts
  • Integration enhancements:
    • Acunetix: Parse inline code, not just code blocks
    • Burp: Adds strong and code tags parsing
    • CSV: Fix CSV Upload for files with special characters
    • Nessus:
      • Parse code tags as inline code
      • Add plugin_type as an available Issue field
    • Nexpose:
      • Parse inline code, not just code blocks
      • Wrap ciphers in the ssl-weak-message-authentication-code-algorithms finding
    • Qualys: Adds Request/Response Evidence fields for Web Application Scans (WAS)
    • Azure DevOps: Switch authentication from PAT to OAuth2
    • Duo 2FA:
      • Migrate to UI-based configuration
      • Add to Integrations Manager
    • ServiceNow:
      • Migrate to UI-based configuration
      • Add to Integrations Manager
  • Reporting enhancements:
    • Word
      • Add support for filtering nodes by properties
      • Add support for the notextile tag
      • Allow multi-word fields/values in the content control filters with double quotes
      • Extend support for liquid dynamic content in Word reports
      • Warn of missing blank lines around a screenshot only when it’s not the first or last item in a field

Not using Dradis Pro?

New in Dradis Pro v4.6

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Integration and Tool Manager

Now you can install and upgrade integrations (such as DuoWeb and Jira) and tools (such as the Gateway and the Remediation Tracker) directly in the Dradis application – no need to use ssh or the command line! Simply browse to the Integration and Tool Manager in Dradis v4.6, Get the tool, and then Enable it. Then you should be good to go!

Instance Dashboard

Want a better overview of what is going on in your Dradis instance after login? The new Instance Dashboard gives you an at-a-glance overview of Projects, Tickets, and Tasks assigned to you; a list of the newest unread notifications; and and overview of what’s new in the latest version of Dradis.

As a new feature, please do let us know if there are other things you would like to see or change on the instance dashboard once you start using it.

Permanently delete items in Trash

As of v4.2 of Dradis, you could soft-delete projects and teams so they end up in an Instance Trash. However, to permanently delete items in trash, you needed to use the command line. Not anymore! Now you can permanently delete items in Trash straight from the UI.

New Kits

We have long had a few templates and kits available for download at the Dradis Users Portal. We have overhauled some of these kits and made them available directly from the Dradis UI. Simply go to Templates –> Kit Upload, and either upload a kit file as you normally would, or click the Upload button under your preferred preinstalled testing kit.

Release Notes

  • Dashboard: See active projects, notifications, assignments, and what’s new in one view
  • Integration and Tool Manager: Add UI for installing and managing integrations
  • Kits:
    • Add selection of kits to choose from
    • Enable import of kit with no templates
  • Mintcreek: Adjust element contrast ratios to be WCAG 2.1 compliant
  • Navbar:
    • Split the Addons menu into Integrations and Tools menus
    • Remove inaccessible addon’s menu items for contributors
  • Notes: Remove category selection from form UI
  • Projects: Update active projects empty state
  • Trash: Delete projects and teams permanently
  • Rubocop: lint changed files since previous commit
  • Upgraded gems:
    • nokogiri
  • Bugs fixes:
    • Comments: Align comment header content in Safari
    • Content Blocks: Fix revision history links
  • New integrations:
    • Core Impact
    • Veracode
  • Integration enhancements:
    • Implement enable/disable feature for Gateway, JIRA, Remediation Tracker, Scheduler, and VSTS
    • JIRA:
      • Add view for editing configuration
      • Hide link in addons menu for contributors
    • VSTS:
      • Add view for editing configuration
      • Issues: add WorkItem Status and Comment feed
  • REST/JSON API: new v2 released
    • Projects: undiscard and permanently delete from trash.
    • Teams:
      • Undiscard and permanently delete from trash.
      • Deprecate the “/clients” endpoint, use “/teams”
      • Deprecate the “client_since” attribute, use “team_since”

Not using Dradis Pro?

New in Dradis Pro v4.5

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

CSV Importer

Dradis can now import CSV files into projects! Some vulnerability scanners produce output in CSV format rather than e.g. XML or JSON. You can now import these (and other) CSV files into Dradis, and configure which column to assign to which field in your Dradis projects on a per-file basis. Simply go to “Upload”, select the CSV importer, upload a file, and you will be redirected to an interface to assign data to fields. As with other plugins, you can create Issue, Evidence, or Node data and fields.

This is v1 of the CSV importer, so we look forward to your feedback on what works for you and what you would like to see in the future from this feature!

Note that for the sake of internal naming consistency, we have renamed the CSV exporter plugin with this change, so if you have the CSV exporter installed, you will need to reinstall the plugin as dradis-csv_export.

JIRA bulk send

Do you use our JIRA integration? If so, you can now bulk-send issues to JIRA. Simply select multiple issues from your project in the “All Issues” view, and click “Send to JIRA”:

That will send all your selected issues to the Dradis-JIRA interface. Pick the destination project, issue type, and other required fields for each item, and you’re done!

Bug fixes and quality-of-life improvements

Another focus of the v4.5 release is working through some bug reports and lower-level requests we have accumulated over time.

Bug fixes include multiple items relating to attachment validation and export, Node labels linking to external resources (so e.g. clicking on a Node label of “www.google.com” will no longer redirect you to Google instead of the Node in Dradis), and the Rules Engine matching against IssueLibrary entries without trailing empty lines.

Quality-of-life improvements include adding Revision History for Content Blocks and improved error messages in the Output Console on Word report export. Check our release notes for more detail!

Release Notes

  • Content Blocks: implement Revision History
  • Upgraded Dradis Pro to run on ruby 3.1.2
  • Upgraded gems:acts_as_tree, bootsnap, bundler-audit, factory_bot, paper_trail, rails, rails-html-sanitizer, timecop, thor, unicorn, unicorn-worker-killer
  • Bug fixes:
    • Attachments: Fix attachments not showing, validating, or exporting correctly
    • Evidence:
      • Add validation for creating evidences in the issue view
      • Set correct localStorage key to prevent pre-populating incorrect content at the issue level
    • Issue Library: Render colored badges in the Tags column of the entries table
    • Nodes: Prevent evidence labels linking to external resources
    • Rules Engine: Fix the Rules Engine not matching Issue Library entries with no trailing empty lines
  • New integrations:
    • CSV Importer
  • Integration enhancements:
    • JIRA:
      • Add support for datepicker custom fields
      • Add Bulk Send To support
      • Update JIRA setup instructions
    • Rules Engine: Prevent subsequent rules from running after a discard action
    • Qualys: Wrap ciphers in code blocks for the Vuln Importer
  • Reporting enhancements:
    • CSV Export: Rename integration to dradis-csv_export
    • HTML Export: Add :rtp plugins feature
    • Word:
      • Fixes “-” in hyperlinks displaying HTML entity
      • Fixes duplicated relationship Ids when adding relationships
      • Fixes text with double exclamation marks breaking report
      • Show error message in export logs when populating multi-paragraph content in inline content controls
      • Show error message in export logs when removing invalid screenshots
  • Security Fixes:
    • Medium: Authenticated author broken access control: read access to issue content

Not using Dradis Pro?

New in Dradis Pro v4.3

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Auto-update Charts in Word

Previously, to include charts in Word templates, VBA macros were necessary to be able to update the charts in exported reports. This was a problem for the Mac users among us, as the relevant VBA is not supported in Office for Mac. We have now tweaked the reporting engine so that the source Excel sheets for charts in Word can be filled in with filters so they will auto-update during the export process from Dradis. The supported filters support the majority of use cases we have seen, such as issue counts by CVSS score, severity, type, category, host, etc.

Gateway comments

Do you use the Dradis Gateway? We have now improved this collaboration feature! Comments are already supported within Dradis projects, but now comments have reached the Gateway as well. If you are an Admin or Author on a project, you can choose to make a comment public (available on Gateway) or not (only visible to your team members within the project). Gateway contributors are able to view your public comments and submit their own comments on issues and other content inside the Gateway.

Qualys Asset Scans

Dradis now supports Qualys Asset Scans! This expands our Qualys coverage to include:

  • Qualys Vulnerability Scans (Vuln)
  • Qualys Web Application Scans (WAS)
  • Qualys Asset Scans (ASSET)

Release Notes

  • Comments: Show public comments for issues in a project
  • Mintcreek: Add breadcrumb navigation
  • Uploads: Allow subsequent file uploads from the same scanner without needing to re-select the scanner
  • Upgraded gems:
    • nokogiri, rails
  • Bugs fixes:
    • Document Properties: Set focus to property name/value inputs when clicking the edit icon
    • Editor:
      • Add keyboard shortcut support for windows and linux
      • Allow comparing document property values with “==” operator
      • Allow text selection expansion using shift-click
    • Issues: Show correct links in the “Send To” menu
    • Subscriptions: Show correct Subscribe/Unsubscribe link after a new comment is posted
    • Tables: Prevent columns state from resetting after 2 hours
    • Teams: Prevent displaying trashed projects
    • Tylium: Remove extra left padding from the first line of content in a code block
    • Upload: Show pre upload validation for Qualys
  • Integration enhancements:
    • Openvas: Update Node label parsing. Include :hostname and :asset_id properties.
    • Qualys: Add Qualys Asset Scanner (ASSET) support
  • Reporting enhancements:
    • Word: Charts in Word can now be exported without the need for macros
  • Security Fixes:
    • Low: Password reset token can be reused in a 5-minute window

Not using Dradis Pro?

New in Dradis Pro v4.2

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Project Soft-Delete and Instance Level Trash

Previously, once you deleted a project or a team, it was gone forever! We have now added soft-delete and an instance-level trash. So, if you delete a project or team, you can find it in your instance’s Trash, and you can recover it from there.

Choose Which Fields to Display by Default in Projects

In recent versions of Dradis, new projects will display all fields for Issues and Evidence in their respective tables by default. This can lead to a cluttered view. You can update which columns to display, but this is stored on a per-project basis. Now, you can select which Issue and Evidence fields to display by default in the Report Template Properties for your project’s associated report template in Templates –> Reports. Simply switch the toggle to “Show” to whichever fields you want to display by default, and that will apply instance-wide from then on. Of course, if you have project-specific preferences, or if you have multiple people working on the same project but with different preferences of which columns to display, each user can still manually set their preferences on a per-project basis as before.

Improved Evidence Creation from the Issue Level

Dradis lets you add Evidence directly from Issues by going to the Evidence tab of an Issue and hitting the “+ New Evidence” button. Previously that only allowed you to add a blank piece of Evidence or adding a Note template with no customised content. Now, you can customise the content right in the “Add New Evidence” form and choose where to put it, including in new nested Nodes.

Release Notes

  • Editor: Support fields with the same name in the Fields View
  • Increased table loading performance on Issues, Evidence, and Notes for projects with a lot of issues, evidence, or notes
  • Issues:
    • Display evidence in a table
    • Load evidence tab content asynchronously
    • Multi-delete evidence at the issue level
    • Update evidence content while creating evidence records at the issue-level
  • Notifications Navbar Dropdown:
    • Improve font-sizes
    • Wrap long notifications links
  • Projects:
    • Generate default report content when updating the report template
    • Truncate long team name badges in active project cards
  • Report Templates: Add Show option to display certain evidence and issue fields by default in tables
  • Trash: Allow projects and teams to be soft deleted
  • Tylium:
    • Import CSS manifests from addons
    • Move ‘…’ (more actions) menu closer to the content affected by the actions of the menu
    • Move the ‘Edit’ action out of the ‘…’ (more actions) menu for issues, evidence, notes, etc.
    • Remove extra left padding from the first line of content in a code block
    • Remove height restriction from code blocks
    • Simplify issues table columns
    • Updates focus state outline color
  • Upgraded gems:
    • mini_racer, puma, rails
  • Bug fixes:
    • Comments: Show sticky toolbar when adding long comments
    • Issues: Send To menu updates when new plugins are installed
    • Fixes background services from not restarting after upgrades
    • Liquid drops: Allow author collection to be called in ProjectDrop
    • Methodology: Fix misformatted cards when saving a methodology as a template
    • Redirect back to issue when updating evidence from the issue level
    • Rules Engine: Allow authors with “update” permission to sort rules
    • Tables: Prevent the select all button from selecting filtered out rows when a filter is been applied
    • Subscriptions: Fixed a caching issue preventing users from subscribing or unsubscribing after the first cache was stored
  • Integration enhancements:
    • Dradis Projects:
      • Fixes missing parent nodes during template and package imports
      • Fixes missing nodes for attachments during template and package imports
    • Gateway:
      • Bug fixes:
        • Fixes ‘authors’ call for the atlantia theme
        • Fixes missing attachments crashing Gateway
        • Select a default pane when Authors edit a Gateway project instead of loading a mostly blank screen
    • Nexpose:
      • Add the Hostname Node property from the name rather than site-name tag
    • Nipper:
      • Add Nipperv1 fields to issues
    • PDF Export:
      • Add Thor task for console export
      • Add view hook for Export#index
    • Qualys:
      • Add ‘element.qualys_collection’ as issue field
      • Add Qualys Web Application Scanner (WAS) support
    • Remediation Tracker:
      • Bug fixes: Hide the tickets’ “edit” and “delete” buttons for unauthorized users
    • SAML:
      • Add PingIdentity support
      • Add SAML logo to Log in button
      • Increases log verbosity on errors
    • Scheduler
      • No longers shows disabled projects in the calendar
    • VSTS:
      • Format issue content when sending to VSTS
  • REST/JSON API enhancements:
    • Projects/Teams:
      • Discard Projects through the DELETE endpoint
      • Hide discarded projects/teams from endpoints
  • Security Fixes:
    • Low: Authenticated author broken access control: read access to screenshots

Not using Dradis Pro?

New in Dradis Pro v3.0

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.

The highlights of Dradis Pro v3.0

  • Add comments for issues
  • Add notifications for comments
  • Add subscriptions for issues in a project
  • Nest the dradis elements under the project scope
  • Add ‘Send to…’ menu for issues
  • Add better handling of the Services table
  • Use puma for the development and test server
  • Remove resque dependency
  • Improve redirect on Evidence#edit
  • Alphabetically sort ContentBlocks
  • Validate empty fields
  • Fix exporting with bc.. prepended with a newline
  • Fix password reset thor task
  • Fix cookie overflow
  • Fix license redirection
  • Fix missing lists bug
  • Add-on enhancements:
    • Add references and vulnerability_classifications fields in the Burp plugin
    • Fix formatting errors and hostname Node property in the Burp plugin
    • Fix vertical buttons for the CVSS calculator
    • Fix issue sorting in HTML export
    • Split services data in the Metasploit, Nessus, Nmap plugin
    • Update fields template in Nessus plugin
    • Add CVSS fields for the Netsparker plugin
    • Resolve nested duplicate content in Paragraph tags in the Nexpose plugin
    • Better handle finding `id`s in Nikto plugin
    • Smart table header for the IssueLibrary
  • Bugs fixed: #102, #118, #321
The IssueLibrary must be updated after you upgrade! Contact support for the files.
A quick video summary of what’s new in this release:

Comments, notifications, and subscriptions

You can now comment on issues within projects.  You can also tag other members of your team in a comment, or subscribe to a conversation.

If a team member is tagged in a comment or subscribed to a conversation that has received a comment, they will see a notification when they open their project.

One project per tab

You may now have multiple projects open in several tabs of your browser.  You are now able to switch freely between projects and tabs altering their content in any order – a boon for multitaskers!

API endpoints for Content Blocks and Document Properties

For users of our REST API, we have now added endpoints for Content Blocks and Document Properties. Now you may create, update, retrieve, and delete Content Blocks and Document Properties through the API.

Ready to upgrade to v3.0?

Still not using Dradis in your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.