Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.
Cross-references in Word reports
A frequent report template request is being able to cross-reference Issues, so that you can have a summary table of issues in one part of the finished report that links to each full Issue description later in the report. Previously we have implemented this using VBA macros; now you can do it right in the Word template using content controls, no VBA needed!
You can create links in summary tables, or even refer to specific issues in other blocks of text (such as Content Blocks) with links directly to each individual issue you want to reference. For example, maybe you have a “Most urgent issues” content block? Now you can refer to those individual issues with links in text.
Reach out to us if you would like us to implement cross-referencing in your Word report templates, or if you currently have a VBA macro implementation of cross-referencing that you want to replace with the built-in cross-referencing feature.
Custom Tag Order
You have been able to customise tags in Dradis for a while; now you can sort them dynamically as well. For example, maybe you have your own custom “Resolved” tag as well as your typical High/Medium/Low tags, and you want Resolved issues sorted first. Now you can do that! Change your mind and want to see High issues first? Re-order the tags and you’re done.
Kit Updates
We refreshed our built-in Kits with updated templates for reports, projects, issues, and more. We also included integration mappings and rules, along with an OWASP Top 10 methodology update.
Kits can be deployed immediately on an instance (no upload required) and can be used immediately with some tool output for which mappings are included. Other tweaks like CVSSv4 support are also included.
Release Notes
Projects: Add `Owner` column to projects data table
Tags: Add custom ordering
Welcome Kit:
Add HTML report template
Add issue and evidence templates
Add integration mappings
Add project template
Add rules for Rules Engine
Update OWASP Top 10 methodology to latest version (2021)
Update report templates
Upgraded gems: net-scp, net-ssh, rexml
Bug fixes:
Dashboard: refresh cache on recent project changes
Word export: allow charts to be edited post-export
Integration enhancements:
Gateway: Process Liquid in content block, evidence, issue and note text by default when rendering template
To achieve this, we’re continually improving the product. Fixing bugs and adding/improving features.
Let’s look back on the updates that shaped Dradis Pro in 2024. From major feature rollouts to smaller, user-requested enhancements, our focus remained on delivering tools that help streamline workflows and improve reporting efficiency.
v4.12: Enhanced Mappings Manager and CVSSv4 Support
Released in May 2024
Overhauled Mappings Manager: We’ve revamped the Mappings Manager to associate configurations directly with specific report templates and their properties. This change allows for distinct plugin mappings tailored to each report template, streamlining your reporting process.
CVSSv4 Calculator Integration: Responding to user feedback, we’ve integrated a CVSSv4 calculator into Dradis Pro. You can now assess vulnerabilities using CVSSv4, with the flexibility to include outputs from multiple calculator versions within the same issue.
API Enhancements for Attachments: The API now provides additional functionalities for attachments, including access to size, creation date, and direct download links, enhancing automation and integration capabilities.
Official AWS and Azure Support: Our Dradis images for AWS and Azure have transitioned from beta to officially supported status, ensuring reliable deployments when following our documented methods.
v4.13: Advanced Liquid Support and Scheduler Integration
Released in August 2024
Expanded Liquid Functionality: We’ve broadened Liquid support, making Liquid drops available at more levels. This enhancement enables dynamic content generation, such as auto-generated executive summaries that summarize recommendations based on issue severity and evidence locations.
Project Scheduler Calendar Integration: The Project Scheduler now offers secure links to .ics files, facilitating integration with third-party calendar applications like Outlook, Thunderbird, and Apple Calendar. This feature ensures seamless scheduling and project management across platforms.
Auto-Detection of Word Report Template Properties: To simplify template configuration, Dradis Pro can now auto-detect report template properties upon template upload. This automation reduces manual setup, ensuring accurate project generation, validation, and export.
v4.14: Issue Library Synchronization and Quality Assurance
Released in October 2024
Synchronized Issues and Issue Library Entries: We’ve introduced synchronization between project issues and Issue Library entries. This feature allows for real-time updates and consistency, enabling you to sync content between associated issues and library entries seamlessly.
Quality Assurance for Issue Library: A new QA view for the Issue Library lets you review, edit, and manage entries with version history tracking. This addition ensures that reusable issues maintain high quality and consistency across projects.
Liquid Support for Issue Sorting Fields: We’ve added Liquid support for issue sorting fields, allowing you to use Liquid code within sorting fields without affecting the sort order. The evaluated result of the Liquid code determines the sorting, providing dynamic and customized report organization.
Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.
Associate and sync content between issues and Issue Library entries
Issues and Issue Library entries are now synced. When you add an Issue to your project from the Issue Library, it is synced up with the original Issue Library entry. That way, you can identify when the two are out of sync and, if needed, sync them back up.
You can update either the Issue in your project to match the Issue Library entry, or update Entry to match your Issue Library entry – it works both ways!
This link between the issue and the entry is also created when you send an already existing Issue from your project to the Issue Library. Managing your reusable Issues has never been as easy as it is now!
Quality Assurance for Issue Library
We implemented QA for the Issue Library. You can now review your Issue Library entries and perform quality assurance on them.
When entries are marked as “Ready For Review”, they’re available in the new QA view. You can edit them, change their state, and keep track of changes with the version history.
Liquid support for Issue Sort fields
Liquid support for Issue sorting fields. When you export a report to Word, you can set a numeric sorting field, and your issues will be sorted in descending order on export.
This update allows that field to contain Liquid in the Val values without affecting the sort order. The result of the Liquid code will be used in the sorting, not the Liquid code itself.
Release Notes
Issue Library:
Associate issues with Issue Library entries
Sync content between associated issues and Issue Library entries
Implement a Quality Assurance view for Issue Library entries
Kit Import:
Use file name sequencing when a template file with the same name exists
Upgraded gems:
concurrent-ruby, et-orbi, fugit, puma, rexml
Bug fixes:
Report Templates:
Fix confirmation on deleting a report template
Spelling:
Restore functionality of native browser back/forward buttons
Integration enhancements:
Business Intelligence:
Show search results in a data table
Reporting enhancements:
Word:
Allow fields that contain Liquid to be used as an export sorting field
Ignore Tag field when auto-generating word template properties
Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.
Liquid updates
Dradis v4.13.0 expands what you can do with Liquid content. Support for Liquid drops has been expanded so that they are available at more levels. For example, perhaps you want to have an auto-magically generated text in an Executive Summary ContentBlock that summarises recommendations for Issues and their respective Evidence locations, in order of severity? Now you can do that!
In addition, we have tweaked the Word exporter so that Liquid content is evaluated before Word filters. That means that you can use Liquid syntax to programmatically set filters. For example, perhaps you have filters in your Word template that separate Internal and External Issues. Now you can use Liquid to, for example, specify that if an Issue is found on a Node beginning in 192. then the Type should be set to “Internal”.
Or perhaps you want to select which ContentBlock sections to display based on the Project type as defined in a document property? Now, with some Liquid code in the relevant ContentBlock filter sections, you can do that!
Project Scheduler integration
The Project Scheduler is one of our most downloaded add-ons, and a frequently requested feature has been integrated with third-party calendars. This is now implemented in v4.13.0! The Scheduler now has a secure link to a .ics that will let you integrate the Dradis Project Scheduler with apps like Outlook, Thunderbird, and Apple Calendar. The .ics file can of course also be downloaded rather than linked.
Auto-generate Word report template properties
Correct configuration of Word templates’ Report Template Properties is essential to ensure that projects are correctly generated, validated, and exported. With our recent Mappings Manager overhaul with per-template mappings, the correct configuration of report template properties is also essential to tool uploads. To make this process easier for you, Dradis can now auto-detect report template properties when you upload a report template to your Dradis instance. If you create or tweak your own templates, and don’t want to go through a fiddly .rb file to configure a new Kit each time, this feature is for you!
Release Notes
Liquid: Make project-level collections available for Liquid syntax
Validations: Evaluate Liquid syntax before validating the fields
Upgraded gems: nokogiri, rails, redcloth, rexml
Bug fixes:
Business Intelligence:
Prevent the “Business Intelligence” navigation label overflowing (in Project and Team forms) on mid-size view ports
Prevent the “Compare” chart y-axis label from being covered by chart data
Navigation: Restore functionality of native browser back/forward buttons
Rules Engine: Prevent issues from getting multiple tags
Tables: Enable sorting by validation column status
Word: Prevent EvidenceCounter filters from being ignored
Integration enhancements:
Calculators: Add CVSS/Dread calculators to the Tools Manager
Rules Engine: Process Liquid syntax before matching field condition
Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.
New Mappings Manager
Dradis v4.12.0 contains a complete overhaul of how the Mappings Manager works. Mappings Manager configurations for each upload plugin (e.g. Nessus, Burp, Qualys…) are now directly associated with a particular report template and its associated report template properties. This means that you can have separate plugin mappings for separate report templates.
The editor itself has also been overhauled to be more user-friendly. Rather than having to manually type out the Dradis fields needed using their #[Field]# syntax, you can now pick “Source Fields” and “Dradis Fields” from dropdowns. Of course “Custom Text” and “Custom Field” options are also available.
This overhaul should also make it more straightforward to configure the Mappings Manager for report templates in Kits.
Your existing Mappings Manager configurations will be migrated to the new format on upgrade.
CVSSv4 Calculator
We heard you, now we support a CVSSv4 calculator right in the application!
Of course CVSSv3.0 and CVSSv3.1 are still supported as well. Pick your preferred version from the dropdown. You can have the outputs of multiple calculator versions in the same Issue if you like.
API Attachments
New funcionalities have been added to the API Attachments endpoint. You can now get the size, created_at, and (by popular request) a download link with an API call!
AWS and Azure images now officially supported
After a long time in Beta, we are now able to offer our Dradis images for AWS and Azure as officially supported by us, as long as our documented AWS or Azure deployment methods are followed.
Release Notes
Attachments: Add size, created_at, and download link to the API
Kits: Automate creating Mappings
Mappings Manager: Map fields from scanner integrations to Dradis fields
Upgraded gems:
nokogiri, rails
Bugs fixes:
Avatars: Allow both .jpg and .jpeg formats
Projects: Fix redirection when updating an issue or content block
Sidebar: Prevent version number from overlapping listed records
New integrations:
Pentera
Integration enhancements:
CVSS Calculator: Add CVSS v4 support
Integration Manager: Clarify integration status after enabling/disabling
Veracode:
Create evidence for every instance of <flaw>
Use cweid as the issue identifier
Reporting enhancements:
Word: Accept scope parameter in command line export
Excel: Accept scope parameter in command line export
Security Fixes:
High: Authenticated author path traversal on attachment rename
We have already supported Liquid content in Dradis Gateway templates for a while – now we are bringing Liquid Dynamic Content to Word and HTML reports as well.
Want to refer to document properties like dradis.client inside a ContentBlock? Want to show the count of evidence inside the text of an Issue? Want to use conditionals like “If this property is in Spanish, export this issue in Spanish instead of English”? Now you can!
We now have two more filtering options available in Word: Filters with spaces, and filters on Nodes.
Filtering with spaces means you can use double quotes in both field names and filter values. For example, you can filter by “CVSS Base"|(9.0..10.0) or Category|"A1 Injection“.
Nodes can be filtered by Node Properties. For example, if you have a Node property for type with values of internal/external, you can filter a Node by type|internal to only see content for internal-type Nodes.
What was previously the Plugin Manager is now the Mappings Manager as we’ve extended the functionality to Azure DevOps and Jira. You told us that you usually have a pattern for the data that you send to these external tools. For example, you’d want a specific set of fields from your Dradis issue to go into your Jira card’s description.
The Mappings Manager allows you to configure that mapping so that the next time you send an Issue to Azure DevOps or Jira, the editor will pre-populate with the data from your Issue in the exact format you specified. You’ll still have the ability to edit it before sending the Issue to Azure DevOps or Jira if needed.
Review/approve Issues and Content Blocks before including them in reports.
The goal here was to give you a way to differentiate between “I’ve reviewed this issue” and “I haven’t reviewed this issue yet”.
You can use the new QA view to look at your “Ready for review” Issues and Content Blocks and review them before including them in reports.
Then, on the Export page, the default is to export just the Published records. But, you can also export All if that makes more sense for your team’s workflow.
Previously, you could create custom tags by editing the XML of the project template directly. That’s still an option if you happen to enjoy dealing with XML. Otherwise, you can now use the UI for that whole process. There’s even a color picker so that you can get just the right shade for your custom tags.
From the project level, you can also manage your tags and create, edit, or delete them as needed:
Improved admin and support features
Archiving projects – rather than moving them into the trash
Previously, we had active projects or projects in the Trash and nothing in between. You asked for another way to organize projects and we delivered! Now, you can archive projects as well. Archiving a project does not delete a project, but leaves it in the Archive tab of the Projects view. This way you can maintain an uncluttered view of active projects without needing to send inactive projects to the trash.
Before v4.7, we had no way to receive usage data from your instance other than a ping to our licensing server when you first activate the instance. In v4.7, we have rolled out optional usage analytics that you can share with us. Yes, optional!
For full transparency, you can see exactly what you would be sending to us in the event log. It’s all anonymized data like “someone exported a Word report” or “someone logged in as a contributor” that is designed to help us understand how teams are using Dradis and should not reveal anything sensitive, not even your email address.
Of course, you can always opt out of sharing this data with us if you prefer. We’re excited to have a bit more information about how you’re currently using Dradis so that we can make the product even better for everyone in the future.
We’ve also added better in-app tester administration. If a user gets locked out of their account with too many incorrect login attempts, Admin users will now be able to unlock their account with 1 click.
v4.11 – the latest release
We’ve continued releasing updates in 2024, here’s an overview of our latest release:
Improved version history
Fixed liquid dynamic content preview in the editor
Fixed export crashing with links with trailing special character
Fixed link formatting for hyperlinks in inline code blocks
Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.
Bug Fixes
Dradis v4.11.0 is full of bug fixes and technical updates. You may not see brand new features or changes to the UI but we fixed many, many different things behind the scenes. We also updated some behind-the-scenes aspects like the rails version.
Improved version history
We’ve improved the version history and the way that it displays. Previously, the entire line/paragraph would be marked as changed, even if a single word was changed. Check out the new and improved version!
Fixed liquid dynamic content preview in the editor
Fixed export crashing with links with trailing special character
Previously, exports would crash if you included a link with a trailing special character. No more!
Fixed link formatting for hyperlinks in inline code blocks
We’ve also fixed the formatting of links inside code blocks so that they appear in the report exactly how you’d expect them to appear.
Release Notes
Assets: Add importmap-rails to handle js libraries
Liquid: Add LiquidAssignsService
nginx: Add HTTP/2 support
Revision history: Improve version history for content with carriage return
Tylium: Show liquid content in editor preview
Web-server: Replace unicorn with puma in production
Validation: Display attachment validator errors when viewing/editing a record
Flash alert: Allow the ‘license about to expire’ alert to be dismissed for the session
Upgraded gems:
rails, resque-scheduler
Bug fixes:
Code blocks: Remove extra padding and background for code elements outside of projects
Contributors: Expire one time token after login
Evidence: Prevent loading old Evidence template content at the Issue level
Methodologies: validate presence of content
Integration enhancements:
Authentication Integrations: Use the AuthenticationStrategies class for Rails 7 support
Burp: Fix compatibility with nokogiri >= 1.15
Nexpose:
Add port/protocol to evidences
Use the details in <os> as the OS node property
Import `vulnerability.risk_score` as a new Issue field
Allow multiple evidence with the same test id & node address
Qualys: Add support for the output for Qualys WAS API 3.13 and later
Reporting enhancements:
Word:
Fix export crashing with links with trailing special characters
Skip link formatting for hyperlinks in inline code blocks
Security Fixes:
Low: Authenticated (author) information disclosure
After a user has been removed from a project, they may still get notifications for Issues they were subscribed to, resulting in the disclosure of Issue titles.
Low: Information Disclosure in the Output Console of Upload Manager
Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.
Validate your projects before your export
How many times have you gone to export a report and realized later that there was an error that the validator caught, you just didn’t validate first? Now, the validation is built into the exporter so that you’ll always get a heads-up about possible problems and can fix them before exporting the report. In the case of false positive validator warnings, you’ll have the option to bypass the errors and continue with the export.
If there are no validation errors, the export will proceed with no extra clicks necessary!
Mappings Manager for Azure DevOps and Jira
What was previously the Plugin Manager is now the Mappings Manager as we’ve extended the functionality to Azure DevOps and Jira. You told us that you usually have a pattern for the data that you send to these external tools. For example, you’d want a specific set of fields from your Dradis issue to go into your Jira card’s description.
The Mappings Manager allows you to configure that mapping so that the next time you send an Issue to Azure DevOps or Jira, the editor will pre-populate with the data from your Issue in the exact format you specified. You’ll still have the ability to edit it before sending the Issue to Azure DevOps or Jira if needed.
Archiving projects
Previously, we had active projects or projects in the Trash and nothing in between. You asked for another way to organize projects and we delivered! Now, you can archive projects as well. Archiving a project does not delete a project, but leaves it in the Archive tab of the Projects view. This way you can maintain an uncluttered view of active projects without needing to send inactive projects to the trash.
New Methodologies REST API endpoint
You can now access Methodology data including Boards, Lists, and Cards via the REST API.
Release Notes
Report Template Properties: Add fields with “String” type by default
Tylium: Consolidate sidebars
Integration Manager:
Add error handling for enabling/disabling and installing incompatible files
Add the HTML Exporter to the Tools Manager
Plugin Manager: Add support for Liquid content in templates
Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.
Liquid Dynamic Content in Word and HTML reports
We have already supported Liquid content in Dradis Gateway templates for a while – now we are bringing Liquid Dynamic Content to Word and HTML reports as well.
Want to refer to document properties like dradis.client inside a ContentBlock? Want to show the count of evidence inside the text of an Issue? Want to use conditionals like “If this property is in Spanish, export this issue in Spanish instead of English”? Now you can! For example, the following will export into an Issue:
#[Description]#
Global:
{{ project.name }} for {{ team.name }} team
{{document_properties.available_properties}}
Tag Name:
{% for tag in issue.tags %} {{ tag.name}} {%endfor%}
CVSSv3 score:
{{ issue.fields['CVSSv3.BaseScore'] }}
Evidence:
{% for evidence in issue.evidence %} {{ evidence.fields["Label"] }} {%endfor%}
The {{ issue.title }} issue has {{ issue.evidence.size }} instances of Evidence
Evidence count per node:
{% for node in issue.affected %}
{{ node.label}} has {{node.evidence.size}} instances of evidence
{% endfor %}
It would give a result like the following:
Better filters in Word templates
We now have two more filtering options available in Word: Filters with spaces, and filters on Nodes.
Filtering with spaces means you can use double quotes in both field names and filter values. For example, you can filter by "CVSS Base"|(9.0..10.0) or Category|"A1 Injection".
Nodes can be filtered by Node Properties. For example, if you have a Node property for type with values of internal/external, you can filter a Node by type|internal to only see content for internal-type Nodes.
DuoWeb and ServiceNow support in the Integration Manager
We have changed the way our integrations work, so you can now install DuoWeb and ServiceNow right in the Integration Manager. No need to use the command line to install 2FA! You can also configure Duo and ServiceNow, as well as integrations like Azure DevOps, right in the Integration Manager.
Release Notes
AccessTokens: allow the storage of per-user encrypted tokens
QA: Show state changes in activity feed
Sessions: Store :secret_key_base in encrypted configuration file
Tylium: Extend support for Liquid Dynamic Content
Upgraded gems:
bootstrap, popper_js, simple_form
Bugs fixes:
Issue Library: Prevent rendering navbar over top of the fullscreen editor
QA: Redirect to correct view when changing states on QA edit views
Users: Force logout for users with locked accounts
Integration enhancements:
Acunetix: Parse inline code, not just code blocks
Burp: Adds strong and code tags parsing
CSV: Fix CSV Upload for files with special characters
Nessus:
Parse code tags as inline code
Add plugin_type as an available Issue field
Nexpose:
Parse inline code, not just code blocks
Wrap ciphers in the ssl-weak-message-authentication-code-algorithms finding
Qualys: Adds Request/Response Evidence fields for Web Application Scans (WAS)
Azure DevOps: Switch authentication from PAT to OAuth2
Duo 2FA:
Migrate to UI-based configuration
Add to Integrations Manager
ServiceNow:
Migrate to UI-based configuration
Add to Integrations Manager
Reporting enhancements:
Word
Add support for filtering nodes by properties
Add support for the notextile tag
Allow multi-word fields/values in the content control filters with double quotes
Extend support for liquid dynamic content in Word reports
Warn of missing blank lines around a screenshot only when it’s not the first or last item in a field
Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.
Quality Assurance
Review/approve Issues and Content Blocks before including them in reports.
The goal here was to give you a way to differentiate between “I’ve reviewed this issue” and “I haven’t reviewed this issue yet”.
You can use the new QA view to look at your “Ready for review” Issues and Content Blocks and review them before including them in reports.
Then, on the Export page, the default is to export just the Published records. But, you can also export All if that makes more sense for your team’s workflow.
Tester Administration
We’ve also added better in-app tester administration. If a user gets locked out of their account with too many incorrect login attempts, Admin users will now be able to unlock their account with 1 click.
Release Notes
Quality Assurance: Review/approve Issues and Content Blocks before including them in reports
Tester Administration: Add unlock button to UI for locked Testers
Integration enhancements:
JIRA: Add support for Jira Data Center v8.4+
Upgraded gems:
rack, rails, time
Bug fixes:
Kits: Enable import of kit with no project template