Category Archives: Dradis_Pro

Posts about features, announcements and updates of Dradis Professional Edition.

New in Dradis Pro v3.6

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you deliver the results of security assessments, in a fraction of the time without the time-wasting frustration of creating manual reports.

Hello, good looking.

screen showing the project summary in Dradis Tylium theme
Tylium is included with Dradis Pro v3.6 and CE 3.16

We’ve introduced a new project theme for Dradis. Tylium* is more than sprucing up the design with sleek lines and modern styles. It incorporates thoughtful details to improve your workflow and provides us greater flexibility to address your UI feedback moving forward.

This is a big visual change, but you won’t have to hunt for the Dradis items you rely on since they haven’t gone too far from the previous theme, Snowcrash. We’ve minimized the impact on your day-to-day use of Dradis by keeping the feel and flow of the app familiar. 

A comparison of two different project summary themes
Snowcrash vs Tylium

Tylium optimizes your workspace, keeping the purpose of each view in mind. It adds space where you need more real estate for updating findings and resizes or rearranges elements when you need to see the big picture. An example of this can be seen with the collapsible sidebar that adds roughly 20% more space and keeps all sections of the app quickly accessible, even adding a dashboard link to the project summary.

animation showing a navigation bar collapsing.
Now you see it, now you don’t!

As always, we’re eager to hear what you think. If you have feedback on Tylium drop a comment here, send it via email, or share it in Slack.

*It is SOP at Security Roots that we honor our nerdoms where we can. Snowcrash, the previous theme, is a nod to Neal Stephenson’s cyberpunk novel of the same name. Our love of Battlestar Galactica continues on with the new theme, paying homage to the powerful fuel source used in the series – Tylium.

Report Generation Errors

Everyone knows that validating your report before generating it will save you a headache tracking down problems with the report later. Now, the validator is more helpful by providing additional context to help locate the problematic evidence. While we are preventing headaches if your report has errors that are detected during generation the option to download it won’t be displayed.

Oooh, there’s the problem!

Release Notes

  • Update app to new Tylium layout
  • Add the ability for kits to update an instance’s Plugin Manager templates
  • Add revision history for cards
  • Bugs fixed:
    • Updated support beacon. Legacy support was dropped for older versions
    • Fix errors on content overwrite flash messages
    • Fail and redirect to login instead of raising an error when attempting to log in as a user that has been removed
    • When a report export is invalid and errors we disable the download button to prevent further errors
    • Fix the mail initializer not finding existing configuration settings from the db
    • Fix Cancel link path for the Note Edit page
    • Fix services_extras not being excluded from Excel exports
    • Fix Rule checking for non-existent fields
  • Integration enhancements:
    • CVSSv3 calculator provides access to all Temporal/Environmental fields
  • Reporting enhancements:
    • Add support for ellipsis
    • Better Evidence references on failed validations
  • REST/JSON API enhancements:
    • Add team (team id, team name, team_since) in the teams API endpoint
  • Security Fixes:
    • High: Authenticated author can no longer continue to make project changes and will be logged out after being disabled by an admin
    • Medium: Prevent admins from updating other user’s comments

Not using Dradis Pro on your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features or what our users are saying.

Dradis version 3.5

New in Dradis Pro v3.5

This post references an older release of Dradis Pro. You can find the most current version here:

Email Notifications

Now you can have your notifications emailed to you when you aren’t working in a Dradis project. Each user can adjust their notification settings to receive them individually as they happen, in a daily digest, or not at all. Get started using email notifications by configuring the mail server on your Dradis Pro instance.

A few @mention enhancements are in this release, including loading an @mentioned user’s profile photo or gravatar so you quickly spot who is in the conversation.

Burp Suite Issue severity

The way that Burp Suite handles severity is different than other integrations. Burp assigns severity to each instance of an issue as evidence and doesn’t assign severity to the issue directly. As a result, this was leading to several pieces of evidence with different severity levels for an issue with no assigned severity in Dradis. Now, Dradis will assign the issue severity using the highest evidence severity level.

Table Sorting

Finding the information you are looking for in a long table is easier with table sorting. Tables in Dradis can be sorted by any column. Click on the column heading of your choice and presto, change-o the table is sorted.

animation of a table of security findings sorting by column heading

Release Notes

  • Email notifications
  • Add notification settings to decide how often to get email notifications
  • Add a smtp.yml config file to handle the SMTP configuration
  • Preserve SMTP configuration on updates
  • Various mention related improvements:
    • Enhance the mentions box in comments to close when it is open and the page is scrolled.
    • Fix bug that prevents the mentions dialog from appearing after navigating through the app.
    • Fix elongated avatar images so they are round once again.
    • Added avatar images to mentions in comments.
    • Load Gravatars for users whose email has been set up with gravatar.
  • Add and update methodology download links to Dradis Portal
  • Enhancement when adding new nodes to copy node label data between the single and multiple node forms.
  • All tables can be sorted by column
  • Bugs fixed:
    • Fix handling of pipe character in node property tables
    • Fix projects count not updating in teams view
    • Fix error on team page when showing primary team
    • Fix overflow issue where the content would expand out of view
    • Fix page jump when issues list is collapsed
    • Fix conflicting version message when updating records with ajax
    • Fix hamburger dropdown menu functionality.
    • Fix node merging bug when `services_extras` properties are present
    • Fix cross-project info rendering
    • Prevent content block group names to be whitespaces only
    • Fix displaying of content blocks with no block groups
    • Limit project name length when viewing a project
    • Removed bullet style in node modals
    • Validate parent node project
  • Integration enhancements:
    • Burp: Make `issue.severity` available at the Issue level
    • Nessus: Fixed bullet points formatting to handle internal text column widths
    • Nexpose: Wrap ciphers in code blocks
    • Netsparker: Fix link parsing of issue.external_references
    • Jira: Loading custom (required) fields from JIRA by IssueType and Project
  • REST/JSON API enhancements:
    • Fix disappearing owner when assigning authors to a Project using the API
    • Set the “by” attribute for item revisions when using the API
  • Security Fixes:
    • Medium: Authenticated author mentioning an existing user outside of the project will subscribe that user to the note/issue/evidence
    • High: Authenticated author was able to access unauthorized projects using the API
    • Upgraded gems: nokogiri (CVE-2019-13117)

Not using Dradis Pro on your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features or what our users are saying.

New in Dradis Pro v3.4

This post references an older release of Dradis Pro. You can find the most current version here:


Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you deliver the results of security assessments, in a fraction of the time without the time-wasting frustration of creating manual reports.

Node Methodology

Add a methodology to a node containing the details appropriate for that node type. Create and apply methodology templates to ensure everyone on the team knows the next steps for that node. Project methodologies are still available; these new methodologies bring the same consistency to nodes.

Merging Nodes

If you have ended up duplicate nodes in your project, you can now merge them and preserve any findings related to that node. The new node merge action moves all associated Notes, Evidence, Attachment, and Activities from the source node into the target node.

Highlight Inside Code Blocks

Call attention to the most important details within a code block. Wrap the section with $${{ }}$$ to highlight it in yellow. The highlights transfer to your final report using styling updated in your report template.

Collapsable Sidebars

If your project has a long list of issues or attachments, it can be unwieldy to quickly access the import fields at the bottom to add more. The sidebars are now collapsable using the chevron at the top of the list and are expanded by default. Issues, Report content, and Nodes received this UI update to help you move through a cleaner interface.

Release Notes

  • Allow nodes to have an associated methodology
  • Highlight code snippets.
  • Better new board form empty name handling
  • Fix migration paths during database setup
  • Collapsable sidebar in issues
  • Collapsable sidebar in report content
  • Better placeholder syntax in Issuelib
  • Contributor dashboard redesign
  • Fix screenshot validator when Textile screenshot links have captions
  • Add Node merging feature
  • REST/JSON API:
    • New coverage: Tester users
  • Word reports:
    • Add CodeHighlight style support
  • Add-on enhancements:
    • Nexpose: Add risk-score attribute to nodes
    • Nmap: Add port.service.tunnel field to the port template
    • Remediation tracker: tickets can be assigned to testers and contributors, and contributors can see their tickets too.

Not using Dradis Pro on your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features or what our users are saying.

New in Dradis Pro v3.3

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you deliver the results of security assessments, in a fraction of the time without the time-wasting frustration of creating manual reports.

What’s new in Dradis Pro v3.3

Auto-Save

There are few things more frustrating than losing work in progress when your connection drops, browser crashes, or you close the wrong tab. Dradis now automatically saves your changes every few seconds to help avoid this problem. When you return to work, and auto-saved data is available, restore your work from the browser’s cached version.

Configuration Kits

Get started with Dradis Pro with a click of a button using kits. Use a Dradis kit to set up an instance tailored to your needs just by uploading a single file. A single kit zip file can quickly import and configure a project, report, issue, and evidence templates and properties, Rules Engine rules, methodologies, and sample projects. Admins can still tweak and configure Dradis manually; kits offer a simple way to jumpstart setup.

Azure DevOps / VSTS

Send any issue from a Dradis project to Azure DevOps (formerly Visual Studio Team Services / Team Foundation Server) to create a Work Item. Once sent, the Issue in Dradis displays the state of Work Item so you can keep track of remediation activities without leaving Dradis.

Ready to upgrade to v3.3?

Release Notes

  • Fix column overflow on Issues / IssueLib entries table
  • Allow report content management even without an RTP
  • Fix content blocks sorting in the sidebar
  • REST/JSON API:
    • Add-ons can inject Project attributes
    • BI custom fields included in Projects API endpoint
    • BI custom fields included in Teams API endpoint
    • Project Scheduler add-on includes :start and :end date in Projects endpoint
  • Fix sorting for issues under nodes on export
  • Add ability to upload configuration kits via web
  • Add screenshot validator
  • Projects are created with a background job
  • Two-step Contributor login

Not using Dradis Pro on your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features or what our users are saying.

New in Dradis Pro v3.2

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you deliver the results of security assessments, in a fraction of the time without the time-wasting frustration of creating manual reports.

What’s new in Dradis Pro v3.2

Here is Rachael with a quick video summary of what’s new in this release:

Integrated CVSSv3 Calculator

Quickly generate a CVSSv3 Risk score for an individual issue directly in Dradis. The CVSSv3 score calculator is now included as a tab on each issue for handy access. Edit the values on the calculator to populate the issue’s CVSSv3 details, including a valid vector string, with no need to copy and paste!

Animation showing the CVSSv3 calculator populating the base score and vector for a security issue.

IssueLibrary ships with Dradis Pro

Ever wish that the IssueLibrary wasn’t a separate installation and upgrade process from Dradis Pro? Wish no more! IssueLibrary is now bundled with Dradis Pro.

If you haven’t been using IssueLibrary, now is your pain-free opportunity to give it a spin. Cultivate a collection of your finest vulnerability descriptions to reuse across your Dradis Pro projects.

Already have vulnerability descriptions in another format outside of Dradis? Reach out to our support team and they can set you up to easily migrate them into IssueLibrary.

Upgrading from an earlier version of the IssueLibrary?
You must first remove IssueLibrary before applying the DUP by deleting the IssueLibrary line from /opt/dradispro/dradispro/current/Gemfile.plugins.

IssueLibrary API endpoints

The IssueLibrary is the newest API endpoint to be added to Dradis Pro. Use this new endpoint to create, update, retrieve and delete IssueLibrary entries. Check out the IssueLibrary API guide for examples to get started.

Ready to upgrade to v3.2?

Release Notes

  • Use ajax in comments
  • Fix nodes sidebar header margin
  • Add bold font to improve bold text visibilit
  • Fix links display in Textile fields
  • Fix redirection destinations after edit/delete evidence
  • Refactor cache keys in pages with comments
  • Disable turbolinks cache when displaying flash messages
  • Sort attachments in alphabetical ASCII order
  • Fix methodology checklist edit error
  • Add contributors and contributors management
  • Add IssueLibrary to the main app – no manual upgrades!
  • Fix export error caused by whitespace between newlines
  • Fix auto-linking export error for non-latin characters, dashes, and parenthesis
  • Fix multiple permissions added to a project when created via API
  • Add default tags to new project templates
  • Fix the bug that caused project to disappear when an author updates a project
  • Add seeds for the rules engine
  • Fix user count in teams list
  • Add contributor management view hooks for the Teams and Users pages
  • Allow deletion of teams with users
  • Show project Custom Properties in Business Intelligence – Trend Analysis
  • Fix XSS vulnerability when uploading svg attachments
  • Fix XSS vulnerability when evidence were sent to Trash
  • REST/JSON API:
    • New endpoint: IssueLibrary entries
  • Add-on enhancements:
    • CVSS calculator: embed CVSSv3 calculator in Issue page
    • Acunetix: Resolve create_node errors that appeared with URLs wo/ “http”
    • Burp: Make `issue.detail` available at the Evidence level
    • Netsparker: Change alphabetical lists to bullet lists

Not using Dradis Pro on your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features or what our users are saying.

New in Dradis Pro v3.1

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create reports, in a fraction of the time.

For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.

The highlights of Dradis Pro v3.1

  • Added comments, subscriptions and notifications to notes
  • Added comments, subscriptions and notifications to evidence
  • Added comments, subscriptions and notifications to methodology cards
  • Pre-flight tool upload validator
  • Fix default tags creation bug
  • Allow numeric fields to be 0 when validating
  • Fix BI engine load error (hook into model load and not ActiveRecord load)
  • Fix overflow bug when editing report templates (issue sorting tab)
  • Updated how add-ons hook into the main menu
  • Fix error pages
  • Renamed clients to teams in the backend
  • Fix blockcode characters displaying incorrectly
  • Fix red dot still being displayed on the first visit to the page that caused the single unread notification
  • Fix wrong ‘There are no comments’ message
  • Escape HTML in comments
  • Track activities when multiple-creating evidence
  • Fix BI custom project properties
  • Better engine manifest hooks
  • Keep lists and cards order when exporting as XML
  • When errors found validating evidence, report with evidence id
  • Add-on enhancements:
    • Note and evidence comments in export/import in dradis-projects
    • Fix usage of set_property to use set_service in Nexpose plugin
    • Netsparker: Update cleanup_html to format content + add new fields
A quick video summary of what’s new in this release:

Comments for methodology cards, evidence, and notes

Comments, notifications, and subscriptions introduced in Dradis v3.0 have been extended to include methodology cards, notes, and evidence in projects. You can leave a comment tagging another user, subscribe to be notified of comments and receive notifications for cards, notes, evidence, and issues. All comments are included during project import/export with dradis-project.

Checking for empty fields

Dradis will check for empty fields when saving a field required by your template and when validating your project before exporting a report. Catching and correcting these empty fields before generating your report will help prevent the dreaded ambiguous cell mapping Word error.

Pre-flight tool upload validator

While uploading output from a tool into a project, Dradis will check your Plugin Manager configuration against your report template configuration. If your template is configured to require a “Recommendations” field but no #[recommendation]# field is defined in the Plugin Manager for this output file type, Dradis will throw a warning.

Showing the preflight validation

Ready to upgrade to v3.1?

Not using Dradis Pro on your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features or what our users are saying.

New in Dradis Pro v3.0

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.

The highlights of Dradis Pro v3.0

  • Add comments for issues
  • Add notifications for comments
  • Add subscriptions for issues in a project
  • Nest the dradis elements under the project scope
  • Add ‘Send to…’ menu for issues
  • Add better handling of the Services table
  • Use puma for the development and test server
  • Remove resque dependency
  • Improve redirect on Evidence#edit
  • Alphabetically sort ContentBlocks
  • Validate empty fields
  • Fix exporting with bc.. prepended with a newline
  • Fix password reset thor task
  • Fix cookie overflow
  • Fix license redirection
  • Fix missing lists bug
  • Add-on enhancements:
    • Add references and vulnerability_classifications fields in the Burp plugin
    • Fix formatting errors and hostname Node property in the Burp plugin
    • Fix vertical buttons for the CVSS calculator
    • Fix issue sorting in HTML export
    • Split services data in the Metasploit, Nessus, Nmap plugin
    • Update fields template in Nessus plugin
    • Add CVSS fields for the Netsparker plugin
    • Resolve nested duplicate content in Paragraph tags in the Nexpose plugin
    • Better handle finding `id`s in Nikto plugin
    • Smart table header for the IssueLibrary
  • Bugs fixed: #102, #118, #321
The IssueLibrary must be updated after you upgrade! Contact support for the files.
A quick video summary of what’s new in this release:

Comments, notifications, and subscriptions

You can now comment on issues within projects.  You can also tag other members of your team in a comment, or subscribe to a conversation.

If a team member is tagged in a comment or subscribed to a conversation that has received a comment, they will see a notification when they open their project.

One project per tab

You may now have multiple projects open in several tabs of your browser.  You are now able to switch freely between projects and tabs altering their content in any order – a boon for multitaskers!

API endpoints for Content Blocks and Document Properties

For users of our REST API, we have now added endpoints for Content Blocks and Document Properties. Now you may create, update, retrieve, and delete Content Blocks and Document Properties through the API.

Ready to upgrade to v3.0?

Still not using Dradis in your team?

These are some of the benefits you are missing out on:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

That silly moment when a ruby gem doesn’t install

A few days ago I was helping a user to install a custom Dradis plugin.

As you may already know, Dradis plugins are ruby gems and we manage them with bundler.

The final step in the installation process usually looks something like this:

bundle install --without development,test

or

bundle update --without development,test [custom_gem]

But at some point in the installation history, a mix of both commands was run, probably something like:

bundle install --without development,test [custom_gem]

This command is wrong, bundle install does not expect a specific gem as a parameter. So the custom_gem parameter is handled by bundler as one of the groups of gems not to be installed. Bundler notifies us about that:

Gems in the groups developement,test and custom_gem were not installed.

We may notice that warning (or not), and try to execute the command correctly:

bundle install --without development,test

But we will see the same warning about custom_gem not being installed. This is because bundler uses a config file to cache some configuration options, like the –without option. That file probably in the same app folder under:

.bundler/config

If we check its contents, it looks like:

---
BUNDLE_WITHOUT: "developement,test:custom_gem"

Until we delete that file or edit it to remove the custom_gem from it, we may have a hard time installing our gem.

New in Dradis Pro v2.9

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.

The highlights of Dradis Pro v2.9

  • Added bulk view (and multi delete) for a node’s notes and evidences.
  • Added the trash functionality to content blocks
  • Added the Methodology tasks and content blocks to the search
  • Added report content attachments
  • Added validation for block groups with empty names
  • Fixed nested lists in exported reports
  • Fixed the multi-deletion of issues
  • Fixed the ghost nodes issue
  • Fixed the project import and export with missing users
  • Add-on enhancements:
    • Added trend analysis for the Business Intelligence add-on
    • Added node properties to the Acunetix and Qualys plugin
    • Added metric-specific fields to the CVSS calculator
    • Fixed the encoding error for the Burp upload plugin
    • Fixed the export errors for the HTML export plugin
  • Bugs fixed: #173#349, #354

A quick video summary of what’s new in this release:

List View for Notes and Evidences

You can now view the evidences of a node as a list. This comes with the bonus of being able to delete them in bulk!

The same goes for the notes in a node!

Business Intelligence Trend Analysis

With the addition of trend analysis to the Business Intelligence add-on, you can now compare 2 or more projects so you can easily visualize the ongoing trends between them.

Report Content Attachments

Just like attachments for nodes, you can now add attachments for your content blocks!

Ready to upgrade to v2.9?

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.

New in Dradis Pro v2.8

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

For this zippy release, we’ve added a few features and fixed a few bugs to make your reporting life easier.

The highlights of Dradis Pro v2.8

  • Added the content blocks feature
  • Added delete option for document properties
  • Added Excel export through the command line
  • Allow .xlsx and .xlsm templates.
  • Added “Default for template” in Evidence multi-add form.
  • New add-on:
    • Netsparker upload
  • Add-on enhancements:
    • Update Nessus plugin to include CVSSv3 fields
    • Added HTTPS Support for the Mediawiki plugin
    • Added content blocks service in dradis-plugins
  • Bugs fixed: #150#157, #332.

A quick video summary of what’s new in this release:

 

Content Blocks

The new content blocks feature makes adding notes to your report a lot easier. Gone are the days when you have to tediously add a node, add a note to it then set a category, only for you to forget it a few days later.

Document Property Deletion

We’ve added a way for teams to be able to delete unused document properties from their projects. You won’t have to worry about them cluttering your project anymore!

Ready to upgrade to v2.8?

Still not using Dradis in your team?

These are some of the benefits you’re missing out:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.