
Releases: cisagov/assessment-reporting-engine

RE 2.0.5

05 Dec 18:20
b96ce1d

Reporting Engine v2.0.5

This release of Reporting Engine (RE) 2.0 builds on 2.0.4 and includes the new features, fixes, and improvements outlined below. See README for full instructions.

New Features

  • Initial Remote Penetration Test implementation including the following features:
    • Assessment Details to track stakeholder and assessor information
    • Findings to track details about vulnerabilities, misconfigurations, and other findings of note during an assessment
    • Phishing services to track metrics pertaining to payload testing
    • Other services to track OSINF and port mapping metrics
    • Narratives to track attack path details and step-by-step walkthroughs
    • KEV Catalog to track identified Known Exploited Vulnerabilities and map them to findings
    • Risk Scoring placeholder to generate a score for comparing risk over time and between stakeholders based on custom methodology
    • Activity Tracker to track high-level assessment activity and infrastructure details for stakeholder awareness
    • Report screen for previewing/finalizing the assessment report
    • Export screen for exporting various artifacts and deliverables related to the assessment

Improvements and Updates

  • Instances of Vulnerability Evaluation have been changed to Penetration Testing Capabilities
  • Out-Brief slides for RVA and FAST now include the narrative steps (one slide per step)
  • Bumped Pillow dependency to v10.0.1 due to vulnerabilities in previous versions
  • Changed EI JSON output to use helpful descriptors instead of numbers
  • Updated README to reflect correct Node/NPM requirements
  • Updated Payload Parser dependencies
  • Updated KEV Catalog
  • Implemented number type form fields to restrict data entry to numbers for certain fields
  • Added two new findings: Non-Essential Use of Elevated Accounts and Spam Filtering Weakness
  • Updated various finding descriptions

Fixes

  • Mailto hyperlink for vulnerability_info has been fixed (it previously pointed to the vulnerability alias)
  • Export All function now exports only the artifacts relevant to the assessment type
  • Offline restore function in ptp.py has been fixed
  • Date fields have been converted to naive form fields to eliminate issues when changing timezones
  • MITRE sub-techniques now appear on the attack path creation screen (previously only appeared on the edit screen)

RE 2.0.4

02 Oct 16:03
d600205

Reporting Engine v2.0.4

This is the initial release of Reporting Engine (RE) 2.0 and includes the features outlined below. Assessment types not described below are not currently supported and will not work correctly until implementation in future releases. See README for full instructions.

  • Initial Risk and Vulnerability Assessment (RVA) implementation including the following features:
    • Assessment Details to track stakeholder and assessor information
    • Findings to track details about vulnerabilities, misconfigurations, and other findings of note during an assessment
    • Phishing services to track metrics pertaining to payload testing and phishing campaigns
    • Other services to track data exfiltration, ransomware, and port mapping metrics
    • Narratives to track attack path details and step-by-step walkthroughs
    • KEV Catalog to track identified Known Exploited Vulnerabilities and map them to findings
    • Risk Scoring placeholder to generate a score for comparing risk over time and between stakeholders based on custom methodology
    • Activity Tracker to track high-level assessment activity and infrastructure details for stakeholder awareness
    • Election Infrastructure to track information pertaining to election systems and their findings
    • Report screen for previewing/finalizing the assessment report
    • Export screen for exporting various artifacts and deliverables related to the assessment
  • Initial Federal Attack Surface Testing (FAST) implementation including the following features:
    • Assessment Details to track stakeholder and assessor information
    • Findings to track details about vulnerabilities, misconfigurations, and other findings of note during an assessment
    • Phishing services to track metrics pertaining to phishing campaigns
    • Port Mapping services to report open ports on public-facing systems
    • Narratives to track attack path details and step-by-step walkthroughs
    • KEV Catalog to track identified Known Exploited Vulnerabilities and map them to findings
    • Activity Tracker to track high-level assessment activity and infrastructure details for stakeholder awareness
    • Report screen for previewing/finalizing the assessment report
    • Export screen for exporting various artifacts and deliverables related to the assessment