Releases: GhostManager/Ghostwriter
Ghostwriter v4.3.0-rc1
Summary
This is the release candidate for v4.3.0. The release has been tested and is finalized but includes some bigger changes. We're releasing this as an RC to give people time to review the CHANGELOG and test the release before upgrading. We will tag a final release in a few days.
If anyone reports an issue, we will fix it for the final release.
CHANGELOG
[4.3.0] – 10 Sep 2024
Added
- Added two mutations to the GraphQL API to support uploading new evidence files and report template files (Closes #230)
- Added a new adapter for handling authentication for Single Sign-On (SSO) providers
- The adapter fills in a nearly full profile for any new accounts (full name, email address, username)
- Usernames for new accounts will default to the first half of the email address
- If an existing account has the same email address, the accounts will be linked
- Review the wiki for more information: https://www.ghostwriter.wiki/features/single-sign-on
- Added support for loading customized config files
- These are files you can use to modify settings normally found in /config/settings/base.py and production.py
- Admins can make changes to the custom config files without worrying about the changes needing to be stashed prior to pulling an update
- Review this section of the wiki for information: https://www.ghostwriter.wiki/features/single-sign-on#configuring-an-sso-provider
- Added support for a JSON field type for custom fields
- Added a "Tags" column to the domain and server library tables
Changed
- Updated the `django-allauth` module used for authentication and SSO
- Important: This change impacts anyone currently using SSO with Azure
- The `azure` provider is now `microsoft` and SSO configurations will need to be updated
- Changed the cloud infrastructure monitoring task to also check auxiliary IP addresses when determining if a cloud host is tracked in a project
- Cloud hosts tracked on a project no longer require a unique IP address
- A warning is displayed if a cloud host is tracked on a project with multiple hosts sharing the same IP address
- Changed filtering on tags to be case-insensitive
Fixed
- Fixed spaces disappearing after Microsoft Word cross-references placed at the beginning of a new line or paragraph
Ghostwriter v4.2.5
Summary
This fixes a few minor issues with activity logging.
[4.2.5] - 7 August 2024
Changed
- Changed filtered activity logs to sort by the start date instead of relevancy rank
Fixed
- Fixed activity logs not loading additional entries when scrolling to the bottom of the page
- Fixed an issue that could cause an error when importing an activity log CSV file with one or more individual cells with content exceeding 128KB
Ghostwriter v4.2.4
Summary
This release fixes a bug and changes the code formatting to make it easier to apply additional formatting to your code samples.
CHANGELOG
[4.2.4] - 29 July 2024
Changed
- Changed the "Inline Code" formatting to work for blocks of text in the WYSIWYG editor (Closes #337)
- You can now use the "Inline Code" formatting to apply code styling to a block of text in the WYSIWYG editor
- This change allows you to apply the code style to multiple lines of text without needing to use the TinyMCE "Code Sample" blocks
- When Ghostwriter detects an entire line or multiple lines of text are formatted as "Inline Code," it will format them as a code block in the report template
- This change allows for additional formatting options, like highlighting or bolding text within the code block
- The "Code Sample" button is still present in the WYSIWYG editor if you prefer to use that for code blocks
Fixed
- Fixed an error with template linting when the template did not have a `CodeInline` or `CodeBlock` style (Fixes #486)
Ghostwriter v4.2.3
Summary
This release includes some minor bug fixes and a few community contributions and requests.
CHANGELOG
[4.2.3] - 24 July 2024
Added
- Added support for internal hyperlinks in the WYSIWYG editor (Closes #465; thanks to @domwhewell-sage)
- You can now create internal links to headings: when you insert a hyperlink, enter `#` to start your hyperlink URL, and select a heading
- Internal links will be converted to cross-references in the report template
Changed
- Applied `ListParagraph` to the lists in Word reports to ensure proper paragraph styling (PR #482; thanks to @smcgu)
- The autocomplete list for keywords in reports now includes entries for `{{.ref <Evidence File Name>}}` for evidence references alongside the evidence file (e.g., `{{.<Evidence File Name>}}`) (Closes #479)
- Custom fields for observations and findings now support autocomplete and have the "Upload Evidence" button (Closes #485)
Fixed
- Fixed an issue that could prevent reports from being generated if a related cloud server was missing a hostname (PR #481)
Ghostwriter v4.2.2
Summary
This is a minor release that addresses some bugs reported by the community.
CHANGELOG
[v4.2.2] - 3 July 2024
Added
- Added a check to the template linter to ensure the `CodeInline` and `CodeBlock` styles have the correct style type (PR #474)
Changed
- Gave every optional field in the database a default value (a blank string) to help prevent errors when creating new entries via the GraphQL API (PR #469)
Fixed
- Fixed extra fields on findings not being processed for report generation (PR #467)
- Fixed project fields being processed twice when generating a report (PR #468)
- Fixed syntax errors that weren't being caught properly and returning generic failure messages (PR #470)
- Fixed observation tags missing from the linting data (PR #471)
- Fixed uploading evidence and autocomplete on observations (PR #472)
- Fixed a server error that could occur when using the `checkoutServer` and `checkoutDomain` mutations in the GraphQL API and providing a null value for the `note` field (PR #475)
- Fixed the "My Active Projects" sidebar dropdown not showing the correct message if all projects are marked as complete (PR #475)
Ghostwriter v4.2.1
Summary
This release includes some bug fixes and enhancements following feedback from the v4.2.0 release.
CHANGELOG
[v4.2.1] - 20 June 2024
Changed
- Increased the filename character limit to 255 characters for evidence filenames
- This aligns with the maximum filename length for most filesystems
- Filenames displayed in the interface are now truncated if they are longer than 50 characters
- The full filenames can be viewed by hovering over the filename when viewing the evidence file's details
- Changed report export errors to help further narrow down the cause of Jinja2 syntax errors
- Activity log imports now make naive timestamps timezone-aware (Closes #433 & #434)
- If the import does not specify a timezone (e.g., +00:00 for UTC), the server's timezone will be used
- When coming from an activity log to import entries, the log you came from will now be selected by default
- A domain's current availability status is no longer only visible under the Health tab
Fixed
Ghostwriter v4.2.0
Summary
This release introduces project document generation and numerous reporting enhancements.
CHANGELOG
[v4.2.0] - 10 June 2024
Added
- Added a third template document type, Project DOCX, for project document templates
- These templates are separate from other DOCX templates because they will have access to different context data
- Project templates will have access to project data
- Report templates will have access to project and report data
- Added the ability to generate project documents to the project dashboard
- This new feature uses the new project docx templates and existing pptx templates
- Added support for templating document properties with Jinja2 in the report templates
- You can now use Jinja2 expressions to template document properties like the title, author, and company name
- Edit these properties inside the Word application under File » Properties, save the document, and re-upload your template
- Thank you, @domwhewell, for the original submission (Closes #397)
- Added template linting checks for the Heading 1-7 styles
- These styles should always be present in a Word document but may be unidentifiable if styles.xml is corrupted
- Added support for using Jinja2 in the report filename template configured under the Global Report Configuration inside the admin panel
- You can now use Jinja2 expressions to template the report filename (e.g., `{{client.name}}` or `{{now|format_datetime("Y-m-d")}}`)
- The filename template is used when downloading a generated report
- Added options for importing and exporting observations
- Added support for Jinja2-style loops inside the WYSIWYG editor
- You can now use Jinja2 loops to create lists, table rows, and new paragraphs
- Use `li`, `tr`, and `p` tags with the loops, e.g., `{%li for item in items %}...{%li endfor %}`
- Added Jinja2 validation checks to the WYSIWYG editor to check if user-submitted content is valid Jinja2 code
- Added filename overrides for report templates
- You can now set a custom filename for a report template that will override the global default filename
- The filename supports Jinja2 templating, like the global report filename
- Added support for referencing custom fields inside other custom fields in the WYSIWYG editor
- e.g., you can now reference another custom field or a pre-formatted value like `finding.severity_rt` inside a custom field
- Added `croniter` to the Docker builds to support scheduling background tasks with Cron syntax
Changed
- The Reports tab on the project dashboard has been renamed to Reporting to better reflect the new project document templates
- Exports now include an `extra_fields` column for any user-defined extra fields associated with the exported data
- Slack messages for cloud assets now include the asset's current state (e.g., Running, Stopped, etc.) (Closes #417)
- The activity log filter now searches all log entries for the log, not just the entries on the current page
- Log entries will continue to update in real time as new entries are added
- Only the entries that match the filter will appear until the filter is changed or cleared
- Set a default value of `{}` for extra fields to avoid errors when creating new entries via the GraphQL API with empty extra fields
- Modified error handling for report generation to provide more detailed error messages when a report fails to generate (e.g., which finding or field caused the error)
- Changed nullable database fields to no longer be nullable to prevent errors when creating new entries via the GraphQL API
- Removed the spaces before and after the figure and table prefixes to allow for flexibility (Closes #446)
- If spaces before or after the prefix are desired, they can be added when setting the value in the report configuration
- Current values should be updated to add spaces (if desired) – e.g., change "–" to " – "
- Thanks to @smcgu for the original pull request!
Fixed
- Fixed an error that could occur when editing a finding with no editor assigned
- Fixed blank findings added to a report not having user-defined fields
- Removed the "Upload Evidence" button from report custom fields as it was not functional
- It will be functional in a future release
- Fixed an issue with generating reports when an attached finding had a null field
- Fixed an issue with cross-references not working when special characters were present in the reference name (Fixes #444)
- Fixed issue with report generation when adjusting font sizes in the WYSIWYG editor
Ghostwriter v4.1.0
Summary
This release includes significant changes to Ghostwriter and several new features.
CHANGELOG
[4.1] - 3 April 2024
Added
- Added support for creating custom fields for findings, domains, servers, projects, clients, and activity log entries
- Custom field types include text, integer, float, boolean, and formatted text
- Custom fields can be added, edited, and deleted via the admin panel
- Formatted text fields use the WYSIWYG editor for formatting
- Formatting carries over to report templates like formatted text in findings
- Custom fields are available in the report template context
- Learn more: https://ghostwriter.wiki/
- Added support for using Jinja2 and report context data inside formatted text fields
- You can reference `{{ client.name }}` to insert the client's name into a formatted text field
- You can also use Jinja2 filters and functions to manipulate the data (e.g., `{{ client.name|upper }}` to make the client's name uppercase)
- Added the ability to preview formatted text fields in the interface
- Formatted text fields can be previewed with the new "Preview" button that appears next to them in the interface
- Any evidence referenced in the formatted text field will also be displayed in the preview (rather than just the reference text)
- Jinja2 statements and expressions will appear as text in the preview as these must be evaluated in the report template
- Added support for tables in the WYSIWYG editor (Closes #355)
- Tables use the Table Grid style in the Microsoft Word templates
- Thank you for the contribution, @domwhewell!
- Added support for inserting page breaks in the WYSIWYG editor
- Page breaks carry over to the Microsoft Word templates
- Added an option to "sanitize" activity logs as an alternative to deleting them to remove sensitive information
- Sanitizing an activity log will remove selected data from all log entries in the log
- Added a new library for "observations"
- These observations are similar to findings but much simpler
- The base model includes a title, description, and tags and can be used to track positive observations for a project
- The model is also highly customizable with support for custom fields (see the first item)
- Added user permissions to control who can create, edit, and delete observations in the library
- Added support for footer information (e.g., date, footer text, and slide numbers) in the PowerPoint report templates
- The footer information is set in your slide deck templates
- Added a configuration option for the target report delivery date
- The target date is configured as a number of business days from the project's end date
- Added a report configuration option to enforce title case for captions
- If enabled, this option will enforce title case for all evidence captions in a report
- An accompanying exclusion list allows you to specify words (e.g., articles) that should not be title cased
- Added a `getExtraFieldSpec` query to the GraphQL API that returns the extra field specification for a model
- This query is useful for extensions that need to know the extra fields available for a model
- Added a note to the WYSIWYG editor to call out that it is possible to access a browser's context menu by using CTRL+right-click
- Added a new `hostname` configuration option to the General Settings in the admin panel
- This option allows you to set the hostname for the Ghostwriter server
- The hostname is used to generate links in Slack notifications and other places where a link to the server is needed
Changed
- The WYSIWYG editor's toolbar and context menu have been updated to support the new table and page break features and make it easier to apply styles
- Project and report dashboards were redesigned to improve the layout and support the new custom fields
- Report dashboards now display the global report configuration for easier reference
- Added tags to the lists of findings, domains, and servers
- Uploaded evidence files can now be linked to a report rather than a finding
- This change allows evidence files to be used in multiple findings, and the new custom formatted text fields
- When viewing an evidence file, the file contents are now displayed in the interface as they will appear in the report
- This change allows you to preview the evidence file's contents with your border and caption before adding it to a report
- Border width + color and figure label come from the global report configuration in the admin panel
- PowerPoint slide decks now include "Assessment Timeline" and "Observations" slides
- The "Assessment Timeline" slide includes a table pre-populated with the project's start date, end date, and target report delivery date
- The "Observations" slide(s) are similar to the findings slides but for the new observations
- Reworked the reporting engine to reduce complexity and pave the way for future enhancements
- This is mentioned here primarily for developers and integrators who may be working with the reporting engine
- Clicking the toast notification after adding a finding to a report will now take you to the report's findings tab
- Default values for extra fields are now set when creating a new entry with empty extra fields
- Default values now appear in the edit forms for the entries
- The default value must be set before creating the entry for it to appear in the form or be set as the default value
- Updated the pre-built Ghostwriter CLI binaries to v0.2.19
Deprecated
- The old "dot" variables used in findings (e.g., `{{.project_start}}` or `{{.client}}`) are no longer necessary and will be removed in a future release
- The "dot" variables inserted some data previously unavailable while writing a finding inside Ghostwriter
- The new support for Jinja2 composition inside the WYSIWYG editor makes these old "dot" variables redundant
- The "dot" variables will still work in this release but are no longer referenced in the documentation
- This deprecation does not include `{{.ref }}` or `{{.caption }}`, which will continue to be used for captioning and creating cross-references
Ghostwriter v4.1.0-rc2
Summary
This release includes some enhancements and bug fixes from v4.1.0-rc1.
CHANGELOG
[4.1-rc2] - 15 March 2024
Added
- Added a `getExtraFieldSpec` query to the GraphQL API that returns the extra field specification for a model
- This query is useful for extensions that need to know the extra fields available for a model
- Added a note to the WYSIWYG editor to call out that it is possible to access a browser's context menu by using CTRL+right-click
- Added a new `hostname` configuration option to the General Settings in the admin panel
- This option allows you to set the hostname for the Ghostwriter server
- The hostname is used to generate links in Slack notifications and other places where a link to the server is needed
Changed
- Default values for extra fields are now set when creating a new entry with empty extra fields
- Default values now appear in the edit forms for the entries
- The default value must be set before creating the entry for it to appear in the form or be set as the default value
Ghostwriter v4.1.0-rc1
Summary
This is a release candidate for Ghostwriter v4.1.0. This version introduces numerous significant changes to Ghostwriter. Deploying this for production use is not recommended at this time. We are providing this release for testing and feedback. Please read about the changes below and provide feedback to help us make this a great release!
We will update the Ghostwriter Wiki with documentation for these new features soon. We will publish the documentation when we are close to a final release to avoid any confusion. For now, please direct questions to the team in the #ghostwriter channel in our Slack Workspace (linked on the main README).
CHANGELOG
[4.1.0-rc1] - 22 February 2024
Added
- Added support for creating custom fields for findings, domains, servers, projects, clients, and activity log entries
- Custom field types include text, integer, float, boolean, and formatted text
- Custom fields can be added, edited, and deleted via the admin panel
- Formatted text fields use the WYSIWYG editor for formatting
- Formatting carries over to report templates like formatted text in findings
- Custom fields are available in the report template context
- Added support for using Jinja2 and report context data inside formatted text fields
- You can reference `{{ client.name }}` to insert the client's name into a formatted text field
- You can also use Jinja2 filters and functions to manipulate the data (e.g., `{{ client.name|upper }}` to make the client's name uppercase)
- Added the ability to preview formatted text fields in the interface
- Formatted text fields can be previewed with the new "Preview" button that appears next to them in the interface
- Any evidence referenced in the formatted text field will also be displayed in the preview (rather than just the reference text)
- Jinja2 statements and expressions will appear as text in the preview as these must be evaluated in the report template
- Added support for tables in the WYSIWYG editor (Closes #355)
- Tables use the Table Grid style in the Microsoft Word templates
- Thank you for the contribution, @domwhewell!
- Added support for inserting page breaks in the WYSIWYG editor
- Page breaks carry over to the Microsoft Word templates
- Added an option to "sanitize" activity logs as an alternative to deleting them to remove sensitive information
- Sanitizing an activity log will remove selected data from all log entries in the log
- Added a new library for "observations"
- These observations are similar to findings but much simpler
- The base model includes a title, description, and tags and can be used to track positive observations for a project
- The model is also highly customizable with support for custom fields (see the first item)
- Added user permissions to control who can create, edit, and delete observations in the library
- Added support for footer information (e.g., date, footer text, and slide numbers) in the PowerPoint report templates
- The footer information is set in your slide deck templates
- Added a configuration option for the target report delivery date
- The target date is configured as a number of business days from the project's end date
- Added a report configuration option to enforce title case for captions
- If enabled, this option will enforce title case for all evidence captions in a report
- An accompanying exclusion list allows you to specify words (e.g., articles) that should not be title cased
Changed
- The WYSIWYG editor's toolbar and context menu have been updated to support the new table and page break features and make it easier to apply styles
- Project and report dashboards were redesigned to improve the layout and support the new custom fields
- Report dashboards now display the global report configuration for easier reference
- Added tags to the lists of findings, domains, and servers
- Uploaded evidence files can now be linked to a report rather than a finding
- This change allows evidence files to be used in multiple findings, and the new custom formatted text fields
- When viewing an evidence file, the file contents are now displayed in the interface as they will appear in the report
- This change allows you to preview the evidence file's contents with your border and caption before adding it to a report
- Border width + color and figure label come from the global report configuration in the admin panel
- PowerPoint slide decks now include "Assessment Timeline" and "Observations" slides
- The "Assessment Timeline" slide includes a table pre-populated with the project's start date, end date, and target report delivery date
- The "Observations" slide(s) are similar to the findings slides but for the new observations
- Reworked the reporting engine to reduce complexity and pave the way for future enhancements
- This is mentioned here primarily for developers and integrators who may be working with the reporting engine
Deprecated
- The old "dot" variables used in findings (e.g., `{{.project_start}}` or `{{.client}}`) are no longer necessary and will be removed in a future release
- The "dot" variables inserted some data previously unavailable while writing a finding inside Ghostwriter
- The new support for Jinja2 composition inside the WYSIWYG editor makes these old "dot" variables redundant
- The "dot" variables will still work in this release but are no longer referenced in the documentation
- This deprecation does not include `{{.ref }}` or `{{.caption }}`, which will continue to be used for captioning and creating cross-references