Releases: infobyte/faraday

v3.14.3

31 Mar 05:16
58906c9

3.14.3 [Mar 30th, 2021]:

  • MOD MAJOR Breaking change: Use frontend from other repository
  • ADD last_run to executors and agents
  • ADD ignore info vulns option (from faraday-plugins 1.4.3)
  • ADD invalid logins are registered in audit.log
  • ADD agent registration tokens are now 6-digit short and automatically regenerated every 30 seconds
  • MOD Fix logout redirect loop
  • REMOVE support for native SSL

v3.14.2

26 Feb 17:42
41e6f05

3.14.2 [Feb 26th, 2021]:

  • ADD New plugins:
    • microsoft baseline security analyzer
    • nextnet
    • openscap
  • FIX old versions of Nessus plugins bugs

v3.14.1

18 Feb 16:35
a23cd8e

3.14.1 [Feb 17th, 2021]:

  • ADD forgot password
  • ADD update services by bulk_create
  • ADD FARADAY_DISABLE_LOGS variable to disable logs to filesystem
  • ADD security logs in audit.log file
  • UPD security dependency Flask-Security-Too v3.4.4
  • MOD rename total_rows field in filter host response
  • MOD improved Export CSV performance by reducing the number of queries
  • MOD sanitize the content of vulns' request and response
  • MOD don't strip new line in description when exporting CSV
  • MOD improved threads management on exception
  • MOD improved performance on vulnerability filter
  • MOD improved API documentation
  • FIX upload a report with invalid custom fields
  • ADD beta v3 API, which includes:
    • All endpoints end without /
    • PATCH {model}/id endpoints
    • Bulk update via PATCH {model} endpoints
    • Bulk delete via DELETE {model} endpoints
    • Endpoints removed:
      • /v2/ws/<workspace_id>/activate/
      • /v2/ws/<workspace_id>/change_readonly/
      • /v2/ws/<workspace_id>/deactivate/
      • /v2/ws/<workspace_name>/hosts/bulk_delete/
      • /v2/ws/<workspace_name>/vulns/bulk_delete/
    • Endpoints updated:
      • /v2/ws/<workspace_name>/vulns/<int:vuln_id>/attachments/ =>
        /v3/ws/<workspace_name>/vulns/<int:vuln_id>/attachment

Release 3.14.0

24 Dec 04:02
1acab57
  • ADD RESTless filter to multiple views, improving searches
  • ADD "extras" modal in options menu, linking to other Faraday resources
  • ADD import vulnerability templates command to faraday-manage
  • ADD generate nginx config command to faraday-manage
  • ADD vulnerabilities severities count to host
  • ADD Active Agent columns to workspace
  • ADD critical vulns count to workspace
  • ADD Remember me login option
  • ADD distinguish host flag
  • ADD a create_date field to comments
  • FIX to use new webargs version
  • FIX Custom Fields view in KB (Vulnerability Templates)
  • FIX bug on filter endpoint for vulnerabilities with offset and limit parameters
  • FIX bug raising 403 Forbidden HTTP error when the first workspace was not active
  • FIX bug when changing the token expiration change
  • FIX bug in Custom Fields type Choice when choice name is too long.
  • FIX Vulnerability Filter endpoint Performance improvement using joinedload. Removed several nplusone uses
  • MOD Updating the template.ini for new installations
  • MOD Improve SMTP configuration
  • MOD The agent now indicates how much time it had run (faraday-agent-dispatcher v1.4.0)
  • MOD Type "Vulnerability Web" cannot have "Host" type as a parent when creating data in bulk
  • MOD Expiration default time from 1 month to 12 hours
  • MOD Improve data reference when uploading a new report
  • MOD Refactor Knowledge Base's bulk create to also take multiple creation from vulns in status report.
  • MOD All HTTP OPTIONS endpoints are now public
  • MOD Change documentation and what's new links in about
  • REMOVE Flask static endpoint
  • REMOVE of our custom logger

Release v3.12

03 Sep 23:13
246c55d
  • Now agents can upload data to multiple workspaces
  • Add agent and executor data to Activity Feed
  • Add session timeout configuration to server.ini configuration file
  • Add hostnames to already existing hosts when importing a report
  • Add new faraday background image
  • Display an error when uploading an invalid report
  • Use minimized JS libraries to improve page load time
  • Fix aspect ratio distortion in evidence tab of vulnerability preview
  • Fix broken Knowledge Base upload modal
  • Fix closing of websocket connections when communicating with Agents
  • Change Custom Fields names in exported CSV to make columns compatible with
    faraday_csv plugin
  • Fix import CSV for vuln template: some values were overwritten with default values.
  • Catch errors in faraday-manage commands when the connection string is not
    specified in the server.ini file
  • Fix bug that generated a session when using Token authentication
  • Fix bug that sent a request to the API when an invalid filter is used
  • Cleanup old sessions when a user logs in
  • Remove unmaintained Flask-Restless dependency
  • Remove pbkdf2_sha1 and plain password schemes. We only support bcrypt

Release v3.11.1

04 Jun 19:38
  • Fix missing shodan icon and invalid link in dashboard and hosts list
  • Upgrade marshmallow, webargs, werkzeug and flask-login dependencies to
    latest versions in order to make packaging for distros easier

Release v3.11

21 Apr 19:27
  • Move GTK client to another repository to improve release times.
  • Fix formula injection vulnerability when exporting vulnerability data to CSV. This was considered a low impact vulnerability.
  • Remove "--ssl" parameter. Read SSL information from the config file.
  • Add OpenAPI autogenerated documentation support
  • Show agent information in command history
  • Add bulk delete endpoint for hosts API
  • Add column with information to track agent execution data
  • Add tool attribute to vulnerability to avoid incorrectly showing "Web UI" as creator tool
  • Add sorting by target in credentials view
  • Add creator information when uploading reports or using the bulk create API
  • Add feature to disable rules in the searcher
  • Add API endpoint to export Faraday data to Metasploit XML format
  • Use run date instead of creation date when plugins report specifies it
  • Improve knowledge base UX
  • Improve workspace table and status report table UX.
  • Improve format of exported CSV to include more fields
  • Sort results in count API endpoint
  • Limit description width in knowledge base
  • Change log date format to ISO 8601
  • Fix parsing server port config in server.ini
  • Fix bug when _rev was sent to the hosts API
  • Send JSON response when you get a 500 or 404 error
  • Fix bug parsing invalid data in NullToBlankString

Changes in plugins (only available through Web UI, not in GTK client yet):

New plugins:

  • Checkmarx
  • Faraday_csv (output of exported Faraday csv)
  • Qualyswebapp
  • Whitesource

Updated plugins:

  • Acunetix
  • AppScan
  • Arachni
  • Nessus
  • Netsparker
  • Netsparker cloud
  • Nexpose
  • Openvas
  • QualysGuard
  • Retina
  • W3af
  • WPScan
  • Webinspect
  • Zap

Release v3.10.2

30 Jan 21:19
  • Fix Cross-Site Request Forgery (CSRF) vulnerability in all JSON API endpoints. This was caused because a third-party library doesn't implement proper Content-Type header validation. To mitigate the vulnerability, we set the session cookie to have the SameSite: Lax property.
  • Fix Faraday Server logs were always in debug
  • Add update date column when exporting vulnerabilities to CSV
  • Fix unicode error when exporting vulnerabilities to CSV

Release v3.10.1

30 Jan 21:17
  • Fix installation with pip install --no-binary :all: faradaysec
  • Force usage of webargs 5 (webargs 6 broke backwards compatibility)
  • Use latest version of faraday-plugins
  • Fix broken "Faraday Plugin" menu entry in the GTK client
  • Extract export csv to reuse for reports

Release v3.10.0

19 Dec 14:43
  • Use Python 3 instead of Python 2 in the Faraday Server
  • Add ability to manage agents with multiple executors
  • Agents can be run with custom arguments
  • Improved processing of uploaded reports. Now it is much faster!
  • Add custom fields of type choice
  • Fix vuln status transition in bulk create API (mark closed vulns as re-opened when they are triggered again)
  • Fix bug when using non-existent workspaces in Faraday GTK Client
  • Set service name as required in the Web UI
  • Validate the start date of a workspace is not greater than the end date
  • Fix command API when the year is invalid
  • When SSL misconfigurations cause WebSockets to fail, it doesn't block the server from starting
  • Check for invalid service port number in the Web UI
  • Fix dashboard tooltips for vulnerability
  • Fix bug when GTK client lost connection to the server
  • Fix style issues in "Hosts by Service" modal of the dashboard
  • Add API for bulk delete of vulnerabilities
  • Add missing vuln attributes to exported CSV
  • faraday-manage support now displays the Operating System version
  • Notify when faraday-manage can't run because of PostgreSQL HBA config error