Release notes for 2024

v24.25.1 — 2025-01-30

Server part

Bug fixes

  • Fixed an issue due to which users with the “User” and “Administrator” roles could not delete reports.

v24.25 — 2024-12-31

Dashboard

Bug fixes

  • Fixed an issue due to which the super administrator could not add a target if a target with the same address already existed in another organization.
  • For super administrators, the button to repeat scans related to other organizations has been removed.

Server part

Added

  • The zh_CN value has been added to the enumerated locale parameter in the body of the POST /api/scans/reports request.
  • Added the within_tenant query parameter to the POST /api/targets/wizard/exist request. Now the super administrator can see both local targets and targets of all organizations.
  • Added a scan report service that can create, provide, and synchronize reports.
  • API requests responsible for interacting with reports have been added to the API request group responsible for working with scans.

Bug fixes

  • Fixed an issue due to which endpoints were not displayed when resources were unavailable.

SolidPoint CLI (command line interface)

Added

  • Added support for new resources, endpoints, and vulnerabilities.

Scan modules

Bug fixes

  • For the SQL injection scanner, fixed an issue due to which the report specified an incorrect CWE identifier.

v24.24 — 2024-12-17

Dashboard

Added

  • Added a pop-up notification that is displayed when a request to generate a PDF report is sent.
  • Added a confirmation window for deleting a generated PDF report.
  • For super administrators, added email address validation when editing it in the user profile.
  • Added “Data Flows” and “Additional Info” sections to the PDF reports.

Bug fixes

  • Fixed the display of numbers along the vertical axis in the severity trend graph. Fractional values are no longer displayed when a small number of vulnerabilities are detected.
  • Fixed alignment of modal confirmation window headers for group operations in Russian-language interfaces.
  • For super administrators, fixed interface behavior when running scans for targets related to other organizations.

Server part

Added

  • Added support for dirbusting.
  • Updated the description of API logic.

Changes

  • Now the GET /api/severity-trend request returns null instead of “empty” objects if there is no trend data.
  • The server side now uses the 202 response code for ambiguous user actions, such as trying to pause an already stopped scan.

Scanner fuchsiad

Bug fixes

  • The fuchsiactl console client now supports parameter file transfers (specified using the --file option) over 4 MiB.

Scan modules

Changes

  • For the SSTI scanner, measuring the average response time now stops only if a timeout occurs on the first iteration; otherwise, the number of remaining trial requests is decremented.

Bug fixes

  • For the file upload vulnerability scanner, false positives related to attack vectors that are validated by checking the response time from the server have been eliminated.

Client-side JavaScript code analysis module

Added

  • Added support for modeling the operation of some JavaScript functions to increase analysis coverage.

Bug fixes

  • The stability of the module has been improved.

v24.23 — 2024-12-03

Dashboard

Added

  • A graph showing severity trend for the last calendar month has been added to the Overview page.

Changes

  • In authentication and registration forms, the format of the email address is now validated when focus is taken off the input field.

Bug fixes

  • Fixed format validation when changing the email address in the user profile.
  • Fixed an issue due to which the existence of a target was incorrectly determined when creating a target or scan. Now the existence of such targets is checked as soon as the address is typed.

Server part

Added

  • Added additional logging for database migrations.
  • Added logic for creating scans with pre-prepared data based on the methods of discovering endpoints.
  • Added support for repeating scans when sending the scanIDs parameter in the body of a POST /api/scans/new HTTP request.

Changes

  • Users with the “analyst” role can now generate reports for scans.

Bug fixes

  • Fixed an issue due to which users with the “readOnly” and “analyst” roles could not end the session.
  • Fixed behavior that broke the sequence of processes during database migration. Now migrations take place first, then the database connection is made, and after that the HTTP server is launched.

Client-side JavaScript code analysis module

Bug fixes

  • The stability of the module has been improved.

v24.22 — 2024-11-19

Dashboard

Added

  • Users with the super administrator role now can see which organization the targets and scans belong to.

Changes

  • Improved visual display of pinned cells in tables with lists of data.

Bug fixes

  • Fixed authentication form behavior which caused the error status of improperly filled fields to be handled incorrectly.
  • Added a case check when filling in the hostname in the target authentication data.

Server part

Added

  • Added a GET /api/scans/{id}/status request, which returns the scan status.

Changes

  • Resources, endpoints and their tags are now stored separately.

Scanner fuchsiad

Added

  • Added the ability to set deduplication rules of endpoints and pages by regular expressions of their URLs for the entire scan.

Changes

  • Task pausing has been improved.
  • The HTTP client now saves and sends cookies on redirects when updating authentication data.

Bug fixes

  • Fixed incorrect operation of the --proxy flag for the fuchsiactl client.

Scan modules

Added

  • Added a check for the ability to upload an HTML page for the file upload vulnerability scanner.

Bug fixes

  • The attack vector is now correctly specified in the HAR files generated by the SSTI scanner.
  • A false empty response log is no longer recorded for the SSTI scanner.
  • Fixed an issue in the SQL injection scanner due to which temporary files generated during the scan were not deleted when the scan was interrupted.

Client-side JavaScript code analysis module

Bug fixes

  • The stability of the module has been improved.

v24.21 — 2024-11-01

Dashboard

Added

  • Added display of scans in the “Paused” status.

Bug fixes

  • Fixed browser navigation in the “Scanning vulnerabilities” section.

Server part

Added

  • Added tracking of the overall synchronization process in the scan synchronization service status logs.
  • Added an option to disable the scanner.
  • Added a way to authenticate the scanned application via local storage.
  • Added support for pausing and resuming scans.

Changes

  • The threshold time for loading a page has been increased to 60 seconds.
  • The method of connecting to a scanning node has been updated. The connection to a scanning node instance is now checked before selecting it for the next scan.

Scanner fuchsiad

Added

  • Added SQL injection and SSTI scanners to the standard set of modules.

Changes

  • Dirbusting is now enabled by default.

Scan modules

Added

  • Added the ability to set the number of timeouts using the -timeoutsToStop flag for the file upload vulnerability scanner. If the specified number is reached, the module will terminate. If the flag is set to zero, the module will not stop working if the number of timeouts is exceeded.
  • Added the ability to find the average server response time during blind tests for the SSTI scanner.

Bug fixes

  • Corrected the payload substitution algorithm for parameters with the same name for the XXE injection scanner.

Client-side JavaScript code analysis module

Changes

  • Improved the mechanism for detecting fetch function calls to increase analysis coverage.

Distribution for Docker Compose

Added

  • Added generation of full scan reports in PDF format.

v24.20.1 — 2024-11-01

Server part

Bug fixes

  • Fixed an issue where requesting a list of reports resulted in an emergency shutdown of the server side if it was impossible to connect to the report generator.

v24.20 — 2024-10-22

Dashboard

Added

  • Added generation of full scan reports in PDF format.
  • A diagram with the number of vulnerabilities and their levels for all scans available for the user to view has been added to the Overview page.

Changes

  • Now, when an error occurs in the Create Scan wizard and the Create and Edit Target wizard, the step at which it occurred is highlighted and you are redirected to the first error that occurred, if necessary.

Bug fixes

  • Fixed the behavior of the Create and Edit Target wizard when an uploaded API specification file exceeds the maximum size allowed by the server settings.

Server part

Changes

  • The audit log now keeps a record of user activation.

Bug fixes

  • Fixed an issue where the URL of the target was stored and displayed in encoded form.
  • Fixed the behavior where the scan request returned an error when the selected scan node was unavailable.

Scanner fuchsiad

Added

  • Added a file upload vulnerability scanner to the standard set of modules.

SolidPoint CLI (command line interface)

Changes

  • The scan status display now corresponds to the view in the dashboard.

v24.19 — 2024-10-08

Dashboard

Added

  • Added a diagram with the number of vulnerabilities and their levels to the scan details page.
  • Information about the user's organization and position is now displayed in the user's data.

Changes

  • If the uploaded specification or certificate file exceeds the allowed size, the correct error description is now displayed.
  • Editing of the user data has been moved to the modal window.

Bug fixes

  • Fixed the field style after the Firefox browser autocomplete.
  • Fixed an issue where an outdated DOM-based cross-site scripting scanning module was incorrectly displayed for scans.
  • Fixed an issue where API specifications and certificates ranging in size from 800 kB to 5 MB could not be downloaded during the creation of the target.

Server part

Bug fixes

  • Fixed an issue where the server part interacted incorrectly with a variety of unique scan IDs for different modules.
  • Fixed an API issue which made it impossible to change a user's tenant, as well as a syntax error in the scanEndpointIDs parameter in the API specification.

Scanner fuchsiad

Changes

  • CVSS vulnerability estimates were recalculated for the dynamic page analysis module, and criticality was reduced to the “low” level in reports on found data flows in “DOM XSS” and “CSPP” modes.
  • The selector for the SQL injection detection module is now generated according to the new report format.

Bug fixes

  • Controlled serialized data and Powby2 template detection modules are now more resistant to network and server errors when working with S3-compatible storage.
  • Fixed an issue due to which restarting the service could lead to an erroneous double start of the scan task.
  • Fixed an issue due to which a false warning was logged if there were suspended scans during the restart of the service.

🕷 Static web crawling module

Bug fixes

  • Fixed an issue due to which pages were downloaded multiple times if there were multiple links to the same page with different URI fragment values (e.g., page.html/#foo and page.html/#bar).

Client-side JavaScript code analysis module

Changes

  • The number of non-critical warnings in the module's operation log has been reduced.

v24.18 — 2024-09-24

Dashboard

Added

  • Added the ability to open the vulnerability details panel and individual tabs in it using a link.

Changes

  • The display of selectors in the vulnerability details panel on the “Confirmation” tab and in the list of scanning vulnerabilities has been changed for better user perception.

Bug fixes

  • Fixed an issue where vulnerabilities of the scan available for viewing were not displayed to the user.

Server part

Changes

  • The audit log now stores user data directly instead of referring to it by ID.
  • The logging of the service layer has been updated, and the number of useful events during the operation of the service has been increased.

Bug fixes

  • Fixed an issue where it was impossible to delete users due to links to the audit log.

Scanner fuchsiad

Bug fixes

  • Fixed an issue where the SolidWall WAF integration module in the scanner crashed at startup without pre-configuration. Now the module terminates with a message saying that configuration data for connecting to the WAF has not been provided.

v24.17 — 2024-09-10

Dashboard

Added

  • The functionality of deleting individual completed scans has been added to the scan table and the scan details page.

Changes

  • An unauthenticated user gets redirected to the landing page instead of the Overview page when clicking on a link to an internal page after authentication.
  • A description for the scan types has been added to the scan creation wizard.

Bug fixes

  • Fixed an issue which made it impossible to repeat a scan.

Server part

Added

  • A GET /api/users/wizard/email-exist request has been added to the HTTP API, which allows a user with the superAdmin role to verify the existence of an account with the specified email address in the system.

OpenAPI specifications import module

Bug fixes

  • Fixed issues due to which connection strings to PostgreSQL via a Unix socket or without the sslmode parameter were not supported.

Client-side JavaScript code analysis module

Added

  • Added built-in support for some commonly used JavaScript functions, allowing their operations to be simulated more accurately.
  • Added a check for the presence of a script as a DOM element on the page.

Changes

  • The processing of the window.location object properties has been supplemented to increase the coverage of the analysis.

Bug fixes

  • Fixed an issue that caused the deduplication of evaled scripts to work incorrectly among those found by the interpreter and the JavaScript code debundler.
  • Fixed an issue where evaled scripts containing a //# sourceURL=... directive were incorrectly classified by the analyzer.

v24.16 — 2024-08-27

Dashboard

Added

  • Added information about scan type in the scan list and on the scan details page.
  • Hints about domain names allowed for scanning have been added in the target wizard.
  • For targets which no longer match the allowed scanning templates, relevant information has been added on the scan details page.
  • For targets that do not match the allowed scanning templates, a corresponding mark has been added in the target table.

Changes

  • To improve the perception of multi-line texts, the line height has been increased.
  • When repeating, the type of the original scan is now taken into account.
  • Improved display of duration for long scans in the scan list.
  • When creating a new target, hints about the domains allowed for scanning are added in the modal window and in the scan creation wizard.
  • Now the scan list shows those scans whose target address no longer corresponds to the templates allowed for scanning.

Bug fixes

  • Tokens with the same expiration date as the current one are now displayed correctly in the token table.
  • Incorrect error highlighting in the token creation window has been fixed.
  • Repeat operations are no longer available for scans with targets whose address no longer matches the allowed scanning templates.
  • For targets that do not match the allowed templates, a quick scan launch is no longer available.

v24.15 — 2024-08-13

Dashboard

Added

  • Added a scan creation wizard with the functionality of selecting individual modules.

Changes

  • The length of the description for the target has been increased to 500 characters.
  • Error handling has been added to the access token creation form.
  • Improved visualization of the loading list of targets.

Bug fixes

  • A number of small fixes to the user interface.

Scanner fuchsiad

Added

  • Scanning can now be paused while the module is running. After resuming, the module will continue to work from the point where it left off.
  • Added the ability to customize the name of the used S3/MinIO bucket.

Client-side JavaScript code analysis module

Changes

  • Added a limit on the URL length to improve the reliability of the analysis.

Distribution for Debian

Changes

  • The scanner now automatically reloads the configuration when installing or updating scanning modules (only when installed in a “real” OS, does not apply to deployment in a Docker container).

v24.14 — 2024-07-30

Dashboard

Changes

  • A number of improvements and changes to the user interface.

SolidPoint CLI (command line interface)

Added

  • The solidpoint auth login command has been added, which interactively requests the scanner installation URL from the user if the environment variable SOLIDPOINT_BASE_URL is not defined.

v24.13 — 2024-07-16

Dashboard

Added

  • Added the ability to return to the login form from the new account activation waiting screen.
  • Added the ability to select the scan type for the scan modal window.
  • Added a description of the available authentication types at the “Authentication” step for the target creation wizard.

Bug fixes

  • A number of small fixes to the user interface.

Scanner fuchsiad

Added

  • Added an SQL injection vulnerability scanner to the standard set of modules.

Scan modules

Bug fixes

  • Fixed an issue where the reflected XSS vulnerability scan module sometimes froze.

v24.12 — 2024-07-02

Dashboard

Added

  • The tabs “Data Flows” and “Additional Info” have been added to the issue details panel.
  • The “Documentation” item has been added to the side menu, which allows you to go to the user documentation. The API specification is available by clicking on the corresponding button.

Changes

  • A number of improvements and changes to the user interface.

🕷 Static web crawling module

Bug fixes

  • Fixed an issue where some scans could have failed due to incorrect error handling.

v24.11 — 2024-06-18

Dashboard

Added

  • A “Classification” tab has been added to the issue details panel which contains links to resources related to its classification.

Changes

  • Improved visualization of loading the issue details panel.

Bug fixes

  • A number of small fixes to the user interface.

Server part

Added

  • Added error handling related to the database connection.
  • Added support for a whitelist of restrictions on scanned URLs for targets.

v24.10 — 2024-06-04

Dashboard

Added

  • A “Validation” tab has been added to the issue details panel, which contains examples of attack vectors and a request-response sequence confirming the issue.
  • A “References” tab has been added to the issue details panel, which contains links to resources related to the identified issue.

Changes

  • The list of access tokens is now displayed on a separate page.
  • A number of improvements and changes to the user interface.

Server part

Added

  • User session tracking is configured for the audit log.

Scanner fuchsiad

Added

  • Added the ability to pause scans. Thus, new tasks within the scan are not started, and already started tasks continue their work.

🕸 Dynamic web crawling module

Changes

  • The identified endpoints are now sent to the database at the moment of their discovery instead of a single general dispatch at the end of the module.

v24.9 — 2024-05-21

Dashboard

Added

  • Added animation for loading the whole application, as well as animation for loading content: scan details, HTTP Endpoints and raw scan report.
  • A display of the number of locations has been added to the scan details page. This amount is calculated as the sum of the identified endpoints and resources.
  • The “Classification” tab has been added to the issue details panel, which contains information about the classification of the identified issue.

Changes

  • In the scan table, the “HTTP Endpoints” column has been replaced by the “Locations” column.
  • Users can no longer edit the email address themselves, now they need to contact the system administrator.

Bug fixes

  • Fixed incorrect display in the modal window of scan creation when no targets have been created yet.
  • Fixed localization errors in the modal windows of group operations for the Chinese version of the dashboard.
  • Minor fixes to the user interface.

Scanner fuchsiad

Bug fixes

  • Fixed scanner crash when detecting endpoints containing “{” and “}” symbols in the domain.

Distribution for Docker Compose

Bug fixes

  • Fixed an issue where caching could result in multiple Debian packages with different build versions.

v24.8 — 2024-05-07

Dashboard

Added

  • An issue details panel has been added, which implements the following tabs: “General Info”, which contains general information about the identified issue, and “Description”, which contains a brief description of the identified issue.

Bug fixes

  • A number of minor fixes to the user interface.

Scanner fuchsiad

Added

  • Added parallel launching of scan modules within a single scan.

🕸 Dynamic web crawling module

Added

  • Added a waiting mechanism for page loading.

v24.7 — 2024-04-23

Dashboard

Added

  • Added support for LDAP authentication.

Changes

  • A number of improvements and changes made to the user interface.

Scanner fuchsiad

Bug fixes

  • Fixed “cannot unmarshal array into Go struct field Tag.attributes of type map[string]interface” issue.

Client-side JavaScript code analysis module

Added

  • Added support for native modules.

🕸 Dynamic web crawling module

Changes

  • The domain restriction has been removed.

Distribution for Debian

Bug fixes

  • Fixed a bug where the database connection was overwritten by the default value if debconf was not set earlier. Now, in this situation, the connection is saved.

v24.6 — 2024-04-09

Dashboard

Added

  • Added display of endpoints to the technical report page.
  • During scanning, the status “Authentication error” is now displayed when a corresponding error occurs.

Bug fixes

  • Fixed a bug where the number of issues was incorrectly calculated in some cases.
  • Fixed a bug where the execution time was not stopped for cancelled scans.
  • The modal scan window now correctly displays a message for any search query stating that no matches were found.
  • The fast addition of a target was improved in the modal scan window.
  • Improved user interaction with web interface buttons.

Server part

Added

  • User actions are now recorded in the audit log.

Scanner fuchsiad

Bug fixes

  • Domain verification is now used to check endpoints, created by franzisrunner -labelsFromScanner.

SolidWall WAF integration module

Changes

  • The extracted endpoints are now saved according to the new scheme as independent entities without binding to the root resource.

Scan modules

Changes

  • If there are no issues for the endpoint, the report is now generated without an issue ID.

Bug fixes

  • Fixed the cause of the “ERROR: unsupported Unicode escape sequence (SQLSTATE 22P05)” error.

OpenAPI specifications import module

Bug fixes

  • Added support for self-signed certificates.

🕸 Dynamic web crawling module

Added

  • Implemented the processing of new URLs from the <a> tags.

Distribution for Debian

Added

  • In the backend, the configuration of the database connection via debconf for the solidpoint-backend package has been added.

Changes

  • Unnecessary dependencies have been removed from the fuchsia-dynamic-crawler package (dynamic web crawling module), and its total size has been reduced.

v24.5 — 2024-03-26

Dashboard

Added

  • Added a field with the number of found endpoints in the scan details card.
  • When a vulnerability from the list is selected, all its properties are displayed in the new sidebar panel.
  • Added error handling to the target creation wizard, making error messages more clear to the user.

Changes

  • Modal windows do not close anymore when clicked outside the window.
  • Updated the design of the target creation wizard.
  • Improved the contents of the cards when there is no data to display.
  • Improved error handling in authentication and registration forms.
  • A number of improvements and changes to the user interface.

Bug fixes

  • When the received scan status value is unknown, e.g. from a third-party module, the scan list and individual scan modules will display the status "Unknown" by default.

Scanner fuchsiad

Changes

  • Now, the authentication verification mechanism and authentication data update mechanism check and try to update session credentials at the start of the scan, double-checking if the update was successful.

Bug fixes

  • Made changes to the logic of the authentication data update mechanism to bypass blacklist URL restrictions.

v24.4 — 2024-03-12

Dashboard

Added

  • Added the ability to load the OpenAPI specification in the scan target settings.

Bug fixes

  • The functionality for disabling and enabling authentication data in the scan target settings has been fixed.
  • All static resources are now available locally, no longer using a third-party CDN to load flag icons.

Scanner fuchsiad

Added

  • Added the ability to set a proxy at the level of an individual scan.

    This functionality is currently only available through the fuchsiactl console client. Usage example:

    fuchsiactl scan --proxy socks5://127.0.0.1:9050 --url http://example.com


Bug fixes

  • Fixed logging of HTTP request URLs in the HTTP proxy.
  • Fixed issue “panic: assignment to entry in nil map” in the authentication update module.

Client-side JavaScript code analysis module

Bug fixes

  • Fixed an issue where analyzing some code fragments that concatenated a large number of arrays caused the analyzer to freeze due to a combinatorial explosion.

v24.3 — 2024-02-28

Dashboard

Added

  • A visual indication of connected authentication methods has been added to the list of targets.

Bug fixes

  • The login form now ignores email address case.
  • Fixed an issue where, in some cases, the URL was not displayed in the list of crawl targets.

Scanner fuchsiad

Added

  • Added a path traversal vulnerability scanner to the standard set of modules.

🕸 Dynamic web crawling module

Bug fixes

  • Fixed the issue “TypeError: Cannot convert object to primitive value”, which occurred when parsing some URLs.
  • Fixed the issue “Command '['timeout', ...]' returned non-zero exit status 124”, which led to a crash and the detection of fewer endpoints because the module's operating time limit was exceeded.

Client-side JavaScript code analysis module

Bug fixes

  • Fixed issue when analyzing function calls with default arguments.
  • Fixed issue “RangeError: Incorrect locale information provided”.

Scan modules

Added

  • The module for searching vulnerabilities of the path traversal class is included in the standard package.
  • Added Nuclei template for CVE-2024-23897 vulnerability in Jenkins.

Changes

  • Nuclei standard templates have been updated to the latest version.
  • Among Nuclei detections, only those with a severity level of medium or higher are now flagged as vulnerabilities.
  • In the standard delivery of Nuclei templates, rules that often produce false positives are disabled:
    • http/misconfiguration/http-missing-security-headers;
    • http/miscellaneous/x-recruiting-header;
    • http/miscellaneous/addeventlistener-detect.

Bug fixes

  • Fixed the issue “ERROR: unsupported Unicode escape sequence (SQLSTATE 22P05)”, which appeared, for example, when processing one of the Nuclei templates.

Distribution for Debian

Added

  • When installing the fuchsia scanning service package, connection data for PostgreSQL and S3-compatible storage is requested.

Changes

  • The Debian repository has been moved to repo.solidpoint.net.
  • Node.js of the required version is now installed automatically.
  • The overall size of the distribution has been reduced.

v24.2 — 2024-02-14

Dashboard

Added

  • Ability to load a client TLS certificate in the scan target authentication settings.

Bug fixes

  • Fixed erroneous interface behavior when scanning is interrupted under certain conditions.
  • Fixed an erroneous behavior that could cause scans to remain in a "pending" status forever under certain conditions.

SolidPoint CLI (command line interface)

Changes

  • The command system has been changed.

    Now in the hierarchy of commands, the first defines the entity, and the second defines possible actions with it.

    For example, instead of using the solidpoint-cli new target command, solidpoint-cli target new command should be used.

  • Some commands have been renamed.

    For example, instead of using the solidpoint-cli show users command, solidpoint-cli user list command should be used.

Scanner fuchsiad

Added

  • Ability to update authentication data.

    A description of the corresponding configuration format is available in the description of the --authrefresh-config option in the fuchsiactl-scan man page.

Changes

  • Deduplication of similar pages and endpoints is now enabled by default.

Scan modules

Changes

  • The running time of the vulnerability search module of the path traversal class has been optimized.

Distribution for Debian

Added

  • Metapackage fuchsia-full, which includes the scanner and the main stable scanning modules.
  • Metapackage solidpoint-dashboard with web interface and server part of the dashboard.
  • Package solidpoint-cli with command line interface.

Distribution for Docker Compose

Changes

  • Environment variables with the MINIO_ prefix have been renamed to S3_.

For the version dated 2024-01-31 and earlier, no versioning was performed.