Invicti Enterprise On-Demand

This update includes changes to Internal Agents.

FIX

• [INTERNAL AGENT] Fixed an unhandled ArgumentNullException which causes some authenticated scans to fail.

This update includes changes to Internal Agents.

IMPROVEMENT

• Added an option to specify a scan profile while scheduling scans through API.
• Added support for Form Authentication Custom Scripts for cases when a Privileged Access Management integration is used.
• Added support for 11 digit phone numbers while inviting a new member.
• Added a field to specify the user’s SSO email address while creating a new team member using the API.
• [INTERNAL AGENT] Added IgnoreSslCertificateErrors option to Docker agent.

FIXES

• Fixed an issue with the GitLab integration script where builds were not failing when they were supposed to fail.
• Fixed an issue where the “Add Attachment Report” section was missing while adding a new notification.
• Fixed a mismatching type issue on /scanprofiles/list API response model.
• Fixed an issue where a failed scan sends an excessive amount of email notifications.
• Fixed an issue where Exclude Authentication Page configuration resets when another scan is performed.
• [INTERNAL AGENT] Fixed agent auto-update issues.

This update includes changes to Internal Agents.

FEATURE

• Added GitHub Actions CI/CD integration.
• Added a new Scope option for Scan Groups of Websites while configuring notifications to be able to better scope notifications for web applications/APIs under a website.

IMPROVEMENT

• Improved time zone calculations to handle new time zones.
• Improved configuration validation error messages for Privileged Access Management integrations.

FIXES

• Fixed validation error messages on the Email Settings page.
• Fixed some of the swagger API validation errors reported for the REST API.
• [INTERNAL AGENT] Fixed an agent scan stuck issue while archiving.
• [INTERNAL AGENT] Fixed a retest problem where some issues could not be retested.
• [INTERNAL AGENT] Fixed an agent auto-update issue.

This update includes changes to Internal Agents.

FEATURE

• Added Authentication Verifier for Internal Agents.
• Added State filter to notifications which you can use issue states like Fixed, Revived, New, etc. as filtering options.

IMPROVEMENT

• Removed the scan report selection from notification events that do not produce any reports.
• Added account-based option to display authentication credentials on API responses.

FIXES

• Fixed an issue where the Launch button does not get enabled on the New Scan page after you enable the IAST scanning and download the sensor files. 
• Fixed an issue where a notification that is sent to an external email address was not displayed on the audit logs.
• Fixed an issue where starting a PCI scan via using API could not start the scan. 
• Fixed an issue where a new notification created via API does not add the specified integration(s) to the new notification. 
• Fixed an issue where a team member was not created in API if the auto-generated password is enabled.
• [INTERNAL AGENT] Fixed an issue where the custom value of FormAuthPageLoadTimeout was being overridden by its default value.

This update includes changes to Internal Agents.

FEATURE

• Added extension for Azure DevOps Pipelines.

IMPROVEMENT

• Improved the error messages returned from the notification API endpoint.

FIXES

• Fixed missing nodes on the sitemap tree.
• Fixed an issue where links imported from a Burp file are incorrectly parsed as HTTP, not HTTPS.
• [INTERNAL AGENT] Fixed an issue where an HSTS issue keeps reviving when the website is scanned again.
• [INTERNAL AGENT] Fixed a scan failed issue that occurs during archiving scan files.
• [INTERNAL AGENT] Fixed an issue where WSDL importing fails while trying to locate the external schema.
• [INTERNAL AGENT] Fixed an InvalidOperationException.

This update includes changes to Internal Agents.

FEATURE

• Introduced tagging support for Issues.

IMPROVEMENT

• Added options to specify Is Confirmed and Severity values while failing Jenkins builds.
• [INTERNAL AGENT] Added auto-update support for Linux agents.
• [INTERNAL AGENT] Added support for TLS 1.3 protocol.
• [INTERNAL AGENT] Updated Debian docker image to version 10.8.

FIXES

• Fixed the “Internal Server Error While Exporting Scan” error while exporting scans from Invicti Standard.
• Fixed missing classification editors on report policy editor for recently added classification types.
• [INTERNAL AGENT] Fixed an issue that causes the scan to stuck while trying to capture the website thumbnail image.

This update includes changes to Internal Agents.

IMPROVEMENT

• Improved the load times of the global dashboard page.
• [INTERNAL AGENT] Added a port configuration option for the agent helper service.

FIXES

• Fixed an issue on /teammembers/new API endpoint where minimum password length requirement is enforced incorrectly for admin users.
• Fixed a UI glitch where the Fixed Issues widget on the global dashboard page is clipped.
• Fixed a user enumeration issue that exists for users where SSO is enforced.
• Fixed an issue where updates to Custom Cookies input on Scan Profiles do not persist.
• Fixed an issue where the Next button on Welcome Wizard is not enabled even if you select Website Groups as indicated.
• Fixed the incorrect input label names on the HashiCorp Vault settings dialog.
• [INTERNAL AGENT] Fixed an issue where stuck scans do not honor the Maximum Scan Duration setting.
• [INTERNAL AGENT] Fixed an issue where an agent was creating temp files on C: drive even though it is installed in D: drive.

This update includes changes to Internal Agents.

FEATURE

• Custom Security Checks via Scripting feature that allows extending vulnerability detection capabilities. (Needs to be enabled per account basis)

IMPROVEMENT

• [INTERNAL AGENT] Improved agents to reduce the number of IOPS performed.

This update includes changes to Internal Agents.

IMPROVEMENTS

• Prevented deletion of system notifications.
• Forced Browsing wordlist made editable.
• Added tooltips displaying the full issue title on the Issues tree when the titles are clipped due to length.

FIXES

• Fixed /notifications/ update API endpoint which was not updating recipient emails before.
• Fixed a Scan Policy Optimizer issue where the Resource Finder settings are not captured when the selection tree is collapsed.
• Fixed an issue where the Custom Script cannot be created when 3-Legged Authentication is selected while configuring OAuth2.
• Fixed an issue where the ISO Compliance report cannot be exported for some of the scans.
• [INTERNAL AGENT] Fixed runtime exceptions thrown on systems that are missing ClamAV.

This update includes changes to Internal Agents.

NEW FEATURES

• Added IAST Scanning capabilities.
• Added CyberArk Vault Privileged Access Management integration.

IMPROVEMENTS

• HashiCorp Vault settings no more require Testing Settings as mandatory before saving the integration.
• Added search capability to the Website Group selection drop-down on the global dashboard page.
• Added the API endpoint option to create users that can only log in using Single Sign-on.
• Added the last login date information to the team member API endpoint.
• [INTERNAL AGENT] Added “Detect authentication tokens” capability for authenticated scans.

FIXES

• Fixed a reporting issue where addressed issues were included on reports generated with the Exclude Addressed Issues option.
• Fixed the “Internal Server Error While Exporting Scan” error while exporting scans from Invicti Standard.
• Fixed an issue where a Scan Policy used on a Scheduled Scan cannot be deleted.
• Fixed an issue where the Single Sign-on only users were not able to access their API tokens.
• [INTERNAL AGENT] Fixed an issue that occurs while creating the custom report policy on Linux environments.

IMPROVEMENTS

• Added Scan Profile Name column to Recent Scans page.
• Added Website URL as a filter field to Scheduled Scans page.
• Removed encrypted authentication credentials from API responses.

FIXES

• Fixed an issue where the scans launched from CI/CD without a Scan Profile were creating redundant Scan Groups on the Website dashboard.
• Fixed an issue where pressing the TAB key was not committing the entered email address on email input fields.
• Fixed an issue where some settings are not saved when you save a cloned Scan Policy for the first time.
• Fixed an issue where the View Scan Reports and Manage Issues (Restricted) options under Scan Permission are not saved while creating new members.
• Fixed an issue where the modified Scan Profile settings are not saved when another profile is selected from the dropdown.

IMPROVEMENTS

• Improved an agent auto-update procedure to support updates for minor version changes.
• All credential information on API responses is encrypted.
• Prevented agent log file names to be renamed by the browser according to the user’s regional settings.

FIXES

• Fixed an issue where the scan and report policies are not preserved while scheduling group scans.
• Fixed several issues on the sitemap tree and improved the performance.
• Fixed a hanging scan issue that occurs while the scan state is changing.
• Fixed an issue where setting an already deleted scan profile name to a new scan profile gives an error.
• Fixed the incorrect VDB version displayed on the agent.
• Fixed an issue where Download Scan Data and Download HttpRequest Logs were not working previously.
• Fixed an issue where an agent was not using the correct proxy settings while communicating with the web app.