Invicti Enterprise On-Demand

This update includes changes to Internal Agents.

FEATURE

• Added Authentication Verifier for Internal Agents.
• Added State filter to notifications which you can use issue states like Fixed, Revived, New, etc. as filtering options.

IMPROVEMENT

• Removed the scan report selection from notification events that do not produce any reports.
• Added account-based option to display authentication credentials on API responses.

FIXES

• Fixed an issue where the Launch button does not get enabled on the New Scan page after you enable the IAST scanning and download the sensor files. 
• Fixed an issue where a notification that is sent to an external email address was not displayed on the audit logs.
• Fixed an issue where starting a PCI scan via using API could not start the scan. 
• Fixed an issue where a new notification created via API does not add the specified integration(s) to the new notification. 
• Fixed an issue where a team member was not created in API if the auto-generated password is enabled.
• [INTERNAL AGENT] Fixed an issue where the custom value of FormAuthPageLoadTimeout was being overridden by its default value.

This update includes changes to Internal Agents.

FEATURE

• Added extension for Azure DevOps Pipelines.

IMPROVEMENT

• Improved the error messages returned from the notification API endpoint.

FIXES

• Fixed missing nodes on the sitemap tree.
• Fixed an issue where links imported from a Burp file are incorrectly parsed as HTTP, not HTTPS.
• [INTERNAL AGENT] Fixed an issue where an HSTS issue keeps reviving when the website is scanned again.
• [INTERNAL AGENT] Fixed a scan failed issue that occurs during archiving scan files.
• [INTERNAL AGENT] Fixed an issue where WSDL importing fails while trying to locate the external schema.
• [INTERNAL AGENT] Fixed an InvalidOperationException.

This update includes changes to Internal Agents.

FEATURE

• Introduced tagging support for Issues.

IMPROVEMENT

• Added options to specify Is Confirmed and Severity values while failing Jenkins builds.
• [INTERNAL AGENT] Added auto-update support for Linux agents.
• [INTERNAL AGENT] Added support for TLS 1.3 protocol.
• [INTERNAL AGENT] Updated Debian docker image to version 10.8.

FIXES

• Fixed the “Internal Server Error While Exporting Scan” error while exporting scans from Invicti Standard.
• Fixed missing classification editors on report policy editor for recently added classification types.
• [INTERNAL AGENT] Fixed an issue that causes the scan to stuck while trying to capture the website thumbnail image.

This update includes changes to Internal Agents.

IMPROVEMENT

• Improved the load times of the global dashboard page.
• [INTERNAL AGENT] Added a port configuration option for the agent helper service.

FIXES

• Fixed an issue on /teammembers/new API endpoint where minimum password length requirement is enforced incorrectly for admin users.
• Fixed a UI glitch where the Fixed Issues widget on the global dashboard page is clipped.
• Fixed a user enumeration issue that exists for users where SSO is enforced.
• Fixed an issue where updates to Custom Cookies input on Scan Profiles do not persist.
• Fixed an issue where the Next button on Welcome Wizard is not enabled even if you select Website Groups as indicated.
• Fixed the incorrect input label names on the HashiCorp Vault settings dialog.
• [INTERNAL AGENT] Fixed an issue where stuck scans do not honor the Maximum Scan Duration setting.
• [INTERNAL AGENT] Fixed an issue where an agent was creating temp files on C: drive even though it is installed in D: drive.

This update includes changes to Internal Agents.

FEATURE

• Custom Security Checks via Scripting feature that allows extending vulnerability detection capabilities. (Needs to be enabled per account basis)

IMPROVEMENT

• [INTERNAL AGENT] Improved agents to reduce the number of IOPS performed.

This update includes changes to Internal Agents.

IMPROVEMENTS

• Prevented deletion of system notifications.
• Forced Browsing wordlist made editable.
• Added tooltips displaying the full issue title on the Issues tree when the titles are clipped due to length.

FIXES

• Fixed /notifications/ update API endpoint which was not updating recipient emails before.
• Fixed a Scan Policy Optimizer issue where the Resource Finder settings are not captured when the selection tree is collapsed.
• Fixed an issue where the Custom Script cannot be created when 3-Legged Authentication is selected while configuring OAuth2.
• Fixed an issue where the ISO Compliance report cannot be exported for some of the scans.
• [INTERNAL AGENT] Fixed runtime exceptions thrown on systems that are missing ClamAV.

This update includes changes to Internal Agents.

NEW FEATURES

• Added IAST Scanning capabilities.
• Added CyberArk Vault Privileged Access Management integration.

IMPROVEMENTS

• HashiCorp Vault settings no more require Testing Settings as mandatory before saving the integration.
• Added search capability to the Website Group selection drop-down on the global dashboard page.
• Added the API endpoint option to create users that can only log in using Single Sign-on.
• Added the last login date information to the team member API endpoint.
• [INTERNAL AGENT] Added “Detect authentication tokens” capability for authenticated scans.

FIXES

• Fixed a reporting issue where addressed issues were included on reports generated with the Exclude Addressed Issues option.
• Fixed the “Internal Server Error While Exporting Scan” error while exporting scans from Invicti Standard.
• Fixed an issue where a Scan Policy used on a Scheduled Scan cannot be deleted.
• Fixed an issue where the Single Sign-on only users were not able to access their API tokens.
• [INTERNAL AGENT] Fixed an issue that occurs while creating the custom report policy on Linux environments.

IMPROVEMENTS

• Added Scan Profile Name column to Recent Scans page.
• Added Website URL as a filter field to Scheduled Scans page.
• Removed encrypted authentication credentials from API responses.

FIXES

• Fixed an issue where the scans launched from CI/CD without a Scan Profile were creating redundant Scan Groups on the Website dashboard.
• Fixed an issue where pressing the TAB key was not committing the entered email address on email input fields.
• Fixed an issue where some settings are not saved when you save a cloned Scan Policy for the first time.
• Fixed an issue where the View Scan Reports and Manage Issues (Restricted) options under Scan Permission are not saved while creating new members.
• Fixed an issue where the modified Scan Profile settings are not saved when another profile is selected from the dropdown.

IMPROVEMENTS

• Improved an agent auto-update procedure to support updates for minor version changes.
• All credential information on API responses is encrypted.
• Prevented agent log file names to be renamed by the browser according to the user’s regional settings.

FIXES

• Fixed an issue where the scan and report policies are not preserved while scheduling group scans.
• Fixed several issues on the sitemap tree and improved the performance.
• Fixed a hanging scan issue that occurs while the scan state is changing.
• Fixed an issue where setting an already deleted scan profile name to a new scan profile gives an error.
• Fixed the incorrect VDB version displayed on the agent.
• Fixed an issue where Download Scan Data and Download HttpRequest Logs were not working previously.
• Fixed an issue where an agent was not using the correct proxy settings while communicating with the web app.

IMPROVEMENTS

• Added grouping support for agents.
• Added Scan Profile Name to Scan Group dropdown on the Website Dashboard page.
• Added websitesgroups/delete/{id} API endpoint.
• Improved the performance of the technology dashboard.
• Fixed the absolute start date of scheduled scans as a tooltip to relative dates.

FIXES

• Fixed several scan stuck issues.
• Fixed an issue where the scan is stuck when it is paused and tried to be deleted.
• Fixed an issue an incorrect email address could be entered as a notification recipient.
• Fixed an issue where the New Scan page stuck at loading when you switch back and forth between scan profiles.
• Fixed the unspecified format of the NameID SAML2 attribute by setting it to emailAddress.

IMPROVEMENTS

• Added support for provisioning users without invitation requirement if the user is going to log in using SSO.
• Added support for setting external email recipients for notifications for all the event types.
• Added SANS Top 25 Report as export.
• Updated PCI Compliance Report to match the new style of the reports.
• Added Scan Profile name to Detailed Scan Report and several other compliance reports.

FIXES

• Fixed an issue where the scan files fail to archive to S3 storage and pile up on the agent machine.
• Fixed an issue where an Internal Server Error occurs while trying to start or schedule a new scan.

IMPROVEMENTS

• Improved the Basic, Digest, NTLM/Kerberos, Negotiate Authentication entry user interface. 
• Improved the performance of Technologies pages

FIXES

• Removed the “SSO Email” field requirement for new member invitations on accounts where SSO is not enforced
• Fixed a typo on the Bugzilla integration configuration page
• Fixed the misleading error messages received when /websitegroups/update API endpoint is called with a missing or invalid “Id” values
• Fixed a UTF8 encoding issue