
Releases: factionsecurity/faction

1.8.6

19 May 05:44

This release expands the default-vulnerability template API with full CRUD
endpoints, makes the CSV upload format header-driven (and forward-compatible
with CVSS 4.0 and custom fields), and ships a security policy for the project.

🎉 🚀 Upgrades 🎉 🚀

Default-vulnerability template API — full CRUD

New endpoints on /api/vulnerabilities:

| Method | Path | Purpose |
|---|---|---|
| GET | /default/{id} | Fetch a single template (including custom fields). |
| POST | /default/{id} | Update a single template from a JSON body. Path id wins over body id. |
| DELETE | /default/{id} | Delete a template and its associated custom field values. |
| GET | /default/search?name= | Query-param form of the name search so values containing / (e.g. LLMNR/NBT-NS) round-trip cleanly. |

All endpoints return 404 when no template matches the given id, and 401
when the API key is missing or invalid.

CSV upload is now header-driven

POST /api/vulnerabilities/csv/default now matches columns by header name
(case-insensitive), so column order may vary and unknown columns are ignored.

Recognized headers:

Id, Name, CategoryId, CategoryName, Description, Recommendation,
SeverityId, ImpactId, LikelihoodId, isActive,
CVSS31Score, CVSS31String, CVSS40Score, CVSS40String, CustomFields

Highlights:

  • CVSS 4.0 columns (CVSS40Score, CVSS40String) are supported in addition to the existing CVSS 3.1 columns.
  • Custom fields round-trip through the CustomFields column as a JSON array (same shape produced by GET /csv/default).
  • Backward compatible — if the first row is not a recognizable header, the upload falls back to the legacy positional column order, so older clients keep working.
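An added illustration of the header-driven matching described above, written in Python rather than the project's Java; it is not Faction's own code. The helper names (build_header_map, get_col, is_header_row) only mirror the test names in these notes, the legacy positional order is an assumption, and the CSV rows are constructed.

```python
import csv
import io
import json

# Header names recognized by POST /api/vulnerabilities/csv/default (1.8.6 notes);
# matching is case-insensitive, so "name" and "NAME" both map to Name.
RECOGNIZED_HEADERS = [
    "Id", "Name", "CategoryId", "CategoryName", "Description", "Recommendation",
    "SeverityId", "ImpactId", "LikelihoodId", "isActive",
    "CVSS31Score", "CVSS31String", "CVSS40Score", "CVSS40String", "CustomFields",
]
_KNOWN = {h.lower() for h in RECOGNIZED_HEADERS}
# ASSUMPTION: the notes do not list the legacy positional order; this hypothetical
# order (every column before the CVSS 4.0 / CustomFields additions) stands in for it.
LEGACY_ORDER = RECOGNIZED_HEADERS[:12]

def build_header_map(first_row):
    """Lower-cased recognized header name -> column index; unknown columns are dropped."""
    return {c.strip().lower(): i for i, c in enumerate(first_row) if c.strip().lower() in _KNOWN}

def is_header_row(first_row):
    """ASSUMPTION: a first row counts as a header when it names the Name column."""
    return "name" in build_header_map(first_row)

def get_col(row, header_map, name, default=""):
    """Fetch a cell by header name, tolerating short rows and absent columns."""
    idx = header_map.get(name.lower())
    return row[idx].strip() if idx is not None and idx < len(row) else default

def parse_default_vulns_csv(text):
    """One dict per non-blank data row, keyed by the canonical header names."""
    rows = list(csv.reader(io.StringIO(text)))
    if rows and is_header_row(rows[0]):
        header_map, data = build_header_map(rows[0]), rows[1:]
    else:  # no header row: legacy positional layout, so older clients keep working
        header_map, data = {h.lower(): i for i, h in enumerate(LEGACY_ORDER)}, rows
    records = []
    for row in (r for r in data if any(c.strip() for c in r)):
        rec = {h: get_col(row, header_map, h) for h in RECOGNIZED_HEADERS}
        # CustomFields travels as a JSON array inside one CSV cell (inner quotes doubled).
        rec["CustomFields"] = json.loads(rec["CustomFields"]) if rec["CustomFields"] else []
        records.append(rec)
    return records
# Constructed sample: reordered mixed-case headers, a CVSS 4.0 column, a JSON
# CustomFields cell and an unknown column. Score and vector are illustrative only.
HEADERED_CSV = (
    "name,cvss40score,CVSS40String,CustomFields,Notes\n"
    "LLMNR/NBT-NS Poisoning,8.7,CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N,"
    '"[{""name"":""cwe"",""value"":""CWE-290""}]",ignored\n'
)
```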

Security policy

A new top-level SECURITY.md documents how to report vulnerabilities
privately (GitHub Private Vulnerability Reporting and the project email),
the response SLA, scope, and a safe-harbor clause for researchers.

🐛 Bugfixes 🐛

  • FSUtils.getEnv now falls back to JVM system properties when the named
    OS environment variable is unset, fixing brittle behavior in deployments
    that configure FACTION via -D flags.
  • HibHelper now reads all FACTION_MONGO_* settings through
    FSUtils.getEnv, so the system-property fallback above applies to the
    Hibernate OGM bootstrap as well (previously some keys bypassed it and
    could NPE when only sysprops were set).

🧰 Internal / Test infrastructure

  • New VulnerabilitiesIntegrationTest exercises the new endpoints
    end-to-end against MongoDB (via Testcontainers, or an external instance
    configured with FACTION_MONGO_* sysprops/env).
  • VulnerabilitiesUnitTest gains coverage for the CSV upload helpers
    (buildHeaderMap, getCol, header detection, escape handling).
  • pom.xml pins maven-surefire-plugin to 3.2.5 and adds
    --add-opens=java.base/java.lang=ALL-UNNAMED so Hibernate OGM's
    Javassist proxies work on JDK 9+.
  • Removed the stale AI_CONFIG_DOCUMENTATION.md from the repo root.

Upgrade notes

  • No database migration required.
  • API: all existing endpoints and CSV payloads continue to work
    unchanged. Clients that want the new CSV features should add the
    header row described above.
  • Permissions: the new CRUD endpoints use the same API-key
    authentication as the existing /api/vulnerabilities endpoints.

Full changelog

See the GitHub compare view for the complete list of commits:
1.8.5...1.8.6

1.8.5

07 May 19:54

New Features

  • Condensed assessment & vulnerability endpoints — Two new REST endpoints return assessment and vulnerability data with large text blocks
    (description, recommendation, details) stripped out, sized for efficient MCP/LLM processing:
    • GET /api/assessments/completed/condensed
    • POST /api/vulnerabilities/all/condensed
  • Asynchronous report generation API — Trigger and poll report generation over REST:
    • POST /api/assessments/generateReport/{aid} — kicks off report generation in the background.
    • GET /api/assessments/reportStatus/{aid} — polls progress.
  • includeBase64Images query param on assessments API — Seven assessment endpoints (/queue, /{aid}, /vulns/{aid}, /history/{appid},
    /vuln/{vid}, /completed, /completed/condensed) now accept ?includeBase64Images=true|false. Default is false, which returns image links
    instead of inline base64 — much smaller responses for API/MCP consumers. Pass true to opt back into the previous inline-base64 behavior.
  • Severity filtering on Manager Dashboard — Added a severity/vulnerability filter dropdown to the assessment search, replaced the
    daterangepicker with jQuery UI datepickers for start/end dates, and excluded unassigned risk levels from the active filter set.

Security Fixes

  • Permission scoping closed on completed assessments and reports — AssessmentQueries.canAccessAssessment now blocks UserOnly users from any
    completed assessment, closing a gap that allowed a UserOnly assessor to download finalized reports or trigger report regeneration via
    /report, /generateReport, and /reportStatus.
  • /completed and /completed/condensed no longer leak closed work to UserOnly callers — getAllCompletedAssessmentsByDateRange now returns
    empty for that role.
  • Vulnerability list endpoints re-enforce assessment scope — /vulnerabilities/all and /vulnerabilities/all/condensed now filter every
    result through canAccessAssessment, restoring team-scope and user-scope checks that were missing from the bare HQL query.
  • Content-Disposition header injection in downloadReport fixed — Filenames are now sanitized to strip CR/LF, quotes, backslashes, and
    control characters from user-controlled assessment names.
  • Generic error responses on new endpoints — Replaced e.getMessage() with generic strings on the new report and condensed endpoints; full
    stack traces continue to go to server logs only.
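An added Python illustration of the filename sanitization behind the Content-Disposition fix above; it is not Faction's code. It goes one step beyond the notes by also emitting an RFC 5987 filename* parameter so non-ASCII names never appear raw in the header; the assessment name is constructed.

```python
import re
from urllib.parse import quote

# Characters the 1.8.5 notes say are stripped from user-controlled assessment names:
# CR/LF, double quotes, backslashes and other control characters (0x00-0x1F, 0x7F).
_UNSAFE = re.compile(r'[\r\n"\\\x00-\x1f\x7f]')

def sanitize_filename(name, fallback="report"):
    """Strip header-breaking characters; fall back to a fixed name if nothing is left."""
    cleaned = _UNSAFE.sub("", name).strip()
    return cleaned or fallback

def content_disposition(assessment_name, ext=".docx"):
    """Attachment Content-Disposition value for a generated report.

    filename= carries a printable-ASCII form for legacy clients; filename*= carries
    the full name percent-encoded (RFC 5987), so no byte can split the header.
    """
    safe = sanitize_filename(assessment_name) + ext
    ascii_name = "".join(c if 32 <= ord(c) < 127 else "_" for c in safe)
    return (f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(safe, safe='')}")

def header_is_wellformed(value):
    """Defensive check: a single header line with exactly one quoted filename."""
    return "\r" not in value and "\n" not in value and value.count('"') == 2

# Constructed assessment name carrying CR/LF and a quote, the shape that would
# otherwise terminate the header and inject a second one.
CONSTRUCTED_NAME = 'Q1 Audit"\r\nX-Injected: yes\r\n\r\nbody'
```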

Bug Fixes

  • NPE in decodeAndSanitize() — Fixed a null-pointer crash when Base64.decodeBase64(null) was called.

Internal / Tests

  • Added ~270 new unit and Struts-action tests covering assessments, vulnerabilities, verifications, users, audit log, status, events, admin
    user management, options, checklists, CMS, and default vulnerabilities.
  • MongoTestBase and DocxUtilsUnitTest now skip cleanly when Docker or template files are unavailable.

Full Changelog: 1.8.3...1.8.5

1.8.3

05 May 15:43

New Features

  • Upload custom report to assessment — Assessors and managers can now upload a .docx or .pdf directly to an assessment via the Finalize tab. The uploaded file replaces the stored final report. File type is validated on both client and server.
  • Download report templates from CMS — Report templates uploaded to the CMS are now displayed as a downloadable link. Clicking the filename streams the .docx template back to the browser. Download is restricted to admin and manager roles.

Security Fixes

  • XSS mitigation in file upload — Filenames returned in upload responses are now context-appropriately escaped (HTML attributes via escapeHtml4, JSON strings via escapeJson, URL parameters via URLEncoder). Added server-side filename validation that rejects uploads containing HTML or script characters (whitelist: alphanumeric, spaces, dots, hyphens, underscores).
  • Unauthenticated access to boilerplate templates fixed — The BoilerPlateConfig actions (tempDelete, tempActive, globalSaveTemplate, searchTemplateDetail) now require an authenticated session. Template detail lookups are additionally scoped to the requesting user's own templates or global templates, preventing cross-user data access.
  • Interceptor auth gap closed — AccessControlInterceptor now blocks unauthenticated requests to all non-root namespaces (e.g. /portal/*), redirecting them to the login page. Previously, certain endpoints outside the default namespace could be reached without a session.

Bug Fixes

  • LazyInitializationException in report generation — Fixed a crash that occurred when the background report generation thread attempted to access a Hibernate lazy collection after the originating session had closed. The notifiers collection is now eagerly copied at thread construction time while the session is still open.

1.8.2

22 Apr 20:32

New Features

  • Adding an image upload REST endpoint to assessments API

Bug Fixes

  • AI settings and prompts
  • Bumped org.apache.logging.log4j:log4j-core from 2.21.1 to 2.25.4 (#126)
  • Bumped braces and chokidar in /WebContent (#58)
  • Fixed: Code blocks in generated reports are stripped of newlines (#127)
  • Fixed: Format mismatch between VulnerabilityView and TrackChanges (code block newlines) (#128)

Thank you to our bug reporters:

  • Issue #127: "Code blocks in generated reports are stripped of newlines" (reported by @fransla)
  • Issue #128: "Format mismatch between VulnerabilityView and TrackChanges (code block newlines)" (reported by @ZuhaibT)

Full Changelog: 1.7.7...1.8.2

1.7.7

11 Mar 06:10

🐛 Bugfixes 🐛

Remove unnecessary intermediate form post for OIDC auth #124

Full Changelog: 1.7.6...1.7.7

1.7.6

11 Mar 05:11

🐛 Bugfixes 🐛

  • Remove unnecessary intermediate form post for SSO auth #124
  • Upgrade Java Libraries

Full Changelog: 1.7.5...1.7.6

1.7.4

01 Mar 20:52

🚀 Upgrades 🚀

  • Many improvements to speed up report generation
  • Replaced polling with Server Side Events for tracking multi user edits in realtime
  • Added CSV downloads to the Manager Dashboard
  • Improved searching in the Manager Dashboard

🐛 Bugfixes 🐛

  • Added full assessment details (#122) and case-insensitive searches when creating an assessment via the API
  • Fixed issues where bad HTML would crash report generation

Full Changelog: 1.7.1...1.7.4

1.7.1

25 Nov 05:01

🐛 Bugfixes 🐛

  • Image auto-bordering caused performance issues when large reports were generated
  • Authentication bypass issue when the appstore was disabled, reported by @wasfyelbaz

Full Changelog: 1.7.0...1.7.1

1.7.0

27 Oct 13:21

More info in our blog: https://medium.com/@we-are-faction/owasp-faction-1-7-major-updates-for-enterprise-security-teams-aa205cef68e7

🚀 Upgrades 🚀

  • Added the manager dashboard
  • Expanded the Markdown Syntax
  • Added the ${Figure#.#} variable for captions
  • Automatically add borders to images
  • Added CVE Searching
  • Updated the Status Workflow
  • Expanded the REST API

🐛 Bugfixes 🐛

  • Fixed issue with vulnerability severities getting replaced when CVSS was not supplied via the API (#110)
  • Fixed issues with custom variable updating via the API (#113, #114)
  • Generated report would add extra spaces around images
  • Fixed Chart colors shown incorrectly in Assessments
  • Fixed App Extensions running after they were disabled
  • Fixed Reports breaking when remediation user was removed
  • Fixed issue with editing assessments
  • Fixed permission issue where users in the teamOnly and assessmentOnly roles could download reports (#111)

Full Changelog: 1.6.8...1.7.0

1.6.8

27 Aug 19:48

🚀 Upgrades 🚀

  • Added user-defined variables to vulnerability templates
  • Improved Calendar Features for Report Outs

🐛 Bugfixes 🐛

  • Report generation was not fully working in 1.6.7
  • User-defined variables not saving when a new vuln is created
  • Some features were broken for the manager role
  • Fixing hyperlink issues in report generation
  • Fixed CVSS Scoring issue #108

Full Changelog: 1.6.7...1.6.8