factionsecurity / faction

Pen Test Report Generation and Assessment Collaboration

Home Page: https://www.factionsecurity.com/

License: GNU General Public License v2.0

Languages: Dockerfile 0.01%, Java 25.04%, HTML 20.14%, JavaScript 50.27%, CSS 4.31%, Batchfile 0.01%, SCSS 0.03%, PHP 0.02%, Less 0.18%, Shell 0.01%

Topics: application-security, hacking, penetration-testing, penetration-testing-tools, pentesting, reporting, security, security-audit, security-automation, security-tools

faction's People

Contributors: summitt, theotherothermatt

faction's Issues

Error when adding new report template

Hi Faction team! Testing out your offering and noticed an issue when trying to create multiple report templates. Could be something I'm doing wrong of course but thought I'd ask. See attachment.

Some problems with SMTP integration, select Checklist and Generate report

Hello. I encountered an error while trying to configure SMTP settings. Inputs include SMTP server, port, password and so on. When you type and save, a few TAB spaces are added before and after the text written to the input. I think this is why I couldn't get SMTP and e-mails to work. Does anyone know the solution to this problem?

Edit:

Also I cannot select a checklist from the Checklists tab in the Assessment page of the project. I created checklists, but the dropdown does not appear in the list.

Also I cannot generate a report. When I click the generate report button under the finalize tab, the loader waits for 3-4 seconds and does not show any error or any information about it.

Originally posted by @codessensei in #31

Assessors not showing during assessment creation

Hi,

I am using version 1.1.25, self hosted.

When I try to create an assessment it does not show any assessor, so I am unable to save the assessment.
I have an admin user and another user which is an assessor.


Any tips or help?

In Readme.md

Could it be possible to add
mvn clean compile war:war

git clone git@github.com:factionsecurity/faction.git
cd faction
mvn clean compile war:war
docker-compose up --build

Thanks

Instances not starting up

Hello, I am trying to test the software, but I can't initiate any instance.

First I tried to self-host with docker-compose, but I am getting a 404 error page on startup.

Then I tried two types of licenses, but the instances do not start up and also show a 404 error.

Unable to change Findings

Version 1.2.2, self-hosted, VMware.
In order to change the name of the selected finding, you need to click on +New Vulnerability, which adds a new finding.
Deleting or changing Overall Severity of the findings just doesn't work.

HAR-file sent to email.

A note for people who would like to try Faction locally

It appears that faction is using MongoDB 5.0+, which requires a CPU with AVX support. I was able to get everything set up without this support, but after running the docker container you will not be able to get any further, as Tomcat will just show a 404 page and you will not be able to reach the web UI. 'MongoDB 5.0+ which requires a CPU with AVX support' should be added as a requirement in the README. Edit: Some hypervisors such as Oracle don't pass the flag, so this issue is probably more prevalent for people who use VMs.

-Mav

Cursor moves on autosave

Hey thanks for the report generator. I built the latest image and when you type in any of the text boxes, the autosave seems to kick in and the cursor automatically jumps to the beginning of the line whilst typing. Tried on multiple builds, Chrome, Firefox and all the same behavior.

I had a further look and it appears it might be related to SunEditor

JiHong88/suneditor#1307

JiHong88/suneditor#1348

Unable to set Severity colors if inside ${fiBegin} / ${fiEnd} Block

Hi,
I am testing Version 1.1.25.2, self hosted.

I am trying to configure a report in a way that each vulnerability has its own heading; so far I was able to make it work using the following:

  1. Vulnerability List

${fiBegin}

1.1 ${vulnname}
Table with vulnerability details using ${severity}, ${category}, ${desc}, etc...

${fiEnd}

It creates the vulnerabilities following the heading (1.1, 1.2, 1.3, etc.) but I am not able to set the severity colors.
If I add "${vulnTable} ${cells Critical=8064a2,High=c0504d,Medium=e68e00, Low=33D7FF,Recommended=081417,Informational=657376}" to the top row of my table, it does not interpret it.

Are ${fiBegin} and ${vulnTable} ${cells} not compatible?
Is there a way to define a severity color for a specific cell in conjunction with ${fiBegin} / ${fiEnd}?

Thank you.

Error Adding User with LDAP Authentication

Hi,
When I want to add a user after the LDAP settings are set, it pulls the user from the LDAP but does not register it. Initially, it states that it cannot find the file named db.config in the /opt/faction/ directory. When I create that file manually in Docker, it no longer gives the error that it cannot find the file, but I still cannot add a user.

Feature requests, bug fixes and logic decisions

I have been playing around with a lot of different reporting tools as of late trying to find the best fit. I really enjoy the feel of faction but have the following issues. As the title states there is a mix of requests/questions!

Bug fixes:

Finalized assessment locks consultants

If an assessment is finalized early, the assigned consultants are not set to free. This is an issue as for bigger consultancies, you may have 3 specialists on the project for a few days of the overall scope just to complete their section but then they cannot be assigned to another project.

Highlight color not working for scheduling

Highlight color doesn't work for notes when scheduling (it does for all other places referenced, as far as I could discover).
Scheduling: (screenshot)
Expected: (screenshot)

Custom fields not reflecting on existing items

Custom fields only reflect on newly scheduled projects and newly created vulnerabilities inside new projects. I.e. if I have a vulnerability template and a month later add 4 custom fields, I have to create a new template manually to add the new fields; likewise with an existing project, a client may request that field x be added, but that would require deleting the scheduled assessment, creating a new one and importing all data manually to support it. The latter is an edge case, but the issue is still present.

Feature requests:

Additional custom field support

Custom fields support very limited types, consisting of string, bool and list. It would be great to get support for more complex data types. A big example would be supporting the large text boxes / markdown boxes that are contained throughout the reports. Past this, 'object' support would be great. An example of where this could be used is in the likes of version control. Sysreptor offers this feature and it allows you to create, for example, a list of objects consisting of version number, consultant name, comment. That way with each new version you add an item to the list that generates the rest of the fields you require.

I think an amazing start would be to support the large text fields, but the object support would be super nice to have.

Graph support

Adding graphs into the report dynamically based on templates would be awesome. Specifically, I would be looking to create graphs based on the issues/vulnerabilities raised, such as number of vulnerabilities broken down by severity.

Logic decisions

There are a few logic decisions that are neither bugs nor features, but maybe just something to raise to see people's thoughts / whether toggled support for them could be added to the config, perhaps.

Finalized assessment cannot be reopened

We have cases where budgets clash and a client may not be able to schedule a retest assessment so we would consider the project complete. However, a few months later they will request a retest. Now we can use the docx we got from the initial reporting and manually update it but it would be great to be able to have a way to reopen a finalized assessment as opposed to creating a new assessment.

Finalized assessment cannot be deleted

Some clients in parts of the world have set requirements on data retention; this is a big EU issue. As it stands, not being able to delete a finalized report poses some problems, as clients that fall out of that retention window would need to either be manually deleted from the DB or we would have to flush the data out entirely, which isn't feasible with ongoing assessments.

No overlap support for scheduling consultants

This somewhat relates to the thoughts behind my bug fix request 'Finalized assessment locks consultants'. You are unable to assign a consultant to more than one project. I understand why the logic would dictate not doing this, but in some cases it's required. It would be good to be able to overlap these, possibly with a warning message 'this consultant is assigned to x project on this date, are you sure...'.

Please note all these points were gathered over the weekend, so I may have missed/overlooked stuff mentioned. If that's the case please direct me :).
