The SimpleRisk 20220527-001 release is focused mostly on bug fixes and usability improvements. The only major new feature is the new Risks and Issues report, which tracks how the risk scores of risks and issues move over time.
In keeping with our commitment to SimpleRisk's security, this release also includes fixes for several security issues discovered during this cycle:
- Fixed a cross-site scripting (XSS) vulnerability in Assessments.
- Added additional parameter enforcement to the SQL injection (SQLi) filter function.
- Fixed two SQL injection vulnerabilities found in functions.
This release also includes a number of well-deserved bug fixes, listed below:
- Fixed an issue where the delete file function would always return false, whether or not the deletion succeeded.
- Fixed an issue where the Dynamic Risk Report query took too long to complete, leaving the report processing indefinitely.
- Fixed an issue where, if a user deleted all threats from the threat catalog, they were unable to add new threats.
- Fixed an issue where uploading supporting documentation while submitting a risk on any template other than the default would attach the documentation to the default template instead.
- Fixed an issue where creating a new project would create a duplicate.
- Fixed an issue where Management Reviews were duplicated when submitted.
- Fixed an issue where the Submitted Risks by Date report was actually ordered by risk ID rather than by submission date.
- Added a new flag to skip column statistics when running mysqldump against MySQL instances that require it. (The mysqldump client shipped with MySQL 8.0 requests column statistics by default, which fails against servers that have no information_schema COLUMN_STATISTICS table, such as MySQL 5.7 or MariaDB; the underlying client option is --column-statistics=0.)
The SimpleRisk Extras are the paid-for modules that extend the features of the SimpleRisk Core. This is another release that targets bugs and security patches; one of the biggest fixes is for users who could not see custom fields while editing risks.
The full list of updates to the Extras is as follows:
Team-Based Separation Extra
- Fixed an issue where users could update documents belonging to other teams even with Team-Based Separation enabled.
- Fixed an issue where the Current Comment Report did not work properly when the Team-Based Separation Extra was in use.
Import-Export Extra
- Status is no longer updated during import unless the status column is mapped, so closed risks that are updated by an import remain closed.
- Added Control-Type to the mappable import values.
Risk Assessment Extra
- Removed the requirement for a phone number on assessment contacts.
- Updated the questionnaire logic to strip markup tags from answers, preventing completed questionnaires from appearing to have unanswered questions.
- Fixed an issue where risk analysis no longer showed results.