Release notes

v24.7 — 2024-04-23

Dashboard

Added

  • Added support for LDAP authentication.

Changes

  • A number of improvements and changes made to the user interface.

Scanner fuchsiad

Bug fixes

  • Fixed “cannot unmarshal array into Go struct field Tag.attributes of type map[string]interface” issue.

Client-side JavaScript code analysis module

Added

  • Added support for native modules.

🕸 Dynamic web crawling module

Changes

  • The domain restriction has been removed.

Distribution for Debian

Bug fixes

  • Fixed a bug where the database connection was overwritten by the default value if debconf was not set earlier. Now, in this situation, the connection is saved.

v24.6 — 2024-04-09

Dashboard

Added

  • Added display of entry points to the technical report page.
  • During scanning, the status “Authentication error” is now displayed when a corresponding error occurs.

Bug fixes

  • Fixed a bug where the number of issues was incorrectly calculated in some cases.
  • Fixed a bug where the execution time was not stopped for cancelled scans.
  • The modal scan window now correctly displays a message for any search query stating that no matches were found.
  • The fast addition of a target was improved in the modal scan window.
  • Improved user interaction with web interface buttons.

Server part

Added

  • User actions are now recorded in the audit log.

Scanner fuchsiad

Bug fixes

  • Domain verification is now used to check entry points created by franzisrunner -labelsFromScanner.

WAF integration module

Changes

  • The extracted entry points are now saved according to the new scheme as independent entities without binding to the root resource.

Scan modules

Changes

  • If there are no issues for the entry point, the report is now generated without an issue ID.

Bug fixes

  • Fixed the cause of the “ERROR: unsupported Unicode escape sequence (SQLSTATE 22P05)” error.

OpenAPI specifications import module

Bug fixes

  • Added support for self-signed certificates.

🕸 Dynamic web crawling module

Added

  • Implemented the processing of new URLs from the <a> tags.

Distribution for Debian

Added

  • Added configuration of the backend database connection via debconf for the gujian-backend package.

Changes

  • Unnecessary dependencies were removed from the fuchsia-dynamic-crawler package of the dynamic web crawling module, reducing its total size.

v24.5 — 2024-03-26

Dashboard

Added

  • Added a field with the number of found entry points in the scan details card.
  • When a vulnerability from the list is selected, all its properties are displayed in the new sidebar panel.
  • Added error handling to the target creation wizard, making error messages clearer to the user.

Changes

  • Modal windows no longer close when the user clicks outside the window.
  • Updated the design of the target creation wizard.
  • Improved the contents of the cards when there is no data to display.
  • Improved error handling in authentication and registration forms.
  • A number of improvements and changes to the user interface.

Bug fixes

  • When the received scan status value is unknown, e.g. from a third-party module, the scan list and individual scan modules will display the status "Unknown" by default.

Scanner fuchsiad

Changes

  • Now, the authentication verification mechanism and authentication data update mechanism check and try to update session credentials at the start of the scan, double-checking if the update was successful.

Bug fixes

  • Changed the logic of the authentication data update mechanism so that it bypasses blacklist URL restrictions.

v24.4 — 2024-03-12

Dashboard

Added

  • Added the ability to load the OpenAPI specification in the scan target settings.

Bug fixes

  • The functionality for disabling and enabling authentication data in the scan target settings has been fixed.
  • All static resources are now available locally; a third-party CDN is no longer used to load flag icons.

Scanner fuchsiad

Added

  • Ability to set a proxy at the level of an individual scan.

    This functionality is currently only available through the fuchsiactl console client. Usage example:

    fuchsiactl scan --proxy socks5://127.0.0.1:9050 --url http://example.com
    

Bug fixes

  • Fixed logging of HTTP request URLs in the HTTP proxy.
  • Fixed issue “panic: assignment to entry in nil map” in the authentication update module.

Client-side JavaScript code analysis module

Bug fixes

  • Fixed an issue where analyzing some code fragments that added a large number of arrays caused the analyzer to freeze due to a combinatorial explosion.

v24.3 — 2024-02-28

Dashboard

Added

  • A visual indication of connected authentication methods has been added to the list of targets.

Bug fixes

  • The login form now ignores email address case.
  • In some cases, the URL was not displayed in the list of crawl targets.

🕷 Dynamic web crawling module

Bug fixes

  • Fixed issue “TypeError: Cannot convert object to primitive value”, which occurred when parsing some URLs.
  • Fixed issue “Command '['timeout', ...]' returned non-zero exit status 124”, which led to a crash and detection of fewer entry points when the module operating time limit was exceeded.

Client-side JavaScript code analysis module

Changes

Bug fixes

  • Fixed an issue with analyzing function calls that have default arguments.
  • Fixed issue “RangeError: Incorrect locale information provided”.

Scan modules

Added

  • The module for finding path traversal vulnerabilities is now included in the standard package.
  • Added Nuclei template for CVE-2024-23897 vulnerability in Jenkins.

Changes

  • Nuclei standard templates have been updated to the latest version.
  • Among Nuclei detections, only those with a severity level of medium or higher are now flagged as vulnerabilities.
  • In the standard delivery of Nuclei templates, rules that often produce false positives are now disabled:
    • http/misconfiguration/http-missing-security-headers;
    • http/miscellaneous/x-recruiting-header;
    • http/miscellaneous/addeventlistener-detect.

Bug fixes

  • Fixed issue “ERROR: unsupported Unicode escape sequence (SQLSTATE 22P05)”, which appeared, for example, when processing one of the Nuclei templates.

Distribution for Debian

Added

  • When the fuchsia scanning service package is installed, the installer now requests the data needed to connect to PostgreSQL and S3-compatible storage.

Changes

  • The Debian repository has been moved to repo.gujian.cloud.
  • Node.js of the required version is now installed automatically.
  • The overall size of the distribution has been reduced.

v24.2 — 2024-02-14

Dashboard

Added

  • Ability to load a client TLS certificate in the scan target authentication settings.

Bug fixes

  • Fixed erroneous interface behavior when scanning is interrupted under certain conditions.
  • Fixed an erroneous behavior that could cause scans to remain in a "pending" status forever under certain conditions.

Gujian CLI Command line interface

Changes

  • The command system has been changed.

    In the command hierarchy, the first word now defines the entity, and the second defines the action to perform on it.

    For example, instead of the gujian-cli new target command, the gujian-cli target new command should be used.

  • Some commands have been renamed.

    For example, instead of the gujian-cli show users command, the gujian-cli user list command should be used.

Scanner fuchsiad

Added

  • Ability to update authentication data.

    The corresponding configuration format is described under the --authrefresh-config option in the fuchsiactl-scan man page (man fuchsiactl-scan).

Changes

  • Deduplication of similar pages and entry points is now enabled by default.

Scan modules

Changes

  • The running time of the path traversal vulnerability search module has been optimized.

Distribution for Debian

Added

  • Metapackage fuchsia-full, which includes the scanner and the main stable scanning modules.
  • Metapackage gujian-dashboard with web interface and server part of the dashboard.
  • Package gujian-cli with command line interface.

Distribution for Docker Compose

Changes

  • Environment variables with the MINIO_ prefix have been renamed to S3_.

For the version dated 2024-01-31 and earlier, no versioning was performed.