Faraday Server Releases

3.16.2 [Jul 2nd, 2021]:

  • FIX bug where workspaces are not updatable by UI

3.16.1 [Jul 2nd, 2021]:

  • MOD only show settings of this version in faraday-manage settings
  • FIX update minimum version of click dependency

3.16.0 [Jun 29th, 2021]:

  • BREAKING CHANGE: API V2 discontinued
  • BREAKING CHANGE: Changed minimum version of python to 3.7
  • ADD agent parameters have types (protocol with agent and its APIs)
  • ADD move settings from server.ini to a db model
  • ADD (optional) query logs
  • MOD new threads management
  • MOD vulnerabilities' endpoint no longer loads evidence unless requested with get_evidence=true
  • FIX it is no longer possible to create a workspace named "filter"
  • FIX bug with dates in the future
  • FIX bug with click 8
  • FIX bug using --port command
  • FIX endpoints returning 500 as status code
  • REMOVE the need for a CSRF token in the evidence upload API

3.15.0 [May 18th, 2021]:

  • ADD Basic Auth support
  • ADD support for GET method in websocket_tokens, POST will be deprecated in the future
  • ADD CVSS(String), CWE(String), CVE(relationship) columns to vulnerability model and API
  • ADD agent token API now reports the renewal cycle duration
  • MOD Improve database model to be able to delete workspaces quickly
  • MOD Improve code style and usage (fewer flake8 exceptions, py3 super style, Flask app as singleton, etc)
  • MOD workspaces' names regex to verify they cannot contain forward slash (/)
  • MOD Improve bulk create logs
  • FIX Own schema breaking Marshmallow 3.11.0+
  • UPD flask_security_too to version 4.0.0+

3.14.4 [Apr 15th, 2021]:

  • Updated plugins package, which updates the AppScan plugin

3.14.3 [Mar 30th, 2021]:

  • MOD MAJOR breaking change: use frontend from another repository
  • ADD last_run to executors and agents
  • ADD ignore info vulns option (from faraday-plugins 1.4.3)
  • ADD invalid logins are registered in audit.log
  • ADD agent registration tokens are now 6-digit short and automatically regenerated every 30 seconds
  • MOD Fix logout redirect loop
  • REMOVE support for native SSL

3.14.2 [Feb 26th, 2021]:

  • ADD New plugins:
    • microsoft baseline security analyzer
    • nextnet
    • openscap
  • FIX old versions of Nessus plugins bugs

3.14.1 [Feb 17th, 2021]:

  • ADD forgot password
  • ADD update services by bulk_create
  • ADD FARADAY_DISABLE_LOGS variable to disable logs to filesystem
  • ADD security logs in audit.log file
  • UPD security dependency Flask-Security-Too v3.4.4
  • MOD rename total_rows field in filter host response
  • MOD improved Export CSV performance by reducing the number of queries
  • MOD sanitize the content of vulns' request and response
  • MOD don't strip new lines in description when exporting CSV
  • MOD improved threads management on exception
  • MOD improved performance on vulnerability filter
  • MOD improved API documentation
  • FIX upload a report with invalid custom fields
  • ADD v3 API, which includes:
    • All endpoints end without a trailing /
    • PATCH {model}/id endpoints
    • Bulk update via PATCH {model} endpoints (in a future release)
    • Bulk delete via DELETE {model} endpoints (in a future release)
    • Endpoints removed:
      • /v2/ws/<workspace_id>/activate/
      • /v2/ws/<workspace_id>/change_readonly/
      • /v2/ws/<workspace_id>/deactivate/
      • /v2/ws/<workspace_name>/hosts/bulk_delete/
      • /v2/ws/<workspace_name>/vulns/bulk_delete/
    • Endpoints updated:
      • /v2/ws/<workspace_name>/vulns/<int:vuln_id>/attachments/ =>

3.14.0 [Dec 23rd, 2020]:

  • ADD RESTless filter to multiple views, improving searches
  • ADD "extras" modal in options menu, linking to other Faraday resources
  • ADD import vulnerability templates command to faraday-manage
  • ADD generate nginx config command to faraday-manage
  • ADD vulnerabilities severities count to host
  • ADD Active Agent columns to workspace
  • ADD critical vulns count to workspace
  • ADD Remember me login option
  • ADD distinguish host flag
  • ADD a create_date field to comments
  • FIX to use new webargs version
  • FIX Custom Fields view in KB (Vulnerability Templates)
  • FIX bug on filter endpoint for vulnerabilities with offset and limit parameters
  • FIX bug raising 403 Forbidden HTTP error when the first workspace was not active
  • FIX bug when changing the token expiration
  • FIX bug in Custom Fields type Choice when choice name is too long.
  • FIX Vulnerability Filter endpoint Performance improvement using joinedload. Removed several nplusone uses
  • MOD Updating the template.ini for new installations
  • MOD Improve SMTP configuration
  • MOD The agent now indicates how much time it had run (faraday-agent-dispatcher v1.4.0)
  • MOD Type "Vulnerability Web" cannot have "Host" type as a parent when creating data in bulk
  • MOD Expiration default time from 1 month to 12 hours
  • MOD Improve data reference when uploading a new report
  • MOD Refactor Knowledge Base's bulk create to also take multiple creation from vulns in status report.
  • MOD All HTTP OPTIONS endpoints are now public
  • MOD Change documentation and what's new links in about
  • REMOVE Flask static endpoint
  • REMOVE of our custom logger

3.12 [Sep 3rd, 2020]:

  • Now agents can upload data to multiple workspaces
  • Add agent and executor data to Activity Feed
  • Add session timeout configuration to server.ini configuration file
  • Add hostnames to already existing hosts when importing a report
  • Add new faraday background image
  • Display an error when uploading an invalid report
  • Use minimized JS libraries to improve page load time
  • Fix aspect ratio distortion in evidence tab of vulnerability preview
  • Fix broken Knowledge Base upload modal
  • Fix closing of websocket connections when communicating with Agents
  • Change Custom Fields names in exported CSV to make columns compatible with faraday_csv plugin
  • Fix import CSV for vuln template: some values were overwritten with default values.
  • Catch errors in faraday-manage commands when the connection string is not specified in the server.ini file
  • Fix bug that generated a session when using Token authentication
  • Fix bug that requested to the API when an invalid filter is used
  • Cleanup old sessions when a user logs in
  • Remove unmaintained Flask-Restless dependency
  • Remove pbkdf2_sha1 and plain password schemes. We only support bcrypt

3.11.2 [Aug 6th, 2020]:

  • Fix missing evidence from generic reports with markdown
  • Fix JPG evidence in executive reports
  • Fix workspace comparison

3.11.1 [Jun 3rd, 2020]:

  • Fix missing shodan icon and invalid link in dashboard and hosts list
  • Upgrade marshmallow, webargs, werkzeug and flask-login dependencies to latest versions in order to make packaging for distros easier

3.11 [Apr 22nd, 2020]:

  • Move GTK client to another repository to improve release times.
  • Fix formula injection vulnerability when exporting vulnerability data to CSV. This was considered a low impact vulnerability.
  • Remove "--ssl" parameter. Read SSL information from the config file.
  • Add OpenAPI autogenerated documentation support
  • Show agent information in command history
  • Add bulk delete endpoint for hosts API
  • Add column with information to track agent execution data
  • Add tool attribute to vulnerability to avoid incorrectly showing "Web UI" as creator tool
  • Add sorting by target in credentials view
  • Add creator information when uploading reports or using the bulk create API
  • Add feature to disable rules in the searcher
  • Add API endpoint to export Faraday data to Metasploit XML format
  • Change websocket url route from / to /websockets
  • Use run date instead of creation date when plugins report specifies it
  • Improve knowledge base UX
  • Improve workspace table and status report table UX.
  • Improve format of exported CSV to include more fields
  • Sort results in count API endpoint
  • Limit description width in knowledge base
  • Change log date format to ISO 8601
  • Fix parsing server port config in server.ini
  • Fix bug when _rev was sent to the hosts API
  • Send JSON response when you get a 500 or 404 error
  • Fix bug parsing invalid data in NullToBlankString
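
The CSV formula-injection fix listed above, shown as an added Python example that is not Faraday's own code: any cell whose first character a spreadsheet would treat as a formula trigger gets a leading single quote before the row is written, while numeric values and multi-line descriptions are passed through unchanged. The column names and the sample vulnerability records are constructed for this example; `neutralize=False` reproduces the unsafe pre-fix behaviour for comparison.

```python
import csv
import io

# Leading characters that spreadsheet applications (Excel, LibreOffice, Google Sheets)
# may interpret as the start of a formula when a CSV file is opened.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed column set for this example (not Faraday's real export schema).
COLUMNS = ("name", "severity", "target", "desc")


def neutralize_cell(value):
    """Return the cell as text, prefixed with a single quote if it could be read as a formula.

    Real numbers (but not bool) are passed through so negative values stay numeric;
    None becomes an empty cell.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_vulns_csv(vulns, neutralize=True):
    """Serialize vulnerability dicts to CSV text.

    With neutralize=True every cell goes through neutralize_cell(); the csv module
    handles quoting, so embedded newlines in descriptions are preserved rather than stripped.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    for vuln in vulns:
        row = {col: vuln.get(col, "") for col in COLUMNS}
        if neutralize:
            row = {col: neutralize_cell(val) for col, val in row.items()}
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample records: the first "name" is user-supplied text that starts with "="
# and would be evaluated as a formula by a spreadsheet if exported verbatim.
SAMPLE_VULNS = [
    {"name": "=1+1", "severity": "high", "target": "10.0.0.5",
     "desc": "Multi-line\ndescription is kept"},
    {"name": "Weak TLS config", "severity": "medium", "target": "10.0.0.6", "desc": "-"},
]

if __name__ == "__main__":
    print(export_vulns_csv(SAMPLE_VULNS))
```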

Changes in plugins (only available through Web UI, not in GTK client yet):

New plugins:

  • Checkmarx
  • Faraday_csv (output of exported Faraday csv)
  • Qualyswebapp
  • Whitesource

Updated plugins:

  • Acunetix
  • AppScan
  • Arachni
  • Nessus
  • Netsparker
  • Netsparker cloud
  • Nexpose
  • Openvas
  • QualysGuard
  • Retina
  • W3af
  • WPScan
  • Webinspect
  • Zap

3.10.2 [Jan 30th, 2020]:

  • Fix Cross-Site Request Forgery (CSRF) vulnerability in all JSON API endpoints. This was caused by a third-party library that doesn't implement proper Content-Type header validation. To mitigate the vulnerability, we set the session cookie to have the SameSite: Lax property.
  • Fix Faraday Server logs were always in debug
  • Add update date column when exporting vulnerabilities to CSV
  • Fix unicode error when exporting vulnerabilities to CSV

3.10.1 [Jan 10th, 2020]:

  • Fix installation with pip install --no-binary :all: faradaysec
  • Force usage of webargs 5 (webargs 6 broke backwards compatibility)
  • Use latest version of faraday-plugins
  • Fix broken "Faraday Plugin" menu entry in the GTK client
  • Extract export csv to reuse for reports

3.10 [Dec 19th, 2019]:

  • Use Python 3 instead of Python 2 in the Faraday Server
  • Add ability to manage agents with multiple executors
  • Agents can be run with custom arguments
  • Improved processing of uploaded reports. Now it is much faster!
  • Add custom fields of type choice
  • Fix vuln status transition in bulk create API (mark closed vulns as re-opened when they are triggered again)
  • Fix bug when using non-existent workspaces in Faraday GTK Client
  • Set service name as required in the Web UI
  • Validate the start date of a workspace is not greater than the end date
  • Fix command API when year is invalid
  • When SSL misconfigurations cause websockets to fail, it doesn't block the server from starting
  • Check for invalid service port number in the Web UI
  • Fix dashboard tooltips for vulnerability
  • Fix bug when GTK client lost connection to the server
  • Fix style issues in "Hosts by Service" modal of the dashboard
  • Add API for bulk delete of vulnerabilities
  • Add missing vuln attributes to exported CSV
  • faraday-manage support now displays the Operating System version
  • Notify when faraday-manage can't run because of PostgreSQL HBA config error
