Following CSS code did not work:

writing-mode: vertical-rl;
text-orientation: mixed;

Reference:
https://developer.mozilla.org/en-US/docs/Web/CSS/text-orientation

I got vertical text working by using transform though, it is not pretty:

.vertical{
  display: inline-block;
  transform: rotate(90deg);
  transform-origin: left top 0;
  margin:0;
  padding:0;
  margin-left:20px;
  width:100px;
  top:-20px;
  position: absolute;
}

Setup: docker compose self hosted
browser: Google Chrome

In the latest version of sysreptor, support for multiple languages for templates has been added. However, it does not seem to be possible to edit the content of findings in other languages. This also happens in the default templates.

As you can see in the following screenshot, it is not possible to modify the corresponding fields (e.g. Summary).

By error, I created an extra user, there is no way to remove it from the WebUI.

• Workaround 1: set user as Inactive and remove all roles
• Workaround 2: connect to DB and remove it manually with SQL (could be dangerous if not inherited properly)

Solution: add a delete user button.

Helll and first of all thank you for this amazing project.

I would like to take advantage of it as I will be doing OSCP training soon but I am facing some issues due to the fact I don't have a x64 VM.

First, I had issues when installing the dependencies, so I changed the version of FROM python:3.10-slim-bullseye for one ARM version in the Dockerfile.

After that, I had to include && pip3 install Django after RUN pip3 install -r requirements.txt in the Dockerfile also as it couldn't find when running manage.py.

And now I have the following error that I was not able to fix...

Could you please let me know if I missed something ?
Thank you in advance.

It would be handy to have a /version page with a link into the user menu (like for license) that would display the version information about sysreptor.

Maybe a security consideration would be to limit access to superuser only.

Hi there trying to get a full page background with:

#page-cover {
    margin: -15mm -15mm 0mm -15mm;
}

On the matrix one. Trying to like shift the margins. The first page works fine now. But I cannot get it to work for a second page that comes after the first page.

I have:

#page-disclaimer {
   margin: -15mm -15mm -25mm -15mm;
}

but it won't shift the whole page up 15mm for some reason, I have a gaping white bar at the top.

Appreciate any help!

Hi, when I run both via script and manual installs I get the following error:

docker compose -f docker-compose.yml up -d unknown shorthand flag: 'f' in -f

Any help greatly appreciated

I deleted the background.svg file, then tried to upload it back onto the server. It gives me:

Hi there,

Any way to highlight certain parts of a code block in markdown with a different color? For example:

GET /?request=abc HTTP1/.1
XXXXX

I want to highlight request=abc. I tried things like asterisk, and backticks.

It helps to be able to point out the payload in a request.

Hi there,

How would you reference the cusotmer's name in markdown?

We attacked {{report.customer}} ...?

Hello!
I downloaded the installation script from the repository and I needed to change all the docker compose commands to docker-compose to proceed with the installation.

Script:
https://docs.sysreptor.com/install.sh

The error occurs at this point in the script:

if 
    ! docker-compose $compose_args up -d
then
    echo "Ups. Something did not work while bringing up your containers."
    exit -2
fi

Error message:

docker: "docker-init": executable file not found in $PATH

It looks like it's looking for the binary docker-init in the PATH, but it doesn't find it. How can I solve the problem?

OS: Ubuntu 22.04
Docker version: 20.10.23
Docker compose version: v2.17.2

Thanks!

Hello,
Can we please have a feature to export the markdown 'Personal Notes' to PDF?

I know your custom Spell Check is only included in the Professional edition but (both for community and pro version) it would be nice to be able to switch to other solution as per user preferences:

• Default browser spell checking
• Plugin based spell checking

Default browser spell checking

It would be as easy as modifying the attribute spellcheck="false" for each field and have an option Enable default browser spell checking in /users/self/.

Plugin based spell checking

Software like LanguageTool or Antidote are offering advanced spell checking with a plugin. They work by default with all text fields like textareas but sometime they don't work with some WYSIWYG editor (example with EasyMDE and associated PR).

In Sysreptor, It's working on the one line fields (e.g., precondition) but not on multi-line text fields (with a WYSIWYG editor, e.g., Impact) even when setting contenteditable="true" and spellcheck="true".

My company currently does not opt to use CVSS for most testing as we don't believe it is the best approach for most clients. Currently we have a custom finding field that lets us set the rating manually, however, this then messes with stuff like count_critical which is super useful for graphs.

My request is either can there be alternative rating methods supported OR can someone guide me on how to dynamically plug these numbers into the graph?

After installing with the install.sh script, I then set up Caddy and generated the keys for Django and encryption. Upon launching a browser to login however I get a 403 error on GET .../api/v1/pentestusers/self/ which I believe is normal. When entering the credentials provided from the install script a login failed toast comes up. In the console I get a 500 error on POST ...api/v1/auth/login/ with the below from toast.js

Request error Error: Request failed with status code 500
    at t.exports (createError.js:16:15)
    at t.exports (settle.js:17:12)
    at XMLHttpRequest.A (xhr.js:66:7) Login failed 
<!doctype html>
<html lang="en">
<head>
  <title>Server Error (500)</title>
</head>
<body>
  <h1>Server Error (500)</h1><p></p>
</body>
</html>

Assuming this is standard for incorrect logins, what would the process be for resetting the password? And is there a step i took that i shouldn't have whilst setting it up?

Hello!
When placing more than four fields in vulnerability the page appears blank and the vulnerabilities are placed on the next page. As if there was a hidden "pagebreak".

There is no page break in the section and when I place four fields the first vulnerability appears just below the section title. In the image below I commented out the code for the other fields of the vulnerability and the problem disappeared.

Would it be some bug that breaks the page when more than four fields are placed in this vulnerability details section?
Thanks!

Hi there, how could I use CSS to make the space between the bullet point and the text bigger?

The text should still align vertically.

As per documentation: https://docs.sysreptor.com/designer/headings-and-table-of-contents/

h3.numbered-appendix::before{
    padding-right: 5mm;
    counter-increment: h3-counter;
    content: counter(h1-counter-appendix, upper-alpha) "." counter(h2-counter) "." counter(h3-counter);
}

The content: counter... line should be changed to:

content: counter(h1-appendix-counter, upper-alpha) "." counter(h2-counter) "." counter(h3-counter);

It is h1-appendix-counter not h1-counter-appendix

Otherwise with h3 tags you receive:

0.1.1

instead of the expected:

A.1.1

After importing demo data, I can see in finding template that I have two languages available:

However, I don't see any way to add or remove languages.

Expected:
Access the users in the history of a report during design creation and use the preview data to print out the author.

Reality:
The authors are not populated, resulting into NULL and therefore an empty string in the template.

Steps to reproduce:

• Do not have users populated, keep the default installation with user reptor (without names,or other infos)
• Create a new design.
• Then add the reptor as a user into the history.
• Is not populated in the HTML.

Furthermore, if you add another user and populate the fields for the names, it is also not offered in the preview data.

User Setup:

Preview Data;

HTML:

Setup: docker compose local
Browser: Chrome

Hello

Excellent tool BTW! Is there a documented procedure on how to add new fields to findings and ultimately the report? I went thru the documentation and FAQs but cannot seem to find it. The system works fine for using existing fields, however when I try to add a new one, I can never get it to appear as available in a new template even if I tell it to "Show fields of All Designs" ?

Thanks

Installation failed in

=> ERROR [api-dev 5/9] RUN chmod +x /app/api/download_fonts.sh && /app/api/download_fonts.sh
=> CANCELED [frontend 1/1] RUN npm run build
------
> [api-dev 5/9] RUN chmod +x /app/api/download_fonts.sh && /app/api/download_fonts.sh:
------
failed to solve: process "/bin/sh -c chmod +x /app/api/download_fonts.sh && /app/api/download_fonts.sh" did not complete successfully: exit code: 8

Currently, it is not possible to directly change the design of a project. If your customer has specific needs (e.g. an additional chapter, change of colors or a different order of the sections), it is not possible to make such changes in the project. The only way is to change the entire design even if the change only applies to one specific project.

When you open the designer you have access to the Vue.js and CSS files. I am suggesting the same if you open the project tab. As far as I am aware the design is copied when you create a new project. So it should be very easy to give users access to those files (Vue.js + CSS) in the project tab.

I am trying to underline some text in markdown:

1. __Testing__: hello world
2. __Testing 2__: hello world 2

but it doesn't work.

Even tried <u>test</u> but doesn't work.

Hi there,

I found that the executive summary is section 1, but also the document control is too.

For Markdown H2, H3, and H4 in a section. Can I add it to in-toc somehow?

Thanks

Hi there,

Is there anyway to get the report file name such as:

{{report.filename}}

So it replaces content inside during generation?

Description and why

Pentesters from english-speaking countries are maybe the only ones that don't need this feature.

But in other countries you will need to have a finding library in both English and your native language and some countries also have 2, 3 or more official languages.

Very often, in non-english speaking countries, you need to write pentest report in several languages so having a Multilingual vulnerability database is critical for them.

Implementation

It needs a change of the SQL tables.

Instead of having something like

vulns:
  - vuln1:
    title: xxx
    description: xxx
    cvss: xxx
  - vulns2
    title: xxx
    description: xxx
    cvss: xxx

You would have

vulns:
  - vuln1:
    cvss: xxx
    lang:
      - en:
        title: xxx
        description: xxx
      - fr
        title: xxx
        description: xxx
  - vulns2
    cvss: xxx
    lang:
      - en:
        title: xxx
        description: xxx
      - fr
        title: xxx
        description: xxx

Workaround

A common workaround and why it is bad.

A common bad workaround is to add a lang prefix in the title of the vulnerability.

Like [EN] SQL injection and [FR] Injection SQL.

Or here in SysReptor to create the same vulnerability two times with a different value in language field.

This is terrible for multiple reasons.

When having multiple languages, only field containing text or sentences need to be translated, all other fields like the CVSS vector, CVE, vulnerability ID, etc. don't need to be translated and can be stored only once in the database.

Also when you edit the vuln in one language if they are not linked, you often forgot to update the vuln in other languages too.

It would also be also possible to filter by language.

And for report you can't ask for vuln.fr.description or vuln.en.description depending on your french or english template.

Demo

It's a big long and hard to explain in details.
I invite your to deploy and test PwnDoc (https://github.com/pwndoc/pwndoc) which is the only pentest report platform I know to have a mutli-lang vuln DB. It's easy to deploy with docker-compose so it won't take long to try it.

Here is what I mean in video, I'm talking about multilingual finding template (the data stored, the db schema, etc.) not the translation of the label on the WebUI (I18N):

Hi there,

I have a chart as shown below:

I am wondering how to change the font?

Hi there,

I tried many times and many ways to try reduce this code block's padding around the text.

Any idea how to reduce that to a bit smaller?

Currently it is not possible to convert a finding into a template. This function is useful because otherwise all fields of a finding have to be copied manually into a template.

Problem:
Using Version 0.96
Whenever I go into the designer I get a Aw,Snap! Chrome error once it is rendering the PDF

This is the output of the docker container logs

2023-06-22 10:11:41,595 [INFO] root: POST /api/v1/projecttypes/26cd20a9-2346-40f5-83d9-df7a971c86ac/lock/ 201 (user=reptor)
2023-06-22 10:11:42,982 [INFO] root: Function render_to_html took 0:00:01.388239
2023-06-22 10:11:43,816 [INFO] root: Function render_to_pdf took 0:00:00.833481
2023-06-22 10:11:43,816 [INFO] root: Function encrypt_pdf took 0:00:00.000003
2023-06-22 10:11:43,819 [INFO] root: Function render_pdf_task took 0:00:02.224996
2023-06-22 10:11:43,830 [INFO] root: POST /api/v1/projecttypes/26cd20a9-2346-40f5-83d9-df7a971c86ac/preview/ 200 (user=reptor)

This happens with the Demo Calzone v1.0, the Matrix 1.0 and the Margherita v1.0 design, as well as my own template.

It also happens when I try to render an actual report and not just in the designer.

I used the update.sh file to update to the latest version.

We have just seen that it is not possible to add images to templates. Therefore, if your template contains images, you have to add them to the corresponding finding every time. This is contrary to the purpose of a template and makes writing the report a lot more difficult.

Allow adding tags to projects to categorize them. It should be possible to filter projects for tags in the searchbar (similar to template tags).

Projects and designs can be copied. Currently there is no indicator if and from what project/design it was copied from. A reference to the original project should be added to the data model and UI.

Running the curl command from the docs produces an error.

curl -s https://docs.sysreptor.com/install.sh | bash                                               
Good to see you.
Get ready for the easiest pentest reporting tool.

Downloading SysReptor from https://github.com/syslifters/sysreptor/releases/latest/download/source-prebuilt.tar.gz ...
Checking download...
Unpacking sysreptor.tar.gz...
Creating app.env...
Generating secret key...
Generating data at rest encryption keys...
No license key found. Going with Community edition.
Creating docker volumes...
Volume: sysreptor-db-data
Volume: sysreptor-app-data
Build and launch SysReptor via docker compose...
We are downloading and installing all dependencies.
This may take a few minutes.
unknown shorthand flag: 'f' in -f
See 'docker --help'.

For some reason I'm getting blue color in Matrix theme:

 <template v-if="finding.references && finding.references.length > 0">
            <h4>References:</h4>
            <ul id="ul-references">
              <template v-for="reference in finding.references">
                <li><a :href="reference">{{ reference }}</a></li>
              </template>
            </ul>
          </template>

I modified this a bit, but the ul-references ID is not being applied to the field. The links show up like:

Hi there,

If we want to synchronize between multiple devices / servers or workstations, which folder would we need to sync to keep the data intact?

I'm considering a situation where someone wants to rework remotely and has no internet access on-site and has Docker on their laptop, they can spin it up after the online copy of templates, reports, findings is synced to the machine then go offline.

Then when they're back online it'll sync back to the master server.

Is there a specific folder?

Discussed in #13

Currently, the findings Object does not expose the CVSS3.1 subscores "Exploitability" and "Impact". The following snipped shows an exemplary findings Object, which only stores the "cvss base score" named as score.

{ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "score": "8.6", "level":"high", "level_number": 4 }

However, these scores are useful, if you want to use these values in your report/design or if you want to calculate your own scoring system. Implementation should be easy as these subscores are already calculated.

Hello,

I've attempted to install Sysreptor on my Ubuntu machine with version 22.04.1. My Docker version is 20.10.21, and docker-compose is 1.25.0.
However, I'm encountering an error message stating "unknown shorthand flag: 'f' in -f" after the dependency download.

Is there a solution available for this issue?

Thank you.

curl -s https://docs.sysreptor.com/install.sh | bash
Good to see you.
Get ready for the easiest pentest reporting tool.

Downloading SysReptor from https://github.com/syslifters/sysreptor/releases/latest/download/source-prebuilt.tar.gz ...
Checking download...
Unpacking sysreptor.tar.gz...
deploy/app.env exists. Will not create new secrets.
No license key found. Going with Community edition.
Creating docker volumes...
Volume: sysreptor-db-data
Volume: sysreptor-app-data
Build and launch SysReptor via docker compose...
We are downloading and installing all dependencies.
This may take a few minutes.
unknown shorthand flag: 'f' in -f
See 'docker --help'.

Usage:  docker [OPTIONS] COMMAND

This will allow us to create labels with percentages in the pie-diagrams etc.

• https://chartjs-plugin-datalabels.netlify.app/
• https://github.com/chartjs/chartjs-plugin-datalabels

License is MIT.

Hi,
first of all, nice project! I tested already an early version and wanted now to install the latest version on a new vm.

Installation script works fine but I only get this page without the possibility to login.

Network analytics says, that one endpoint cant be accessed (not sure if this is the problem)

Thanks for any hint!
BR,

Sec

Hello!
There was a problem installing Sysreptor. Unable to get packages from Debian repository.
Would this be a temporary issue? Would it be the case to change the source of the Debian repository to another region?

Error output:

=> ERROR [app api-dev 2/9] RUN apt-get update && apt-get install -y --no-install-recommends         chromium         curl         fontconfig         fonts-noto         fonts-noto-mono         fonts-not  4.6s
------
 > [app api-dev 2/9] RUN apt-get update && apt-get install -y --no-install-recommends         chromium         curl         fontconfig         fonts-noto         fonts-noto-mono         fonts-noto-ui-core         fonts-noto-color-emoji         gpg         gpg-agent         libpango-1.0-0         libpangoft2-1.0-0         unzip         wget         postgresql-client     && rm -rf /var/lib/apt/lists/*:
#0 0.433 Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
#0 0.465 Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
#0 0.470 Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
#0 0.677 Get:4 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
#0 1.066 Get:5 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [244 kB]
#0 1.099 Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.8 kB]
#0 1.345 Ign:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages
#0 1.577 Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.8 kB]
#0 1.834 Ign:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages
#0 2.091 Ign:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages
#0 2.315 Err:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages
#0 2.315   Error reading from server - read (104: Connection reset by peer) [IP: 199.232.114.132 80]
#0 2.912 Fetched 8635 kB in 3s (3415 kB/s)
#0 2.912 Reading package lists...
#0 3.723 E: Failed to fetch http://deb.debian.org/debian/dists/bullseye-updates/main/binary-amd64/Packages  Error reading from server - read (104: Connection reset by peer) [IP: 199.232.114.132 80]
#0 3.723 E: Some index files failed to download. They have been ignored, or old ones used instead.
------
failed to solve: executor failed running [/bin/sh -c apt-get update && apt-get install -y --no-install-recommends         chromium         curl         fontconfig         fonts-noto         fonts-noto-mono         fonts-noto-ui-core         fonts-noto-color-emoji         gpg         gpg-agent         libpango-1.0-0         libpangoft2-1.0-0         unzip         wget         postgresql-client     && rm -rf /var/lib/apt/lists/*]: exit code: 100
Ups. Something did not work while bringing up your containers.

Thanks!

URL: /designs/7...ea/pdfdesigner/
Browser: Chrome
Setup: Self Hosted docker

I had an issue with the PDF Previewer crashing after a few seconds, even though the auto reload or manual regeneration worked fine. My issues were that I had some HTML tags with the :id attribute, rather than the normal HTML id attribute. Which is an easy copy/paste or typo mistake.

However, when the PDF Previewer is crashing no error messages are shown.

For this I suggest to add to the documentation (https://docs.sysreptor.com/designer/debugging/) for self-hosted users to:

1. Open the logging for the sysreptor-app container
2. Look for any lines with Chromium messages, this will have error message under the key message to investigate any issues within the template.
3. Another error message to look for starts with weasyprint

I guess a long term solution is the implementation of an "error log" or similar that can be accessed during the design phase.

However, some error message are useless i.e:

2023-05-19 16:36:02,878 [INFO] root: Chromium messages: [ErrorMessage(level=<MessageLevel.WARNING: 'warning'>, location=None, message='Invalid prop: type check failed for prop "text". Expected String with value "[object Object],[object Object]", got Array ', details='at <Markdown>\nat <Anonymous>'), ErrorMessage(level=<MessageLevel.WARNING: 'warning'>, location=None, message='Component is missing template or render function.', details='at <Anonymous>\nat <Markdown>\nat <Anonymous>')]

Hi there,

Any idea how to make this code block align with the rest of the text on the right side?

Any way to use markdown to specify the <pagebreak/>?

=> ERROR [api-dev 6/10] RUN chmod +x /app/api/download_fonts.sh && /app/api/download_fonts.sh 2.7s

[api-dev 6/10] RUN chmod +x /app/api/download_fonts.sh && /app/api/download_fonts.sh:
#0 0.361 Downloading Open Sans from https://fonts.google.com/download?family=Open+Sans
#0 1.177 Downloading Roboto Flex from https://fonts.google.com/download?family=Roboto+Flex
#0 1.777 Downloading Roboto Serif from https://fonts.google.com/download?family=Roboto+Serif

failed to solve: process "/bin/sh -c chmod +x /app/api/download_fonts.sh && /app/api/download_fonts.sh" did not complete successfully: exit code: 8
Ups. Something did not work while bringing up your containers.

Issue

Horizontal input are overflowing the window if the text is too long.

Solution

Add cm-lineWrapping class to the parent container.

Environment

• Sysreptor version 0.110
• Firefox 116.0.1

Hi,
the install script is currently failing without an error because stderr is redericted to /dev/null on importing of the templates. If I run the command by hand the error shows up and seems to be related to the recent translation changes.

curl -s "$url" | docker compose exec --no-TTY app python3 manage.py importdemodata --type=template
2023-08-02 20:16:56,291 [ERROR] reportcreator_api.archive.import_export.import_export: Error while importing archive. Rolling back import.
Traceback (most recent call last):
  File "/app/api/reportcreator_api/archive/import_export/import_export.py", line 155, in import_archive
    raise error
  File "/app/api/reportcreator_api/archive/import_export/import_export.py", line 146, in import_archive
    serializer.is_valid(raise_exception=True)
  File "/usr/local/lib/python3.10/site-packages/rest_framework/serializers.py", line 235, in is_valid
    raise ValidationError(self.errors)
rest_framework.exceptions.ValidationError: {'format': [ErrorDetail(string='Invalid format: expected "templates/v2" got "templates/v1"', code='invalid')], 'translations': [ErrorDetail(string='This field is required.', code='required')]}
Traceback (most recent call last):
  File "/app/api/manage.py", line 22, in <module>
    main()
  File "/app/api/manage.py", line 18, in main
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.10/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.10/site-packages/django/core/management/__init__.py", line 436, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.10/site-packages/django/core/management/base.py", line 412, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.10/site-packages/django/core/management/base.py", line 458, in execute
    output = self.handle(*args, **options)
  File "/app/api/reportcreator_api/management/commands/importdemodata.py", line 46, in handle
    imported = import_func(f)
  File "/app/api/reportcreator_api/archive/import_export/import_export.py", line 196, in import_templates
    return import_archive(archive_file, serializer_classes=[FindingTemplateExportImportSerializerV2, FindingTemplateImportSerializerV1], context={'uploaded_by': uploaded_by})
  File "/usr/local/lib/python3.10/contextlib.py", line 79, in inner
    return func(*args, **kwds)
  File "/app/api/reportcreator_api/archive/import_export/import_export.py", line 170, in import_archive
    raise ex
  File "/app/api/reportcreator_api/archive/import_export/import_export.py", line 155, in import_archive
    raise error
  File "/app/api/reportcreator_api/archive/import_export/import_export.py", line 146, in import_archive
    serializer.is_valid(raise_exception=True)
  File "/usr/local/lib/python3.10/site-packages/rest_framework/serializers.py", line 235, in is_valid
    raise ValidationError(self.errors)
rest_framework.exceptions.ValidationError: {'format': [ErrorDetail(string='Invalid format: expected "templates/v2" got "templates/v1"', code='invalid')], 'translations': [ErrorDetail(string='This field is required.', code='required')]}