factionsecurity / faction

Pen Test Report Generation and Assessment Collaboration
https://www.factionsecurity.com/
GNU General Public License v2.0
411 stars 27 forks

Feature requests, bug fixes and logic decisions #35

Closed HufferSec closed 5 months ago

HufferSec commented 7 months ago

I have been playing around with a lot of different reporting tools as of late trying to find the best fit. I really enjoy the feel of faction but have the following issues. As the title states there is a mix of requests/questions!

Bug fixes:

Finalized assessment locks consultants

If an assessment is finalized early, the assigned consultants are not set to free. This is an issue as for bigger consultancies, you may have 3 specialists on the project for a few days of the overall scope just to complete their section but then they cannot be assigned to another project.

Highlight color not working for scheduling

Highlight color doesn't work for notes when scheduling (it does for all other places referenced as far as I could discover) Scheduling: image Expected: image

Custom fields not reflecting on existing items

Custom fields only reflect on newly scheduled projects and newly created vulnerabilities inside new projects. I.e. if I have a vulnerability template and a month later add 4 custom fields, I have to create a new template manually to add the new fields, or likewise with an existing project, a client may request for x field to be added but that would require deleting the scheduled assessment, creating a new one and importing all data manually to support it. The latter is an edge case, but the issue is still present.

Feature requests:

Additional custom field support

Custom fields support very limited types, consisting of string, bool and list. It would be great to get support for more complex data types. A big example would be supporting the large text boxes / markdown boxes that are contained throughout the reports. Past this, 'object' support would be great. An example of where this could be used is in the likes of version control. Sysreptor offers this feature and it allows you to create, for example, a list of objects consisting of version number, consultant name, comment. That way with each new version you add an item to the list that generates the rest of the fields you require.

I think an amazing start would be to support the large text fields, but the object support would be super nice to have.

Graph support

Adding graphs into the report dynamically based on templates would be awesome. Specifically, I would be looking to create graphs based on the issues/vulnerabilities raised, such as number of vulnerabilities broken down by severity: image

Logic decisions

There are a few logic decisions that are neither bugs nor features but maybe just something to raise to see people's thoughts / if toggled support for them could be added to the config perhaps.

Finalized assessment cannot be reopened

We have cases where budgets clash and a client may not be able to schedule a retest assessment so we would consider the project complete. However, a few months later they will request a retest. Now we can use the docx we got from the initial reporting and manually update it but it would be great to be able to have a way to reopen a finalized assessment as opposed to creating a new assessment.

Finalized assessment cannot be deleted

Some clients in parts of the world have set requirements on data retention; this is a big EU issue. As it stands, not being able to delete a finalized report poses some problems, as clients that fall out of that retention window would need to either be manually deleted from the DB or we would have to flush the data out entirely, which isn't feasible with ongoing assessments. image

No overlap support for scheduling consultants

This somewhat relates to the thoughts behind my bug fix request 'Finalized assessment locks consultants'. You are unable to assign a consultant to more than one project. I understand why the logic would dictate not doing this, but in some cases it's required. It would be good to be able to overlap these, possibly with a warning message 'this consultant is assigned to x project on this date, are you sure...'.


Please note all these points were gathered over the weekend so I may have missed/overlooked stuff mentioned. If that's the case please direct me :).
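The two scheduling points above (consultants staying booked after an early finalization, and overlapping assignments with a warning instead of a hard block) can be illustrated with a small availability check. This is an added example, not Faction's own code: the `Assessment` model, the `finalized_on` field and the warning text are assumptions made here to show the logic, and the assessments are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Assessment:
    """Hypothetical assessment record (not Faction's data model)."""
    name: str
    start: date
    end: date
    consultants: Tuple[str, ...]
    # Set once the report is finalized; None while the assessment is ongoing.
    finalized_on: Optional[date] = None

    def effective_end(self) -> date:
        # An assessment finalized before its scheduled end releases its
        # consultants on the finalization date rather than the planned end.
        if self.finalized_on is not None and self.finalized_on < self.end:
            return self.finalized_on
        return self.end


def overlaps(a_start: date, a_end: date, b_start: date, b_end: date) -> bool:
    """Inclusive date-range overlap test."""
    return a_start <= b_end and b_start <= a_end


def booking_warnings(consultant: str, start: date, end: date,
                     assessments: List[Assessment]) -> List[str]:
    """Return one warning per existing assignment that overlaps the
    requested booking. An empty list means the consultant is free."""
    warnings = []
    for a in assessments:
        if consultant not in a.consultants:
            continue
        busy_until = a.effective_end()
        if overlaps(start, end, a.start, busy_until):
            warnings.append(
                f"{consultant} is assigned to {a.name} from {a.start} "
                f"to {busy_until}, are you sure?"
            )
    return warnings


def is_free(consultant: str, start: date, end: date,
            assessments: List[Assessment]) -> bool:
    return not booking_warnings(consultant, start, end, assessments)


# Constructed sample schedule: "alice" finished the first assessment a week
# early, so the remaining scheduled days should not keep her marked as busy.
SAMPLE_ASSESSMENTS = [
    Assessment("Acme external", date(2024, 3, 4), date(2024, 3, 15),
               ("alice",), finalized_on=date(2024, 3, 8)),
    Assessment("Globex internal", date(2024, 3, 11), date(2024, 3, 13),
               ("bob",)),
]

if __name__ == "__main__":
    for who, s, e in [("alice", date(2024, 3, 11), date(2024, 3, 14)),
                      ("alice", date(2024, 3, 6), date(2024, 3, 7)),
                      ("bob", date(2024, 3, 12), date(2024, 3, 12))]:
        w = booking_warnings(who, s, e, SAMPLE_ASSESSMENTS)
        print(f"{who} {s}..{e}: {'free' if not w else w[0]}")
```

The booking is never refused; the caller decides whether to proceed after showing the warning, which is the overlap-with-confirmation behaviour the post asks for, while the `effective_end` rule is what makes an early-finalized assessment stop blocking its consultants.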

summitt commented 7 months ago

Hey @HufferSec Thanks for the feedback! I'll try to address all your points.

Finalized assessment locks consultants: I think you may be referring to this. image This just means the consultant is currently booked on another assessment at the same time BUT can still be added to another assessment. If I understand right, you would like it to show the consultant is free and ready to be booked on the next engagement if they completed the assessment early? I think that is something we should add if I'm understanding the request correctly. I just wanted to clarify that they can still be scheduled multiple times.

Highlight color not working for scheduling: Thanks for reporting I'll add it to the bug list!

Custom fields not reflecting on existing items: I need to think through this one a bit more. The reason this is done is to ensure that old assessments and reports are not modified once finalized as well as not changing or altering an existing assessment's data after it was started.

You can however update an ongoing assessment with newly added custom fields without deleting it. You just need to "Edit" the assessment and save it after the fields are added. This might not be an ideal solution for you as it would require you to open all ongoing assessments and re-save them. Does this satisfy your requirements though or can we do this better?

Finalized assessment cannot be reopened and Finalized assessment cannot be deleted: These are features that will be added soon. Originally when designing these we had requests about specifically not having the option to delete assessment data under any circumstances. We are going to make that configurable in upcoming releases.

No overlap support for scheduling consultants: I think this goes back to my point earlier. Maybe the platform could be more clear, but you can save a consultant to multiple projects at the same time. The "Not Free" tag is just a suggestion to let you know if there are others that are free. The calendar will also show you all the projects they are currently assigned to once you add them to the assessment. In the following screenshot "Super Admin" is scheduled for 2 other assessments (red) and about to schedule a new assessment (blue) that also overlaps.

image

Graph Support: This is something we are working on with the rollout of our app store at the end of the month. This is something that I think everyone will want to be highly customizable and we don't want to lock users into a certain style or limited options. More information about this will be available in early March with some examples.

Additional custom field support: We definitely want to expand to more data types in the future. Feedback like this helps us determine if we are on the right track with how we think people will use Faction. Also, our extension API allows you to take data in the custom fields (or any part of your report) and transform it into your reports with custom code (which might be like what sysreptor does). Might not be quite what you're looking for yet though as the extension API is getting many new improvements with the release of the App Store feature. More information will be available in March.

I hope I was able to address all of your points and thanks again for all of the feedback, it's really helpful.

HufferSec commented 7 months ago

Thanks for the detailed feedback, it helps a lot!

RE the locked accounts, I think some documentation on this or making it clearer would be a workable solution. There is no clear indicator that they are not locked although I suppose I really should have tried it rather than assuming!

The workaround for getting custom fields is fine for myself and it is a smart way of doing it but again possibly just needs to be documented or a tip on the custom fields section to inform you how to update it on existing projects would be good.

The main thing for myself really would be the additional custom field data type support OR the ability to extend it, so maybe the new additions could solve my issue by letting me customize it, but what I wouldn't want is to rely on processing outside of the app, which seems like what it might be based on the above, but correct me if I'm wrong / I will see when the support comes out. Personally, I would be looking to have those extended support text windows with formatting options such as bold, highlight etc. The rest stated above were just considerations to be made.