As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Upgrade from 2.8.4 to 2.8.5.1

The instructions below are for upgrading to version 2.8.5.1, not 2.8.5. If you downloaded the 2.8.5 artifact prior to January 7, 2022 (the existing ThreadFix-2.8.5.zip file now contains the 2.8.5.1 artifact), please re-download it and proceed with the instructions below. Contact support@threadfix.it if you need the download link or have questions.

You will learn

How to upgrade from 2.8.4 to 2.8.5.1

Prerequisites

Audience: IT Professional and/or End User
Difficulty: Advanced
Time needed: Approximately 60 minutes
Tools required: Tomcat, MySQL or MS SQL Server

ALWAYS PERFORM A FULL BACKUP OF YOUR DATABASE BEFORE ATTEMPTING ANY UPGRADE!

MySQL Server: You can run the mysqldump command from the MySQL server, e.g., mysqldump -u mydbuser -p mydatabase > path/to/backup.sql (we do not recommend using MySQL Workbench to perform the backup).

MS SQL Server: Using SSMS, right-click on the database, select Tasks → Back Up…, then choose the location & name of the backup file and click OK.

If you have any questions or concerns or if you wish to upgrade from an older version of ThreadFix, please reach out to our support team here: support@threadfix.it

ThreadFix Deployment Update

Follow these steps to deploy the updated version of ThreadFix:

  1. Stop the Tomcat instance on which ThreadFix is running.

  2. Move your current ThreadFix deployment directory from your Tomcat webapps folder into a backup directory.

    1. webapps directory location: //TOMCAT_HOME/webapps

  3. Copy the updated ThreadFix folder from your new artifact into your webapps directory.

    1. webapps directory location: //TOMCAT_HOME/webapps

  4. Copy the following files from your backed up ThreadFix directory to the newly updated ThreadFix directory:
    (FROM: <previous-threadfix-deploy>/WEB-INF/classes/ TO: <new-threadfix-deploy>/WEB-INF/classes/, except as noted below)

    1. custom.properties

    2. ESAPI.properties (See REQUIRED update below)

      1. Be sure that Log4jfactory is no longer referenced as the ESAPI.Logger in your ESAPI.properties.

      2. Replace with ESAPI.Logger=com.denimgroup.threadfix.logging.esapi.slf4j.CustomESAPISlf4jLogFactory in your upgraded ThreadFix 2.8.5.1 instance.

    3. jdbc.properties

    4. jms.properties

    5. threadfix.license

    6. If you've updated any of these in your previous deployment, copy them as well:

      1. <threadfix-deploy>/WEB-INF/security.xml (See REQUIRED update below)

        • Replace bean definition in security.xml file:

          <bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>

        • With:

          <bean id="velocityEngine" class="com.denimgroup.threadfix.service.saml.CustomSamlVelocityFactory" factory-method="getEngine"/>

      2. <threadfix-deploy>/WEB-INF/classes/security/samlKeystore.jks (and/or any other Java keystore that you've saved in this directory)

      3. Note: Do not copy log4j.xml. As of version 2.8.5.1, log4j.xml was replaced with logback.xml, so there’s no need to copy log4j.xml from your previous artifact.

        • Any changes that you had made in log4j.xml will need to be made in logback.xml if you want them to persist.

  5. Copy the velocityTemplates directory from your backed up ThreadFix directory to the newly-updated ThreadFix directory.
    (FROM: <previous-threadfix-deploy> TO: <new-threadfix-deploy>)


  6. In Linux environments, you may need to grant your tomcat user/group ownership and permissions to the newly-deployed artifact.
    Examples:

    sudo chown -R tomcat:tomcat /opt/tomcat
    sudo chmod -R 775 /opt/tomcat


  7. Cleanup - Delete the following:

    1. The contents of the <tomcat-deploy>/work directory

    2. Your web browser's cache/history
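As an added example (not ThreadFix's own tooling), the following POSIX shell script applies the two REQUIRED edits from step 4 and then checks the copied WEB-INF tree against the checklist above before Tomcat is restarted. The deploy directory argument and the placeholder file contents in the constructed fixture are assumptions.

```shell
# Added example, not part of the ThreadFix artifact. Pass the new deploy
# directory (e.g. /opt/tomcat/webapps/threadfix; path is an assumption).
NEW_LOGGER='com.denimgroup.threadfix.logging.esapi.slf4j.CustomESAPISlf4jLogFactory'
OLD_BEAN='org.springframework.security.saml.util.VelocityFactory'
NEW_BEAN='com.denimgroup.threadfix.service.saml.CustomSamlVelocityFactory'
# Rewrite ESAPI.Logger and the velocityEngine bean class in place (.bak kept). Idempotent.
apply_required_updates() {
    d="$1/WEB-INF"
    sed -i.bak "s|^ESAPI\.Logger=.*|ESAPI.Logger=$NEW_LOGGER|" "$d/classes/ESAPI.properties"
    [ -f "$d/security.xml" ] && sed -i.bak "s|$OLD_BEAN|$NEW_BEAN|g" "$d/security.xml"
    return 0
}
# Checklist: required files copied, logger off Log4j, old SAML bean gone,
# log4j.xml not copied, logback.xml present. Returns 0 only when all pass.
verify_deploy() {
    d="$1/WEB-INF"; rc=0
    for f in custom.properties ESAPI.properties jdbc.properties jms.properties threadfix.license; do
        [ -f "$d/classes/$f" ] || { echo "MISSING: WEB-INF/classes/$f"; rc=1; }
    done
    if [ -f "$d/classes/ESAPI.properties" ]; then
        grep -qxF "ESAPI.Logger=$NEW_LOGGER" "$d/classes/ESAPI.properties" \
            || { echo "ESAPI.Logger is not $NEW_LOGGER"; rc=1; }
        grep -qi '^ESAPI\.Logger=.*log4j' "$d/classes/ESAPI.properties" \
            && { echo "ESAPI.Logger still references a Log4j factory"; rc=1; }
    fi
    if [ -f "$d/security.xml" ] && grep -q "$OLD_BEAN" "$d/security.xml"; then
        echo "security.xml still uses $OLD_BEAN"; rc=1
    fi
    [ -f "$d/classes/log4j.xml" ] && { echo "log4j.xml must not be copied; use logback.xml"; rc=1; }
    [ -f "$d/classes/logback.xml" ] || { echo "MISSING: WEB-INF/classes/logback.xml"; rc=1; }
    return $rc
}
# Constructed fixture: a fresh 2.8.5.1 tree with the old config files dropped in
# (placeholder contents, not a real artifact).
make_fixture() {
    t=$(mktemp -d); mkdir -p "$t/WEB-INF/classes"
    for f in custom.properties jdbc.properties jms.properties threadfix.license logback.xml; do
        : > "$t/WEB-INF/classes/$f"
    done
    echo 'ESAPI.Logger=old.placeholder.Log4jfactory' > "$t/WEB-INF/classes/ESAPI.properties"
    printf '<bean id="velocityEngine" class="%s" factory-method="getEngine"/>\n' "$OLD_BEAN" \
        > "$t/WEB-INF/security.xml"
    echo "$t"
}
# Demo: the fixture fails the checklist before the required updates and passes after.
DEMO=$(make_fixture)
if verify_deploy "$DEMO"; then echo "unexpected: fixture passed before update"; fi
apply_required_updates "$DEMO"
if verify_deploy "$DEMO"; then echo "checklist passed: $DEMO"; fi
rm -rf "$DEMO"
```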

Before-Restart Database Updates

Database Updates

Do Not Restart Tomcat If Scripts Do Not Complete

If you receive an error when running before-restart database update scripts, please report the issue to Denim Group (create a ticket in Service Desk), including a screenshot of the script & error message.

You should NOT proceed to start Tomcat until the issue is resolved. If you do, Hibernate may make unrecoverable changes that will require you to restore your database from backup.

Caution/warning messages are OK; just not errors.

Run the script below that matches your database (MySQL or MS SQL Server):

MySQL:

UPDATE SeverityMap SET genericSeverityId = (SELECT id FROM GenericSeverity WHERE intValue=4) WHERE channelSeverityId = (SELECT id FROM ChannelSeverity WHERE channelTypeId=(SELECT id FROM ChannelType WHERE name = 'Nessus') AND numericValue=4);

DROP PROCEDURE IF EXISTS createEventVulnIdIndex;
DELIMITER $$
CREATE PROCEDURE createEventVulnIdIndex()
BEGIN
  IF NOT EXISTS (SELECT * FROM INFORMATION_SCHEMA.STATISTICS WHERE TABLE_NAME='Event' and INDEX_NAME='idx_event_vuln') THEN
    CREATE INDEX idx_event_vuln ON `Event` (vulnerabilityId);
  END IF;
END $$
DELIMITER ;
CALL createEventVulnIdIndex();
DROP PROCEDURE createEventVulnIdIndex;

ALTER TABLE Organization ADD CONSTRAINT unqOrgName UNIQUE (name);
ALTER TABLE Application ADD CONSTRAINT unqAppNameOrgId UNIQUE (name, organizationId);

INSERT INTO SelectOption (tip,value) VALUES ('Import all scans and it can take a while if you have many scans', 'All scans Netsparker');
INSERT INTO SelectOption (tip,value) VALUES (null, 'Most recent scan Netsparker');
INSERT INTO RemoteProviderAuthenticationField (name,placeholder,required,secret,type,applicationId) VALUES ('Import',null,1,0,'radiobutton',(SELECT id FROM RemoteProviderType where name = 'Netsparker Enterprise'));
INSERT INTO RemoteProviderAuthenticationField_SelectOption_Join(remoteProviderAuthenticationField_id,selectOptions_id) VALUES((SELECT rp_af.id FROM RemoteProviderAuthenticationField rp_af JOIN RemoteProviderType rp_t ON rp_af.applicationId = rp_t.id AND rp_t.name = 'Netsparker Enterprise' WHERE rp_af.name = 'Import'), (SELECT id FROM SelectOption WHERE value = 'All scans Netsparker' LIMIT 1));
INSERT INTO RemoteProviderAuthenticationField_SelectOption_Join(remoteProviderAuthenticationField_id,selectOptions_id) VALUES((SELECT rp_af.id FROM RemoteProviderAuthenticationField rp_af JOIN RemoteProviderType rp_t ON rp_af.applicationId = rp_t.id AND rp_t.name = 'Netsparker Enterprise' WHERE rp_af.name = 'Import'), (SELECT id FROM SelectOption WHERE value = 'Most recent scan Netsparker' LIMIT 1));
UPDATE SelectOption SET value = 'All scans' WHERE value = 'All scans Netsparker';
UPDATE SelectOption SET value = 'Most recent scan' WHERE value = 'Most recent scan Netsparker';
INSERT INTO RemoteProviderAuthenticationEntity(encryptedValue, value, remoteProviderAuthenticationFieldId, remoteProviderEntityId) (SELECT NULL, 'All scans', rpafId, rpeId FROM ((SELECT rpe.id AS rpeId FROM RemoteProviderEntity rpe INNER JOIN RemoteProviderType rpt ON rpt.id = rpe.remoteProviderTypeId WHERE rpt.name = 'Netsparker Enterprise') AS a, (SELECT id AS rpafId FROM RemoteProviderAuthenticationField WHERE name = 'Import' AND applicationId = (SELECT id FROM RemoteProviderType WHERE name = 'Netsparker Enterprise')) AS c));
MS SQL Server:

UPDATE SeverityMap SET genericSeverityId = (SELECT id FROM GenericSeverity WHERE intValue=4) WHERE channelSeverityId = (SELECT id FROM ChannelSeverity WHERE channelTypeId=(SELECT id FROM ChannelType WHERE name = 'Nessus') AND numericValue=4);
GO
CREATE PROCEDURE createEventVulnIdIndex AS
BEGIN
  IF NOT EXISTS(SELECT * FROM sys.indexes WHERE OBJECT_ID = OBJECT_ID('Event') AND NAME = 'idx_event_vuln')
    CREATE INDEX idx_event_vuln ON Event (vulnerabilityId);
END
GO
exec createEventVulnIdIndex;
GO
DROP PROCEDURE createEventVulnIdIndex;
GO
ALTER TABLE Organization ADD CONSTRAINT unqOrgName UNIQUE (name);
GO
ALTER TABLE Application ADD CONSTRAINT unqAppNameOrgId UNIQUE (name, organizationId);
GO
INSERT INTO SelectOption (tip,value) VALUES ('Import all scans and it can take a while if you have many scans', 'All scans Netsparker');
INSERT INTO SelectOption (tip,value) VALUES (null, 'Most recent scan Netsparker');
INSERT INTO RemoteProviderAuthenticationField (name,placeholder,required,secret,type,applicationId) VALUES ('Import',null,1,0,'radiobutton',(SELECT id FROM RemoteProviderType where name = 'Netsparker Enterprise'));
INSERT INTO RemoteProviderAuthenticationField_SelectOption_Join(remoteProviderAuthenticationField_id,selectOptions_id) VALUES((SELECT rp_af.id FROM RemoteProviderAuthenticationField rp_af JOIN RemoteProviderType rp_t ON rp_af.applicationId = rp_t.id AND rp_t.name = 'Netsparker Enterprise' WHERE rp_af.name = 'Import'), (SELECT TOP 1 id FROM SelectOption WHERE value = 'All scans Netsparker'));
INSERT INTO RemoteProviderAuthenticationField_SelectOption_Join(remoteProviderAuthenticationField_id,selectOptions_id) VALUES((SELECT rp_af.id FROM RemoteProviderAuthenticationField rp_af JOIN RemoteProviderType rp_t ON rp_af.applicationId = rp_t.id AND rp_t.name = 'Netsparker Enterprise' WHERE rp_af.name = 'Import'), (SELECT TOP 1 id FROM SelectOption WHERE value = 'Most recent scan Netsparker'));
UPDATE SelectOption SET value = 'All scans' WHERE value = 'All scans Netsparker';
UPDATE SelectOption SET value = 'Most recent scan' WHERE value = 'Most recent scan Netsparker';
INSERT INTO RemoteProviderAuthenticationEntity(encryptedValue, value, remoteProviderAuthenticationFieldId, remoteProviderEntityId) (SELECT NULL, 'All scans', (SELECT id AS rpafId FROM RemoteProviderAuthenticationField WHERE name = 'Import' AND applicationId = (SELECT id FROM RemoteProviderType WHERE name = 'Netsparker Enterprise')), (SELECT rpe.id AS rpeId FROM RemoteProviderEntity rpe INNER JOIN RemoteProviderType rpt ON rpt.id = rpe.remoteProviderTypeId WHERE rpt.name = 'Netsparker Enterprise'));
GO

Start Tomcat/ThreadFix

  1. Restart Tomcat/ThreadFix.

  2. Navigate to the login page to ensure that it loads as expected. If so, you may now log in and verify that the new version is installed; the version is included in the page footer after logging in.


www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.