This section outlines the ThreadFix Defect Tracker (tool) support.

Introduction

ThreadFix currently supports these Defect Trackers:

  • Bugzilla

  • HP Quality Center

  • JIRA [On Premise, On Demand]

    📙 You will learn

    Prerequisites

    Audience: IT Professional or End User
    Difficulty: Basic, Intermediate or Advanced
    Time needed: Approximately __ minutes
    Tools required: If any

    This section outlines the ThreadFix Defect Tracker (tool) support.

    Introduction

    ThreadFix supports Defect Trackers; this support involves two primary functions. The first is to bundle and export ThreadFix vulnerabilities into the tracker's defect format. The second is to get the current status of the defect from the tracker and update the ThreadFix vulnerabilities.

    Supported Defect Trackers

    ThreadFix currently supports these Defect Trackers:

    Bugzilla

    Bugzilla is a popular open-source defect tracking system created by the Mozilla Foundation, the developers of Firefox. The Bugzilla website has more information about its features and installation.

    HP Quality Center (acquired by Micro Focus)

    This no longer seems to exist, not on HP’s website and support for it seems to be gone too. Seems to have been replaced with https://www.microfocus.com/en-us/products/alm-quality-center/overview

    Hewlett-Packard's Quality Center is quality management software featuring defect and requirements tracking. It is available as a free, open-source Community Edition or as a paid Enterprise version. The Enterprise version has an expanded feature set and technical support. Installation of HPQC Enterprise can be on premise, or is available in a SaaS implementation. More information regarding HP Quality Center is available on the HP website.

    JIRA

    Atlassian's JIRA is a project management and issue tracking application, geared toward agile development. Users can install JIRA on their own server, or use a hosted, SaaS solution. More information is available on the Atlassian website. OAuth is supported in ThreadFix for JIRA.

    To be able to submit defects, the JIRA user account must have these permissions: Browse Projects, Create Issues and Assign Issues. If the project does not allow non-assigned issues, at least one user must also have the Assignable User permission.

    ThreadFix leverages JIRA’s Status and Status Category* fields to determine if a defect is Open (red) or Closed (green). Note: If the Status Category is available, ThreadFix prioritizes it over Status.

    JIRA has three status categories: To Do, In Progress, and Done. If a defect has a Status Category of “Done”, it is considered Closed in ThreadFix. The status of “Resolved” falls under the “Done” category.

    JIRA allows users to create and map various statuses to different categories but does not allow users to create new categories.
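
Because any custom status mapped to the Done category shows as Closed, it helps to list which workflow statuses fall there. The following is an added example, not ThreadFix code: it applies the rule described above to a constructed sample shaped like the response of JIRA's `GET /rest/api/2/status` endpoint. The function names, the sample statuses and the fallback list of closed status names are assumptions made for illustration.

```python
import json

# Constructed sample, shaped like the array returned by JIRA's
# GET /rest/api/2/status endpoint and trimmed to the fields used here.
SAMPLE_STATUSES = json.loads("""
[
  {"name": "Open",      "statusCategory": {"key": "new", "name": "To Do"}},
  {"name": "In Review", "statusCategory": {"key": "indeterminate", "name": "In Progress"}},
  {"name": "Resolved",  "statusCategory": {"key": "done", "name": "Done"}},
  {"name": "Won't Fix", "statusCategory": {"key": "done", "name": "Done"}},
  {"name": "Duplicate", "statusCategory": {"key": "done", "name": "Done"}},
  {"name": "Closed"}
]
""")

# Assumption (not stated on this page): status names counted as closed
# when a status carries no Status Category at all.
FALLBACK_CLOSED_NAMES = {"closed", "resolved", "done"}


def threadfix_view(status):
    """Return 'Closed' or 'Open' for one JIRA status object.

    Status Category takes priority when present; only 'Done' is Closed.
    """
    category = status.get("statusCategory") or {}
    if category.get("key") or category.get("name"):
        is_done = category.get("key") == "done" or category.get("name") == "Done"
        return "Closed" if is_done else "Open"
    name = (status.get("name") or "").strip().lower()
    return "Closed" if name in FALLBACK_CLOSED_NAMES else "Open"


def closed_without_fix(statuses, remediated_names):
    """Names of statuses that show as Closed but are not in the team's
    own list of statuses that mean the vulnerability was remediated."""
    remediated = {n.strip().lower() for n in remediated_names}
    return [
        s["name"]
        for s in statuses
        if threadfix_view(s) == "Closed"
        and s["name"].strip().lower() not in remediated
    ]


if __name__ == "__main__":
    for s in SAMPLE_STATUSES:
        print(f"{s['name']:<10} -> {threadfix_view(s)}")
    print("Review:", closed_without_fix(SAMPLE_STATUSES, ["Resolved", "Closed"]))
```

Statuses returned by `closed_without_fix` are the ones worth reviewing in the JIRA workflow, since a vulnerability whose defect lands in one of them turns green without having been remediated.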

    Microsoft Visual Studio Team Foundation Server / VSTS

    Microsoft's Visual Studio Team Foundation Server is a version control and project management platform aimed at developing Windows applications.  This application shares the same API as Visual Studio Team Services. More details about Team Foundation Server are on Microsoft's website. For info on how to configure security on the VSTS side, see the corresponding section at the bottom of this article.

    VersionOne

    VersionOne is an Application Lifecycle Management platform, designed with agile and lean development methodologies as its focus. Read more about its features and capabilities on the VersionOne website.

    IBM Rational ClearQuest

    IBM Rational ClearQuest is a database workflow application development and production system. You can read more about its features on the IBM Rational ClearQuest website.

    Rally (CA Agile Central)

    Rally (now CA Agile Central) is an enterprise-class platform that's purpose-built for scaling agile development practices. It provides a hub for teams to collaboratively plan, prioritize and track work on a synchronized cadence. You can read more about its features and capabilities on the CA Technologies website.

    Creating a Defect Tracker

    Example Configuration Using JIRA

    Creating a defect tracker in ThreadFix follows the same process for every supported tracker. The following example walks through the process using JIRA.

    Set up Defect Tracker

    You must complete two actions before submitting a defect from ThreadFix. First, you need to create the defect tracker within ThreadFix. Then, you must attach that defect tracker to an application in ThreadFix.

    Create a Defect Tracker

    To set up JIRA as a defect tracker in ThreadFix:

    1. From the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.

    2. To create a new Defect Tracker, click the Create New Tracker button.

    3. A New Defect Tracker modal will appear. Complete the form using the credentials for a JIRA account; ensure that the Type dropdown list is set to JIRA.

      For JIRA Cloud customers who are using username and password:

      • For the Default Username, enter the JIRA profile's email address. For the Default Password, enter the profile's API token (create one, if it doesn't exist).

      • The above is supported as of ThreadFix version 2.7.3 (equivalent for 3x support version?); earlier versions don't support email usernames nor API authentication.

      For on-premise JIRA deployments that don't support API tokens, use username/password basic authentication; using the email address for the username is supported as of version 2.7.3 (equivalent for 3x support version?).

    4. As of ThreadFix version 2.8.1, to configure a Jira Defect Tracker using username/password, select Basic Auth for Auth Type. Confirm this does not exist in 3x? (at least not in 3.0.6+?)

    5. Click the Get Product Names button. A Product Names drop-down will appear, populated with the products from the user's JIRA server. Select the product associated with the application and click the Create Defect Tracker button.


    Upon creation, validation of the URL takes place. If the URL is malformed, a URL is invalid error message will be received. If ThreadFix is unable to communicate with the JIRA instance because of a mistyped URL, a URL is not associated with selected defect tracker message will be received.

    Attach Defect Tracker

    1. Navigate to the details page of the application that needs a tracker attached to it. Once on the application’s detail page, click the Action drop-down button, highlight Manage Defect Trackers and select Edit Defect Trackers.

    2. The Manage Defect Trackers for Application <application name> page displays a list of attached defect trackers, if any.

    3. To attach a defect tracker to the application, click the Add Defect Tracker button. A modal dialogue will appear.

    4. For the Defect Tracker, from the drop-down list select the created JIRA Defect Tracker. Then either select the Use Default Credentials checkbox or fill in the Username and Password fields with the necessary credentials. The defaults are the credentials supplied when the JIRA Defect Tracker was created.

    5. If there is a default product defined in JIRA, users may select the Use Default Product checkbox. If not, or to select a different product, click the Get Product Names button. After JIRA verifies the credentials, a Product Name drop-down appears.

    6. Select the JIRA product that is associated with the application and click the Add Defect Tracker button.

    7. The added defect tracker will now appear in the Defect Trackers page.

    Submit Defects

    1. To submit a defect to the defect tracker, expand a section in an application's vulnerability tree.

    2. Either select the instance(s) of the vulnerability(ies) to submit to the tracker, or select the Check All checkbox to select all instances.

    3. Click on the lower Action button, highlight Create Defect, then select <defect tracker name>.

    4. A Submit Defect modal will appear; fill out the fields and click the Submit Defect button. A success message will appear at the top of the screen.

    5. Opening the vulnerability in the tree now shows these issues opened and assigned in the JIRA defect tracker.

    6. If you click on the defect badge, another window will open to the defect in JIRA.

    Add to Existing Defect

    Users can add one or more vulnerabilities to an existing defect.

    1. Either select the instance(s) of the vulnerability(ies) or select the Check All checkbox to select all instances.

    2. Click on the lower Action button, highlight Add to Existing Defect and select <defect tracker name>.

    3. In the Add to Existing Defect modal, enter the defect ID and click the Submit Defect button.

    4. Just like when creating a new defect, ThreadFix will add a badge to the vulnerability(ies) with the defect ID and its status.

    Update Defect Status

    If the issue is closed in JIRA, users can request an update for the defects in ThreadFix on the application’s details page.

    1. Click on the upper Action button, highlight Manage Defect Trackers and select Update Defect Status.

    2. ThreadFix will get the current status of all defects submitted for the application and update the label accordingly if one or more defects are closed.

    3. Refresh the page to see the updated status. Need help with an updated screenshot showing an updated defect status for the example submitted above.

    Creating a Defect Status Update Schedule

    Continue

    Once one or more defect trackers are configured, users can create a schedule or schedules to automatically check their status for changes. This removes the need to manually update the defect status to see if an issue has been resolved by a development team or not.

    1. First, return to the Defect Trackers page: from the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.

    2. Select the Scheduled Updates tab and click the Schedule New Update button. This brings up a Defect Tracker Update modal which contains scheduling options.

    3. Select the time and frequency for when to run the status update check. Users can alternatively define a Cron expression. Click the Add Scheduled Update button to save it to the list of defect status update schedules.

    Optionally, an “Update status for deleted defects” checkbox is provided. If selected, this option will allow ThreadFix to update each defect, including marking deleted defects as “Issue not found”.

    Users may create as many of these as desired; however, each one will run at the requested time. Some defect trackers require an API call per defect to determine status, so the user could inadvertently overwhelm their defect server if these are scheduled too frequently.

    Defect Profiles

    To help make the process of submitting a defect more efficient, users can create and use defect profiles, which save the effort of filling out certain fields in the submission form. The following uses Jira, as with the above examples, for a user who wants to create a profile that preselects the type of defect and fills out several fields.

    Access the Defect Trackers page by clicking Configuration (cog) → Integrations → Defect Trackers.

    Click the Show Default Profiles button and then (Is this prior accurate?).

    1. From the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.

    2. Click the Show Default Profiles button; this will display a field for existing profiles and add a Create Profile button.

    3. Click the Create Profile button.

    4. Give the profile a name, select a product, then click Add new Default Profile.

      Note the Name field has a 2 character limit.

    5. Recommended options to select for this portion below? Fill out the desired fields in the Set Defect Defaults form. Note tags can be used to help automate some of the content, like the severity, scanner vulnerability name, etc. (hover over the tags at the top for a description). When finished, click the Update Defaults button.

    A confirmation banner will display showing the defaults were updated for the specified defect profile, and the profile will be listed within the Profile list. Create more as necessary.

    To use a profile when submitting a defect, select it from the top pull-down menu, and the default values will appear in the form; you may edit as needed and submit the defect when done. Note that the values corresponding with tags in the profile will appear in the form.

    VSTS / TFS / Azure DevOps - Security Configuration

    In order to set up an integration between ThreadFix and VSTS, a Personal Access Token is required.

    1. In VSTS, click on the profile icon toward the top right of the screen and select Personal access tokens from the menu.

    2. From there create a Personal Access Token.

    3. When creating the integration on the ThreadFix side, select Microsoft TFS in the Type menu, enter the organization's http://visualstudio.com (or dev.azure.com) URL and credentials, then click the Get Product Names button to select the desired project.

      Note the username can be anything as long as the field is not left blank.

      Is there a url I can use for a fresh screenshot of the image below?

    OAuth Support for JIRA - Security Configuration

    OAuth is supported for Jira as of version 2.8.1. Please note OAuth 2.0 is not yet supported (any change on this?).

    1. First configure Application links in JIRA to support OAuth. Then, within ThreadFix, navigate to Global → Administration → System Settings → Other Settings (tab) → OAuth Jira (heading). Provide the following details:

      1. Jira URL: URL of Jira where OAuth is configured.

      2. Consumer Key: The key assigned to JIRA by the service provider.

      3. Private Key: Signed Private Key.
        Is this a removed feature? I don’t see this in 3x

    2. After providing the details, click on the Populate Authorization Token URL button. This will generate a temporary Authorization Token URL. Click on the here link in For retrieving request token go to here and authorize it. This will expire in 10 minutes.

    3. The link navigates to a permission page in JIRA. Allow the permission.

    4. After allowing the permission, a verification code will be generated.

    5. Copy and paste the verification code into the Secret Key text field in ThreadFix and click on the Populate Access token button. A new Access token is generated and will be active for 5 years.

    Configuring Defect Tracker using Access Token

    Jira can be set up as a defect tracker in ThreadFix.

    1. From the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.

    2. To create a new Defect Tracker, click the Create New Tracker button and select JIRA as Type.

    3. Select OAuth Token for Auth Type. Url and Access Token will be automatically filled. This doesn’t appear for me in order to proceed.

      Image Modified

    4. Click the Get Product Names button. A Product Names dropdown will appear, populated with the products from the user’s JIRA server. Select the product associated with the application and click the Create Defect Tracker button.

    Upon creation, validation of the URL takes place. If the URL is malformed, a URL is invalid error message will display. If ThreadFix is unable to communicate with the JIRA instance because of a mistyped URL, a URL is not associated with selected defect tracker message will display.

    Attach Defect Tracker

    1. Navigate to the details page of the application that needs a tracker attached to it. Once on the application detail page, click the upper Action button, highlight Manage Defect Trackers and select Edit Defect Trackers.

    2. This will redirect to the Manage Defect Trackers for Application <application name> page, where attached defect trackers are listed, if any.

    3. To attach a defect tracker to the application, click the Add Defect Tracker button. A modal dialogue will appear.

    4. Choose JIRA as the Defect Tracker, then the Access Token will be automatically added to the text box.
      The modal below is not what I see

      [Image]

      This is what I see, is this just how it looks in 3x or does 2x currently match this and the one above is just very outdated?

      [Image]

    5. If a default product is defined in JIRA, select the Use Default Product checkbox. If not, or to select a different product, click the Get Product Names button. After JIRA verifies credentials, a Product Name dropdown appears.
      This is what I can see is it still correct?

      [Image]

    6. Select the JIRA product that is associated with your application and click the Add Defect Tracker button.
      Again I don't see modal like this below

      [Image]

      This is how it appears to me

      [Image]

    The added defect tracker will now appear in the Manage Defect Trackers page.

    To submit defects, follow the Submit Defects topic in this documentation page.
