
Below are the steps to incorporate the automated defect creation process.

  1. Create a Defect Tracker instance by going to Integrations -> Defect Trackers (refer to the Create Defect Tracker page for more info).

  2. Create a defect profile which fills out all required fields for that configured defect tracker by clicking the “Show Default Profiles” button, then clicking the “Create Profile” button.

  3. Open the Application Detail page for the application you wish to configure automated defect creation on and select the Top Action Menu -> Manage Defect Trackers -> Edit Defect Trackers.

  4. Click the “Add Defect Tracker” button to select the configured defect tracker you would like associated to this application.

  5. Click the “Change Profile” button to expand all configured profiles for this defect tracker and select a profile to be the default profile (ensure you select a default profile that fills all required fields).

  6. Go to the Manage Policies page under Customize -> Policies.

  7. Select the Defect Reporters tab, click the “Create Defect Reporter” button and select the criteria for which you would like to auto-create defects.

    1. First, by selecting the Severity you would like automated defects to be created for, you can dictate when to create a defect. For example, if you select Severity "High" and choose the "Or Greater" option, a defect will be created any time a new vulnerability is introduced with a High or Critical Severity.

    2. The Group By options let you bundle similar vulnerabilities or severities into a single defect to reduce the noise created by a bad check-in or a particularly troubled new feature. Choose between no grouping, bundling by identical CWEs, bundling by identical Severities, or bundling by identical CWEs per Severity. If you choose "CWE and Severity", for example, all Critical XSS vulnerabilities would be grouped into a single defect, with all High XSS vulnerabilities grouped into a separate defect.

  8. Click the “Applications” button for the policy you just defined.

  9. Start typing the name of the application you wish to add, select it from the drop-down list, and click the 'Add Application' button. Repeat if you want to add more applications.

  10. You'll receive confirmation that the defect tracker was added.

After the above steps, when you upload a scan into the ThreadFix application, ThreadFix will submit defects for new vulnerabilities that meet the specified criteria (i.e., automated defects will not be created for existing vulnerabilities).
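The following Python script is an added example, not ThreadFix code, that simulates how a Defect Reporter's criteria from step 7 (a Severity threshold with the "Or Greater" option, and the four Group By modes) decide which defects get opened for one uploaded scan, honouring the rule above that only new vulnerabilities are reported. The Vulnerability record, its field names, the set of lower severity levels, the sample findings and the set of already-known vulnerability ids are all constructed assumptions; only the severity names High and Critical and the Group By mode names come from the page.

```python
from collections import defaultdict
from dataclasses import dataclass

# Severity ordering used for the "Or Greater" option. The page names High and
# Critical; the lower levels listed here are an assumption for illustration.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Grouping modes offered on the Defect Reporter page.
GROUP_MODES = ("None", "CWE", "Severity", "CWE and Severity")


@dataclass(frozen=True)
class Vulnerability:
    """Minimal vulnerability record (field names are assumptions)."""
    vuln_id: str
    cwe: int
    severity: str
    location: str


def meets_threshold(vuln, severity, or_greater):
    """True if the vulnerability's severity satisfies the reporter's criterion."""
    if severity not in SEVERITY_RANK or vuln.severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {severity!r} / {vuln.severity!r}")
    if or_greater:
        return SEVERITY_RANK[vuln.severity] >= SEVERITY_RANK[severity]
    return vuln.severity == severity


def group_key(vuln, group_by):
    """Bucket a vulnerability according to the reporter's Group By setting."""
    if group_by == "None":
        return (vuln.vuln_id,)  # no grouping: one defect per vulnerability
    if group_by == "CWE":
        return (vuln.cwe,)
    if group_by == "Severity":
        return (vuln.severity,)
    if group_by == "CWE and Severity":
        return (vuln.cwe, vuln.severity)
    raise ValueError(f"unknown Group By mode: {group_by!r}")


def plan_defects(scan_vulns, existing_ids, severity, or_greater, group_by):
    """Return the defects a reporter would open for one uploaded scan.

    Vulnerabilities whose id is already in existing_ids are skipped, matching
    the rule that existing vulnerabilities never trigger automated defects.
    The result is a deterministically ordered list of dicts holding the group
    key and the member vulnerability ids.
    """
    new_matching = [
        v for v in scan_vulns
        if v.vuln_id not in existing_ids and meets_threshold(v, severity, or_greater)
    ]
    buckets = defaultdict(list)
    for v in new_matching:
        buckets[group_key(v, group_by)].append(v.vuln_id)
    return [
        {"group": key, "vulnerabilities": sorted(ids)}
        for key, ids in sorted(buckets.items(), key=lambda kv: [str(p) for p in kv[0]])
    ]


# Constructed sample scan: a bad check-in introducing several XSS (CWE-79)
# findings plus one SQL injection (CWE-89) finding.
SAMPLE_SCAN = [
    Vulnerability("v1", 79, "Critical", "/search?q="),
    Vulnerability("v2", 79, "High", "/profile/name"),
    Vulnerability("v3", 79, "Critical", "/comments"),
    Vulnerability("v4", 89, "High", "/api/orders?id="),
    Vulnerability("v5", 79, "Critical", "/login"),  # already tracked before this upload
    Vulnerability("v6", 79, "Medium", "/help"),     # below a "High or Greater" threshold
]
# Ids of vulnerabilities the application already had before this scan (constructed).
EXISTING_IDS = {"v5"}

if __name__ == "__main__":
    for mode in GROUP_MODES:
        defects = plan_defects(SAMPLE_SCAN, EXISTING_IDS, "High", True, mode)
        print(f"Group By {mode!r}: {len(defects)} defect(s)")
        for d in defects:
            print("  ", d["group"], "->", d["vulnerabilities"])
```

Running it with the "High or Greater" criterion shows the noise-reduction trade-off from step 7.2: no grouping opens four defects, "CWE" opens two, "Severity" opens two, and "CWE and Severity" opens three (the two Critical XSS findings share one defect, the High XSS finding and the High SQL injection finding each get their own). v5 never appears because it was already known, and v6 never appears because Medium is below the threshold.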