ThreadFix Version Release Notes

For REST API updates, refer to the Change Log

3.1.0

October 2021

Note

When upgrading to 3.1, users must first be on the latest release, 2.8.4.

Security Enhancements

  • SQL injection and penetration-test security enhancements

  • Snyk integration security enhancements

  • The two bullets above correspond to the following tickets:

    • Task      TFN-2485            Validate PenTest security fix successfully gets merged in from 2.8/3.0.x

    • Task      TFN-2593            SQL Injection (High 4)

    • Task      TFN-2594            Information Exposure (High 1, Medium 32, Low 5)

    • Task      TFN-2729            Research and validate Data Access libraries usage of Restriction methods protect against SQL Injection

    • Story     TFN-2589            TF Snyk/assessment vulnerabilities

    • Task      TFN-2590            XML External Entity (XXE) Injection (High 2, Medium 6)

    • Task      TFN-2592            Deserialization of Untrusted Data (High 10, Medium 1)

    • Task      TFN-2595            Denial of Service (DoS) (High 2, Medium 5)

Key Updates

  • Qualys WAS integration performance enhancement

  • Improvement    DGTF-8386         [Infrastructure] Improve memory management of Qualys integration

  • Task      TFN-1541            UI - Update React to latest stable version

  • Fundamental and holistic rebuild of the ThreadFix architecture and deployment environment (please see the new environment requirements)

  • Full rewrite of our scan ingestion and processing logic, providing over 60x faster processing of raw scan data

  • Introduction of Remote Provider UI display cards and associated API

  • Remote provider import and scan ingestion statuses display on the Scan Queue page

  • Updates to the Scan Import Queue’s UI tooltips

  • Update to add a new Queue Management permissions level

New/Updated API

  • New GET ThreadFix application assets by import request ID API

  • New GET Remote Provider Import Requests API

  • New Pending Scan Status API

  • New Scan Queue Management report view API

  • Update to Remote Provider Import Request API

General Improvements

  • Improvements to user login session management

  • Task      DGTF-8433         Update Local/LDAP/SAML login flows to save session information to an external datastore

  • Task      DGTF-8434         Create custom kong plugin to handle additional session active

  • Task      DGTF-8435         Remove session check mechanism from all upstream services

  • Task      DGTF-8436         Update Local/LDAP/SAML logout flows to remove session from the external datastore

  • Task      DGTF-8442         Add a redis configuration to the docker and k8s deployments

  • Task      DGTF-8444         Remove the ability for a single user to have concurrent sessions
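As an added illustration (not ThreadFix code, and not the Kong plugin that DGTF-8434 describes), the sketch below models the session design these tickets describe: login writes the session to an external store, a gateway-side check validates it so upstream services need no session check of their own, logout removes it from the store, and a second login by the same user revokes the first session. The in-memory dictionaries stand in for the Redis deployment in DGTF-8442; the `X-Session-Id` header name, the TTL, and the request shape are assumptions made for the example.

```python
"""Single-active-session store checked at the gateway (illustrative, not ThreadFix code)."""
import secrets
import time


class SessionStore:
    """Stand-in for the external session datastore (Redis in the real deployment)."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self._sessions = {}       # session_id -> {"user": ..., "expires": ...}
        self._user_session = {}   # user -> session_id; one entry per user enforces a single session
        self.ttl = ttl_seconds
        self.clock = clock        # injectable for testing expiry

    def login(self, user):
        """Create a session for `user`, revoking any session the user already has."""
        previous = self._user_session.pop(user, None)
        if previous is not None:
            self._sessions.pop(previous, None)   # the older session is now invalid everywhere
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[session_id] = {"user": user, "expires": self.clock() + self.ttl}
        self._user_session[user] = session_id
        return session_id

    def logout(self, session_id):
        """Remove the session from the store; returns True if it existed."""
        entry = self._sessions.pop(session_id, None)
        if entry is None:
            return False
        if self._user_session.get(entry["user"]) == session_id:
            self._user_session.pop(entry["user"], None)
        return True

    def validate(self, session_id):
        """Return the owning user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if entry["expires"] <= self.clock():
            self.logout(session_id)              # lazily purge expired sessions
            return None
        return entry["user"]


def gateway_filter(store, request):
    """Gateway-side check standing in for the Kong plugin.

    Returns (status, user). Only this function consults the store; upstream
    services receive the resolved user and perform no session check of their own.
    The header name is an assumption for the example.
    """
    session_id = request.get("headers", {}).get("X-Session-Id")
    if not session_id:
        return 401, None
    user = store.validate(session_id)
    if user is None:
        return 401, None
    return 200, user


def demo():
    """Walk through login, a second login revoking the first, expiry and logout."""
    now = [1_000.0]
    store = SessionStore(ttl_seconds=60, clock=lambda: now[0])
    first = store.login("alice")
    second = store.login("alice")          # revokes `first`
    results = {
        "first_after_second_login": store.validate(first),
        "second_valid": gateway_filter(store, {"headers": {"X-Session-Id": second}}),
        "missing_header": gateway_filter(store, {"headers": {}}),
    }
    now[0] += 61                            # advance past the TTL
    results["second_after_expiry"] = store.validate(second)
    results["logout_of_expired"] = store.logout(second)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the store, not each upstream service, is the single source of truth, revoking a session (by logout, by expiry, or by a newer login for the same user) takes effect for every service behind the gateway at once, which is the property the "remove session check mechanism from all upstream services" task relies on.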

  • Leveraged new architecture to implement self-recovery for scan ingestion

  • New permission for toggling the Scan Ingestion Allow List flag on network settings [Tentative]

    • Task      TFN-1644            Create new Permission for toggling the Scan Ingestion whitelist flag on network settings

  • Improvements to Manual Vulnerability Actions

    • Task      TFN-2035            Update Manual Vulnerability Actions APIs/Controllers

    • Story     TFN-2088            Update Manual Vulnerability Actions

    • Task      TFN-2089            Reflect Queued Manual Vulnerability Actions in UI/API

    • Task      TFN-2266            Manual Vulnerability Update Technical Design

Miscellaneous tickets not reflected in the key updates/general improvements above

  • Task      TFN-2369            API - Add backend websocket support for Remote Provider Import Requests tab

  • Improvement    DGTF-7849         Refactor of the Defect Tracker

  • Story     TFN-2083            Scan Ingestion Events/Notifications

  • Task      TFN-2155            Review defenses against allowing multiple Remote Provider configurations of the same channel mapping to a single TF App

  • Task      TFN-2178            Configure queue management retention time from environment file for testing queue management page

  • Task      TFN-2455            Consume and store events for scan import activity/history to Event table to match 2.x

  • Task      TFN-2456            Consume and store Vulnerability history to Event table to match 2.x (Scan Uploads)

  • Story     TFN-2499            Queue Management v.2 Report Mode History & Behavior


  • Task      TFN-2615            Disable/remove 3.1 UI elements that don't work anymore


  • Task      TFN-2752            Snyk: Arbitrary Code Execution affecting hibernate

  • Task      TFN-2785            Snyk: org.jsoup:jsoup - Denial of Service

Full list of tickets selected for 3.1.0 (initial selection)

  • Improvement    DGTF-7849         Refactor of the Defect Tracker

  • Improvement    DGTF-8386         [Infrastructure] Improve memory management of Qualys integration

  • Task      DGTF-8433         Update Local/LDAP/SAML login flows to save session information to an external datastore

  • Task      DGTF-8434         Create custom kong plugin to handle additional session active

  • Task      DGTF-8435         Remove session check mechanism from all upstream services

  • Task      DGTF-8436         Update Local/LDAP/SAML logout flows to remove session from the external datastore

  • Task      DGTF-8442         Add a redis configuration to the docker and k8s deployments

  • Task      DGTF-8444         Remove the ability for a single user to have concurrent sessions

  • Task      TFN-1541            UI - Update React to latest stable version

  • Task      TFN-1644            Create new Permission for toggling the Scan Ingestion whitelist flag on network settings

  • Task      TFN-2035            Update Manual Vulnerability Actions APIs/Controllers

  • Story     TFN-2083            Scan Ingestion Events/Notifications

  • Story     TFN-2088            Update Manual Vulnerability Actions

  • Task      TFN-2089            Reflect Queued Manual Vulnerability Actions in UI/API

  • Task      TFN-2155            Review defenses against allowing multiple Remote Provider configurations of the same channel mapping to a single TF App

  • Task      TFN-2178            Configure queue management retention time from environment file for testing queue management page

  • Task      TFN-2266            Manual Vulnerability Update Technical Design

  • Story     TFN-2277            Queue Management Permissions

  • Task      TFN-2279            Scan Import Queue - Update UI statuses and explanatory tooltips

  • Task      TFN-2281            Remote Provider Import Activity UI Frame Buildout

  • Task      TFN-2284            UI - Apply Full-text tooltip for Scan Import Queue Page

  • Story     TFN-2291            Remote Provider Import Request Tab

  • Story     TFN-2292            UI - Full-text Tooltips

  • Task      TFN-2297            API - GET Remote Provider Import Requests

  • Task      TFN-2306            Pending Scan Status API Endpoint

  • Task      TFN-2307            Scan File Upload Response - Pending Scan Tracking Receipts

  • Task      TFN-2343            Refine available RP import and scan ingestion statuses

  • Task      TFN-2364            API - Get TF app assets by Import request id

  • Task      TFN-2367            Update RP Import Request API to return tracking receipt

  • Task      TFN-2369            API - Add backend websocket support for Remote Provider Import Requests tab

  • Task      TFN-2377            Scan Queue Management API - Add new endpoint to support Report View

  • Task      TFN-2435            Implement Health Check for AppSec Ingestion projects

  • Task      TFN-2451            API - Create an endpoint to support RP card details

  • Task      TFN-2455            Consume and store events for scan import activity/history to Event table to match 2.x

  • Task      TFN-2456            Consume and store Vulnerability history to Event table to match 2.x (Scan Uploads)

  • Task      TFN-2485            Validate PenTest security fix successfully gets merged in from 2.8/3.0.x

  • Story     TFN-2499            Queue Management v.2 Report Mode History & Behavior

  • Story     TFN-2589            TF Snyk/assessment vulnerabilities

  • Task      TFN-2590            XML External Entity (XXE) Injection (High 2, Medium 6)

  • Task      TFN-2592            Deserialization of Untrusted Data (High 10, Medium 1)

  • Task      TFN-2593            SQL Injection (High 4)

  • Task      TFN-2594            Information Exposure (High 1, Medium 32, Low 5)

  • Task      TFN-2595            Denial of Service (DoS) (High 2, Medium 5)

  • Task      TFN-2615            Disable/remove 3.1 UI elements that don't work anymore

  • Task      TFN-2729            Research and validate Data Access libraries usage of Restriction methods protect against SQL Injection

  • Task      TFN-2752            Snyk: Arbitrary Code Execution affecting hibernate

  • Task      TFN-2785            Snyk: org.jsoup:jsoup - Denial of Service

Tickets added after the 10/19 meeting

  • Epic TFN-1871 AppSec - VIP Service

  • Story TFN-1907 Migrate HAM

  • Bug TFN-2430 Users do not get notified if connection is lost with Remote Provider

  • Task TFN-2519 3.1 Ingestion SQL migration scripts

  • Task TFN-2547 Migrate GIT Repository Services

  • Task TFN-2628 Migrate Veracode Remote Provider Changes from 2.X to 3.X

  • Bug TFN-2771 Message handling exception occurred during merging of vulnerabilities due to duplicate key

  • Task TFN-2778 Scalability, Stability and Performance Stabilization

  • Bug TFN-2781 Retry cache capacity limit breached error seen after scan failure.

  • Bug TFN-2783 Scalability: Scan saved with same date twice into database

  • Bug TFN-2791 Queue page error when scans uploaded with high velocity updates

  • Bug TFN-2801 Error messages on 3.1.0 develop branch with Veracode RP Import All

  • Sub-task TFN-2825 MS SQL Scan Ingestion Performance Stabilization

  • Bug TFN-2843 Investigate JobCoordinator lock release lag

  • Sub-task TFN-2873 MySQL Perf and Concurrency Stabilization

  • Bug TFN-2890 Veracode Single App Scan Updated Date Not Correct

  • Bug TFN-2893 Unable to extend Time to Remediate date

  • Bug TFN-2900 Kafka warnings [x partitions have leader brokers without a matching listener]

  • Bug TFN-2909 CWE Mapping cannot be deleted on an MSSQL instance that QA was using to run test suites

  • Task TFN-2913 Soft delete vulnerability snapshots when scan is deleted, instead of hard delete

  • Bug TFN-2915 Queue management page does not load when RP status changes.

  • Bug TFN-2919 Fix MS SQL VulnerabilitySnapshot Generation Query

  • Bug TFN-2920 Scan Failure Cleanup Process Stabilization

  • Security improvements

  • Bug fixes



Feature Changes

Note the following changes to features with the introduction of ThreadFix 3.1:

Deprecated and Removed

  • Support has been ended for the SSVL Converter

  • Bi-directional capability for Checkmarx and AppSpider has been removed

  • Service Delivery/Service Request feature set is no longer supported

  • Removed the Import All Vulnerabilities remote provider option

  • Saved scan files on the file system will not be migrated to 3.1 (NOTE: this only impacts the raw scan files. All vulnerability data is fully retained and migrated)

  • SonarQube Plugin removed from the Tools section. Remote Provider integration still behaves as before

  • Removed the ability for a single user to have concurrent sessions (pending verification)

Limitations, Scheduled for Enhancement Post 3.1

  • Limit of 3000 vulnerabilities when exporting Vulnerability Search data to a .csv file.

  • Remediation filters do not update automatically in 3.1; they update when a defect status sync is called. Automatic updating is planned to be reintroduced. NOTE: this may impact policies created on these filters (pending QA verification).

Absent, Scheduled for Re-introduction Post 3.1

  • The Disable Vulnerability Merging option when creating a new application has been removed, this feature is planned to be reintroduced

  • Scan File Retention feature has been removed, this feature is planned to be reintroduced

  • The Vulnerability Close Settings option, allowing users to close vulnerabilities only when all scanners report them closed, has been removed, but is planned to be reintroduced

  • The Scan Agent tool API endpoints have not been migrated, this feature is planned to be reintroduced

  • The ability to cancel queued scans has been removed, this feature is planned to be reintroduced in the future

  • Time to Remediate Date policy creation has been disabled, this feature will be reinstated

  • Dashboard and Analytics page report caching time configuration has been disabled with plans to be re-enabled

  • The Global FPR Filter Set API REST calls have been removed, with plans to be reintroduced
