Coverity User Account

Ensure that the Coverity account used for the ThreadFix integration has admin role/privilege on the Coverity side. The following is a list of SOAP API requests that ThreadFix uses for the Coverity Remote Provider integration

• Scans: defectservice#getMergedDefectsForProjectScope

• Findings: defectservice#getStreamDefects

• Projects: configurationservice#getProjects

Parsing Vulnerabilities

The following fields are parsed and mapped from Coverity to ThreadFix:

• defectStateAttributeValues.DefectStatus -> used to determine vuln open / closed

• defectStateAttributeValues.Classification -> used to determine false positive

• defectStateAttributeValues.Comment -> comment

• defectStateAttributeValues.Severity -> severity

• defectInstances.longDescription -> long description

• defectInstances.cwe -> cwe

• defectInstances.checkerName -> vuln code

• defectInstances.events.lineNumber -> dataflow line number

• defectInstances.events.eventNumber -> dataflow sequence index

• defectIntances.events.fileId -> dataflow file name

Vulnerability Statuses

ThreadFix will mark findings False Positive if they have False Positive status in Coverity. ThreadFix will not ingest findings with fixed status, closing them if they were ingested in a previous scan.

Default Severity Mappings:

• Unspecified -> Info

• Major -> High

• Moderate -> Medium

• Minor -> Low