Versions Compared

Old Version 19

changes.mady.by.user Daniel Colon

Saved on

compared with

New Version 20

changes.mady.by.user Daniel Colon

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

ThreadFix Version Release Notes

For REST API updates, refer to the Change Log

3.1

October 2021

Note

Migration from 2.8.5.1 to 3.1 is currently not supported. Users interested in migrating to 3.1 should upgrade to 2.8.4 first then continue with the 2.X to 3.X Migration process.

Key Updates

  • Fundamental and holistic rebuild of the ThreadFix architecture and deployment environment (please see the new environment requirements). To install a helm chart offline see the manual helm download.

  • Full rewrite of our scan ingestion and processing logic to provide over 60x reduction in raw scan data processing speed

  • Introduction of Remote Provider UI display cards and associated API

  • Remote provider import and scan ingestion statuses display on the Scan Queue page

  • Updates to the Scan Import Queue’s UI tooltips

  • Update to add a new Queue Management permissions level

New/Updated API

  • New GET ThreadFix application assets by import request ID API

  • New GET Remote Provider Import Requests API

  • New Pending Scan Status API

  • New Scan Queue Management report view API

  • Update to Remote Provider Import Request API

General Improvements

  • Improvements to user login session management

  • Leveraged new architecture to implement self-recovery for scan ingestion

  • Improvements to Manual Vulnerability Actions

  • Security improvements

  • Bug fixes

Feature Changes

Note the following changes to features with the introduction of ThreadFix 3.1:

Deprecated and Removed

  • Support has been ended for the SSVL Converter

  • Bi-directional capability for Checkmarx and AppSpider has been removed

  • Service Delivery/Service Request feature set is no longer supported

  • Removed the Import All Vulnerabilities remote provider option

  • Saved scan files on the file system will not be migrated to 3.1 (NOTE: this only impacts the raw scan files. All vulnerability data is fully retained and migrated)

  • SonarQube Plugin removed from the Tools section.  Remote Provider integration still behaves as before.

  • Support for the following integrations has been removed:

    • SkipFish

    • Swamp Scarf

Limitations, Scheduled for Enhancement Post 3.1

  • Limit of 3000 vulnerabilities when exporting Vulnerability Search data to a .csv file.

  • Remediation filters do not update automatically in 3.1, they will update with a defect status call sync. This feature is planned to be reintroduced. (NOTE: this may impact created policies based on these filters)

Absent, Scheduled for Re-introduction Post 3.1 

  • The Disable Vulnerability Merging option when creating a new application has been removed, this feature is planned to be reintroduced

  • Scan File Retention feature has been removed, this feature is planned to be reintroduced

  • The Vulnerability Close Settings option, allowing users to close vulnerabilities only when all scanners report them closed, has been removed, but is planned to be reintroduced

  • The Scan Agent tool API endpoints have not been migrated, this feature is planned to be reintroduced

  • The ability to cancel queued scans has been removed, this feature is planned to be reintroduced in the future

  • Time to Remediate Date policy creation has been disabled, this feature will be reinstated

  • Dashboard and Analytics page report caching time configuration has been disabled with plans to be re-enabled

  • The Global FPR Filter Set API REST calls have been removed, with plans to be reintroduced

  • Support for the following integrations has been removed, with plans for reintroduction:

    • Acunetix File Importer

    • Brakeman

    • Coverity

    • Dependency Check

    • Sonatype

Table of Contents

Table of Contents