As the file format is still new, only some of the fields are currently supported through the importer, thus leaving some fields within ThreadFix null.

...

*All timestamps are to be in yyyy-MM-ddTHH:mm:ssZ** format.
**For ThreadFix version 2.8.3 or newer, the 'Z' will reflect the time zone, based on UTC.

Finding

Each field below is listed with its Required / Used / Type values from the table, followed by its description.

id
  Required: no | Used: Export Only | Type: integer
  The Finding's primary key, findingId. This column is ignored on imports.

created
  Required: no | Used: no | Type: timestamp*
  Not used. Future support may be added for individual findings to have different discovery dates.

updated
  Required: no | Used: no | Type: timestamp*
  Not used. Future support may be added for individual findings to have different updated dates.

nativeId
  Required: yes | Used: yes | Type: string
  A unique id for a finding from the scanner. This id must be unique, or the other findings with the same nativeId will be de-duplicated.
  Character limit:
    • 2.7.9 and older: 50
    • 2.8.0 and newer: 256
  If the source scanner can track the same vulnerability across multiple scans, this field should use an ID value that is common between multiple scan runs.

severity
  Required: yes | Used: yes* | Type: Severity (string)
  The ThreadFix severity to assign to this finding's "nativeSeverity", if it hasn't been mapped yet.
  *After a nativeSeverity has a mapping, all findings with that nativeSeverity will share the same severity mapping.
  Valid options: Info, Low, Medium, High, Critical
  Do NOT use an empty string as the value.

nativeSeverity
  Required: yes | Used: yes | Type: string
  The original severity name from the scanner.
  Do NOT use an empty string as the value.
  Character limit: 25

cvssScore
  Required: no | Used: no | Type: string
  Not used. Future support will be added for CVSS scores for Network and Dependency scanners.

summary
  Required: yes | Used: yes* | Type: string
  Populates the finding summary on the finding details page. 150 character limit.
  *After a summary has a CWE mapping (from the "mappings" field), all findings with that summary will share the same CWE mapping.

description
  Required: no | Used: yes* | Type: string
  Populates the finding description on the finding details page. 2047 character limit.
  *As of ThreadFix version 2.7.2

scannerDetail
  Required: no | Used: yes | Type: string
  Populates the scanner details on the finding details page.

scannerRecommendation
  Required: no | Used: yes | Type: string
  Populates the scanner recommendation on the finding details page.

findingDetails
  Required: yes | Used: yes | Type: DynamicDetails, StaticDetails, or DependencyDetails
  Provides additional finding details specific to the type or scanner used. An individual finding must have one, and only one, type of details object: DynamicDetails, StaticDetails, or DependencyDetails.
  Future support will be added for the NetworkDetails type.

metadata
  Required: no | Used: no | Type: map<string,string>
  Allows key-value pair metadata to be associated with a Finding.

tags
  Required: no | Used: yes | Type: string[]
  An array of ThreadFix tags to associate with the vulnerability. Note that a tag with a matching name must already be configured in ThreadFix for it to be associated with the record.

mappings
  Required: no | Used: yes | Type: Mapping[]
  An array of common classification IDs (such as CWE or CVE) used to categorize the finding. See Mapping below.
  Not required, but highly recommended. If no CWE is provided, no merging can take place with other scanning tools.

rawFinding
  Required: no | Used: yes | Type: string
  The data shown in the raw findings section of the scan details page. This is used to override the information displayed there; if you do not specify a rawFinding, ThreadFix will list the entire finding from your .threadfix file in the rawFinding section. Specifying this field could result in loss of data in ThreadFix.

comments
  Required: no | Used: yes* | Type: string[]
  An array of comments to add and associate with the finding in ThreadFix.
  Format: "date (in MM/dd/yy) - text" (e.g., "12/1/17 - Cannot be reproduced by hand")
  Note:
    • The dash delimiter between the date and the text is required; this is an "en dash" (-).
      • For versions prior to 2.7.9: if you need to include a dash within a comment, use an "em dash" (—) instead; if you use an en dash, the text after it will be ignored (fixed in 2.7.9).
    • If the date is missing from the comment, the date of the upload will be used as the comment date.
  *As of ThreadFix version 2.7.3

group
  Required: no | Used: no | Type: FindingGroup
  Not used. Future support may be added, together with ManualAssessment data, to allow for custom groupings of findings.

statuses
  Required: no | Used: yes* | Type: map<string, boolean>
  An optional map of predefined statuses with their corresponding boolean values. Valid statuses are: Exploitable and/or False Positive.
  Format: "statuses": { "False Positive": true, "Exploitable": false }
  *As of ThreadFix version 2.7.7

DynamicDetails

Use this Details object to represent data from a DAST scanner.

...

Mapping

Each field below is listed with its Required / Used / Type values from the table, followed by its description.

mappingType
  Required: yes | Used: yes | Type: MappingType (string)
  Identifies the vulnerability classification mapping type. Valid options:
    • CWE - MITRE Common Weakness Enumeration. It is strongly recommended, but not technically required, that all Findings have one primary CWE. CWE is required for merging.
    • CVE - MITRE Common Vulnerabilities and Exposures.
    • TOOL_VENDOR - For custom vulnerability types from a scanner vendor. Mappings with this type require the vendorOtherType field to be populated.
  Options that are not yet valid, but to be supported in the future:
    • PRODUCT_VENDOR - For custom vulnerability types from the developer of a vulnerable piece of software, for example Microsoft KB numbers. Mappings with this type are planned to require the vendorOtherType field to be populated.
    • OTHER - For any other custom type. Mappings with this type are planned to require the vendorOtherType field to be populated.

value
  Required: yes | Used: yes | Type: string
  The actual id to map to. CWE and CVE values must be valid.
  Note: For CWE, you can use a "-1" value to map a finding to "None", or you can omit the mappings element altogether, which will result in an "Unmapped" CWE value.

primary
  Required: no* | Used: yes | Type: boolean
  If more than one Mapping of a given mappingType is included for one Finding, one and only one mapping must be labeled as primary. If only one Mapping of a given mappingType is included, it is assumed to be the primary.

vendorOtherType
  Required: no* | Used: yes | Type: string
  The name of the custom vulnerability categorization system. Required for Mappings of mappingType TOOL_VENDOR, PRODUCT_VENDOR and OTHER.
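As an added example (not part of the ThreadFix documentation or of the ThreadFix importer itself), the following Python checks a parsed .threadfix document against the Finding and Mapping rules from the two tables above: required non-empty fields, the severity options, the character limits (using the 2.8.0-and-newer nativeId limit), exactly one details object, vendorOtherType for TOOL_VENDOR mappings, a single primary per mappingType, and repeated nativeIds. The tables do not show the enclosing document structure, so two assumptions are made: findings sit under a top-level "findings" list, and findingDetails is an object keyed by the details-type name.

```python
from collections import defaultdict

SEVERITIES = {"Info", "Low", "Medium", "High", "Critical"}
DETAIL_TYPES = {"DynamicDetails", "StaticDetails", "DependencyDetails"}
MAPPING_TYPES = {"CWE", "CVE", "TOOL_VENDOR"}   # PRODUCT_VENDOR and OTHER are not yet valid
LIMITS = {"nativeId": 256, "nativeSeverity": 25, "summary": 150, "description": 2047}

def validate_mappings(mappings, where):
    """Mapping rules: valid type, non-empty value, vendorOtherType for TOOL_VENDOR, one primary per type."""
    errs, primaries = [], defaultdict(list)
    for m in mappings:
        mtype = m.get("mappingType")
        if mtype not in MAPPING_TYPES:
            errs.append(f"{where}: invalid mappingType {mtype!r}")
        if not m.get("value"):
            errs.append(f"{where}: mapping value is required")
        if mtype == "TOOL_VENDOR" and not m.get("vendorOtherType"):
            errs.append(f"{where}: TOOL_VENDOR mapping needs vendorOtherType")
        primaries[mtype].append(bool(m.get("primary")))
    for mtype, flags in primaries.items():
        if len(flags) > 1 and sum(flags) != 1:    # a lone mapping is implicitly primary
            errs.append(f"{where}: exactly one {mtype} mapping must be primary")
    return errs

def validate_finding(f, where):
    """Finding rules: required non-empty fields, severity enum, character limits, one details object."""
    errs = []
    for key in ("nativeId", "severity", "nativeSeverity", "summary"):
        if not f.get(key):                        # missing key or the forbidden empty string
            errs.append(f"{where}: {key} is required and must not be empty")
    if f.get("severity") not in SEVERITIES:
        errs.append(f"{where}: severity must be one of {sorted(SEVERITIES)}")
    for key, limit in LIMITS.items():             # nativeId limit is the 2.8.0-and-newer value
        if len(f.get(key) or "") > limit:
            errs.append(f"{where}: {key} exceeds {limit} characters")
    # Assumption: findingDetails is an object keyed by the details-type name.
    if len(DETAIL_TYPES & set(f.get("findingDetails") or {})) != 1:
        errs.append(f"{where}: findingDetails needs exactly one of {sorted(DETAIL_TYPES)}")
    return errs + validate_mappings(f.get("mappings") or [], where)

def validate_threadfix(doc):
    """Validates each Finding (assumed under a top-level 'findings' list) and flags repeated nativeIds."""
    errs, seen = [], set()
    for i, f in enumerate(doc.get("findings") or []):
        errs += validate_finding(f, f"finding[{i}]")
        if f.get("nativeId") in seen:             # ThreadFix would de-duplicate these findings
            errs.append(f"finding[{i}]: duplicate nativeId {f.get('nativeId')!r}")
        seen.add(f.get("nativeId"))
    return errs
```

Run it over `json.load(open("scan.threadfix"))` before uploading; an empty list means the file passes the rules listed here, which does not by itself guarantee the importer will accept it.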

...