Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
ThreadFix Version Release Notes
For REST API updates, refer to the Change LogThreadFix Version Release Notes
For REST API updates, refer to the Change Log
3.3.2
May 2023
Warning |
---|
Integration Support Notifications
|
Note |
---|
Upgrade Migration Notifications
|
Helm
Key Updates
Issue addressed where users may not be able to upgrade to 3.X if specific data exists in the ChannelVulnerability table for Burp
UI performance enhancements
Microservice Project support added for Fortify on Demand
Security updates
Addressed Reported Issues
Issue | Resolution |
---|---|
When submitting a new defect through the Azure DevOps / TFS defect tracker, the Area and Iteration drop-downs do not display set default values and cannot be edited. | This issue has been addressed in 3.3.2. |
Unmapped Qualys WAS Findings are automatically upgraded/downgraded to a Severity level of 3 (Medium) and without a channel vulnerability name. | This issue has been addressed in 3.3.2. |
ThreadFix allowing multiple scans without an Updated Date if there is a prior scan present containing an UpdatedDate. | This issue has been addressed in 3.3.2. |
.threadfix file exports from the Assessment tab with incorrect Finding descriptions. | This issue has been addressed in 3.3.2. |
Date displayed in the Status section of Vulnerability Details do not reflect a user’s local time zone. | This issue has been addressed in 3.3.2. |
User receives a "Jira Credentials are invalid" error when authenticating with Atlassian’s newly implemented longer API tokens. | This issue has been addressed in 3.3.2. |
SAML settings prevents System Settings page from updating/saving. | This issue has been addressed in 3.3.2. |
Email notifications fail to send. | This issue has been addressed in 3.3.2. |
3.3.1
February 2023
Note to users, ThreadFix currently supports MySQL up to version 5.7, the future release of ThreadFix 3.4 will support MySQL 8 and will not be backwards compatible to 5.7. Users will need to upgrade their database to MySQL 8 when upgrading to ThreadFix 3.4.
Note |
---|
Users must be on version 3.2 or 3.3 to upgrade to 3.3.1. Users interested in migrating to 3.3.1 from 2.X must upgrade to 2.8.8 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process. Note users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Posgresql changes |
Helm
Key Updates
Improvement of ThreadFix’s ability to identify and parse Fortify SCC external lists and filters to more accurately mark findings
Improved ThreadFix upgrade migration automation to have better error handling and recovery
To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.
3.3
January 2023
Note |
---|
Users must be on version 3.2 to upgrade to 3.3. Users interested in migrating to 3.3 from 2.X must upgrade to 2.8.8 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process. Note users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Posgresql changes. |
Helm
Key Updates / Version Feature Changes
New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:
Ingestion Enhancements
ThreadFix File format now supports CVSS score values for both ingestion and export
Fortify SSC/FoD/SCA imports have improved filter parsing to support more custom filters from Microfocus
Fortify on Demand now supports dependency findings
Acunetix enhanced false positive support
Contrast findings support greater specificity in filtering on finding types based on finding data
Added Scan Agent configuration support for AppScan Standard and WebInspect allowing custom configuration for these scan agents
SonarQube integration has been updated to support changes in their API
Hotspot findings in version 8.9 and 9 are now supported
All previous versions of SonarQube are no longer supported
System Enhancements
Created UI driven customization for report caching times
Added OWASP Top 10 2021 report
API support added for custom severity name
Created a bulk-export for all unmapped vulnerability types to CSV file
Reintroduced Scan File Retention customization to the ThreadFix 3 architecture
Reintroduced LDAP linked SAML Authorization to the ThreadFix 3 architecture
The following Global FPR Filter Set API REST calls have been reintroduced:
Upload Global FPR Filter Set Override 3.X - API
Clear Global FPR Filter Set Override 3.X - API
Additional bug fixes and security enhancements
Removed Features
Acunetix & AppSpider scan agents have been disabled, with plans for re-introduction
Addressed Reported Issues
Issue | Resolution |
---|---|
When installing ThreadFix with Helm, issues occur following changes made to the Helm charts. | It is recommended to not make any edits or changes to the Helm charts in order to avoid undesired performance. Any necessary changes should be done through the value files. |
Following changes in the K8 APIs, installing or upgrading ThreadFix on Kubernetes versions 1.25 or newer will fail. | Resolved in ThreadFix 3.3. |
Importing LDAP users fails if any user have Title fields containing over 60 characters. | The limit has been increased to 128. |
In some instances, ThreadFix license expiration reminders can repeatedly post to the logs and create performance issues. | The frequency of reminders has been adjusted to once per user login. |
A manually closed vulnerability may be marked as “re-opened” if a scan containing the open vulnerability is uploaded from a date prior to when it was manually closed. | ThreadFix will not mark a manually closed vulnerability as having been re-opened from an uploaded scan preceding the vulnerability having been manually closed. |
Legacy 3.X Release Notes
Expand | ||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||
3.2
September 2022
In ThreadFix 3.2, Minio requires the Minio secret data to contain the keys “rootUser” and “rootPassword” instead of “secretKey” and “accessKey”. When attempting an upgrade, some users may encounter the following error:
This error can be resolved by manually editing the Minio secret to change the data values to what is expected.
Change the following:
To:
Once complete, perform the upgrade procedure once again. Helm Key Updates / Version Feature ChangesNew versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below: Azure Dev Ops
2.X Feature Parity (3.X only)
Integration Enhancements
To view a complete list including prior releases, please view the 3.X Version Feature Changes list.
Addressed Reported Issues and Security Updates
3.1.2May 2022
Helm Key Update
Version Feature Changes New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:
To view a complete list including prior releases, please view the 3.X Version Feature Changes list. 3.1.1April 2022
Key Updates
New/Updated API
General Improvements
Feature ChangesNote the following changes to features with the introduction of ThreadFix 3.1.1: Reintroduced
Deprecated and Removed For other REST API updates, refer to the Change Log
3.1October 2021
Key Updates
New/Updated API
General Improvements
Feature ChangesNote the following changes to features with the introduction of ThreadFix 3.1: Deprecated and Removed
Limitations, Scheduled for Enhancement Post 3.1
Absent, Scheduled for Re-introduction Post 3.1
3.0.8March 2021
Security Updates
Key Updates
General Improvements
Installation and Upgrade Guides:3.0.7October 2020 General Improvements
3.0.7 also contains the following AppSec updates. Key Updates
General Improvements
|
Table of Contents
Table of Contents |
---|