Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. The feature changes for each release are listed below:

3.3.3

July 2023

  • Improvement to Vulnerability Detail page display of Findings Comments

  • Improvement for scanning of Fortify XML files, removing invalid characters that may impede the scanning process

  • Fix for LDAP user group membership not being validated/synced on login

  • Fix for “Invalid username/password combination” error when attempting to gather collections from a defect tracker in Azure DevOps

  • Fix for instances where in certain user configurations, importing Contrast Remote Provider findings may fail and provide a “Failed during remote provider import” error

3.3.2

May 2023

  • Microservice Project support added for Fortify on Demand

3.3.1

February 2023

  • Improvement of ThreadFix’s ability to identify and parse Fortify SSC external lists and filters to more accurately mark findings

  • Improved ThreadFix upgrade migration automation to have better error handling and recovery

3.3

January 2023

Ingestion Enhancements

  • ThreadFix File format now supports CVSS score values for both ingestion and export

  • Fortify SSC/FoD/SCA imports have improved filter parsing to support more custom filters from Micro Focus

  • Fortify on Demand now supports dependency findings

  • Acunetix enhanced false positive support

  • Contrast findings support greater specificity in filtering on finding types based on finding data

  • Added Scan Agent configuration support for AppScan Standard and WebInspect allowing custom configuration for these scan agents

  • SonarQube integration has been updated to support changes in their API

    • Hotspot findings in version 8.9 and 9 are now supported

    • All previous versions of SonarQube are no longer supported

System Enhancements

  • Created UI driven customization for report caching times

  • Added OWASP Top 10 2021 report

  • API support added for custom severity name

  • Created a bulk-export for all unmapped vulnerability types to CSV file

  • Reintroduced Scan File Retention customization to the ThreadFix 3 architecture

  • Reintroduced LDAP linked SAML Authorization to the ThreadFix 3 architecture

  • The following Global FPR Filter Set API REST calls have been reintroduced:

    • Upload Global FPR Filter Set Override 3.X - API

    • Clear Global FPR Filter Set Override 3.X - API

  • Additional bug fixes and security enhancements

Removed Features

  • Acunetix & AppSpider scan agents have been disabled, with plans for re-introduction

Addressed Reported Issues and Security Updates

  • Importing LDAP users fails if any user has a Title field containing more than 60 characters. The limit has been increased to 128 characters.

  • In some instances, ThreadFix license expiration reminders can repeatedly post to the logs and create performance issues. The frequency of reminders has been adjusted to once per user login.

  • A manually closed vulnerability could be marked as “re-opened” if an uploaded scan containing the open vulnerability was dated prior to the manual close. ThreadFix no longer marks a manually closed vulnerability as re-opened when the uploaded scan predates the manual close.

3.2

September 2022

Azure Dev Ops

  • Significant improvements to our integration with Azure Dev Ops, including:

    • Support for unique datatypes natively in ThreadFix UI

    • Performance improvements

    • UI indication of all required fields

    • Autocomplete and picklist support of applicable fields

2.X Feature Parity (3.X only)

  • Implemented the Sonatype remote provider utilizing the new 3.1 ingestion pipeline

  • Added Remote Provider application names to the Finding Detail page

Integration Enhancements

  • The following remote providers now ingest and store CVSS values: Acunetix 360, Black Duck, Netsparker, NowSecure, and WhiteHat Sentinel Source

  • Checkmarx can now ingest additional scanner detail and scanner recommendations for findings

  • Contrast date management enhancements to provide greater accuracy on finding discovery dates

  • Improved SonarQube severity mappings

  • The maximum number of Defect Profiles that can be associated with a single defect tracker has been increased to 1024

  • Improvement to Fortify SSC findings filtering

Addressed Reported Issues and Security Updates

  • Upgraded dependencies and images including Debian, Kafka, and ActiveMQ

  • Fixed intermittent import errors with Acunetix 360/Netsparker

  • WhiteHat API updates to support new requirements from WhiteHat

  • Improvement to UI messaging indicating when all remote providers have been mapped

  • Improvement to UI messaging indicating when an invalid scanId was used

  • The ThreadFix UI Help button has been adjusted to now direct to the Coalfire Support Portal

3.1.2

May 2022

  • No feature changes in 3.1.2

3.1.1

April 2022

Note the following changes to features with the introduction of ThreadFix 3.1.1:

Reintroduced

  • The Check Remote Provider Application Import Status endpoint has been reintroduced

  • Coverity Remote Provider has been reintroduced

Deprecated and Removed

For other REST API updates, refer to the Change Log.

  • The Black Duck call "/remediating" has been deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade"

  • The SSVL Converter Tool deprecated in 3.1 has been removed

3.1

October 2021

Note the following changes to features with the introduction of ThreadFix 3.1:

Deprecated and Removed

  • Support has been ended for the SSVL Converter

  • Bi-directional capability for Checkmarx and AppSpider has been removed

  • Service Delivery/Service Request feature set is no longer supported

  • Removed the Import All Vulnerabilities remote provider option

  • Saved scan files on the file system will not be migrated to 3.1 (NOTE: this only impacts the raw scan files. All vulnerability data is fully retained and migrated)

  • SonarQube Plugin removed from the Tools section. Remote Provider integration still behaves as before.

  • Support for the following integrations has been removed:

    • SkipFish

    • Swamp Scarf

Limitations, Scheduled for Enhancement Post 3.1

  • Limit of 3000 vulnerabilities when exporting Vulnerability Search data to a .csv file.

  • Remediation filters do not update automatically in 3.1; they update on a defect status call sync. Automatic updating is planned to be reintroduced. (NOTE: this may impact policies created based on these filters)

Absent, Scheduled for Re-introduction Post 3.1

  • The Disable Vulnerability Merging option when creating a new application has been removed; this feature is planned to be reintroduced

  • The Scan File Retention feature has been removed; this feature is planned to be reintroduced

  • The Vulnerability Close Settings option, allowing users to close vulnerabilities only when all scanners report them closed, has been removed, but is planned to be reintroduced

  • The Scan Agent tool API endpoints have not been migrated; this feature is planned to be reintroduced

  • The ability to cancel queued scans has been removed; this feature is planned to be reintroduced in the future

  • The Time to Remediate Date policy override has been disabled; this feature will be reinstated

  • Dashboard and Analytics page report caching time configuration has been disabled with plans to be re-enabled

  • The Global FPR Filter Set API REST calls have been removed, with plans to be reintroduced

  • Support for the following integrations has been removed, with plans for reintroduction:

    • Acunetix File Importer

    • Brakeman

    • Coverity

    • Dependency Check

    • Sonatype
