Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

ThreadFix Version Release Notes

For REST API updates, refer to the Change Log

3.3.3

July 2023

Warning

Integration Support Notifications

  • As of ThreadFix versions 3.4, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued.

  • ThreadFix currently supports MySQL up to version 5.7, the future release of ThreadFix 3.4 will support MySQL 8 and will not be backwards compatible to 5.7. Users will need to upgrade their database to MySQL 8 when upgrading to ThreadFix 3.4.

  • Jira has deprecated and removed certain endpoints as of version 9.0, in order to maintain proper functionality with ThreadFix, it is recommended to upgrade to 3.3.3.

Note

Upgrade Migration Notifications

  • Users must be on version 3.3/ 3.3.1/ 3.3.2 to upgrade to 3.3.3

  • Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes.

  • For REST API updates, refer to the Change Log.

Helm

Key Updates

  • Improvement to Vulnerability Detail page display of Findings Comments

  • Improvement for scanning of Fortify XML files, removing invalid characters that may impede the scanning process

  • Performance enhancements

  • UI Improvements

  • Security updates

To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.

Addressed Reported Issues

Issue

Resolution

LDAP user group membership not validated/synced on login.

This issue has been addressed in 3.3.3

User receivers an “Invalid username/password combination” error when attempting to gather collections from a defect tracker in Azure DevOps.

This issue has been addressed in 3.3.3

Under certain user configurations, importing Contrast Remote Provider findings may fail and provide a “Failed during remote provider import” error.

This issue has been addressed in 3.3.3

3.3.2

May 2023

Warning

Integration Support Notifications

  • As of ThreadFix versions 3.4, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued

  • ThreadFix currently supports MySQL up to version 5.7, the future release of ThreadFix 3.4 will support MySQL 8 and will not be backwards compatible to 5.7. Users will need to upgrade their database to MySQL 8 when upgrading to ThreadFix 3.4.

  • Jira has deprecated and removed certain endpoints as of version 9.0, in order to maintain proper functionality with ThreadFix, it is recommended to upgrade to 3.3.2

Note

Upgrade Migration Notifications

  • Users must be on version 3.3 or 3.3.1 to upgrade to 3.3.2. Users interested in migrating to 3.3.2 from 2.X must upgrade to 2.8.8.3 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

  • Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes

  • For REST API updates, refer to the Change Log

Helm

Key Updates

  • Issue addressed where users may not be able to upgrade to 3.X if specific data exists in the ChannelVulnerability table for Burp

  • UI performance enhancements

  • Microservice Project support added for Fortify on Demand

  • Security updates

Addressed Reported Issues

Issue

Resolution

When submitting a new defect through the Azure DevOps / TFS defect tracker, the Area and Iteration drop-downs do not display set default values and cannot be edited.

This issue has been addressed in 3.3.2.

Unmapped Qualys WAS Findings are automatically upgraded/downgraded to a Severity level of 3 (Medium) and without a channel vulnerability name.

This issue has been addressed in 3.3.2.

ThreadFix allowing multiple scans without an Updated Date if there is a prior scan present containing an UpdatedDate.

This issue has been addressed in 3.3.2.

.threadfix file exports from the Assessment tab with incorrect Finding descriptions.

This issue has been addressed in 3.3.2.

Date displayed in the Status section of Vulnerability Details do not reflect a user’s local time zone.

This issue has been addressed in 3.3.2.

User receives a "Jira Credentials are invalid" error when authenticating with Atlassian’s newly implemented longer API tokens.

This issue has been addressed in 3.3.2.

SAML settings prevents System Settings page from updating/saving.

This issue has been addressed in 3.3.2.

Email notifications fail to send.

This issue has been addressed in 3.3.2.

3.3.1

February 2023

Note to users, ThreadFix currently supports MySQL up to version 5.7, the future release of ThreadFix 3.4 will support MySQL 8 and will not be backwards compatible to 5.7. Users will need to upgrade their database to MySQL 8 when upgrading to ThreadFix 3.4.

Note

Users must be on version 3.2 or 3.3 to upgrade to 3.3.1. Users interested in migrating to 3.3.1 from 2.X must upgrade to 2.8.8 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

Note users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Posgresql changes

Helm

Key Updates

  • Improvement of ThreadFix’s ability to identify and parse Fortify SCC external lists and filters to more accurately mark findings

  • Improved ThreadFix upgrade migration automation to have better error handling and recovery

To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.

3.3

January 2023

Note

Users must be on version 3.2 to upgrade to 3.3. Users interested in migrating to 3.3 from 2.X must upgrade to 2.8.8 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

Note users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Posgresql changes.

Helm

Key Updates / Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:

Ingestion Enhancements

  • ThreadFix File format now supports CVSS score values for both ingestion and export

  • Fortify SSC/FoD/SCA imports have improved filter parsing to support more custom filters from Microfocus

  • Fortify on Demand now supports dependency findings

  • Acunetix enhanced false positive support

  • Contrast findings support greater specificity in filtering on finding types based on finding data

  • Added Scan Agent configuration support for AppScan Standard and WebInspect allowing custom configuration for these scan agents

  • SonarQube integration has been updated to support changes in their API

    • Hotspot findings in version 8.9 and 9 are now supported

    • All previous versions of SonarQube are no longer supported 

System Enhancements

  • Created UI driven customization for report caching times

  • Added OWASP Top 10 2021 report

  • API support added for custom severity name

  • Created a bulk-export for all unmapped vulnerability types to CSV file

  • Reintroduced Scan File Retention customization to the ThreadFix 3 architecture

  • Reintroduced LDAP linked SAML Authorization to the ThreadFix 3 architecture

  • The following Global FPR Filter Set API REST calls have been reintroduced:

    • Upload Global FPR Filter Set Override 3.X - API

    • Clear Global FPR Filter Set Override 3.X - API

  • Additional bug fixes and security enhancements

  Removed Features

  •  Acunetix & AppSpider scan agents have been disabled, with plans for re-introduction

Addressed Reported Issues

Issue

Resolution

When installing ThreadFix with Helm, issues occur following changes made to the Helm charts.

It is recommended to not make any edits or changes to the Helm charts in order to avoid undesired performance. Any necessary changes should be done through the value files.

Following changes in the K8 APIs, installing or upgrading ThreadFix on Kubernetes versions 1.25 or newer will fail.

Resolved in ThreadFix 3.3.

Importing LDAP users fails if any user have Title fields containing over 60 characters.

The limit has been increased to 128.

In some instances, ThreadFix license expiration reminders can repeatedly post to the logs and create performance issues.

The frequency of reminders has been adjusted to once per user login.

A manually closed vulnerability may be marked as “re-opened” if a scan containing the open vulnerability is uploaded from a date prior to when it was manually closed.

ThreadFix will not mark a manually closed vulnerability as having been re-opened from an uploaded scan preceding the vulnerability having been manually closed.

Legacy 3.X Release Notes

Expand
titleLegacy 3.X Release Notes

3.2

Warning

October 2022 - Known Issue Warning: Following changes in the K8 APIs, installing or upgrading ThreadFix on Kubernetes versions 1.25 or newer will fail. This issue will be addressed in the next ThreadFix release.

September 2022

Note

Users interested in migrating to 3.2 from 2.X must upgrade to 2.8.7 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process. Users upgrading from 3.1.2 please view the expandable note below before upgrading.

In ThreadFix 3.2, Minio requires the Minio secret data to contain the keys “rootUser” and “rootPassword” instead of “secretKey” and “accessKey”. When attempting an upgrade, some users may encounter the following error:

Code Block
Error: UPGRADE FAILED: template: threadfix/charts/minio/templates/secrets.yaml:14:15: executing "threadfix/charts/minio/templates/secrets.yaml" at <include "minio.root.username" .>: error calling include: template: threadfix/charts/minio/templates/_helpers.tpl:208:8: executing "minio.root.username" at <include "minio.getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "minio.fullname" .) "Length" 20 "Key" "rootUser")>: error calling include: template: threadfix/charts/minio/templates/_helpers.tpl:198:28: executing "minio.getValueFromSecret" at <b64dec>: invalid value; expected string

This error can be resolved by manually editing the Minio secret to change the data values to what is expected.

Code Block
kubectl edit secret tf-minio

Change the following:

Code Block
apiVersion: v1
data:
  secretkey: <secret-key-value>
  accesskey: <access-key-value>

To:

Code Block
apiVersion: v1
data:
  secretkey: <secret-key-value>
  accesskey: <access-key-value>
  rootUser: <access-key-value>
  rootPassword: <secret-key-value>

Once complete, perform the upgrade procedure once again.

Helm

Key Updates / Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:

Azure Dev Ops

  • Significant improvements to our integration with Azure Dev Ops including

    • Support for unique datatypes natively in ThreadFix UI

    • Performance improvements

    • UI indication of all required fields

    • Autocomplete and picklist support of applicable fields

 

2.X Feature Parity (3.X only)

  • Implemented the Sonatype remote provider utilizing the new 3.1 ingestion pipeline

  • Added Remote Provider application names to the Finding Detail page

 

Integration Enhancements

  • The following remote providers now ingest and store CVSS values: Acunetix 360, Black Duck, Netsparker, NowSecure, and WhiteHat Sentinel Source

  • Checkmarx can now ingest additional scanner detail and scanner recommendations for findings

  • Contrast date management enhancements to provide greater accuracy on finding discovery dates

  • Improved SonarQube severity mappings

  • The maximum number of Defect Profiles that can be associated with a single defect tracker has been increased to 1024

  • Improvement to Fortify SCC findings filtering

To view a complete list including prior releases, please view the 3.X Version Feature Changes list.

  

Addressed Reported Issues and Security Updates

  • Upgraded dependencies and images including Debian, Kafka, and ActiveMQ

  • Fixed intermittent import errors with Acunetix 360/Netsparker

  • WhiteHat API updates to support new requirements from WhiteHat

  • Improvement to UI messaging indicating when all remote providers have been mapped

  • Improvement to UI messaging indicating when an invalid scanId was used

  • The ThreadFix UI Help button has been adjusted to now direct to the Coalfire Support Portal

Issue

Resolution

Importing scan data from AsoC fails, displaying the following error message:

“RestIOException: Invalid response from ASoC while fetching last scan date.”

Resolved ASoC integration errors on import

A user without read-access could view all policy data for an application

The Policies tab in ThreadFix has been updated to address the information disclosure

A vulnerability’s open and close dates will no longer shift with new scan uploads unless a reopen or close event occurs

Resolved scan delete error if it includes findings that belong to vulnerabilities that have been closed and reopened multiple times

When trying to update Jira Defect Tracker integration credentials, a 403 error is received with the following message:

“Failure. Message was : The defect tracker URL is not valid."

Resolved JIRA connection issue

"You don't have permission for this team." error is received when attempting to move an application to another team using the Update Application API even with an Administrator Global role

The Update Application API has been updated to address the permissions error, allowing the application to be successfully moved

User unable to save an LDAP-linked SAML configuration, receiving a “Display Name Config Not Found” error

This issue has been addressed in 3.2

Threadfix files incorrectly export with a filename of null instead of the associated application’s name

A fix has been provided to ensure the Threadfix files correctly export with associated application’s name

Occasionally Qualys WAS Finding Scan Details and Scan Recommendation sections do not import

Version 3.2 corrects the reported issue with the scanner details and recommendations properly displaying

Error importing Contrast cloud scans

Resolved imports failing for certain Ruby applications

3.1.2

May 2022

Note

To upgrade to 3.1.2 please see the Upgrade & Migration guides. Users interested in migrating from 2.8.6 to 3.1.2 must follow the 2.X to 3.X Migration process. Note: Migration from 2.8.5.1 to 3.1.2 is currently not supported.

Helm

Key Update

  • Security update addressing user access to root information per an XML External Entity vulnerability identified during internal penetration testing. ThreadFix recommends updating to 3.1.2 to mitigate exposure.

Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:

  • No new feature changes in 3.1.2

To view a complete list including prior releases, please view the 3.X Version Feature Changes list.

3.1.1

April 2022

Warning

The National Vulnerability Database has identified a high risk exploit, Spring4Shell, which affects applications running Tomcat as a WAR deployment. For more information refer to CVE-2022-22965. In response Coalfire has tested ThreadFix to assess risk and mitigation options and recommends users update to ThreadFix version 3.1.1 to mitigate risk of exposure and provide security enhancements.

Note

Migration from 2.8.5.1 to 3.1.1 is currently not supported. Users interested in migrating to 3.1.1 must upgrade to 2.8.6 first then continue with the 2.X to 3.X Migration process.

Key Updates

  • The Black Duck Remote Provider Integration has been enhanced allowing multiple users to select the option to import applications by Application or Application Version

  • Contrast Remote Provider enhancements

    • Enhancement when importing vulnerabilities to include Contrast Finding comments

    • Addition of support for OSS Dependency Findings imports to Contrast scans

    • Additional Contrast Statuses have been provided for mapping by ThreadFix

  • Addition of Scan Orchestration option to Acunetix 360 Remote Provider

  • Fortify SCC enhancements

    • Now allows importing Sonatype SCA vulnerability data

    • Support added for flexible tag definitions

  • The AppScan on Cloud integration has been updated to allow importing applications that have scans but do not have vulnerabilities

  • Added support for GitHub Dependabot (Beta) Remote Provider

New/Updated API

  • New versionName and versionNativeId API calls for Black Duck Remote Provider, allowing users to import scans from multiple versions of a project at once

  • New Fetch Applications and Get Scans API calls for Contrast Remote Provider

  • The Get Application by Name and Get Application in a Team by Unique ID calls have been merged into Get Application by Name or Unique ID

  • The Create Application and Update Application REST calls have been updated to include additional fields

General Improvements

  • Remote providers can now also be instantly managed via drop-down menu from the Remote Provider list page

  • CVSS scores now available as part of Finding Details

  • General UI improvements

  • General bug fixes and improvements

Feature Changes

Note the following changes to features with the introduction of ThreadFix 3.1.1:

Reintroduced

  • The Check Remote Provider Application Import Status endpoint has been reintroduced

  • Coverity Remote Provider has been reintroduced

Deprecated and Removed

For other REST API updates, refer to the Change Log

  • The Black Duck call "/remediating" has been deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade"

  • The SSVL Converter Tool deprecated in 3.1 has been removed (since SSVL scan uploads are no longer supported)

3.1

October 2021

Note

Migration from 2.8.5.1 to 3.1 is currently not supported. Users interested in migrating to 3.1 should upgrade to 2.8.4 first then continue with the 2.X to 3.X Migration process.

Key Updates

  • Fundamental and holistic rebuild of the ThreadFix architecture and deployment environment (please see the new environment requirements). To install a helm chart offline see the manual helm download.

  • Full rewrite of our scan ingestion and processing logic to provide over 60x reduction in raw scan data processing speed

  • Introduction of Remote Provider UI display cards and associated API

  • Remote provider import and scan ingestion statuses display on the Scan Queue page

  • Updates to the Scan Import Queue’s UI tooltips

  • Update to add a new Queue Management permissions level

New/Updated API

  • New GET ThreadFix application assets by import request ID API

  • New GET Remote Provider Import Requests API

  • New Pending Scan Status API

  • New Scan Queue Management report view API

  • Update to Remote Provider Import Request API

General Improvements

  • Improvements to user login session management

  • Leveraged new architecture to implement self-recovery for scan ingestion

  • Improvements to Manual Vulnerability Actions

  • Security improvements

  • Bug fixes

Feature Changes

Note the following changes to features with the introduction of ThreadFix 3.1:

Deprecated and Removed

  • Support has been ended for the SSVL Converter and SSVL scan uploads

  • Bi-directional capability for Checkmarx and AppSpider has been removed

  • Service Delivery/Service Request feature set is no longer supported

  • Removed the Import All Vulnerabilities remote provider option

  • Saved scan files on the file system will not be migrated to 3.1 (NOTE: this only impacts the raw scan files. All vulnerability data is fully retained and migrated)

  • SonarQube Plugin removed from the Tools section.  Remote Provider integration still behaves as before.

  • Support for the following integrations has been removed:

    • SkipFish

    • Swamp Scarf

Limitations, Scheduled for Enhancement Post 3.1

  • Limit of 3000 vulnerabilities when exporting Vulnerability Search data to a .csv file.

  • Remediation filters do not update automatically in 3.1, they will update with a defect status call sync. This feature is planned to be reintroduced. (NOTE: this may impact created policies based on these filters)

Absent, Scheduled for Re-introduction Post 3.1 

  • The Disable Vulnerability Merging option when creating a new application has been removed, this feature is planned to be reintroduced

  • Scan File Retention feature has been removed, this feature is planned to be reintroduced

  • The Vulnerability Close Settings option, allowing users to close vulnerabilities only when all scanners report them closed, has been removed, but is planned to be reintroduced

  • The Scan Agent tool API endpoints have not been migrated, this feature is planned to be reintroduced

  • The ability to cancel queued scans has been removed, this feature is planned to be reintroduced in the future

  • Time to Remediate Date policy override has been disabled, this feature will be reinstated

  • Dashboard and Analytics page report caching time configuration has been disabled with plans to be re-enabled

  • The Global FPR Filter Set API REST calls have been removed, with plans to be reintroduced

  • Support for the following integrations has been removed, with plans for reintroduction:

    • Acunetix File Importer

    • Brakeman

    • Coverity

    • Dependency Check

    • Sonatype

3.0.8

March 2021

Note

Do Not Upgrade Without Reading This First!

The following only applies to users upgrading from an older version of v3 to 3.0.8. When upgrading from v2 to v3, you must first be on latest, 2.8.3. Upgrade instructions can be found here.

  • Adjusted vulnerability Open/Close Time to be Scan Date instead of Updated Date. To preserve historic reporting, no existing data will be retroactively changedIf you would like to have your historic data migrated to match the new date ingestion logic, please open a support ticket to request a migration script.

  • Logic changes have been made to enforce vulnerability status uniqueness. Any vulnerabilities with multiple statuses will have their statuses updated in the migration to 2.8.2 from an earlier version of 2.X or updating from version 3.0.6. For additional information please review the Vulnerability Status Migration Logic.

Security Updates

  • Remediated identified access control vulnerabilities

Key Updates

  • Issue fix for Qualys scan imports

  • Docker Logging improvement

  • Fix for Netsparker upload issue

  • Bug fix for SonarQube

  • Improved import ingestion and configuration options for InsightVM

  • Support added for JAVA_OPTIONS modifications

  • Issue resolution for QualysWAS findings scan profiles and findings merging error

  • Comprehensive Time zone management updates in ThreadFix

  • Fortify on Demand no longer imports Fixed or Suppressed findings

  • Introduced support for Acunetix 360 Remote Provider and Acunetix Premium exports

  • Improvement to the Jenkins plugin

  • Added CVSS Score and Vulnerability IDs as dynamic Defect Tracker profile values

  • Checkmarx Remote Provider microservice mapping performance improvement

  • Vulnerability statuses are now mutually exclusive

  • WhiteHat mobile data support

  • Checkmarx enhanced finding tracking

  • Portfolio page now reflects ThreadFix Pen Tests as Assessments

  • WebInspect findings details expanded

  • Portfolio Application View pagination

  • Most Vulnerable Applications report grouping

  • Significant performance improvements to the Team delete function

  • Time to Remediate Policies now allow for per-vulnerability exceptions

  • Veracode Remote Provider import includes SCA data

  • NowSecure Remote Provider integration

General Improvements

  • Improvements to UI-Page navigation

  • Adjustment for improving scan data imports

  • Improvement to Veracode Remote Provider scan updates

  • API performance improvements

  • Vulnerability Trending report improvements

  • Portfolio UI improvements for large-scale deployments

  • UI performance enhancements

  • Bug fix for graphs displayed on PDF exports

  • Filter on mobile vulnerability data

  • Improved error messaging

  • WhiteHat integration respects the Out of Scope status

  • LDAP login supports additional user attributes

  • Netsparker Enterprise enhancements

  • Time to Remediate notification improvements

  • File attachment usability improvements

  • Updated 3rd party dependencies and other security improvements

  • Other enhancements and bug fixes

  • General performance improvements

 

Installation and Upgrade Guides:

3.0.7

October 2020

General Improvements

  • Expanded SAML support to cover additional use cases. As of 3.0.7 SAML is fully configurable in the UI from the Settings page.

  • Resolved issues in Checkmarx and SonarQube integrations

  • Performance improvements

  • Other enhancements and bug fixes

3.0.7 also contains the following AppSec updates.

Key Updates

  • Vulnerability statuses are now mutually exclusive

  • WhiteHat mobile data support

  • Checkmarx enhanced finding tracking

  • Portfolio page now reflects ThreadFix Pen Tests as Assessments

  • WebInspect findings details expanded

  • Portfolio Application View pagination

  • Most Vulnerable Applications report grouping

  • Significant performance improvements to the Team delete function

  • Time to Remediate Policies now allow for per-vulnerability exceptions

  • Veracode Remote Provider import includes SCA data

  • NowSecure Remote Provider integration

General Improvements

  • Filter on mobile vulnerability data

  • Improved error messaging

  • WhiteHat integration respects the Out of Scope status

  • LDAP login supports additional user attributes

  • Netsparker Enterprise enhancements

  • Time to Remediate notification improvements

  • File attachment usability improvements

  • Updated 3rd party dependencies and other security improvements

  • Added OAuth support for Jira Defect Tracker integration

  • Improved parsing of scan data from AppScan Enterprise and Fortify SSC

Table of Contents

Table of Contents