This section outlines ThreadFix's Defect Tracker support.

Introduction

Defect tracker support involves two primary functions. The first is to bundle and export ThreadFix vulnerabilities into the tracker's defect format. The second is to get the current status of the defect from the tracker and update the ThreadFix vulnerabilities.

Bugzilla

Bugzilla is a popular open-source defect tracking system created by the Mozilla Foundation, the developers of Firefox. The Bugzilla website has more information about its features and installation.


Supported Defect Trackers

As of ThreadFix version 3.4, integration support has been discontinued for Bugzilla (versions 4.x and 5.x), IBM ClearQuest, and VersionOne.

ThreadFix currently supports these Defect Trackers:

HP Quality Center (acquired by Micro Focus)

https://www.microfocus.com/en-us/products/alm-quality-center/overview

Hewlett-Packard's Quality Center is quality management software featuring defect and requirements tracking. It is available as a free, open-source Community Edition or as a paid Enterprise version. The Enterprise version has an expanded feature set and technical support. HPQC Enterprise can be installed on premise or used as a SaaS implementation. More information regarding HP Quality Center is available on the HP website.

JIRA

Atlassian's JIRA is a project management and issue tracking application, geared toward agile development. Users can install JIRA on their own server, or use a hosted SaaS solution. More information is available on the Atlassian website. OAuth is supported in ThreadFix for JIRA.

To be able to submit defects, the JIRA user account must have these permissions: Browse Projects, Create Issues, Assign Issues and, if the project does not allow non-assigned issues, at least one user must have the Assignable User permission.

ThreadFix leverages JIRA's Status and Status Category fields to determine if a defect is Open (red) or Closed (green). Note: If the Status Category is available, ThreadFix prioritizes it over Status.

JIRA has three status categories: To Do, In Progress, and Done. If a defect has a Status Category of “Done”, it is considered Closed in ThreadFix. The status of “Resolved” falls under the “Done” category.

JIRA allows users to create and map various statuses to different categories but does not allow users to create new categories.
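The following is an added example (not ThreadFix or Atlassian code) that mirrors the Open/Closed rule described above against the `fields` object returned by JIRA's issue REST API, where a status carries an optional `statusCategory` with key `new`, `indeterminate` or `done`. The fallback list of status names used when no category is present is an assumption, as is the sample data, which is constructed to include a custom status whose name suggests "closed" but whose category does not.

```python
"""Map JIRA issue status to the ThreadFix-style Open/Closed label.

Rule mirrored from the documentation above:
  1. if status.statusCategory is present, it wins: key "done" => Closed;
  2. otherwise fall back to the status name (older JIRA without categories).
"""

CLOSED_CATEGORY_KEY = "done"  # JIRA's three category keys: new, indeterminate, done

# Assumption for the no-category fallback: which plain status names mean closed.
CLOSED_STATUS_NAMES = {"closed", "done", "resolved"}


def defect_state(fields: dict) -> str:
    """Return "Closed" or "Open" for one issue's `fields` object."""
    status = fields.get("status") or {}
    category = status.get("statusCategory") or {}
    key = (category.get("key") or "").strip().lower()
    if key:
        # Category is authoritative even if the status *name* looks closed.
        return "Closed" if key == CLOSED_CATEGORY_KEY else "Open"
    name = (status.get("name") or "").strip().lower()
    return "Closed" if name in CLOSED_STATUS_NAMES else "Open"


def update_defect_statuses(issues: dict, previous: dict) -> dict:
    """Recompute the state of every tracked defect and report transitions.

    issues:   {issue_key: fields} as fetched from JIRA
    previous: {issue_key: "Open"/"Closed"} as currently shown on the badges
    Returns {issue_key: (old_state, new_state)} for defects whose label changed.
    """
    changed = {}
    for key, fields in issues.items():
        new_state = defect_state(fields)
        old_state = previous.get(key, "Open")
        if new_state != old_state:
            changed[key] = (old_state, new_state)
    return changed


# Constructed sample issues (not real JIRA output); only the relevant fields.
SAMPLE_ISSUES = {
    # Custom status mapped to the Done category: Closed, whatever the name.
    "APP-101": {"status": {"name": "Ready for Release",
                           "statusCategory": {"key": "done", "name": "Done"}}},
    # "Resolved" sits in the Done category.
    "APP-102": {"status": {"name": "Resolved",
                           "statusCategory": {"key": "done", "name": "Done"}}},
    # Name says Closed, but an admin mapped it to In Progress: category wins.
    "APP-103": {"status": {"name": "Closed",
                           "statusCategory": {"key": "indeterminate", "name": "In Progress"}}},
    # Older JIRA with no statusCategory at all: fall back to the name.
    "APP-104": {"status": {"name": "Resolved"}},
    "APP-105": {"status": {"name": "In Progress",
                           "statusCategory": {"key": "indeterminate", "name": "In Progress"}}},
}

SAMPLE_PREVIOUS = {k: "Open" for k in SAMPLE_ISSUES}


if __name__ == "__main__":
    for key, fields in SAMPLE_ISSUES.items():
        print(f"{key}: {fields['status']['name']!r} -> {defect_state(fields)}")
    print("transitions:", update_defect_statuses(SAMPLE_ISSUES, SAMPLE_PREVIOUS))
```

APP-103 is the case worth remembering when reading badges: a status whose name is "Closed" still shows as Open in ThreadFix if JIRA's workflow maps it to a non-Done category, so workflow changes on the JIRA side can silently change what the badge reports.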

Azure DevOps (formerly Microsoft Visual Studio Team Foundation Server / VSTS)

Azure DevOps is a version control and project management platform aimed at developing Windows applications. More information can be found on Azure DevOps Services | Microsoft Azure. This application shares the same API as Visual Studio Team Services. More details about Team Foundation Server are on Microsoft's website. For information on how to configure security on the VSTS side, see the corresponding section at the bottom of this article.

VersionOne

VersionOne is an Application Lifecycle Management platform, designed with agile and lean development methodologies as its focus. You can read more about its features and capabilities on the VersionOne website.

IBM Rational ClearQuest

IBM Rational ClearQuest is a database workflow application development and production system. You can read more about its features on the IBM Rational ClearQuest website.

Note: ThreadFix 3.x supports pulling a maximum of 1000 projects for an organization.

Rally (CA Agile Central)

Note: Rally is a custom integration that requires paid support. For more information, please submit a request through the ThreadFix Support Product Implementation Support portal.

Rally (now CA Agile Central) is an enterprise-class platform that's purpose-built for scaling agile development practices. It provides a hub for teams to collaboratively plan, prioritize and track work on a synchronized cadence. You can read more about its features and capabilities on the CA Technologies website.

Creating a Defect Tracker

Example Configuration Using JIRA

Creating a defect tracker in ThreadFix follows the same process for every supported tracker. This example walks through the process using JIRA.

Set up Defect Tracker

You must complete two actions before submitting a defect from ThreadFix. First, you need to create the defect tracker within ThreadFix. Then, you must attach that defect tracker to an application in ThreadFix.

Create a Defect Tracker

To set up JIRA as a defect tracker in ThreadFix, click Configuration (cog), then Integrations → Defect Trackers. This will take you to the Defect Trackers page.

To create a new Defect Tracker, click the Create New Tracker button.


The New Defect Tracker modal will appear. Complete the form using the credentials for your JIRA account; ensure that the Type dropdown list is set to JIRA.

For Jira Cloud customers who are using username and password:

  • For the Default Username, enter the Jira profile's email address. For the Default Password, enter the profile's API token (you'll need to create one, if it doesn't exist).

  • The above is supported as of ThreadFix version 2.7.3; earlier versions support neither email usernames nor API token authentication.

For on-prem Jira deployments that don't support API tokens, you'll need to use username/password basic authentication; using the email address for the username is supported as of version 2.7.3.

As of ThreadFix version 2.8.1, to configure a Jira Defect Tracker using username/password, select Basic Auth for Auth Type.

Click the Get Product Names button. A Product Names dropdown will appear, populated with the products from your JIRA server. Select the product associated with your application and click the Create Defect Tracker button.


Upon creation, validation of the URL takes place. If the URL is malformed, you will receive a URL is invalid error message. If ThreadFix is unable to communicate with the JIRA instance because of a mistyped URL, you will receive a URL is not associated with selected defect tracker message.

Attach Defect Tracker

Navigate to the details page of the application that needs a tracker attached to it. Once on the application detail page, click the upper Action button and select Manage Defect Trackers → Edit Defect Trackers.


This will take you to the Manage Defect Trackers for Application <application name> page, where you'll see attached defect trackers listed, if any.


To attach a defect tracker to the application, click the Add Defect Tracker button. A modal dialogue will appear.


Choose JIRA as your Defect Tracker, then either select the Use Default Credentials checkbox, or fill in the fields with your own credentials. The defaults are the credentials you supplied when you initially created the ThreadFix JIRA defect tracker.

If you have a default product defined in JIRA, you may select the Use Default Product checkbox. If not, or you wish to select a different product, click the Get Product Names button. After JIRA verifies your credentials, a Product Name dropdown appears.

Select the JIRA product that is associated with your application and click the Add Defect Tracker button.


The added defect tracker will now appear in the Manage Defect Trackers... page.


Submit Defects

To submit a defect to your defect tracker, expand a section in an application's vulnerability tree.

Either select the instance(s) of the vulnerabilities you wish to submit to your tracker, or select the Check All checkbox to select all instances.

Click on the lower Action button and select Create Defect → <defect tracker name>.


A Submit Defect modal will appear; fill out the fields and click the Submit Defect button. A success message will appear at the top of the screen.

Opening the vulnerability in the tree now shows these issues opened and assigned in your JIRA defect tracker.

If you click on the defect badge, another window will open to the defect in JIRA.


Add to Existing Defect

You can add one or more vulnerabilities to an existing defect.

Either select the instance(s) of the vulnerabilities, or select the Check All checkbox to select all instances.

Click on the lower Action button and select Add to Existing Defect → <defect tracker name>.


In the ensuing dialog, enter the defect ID and click the Submit Defect button.

Just as when creating a new defect, ThreadFix will add a badge to the vulnerability (or vulnerabilities) with the defect ID and its status.

Update Defect Status

If you close the issue in JIRA, you can request an update for the defects in ThreadFix on the application’s details page. Click on the upper Action button and select Manage Defect Trackers → Update Defect Status.


ThreadFix will get the current status of all defects submitted for the application and update the label accordingly if one or more defects are closed.


Note: You will need to refresh the page to see the updated status.

Creating a Defect Status Update Schedule

Once you have one or more defect trackers configured, you can create one or more schedules to automatically check their status for changes. This removes the need to manually update the defect status to see whether an issue has been resolved by a development team.

First, go back to the Defect Trackers page by clicking on the Cog menu and selecting Integrations → Defect Trackers.

Once there, select the Scheduled Updates tab and click Schedule New Update to bring up the scheduling dialog box.


Select a time and frequency when you would like your status update check to run. You can alternatively define a Cron expression. Click Add Scheduled Update to save it to your list of Defect Status Update schedules. You may create as many of these as you like, but be aware that each one will run at the requested time. Some defect trackers require an API call per defect to determine status, so you could inadvertently overwhelm your defect server if you schedule updates too frequently.

Defect Profiles

To help make the process of submitting a defect more efficient, you can create and use defect profiles that save you the effort of filling out certain fields in the submission form.

For example (using Jira, as with the above examples), say you want to create a profile that preselects the type of defect and fills out several fields...

Access the Defect Trackers page by clicking Configuration (cog) → Integrations → Defect Trackers.

Click the Show Default Profiles button and then the Create Profile button.


Give the profile a name and select a product, then click Add new Default Profile.


Fill out the desired fields in the Set Defect Defaults form. Note that you can use tags to help automate some of the content, like the severity, scanner vulnerability name, etc. (hover over the tags at the top for a description). When finished, click Update Defaults.

You'll receive a confirmation that the defaults were updated for the specified defect profile and see it listed within the Profile list. You can create more as needed.


To use a profile when submitting a defect, select it from the top pull-down menu, and the default values will appear in the form; you may edit them as needed and submit the defect when done. Note that the values corresponding to tags in the profile will appear in the form.

VSTS / TFS / Azure DevOps - Security Configuration

In order to set up an integration between ThreadFix and VSTS, you must use a Personal Access Token.

Click on the profile icon toward the top right of the screen and select Personal access tokens from the menu.


From there you can create a Personal Access Token:


When creating the integration on the ThreadFix side, select Microsoft TFS in the Type menu, enter your organization's http://visualstudio.com (or dev.azure.com) URL and credentials, then click the Get Product Names button to select the desired project.

(Note that the username can be anything as long as you don't leave the field blank; the Personal Access Token is what authenticates the integration.)

OAuth Support for JIRA - Security Configuration

OAuth is supported for Jira as of version 2.8.1. Please note OAuth 2.0 is not yet supported. First you'll need to configure Application links in Jira to support OAuth. Then, within ThreadFix, navigate to Global → Administration → System Settings → Other Settings (tab) → OAuth Jira (heading). Provide the following details:

  1. Jira URL: URL of the Jira instance where OAuth is configured.

  2. Consumer Key: The key assigned to JIRA by the service provider.

  3. Private Key: Signed Private Key.

After providing the details, click on Populate Authorization Token URL. This will generate a temporary Authorization Token URL. Click the here link in the text "For retrieving request token go to here" and authorize it. This URL will expire in 10 minutes.

The link navigates to a permission page in JIRA. Allow the permission.

After allowing the permission, a verification code will be generated.

Copy and paste the verification code into the Secret Key text box in ThreadFix and click on Populate Access Token. A new Access Token is generated and will be active for 5 years.

Configuring Defect Tracker using Access Token

To set up JIRA as a defect tracker in ThreadFix, navigate to Integrations → Defect Trackers. This will take you to the Defect Trackers page.

To create a new Defect Tracker, click the Create New Tracker button and select JIRA as the Type.

Select OAuth Token for Auth Type. The URL and Access Token fields will be filled in automatically.

Click the Get Product Names button. A Product Names dropdown will appear, populated with the products from your JIRA server. Select the product associated with your application and click the Create Defect Tracker button.


Upon creation, validation of the URL takes place. If the URL is malformed, you will receive a URL is invalid error message. If ThreadFix is unable to communicate with the JIRA instance because of a mistyped URL, you will receive a URL is not associated with selected defect tracker message.

Attach Defect Tracker

Navigate to the details page of the application that needs a tracker attached to it. Once on the application detail page, click the upper Action button and select Manage Defect Trackers → Edit Defect Trackers.


This will take you to the Manage Defect Trackers for Application <application name> page, where you'll see attached defect trackers listed, if any.

To attach a defect tracker to the application, click the Add Defect Tracker button. A modal dialogue will appear.

Choose JIRA as your Defect Tracker; the Access Token will be added to the text box automatically.

If you have a default product defined in JIRA, you may select the Use Default Product checkbox. If not, or you wish to select a different product, click the Get Product Names button. After JIRA verifies your credentials, a Product Name dropdown appears.

Select the JIRA product that is associated with your application and click the Add Defect Tracker button.


The added defect tracker will now appear in the Manage Defect Trackers... page.

To submit defects, follow the Submit Defects topic in this documentation.