📙 You will learn

How to fetch applications and scans, how scan dates are organized, and how to configure certificates.

Prerequisites

Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API

Introduction

HCL AppScan Enterprise mitigates application security risk, strengthens application security program management initiatives and achieves regulatory compliance. ThreadFix uses AppScan Enterprise's (ASE) Application Security Management REST API to authenticate and pull both application and scan information.

Login:

    /ase/api/login

Logout:

    /ase/api/logout

User Role

The ASE service user will need to have the Job Administrator role in order for ThreadFix to use the endpoints below to obtain the necessary data.

Fetching

Get Applications

ThreadFix uses the following endpoint to pull applications from the ASE instance. ThreadFix paginates this request.

    /ase/api/applications


Get Scans

ASE's Application Security Management REST API does not currently provide an endpoint to get issues from an application by scan. Instead, ThreadFix uses these endpoints:

    /ase/api/issues

  • Returns issues from ASE based on query parameters.
  • ThreadFix uses this to pull the severity, status, datecreated, location and issuetype values of each finding from all new, open and reopened issues for the specified application.
  • ThreadFix does paginate this request.

    /ase/api/issueattributedefinitions

  • The issues endpoint returns attribute IDs instead of attribute names. ThreadFix uses this endpoint to pull the attribute names to parse the issues.

Scan Dates

As of ThreadFix version 2.7.9.1 (and requiring ASE v9.0.3.12 or higher; otherwise ThreadFix reverts to the former functionality described below), ThreadFix uses the following endpoint and finds the latest Last Run Date of the returned jobs:

    /jobs/search/

  • If a job does not have a Last Run Date, it has not been run before but has only been configured to run, so such jobs are ignored.
  • In the absence of any jobs with a Last Run Date, or of any configured jobs, ThreadFix attempts to get the latest Date Created via the /issues endpoint.

Scan Updated Date:

ThreadFix uses the /issues endpoint to search for the latest Last Updated Date for all the findings, regardless of severity. ThreadFix configures the query parameters so that only one value is returned, which is used as the Scan Updated Date.

Former functionality, prior to ThreadFix 2.7.9.1 (and/or if integrating with an ASE version older than 9.0.3.12):

ThreadFix organizes the results from the issues endpoint by rounding down their datecreated value to midnight and creating a scan for each unique date.

Caveat: If one or more issues have a lastupdated value, the newest of these values will be used when setting the scan's Scan Date. Since these scans are dynamically created by ThreadFix, there is currently no distinction between the Scan Date and the Updated Date.

Parsing Vulnerabilities

The JSON returned by ASE's issues endpoint maps directly to these ThreadFix Finding Mappings:

  • Native Id - id
  • Vulnerability code - issuetype
  • Severity code - severity
  • Path - location
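The scan-date selection described under Scan Dates (the current job-based behaviour and the former per-day grouping with its lastupdated caveat) and the Finding Mappings above, worked through as an added Python example; this is not ThreadFix's own code. The issue and job records are constructed, the job field name lastRunDate is an assumption, and the caveat is taken to apply within each per-day group.

```python
from datetime import datetime

# Constructed sample records (not real ASE output); the job field "lastRunDate" is assumed.
SAMPLE_ISSUES = [
    {"id": 101, "issuetype": "SQL Injection", "severity": "High", "status": "Open",
     "location": "/login", "datecreated": "2024-03-01T09:15:00Z", "lastupdated": None},
    {"id": 102, "issuetype": "Cross-Site Scripting", "severity": "Medium", "status": "New",
     "location": "/search", "datecreated": "2024-03-01T17:40:00Z",
     "lastupdated": "2024-03-04T08:00:00Z"},
    {"id": 103, "issuetype": "Information Leakage", "severity": "Low", "status": "Reopened",
     "location": "/about", "datecreated": "2024-03-02T11:00:00Z", "lastupdated": None},
]
SAMPLE_JOBS = [
    {"name": "Nightly", "lastRunDate": None},  # configured but never run: ignored
    {"name": "Weekly", "lastRunDate": "2024-03-03T02:00:00Z"},
    {"name": "Release", "lastRunDate": "2024-03-05T02:00:00Z"},
]

def parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is rewritten for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def scan_date_from_jobs(jobs, issues):
    """ThreadFix >= 2.7.9.1 with ASE >= 9.0.3.12: latest Last Run Date over jobs that
    have one; if none, latest Date Created over the issues; None if neither exists."""
    run_dates = [parse_ts(j["lastRunDate"]) for j in jobs if j.get("lastRunDate")]
    if run_dates:
        return max(run_dates)
    created = [parse_ts(i["datecreated"]) for i in issues if i.get("datecreated")]
    return max(created) if created else None

def scan_updated_date(issues):
    """Latest Last Updated Date across all findings, regardless of severity."""
    updated = [parse_ts(i["lastupdated"]) for i in issues if i.get("lastupdated")]
    return max(updated) if updated else None

def group_issues_into_scans(issues):
    """Former behaviour: one scan per datecreated day; newest lastupdated in a group wins."""
    by_day = {}
    for issue in issues:
        day = parse_ts(issue["datecreated"]).replace(hour=0, minute=0, second=0, microsecond=0)
        by_day.setdefault(day, []).append(issue)
    scans = []
    for day, group in sorted(by_day.items()):
        updated = [parse_ts(i["lastupdated"]) for i in group if i.get("lastupdated")]
        findings = [{"nativeId": i["id"], "vulnerabilityCode": i["issuetype"],
                     "severityCode": i["severity"], "path": i["location"]} for i in group]
        scans.append({"scanDate": max(updated) if updated else day, "findings": findings})
    return scans
```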

Configuring Certificates

AppScan Enterprise requires its certificate to be stored in the ThreadFix web server's Java keystore. Users may run into a "...SunCertPathBuilderException: unable to find valid certification path to requested target..." error when:

  • Migrating to a new ThreadFix web server or AppScan Enterprise Server

  • Changing or updating the ThreadFix web server's Java installation

  • Clearing your ThreadFix web server's Java keystore


Please refer to our Adding Custom Root Certificates to AppSec Container documentation to resolve this issue.

Generating Scans

Please refer to our File documentation for steps on how to generate a scan using AppScan Enterprise.
