Comment: Fix screenshot formatting

📙 You will learn

Prerequisites

Audience: IT Professional or End User
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: N/A

Creating a Defect Tracker

Example Configuration Using JIRA

Creating a defect tracker in ThreadFix follows the same process for every supported tracker. The following example walks through the process using JIRA.

Set up Defect Tracker


Users must complete two actions before submitting a defect from ThreadFix. First create the defect tracker within ThreadFix, then attach the defect tracker to an application in ThreadFix.

Create a Defect Tracker

To set up JIRA as a defect tracker in ThreadFix:

  1. From the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page. Note: If a Defect Tracker is deleted from an application, it will also delete the previously created association to the JIRA defects.


  2. To create a new Defect Tracker, click the Create New Tracker button. A New Defect Tracker modal will appear. Complete the form using the credentials for a JIRA account; ensure that the Type dropdown list is set to JIRA.
    For JIRA Cloud customers who are using username and password:

    • For the Default Username, enter the JIRA profile's email address. For the Default Password, enter the profile's API token (create one, if it doesn't exist).

    The above is supported as of ThreadFix version 2.7.3; earlier versions don't support email usernames nor API authentication.

    • For On-Premise JIRA deployments that don't support API tokens, use username/password basic authentication; using the email address for the username is supported as of version 2.7.3.

    1. As of ThreadFix version 2.8.1, to configure a Jira Defect Tracker using username/password, select Basic Auth for Auth Type.

    2. Click the Get Product Names button. A Product Names drop-down will appear, populated with the products from the user's JIRA server. Select the product associated with the application and click the Create Defect Tracker button.

    Upon creation, validation of the URL takes place. If the URL is malformed, a "URL is invalid" error message will be received. If ThreadFix is unable to communicate with the JIRA instance because of a mistyped URL, a "URL is not associated with selected defect tracker" message will be received.

    Note

    Note to users utilizing Basic Auth

    Users who enter incorrect credentials multiple times while creating a JIRA defect tracker with Basic Auth will receive an error indicating “There was a problem connecting to Jira. Check if captcha is enabled…HTTP status was 500”. To resolve the error, users must manually log into their Jira instance then return to ThreadFix and complete creating the Jira defect tracker.
    Users creating a defect tracker using OAuth are not affected by the error mentioned above.
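
A pre-flight check for the Basic Auth note above, as an added example that is not ThreadFix or Atlassian code: it sends one request to JIRA's `/rest/api/2/myself` and classifies the answer, so a wrong password or a pending CAPTCHA is visible before the credentials are entered into ThreadFix. The header names `X-Seraph-LoginReason` and `X-Authentication-Denied-Reason` are assumed from JIRA Server behaviour; the host, account and sample responses are constructed.

```python
import base64
import urllib.error
import urllib.request

def basic_auth_header(username, secret):
    """Authorization value; on JIRA Cloud the secret is the API token."""
    raw = f"{username}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def classify(status, headers):
    """Map one JIRA response to ok / captcha_required / bad_credentials / error."""
    h = {k.lower(): v for k, v in headers.items()}
    # Assumed JIRA Server login headers; a server that omits them still works.
    if "CAPTCHA_CHALLENGE" in h.get("x-authentication-denied-reason", ""):
        return "captcha_required"  # log in through the browser, then continue
    reason = h.get("x-seraph-loginreason", "")
    if status in (401, 403) or reason in ("AUTHENTICATED_FAILED", "AUTHENTICATION_DENIED"):
        return "bad_credentials"   # correct the credentials before any new attempt
    return "ok" if status == 200 else "error"

def http_get(url, auth):
    """Send a single GET and return (status, headers), also for HTTP errors."""
    req = urllib.request.Request(
        url, headers={"Authorization": auth, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

def preflight(base_url, username, secret, send=http_get):
    """One authenticated request to /rest/api/2/myself; never retries."""
    url = base_url.rstrip("/") + "/rest/api/2/myself"
    return classify(*send(url, basic_auth_header(username, secret)))

# Constructed responses standing in for a live server (not captured traffic).
CAPTCHA = (403, {"X-Authentication-Denied-Reason":
                 "CAPTCHA_CHALLENGE; login-url=https://jira.example.test/login.jsp"})
DENIED = (401, {"X-Seraph-LoginReason": "AUTHENTICATED_FAILED"})
GOOD = (200, {"X-Seraph-LoginReason": "OK"})

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("denied", DENIED), ("captcha", CAPTCHA)):
        result = preflight("https://jira.example.test/", "svc-threadfix",
                           "constructed-secret", send=lambda u, a, r=resp: r)
        print(name, "->", result)
```

A `captcha_required` result corresponds to the situation in the note: log into the Jira instance manually first, then finish creating the tracker in ThreadFix.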

    Attach Defect Tracker

    1. Navigate to the details page of the application that needs a tracker attached to it. Once on the application’s detail page, click the Action drop-down button, highlight Manage Defect Trackers and select Edit Defect Trackers.


    2. The Manage Defect Trackers for Application <application name> page displays a list of attached defect trackers, if any.

    3. To attach a defect tracker to the application, click the Add Defect Tracker button. A modal dialogue will appear.

    4. For the Defect Tracker, from the drop-down list select the created JIRA Defect Tracker. Then either select the Use Default Credentials checkbox or fill in the Username and Password fields with the necessary credentials. The defaults are the credentials supplied when the Defect Tracker was created.

    5. If there is a default product defined in JIRA, users may select the Use Default Product checkbox. If not, or to select a different product, click the Get Product Names button. After JIRA verifies the credentials, a Product Name drop-down appears. Select the JIRA product that is associated with the application and click the Add Defect Tracker button.

    6. The added defect tracker will now appear in the Defect Trackers page.

    Submit Defects

    1. To submit a defect to the defect tracker, expand a section in an application's vulnerability tree. Either select the instance(s) of the vulnerability(ies) to submit to the tracker, or select the Check All checkbox to select all instances.

    2. Click on the lower Action button and highlight Create Defect, then select <defect tracker name>.

    3. A Submit Defect modal will appear; fill out the fields and click the Submit Defect button. A success message will appear at the top of the screen.

    4. Opening the vulnerability in the tree now shows these issues opened and assigned in the JIRA defect tracker.

    5. Clicking on the defect badge will open another window showing the defect in JIRA.

    Add to Existing Defect

    Users can add one or more vulnerabilities to an existing defect.

    1. Either select the instance(s) of the vulnerability(ies) or select the Check All checkbox to select all instances.

    2. Click on the lower Action button, highlight Add to Existing Defect and select <defect tracker name>.

    3. In the Add to Existing Defect modal, enter the defect ID and click the Submit Defect button.

    4. Just like when creating a new defect, ThreadFix will add a badge to the vulnerability(ies) with the defect ID and its status.

    Update Defect Status

    If the issue is closed in JIRA, users can request an update for the defects in ThreadFix on the application’s details page.

    1. Click on the upper Action button, highlight Manage Defect Trackers and select Update Defect Status.

    2. ThreadFix will get the current status of all defects submitted for the application and update the label accordingly if one or more defects are closed. Refresh the page to see the updated status.

    Creating a Defect Status Update Schedule

    Once one or more defect trackers are configured, users can create a schedule or schedules to automatically check their status for changes. This removes the need to manually update the defect status to see if an issue has been resolved by a development team or not.

    1. First, return to the Defect Trackers page: from the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.

    2. Select the Scheduled Updates tab and click the Schedule New Update button. This brings up a Defect Tracker Update modal which contains scheduling options.

    3. Select the time and frequency for when to run the status update check. Users can alternatively define a Cron expression. Click Add Scheduled Update to save it to the list of defect status update schedules.

    Optionally, an “Update status for deleted defects” checkbox is provided. If selected, this option will allow ThreadFix to update each defect, including marking deleted defects as “Issue not found”.

    Users may create as many schedules as desired; however, each one will run at the requested time. Some defect trackers require an API call per defect to determine status, so the user could inadvertently overwhelm their defect server if these are scheduled too frequently.

    Defect Profiles

    To help make the process of submitting a defect more efficient, users can create and use defect profiles which save the effort of filling out certain fields in the submission form. The following uses Jira as an example to create a profile that preselects the type of defect and fills out several fields. Note as of version 3.2 ThreadFix allows a maximum of 1024 Defect Profiles to be associated with a single defect tracker.

    1. From the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.

    2. Click the Show Default Profiles button; this will display a field for existing profiles and add a Create Profile button.

    3. Click the Create Profile button.

    4. Give the profile a name, select a product, then click Add new Default Profile.

      Note the Name field has a 25 character limit.

    5. Fill out the desired fields in the Set Defect Defaults form. Note tags can be used to help automate some of the content, like the severity, scanner vulnerability name, etc. (hover over the tags at the top for a description). When finished, click the Update Defaults button.

    A confirmation banner will display showing the defaults were updated for the specified defect profile, and the profile will be listed within the Profile list. Create more as necessary.

    To use a profile when submitting a defect, select it from the top pull-down menu, and the default values will appear in the form; edit as needed and submit the defect when done. Note the values corresponding with tags in the profile will appear in the form.


    Azure DevOps - Security Configuration

    In order to set up an integration between ThreadFix and Azure DevOps, a Personal Access Token is required.

    1. In Azure DevOps, click on the profile icon toward the top right of the screen and select Personal access tokens from the menu.

    2. From there create a Personal Access Token.

      Note: For the token’s Scope, you’ll need to select Full access.

    3. When creating the integration on the ThreadFix side, select Azure DevOps in the Type menu, enter the organization's http://visualstudio.com (or dev.azure.com) URL and credentials, then click the Get Product Names button to select the desired project. Note the username can be anything as long as the field is not left blank.

    Note 3.X supports pulling a maximum of 1000 projects for an organization.

    OAuth Support for JIRA - Security Configuration

    OAuth is supported for Jira as of version 2.8.1. Please note OAuth 2.0 is not yet supported.

    1. First configure Application links in JIRA to support OAuth. Then, within ThreadFix, navigate to Global → Administration → System Settings → Other Settings (tab) → OAuth Jira (heading). Provide the following details:

      1. Jira URL: URL of Jira where OAuth is configured.

      2. Consumer Key: The key assigned to JIRA by the service provider.

      3. Private Key: Signed Private Key.

    2. After providing the details, click on the Populate Authorization Token URL button. This will generate a temporary Authorization Token URL. Click on the "here" link in "For retrieving request token go to here and authorize it." This will expire in 10 minutes.

    3. The link navigates to a permission page in JIRA. Allow the permission.

    4. After allowing the permission, a verification code will be generated. Copy and paste the verification code into the Secret Key text field in ThreadFix and click on the Populate Access token button. A new Access token is generated and will be active for 5 years.

    Configuring Defect Tracker using Access Token

    Jira can be set up as a defect tracker in ThreadFix.

    1. From the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.

    2. To create a new Defect Tracker, click the Create New Tracker button and select JIRA as Type.

    3. Select OAuth Token for Auth Type. URL and Access Token will be automatically filled.

    4. Click the Get Product Names button. A Product Names dropdown will appear, populated with the products from the user’s JIRA server. Select the product associated with the application and click the Create Defect Tracker button.

    Upon creation, validation of the URL takes place. If the URL is malformed, a URL is invalid error message will display. If ThreadFix is unable to communicate with the JIRA instance because of a mistyped URL, a URL is not associated with selected defect tracker message will display.

    Attach Defect Tracker

    1. Navigate to the details page of the application that needs a tracker attached to it. Once on the application detail page, click the upper Action button and highlight Manage Defect Trackers and select Edit Defect Trackers.


    2. This will redirect to the Manage Defect Trackers for Application <application name> page, where attached defect trackers are listed, if any.

    3. To attach a defect tracker to the application, click the Add Defect Tracker button. A modal dialogue will appear. Choose JIRA as the Defect Tracker, then the Access Token will be automatically added to the text box.

    4. If a default product is defined in JIRA, select the Use Default Product checkbox. If not, or to select a different product, click the Get Product Names button. After JIRA verifies credentials, a Product Name dropdown appears.

    5. Select the JIRA product that is associated with your application and click the Add Defect Tracker button.

    The added defect tracker will now appear in the Manage Defect Trackers page.
