📙 You will learn
How to configure Black Duck with ThreadFix.
Prerequisites
Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A
Note: ThreadFix's use of the Black Duck hub-common library to authenticate and pull application, version and vulnerability information has been deprecated. API calls are now used in its place. To view information related to this deprecated content, please see the Deprecated - Black Duck Hub-common section at the bottom of this guide.
Introduction
As of version 2.8.4, ThreadFix no longer uses Black Duck's hub-common library to authenticate and pull application, version and vulnerability information; API calls are now used in its place.
Info: IMPORTANT: Connection Requirement. ThreadFix typically requires any secure external site to have its certificate imported into the security store before connecting. Follow the instructions here to do so:
Authentication
ThreadFix uses Black Duck's Access Token to authenticate and establish a connection with its service layer. This token is generated from the Profile Page of the target Black Duck instance.
Here's how to create your token:
1. Go to the Profile Page in Black Duck.
2. Scroll to the bottom to find the User Access Token section.
3. Enter a name.
4. Select at least Read access for the scope.
5. Click Generate.
6. Copy the resulting API Token to the clipboard and enter it into the Remote Providers section in ThreadFix.
Obtain Bearer Token/Authenticate
The following call is used to obtain the Bearer Token:
```bash
curl --location --request POST 'https://threadfixhub.blackducksoftware.com/api/tokens/authenticate' \
  --header 'Authorization: token {APIKEY}' \
  --header 'Accept: application/vnd.blackducksoftware.user-4+json'
```
Fetching Applications
Up to version 2.8.3, ThreadFix used Black Duck's ProjectService to pull down application info as ProjectViews, mapped as follows:
Native Name: Name of the Project in Black Duck.
Native Id: Name of the Project in Black Duck.
Version URL: Versions URL pulled from the ProjectView Meta Data.
Get Applications
The following call is used to fetch applications:
```bash
curl --location --request GET 'https://threadfixhub.blackducksoftware.com/api/projects' \
  --header 'Authorization: Bearer {bearerToken-generated}' \
  --header 'Accept: application/vnd.blackducksoftware.project-detail-4+json'
```
Fetching Versions
Up to version 2.8.3, ThreadFix used Black Duck's ProjectService to pull down this information as ProjectViews, mapped as follows:
Native Name: Name of the Project Version in Black Duck.
Native Id: Name of the Project Version in Black Duck.
Get Versions
The following call is used to fetch versions:
```bash
curl --location --request GET 'https://threadfixhub.blackducksoftware.com/api/projects/{{projectId}}/versions' \
  --header 'Authorization: Bearer {generatedAbove}' \
  --header 'Accept: application/vnd.blackducksoftware.project-detail-4+json'
```
Fetching Scans & Scan Dates
Up to version 2.8.3, ThreadFix used Black Duck's ProjectService to pull down this information as ProjectViews.
When ThreadFix ingests the results, they carry their created and modified dates. ThreadFix creates a new scan every time results are imported, using the lastScanDate as the Scan Date. This updates the current set of Black Duck vulnerabilities in the mapped ThreadFix Application. Vulnerabilities in different Versions of a Project in Black Duck map to their corresponding vulnerability in previous versions: they are reopened if they were reintroduced, closed if they are no longer present, or marked false positive if they have been deemed so.
When uploading a large amount of historical data from Black Duck into ThreadFix, it is strongly recommended to use Black Duck's Project Versions together with ThreadFix's Remote Provider Mapping to introduce the results chronologically; importing out of order produces inaccurate results in the final data set.
Get Scans & Scan Dates
As of version 2.8.4, ThreadFix no longer uses Black Duck's hub-common library to authenticate and pull application, version and vulnerability information. The following API call is now used to fetch scans:
Get Scans:
```bash
curl --location --request GET 'https://threadfixhub.blackducksoftware.com/api/projects/{{projectId}}/versions/{{versionId}}/vulnerable-bom-components' \
  --header 'Authorization: Bearer {generatedAbove}'
```
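The four calls above, built and sent in the order ThreadFix issues them, as an added Python example that is not ThreadFix's or Black Duck's own code. It assumes a hypothetical base URL, that the authenticate response carries the bearer token in a `bearerToken` field, and that list responses use `items`, `name`, `versionName` and `_meta.href` as in the raw finding JSON later in this guide. The TLS context is the programmatic counterpart of the certificate-import requirement noted in the Introduction (verification is never disabled), and `describe` masks both the long-lived Access Token and the bearer token before a request is logged.

```python
"""Added example (not ThreadFix's or Black Duck's own code): the request
sequence this guide lists, built with the standard library only."""
import json
import ssl
import urllib.request

# Accept headers exactly as quoted in the guide's curl examples.
ACCEPT_USER = "application/vnd.blackducksoftware.user-4+json"
ACCEPT_PROJECT = "application/vnd.blackducksoftware.project-detail-4+json"


def authenticate_request(base_url, api_key):
    """POST /api/tokens/authenticate, presenting the Access Token from the Profile Page."""
    return urllib.request.Request(
        f"{base_url}/api/tokens/authenticate",
        method="POST",
        headers={"Authorization": f"token {api_key}", "Accept": ACCEPT_USER},
    )


def projects_request(base_url, bearer):
    """GET /api/projects with the bearer token returned by the authenticate call."""
    return urllib.request.Request(
        f"{base_url}/api/projects",
        headers={"Authorization": f"Bearer {bearer}", "Accept": ACCEPT_PROJECT},
    )


def versions_request(base_url, bearer, project_id):
    """GET /api/projects/{projectId}/versions."""
    return urllib.request.Request(
        f"{base_url}/api/projects/{project_id}/versions",
        headers={"Authorization": f"Bearer {bearer}", "Accept": ACCEPT_PROJECT},
    )


def vulnerable_bom_request(base_url, bearer, project_id, version_id):
    """GET .../versions/{versionId}/vulnerable-bom-components (the 'scan' pull).
    The guide shows only the Authorization header for this call, so only that is sent."""
    return urllib.request.Request(
        f"{base_url}/api/projects/{project_id}/versions/{version_id}/vulnerable-bom-components",
        headers={"Authorization": f"Bearer {bearer}"},
    )


def describe(req):
    """Loggable summary of a request with the credential masked, so neither the
    Access Token nor the bearer token ends up in log files."""
    headers = {}
    for name, value in req.header_items():
        if name.lower() == "authorization":
            scheme = value.split(" ", 1)[0]
            value = f"{scheme} ****"
        headers[name] = value
    return {"method": req.get_method(), "url": req.full_url, "headers": headers}


def tls_context(ca_file=None):
    """Verify the Black Duck certificate against a CA bundle (or the system store).
    Equivalent of importing the site's certificate into the security store."""
    return ssl.create_default_context(cafile=ca_file)


def send_json(req, ctx):
    """Send one request and decode the JSON body (network access required)."""
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def fetch_bearer(base_url, api_key, ctx):
    """Exchange the Access Token for a bearer token. The 'bearerToken' field
    name is an assumption about the Black Duck response body."""
    return send_json(authenticate_request(base_url, api_key), ctx)["bearerToken"]


def pull_all(base_url, api_key, ca_file=None):
    """Walk projects -> versions -> vulnerable BOM components, yielding one
    (project name, version name, components) tuple per version. The 'items',
    'name', 'versionName' and '_meta.href' keys are assumed from the sample JSON."""
    ctx = tls_context(ca_file)
    bearer = fetch_bearer(base_url, api_key, ctx)
    for project in send_json(projects_request(base_url, bearer), ctx)["items"]:
        pid = project["_meta"]["href"].rstrip("/").rsplit("/", 1)[-1]
        for version in send_json(versions_request(base_url, bearer, pid), ctx)["items"]:
            vid = version["_meta"]["href"].rstrip("/").rsplit("/", 1)[-1]
            bom = send_json(vulnerable_bom_request(base_url, bearer, pid, vid), ctx)
            yield project["name"], version["versionName"], bom.get("items", [])
```

The request builders are pure functions, so the URLs and headers can be checked without a Black Duck instance; `pull_all` is the only part that touches the network.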
Get Remediation Guidance:
Note: The Black Duck call "/remediating" was deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade".
```text
/remediating
```
Import Options
As of version 3.1.1, a selection has been added that lets users import applications by Application or by Application Version, as seen below.
[Screenshot: import option selection]
Parsing Vulnerabilities
ThreadFix parses the VulnerableComponentViews pulled from Black Duck into a Finding-Dependency pair. Most of the component information is stored in the VulnerableComponentView, while the vulnerability information is stored in the VulnerabilityWithRemediationView within it.
Dependency:
CVE: If the Vulnerability Name pulled from the VulnerabilityWithRemediationView is a CVE, ThreadFix records it here.
Component File Path: Component Version Origin Id pulled from the VulnerableComponentView. The value is a combination of the Origin, Component Name and Component Version.
Component Name: Combination of the Component Name and Component Version Name pulled from the VulnerableComponentView.
Description: Description pulled from the VulnerabilityWithRemediationView.
Finding:
Native Id: Hashed together from Component Id, Component Version Id and Origin Id pulled from the Vulnerabilities URL stored in the VulnerableComponentView's Meta Data and the Vulnerability Name pulled from the VulnerabilityWithRemediationView.
Severity Code: Rounded down Base Score pulled from the VulnerabilityWithRemediationView.
Detail: Description pulled from VulnerabilityWithRemediationView.
CWE: Not always included, but when available it is pulled from the CWE Id in the VulnerabilityWithRemediationView.
Vulnerability Code: If a CWE Id is provided, it is used to categorize the finding using ThreadFix's Generic Vulnerability table. If not present, the finding is categorized as Configuration.
Created Date: Remediation Created At date pulled from the VulnerabilityWithRemediationView.
Modified Date: Remediation Updated At date pulled from the VulnerabilityWithRemediationView.
Vulnerability Statuses:
ThreadFix will not ingest findings with the following statuses, closing them if they were ingested in a previous scan:
Patched
Remediation Complete
Mitigated
ThreadFix will mark findings false positive if they have the following statuses:
Duplicate
Ignored
ThreadFix will ingest all other statuses as open findings.
Black Duck NativeId Calculation
Locating the values in use from the ThreadFix finding view:
[Screenshot: ThreadFix finding view]
Variables used for the nativeId calculation:
Reference (as named in the ThreadFix Finding view) = vulnerabilityWithRemediation.vulnerabilityName
In this example, reference = BDSA-2014-0129
URL = _meta.links.href where _meta.links.rel equals "vulnerabilities"
In this example, url = https://blackduck.integ.tfint.link/api/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/origin/0f27b4a4-a905-4d9c-9dba-19343cc3aed4/vulnerabilities
URL composition:
[Screenshot: URL composition]
The URL has the form /api/components/{ComponentId}/versions/{ComponentVersionId}/origin/{OriginId}/vulnerabilities. ThreadFix extracts only the IDs and MD5-hashes them together with vulnerabilityWithRemediation.vulnerabilityName (the "Reference" variable):
MD5(ComponentId + ComponentVersionId + OriginId + vulnerabilityWithRemediation.vulnerabilityName)
From this example: MD5(b75f622a-30da-46e4-a9c9-56f4ab75e22e253fc311-c695-4ec7-9a4b-79d8aedaa8400f27b4a4-a905-4d9c-9dba-19343cc3aed4BDSA-2014-0129)
Example final NativeId: 6da0ab747fd14da3eb5644ceb726ac08
Full "Raw Finding" JSON
```json
{
  "_meta": {
    "allow": [
      "GET",
      "PUT"
    ],
    "href": "https://blackduck.integ.tfint.link/api/projects/3e9f3598-a1f0-40e7-8daf-5812d402bb7f/versions/fefaf6b6-e65a-4a28-925c-3e462c37378e/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/vulnerabilities/BDSA-2014-0129/remediation",
    "links": [
      {
        "href": "https://blackduck.integ.tfint.link/api/projects/3e9f3598-a1f0-40e7-8daf-5812d402bb7f/versions/fefaf6b6-e65a-4a28-925c-3e462c37378e/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/origins/0f27b4a4-a905-4d9c-9dba-19343cc3aed4/matched-files",
        "rel": "matched-files"
      },
      {
        "href": "https://blackduck.integ.tfint.link/api/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/origin/0f27b4a4-a905-4d9c-9dba-19343cc3aed4/vulnerabilities",
        "rel": "vulnerabilities"
      }
    ]
  },
  "componentName": "Apache Commons BeanUtils",
  "componentVersion": "https://blackduck.integ.tfint.link/api/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840",
  "componentVersionName": "1.9.2",
  "componentVersionOriginId": "commons-beanutils:commons-beanutils:1.9.2",
  "componentVersionOriginName": "maven",
  "license": {
    "licenseDisplay": "Apache License 2.0",
    "licenses": [
      {
        "codeSharing": "PERMISSIVE",
        "license": "https://blackduck.integ.tfint.link/api/licenses/7cae335f-1193-421e-92f1-8802b4243e93",
        "licenseDisplay": "Apache License 2.0",
        "licenses": [],
        "name": "Apache License 2.0",
        "ownership": "OPEN_SOURCE"
      }
    ],
    "type": "DISJUNCTIVE"
  },
  "packageUrl": "pkg:maven/commons-beanutils/commons-beanutils@1.9.2",
  "vulnerabilityWithRemediation": {
    "baseScore": 9.8,
    "bdsaTags": [
      "RCE"
    ],
    "cweId": "CWE-184",
    "description": "Apache Commons BeanUtils introduced a fix for BDSA-2014-0001 (CVE-2014-0114), however did not enable the protections by default. A remote attacker could leverage this to cause code execution in applications that did not use the new security feature.",
    "exploitabilitySubscore": 3.9,
    "impactSubscore": 5.9,
    "overallScore": 9.1,
    "relatedVulnerability": "https://blackduck.integ.tfint.link/api/vulnerabilities/CVE-2019-10086",
    "remediationCreatedAt": "2023-02-08T14:41:45.578Z",
    "remediationCreatedBy": "sysadmin",
    "remediationStatus": "NEW",
    "remediationUpdatedAt": "2023-02-08T14:41:45.578Z",
    "remediationUpdatedBy": "sysadmin",
    "severity": "CRITICAL",
    "source": "BDSA",
    "vulnerabilityName": "BDSA-2014-0129",
    "vulnerabilityPublishedDate": "2019-08-21T14:57:06.992Z",
    "vulnerabilityUpdatedDate": "2022-06-13T15:27:31.088Z"
  }
}
```
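As an added Python example that is not ThreadFix's own code, the following reproduces the Finding/Dependency mapping from Parsing Vulnerabilities and the nativeId calculation above on the raw finding JSON: it selects the `_meta` link whose rel is `vulnerabilities`, extracts the three IDs from its path, MD5-hashes them with the vulnerability name, rounds the base score down, and applies the status rules. The sample dict is the page's JSON trimmed to the fields used. Two details are assumptions: the space separating name and version in Component Name, and that the API returns status values in upper snake case (`REMEDIATION_COMPLETE`), which the code normalises to the display names listed under Vulnerability Statuses. The guide gives 6da0ab747fd14da3eb5644ceb726ac08 as the nativeId for this record; running the block prints the value the formula yields.

```python
"""Added example (not ThreadFix's or Black Duck's own code): turns one
VulnerableComponentView, as returned by /vulnerable-bom-components, into the
Finding/Dependency pair described in this guide and computes the nativeId."""
import hashlib
import math
import re

# Path shape of the _meta link with rel == "vulnerabilities" (from the page's sample).
_VULN_LINK = re.compile(
    r"/api/components/([^/]+)/versions/([^/]+)/origin/([^/]+)/vulnerabilities/?$"
)
_CVE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)

# Status sets from the guide. Display names are compared after normalising the
# API's upper-snake-case enum values (assumption about the API's format).
CLOSED_STATUSES = {"Patched", "Remediation Complete", "Mitigated"}
FALSE_POSITIVE_STATUSES = {"Duplicate", "Ignored"}


def normalise_status(status):
    """'REMEDIATION_COMPLETE' -> 'Remediation Complete'."""
    return status.replace("_", " ").title()


def disposition_for(status):
    """What ThreadFix does with a finding carrying this remediationStatus."""
    name = normalise_status(status)
    if name in CLOSED_STATUSES:
        return "closed"  # not ingested; closed if seen in a previous scan
    if name in FALSE_POSITIVE_STATUSES:
        return "false_positive"
    return "open"


def extract_ids(vulnerabilities_url):
    """(ComponentId, ComponentVersionId, OriginId) from the vulnerabilities link."""
    m = _VULN_LINK.search(vulnerabilities_url)
    if not m:
        raise ValueError(f"unexpected vulnerabilities URL: {vulnerabilities_url}")
    return m.group(1), m.group(2), m.group(3)


def native_id_for(component_id, version_id, origin_id, vulnerability_name):
    """MD5(ComponentId + ComponentVersionId + OriginId + vulnerabilityName), no separators."""
    raw = component_id + version_id + origin_id + vulnerability_name
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def parse_vulnerable_component(view):
    """Return (dependency, finding) dicts for one VulnerableComponentView."""
    vwr = view["vulnerabilityWithRemediation"]
    name = vwr["vulnerabilityName"]
    link = next(l["href"] for l in view["_meta"]["links"] if l["rel"] == "vulnerabilities")
    cid, vid, oid = extract_ids(link)
    cwe = vwr.get("cweId")
    dependency = {
        "cve": name if _CVE.match(name) else None,
        "component_file_path": view["componentVersionOriginId"],
        # Space separator between name and version is an assumption.
        "component_name": f"{view['componentName']} {view['componentVersionName']}",
        "description": vwr["description"],
    }
    finding = {
        "native_id": native_id_for(cid, vid, oid, name),
        "severity_code": int(math.floor(vwr["baseScore"])),  # rounded down
        "detail": vwr["description"],
        "cwe": cwe,
        "vulnerability_code": cwe if cwe else "Configuration",
        "created_date": vwr["remediationCreatedAt"],
        "modified_date": vwr["remediationUpdatedAt"],
        "disposition": disposition_for(vwr["remediationStatus"]),
    }
    return dependency, finding


# Constructed sample: the page's raw finding JSON trimmed to the fields used above.
SAMPLE_VIEW = {
    "_meta": {"links": [
        {"href": "https://blackduck.integ.tfint.link/api/projects/3e9f3598-a1f0-40e7-8daf-5812d402bb7f/versions/fefaf6b6-e65a-4a28-925c-3e462c37378e/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/origins/0f27b4a4-a905-4d9c-9dba-19343cc3aed4/matched-files", "rel": "matched-files"},
        {"href": "https://blackduck.integ.tfint.link/api/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/origin/0f27b4a4-a905-4d9c-9dba-19343cc3aed4/vulnerabilities", "rel": "vulnerabilities"},
    ]},
    "componentName": "Apache Commons BeanUtils",
    "componentVersionName": "1.9.2",
    "componentVersionOriginId": "commons-beanutils:commons-beanutils:1.9.2",
    "vulnerabilityWithRemediation": {
        "baseScore": 9.8,
        "cweId": "CWE-184",
        "description": "Apache Commons BeanUtils introduced a fix for BDSA-2014-0001 (CVE-2014-0114), however did not enable the protections by default.",
        "remediationCreatedAt": "2023-02-08T14:41:45.578Z",
        "remediationStatus": "NEW",
        "remediationUpdatedAt": "2023-02-08T14:41:45.578Z",
        "vulnerabilityName": "BDSA-2014-0129",
    },
}

if __name__ == "__main__":
    dep, fnd = parse_vulnerable_component(SAMPLE_VIEW)
    print(dep)
    print(fnd)
```

Because the nativeId is built from the component, version and origin IDs plus the vulnerability name, the same vulnerability reported against a different origin or component version yields a different finding; that is what lets ThreadFix match findings across Project Versions and reopen, close or false-positive them as the status rules dictate.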