2.8.8.5 (August 2023)

| Warning |
|---|
| Note: As of ThreadFix version 2.8.9, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued. |

| Note |
|---|
| Users must be on 2.8.8 / 2.8.8.1 / 2.8.8.2 / 2.8.8.3 / 2.8.4 to upgrade to 2.8.8.5. Users interested in migrating to 3.3.4 from 2.X must upgrade to 2.8.8.5 first and then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process. |

ThreadFix 2.8.8.5 Download Release
ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

| Issue | Resolution |
|---|---|
| Qualys applications with over 100 open vulnerabilities do not automatically paginate scan results. | This issue has been addressed in 2.8.8.5. |
| ThreadFix’s integration with Black Duck ingests invalid Finding CVE data. | This issue has been addressed in 2.8.8.5. |
| When a user updates the File Upload location, any scans previously downloaded remain in the prior location. Note: This is not the same as when the File Upload location is removed/deleted. | This issue has been addressed in 2.8.8.5. |
| User receives a NullPointerException error when trying to update an application, via the Update Application API, that contains at least one unmapped vulnerability. | This issue has been addressed in 2.8.8.5. |
| For Acunetix 360 and Netsparker Enterprise, if the application is renamed on the scanner, the existing RemoteProviderApplication row is discarded even though the nativeId value persists. | This issue has been addressed in 2.8.8.5. |
| Error when a user tries to edit a JIRA defect tracker using a new, longer API token. | This issue has been addressed in 2.8.8.5. |
| When creating a JIRA Defect Tracker, the following error message is received: “Failure. Message was : ThreadFix encountered an error and could not complete the request. Please check the Error Messages page or server logs for more details.” | This issue has been addressed in 2.8.8.5. |
| When a Fortify on Demand microservice is scanned, it registers more vulnerabilities than actually exist. | This issue has been addressed in 2.8.8.5. |
2.8.8.4 (July 2023)

| Warning |
|---|
| Note: As of ThreadFix version 2.8.9, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued. |

| Note |
|---|
| Users must be on 2.8.8 / 2.8.8.1 / 2.8.8.2 / 2.8.8.3 to upgrade to 2.8.8.4. Users interested in migrating to 3.3.3 from 2.X must upgrade to 2.8.8.4 first and then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process. |

ThreadFix 2.8.8.4 Download Release
ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

- Performance enhancements
- UI improvements

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

| Issue | Resolution |
|---|---|
| An application can be associated with a deleted policy ID through an API call. | This issue has been addressed in 2.8.8.4. |
| User receives an “Invalid username/password combination” error when attempting to gather collections from a defect tracker in Azure DevOps. | This issue has been addressed in 2.8.8.4. |
2.8.8.3 (May 2023)

| Warning |
|---|
| Note: As of ThreadFix version 2.8.9, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued. |

| Note |
|---|
| Users must be on 2.8.8 / 2.8.8.1 / 2.8.8.2 to upgrade to 2.8.8.3. Users interested in migrating to 3.3.2 from 2.X must upgrade to 2.8.8.3 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process. |

ThreadFix 2.8.8.3 Download Release
ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

- Improvement in ThreadFix’s ability to reflect a finding’s hidden/unhidden status following multiple uploaded scans with the same finding
- UI performance enhancements
- Microservice Project support added for Fortify on Demand
- Improved SSVL scan import date validation. Note: ThreadFix will now only accept dates using 12-hour (AM/PM) formatting.
- Security updates

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

| Issue | Resolution |
|---|---|
| Unmapped Qualys WAS Findings are automatically upgraded/downgraded to a Severity level of 3 (Medium) without a channel vulnerability name. | This issue has been addressed in 2.8.8.3. |
| If multiple Dependency Track projects are mapped to a single ThreadFix application, bulk remote provider imports for the application may fail and not import vulnerability data if any of the Dependency Track projects has an older Last BOM Import date than the latest scan date for the ThreadFix application. | This issue has been addressed in 2.8.8.3. |
| The .threadfix file exports from the Assessment tab with incorrect Finding descriptions. | This issue has been addressed in 2.8.8.3. |
| The Date displayed in the Status section of Vulnerability Details does not reflect the user’s local time zone. | This issue has been addressed in 2.8.8.3. |
| User receives a "Jira Credentials are invalid" error when authenticating with Atlassian’s new, longer API tokens. | This issue has been addressed in 2.8.8.3. |
| Email notifications fail to send. | This issue has been addressed in 2.8.8.3. |
2.8.8.2 (February 2023)

| Note |
|---|
| Users must be on 2.8.7 or 2.8.8 to upgrade to 2.8.8.2. Users interested in migrating to 3.3.1 from 2.X must upgrade to 2.8.8.2 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process. |

ThreadFix 2.8.8.2 Download Release
ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

2.8.8 (January 2023)

| Note |
|---|
| Users interested in migrating to 3.3 from 2.X must upgrade to 2.8.8 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process. |

ThreadFix 2.8.8 Download Release
ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:

Ingestion Enhancements

- Fortify SSC/FoD/SCA imports have improved filter parsing to support more custom filters from Microfocus
- Contrast findings support greater specificity in filtering on finding types based on finding data
- SonarQube integration has been updated to support changes in their API

System Enhancements

- API support added for custom severity names
- Created a bulk export of all unmapped vulnerability types to a CSV file
- Additional bug fixes and security enhancements

Addressed Reported Issues

| Issue | Resolution |
|---|---|
| In some instances, ThreadFix license expiration reminders can repeatedly post to the logs and create performance issues. | The frequency of reminders has been adjusted to once per user login. |
| Importing LDAP users fails if any user has a Title field containing over 60 characters. | The limit has been increased to 128 characters. |
| The Upload Scan API and Multiple File Scan Upload API calls return an un-versioned href. | The Upload Scan API and Multiple File Scan Upload API have been updated. |
| The 2.X to 3.X migration process fails if the database for the Burp channel contains a channel vulnerability with a non-numerical code. | This has been addressed in 2.8.8. |
| SonarQube has removed the concept of organizations from their codebase as of v8.7. | As of version 2.8.8, ThreadFix only supports importing Hotspot findings with the SonarQube v8 (8.9) and v9 configurations. |
2.8.7 (September 2022)

| Note |
|---|
| Users interested in migrating to 3.2 from 2.X must upgrade to 2.8.7 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process. |

ThreadFix 2.8.7 Download Release
ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:

Integration Enhancements

- The following remote providers now ingest and store CVSS values: Acunetix 360, Black Duck, Netsparker, NowSecure, and WhiteHat Sentinel Source
- Checkmarx can now ingest additional scanner detail and scanner recommendations for findings
- Improved SonarQube severity mappings
- The maximum number of Defect Profiles that can be associated with a single defect tracker has been increased to 1024
- Improvement to Fortify SSC findings filtering

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues and Security Updates

- Fixed intermittent import errors with Acunetix 360/Netsparker
- Resolved ASoC integration errors on import
- Improvement to UI messaging indicating when all remote providers have been mapped
- Improvement to UI messaging indicating when an invalid scanId was used
- The ThreadFix UI Help button now directs to the Coalfire Support Portal
- ThreadFix’s data retention behavior has been updated so that all files are properly deleted when the File Upload Location is disabled

| Issue | Resolution |
|---|---|
| When trying to update Jira Defect Tracker integration credentials, a 403 error is received with the following message: “Failure. Message was : The defect tracker URL is not valid." | Resolved JIRA connection issue. |
| A "You don't have permission for this team." error is received when attempting to move an application to another team using the Update Application API, even with an Administrator Global role. | The Update Application API has been updated to address the permissions error, allowing the application to be successfully moved. |
| A user without read access could view all policy data for an application. | The Policies tab in ThreadFix has been updated to address the information disclosure. |
| When importing Veracode scans, if a RestIOException is received, scan data would not process and could be lost. | Resolved handling of the exception. |
| ThreadFix files incorrectly export with a filename of null instead of the associated application’s name. | A fix has been provided to ensure the ThreadFix files correctly export with the associated application’s name. |
| Error importing Contrast cloud scans. | Resolved imports failing for certain Ruby applications. |
2.8.6.1 (July 2022)

| Note |
|---|
| Migration from 2.8.5.1 to 3.1.2 is currently not supported. Users interested in migrating to 3.1.2 should upgrade to 2.8.6.1 first, then continue with the 2.X to 3.X Migration process. |

ThreadFix 2.8.6.1 Download Release

Key Update / Version Feature Change

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below. To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

| Issue | Resolution |
|---|---|
| SonarQube findings listed as Blocker and/or Critical are downgraded to Critical/High respectively, causing them to be incorrectly ingested within ThreadFix. | The SonarQube remote provider integration’s logic has been updated to address the incorrect severity issue. |
| A "You don't have permission for this team." error is received when attempting to move an application to another team using the Update Application API, even with an Administrator Global role. | The Update Application API has been updated to address the permissions error, allowing the application to be successfully moved. |
2.8.6 (April 2022)

| Warning |
|---|
| The National Vulnerability Database has identified a high-risk exploit, Spring4Shell, which affects applications running Tomcat as a WAR deployment. For more information refer to CVE-2022-22965. In response, Coalfire has tested ThreadFix to assess risk and mitigation options. Users should update their version of Tomcat to the latest version in addition to upgrading to ThreadFix version 2.8.6, which further mitigates the risk of exposure and provides an additional security enhancement. At a minimum, ThreadFix recommends all users update their version of Tomcat to version 8.5.78 to safeguard against exposure. |

| Note |
|---|
| Migration from 2.8.5.1 to 3.1.1 is currently not supported. Users interested in migrating to 3.1.1 should upgrade to 2.8.6 first, then continue with the 2.X to 3.X Migration process. |

Key Updates

New/Updated API

- New Fetch Applications and Get Scans API calls for the Contrast Remote Provider
- The Get Application by Name and Get Application in a Team by Unique ID calls have been merged into Get Application by Name or Unique ID

General Improvements

Feature Changes

Note the following changes to features with the introduction of ThreadFix 2.8.6:

Deprecated and Removed

For other REST API updates, refer to the Change Log.

2.8.5.1 (January 2022)

| Note |
|---|
| Migration from 2.8.5.1 to 3.1 is currently not supported. Users interested in migrating to 3.1 should upgrade to 2.8.4 first, then continue with the 2.X to 3.X Migration process. |

ThreadFix 2.8.5.1 Download Release

This release includes key updates to account for the log4j vulnerability. Users will need to perform a deployment update.

Key Updates

Deployment Update

2.8.5 (December 2021)

| Note |
|---|
| Migration from 2.8.5 to 3.1 is currently not supported. Users interested in migrating to 3.1 should upgrade to 2.8.4 first, then continue with the 2.X to 3.X Migration process. |

Key Updates

- Added additional fields to the Application API to enable greater automation
- Added new QualysWAS mappings
- Added support for Analysis Type filters from Fortify
- Black Duck now uses Overall Score for severity mapping instead of Base Score

General Improvements

- Performance improvements to the API for Import Remote Provider Scans for Applications
- Performance improvements to the loading of the Application Detail page
- Performance improvements to the loading of the Portfolio page
- Bug fixes
2.8.4 (May 2021)

Key Updates

2.8.3.1 (February 2021)

Security Updates

Key Feature Updates

General Improvements

2.8.3 (January 2021)

Key Updates

- Comprehensive time zone management updates in ThreadFix
- Fortify on Demand no longer imports Fixed or Suppressed findings
- Introduced support for the Acunetix 360 Remote Provider and Acunetix Premium exports
- Improvement to the Jenkins plugin
- Added CVSS Score and Vulnerability IDs as dynamic Defect Tracker profile values
- Checkmarx Remote Provider microservice mapping performance improvement

General Improvements

- API performance improvements
- Vulnerability Trending report improvements
- Portfolio UI improvements for large-scale deployments
- UI performance enhancements
- Bug fix for graphs displayed on PDF exports
- General bug fixes and improvements
2.8.2 (September 2020)

| Warning |
|---|
| Do Not Upgrade Without Reading This First! Adjusted vulnerability Open/Close Time to be Scan Date instead of Updated Date. To preserve historic reporting, no existing data will be retroactively changed. If you would like to have your historic data migrated to match the new date ingestion logic, please open a support ticket to request a migration script. Logic changes have been made to enforce vulnerability status uniqueness. Any vulnerabilities with multiple statuses will have their statuses updated in the migration to 2.8.2. For additional information please review here. |

Key Updates

- Vulnerability statuses are now mutually exclusive
- WhiteHat mobile data support
- Checkmarx enhanced finding tracking
- Portfolio page now reflects ThreadFix Pen Tests as Assessments
- WebInspect findings details expanded
- Portfolio Application View pagination
- Most Vulnerable Applications report grouping
- Significant performance improvements to the Team delete function
- Time to Remediate Policies now allow for per-vulnerability exceptions
- Veracode Remote Provider import includes SCA data
- NowSecure Remote Provider integration

General Improvements

- Filter on mobile vulnerability data
- Improved error messaging
- WhiteHat integration respects the Out of Scope status
- LDAP login supports additional user attributes
- Netsparker Enterprise enhancements
- Time to Remediate notification improvements
- File attachment usability improvements
- Updated 3rd party dependencies and other security improvements
- Other enhancements and bug fixes

2.8.1 (Jun '20)

- Added OAuth support for Jira Defect Tracker integration
- Improved parsing of scan data from AppScan Enterprise and Fortify SSC
- Other enhancements and bug fixes

2.8 (May '20)

New/Improved Functionality:

- velocityTemplates/policyReport.vm update. NOTE: If upgrading your deployment, use the new file instead of the previous one.
- UI update to align with ThreadFix 3 (**be aware this will drop support for IE 11**)
- Added Penetration Test functionality (this replaces our current manual finding feature)
- Updated our Version tags to treat their date as the release date of that version (current version tags will be recalculated based on this change)
- Added Time to Remediate functionality
- Added filter functionality to search for dynamic, static, and dependency vulnerabilities
- CWE v4 mappings
- Added Finding Type filter
- Added Manage Filters page
- Performance improvements for trend graphs, group management and application deletes
- Added Dependency pivot for vulnerability tree
- Added Dependency findings to the OWASP Top 10 report
- Capability to allow admins to delete comments
- Report caching for the Dashboard
- Ability to set the default landing page
- Ability to capture history when a vulnerability’s severity is changed by a user
- Default Pivot changed to Severity by Issue Type
- Over 100 other enhancements and bug fixes!

New/Improved Integrations:

- Added SonarQube remote provider support
- Added Fortify on Demand mappings
- Added support for Veracode SCA findings
- Added ability to view Remote Provider AppID on the Finding Details page for microservice traceability
- Defects deleted in an outside defect tracker will now be reflected in ThreadFix
- Added TFS collections support for the Microsoft TFS Defect Tracker
- Added support for non-vulnerable version information from Black Duck
- Added Kiuwan as a supported scanner type
- Added Rally Workspace list to Rally options