Deprecated

As of ThreadFix 2.8 this feature has been replaced with the Pen Test feature (/wiki/spaces/TDOC/pages/952565799). For all manual vulnerability submissions in ThreadFix 2.8 or later, please refer to that documentation page.

Importing vulnerabilities from scanner files is quick and convenient, but ThreadFix also allows you to easily add manual vulnerabilities to your applications for tracking. This guide details the process for creating static or dynamic findings and how you can interact with these vulnerabilities once you have created them.

Creating Manual Findings

Via the Web UI

The first thing you will want to do is navigate to your application's detail page. Click 'Teams', then your application's name.

Once on the application detail page, click the 'Action' dropdown next to your application's name and select 'Add Manual Finding'.

Here, you choose whether your manual finding is 'Static' or 'Dynamic' and fill out the appropriate fields.

Examples:

  • Dynamic finding: [screenshot of the 'Dynamic' manual finding form]

  • Static finding: [screenshot of the 'Static' manual finding form]

Field descriptions:

  • The 'CWE' is the Common Weakness Enumeration category that best represents the weakness you have discovered.

    • If the finding does not map to a CWE, you may leave it blank.

  • The 'Description' provides helpful detail about the specific vulnerability detected.

  • The remaining fields record exactly where the weakness was observed. They differ between static and dynamic findings, which is why you select the type first.

Click the 'Submit Finding' button. You will see a success message stating that a manual finding has been added to the application.

Via the REST API

You can likewise create manual findings via the REST API ("Add Manual Finding" call); see the ThreadFix REST API documentation for the full parameter list.

Note

In order to create a manual finding without a CWE, use None as the vulnType.

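The following is an added example, not code from this page or from the ThreadFix project, showing how a client would assemble and submit a manual finding over REST, including the vulnType=None rule from the note above. The endpoint path (/rest/applications/{appId}/addFinding), the apiKey query parameter and the form field names (vulnType, longDescription, severity, isStatic, fullUrl, path, parameter, filePath, lineNumber, lineText) are assumptions taken from the ThreadFix 2.x REST API reference, so confirm them against the documentation for your release before relying on them.

```python
"""Submit a ThreadFix manual finding over REST (added example, not project code).

Assumed, not stated on this page: ThreadFix 2.x exposes
POST /rest/applications/{appId}/addFinding, authenticates with an apiKey
query parameter, and accepts the form fields used below.
"""
import json
import os
import ssl
import urllib.parse
import urllib.request
from typing import Optional


def build_manual_finding(description: str, severity: str, *,
                         cwe: Optional[int] = None, static: bool = False,
                         url: str = "", parameter: str = "",
                         file_path: str = "", line_number: Optional[int] = None,
                         line_text: str = "") -> dict:
    """Return the form fields for one manual finding.

    A finding with no CWE must send the literal string "None" as vulnType
    (the rule from the note above). Dynamic findings carry a URL and
    parameter, static findings a file path and line, mirroring the two
    forms offered in the web UI.
    """
    fields = {
        "vulnType": "None" if cwe is None else str(cwe),
        "longDescription": description,
        "severity": severity,                     # value set is assumed
        "isStatic": "true" if static else "false",
    }
    if static:
        if not file_path:
            raise ValueError("a static finding needs a file path")
        fields["filePath"] = file_path
        if line_number is not None:
            fields["lineNumber"] = str(line_number)
        if line_text:
            fields["lineText"] = line_text
    else:
        if not url:
            raise ValueError("a dynamic finding needs a URL")
        fields["fullUrl"] = url
        fields["path"] = urllib.parse.urlparse(url).path or "/"
        if parameter:
            fields["parameter"] = parameter
    return fields


def encode_form(fields: dict) -> bytes:
    """URL-encode the fields as an application/x-www-form-urlencoded body."""
    return urllib.parse.urlencode(fields).encode("utf-8")


def submit_manual_finding(base_url: str, app_id: int, api_key: str,
                          fields: dict, timeout: float = 30.0) -> dict:
    """POST the finding and return the parsed JSON reply.

    The key travels in the query string (assumed 2.x behaviour), so only
    use https:// base URLs and keep the key out of shell history and logs.
    Certificate verification is left on deliberately.
    """
    query = urllib.parse.urlencode({"apiKey": api_key})
    endpoint = f"{base_url.rstrip('/')}/rest/applications/{app_id}/addFinding?{query}"
    req = urllib.request.Request(endpoint, data=encode_form(fields), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a reflected XSS seen in the 'q' parameter.
    finding = build_manual_finding(
        "Reflected XSS: the q parameter is echoed into the page unencoded.",
        "High", cwe=79,
        url="https://app.example.com/search?q=1", parameter="q")
    reply = submit_manual_finding(os.environ["THREADFIX_URL"],
                                  int(os.environ["THREADFIX_APP_ID"]),
                                  os.environ["THREADFIX_API_KEY"], finding)
    print(json.dumps(reply, indent=2))
```

Run it with THREADFIX_URL, THREADFIX_APP_ID and THREADFIX_API_KEY set in the environment; passing cwe=None produces the vulnType=None form the note describes, and the two ValueError checks stop a finding from being filed without the location fields the UI would require.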

Viewing Manual Findings

Now that you have created a manual finding, you will be able to view it in the vulnerability tree towards the bottom of your application's detail page.

The boxed icons in the picture above will allow you to (from left to right) view comments, supporting file attachments, and attack paths for the finding.


Clicking 'View More' will bring you to a Vulnerability Details page that gives you options for editing your manual finding, adding comments to it, or attaching supporting files. This page also provides a good overview of the finding and its associated vulnerability type.


The 'View Finding' link will bring you to a page with information specifically about your manual finding.


Additionally, any manual findings that you add to an application on a given day will also be collected under the 'Scans' tab on your application's detail page as a manual scan.
