Info: Deprecated. As of ThreadFix 2.8 this feature has been replaced with the Pen Test feature (/wiki/spaces/TDOC/pages/952565799). For all manual vulnerability submissions in ThreadFix 2.8 or later, please refer to that documentation page.
Importing vulnerabilities from scanner files is quick and convenient, but ThreadFix also allows you to easily add manual vulnerabilities to your applications for tracking. This guide details the process for creating static or dynamic findings and how you can interact with these vulnerabilities once you have created them.
Creating Manual Findings
Via the Web UI
The first thing you will want to do is navigate to your application's detail page. Click 'Teams', then your application's name.
Once on the application detail page, click the 'Action' dropdown next to your application's name and select 'Add Manual Finding'.
Here, you choose whether your manual finding is 'Static' or 'Dynamic' and fill out the appropriate fields.
Examples:
Dynamic finding (screenshot)
Static finding (screenshot)
Field descriptions:
The 'CWE' is the vulnerability category that best represents the threat that you have discovered.
If the finding is not associated with a CWE, you may leave it blank.
The 'Description' provides helpful information about the specific vulnerability detected.
The rest of the fields allow you to specify where exactly the threat was observed.
Click the 'Submit Finding' button. You will see a success message stating that a manual finding has been added to the application.
Via the REST API
You can likewise create manual findings via the REST API ("Add Manual Finding" call). More info here.
Note: To create a manual finding without a CWE, use None as the vulnType.
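The following is an added example of a small client for that call, not ThreadFix's own code. It assumes the ThreadFix 2.x endpoint POST /rest/applications/{appId}/addFinding, the form parameters vulnType, long_description, severity, nativeId, parameter, fullUrl, path, filePath, column, lineText and lineNumber, the apiKey query parameter, and a JSON response carrying success/message fields; the host name, application id and key below are placeholders. Check all of these against the API documentation for your ThreadFix version. The example validates that a static finding only carries file-location fields and a dynamic one only URL fields, and maps a missing CWE to the literal string None as the note above requires.

```python
"""Submit a manual finding to ThreadFix through its REST API (added example).

Endpoint path, parameter names and response shape are assumptions based on
the ThreadFix 2.x REST API and must be verified against your version's docs.
"""
import json
import urllib.parse
import urllib.request

# Location fields accepted for each finding type (assumed parameter names).
DYNAMIC_FIELDS = {"fullUrl", "path"}
STATIC_FIELDS = {"filePath", "column", "lineText", "lineNumber"}
# Fields that apply to either type.
COMMON_FIELDS = {"nativeId", "parameter"}
SEVERITIES = {"Critical", "High", "Medium", "Low", "Info"}


def build_finding(is_static, vuln_type=None, description="", severity="Medium", **location):
    """Return the form fields for one manual finding after validating them.

    vuln_type is the CWE number; None becomes the literal string "None", which is
    how ThreadFix marks a finding with no CWE. Location keyword arguments must
    match the finding type, so a static finding never carries a URL and a
    dynamic finding never carries a file path.
    """
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    allowed = (STATIC_FIELDS if is_static else DYNAMIC_FIELDS) | COMMON_FIELDS
    unknown = set(location) - allowed
    if unknown:
        kind = "static" if is_static else "dynamic"
        raise ValueError(f"fields not valid for a {kind} finding: {sorted(unknown)}")
    fields = {
        "vulnType": "None" if vuln_type is None else str(int(vuln_type)),
        "long_description": description,
        "severity": severity,
    }
    fields.update({k: str(v) for k, v in location.items() if v is not None})
    return fields


def finding_endpoint(base_url, app_id, api_key):
    """Build the addFinding URL for an application.

    ThreadFix 2.x reads the key from the apiKey query parameter (assumption).
    A key in the query string also ends up in web-server and proxy logs, so only
    call this over HTTPS and issue the key to a low-privilege ThreadFix user.
    """
    query = urllib.parse.urlencode({"apiKey": api_key})
    return f"{base_url.rstrip('/')}/rest/applications/{int(app_id)}/addFinding?{query}"


def submit_finding(base_url, app_id, api_key, fields, timeout=30):
    """POST the form fields and return the decoded JSON response.

    Network call; not exercised offline. ThreadFix answers with a JSON object
    whose "success" flag and "message" text are checked here (assumed shape).
    """
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        finding_endpoint(base_url, app_id, api_key), data=data, method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = json.loads(resp.read().decode())
    if not body.get("success"):
        raise RuntimeError(f"ThreadFix rejected the finding: {body.get('message')}")
    return body


if __name__ == "__main__":
    # Constructed sample values; replace with your ThreadFix URL, app id and key
    # and call submit_finding(...) to actually create the finding.
    dynamic = build_finding(
        False, vuln_type=79, description="Reflected XSS in search form",
        severity="High", fullUrl="https://app.example/search", path="/search",
        parameter="q",
    )
    static = build_finding(
        True, description="Finding without a CWE", severity="Low",
        filePath="src/main/java/Config.java", lineNumber=42,
    )
    print(finding_endpoint("https://threadfix.example", 12, "PLACEHOLDER_API_KEY"))
    print(dynamic)
    print(static)
```

Each finding you add this way is listed in the UI exactly like one entered through the form, and the day's API submissions are grouped under the 'Scans' tab as a manual scan (see Viewing Manual Findings below).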
Viewing Manual Findings
Now that you have created a manual finding, you will be able to view it in the vulnerability tree towards the bottom of your application's detail page.
The boxed icons in the picture above will allow you to (from left to right) view comments, supporting file attachments, and attack paths for the finding.
Clicking 'View More' will bring you to a Vulnerability Details page that gives you options for editing your manual finding, adding comments to it, or attaching supporting files. This page also provides a good overview of the finding and its associated vulnerability type.
The 'View Finding' link will bring you to a page with information specifically about your manual finding.
Additionally, any manual findings that you add to an application on a given day will also be collected under the 'Scans' tab on your application's detail page as a manual scan.