📙 You will learn
How to map severity types and user customized text to vulnerabilities.
Prerequisites
Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A
Users can configure severities for CWE types, such as "all XSS vulnerabilities are now Critical." Users can also configure custom remediation text for a CWE that will be included in any defects submitted for that vulnerability.
Severity Mappings
Severity Mappings in ThreadFix give the administrator the ability to remap vulnerabilities to standard CWE types.
First, click on the Application menu from the Navigation sidebar and click on the Customize submenu. Click on ThreadFix Vulnerability Types and from the Severity Mappings tab click on the Create New Mapping button. This brings up a modal dialog for the mapping.
Start typing, for example, "CSRF" into the Source Vulnerability Type field and a dropdown with CWE types that match the text will appear.
In the Target Severity Type field, users will see the severity types for applications available to apply to the chosen vulnerability: High, Low, Medium, Critical, Info and Ignore.
Setting the severity to Ignore will cause all vulnerabilities with the selected CWE to have a status of Hidden; they will thus not be included in the vulnerability count. View these in a vulnerability tree by expanding the Field Controls filter and checking the Hidden box within the Status section. To undo this change, simply delete the mapping created above (click Edit/Delete and then Delete).
Click the Save Mapping button and the newly created mapping will display in the Vulnerability Type (CWE) list.
Custom Severity Text
An administrator can add custom text to vulnerability types as well. These could be general notes, instructions to developers, or any useful information for that particular vulnerability. This custom text will be included in any defects submitted for that vulnerability.
To set custom text for a vulnerability, first click the Custom Text tab and click the Set Custom Text button. This will display a modal dialog.
As in the mappings section, begin typing the name of the vulnerability to be presented with matching CWE types. Select the vulnerability that requires custom text. Next, type in the desired text to be added.
Click the Set Custom Text button. This saves the text and attaches it to the vulnerability. Next to the newly added entry is an Edit/Delete button which allows for editing or removal of custom text entries.