Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers.

For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API


Coverity User Account

Ensure that the Coverity account used for the ThreadFix integration has admin role/privilege on the Coverity side.


List of SOAP API requests that ThreadFix uses for the Coverity Remote Provider integration

  • Scans: defectservice#getMergedDefectsForProjectScope
  • Findings: defectservice#getStreamDefects
  • Projects: configurationservice#getProjects


Parsing Vulnerabilities

Fields parsed and mapped from Coverity to ThreadFix:

  • defectStateAttributeValues.DefectStatus -> used to determine vuln open / closed
  • defectStateAttributeValues.Classification -> used to determine false positive
  • defectStateAttributeValues.Comment -> comment
  • defectStateAttributeValues.Severity -> severity
  • defectInstances.longDescription -> long description
  • defectInstances.cwe -> cwe
  • defectInstances.checkerName -> vuln code
  • defectInstances.events.lineNumber -> dataflow line number
  • defectInstances.events.eventNumber -> dataflow sequence index
  • defectIntances.events.fileId -> dataflow file name


Vulnerability Statuses

ThreadFix will mark findings False Positive if they have False Positive status in Coverity.

ThreadFix will not ingest findings with fixed status, closing them if they were ingested in a previous scan.


Default Severity Mappings

  • Unspecified -> Info
  • Major -> High
  • Moderate -> Medium
  • Minor -> Low
  • No labels

[www.threadfix.it] | [www.coalfire.com]
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.