As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.

📙 You will learn

How to generate a Fortify Audit Workbench report and upload it to ThreadFix.

Prerequisites

Audience: IT Professional
Difficulty: Basic
Time needed: Approximately 10 minutes
Tools required: N/A

Generate Results

  1. After launching Audit Workbench, select Scan Java Project...:

  2. Select the directory containing the Java Project to be scanned and click OK:

  3. Select the version of Java the project uses and click OK:

  4. Select the appropriate options for the project (the defaults work for a majority of projects) and select Scan:

  5. After the scan has finished, from the File menu select Save Project As... and save the results to the desired directory:

Filter Set

To see all vulnerabilities within Audit Workbench before uploading them to ThreadFix, go to Tools > Project Configuration > Filter sets and make “Security auditor view” the default filter set before saving.

Upload Results

  1. After generating a report, log in to ThreadFix and navigate to the Portfolio page, found on the Navigation sidebar under the Application sub-menu.

  2. Expand the Team the report will be uploaded to:

  3. After picking one of the Team's applications, select Upload Scan and drag the report into the pane:

  4. Once ThreadFix finishes processing the report, the results can be viewed on the individual application's page:

Finding Status Processing

The following list indicates how finding statuses from Fortify are marked within ThreadFix when ingesting a scan:

  • Not an issue or Suppressed - False Positive

  • Exploitable or Need more information - Open

  • Hidden - not ingested into ThreadFix
