As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.


📙 You will learn

How to configure Black Duck with ThreadFix.

Prerequisites

Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A

ThreadFix’s use of the Black Duck hub-common library to authenticate and pull application, version and vulnerability information has been deprecated. API calls are now used in its place. To view information related to this deprecated content, please see the Deprecated - Black Duck Hub-common section at the bottom of this guide.

IMPORTANT: Connection Requirement

ThreadFix typically requires that any secure external site have its certificate imported into the security store before a connection is made. Follow the instructions here to do so:

Adding Custom Root Certificates to AppSec Container

Authentication

ThreadFix uses a Black Duck Access Token to authenticate and establish a connection with the Black Duck service layer. This token is generated from the Profile Page of the target Black Duck instance.

Here's how to create your token:

  1. Go to the Profile Page in Black Duck.

  2. Scroll to the bottom to find the User Access Token section.

  3. Enter a name.

  4. Select at least Read access for the scope.

  5. Click Generate.

  6. Copy the resulting API Token to the clipboard and enter it into the Remote Providers section in ThreadFix.

Obtain Bearer Token/Authenticate

The following call is used to get the Bearer Token:

/api/tokens/authenticate

Get Applications

The following call is used to get applications:

/api/projects

Get Versions

The following call is used to get versions:

/api/projects/{{projectId}}/versions

Get Scans & Scan Dates

ThreadFix no longer uses Black Duck's hub-common library to authenticate and pull application, version and vulnerability information. The following API call is now used to fetch scans:

Get Scans:

/api/projects/{{projectId}}/versions/{{version}}/vulnerable-bom-components


Get Remediation-Guidance:

The Black Duck call "/remediating" has been deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade".

/remediating


Import Options

As of 3.1.1, a selection has been added that lets users choose whether to import applications by Application or by Application Version.

Parsing Vulnerabilities

ThreadFix parses the VulnerableComponentViews pulled from Black Duck into a Finding-Dependency pair. Most of the component information is stored in the VulnerableComponentView, while the vulnerability information is stored in the VulnerabilityWithRemediationView within it.

Dependency:

  • CVE: If the Vulnerability Name pulled from the VulnerabilityWithRemediationView is a CVE, ThreadFix records it here.

  • Component File Path: Component Version Origin Id pulled from the VulnerableComponentView. The value is a combination of the Origin, Component Name and Component Version.

  • Component Name: Combination of the Component Name and Component Version Name pulled from the VulnerableComponentView.

  • Description: Description pulled from the VulnerabilityWithRemediationView.

Finding:

  • Native Id: Hashed together from Component Id, Component Version Id and Origin Id pulled from the Vulnerabilities URL stored in the VulnerableComponentView's Meta Data and the Vulnerability Name pulled from the VulnerabilityWithRemediationView.

  • Severity Code: Rounded down Base Score pulled from the VulnerabilityWithRemediationView.

  • Detail: Description pulled from VulnerabilityWithRemediationView.

  • CWE: Not always included, but when available it is pulled from the CWE Id in the VulnerabilityWithRemediationView.

  • Vulnerability Code: If a CWE Id is provided, it is used to categorize the finding using ThreadFix's Generic Vulnerability table. If not present, the finding is categorized as Configuration.

  • Created Date: Remediation Created At date pulled from the VulnerabilityWithRemediationView.

  • Modified Date: Remediation Updated At date pulled from the VulnerabilityWithRemediationView.

Vulnerability Statuses:

ThreadFix will not ingest findings with the following statuses, closing them if they were ingested in a previous scan:

  • Patched

  • Remediation Complete

  • Mitigated

ThreadFix will mark findings false positive if they have the following statuses:

  • Duplicate

  • Ignored

ThreadFix will ingest findings with any other status as open findings.

BlackDuck NativeId Calculation

Locating the values in use from the Threadfix finding view:

Variables used for nativeId calculation:

  • Reference (as named in the ThreadFix Finding view) = vulnerabilityWithRemediation.vulnerabilityName
    In this example reference = BDSA-2014-0129.

  • URL = _meta.links.href where _meta.links.rel equals "vulnerabilities"
    In this example url = https://blackduck.integ.tfint.link/api/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/origin/0f27b4a4-a905-4d9c-9dba-19343cc3aed4/vulnerabilities

URL composition:


ThreadFix extracts only the three IDs from this URL and MD5-hashes them together with vulnerabilityWithRemediation.vulnerabilityName (the "Reference" variable):

MD5(ComponentId + ComponentVersionId + OriginId + vulnerabilityWithRemediation.vulnerabilityName)

From this example:
MD5(b75f622a-30da-46e4-a9c9-56f4ab75e22e253fc311-c695-4ec7-9a4b-79d8aedaa8400f27b4a4-a905-4d9c-9dba-19343cc3aed4BDSA-2014-0129)

Example final NativeId:
6da0ab747fd14da3eb5644ceb726ac08

Full "Raw Finding" JSON

{
  "_meta": {
    "allow": [
      "GET",
      "PUT"
    ],
    "href": "https://blackduck.integ.tfint.link/api/projects/3e9f3598-a1f0-40e7-8daf-5812d402bb7f/versions/fefaf6b6-e65a-4a28-925c-3e462c37378e/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/vulnerabilities/BDSA-2014-0129/remediation",
    "links": [
      {
        "href": "https://blackduck.integ.tfint.link/api/projects/3e9f3598-a1f0-40e7-8daf-5812d402bb7f/versions/fefaf6b6-e65a-4a28-925c-3e462c37378e/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/origins/0f27b4a4-a905-4d9c-9dba-19343cc3aed4/matched-files",
        "rel": "matched-files"
      },
      {
        "href": "https://blackduck.integ.tfint.link/api/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/origin/0f27b4a4-a905-4d9c-9dba-19343cc3aed4/vulnerabilities",
        "rel": "vulnerabilities"
      }
    ]
  },
  "componentName": "Apache Commons BeanUtils",
  "componentVersion": "https://blackduck.integ.tfint.link/api/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840",
  "componentVersionName": "1.9.2",
  "componentVersionOriginId": "commons-beanutils:commons-beanutils:1.9.2",
  "componentVersionOriginName": "maven",
  "license": {
    "licenseDisplay": "Apache License 2.0",
    "licenses": [
      {
        "codeSharing": "PERMISSIVE",
        "license": "https://blackduck.integ.tfint.link/api/licenses/7cae335f-1193-421e-92f1-8802b4243e93",
        "licenseDisplay": "Apache License 2.0",
        "licenses": [],
        "name": "Apache License 2.0",
        "ownership": "OPEN_SOURCE"
      }
    ],
    "type": "DISJUNCTIVE"
  },
  "packageUrl": "pkg:maven/commons-beanutils/commons-beanutils@1.9.2",
  "vulnerabilityWithRemediation": {
    "baseScore": 9.8,
    "bdsaTags": [
      "RCE"
    ],
    "cweId": "CWE-184",
    "description": "Apache Commons BeanUtils introduced a fix for BDSA-2014-0001 (CVE-2014-0114), however did not enable the protections by default. A remote attacker could leverage this to cause code execution in applications that did not use the new security feature.",
    "exploitabilitySubscore": 3.9,
    "impactSubscore": 5.9,
    "overallScore": 9.1,
    "relatedVulnerability": "https://blackduck.integ.tfint.link/api/vulnerabilities/CVE-2019-10086",
    "remediationCreatedAt": "2023-02-08T14:41:45.578Z",
    "remediationCreatedBy": "sysadmin",
    "remediationStatus": "NEW",
    "remediationUpdatedAt": "2023-02-08T14:41:45.578Z",
    "remediationUpdatedBy": "sysadmin",
    "severity": "CRITICAL",
    "source": "BDSA",
    "vulnerabilityName": "BDSA-2014-0129",
    "vulnerabilityPublishedDate": "2019-08-21T14:57:06.992Z",
    "vulnerabilityUpdatedDate": "2022-06-13T15:27:31.088Z"
  }
}
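As an added example (not ThreadFix's or Black Duck's own code), the Python below re-implements the mapping described in the Parsing Vulnerabilities and NativeId sections against a trimmed copy of the raw finding above: it picks the rel "vulnerabilities" link, extracts the three IDs, computes the MD5 NativeId, and derives the severity code, vulnerability code and status action. UTF-8 encoding of the hashed string and the case/space normalisation of status names are assumptions.

```python
import hashlib
import json
import re
# Trimmed copy of the page's "Raw Finding" JSON: only the fields this mapping reads are kept.
RAW_FINDING = json.loads("""{
  "_meta": {"links": [
    {"href": "https://blackduck.integ.tfint.link/api/projects/3e9f3598-a1f0-40e7-8daf-5812d402bb7f/versions/fefaf6b6-e65a-4a28-925c-3e462c37378e/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/origins/0f27b4a4-a905-4d9c-9dba-19343cc3aed4/matched-files", "rel": "matched-files"},
    {"href": "https://blackduck.integ.tfint.link/api/components/b75f622a-30da-46e4-a9c9-56f4ab75e22e/versions/253fc311-c695-4ec7-9a4b-79d8aedaa840/origin/0f27b4a4-a905-4d9c-9dba-19343cc3aed4/vulnerabilities", "rel": "vulnerabilities"}
  ]},
  "vulnerabilityWithRemediation": {"baseScore": 9.8, "cweId": "CWE-184",
    "remediationStatus": "NEW", "vulnerabilityName": "BDSA-2014-0129"}
}""")
DOCUMENTED_NATIVE_ID = "6da0ab747fd14da3eb5644ceb726ac08"  # the NativeId the page lists for this finding

# IDs come from the rel "vulnerabilities" link ("origin", singular), not the "matched-files" link ("origins").
ID_PATTERN = re.compile(r"/components/([^/]+)/versions/([^/]+)/origin/([^/]+)/vulnerabilities$")

def native_id_input(finding):
    """ComponentId + ComponentVersionId + OriginId + vulnerabilityName, concatenated without separators."""
    href = next((link["href"] for link in finding["_meta"]["links"] if link["rel"] == "vulnerabilities"), "")
    match = ID_PATTERN.search(href)
    if match is None:
        raise ValueError("no usable rel=vulnerabilities link in _meta.links: " + repr(href))
    return "".join(match.groups()) + finding["vulnerabilityWithRemediation"]["vulnerabilityName"]

def native_id(finding):
    """Lowercase hex MD5 of that string (UTF-8 is an assumption); MD5 is an identifier here, not a security control."""
    return hashlib.md5(native_id_input(finding).encode("utf-8")).hexdigest()

# Status handling from the page; upper-casing and replacing spaces is an assumption so that the display
# form "Remediation Complete" and an API-style "REMEDIATION_COMPLETE" are both recognised.
CLOSED = {"PATCHED", "REMEDIATION_COMPLETE", "MITIGATED"}
FALSE_POSITIVE = {"DUPLICATE", "IGNORED"}

def status_action(remediation_status):
    status = remediation_status.strip().upper().replace(" ", "_")
    if status in CLOSED:
        return "close"            # not ingested; closed if it was ingested in a previous scan
    if status in FALSE_POSITIVE:
        return "false positive"
    return "open"

def finding_fields(finding):
    """Finding columns as the page maps them: severity = Base Score rounded down (non-negative, so int() is floor);
    vulnerability code = CWE Id when present, otherwise the fallback category "Configuration"."""
    vwr = finding["vulnerabilityWithRemediation"]
    return {"nativeId": native_id(finding), "severityCode": int(vwr["baseScore"]),
            "vulnerabilityCode": vwr.get("cweId") or "Configuration", "action": status_action(vwr["remediationStatus"])}

if __name__ == "__main__":
    fields = finding_fields(RAW_FINDING)
    print(fields, "matches page" if fields["nativeId"] == DOCUMENTED_NATIVE_ID else "differs from page")
```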
