As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus ThreadFix SaaS and migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

ThreadFix Version Release Notes

For REST API updates, refer to the Change Log

3.1.0

October 2021

Security Enhancements

  • SQL and Pent Test security enhancements [This will be removed?]

  • Snyk integration security enhancements [This will be removed?]

  • The two bullets above tie to:

    • Task      TFN-2485            Validate PenTest security fix successfully gets merged in from 2.8/3.0.x

    • Task      TFN-2593            SQL Injection (High, 4)

    • Task      TFN-2594            Information Exposure (High 1, Medium 32, Low 5)

    • Task      TFN-2729            Research and validate Data Access libraries usage of Restriction methods protect against SQL Injection

    • Story     TFN-2589            TF Snyk/assessment vulnerabilities

    • Task      TFN-2590            XML External Entity (XXE) Injection (High 2, Medium 6)

    • Task      TFN-2592            Deserialization of Untrusted Data (High 10, Medium 1)

    • Task      TFN-2595            Denial of Service (DoS) [High 2, Medium 5)

Key Updates

  • Qualys WAS integration performance enhancement

    • Improvement    DGTF-8386         [Infrastructure] Improve memory management of Qualys integration

    • Task      TFN-1541            UI - Update React to latest stable version

  • Introduction of Remote Provider UI display cards and associated API

  • Remote provider import and scan ingestion statuses display on the Scan Queue page

  • Updates to the Scan Import Queue’s UI tooltips

  • Update to add a new Queue Management permissions level

New/Updated API

  • New GET ThreadFix application assets by import request ID API

  • New GET Remote Provider Import Requests API

  • New Pending Scan Status API

  • New Scan Queue Management report view API

  • Update to Remote Provider Import Request API

General Improvements

  • Improvements to user login session management

    • Task      DGTF-8433         Update Local/LDAP/SAML login flows to save session information to an external datastore

    • Task      DGTF-8434         Create custom kong plugin to handle additional session active

    • Task      DGTF-8435         Remove session check mechanism from all upstream services

    • Task      DGTF-8436         Update Local/LDAP/SAML logout flows to remove session from the external datastore

    • Task      DGTF-8442         Add a redis configuration to the docker and k8s deployments

    • Task      DGTF-8444         Remove the ability for a single user to have concurrent sessions

  • Leveraged new architecture to implement self-recovery for scan ingestion

  • New Scan Ingestion Allow List flag permission toggle for network settings [Tentative] New network vulnerability permissions

    • Task      TFN-1644            Create new Permission for toggling the Scan Ingestion whitelist flag on network settings

  • Improvements to Manual Vulnerability Actions

    • Task      TFN-2035            Update Manual Vulnerability Actions APIs/Controllers

    • Story     TFN-2088            Update Manual Vulnerability Actions

    • Task      TFN-2089            Reflect Queued Manual Vulnerability Actions in UI/API

    • Task      TFN-2266            Manual Vulnerability Update Technical Design

Miscellaneous tickets not reflected in the key updates/general improvements above

  • Task      TFN-2369            API - Add backend websocket support for Remote Provider Import Requests tab

  • Improvement    DGTF-7849         Refactor of the Defect Tracker

  • Story     TFN-2083            Scan Ingestion Events/Notifications

  • Task      TFN-2155            Review defenses against allowing multiple Remote Provider configurations of the same channel mapping to a single TF App

  • Task      TFN-2178            Configure queue management  retention time from environment file for testing queue management page

  • Task      TFN-2455            Consume and store events for scan import activity/history to Event table to match 2.x

  • Task      TFN-2456            Consume and store Vulnerability history to Event table to match 2.x (Scan Uploads)

  • Story     TFN-2499            Queue Management v.2 Report Mode History & Behavior

  • Story     TFN-2589            TF Snyk/assessment vulnerabilities

  • Task      TFN-2615            Disable/remove 3.1 UI elements that don't work anymore

  • Task      TFN-2729            Research and validate Data Access libraries usage of Restriction methods protect against SQL Injection

  • Task      TFN-2752            Snyk: Arbitrary Code Execution affecting hibernate

  • Task      TFN-2785            Snyk: org.jsoup:jsoup - Denial of Service

All tickets selected from Carla/Quico meetings

  • Improvement    DGTF-7849         Refactor of the Defect Tracker

  • Improvement    DGTF-8386         [Infrastructure] Improve memory management of Qualys integration

  • Task      DGTF-8433         Update Local/LDAP/SAML login flows to save session information to an external datastore

  • Task      DGTF-8434         Create custom kong plugin to handle additional session active

  • Task      DGTF-8435         Remove session check mechanism from all upstream services

  • Task      DGTF-8436         Update Local/LDAP/SAML logout flows to remove session from the external datastore

  • Task      DGTF-8442         Add a redis configuration to the docker and k8s deployments

  • Task      DGTF-8444         Remove the ability for a single user to have concurrent sessions

  • Task      TFN-1541            UI - Update React to latest stable version

  • Task      TFN-1644            Create new Permission for toggling the Scan Ingestion whitelist flag on network settings

  • Task      TFN-2035            Update Manual Vulnerability Actions APIs/Controllers

  • Story     TFN-2083            Scan Ingestion Events/Notifications

  • Story     TFN-2088            Update Manual Vulnerability Actions

  • Task      TFN-2089            Reflect Queued Manual Vulnerability Actions in UI/API

  • Task      TFN-2155            Review defenses against allowing multiple Remote Provider configurations of the same channel mapping to a single TF App

  • Task      TFN-2178            Configure queue management  retention time from environment file for testing queue management page

  • Task      TFN-2266            Manual Vulnerability Update Technical Design

  • Story     TFN-2277            Queue Management Permissions

  • Task      TFN-2279            Scan Import Queue - Update UI statuses and explanatory tooltips

  • Task      TFN-2281            Remote Provider Import Activity UI Frame Buildout

  • Task      TFN-2284            UI - Apply Full-text tooltip for Scan Import Queue Page

  • Story     TFN-2291            Remote Provider Import Request Tab

  • Story     TFN-2292            UI - Full-text Tooltips

  • Task      TFN-2297            API - GET Remote Provider Import Requests

  • Task      TFN-2306            Pending Scan Status API Endpoint

  • Task      TFN-2307            Scan File Upload Response - Pending Scan Tracking Receipts

  • Task      TFN-2343            Refine available RP import and scan ingestion statuses

  • Task      TFN-2364            API - Get TF app assets by Import request id

  • Task      TFN-2367            Update RP Import Request API to return tracking receipt

  • Task      TFN-2369            API - Add backend websocket support for Remote Provider Import Requests tab

  • Task      TFN-2377            Scan Queue Management API - Add new endpoint to support Report View

  • Task      TFN-2435            Implement Health Check for AppSec Ingestion projects

  • Task      TFN-2451            API - Create an endpoint to support RP card details

  • Task      TFN-2455            Consume and store events for scan import activity/history to Event table to match 2.x

  • Task      TFN-2456            Consume and store Vulnerability history to Event table to match 2.x (Scan Uploads)

  • Task      TFN-2485            Validate PenTest security fix successfully gets merged in from 2.8/3.0.x

  • Story     TFN-2499            Queue Management v.2 Report Mode History & Behavior

  • Story     TFN-2589            TF Snyk/assessment vulnerabilities

  • Task      TFN-2590            XML External Entity (XXE) Injection (High 2, Medium 6)

  • Task      TFN-2592            Deserialization of Untrusted Data (High 10, Medium 1)

  • Task      TFN-2593            SQL Injection (High, 4)

  • Task      TFN-2594            Information Exposure (High 1, Medium 32, Low 5)

  • Task      TFN-2595            Denial of Service (DoS) [High 2, Medium 5)

  • Task      TFN-2615            Disable/remove 3.1 UI elements that don't work anymore

  • Task      TFN-2729            Research and validate Data Access libraries usage of Restriction methods protect against SQL Injection

  • Task      TFN-2752            Snyk: Arbitrary Code Execution affecting hibernate

  • Task      TFN-2785            Snyk: org.jsoup:jsoup - Denial of Service

Feature Changes

Note the following changes to features with the introduction of ThreadFix 3.1:

Deprecated and Removed

  • Support has been ended for the SSVL Converter

  • Bi-directional capability for Checkmarx and AppSpider have been removed

  • Service Delivery/Service Request is no longer supported

  • Removed the Import All Vulnerabilities remote provider options

  • Saved scan files on the file system will not be migrated to 3.1

  • SonarQube Plugin removed from the Tools section.  Remote Provider integration still behaves as before

  • Removed the ability for a single user to have concurrent sessions [need verification]

Limitations, Scheduled for Enhancement Post 3.1

  • Limit of 3000 vulnerabilities when exporting Vulnerability Search data to a .csv file.

  • Remediation filters do not update automatically in 3.1, they will update with a defect status call sync. This feature is planned to be reintroduced. Note: this may impact created policies based on these filters, [need QA verification]

Absent, Scheduled for Re-introduction Post 3.1 

  • The Disable Vulnerability Merging option when creating a new application has been removed, this feature is planned to be reintroduced

  • Scan File Retention feature has been removed, this feature is planned to be reintroduced

  • The Vulnerability Close Settings option, allowing users to close vulnerabilities only when all scanners report them closed, has been removed, but is planned to be reintroduced

  • The Scan Agent tool API endpoints have not been migrated, this feature is planned to be reintroduced

  • The ability to cancel queued scans has been removed, this feature is planned to be reintroduced in the future

  • Time to Remediate Date policy creation has been disabled, this feature will be reinstated

  • Dashboard and Analytics page report caching time configuration has been disabled with plans to be re-enabled

Table of Contents

  • No labels

[www.threadfix.it] | [www.coalfire.com]
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.