As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.


Required

  • Scans to be uploaded
  • ThreadFix Command Line Interface (CLI)

ThreadFix CLI Configuration

In order to upload scans to ThreadFix you must set your API Key and your URL.
Issue these commands, substituting your ThreadFix API Key and URL:

  • java -jar tfcli.jar --set key <apikey>
  • java -jar tfcli.jar --set url <url>

Uploading

This method allows the upload of a scan file to an application.

  • java -jar tfcli.jar -u, --upload <Application ID> <File Path>

    Example:

denimgroup$ java -jar tfcli.jar --upload 1 /Users/denimgroup/Desktop/threadpak/ThreadFix/test-scans/w3af-demo-site-2.xml
INFO [main] CommandLineParser.main(193) | Uploading /Users/denimgroup/Desktop/threadpak/ThreadFix/test-scans/w3af-demo-site-2.xml to Application 1.
INFO [main] CommandLineParser.printOutput(287) | Operation successful, printing JSON output.
{"importTime":{"year":2013,"month":8,"dayOfMonth":16,"hourOfDay":9,"minute":30,"second":39},"numberClosedVulnerabilities":0,"numberNewVulnerabilities":1,"numberOldVulnerabilities":0,"numberResurfacedVulnerabilities":0,"numberTotalVulnerabilities":1,"numberHiddenVulnerabilities":0,"numberRepeatResults":0,"numberRepeatFindings":0,"numberInfoVulnerabilities":0,"numberLowVulnerabilities":0,"numberMediumVulnerabilities":0,"numberHighVulnerabilities":1,"numberCriticalVulnerabilities":0,"numberOldVulnerabilitiesInitiallyFromThisChannel":0,"findings":[{"channelVulnerability":{"channelType":{"name":"w3af","url":"http://w3af.sourceforge.net/","version":"1.0-rc6","exportInfo":"The w3af importer needs a configured XML output plugin. The w3af standard scripts contain one called script-xml_output.w3af which generates a valid xml configuration for ThreadFix.","id":19},"name":"Unhandled error in web application","code":"Unhandled error in web application","id":4010},"nativeId":"b7332f6bfad9240f7bc712b3b3579a9f","channelSeverity":{"name":"Medium","code":"Medium","numericValue":3,"id":27},"surfaceLocation":{"path":"/demo/","port":0,"id":45},"numberMergedResults":2,"entryPointLineNumber":-1,"isStatic":false,"isFirstFindingForVuln":false,"isMarkedFalsePositive":false,"calculatedUrlPath":"/","createdDate":"Mar 11, 2014 4:10:51 PM","modifiedDate":"Mar 11, 2014 4:10:51 PM","active":true,"id":45},{"channelVulnerability":{"channelType":{"name":"w3af","url":"http://w3af.sourceforge.net/","version":"1.0-rc6","exportInfo":"The w3af importer needs a configured XML output plugin. 
The w3af standard scripts contain one called script-xml_output.w3af which generates a valid xml configuration for ThreadFix.","id":19},"name":"OS commanding vulnerability","code":"OS commanding vulnerability","id":3993},"nativeId":"7defd04bac3089120e2187d1c28fccb3","channelSeverity":{"name":"High","code":"High","numericValue":4,"id":29},"surfaceLocation":{"parameter":"fileName","path":"/demo/OSCommandInjection2.php","port":0,"id":46},"numberMergedResults":1,"entryPointLineNumber":-1,"isStatic":false,"isFirstFindingForVuln":false,"isMarkedFalsePositive":false,"calculatedUrlPath":"/OSCommandInjection2.php","createdDate":"Mar 11, 2014 4:10:51 PM","modifiedDate":"Mar 11, 2014 4:10:51 PM","active":true,"id":46}],"id":3}

Automation

There are a few different ways that automation can be achieved but the basic outline is as follows:

  1. Schedule scan.
  2. Scan complete.
  3. Upload scan to ThreadFix using CLI.

Setting up a cron job to run an automatic upload script is a good option: it follows the outline above and runs at the interval you choose. The example below uses the Checkmarx CX Console:

    #!/bin/bash
    # Stop if the scan fails so a stale or missing report is never uploaded.
    set -e

    # Scan: one CX Console invocation, continued across lines with backslashes
    ./runCxConsole.sh scan -CxServer <host> -projectName <projectName> \
    -CxUser <username> -CxPassword <password> -LocationType <LocationType> \
    -locationPath <locationpath>

    # Upload the finished report (-s and -u are the short forms of --set and --upload)
    java -jar tfcli.jar -s key <API_KEY>
    java -jar tfcli.jar -s url <THREADFIX_URL>
    java -jar tfcli.jar -u <APP_ID> <FILE>
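As an added example (not ThreadFix's or Checkmarx's code), the wrapper below fills in step 3 of the outline with the checks a scheduled job needs: it picks the newest report, refuses to upload a missing or empty file, and reads the counters from the JSON that tfcli prints (the same fields as in the upload example earlier on this page) so that cron's non-zero exit reports new findings. SCAN_DIR, APP_ID, TFCLI_JAR and the sample output are assumptions.

```bash
#!/bin/bash
# Cron wrapper for step 3 of the outline above (upload the finished scan with tfcli).
# Added example, not ThreadFix's own code. Assumes tfcli.jar was already given its
# key and url with --set, and that the scanner writes its XML report into $SCAN_DIR.
set -u
SCAN_DIR="${SCAN_DIR:-/var/scans}"      # assumed report directory
APP_ID="${APP_ID:-1}"                   # ThreadFix application ID to upload into
TFCLI_JAR="${TFCLI_JAR:-tfcli.jar}"
# Constructed sample of what tfcli prints after an upload (log line, then the JSON
# trimmed to the counters read below) so the parsing can be exercised offline.
SAMPLE_OUTPUT='INFO [main] CommandLineParser.printOutput(287) | Operation successful, printing JSON output.
{"importTime":{"year":2013,"month":8},"numberNewVulnerabilities":1,"numberTotalVulnerabilities":1,"numberHighVulnerabilities":1,"numberCriticalVulnerabilities":0,"id":3}'

# newest_scan DIR: most recently modified .xml report in DIR, empty if there is none.
# Assumes report names contain no whitespace, as scanner output normally does.
newest_scan() {
    ls -t "$1"/*.xml 2>/dev/null | head -n 1
}

# json_count OUTPUT KEY: extract a top-level integer field from tfcli's JSON line.
json_count() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# check_upload_result OUTPUT: 0 = upload recorded and nothing new, 1 = new findings
# (non-zero makes cron mail the summary line), 2 = output was not a tfcli result.
check_upload_result() {
    local total new high crit
    total=$(json_count "$1" numberTotalVulnerabilities)
    [ -n "$total" ] || { echo "tfcli returned no result: $1" >&2; return 2; }
    new=$(json_count "$1" numberNewVulnerabilities)
    high=$(json_count "$1" numberHighVulnerabilities)
    crit=$(json_count "$1" numberCriticalVulnerabilities)
    echo "upload ok: total=$total new=$new high=$high critical=$crit"
    [ "${new:-0}" -eq 0 ]
}

# run_upload: the step cron runs; a missing, empty or failed upload exits 2.
run_upload() {
    local file out
    file=$(newest_scan "$SCAN_DIR")
    [ -s "$file" ] || { echo "no usable .xml scan in $SCAN_DIR" >&2; return 2; }
    out=$(java -jar "$TFCLI_JAR" --upload "$APP_ID" "$file" 2>&1) \
        || { echo "tfcli failed: $out" >&2; return 2; }
    check_upload_result "$out"
}

# Cron entry: call this script with the single argument "run" after the scan step.
if [ "${1:-}" = run ]; then run_upload; fi
```

A crontab line such as `0 2 * * * /path/to/script run` then mails the summary only when the exit status is non-zero, which happens when the upload reports new findings or when no usable report was found.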


Another option is to use something similar to Jenkins to automate this process.
