Users can configure severities for CWE types, such as "all XSS vulnerabilities are now Critical." Users can also configure custom remediation text for a CWE that will be included in any defects submitted for that vulnerability.
Severity Mappings
Severity Mappings in ThreadFix give the administrator the ability to remap the severity assigned to standard CWE vulnerability types. First, click the Create New Mapping button to the left. This brings up a modal dialog for the mapping. Start typing, for example, "CSRF" into the Source Vulnerability Type field and you will see a dropdown with the CWE types that match your text, as seen below.
In the Target Severity Type field, you will see the severity levels available to apply to the chosen vulnerability type: High, Low, Medium, Critical, Info and Ignore.
Click Save Mapping and you will see your newly created mapping in the Vulnerability Types list.
Custom Severity Text
An administrator can add custom text to vulnerability types as well. These could be general notes, instructions to developers, or any useful information for that particular vulnerability. This custom text will be included in any defects submitted for that vulnerability.
To set custom text for a vulnerability, first click the Custom Text tab. This will display a modal dialog. As in the mappings section, begin typing the name of the vulnerability and you will be presented with matching CWE types. Select the vulnerability that requires custom text.
Next, type in the text you would like to add.
Click the Set Custom Text button. This saves the text and attaches it to your vulnerability.
Next to the new entry is an Edit/Delete button that allows for editing or removal of custom text entries.
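As an added illustration of both features above (this is a hypothetical model, not ThreadFix's own code), the following Python shows how a CWE severity mapping overrides the severity a scanner reported, how a mapping to Ignore keeps a finding out of defect submission, and how custom text for a CWE is appended to the defect body. The class and function names, the CWE numbers chosen and the sample findings are all constructed for the example.

```python
from dataclasses import dataclass, field

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info", "Ignore")  # Ignore: never filed

@dataclass
class Finding:
    cwe_id: int
    cwe_name: str
    severity: str  # severity as reported by the scanner
    location: str

@dataclass
class VulnTypeConfig:
    """Hypothetical model of the per-CWE settings an administrator configures."""
    severity_map: dict = field(default_factory=dict)  # cwe_id -> target severity
    custom_text: dict = field(default_factory=dict)   # cwe_id -> remediation text

    def add_mapping(self, cwe_id: int, target: str) -> None:
        if target not in SEVERITIES:
            raise ValueError(f"unknown target severity: {target}")
        self.severity_map[cwe_id] = target

def effective_severity(finding: Finding, config: VulnTypeConfig) -> str:
    """A mapping for the finding's CWE overrides the severity the scanner reported."""
    return config.severity_map.get(finding.cwe_id, finding.severity)

def build_defects(findings, config: VulnTypeConfig) -> list:
    """Turn findings into defect payloads, applying mappings and custom text."""
    defects = []
    for f in findings:
        sev = effective_severity(f, config)
        if sev == "Ignore":
            continue  # ignored types never reach the defect tracker
        body = f"{f.cwe_name} (CWE-{f.cwe_id}) at {f.location}"
        if f.cwe_id in config.custom_text:
            body += "\n\nRemediation: " + config.custom_text[f.cwe_id]
        defects.append({"severity": sev, "body": body})
    return defects

# Constructed sample configuration and findings (not real ThreadFix data).
SAMPLE_CONFIG = VulnTypeConfig()
SAMPLE_CONFIG.add_mapping(79, "Critical")  # "all XSS vulnerabilities are now Critical"
SAMPLE_CONFIG.add_mapping(200, "Ignore")   # information exposure: do not file
SAMPLE_CONFIG.custom_text[352] = "Use the framework's anti-CSRF token on state-changing forms."
SAMPLE_FINDINGS = [
    Finding(79, "Cross-Site Scripting", "Medium", "/search?q="),
    Finding(352, "Cross-Site Request Forgery", "Medium", "/account/email"),
    Finding(200, "Information Exposure", "Low", "/server-status"),
]
```

Calling `build_defects(SAMPLE_FINDINGS, SAMPLE_CONFIG)` yields two defects: the XSS finding raised to Critical, and the CSRF finding at its scanner severity with the remediation text attached; the Ignore-mapped finding produces none.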