- Created by Daniel Colon, last modified on Sept 05, 2024
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 65 Current »
ThreadFix Version Release Notes
For REST API updates, refer to the /wiki/spaces/T3D/pages/3304816641
3.8
September 2024
Upgrade Migration Notifications
Kong has been updated from version 2.8 to 3.6. To upgrade to ThreadFix 3.8 please note there are required Kong changes to be made. Please view the 3.7.0 to 3.8.0 Upgrade Required Kong Changes guide.
Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes
For REST API updates, refer to the Change Log
Please note:
As of ThreadFix 3.8, OpenShift is no longer supported
ThreadFix Kubernetes version supports 1.27
The ThreadFix CLI tool will be deprecated in a future release
The defect description text format for Azure DevOps Defect tracker in the Classic_Description.vm file has been updated
Key Updates
The character limits for email, username, and First/Last have been increased to 25 characters
The list of currently accepted file types for uploading to findings has been updated to include the following:
.csv
.fpr
.json
.nessus
.ozasmt
.xml
csv
doc
docx
JPEG
JPG
PDF
PNG
xls
xlsx
Improvements to error messaging
Minor UI improvements
Addressed Reported Issues
Addressed issue where a manually closed vulnerability may display as having been reopened by a scan upload
Addressed issue with importing .fpr file types
Addressed issue where Time to Remediate policies for new teams/applications may not display correctly in the UI
Addressed an issue where Snyk may not allow a new scan to be imported if there is prior data present
To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.
Legacy 3.X Release Notes
3.7
April 2024
Upgrade Migration Notifications
Users must be on version 3.6 to upgrade to 3.7. Users interested in migrating to 3.7 from 2.X must upgrade to 2.8.9.1 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.
Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes.
For REST API updates, refer to the Change Log.
Helm
Addressed Reported Issues
Resolved issue of not being able to set a Parent field during a Jira ticket creation
Resolved an issue where users may receive an error when attempting to retrieve a team’s history of events via API if an application does not exist with a matching ID
Addressed an issue where Admin level users are able to delete themselves
Resolved an issue where Automated Defect Creation through Azure may not create defects
To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.
3.6
March 2024
Upgrade Migration Notifications
Users must be on version 3.5 to upgrade to 3.6. Users interested in migrating to 3.6 from 2.X must upgrade to 2.8.9.1 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.
Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes.
For REST API updates, refer to the Change Log.
Helm
Key Updates
Snyk has been added as a new Remote Provider
Note: When creating a new Remote Provider connection, a new drop-down to import SBOM data from Snyk is greyed out by default. The ability to import SBOMs from Snyk will be added in a future release.
Improved logging visibility to the Vulnerability Details page in the UI and in the API response for Vulnerability Details
Security updates
Addressed Reported Issues
SAML user with global admin role cannot access Queue Management
User may not be able to select the Components and/or Affect versions when attempting to create a Defect tracker for Jira
After uploading a file to the Application page, the UI does not reflect the new file
3.5
January 2024
Upgrade Migration Notifications
Users must be on version 3.4.2 to upgrade to 3.5. Users interested in migrating to 3.5 from 2.X must upgrade to 2.8.9.1 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.
Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes.
For REST API updates, refer to the Change Log.
Helm
Key Updates
Security updates
To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
When a user performs a Vulnerability Search API call using an invalid value, ThreadFix returns a “success=true” status with a blank message. | This issue has been addressed in 3.5, invalid values will return a “Vulnerability ID not found” message. |
API calls for deleted or invalid IDs return a success message. | This issue has been addressed in 3.5. |
On SQL Server, when exporting a Vulnerability Search CSV, the user receives an error. | This issue has been addressed in 3.5. |
A Vulnerability Search API export returns different data each time it is performed regardless of filter settings. | This issue has been addressed in 3.5. |
Some Veracode SCA findings may import with duplicate IDs of other findings rather than unique IDs. | This issue has been addressed in 3.5. |
3.4.2
November 2023
Upgrade Migration Notifications
Users must be on version 3.4 to upgrade to 3.4.2. Users interested in migrating to 3.4.2 from 2.X must upgrade to 2.8.9.1 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.
Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes.
For REST API updates, refer to the Change Log.
Helm
Key Updates
The ability to manually adjust a vulnerability’s /wiki/spaces/T3D/pages/2502658381 window has been reinstated
Performance improvement for the Defect Reporter to Application Defect Tracker Mapping process
ThreadFix MSSQL mappings update
Checkmarx One available for Remote Provider and proxy settings
Security improvements
To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
MS SQL Server vulnerabilities display the incorrect Severity level. | This issue has been addressed in 3.4.2. |
Customize Scanner Vulnerability Types Scanner Vulnerability Mapping may not update severities correctly. | This issue has been addressed in 3.4.2. |
The ‘Tag’ field does not display when creating a new ticket in Azure DevOps. | This issue has been addressed in 3.4.2. |
The Scan event messages in the History page displays the date with a UTC Time Zone rather than the user’s Local Time Zone. | This issue has been addressed in 3.4.2. |
Issue where after a user updates the Default LDAP Role settings in ThreadFix, the login page may not respect default settings. | This issue has been addressed in 3.4.2. |
Issue where a users name that has been updated in the User Management page may not reflect onto the user Login page. | This issue has been addressed in 3.4.2. |
Issue where the Vulnerability Search API exports may provide different results each time run. | This issue has been addressed in 3.4.2. |
Issue where a Remote Provider will not be created if the user attempts to use a previously entered a name for it that was submitted but not allowed to complete the creation process by exiting the modal before successful completion. | This issue has been addressed in 3.4.2. |
Performance improvement for the BlackDuck Remote Provider creation process, addressing an issue where it may timeout. | This issue has been addressed in 3.4.2. |
SAML login fails if a username includes invalid characters. | This issue has been addressed in 3.4.2. |
3.4
October 2023
Important Integration Support Notifications
Reminder: As of ThreadFix version 3.4, integration support is discontinued for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne
ThreadFix 3.4 supports MySQL 8 and is not backwards compatible to 5.7. Users will need to upgrade their database to MySQL 8 when upgrading to ThreadFix 3.4.
Jira has deprecated and removed certain endpoints as of version 9.0, in order to maintain proper functionality with ThreadFix, it is recommended to upgrade to 3.4
AppScan Enterprise identified and resolved an issue where some vulnerabilities reported finding details for multiple issue types as a single concatenated string via the AppScan API. In this instance ThreadFix would ingest this data as if it was legitimate which could cause some display and merging issues if the instance of AppScan Enterprise in use is a version subject to this misbehavior. HCL has informed our impacted clients that the issues have been resolved; clients should prioritize updating their AppScan Enterprise instance to the latest HCL patch prior to updating ThreadFix.
Upgrade Migration Notifications
Users must be on version 3.3/ 3.3.1/ 3.3.2/ 3.3.3 / 3.3.4 to upgrade to 3.4. Users interested in migrating to 3.4 from 2.X must upgrade to 2.8.9 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.
Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes
For REST API updates, refer to the Change Log
Helm
Key Updates
ThreadFix has been updated to support MySQL 8 database
CheckmarxOne has been added as a new Remote Provider
Qualys WAS results now display more information for users to review
CWE 16 behavior has been adjusted as many scanning tools provide CWE 16 as a catch all for vulnerabilities that are not specifically software in nature:
It’s been observed through repeated testing that a more appropriate path for ThreadFix is to treat all SAST, DAST, IAST, and Mobile findings as unmergeable if they are classified as CWE 16. As of 3.4 ThreadFix will no longer permit merging in those instances.
SCA/Dependency finding types will still merge as before as CWE is not a component of the merge logic for those findings
In preparation for ThreadFix SaaS - we have updated our Allowed and Blocked file types. Below are the current allowed file types that can be uploaded as scans:
.csv
.fpr
.json
.nessus
.ozasmt
.xml
Security updates
Several minor UI updates
To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
Findings show a CWE Number instead of a name. | This issue has been addressed in 3.4. |
The Last Import Attempt Status does not update for Netsparker Enterprise app after a successful import. | This issue has been addressed in 3.4. |
Issue where the user may not be able to view a defect from the Vulnerability Detail page, resulting in an error. | This issue has been addressed in 3.4. |
Issue where not all Pen Test teams would display in the Identity Management page. | This issue has been addressed in 3.4. |
Issue where if a Team is deleted in the Portfolio page and a newly created Team with the same name is created with an application, the previously deleted Team name may appear on the UI. | This issue has been addressed in 3.4. |
3.3.4
August 2023
Integration Support Notifications
As of ThreadFix version 3.4, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued.
ThreadFix currently supports MySQL up to version 5.7, the future release of ThreadFix 3.4 will support MySQL 8 and will not be backwards compatible to 5.7. Users will need to upgrade their database to MySQL 8 when upgrading to ThreadFix 3.4.
Jira has deprecated and removed certain endpoints as of version 9.0, in order to maintain proper functionality with ThreadFix, it is recommended to upgrade to 3.3.4.
Upgrade Migration Notifications
Users must be on version 3.3/3.3.1/ 3.3.2/3.3.3 to upgrade to 3.3.4. Users interested in migrating to 3.3.4 from 2.X must upgrade to 2.8.8.5 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.
Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes.
For REST API updates, refer to the Change Log.
Helm
Key Updates
Minor UI updates
To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
Qualys applications with over 100 open vulnerabilities do not automatically paginate scan results. | This issue has been addressed in 3.3.4. |
User receives a NullPointerException error when trying to update an application, via the Update Application API, containing at least one unmapped vulnerability. | This issue has been addressed in 3.3.4. |
ThreadFix’s integration with Black Duck ingests invalid Finding CVE data. | This issue has been addressed in 3.3.4. |
For Acunetix 360 and Netsparker Enterprise, if the application is renamed on the scanner, the existing RemoteProviderApplication row is discarded. This occurs despite the nativeId value persisting. | This issue has been addressed in 3.3.4. |
Error addressed when a user tries to edit a Jira defect tracker using a new longer API token. | This issue has been addressed in 3.3.4. |
When creating a JIRA defect Tracker, the following error message is received: | This issue has been addressed in 3.3.4. |
When a Fortify on Demand microservice is scanned, it registers more vulnerabilities than actually exist. | This issue has been addressed in 3.3.4. |
3.3.3
July 2023
Integration Support Notifications
As of ThreadFix versions 3.4, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued.
ThreadFix currently supports MySQL up to version 5.7, the future release of ThreadFix 3.4 will support MySQL 8 and will not be backwards compatible to 5.7. Users will need to upgrade their database to MySQL 8 when upgrading to ThreadFix 3.4.
Jira has deprecated and removed certain endpoints as of version 9.0, in order to maintain proper functionality with ThreadFix, it is recommended to upgrade to 3.3.3.
Upgrade Migration Notifications
Users must be on version 3.3/ 3.3.1/ 3.3.2 to upgrade to 3.3.3
Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes.
For REST API updates, refer to the Change Log.
Helm
Key Updates
Improvement to Vulnerability Detail page display of Findings Comments
Improvement for scanning of Fortify XML files, removing invalid characters that may impede the scanning process
Performance enhancements
UI Improvements
Security updates
To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
LDAP user group membership not validated/synced on login. | This issue has been addressed in 3.3.3 |
User receivers an “Invalid username/password combination” error when attempting to gather collections from a defect tracker in Azure DevOps. | This issue has been addressed in 3.3.3 |
Under certain user configurations, importing Contrast Remote Provider findings may fail and provide a “Failed during remote provider import” error. | This issue has been addressed in 3.3.3 |
3.3.2
May 2023
Integration Support Notifications
As of ThreadFix versions 3.4, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued
ThreadFix currently supports MySQL up to version 5.7, the future release of ThreadFix 3.4 will support MySQL 8 and will not be backwards compatible to 5.7. Users will need to upgrade their database to MySQL 8 when upgrading to ThreadFix 3.4.
Jira has deprecated and removed certain endpoints as of version 9.0, in order to maintain proper functionality with ThreadFix, it is recommended to upgrade to 3.3.2
Upgrade Migration Notifications
Users must be on version 3.3 or 3.3.1 to upgrade to 3.3.2. Users interested in migrating to 3.3.2 from 2.X must upgrade to 2.8.8.3 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.
Users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Kafka changes
For REST API updates, refer to the Change Log
Helm
Key Updates
Issue addressed where users may not be able to upgrade to 3.X if specific data exists in the ChannelVulnerability table for Burp
UI performance enhancements
Microservice Project support added for Fortify on Demand
Security updates
Addressed Reported Issues
Issue | Resolution |
---|---|
When submitting a new defect through the Azure DevOps / TFS defect tracker, the Area and Iteration drop-downs do not display set default values and cannot be edited. | This issue has been addressed in 3.3.2. |
Unmapped Qualys WAS Findings are automatically upgraded/downgraded to a Severity level of 3 (Medium) and without a channel vulnerability name. | This issue has been addressed in 3.3.2. |
ThreadFix allowing multiple scans without an Updated Date if there is a prior scan present containing an UpdatedDate. | This issue has been addressed in 3.3.2. |
.threadfix file exports from the Assessment tab with incorrect Finding descriptions. | This issue has been addressed in 3.3.2. |
Date displayed in the Status section of Vulnerability Details do not reflect a user’s local time zone. | This issue has been addressed in 3.3.2. |
User receives a "Jira Credentials are invalid" error when authenticating with Atlassian’s newly implemented longer API tokens. | This issue has been addressed in 3.3.2. |
SAML settings prevents System Settings page from updating/saving. | This issue has been addressed in 3.3.2. |
Email notifications fail to send. | This issue has been addressed in 3.3.2. |
3.3.1
February 2023
Note to users, ThreadFix currently supports MySQL up to version 5.7, the future release of ThreadFix 3.4 will support MySQL 8 and will not be backwards compatible to 5.7. Users will need to upgrade their database to MySQL 8 when upgrading to ThreadFix 3.4.
Users must be on version 3.2 or 3.3 to upgrade to 3.3.1. Users interested in migrating to 3.3.1 from 2.X must upgrade to 2.8.8 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.
Note users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Posgresql changes
Helm
Key Updates
Improvement of ThreadFix’s ability to identify and parse Fortify SCC external lists and filters to more accurately mark findings
Improved ThreadFix upgrade migration automation to have better error handling and recovery
To view a complete list of changes and updates, including prior releases, please view the 3.X Version Feature Changes list.
3.3
January 2023
Users must be on version 3.2 to upgrade to 3.3. Users interested in migrating to 3.3 from 2.X must upgrade to 2.8.8 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.
Note users installing or upgrading from prior versions of 3.X with Helm should be aware of the required Helm value and Posgresql changes.
Helm
Key Updates / Version Feature Changes
New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:
Ingestion Enhancements
ThreadFix File format now supports CVSS score values for both ingestion and export
Fortify SSC/FoD/SCA imports have improved filter parsing to support more custom filters from Microfocus
Fortify on Demand now supports dependency findings
Acunetix enhanced false positive support
Contrast findings support greater specificity in filtering on finding types based on finding data
Added Scan Agent configuration support for AppScan Standard and WebInspect allowing custom configuration for these scan agents
SonarQube integration has been updated to support changes in their API
Hotspot findings in version 8.9 and 9 are now supported
All previous versions of SonarQube are no longer supported
System Enhancements
Created UI driven customization for report caching times
Added OWASP Top 10 2021 report
API support added for custom severity name
Created a bulk-export for all unmapped vulnerability types to CSV file
Reintroduced Scan File Retention customization to the ThreadFix 3 architecture
Reintroduced LDAP linked SAML Authorization to the ThreadFix 3 architecture
The following Global FPR Filter Set API REST calls have been reintroduced:
Upload Global FPR Filter Set Override 3.X - API
Clear Global FPR Filter Set Override 3.X - API
Additional bug fixes and security enhancements
Removed Features
Acunetix & AppSpider scan agents have been disabled, with plans for re-introduction
Addressed Reported Issues
Issue | Resolution |
---|---|
When installing ThreadFix with Helm, issues occur following changes made to the Helm charts. | It is recommended to not make any edits or changes to the Helm charts in order to avoid undesired performance. Any necessary changes should be done through the value files. |
Following changes in the K8 APIs, installing or upgrading ThreadFix on Kubernetes versions 1.25 or newer will fail. | Resolved in ThreadFix 3.3. |
Importing LDAP users fails if any user have Title fields containing over 60 characters. | The limit has been increased to 128. |
In some instances, ThreadFix license expiration reminders can repeatedly post to the logs and create performance issues. | The frequency of reminders has been adjusted to once per user login. |
A manually closed vulnerability may be marked as “re-opened” if a scan containing the open vulnerability is uploaded from a date prior to when it was manually closed. | ThreadFix will not mark a manually closed vulnerability as having been re-opened from an uploaded scan preceding the vulnerability having been manually closed. |
3.2
October 2022 - Known Issue Warning: Following changes in the K8 APIs, installing or upgrading ThreadFix on Kubernetes versions 1.25 or newer will fail. This issue will be addressed in the next ThreadFix release.
September 2022
Users interested in migrating to 3.2 from 2.X must upgrade to 2.8.7 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process. Users upgrading from 3.1.2 please view the expandable note below before upgrading.
In ThreadFix 3.2, Minio requires the Minio secret data to contain the keys “rootUser” and “rootPassword” instead of “secretKey” and “accessKey”. When attempting an upgrade, some users may encounter the following error:
Error: UPGRADE FAILED: template: threadfix/charts/minio/templates/secrets.yaml:14:15: executing "threadfix/charts/minio/templates/secrets.yaml" at <include "minio.root.username" .>: error calling include: template: threadfix/charts/minio/templates/_helpers.tpl:208:8: executing "minio.root.username" at <include "minio.getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "minio.fullname" .) "Length" 20 "Key" "rootUser")>: error calling include: template: threadfix/charts/minio/templates/_helpers.tpl:198:28: executing "minio.getValueFromSecret" at <b64dec>: invalid value; expected string
This error can be resolved by manually editing the Minio secret to change the data values to what is expected.
kubectl edit secret tf-minio
Change the following:
apiVersion: v1 data: secretkey: <secret-key-value> accesskey: <access-key-value>
To:
apiVersion: v1 data: secretkey: <secret-key-value> accesskey: <access-key-value> rootUser: <access-key-value> rootPassword: <secret-key-value>
Once complete, perform the upgrade procedure once again.
Helm
Key Updates / Version Feature Changes
New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:
Azure Dev Ops
Significant improvements to our integration with Azure Dev Ops including
Support for unique datatypes natively in ThreadFix UI
Performance improvements
UI indication of all required fields
Autocomplete and picklist support of applicable fields
2.X Feature Parity (3.X only)
Implemented the Sonatype remote provider utilizing the new 3.1 ingestion pipeline
Added Remote Provider application names to the Finding Detail page
Integration Enhancements
The following remote providers now ingest and store CVSS values: Acunetix 360, Black Duck, Netsparker, NowSecure, and WhiteHat Sentinel Source
Checkmarx can now ingest additional scanner detail and scanner recommendations for findings
Contrast date management enhancements to provide greater accuracy on finding discovery dates
Improved SonarQube severity mappings
The maximum number of Defect Profiles that can be associated with a single defect tracker has been increased to 1024
Improvement to Fortify SCC findings filtering
To view a complete list including prior releases, please view the 3.X Version Feature Changes list.
Addressed Reported Issues and Security Updates
Upgraded dependencies and images including Debian, Kafka, and ActiveMQ
Fixed intermittent import errors with Acunetix 360/Netsparker
WhiteHat API updates to support new requirements from WhiteHat
Improvement to UI messaging indicating when all remote providers have been mapped
Improvement to UI messaging indicating when an invalid scanId was used
The ThreadFix UI Help button has been adjusted to now direct to the Coalfire Support Portal
Issue | Resolution |
---|---|
Importing scan data from AsoC fails, displaying the following error message: “RestIOException: Invalid response from ASoC while fetching last scan date.” | Resolved ASoC integration errors on import |
A user without read-access could view all policy data for an application | The Policies tab in ThreadFix has been updated to address the information disclosure |
A vulnerability’s open and close dates will no longer shift with new scan uploads unless a reopen or close event occurs | Resolved scan delete error if it includes findings that belong to vulnerabilities that have been closed and reopened multiple times |
When trying to update Jira Defect Tracker integration credentials, a 403 error is received with the following message: “Failure. Message was : The defect tracker URL is not valid." | Resolved JIRA connection issue |
"You don't have permission for this team." error is received when attempting to move an application to another team using the Update Application API even with an Administrator Global role | The Update Application API has been updated to address the permissions error, allowing the application to be successfully moved |
User unable to save an LDAP-linked SAML configuration, receiving a “Display Name Config Not Found” error | This issue has been addressed in 3.2 |
Threadfix files incorrectly export with a filename of null instead of the associated application’s name | A fix has been provided to ensure the Threadfix files correctly export with associated application’s name |
Occasionally Qualys WAS Finding Scan Details and Scan Recommendation sections do not import | Version 3.2 corrects the reported issue with the scanner details and recommendations properly displaying |
Error importing Contrast cloud scans | Resolved imports failing for certain Ruby applications |
3.1.2
May 2022
To upgrade to 3.1.2 please see the Upgrade & Migration guides. Users interested in migrating from 2.8.6 to 3.1.2 must follow the /wiki/spaces/T3D/pages/2768404584 process. Note: Migration from 2.8.5.1 to 3.1.2 is currently not supported.
Helm
Key Update
Security update addressing user access to root information per an XML External Entity vulnerability identified during internal penetration testing. ThreadFix recommends updating to 3.1.2 to mitigate exposure.
Version Feature Changes
New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:
No new feature changes in 3.1.2
To view a complete list including prior releases, please view the 3.X Version Feature Changes list.
3.1.1
April 2022
The National Vulnerability Database has identified a high risk exploit, Spring4Shell, which affects applications running Tomcat as a WAR deployment. For more information refer to CVE-2022-22965. In response Coalfire has tested ThreadFix to assess risk and mitigation options and recommends users update to ThreadFix version 3.1.1 to mitigate risk of exposure and provide security enhancements.
Migration from 2.8.5.1 to 3.1.1 is currently not supported. Users interested in migrating to 3.1.1 must upgrade to 2.8.6 first then continue with the /wiki/spaces/T3D/pages/2768404584 process.
Key Updates
The Black Duck Remote Provider Integration has been enhanced allowing multiple users to select the option to import applications by Application or Application Version
Contrast Remote Provider enhancements
Enhancement when importing vulnerabilities to include Contrast Finding comments
Addition of support for OSS Dependency Findings imports to Contrast scans
Additional Contrast Statuses have been provided for mapping by ThreadFix
Addition of Scan Orchestration option to Acunetix 360 Remote Provider
Fortify SCC enhancements
Now allows importing Sonatype SCA vulnerability data
Support added for flexible tag definitions
The AppScan on Cloud integration has been updated to allow importing applications that have scans but do not have vulnerabilities
Added support for GitHub Dependabot (Beta) Remote Provider
New/Updated API
New versionName and versionNativeId API calls for Black Duck Remote Provider, allowing users to import scans from multiple versions of a project at once
New Fetch Applications and Get Scans API calls for Contrast Remote Provider
The Get Application by Name and Get Application in a Team by Unique ID calls have been merged into Get Application by Name or Unique ID
The Create Application and Update Application REST calls have been updated to include additional fields
General Improvements
Remote providers can now also be instantly managed via drop-down menu from the Remote Provider list page
CVSS scores now available as part of Finding Details
General UI improvements
General bug fixes and improvements
Feature Changes
Note the following changes to features with the introduction of ThreadFix 3.1.1:
Reintroduced
The Check Remote Provider Application Import Status endpoint has been reintroduced
Coverity Remote Provider has been reintroduced
Deprecated and Removed
For other REST API updates, refer to the Change Log
The Black Duck call "/remediating" has been deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade"
The SSVL Converter Tool deprecated in 3.1 has been removed (since SSVL scan uploads are no longer supported)
3.1
October 2021
Migration from 2.8.5.1 to 3.1 is currently not supported. Users interested in migrating to 3.1 should upgrade to 2.8.4 first then continue with the 2.X to 3.X Migration process.
Key Updates
Fundamental and holistic rebuild of the ThreadFix architecture and deployment environment (please see the new environment requirements). To install a helm chart offline see the manual helm download.
Full rewrite of our scan ingestion and processing logic to provide over 60x reduction in raw scan data processing speed
Introduction of Remote Provider UI display cards and associated API
Remote provider import and scan ingestion statuses display on the Scan Queue page
Updates to the Scan Import Queue’s UI tooltips
Update to add a new Queue Management permissions level
New/Updated API
New GET ThreadFix application assets by import request ID API
New GET Remote Provider Import Requests API
New Pending Scan Status API
New Scan Queue Management report view API
Update to Remote Provider Import Request API
General Improvements
Improvements to user login session management
Leveraged new architecture to implement self-recovery for scan ingestion
Improvements to Manual Vulnerability Actions
Security improvements
Bug fixes
Feature Changes
Note the following changes to features with the introduction of ThreadFix 3.1:
Deprecated and Removed
Support has been ended for the SSVL Converter and SSVL scan uploads
Bi-directional capability for Checkmarx and AppSpider has been removed
Service Delivery/Service Request feature set is no longer supported
Removed the Import All Vulnerabilities remote provider option
Saved scan files on the file system will not be migrated to 3.1 (NOTE: this only impacts the raw scan files. All vulnerability data is fully retained and migrated)
SonarQube Plugin removed from the Tools section. Remote Provider integration still behaves as before.
Support for the following integrations has been removed:
SkipFish
Swamp Scarf
Limitations, Scheduled for Enhancement Post 3.1
Limit of 3000 vulnerabilities when exporting Vulnerability Search data to a .csv file.
Remediation filters do not update automatically in 3.1, they will update with a defect status call sync. This feature is planned to be reintroduced. (NOTE: this may impact created policies based on these filters)
Absent, Scheduled for Re-introduction Post 3.1
The Disable Vulnerability Merging option when creating a new application has been removed, this feature is planned to be reintroduced
Scan File Retention feature has been removed, this feature is planned to be reintroduced
The Vulnerability Close Settings option, allowing users to close vulnerabilities only when all scanners report them closed, has been removed, but is planned to be reintroduced
The Scan Agent tool API endpoints have not been migrated, this feature is planned to be reintroduced
The ability to cancel queued scans has been removed, this feature is planned to be reintroduced in the future
Time to Remediate Date policy override has been disabled, this feature will be reinstated
Dashboard and Analytics page report caching time configuration has been disabled with plans to be re-enabled
The Global FPR Filter Set API REST calls have been removed, with plans to be reintroduced
Support for the following integrations has been removed, with plans for reintroduction:
Acunetix File Importer
Brakeman
Coverity
Dependency Check
Sonatype
3.0.8
March 2021
Do Not Upgrade Without Reading This First!
The following only applies to users upgrading from an older version of v3 to 3.0.8. When upgrading from v2 to v3, you must first be on latest, 2.8.3. Upgrade instructions can be found here.
Adjusted vulnerability Open/Close Time to be Scan Date instead of Updated Date. To preserve historic reporting, no existing data will be retroactively changed. If you would like to have your historic data migrated to match the new date ingestion logic, please open a support ticket to request a migration script.
Logic changes have been made to enforce vulnerability status uniqueness. Any vulnerabilities with multiple statuses will have their statuses updated in the migration to 2.8.2 from an earlier version of 2.X or updating from version 3.0.6. For additional information please review the Vulnerability Status Migration Logic.
Security Updates
Remediated identified access control vulnerabilities
Key Updates
Issue fix for Qualys scan imports
Docker Logging improvement
Fix for Netsparker upload issue
Bug fix for SonarQube
Improved import ingestion and configuration options for InsightVM
Support added for JAVA_OPTIONS modifications
Issue resolution for QualysWAS findings scan profiles and findings merging error
Comprehensive Time zone management updates in ThreadFix
Fortify on Demand no longer imports Fixed or Suppressed findings
Introduced support for Acunetix 360 Remote Provider and Acunetix Premium exports
Improvement to the Jenkins plugin
Added CVSS Score and Vulnerability IDs as dynamic Defect Tracker profile values
Checkmarx Remote Provider microservice mapping performance improvement
Vulnerability statuses are now mutually exclusive
WhiteHat mobile data support
Checkmarx enhanced finding tracking
Portfolio page now reflects ThreadFix Pen Tests as Assessments
WebInspect findings details expanded
Portfolio Application View pagination
Most Vulnerable Applications report grouping
Significant performance improvements to the Team delete function
Time to Remediate Policies now allow for per-vulnerability exceptions
Veracode Remote Provider import includes SCA data
NowSecure Remote Provider integration
General Improvements
Improvements to UI-Page navigation
Adjustment for improving scan data imports
Improvement to Veracode Remote Provider scan updates
API performance improvements
Vulnerability Trending report improvements
Portfolio UI improvements for large-scale deployments
UI performance enhancements
Bug fix for graphs displayed on PDF exports
Filter on mobile vulnerability data
Improved error messaging
WhiteHat integration respects the Out of Scope status
LDAP login supports additional user attributes
Netsparker Enterprise enhancements
Time to Remediate notification improvements
File attachment usability improvements
Updated 3rd party dependencies and other security improvements
Other enhancements and bug fixes
General performance improvements
Installation and Upgrade Guides:
3.0.7
October 2020
General Improvements
Expanded SAML support to cover additional use cases. As of 3.0.7 SAML is fully configurable in the UI from the Settings page.
Resolved issues in Checkmarx and SonarQube integrations
Performance improvements
Other enhancements and bug fixes
3.0.7 also contains the following AppSec updates.
Key Updates
Vulnerability statuses are now mutually exclusive
WhiteHat mobile data support
Checkmarx enhanced finding tracking
Portfolio page now reflects ThreadFix Pen Tests as Assessments
WebInspect findings details expanded
Portfolio Application View pagination
Most Vulnerable Applications report grouping
Significant performance improvements to the Team delete function
Time to Remediate Policies now allow for per-vulnerability exceptions
Veracode Remote Provider import includes SCA data
NowSecure Remote Provider integration
General Improvements
Filter on mobile vulnerability data
Improved error messaging
WhiteHat integration respects the Out of Scope status
LDAP login supports additional user attributes
Netsparker Enterprise enhancements
Time to Remediate notification improvements
File attachment usability improvements
Updated 3rd party dependencies and other security improvements
Added OAuth support for Jira Defect Tracker integration
Improved parsing of scan data from AppScan Enterprise and Fortify SSC
Table of Contents
- No labels