For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers.
For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API
Coverity User Account
Ensure that the service account used for ThreadFix to connect to Coverity has admin role/privilege.
List of SOAP API requests that ThreadFix uses for the Coverity Remote Provider integration
- Scans: defectservice#getMergedDefectsForProjectScope
- Findings: defectservice#getStreamDefects
- Projects: configurationservice#getProjects
Parsing Vulnerabilities
Fields parsed and mapped from Coverity to ThreadFix:
- defectStateAttributeValues.DefectStatus -> used to determine vuln open / closed
- defectStateAttributeValues.Classification -> used to determine false positive
- defectStateAttributeValues.Comment -> comment
- defectStateAttributeValues.Severity -> severity
- defectInstances.longDescription -> long description
- defectInstances.cwe -> cwe
- defectInstances.checkerName -> vuln code
- defectInstances.events.lineNumber -> dataflow line number
- defectInstances.events.eventNumber -> dataflow sequence index
- defectIntances.events.fileId -> dataflow file name
Vulnerability Statuses
ThreadFix will mark findings False Positive if they have False Positive status in Coverity.
ThreadFix will not ingest findings with fixed status, closing them if they were ingested in a previous scan.
Default Severity Mappings
- Unspecified -> Info
- Major -> High
- Moderate -> Medium
- Minor -> Low