As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.
Hybrid Analysis Mapping Configuration (ThreadFix 3.0)
You will learn
How to configure an application in ThreadFix to take advantage of ThreadFix's Hybrid Analysis Mapping (HAM) capabilities.
Prerequisites
Audience: IT Professional, or End User
Difficulty: Intermediate
Time needed: Approximately 5 minutes
Tools required: N/A
Introduction
This guide covers configuring an application in ThreadFix to take advantage of ThreadFix's Hybrid Analysis Mapping (HAM) capabilities, allowing for better static-dynamic vulnerability merging.
Supported Languages and Frameworks for ThreadFix Hybrid Analysis Mapping (HAM)
Hybrid Analysis Mapping currently works for:
Java/JSP
Java/Spring
Java/Struts
C#/ASP.NET WebForms
C#/ASP.NET MVC
Ruby/Ruby on Rails
Support for additional languages and frameworks is planned. Source code can be imported from git repositories, subversion repositories or from local or network folder locations.
Setup
HAM settings can be found by navigating to an application and from the Action drop-down button selecting Edit/Delete.
Setting up an application to take advantage of HAM involves directing ThreadFix toward the source code and (optionally) telling ThreadFix what language and framework the application uses:
The fields are as follows:
Application Type: What type (language and framework) the application uses. The "Detect" option is preferable, as ThreadFix will look at the project folder and attempt to detect the language and framework. If there are detection issues, the specific language and framework can be selected.
Source Code URL: The git or Subversion URL where the application's source code can be found.
Source Code Branch: The branch of the source code repository to use for analysis (optional).
Source Code Revision: A specific source code revision to use for analysis (optional).
Source Code User Name: The user name to use for source code repository access. If none is provided, anonymous access to the source code repository will be used.
Source Code Password: The password to use for source code repository access.
Source Code Folder: The folder (from the perspective of the ThreadFix server) where the application source code can be found if the application is not available via git or Subversion.
Providing ThreadFix with access to the application source code will allow the server to perform a lightweight static analysis of the source code and build an internal database of the application's attack surface and the source code elements responsible for each piece of attack surface. This attack surface database allows for the advanced interactions both inside of ThreadFix and with external tools mentioned above.
Copyright © 2024 Coalfire. All rights reserved.