Scan Upload Automation 3.X

You will learn

How to upload a scan file to an application and set up an automatic scan.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: Scans to be uploaded, ThreadFix Command Line Interface (CLI)

ThreadFix Command Line Interface

To download the ThreadFix Command Line Interface (CLI), which ships as a single tfcli.jar file, click the Help icon, select Download Tools from the drop-down list, then click the corresponding Jar File link.

Scan Upload Automation

ThreadFix CLI Configuration

Before scans can be uploaded to ThreadFix, the CLI must know the API key and the server URL. Issue the following commands through the ThreadFix Command Line Interface (CLI), substituting your ThreadFix API key and URL:

  • java -jar tfcli.jar --set key <apikey>

  • java -jar tfcli.jar --set url <url>

Uploading

The following command, entered through the ThreadFix CLI, uploads a scan file to an application:

  • java -jar tfcli.jar --upload <Application ID> <File Path>   (short form: -u)

Example:

denimgroup$ java -jar tfcli.jar --upload 1 /Users/denimgroup/Desktop/threadpak/ThreadFix/test-scans/w3af-demo-site-2.xml
INFO [main] CommandLineParser.main(193) | Uploading /Users/denimgroup/Desktop/threadpak/ThreadFix/test-scans/w3af-demo-site-2.xml to Application 1.
INFO [main] CommandLineParser.printOutput(287) | Operation successful, printing JSON output.
{"importTime":{"year":2013,"month":8,"dayOfMonth":16,"hourOfDay":9,"minute":30,"second":39},"numberClosedVulnerabilities":0,"numberNewVulnerabilities":1,"numberOldVulnerabilities":0,"numberResurfacedVulnerabilities":0,"numberTotalVulnerabilities":1,"numberHiddenVulnerabilities":0,"numberRepeatResults":0,"numberRepeatFindings":0,"numberInfoVulnerabilities":0,"numberLowVulnerabilities":0,"numberMediumVulnerabilities":0,"numberHighVulnerabilities":1,"numberCriticalVulnerabilities":0,"numberOldVulnerabilitiesInitiallyFromThisChannel":0,"findings":[{"channelVulnerability":{"channelType":{"name":"w3af","url":"http://w3af.sourceforge.net/","version":"1.0-rc6","exportInfo":"The w3af importer needs a configured XML output plugin. The w3af standard scripts contain one called script-xml_output.w3af which generates a valid xml configuration for ThreadFix.","id":19},"name":"Unhandled error in web application","code":"Unhandled error in web application","id":4010},"nativeId":"b7332f6bfad9240f7bc712b3b3579a9f","channelSeverity":{"name":"Medium","code":"Medium","numericValue":3,"id":27},"surfaceLocation":{"path":"/demo/","port":0,"id":45},"numberMergedResults":2,"entryPointLineNumber":-1,"isStatic":false,"isFirstFindingForVuln":false,"isMarkedFalsePositive":false,"calculatedUrlPath":"/","createdDate":"Mar 11, 2014 4:10:51 PM","modifiedDate":"Mar 11, 2014 4:10:51 PM","active":true,"id":45},{"channelVulnerability":{"channelType":{"name":"w3af","url":"http://w3af.sourceforge.net/","version":"1.0-rc6","exportInfo":"The w3af importer needs a configured XML output plugin. The w3af standard scripts contain one called script-xml_output.w3af which generates a valid xml configuration for ThreadFix.","id":19},"name":"OS commanding vulnerability","code":"OS commanding vulnerability","id":3993},"nativeId":"7defd04bac3089120e2187d1c28fccb3","channelSeverity":{"name":"High","code":"High","numericValue":4,"id":29},"surfaceLocation":{"parameter":"fileName","path":"/demo/OSCommandInjection2.php","port":0,"id":46},"numberMergedResults":1,"entryPointLineNumber":-1,"isStatic":false,"isFirstFindingForVuln":false,"isMarkedFalsePositive":false,"calculatedUrlPath":"/OSCommandInjection2.php","createdDate":"Mar 11, 2014 4:10:51 PM","modifiedDate":"Mar 11, 2014 4:10:51 PM","active":true,"id":46}],"id":3}

Automation

Automation can be achieved in several ways; the basic outline is:

  1. Schedule a scan.

  2. Scan completes.

  3. Upload the scan to ThreadFix using CLI.

One option is to set up a cron job that runs an automatic upload script. The script follows the outline above and runs at the desired interval. The example below uses the Checkmarx CX Console:

#!/bin/bash
# Scan: run the Checkmarx CxConsole scan; values in <> are site-specific placeholders
./runCxConsole.sh scan -CxServer <host> -projectName <projectName> -CxUser <username> -CxPassword <password> -LocationType <LocationType> -locationPath <locationpath>
# Upload: point the CLI at ThreadFix (-s is the short form of --set), then upload the scan result
# Note: <password> and <API_KEY> passed as arguments are visible in the process list and shell history
java -jar tfcli.jar -s key <API_KEY>
java -jar tfcli.jar -s url <THREADFIX_URL>
java -jar tfcli.jar -u <APP_ID> <FILE>
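A cron job gives no feedback unless the script itself checks the result, so a useful extension is to read the JSON the CLI prints after "Operation successful" and fail the job when the upload did not happen or introduced High/Critical findings. The following is an added example and not ThreadFix's own code; it assumes the key and URL have already been set, that scans land in SCAN_DIR, and that the cron line invokes it with --run. The field names are the ones shown in the upload output earlier; the sample output embedded below is a constructed, trimmed copy of it.

```bash
#!/bin/bash
# Added example (not from the ThreadFix docs). Assumes tfcli.jar is configured
# (key/url set) and that the scheduler writes scan results into SCAN_DIR.

# Pull one top-level numeric field out of the CLI's single-line JSON output.
json_number() {            # $1 = json text, $2 = field name -> prints the value
    printf '%s' "$1" | sed -n 's/.*"'"$2"'":\([0-9][0-9]*\).*/\1/p'
}

# Return 0 when the upload reported no High/Critical vulnerabilities, 1 otherwise.
check_severity() {         # $1 = json text
    local high crit
    high=$(json_number "$1" numberHighVulnerabilities)
    crit=$(json_number "$1" numberCriticalVulnerabilities)
    [ "${high:-0}" -eq 0 ] && [ "${crit:-0}" -eq 0 ]
}

# Extract the JSON line from the full CLI output (the INFO log lines precede it).
json_from_cli_output() {   # $1 = full stdout of tfcli.jar -> prints the JSON line
    printf '%s\n' "$1" | sed -n '/^{/{p;q;}'
}

# Newest *.xml in a directory: the scan the scheduler just produced.
latest_scan() {            # $1 = directory
    ls -t "$1"/*.xml 2>/dev/null | head -n1
}

# Constructed sample of what the CLI prints, trimmed from the page's example.
SAMPLE_OUTPUT='INFO [main] CommandLineParser.printOutput(287) | Operation successful, printing JSON output.
{"numberNewVulnerabilities":1,"numberTotalVulnerabilities":1,"numberHighVulnerabilities":1,"numberCriticalVulnerabilities":0,"findings":[],"id":3}'

# Cron entry point: upload the scan, exit 2 on CLI/parse failure, 1 on High/Critical.
upload_and_check() {       # $1 = app id, $2 = scan file
    local out json
    out=$(java -jar tfcli.jar -u "$1" "$2") || return 2
    json=$(json_from_cli_output "$out")
    [ -n "$json" ] || return 2
    check_severity "$json"
}

if [ "${1:-}" = "--run" ]; then
    upload_and_check "${APP_ID:?set APP_ID}" "$(latest_scan "${SCAN_DIR:?set SCAN_DIR}")"
fi
```

Cron then sees a non-zero exit status (and mail, if configured) only when the upload failed or the scan added High/Critical findings, instead of silently succeeding every interval.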

Another option is to use a build server such as Jenkins to automate this process.

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.