As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. There is therefore no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you migrate to ThreadFix SaaS and maximize the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team is looking forward to continuing to support you on this journey.

AppScan Enterprise Remote Provider (ThreadFix 3.X)

You will learn

How ThreadFix fetches applications and scans from AppScan Enterprise, how scan dates are determined, and how to configure certificates.

Prerequisites

Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API

Introduction

HCL AppScan Enterprise (ASE) is used to mitigate application security risk, strengthen application security program management initiatives and achieve regulatory compliance. ThreadFix uses ASE's Application Security Management REST API to authenticate and to pull both application and scan information.

Login:

/ase/api/login

Logout:

/ase/api/logout

User Role

The ASE service user must have the Job Administrator role in order for ThreadFix to use the endpoints below to obtain the necessary data.

Get Applications

ThreadFix uses the following endpoint to pull applications from the ASE instance. ThreadFix paginates this request.

/ase/api/applications

Get Scans

ASE's Application Security Management REST API does not currently provide an endpoint to get issues from an application by scan. Instead, ThreadFix uses these endpoints:

  • Returns issues from ASE based on query parameters

  • ThreadFix uses this to pull the severity, status, datecreated, location and issuetype values of each finding from all new, open and reopened issues for the specified application

  • ThreadFix does paginate this request

 

  • The issues endpoint returns attribute IDs instead of attribute names. ThreadFix uses this endpoint to pull the attribute names to parse the issues

Scan Dates

ThreadFix uses this endpoint and finds the latest Last Run Date of the returned jobs:

  • If a job has no Last Run Date, it has been configured but never run, so such jobs are ignored

  • In the absence of any jobs with a Last Run Date, or any jobs configured, ThreadFix attempts to get the latest Date Created via the /issues endpoint

Scan Updated Date:

ThreadFix uses the /issues endpoint to search for the latest Last Updated Date for all the findings, regardless of severity. ThreadFix configures the parameters to only return one value, which is used as the Scan Updated Date.

Parsing Vulnerabilities

The JSON returned by ASE's issues endpoint maps directly to these ThreadFix Finding Mappings:

  • Native Id - id

  • Vulnerability code - issuetype

  • Severity code - severity

  • Path - location
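The Scan Dates rule above (latest job Last Run Date, skipping never-run jobs, with Date Created from the issues as the fallback) and the Finding Mappings in this section, worked through as an added example that is not ThreadFix's or ASE's own code. The JSON key names, the attribute IDs and the sample jobs and issues are constructed for the example and are not ASE's documented schema; the point is the selection logic and the ID-to-name resolution the page describes.

```python
from datetime import datetime
from typing import Optional

# Constructed sample data. The key names below are assumptions made for this
# example; they are not ASE's documented schema. ASE's issues endpoint returns
# attribute IDs, so the issue fields hold IDs that are resolved through a
# separate id -> name lookup, as the page describes.
ATTRIBUTE_NAMES = {"101": "High", "102": "Medium", "201": "Open",
                   "202": "Reopened", "301": "Cross-Site Scripting"}
JOBS = [
    {"name": "Nightly scan", "lastRunDate": "2024-09-10T02:00:00"},
    {"name": "Weekly scan", "lastRunDate": "2024-09-14T03:30:00"},
    {"name": "Not yet run"},                     # configured only: ignored
]
ISSUES = [
    {"id": "7001", "issuetype": "301", "severity": "101", "status": "201",
     "datecreated": "2024-09-12T10:15:00", "location": "/login?user="},
    {"id": "7002", "issuetype": "301", "severity": "102", "status": "202",
     "datecreated": "2024-09-13T08:00:00", "location": "/search?q="},
]

def latest_last_run_date(jobs: list) -> Optional[datetime]:
    """Latest Last Run Date across the returned jobs; never-run jobs are skipped."""
    dates = [datetime.fromisoformat(j["lastRunDate"])
             for j in jobs if j.get("lastRunDate")]
    return max(dates) if dates else None

def latest_date_created(issues: list) -> Optional[datetime]:
    """Fallback: latest Date Created across the application's issues."""
    dates = [datetime.fromisoformat(i["datecreated"])
             for i in issues if i.get("datecreated")]
    return max(dates) if dates else None

def scan_date(jobs: list, issues: list) -> Optional[datetime]:
    """Scan Dates rule: prefer a job Last Run Date, else an issue Date Created."""
    return latest_last_run_date(jobs) or latest_date_created(issues)

def map_finding(issue: dict, names: dict) -> dict:
    """Apply the Finding Mappings, resolving attribute IDs to attribute names."""
    return {
        "native_id": issue["id"],
        "vulnerability_code": names.get(issue["issuetype"], issue["issuetype"]),
        "severity_code": names.get(issue["severity"], issue["severity"]),
        "path": issue["location"],
    }

if __name__ == "__main__":
    print(scan_date(JOBS, ISSUES))
    for issue in ISSUES:
        print(map_finding(issue, ATTRIBUTE_NAMES))
```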

Configuring Certificates

AppScan Enterprise requires its certificate to be stored in the user's ThreadFix web server's Java keystore. Users may run into a "...SunCertPathBuilderException: unable to find valid certification path to requested target..." error when:

  • Migrating to a new ThreadFix web server or AppScan Enterprise Server

  • Changing or updating the ThreadFix web server's Java installation

  • Clearing your ThreadFix web server's Java keystore

Please refer to the Adding Custom Root Certificates to AppSec Container documentation to resolve this issue.

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
