As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. There will be no further support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers from the on-premises versions. Our Customer Success and Support teams are here to help you migrate to ThreadFix SaaS and maximize the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team looks forward to continuing to support you on this journey.

Contrast Remote Provider (ThreadFix 3.X)

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to the Remote Providers parent page. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API

Introduction

The Contrast IAST integration relies on Contrast's in-application sensors, which passively monitor application behavior at runtime and discover vulnerabilities quickly and accurately. ThreadFix makes the following Contrast API requests for the Contrast Remote Provider integration:

  • Organizations: /Contrast/api/ng/profile/organizations/default

  • Applications: /Contrast/api/ng/<orgId>/applications

  • Modules: /Contrast/api/ng/<orgId>/modules/<appId>

  • Issues: /Contrast/api/<orgId>/traces/<appId>

  • Events Summary: /Contrast/api/ng/<orgId>/traces/<traceId>/events/summary

  • Recommendation: /Contrast/api/ng/<orgId>/traces/<traceId>/recommendations

Scan Date and Updated Date are determined and set based on when a scan is imported into ThreadFix.

User Account Requirements

Both UI and "API Only" Contrast user account types can integrate with ThreadFix. Use the Organization API Key together with the user's Service Key, both found on the user profile. To find the Service Key of an API Only user, log in with an admin account, open Organization Settings > Users, and hover over the API Only label next to the user in the list, as shown below.

[Screenshot: Service Key popup shown when hovering over the API Only label in the user list.]

Organization Role

Both Contrast UI and API Only type users require Organizational Role “View” at a minimum.

Application Access Group

Both Contrast UI and API Only type users require Application Access Group “View” at a minimum.

Please note that both user types, UI and API Only, require the "UI Access" option to be toggled on. Although this does not grant login access to an API Only user, the ThreadFix integration still requires it.


Status Mappings

As of 3.1.1, Contrast's reported statuses are interpreted by ThreadFix as noted in the table below. A ThreadFix Status of <unchanged> means the finding's existing ThreadFix status is left as-is and only the ThreadFix State is set.

Contrast Status (Sub-Status)                                   | ThreadFix Status    | ThreadFix State
-------------------------------------------------------------- | ------------------- | ---------------
Reported                                                       | <unchanged>         | Open
Suspicious                                                     | <unchanged>         | Open
Confirmed                                                      | Scanner Exploitable | Open
Remediated                                                     | <unchanged>         | Closed
Fixed                                                          | <unchanged>         | Closed
Not a Problem (False Positive)                                 | False Positive      | Open
Not a Problem (Attack is defended by external control)         | False Positive      | Open
Not a Problem (Goes through internal control)                  | False Positive      | Open
Not a Problem (URL is only accessible by trusted power users)  | False Positive      | Open
Not a Problem (Other)                                          | False Positive      | Open

Note that every "Not a Problem" sub-status is recorded as False Positive in ThreadFix but leaves the finding in the Open state; only Remediated and Fixed close a finding.


API Usage

Remote Provider Applications:

  • Organization: /Contrast/api/ng/profile/organizations/default

  • Modules:

    • Applications: /Contrast/api/ng/<orgId>/applications

    • Sub Modules: /Contrast/api/ng/<orgId>/modules/<appId>

  • Environments: /Contrast/api/ng/<orgId>/applications/filter?includeMerged=true

    • This call is made to Contrast once for each environment type; currently only Development, QA, and Production are supported.

    • The ALL Remote Provider Application covers all three environments.

Import Scans:

  • Organization: /Contrast/api/ng/profile/organizations/default

  • Vulnerabilities: /Contrast/api/ng/<orgId>/orgtraces/filter

    • Events: /Contrast/api/ng/<orgId>/traces/<traceId>/events/summary

    • Recommendation: /Contrast/api/ng/<orgId>/traces/<traceId>/recommendation

  • Servers: /Contrast/api/ng/<orgId>/servers/filter

  • Libraries: /Contrast/api/ng/<orgId>/libraries/filter?expand=vulns

    • ThreadFix only creates Findings for libraries that have one or more vulnerabilities in the Contrast response; all other libraries are ignored.
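The following is an added example, not ThreadFix or Contrast code, that models the Import Scans call sequence above offline and applies the Status Mappings table from the earlier section to constructed sample data. It assumes (the page does not say) that Contrast authenticates API calls with an API-Key header carrying the Organization API Key and an Authorization header carrying base64("username:serviceKey"); verify that against your Contrast version. The JSON field names in the sample responses (status, sub_status, vulns, file_name) and the host, org UUID and credentials are all constructed for illustration.

```python
"""Offline model of the ThreadFix -> Contrast Import Scans sequence (added example)."""
import base64
from urllib.parse import urljoin

# Status Mappings table (ThreadFix 3.1.1+) transcribed from the page.
# (Contrast status) -> (ThreadFix status or None for <unchanged>, ThreadFix state)
STATUS_MAP = {
    "Reported": (None, "Open"),
    "Suspicious": (None, "Open"),
    "Confirmed": ("Scanner Exploitable", "Open"),
    "Remediated": (None, "Closed"),
    "Fixed": (None, "Closed"),
}
# Every Contrast "Not a Problem" sub-status maps to False Positive / Open.
NOT_A_PROBLEM_SUBSTATUSES = {
    "False Positive",
    "Attack is defended by external control",
    "Goes through internal control",
    "URL is only accessible by trusted power users",
    "Other",
}


def contrast_headers(username: str, service_key: str, org_api_key: str) -> dict:
    """Request headers for Contrast (ASSUMED auth scheme, not stated on the page)."""
    token = base64.b64encode(f"{username}:{service_key}".encode()).decode()
    return {"API-Key": org_api_key, "Authorization": token, "Accept": "application/json"}


def import_scan_urls(base_url: str, org_id: str, trace_ids) -> list:
    """The Import Scans call sequence listed on the page, as absolute URLs."""
    urls = [
        urljoin(base_url, "/Contrast/api/ng/profile/organizations/default"),
        urljoin(base_url, f"/Contrast/api/ng/{org_id}/orgtraces/filter"),
    ]
    for tid in trace_ids:  # per-trace detail calls
        urls.append(urljoin(base_url, f"/Contrast/api/ng/{org_id}/traces/{tid}/events/summary"))
        urls.append(urljoin(base_url, f"/Contrast/api/ng/{org_id}/traces/{tid}/recommendation"))
    urls.append(urljoin(base_url, f"/Contrast/api/ng/{org_id}/servers/filter"))
    urls.append(urljoin(base_url, f"/Contrast/api/ng/{org_id}/libraries/filter?expand=vulns"))
    return urls


def map_status(contrast_status: str, sub_status=None, current_tf_status="New"):
    """Apply the Status Mappings table; returns (ThreadFix status, ThreadFix state).

    <unchanged> keeps current_tf_status.  "Not a Problem" becomes False Positive
    but stays Open, so it never closes the finding.  Unknown statuses raise so a
    new Contrast status is not silently imported as something else.
    """
    if contrast_status == "Not a Problem":
        if sub_status not in NOT_A_PROBLEM_SUBSTATUSES:
            raise ValueError(f"unmapped Not a Problem sub-status: {sub_status!r}")
        return ("False Positive", "Open")
    if contrast_status not in STATUS_MAP:
        raise ValueError(f"unmapped Contrast status: {contrast_status!r}")
    tf_status, tf_state = STATUS_MAP[contrast_status]
    return (tf_status if tf_status is not None else current_tf_status, tf_state)


def vulnerable_libraries(libraries_response: dict) -> list:
    """Keep only libraries with one or more vulns, as the page says ThreadFix does."""
    return [lib for lib in libraries_response.get("libraries", [])
            if len(lib.get("vulns", [])) >= 1]


# Constructed sample responses (field names are assumptions, not real Contrast output).
SAMPLE_TRACES = [
    {"uuid": "trace-1", "status": "Confirmed", "sub_status": None},
    {"uuid": "trace-2", "status": "Not a Problem", "sub_status": "Goes through internal control"},
    {"uuid": "trace-3", "status": "Fixed", "sub_status": None},
]
SAMPLE_LIBRARIES = {
    "libraries": [
        {"file_name": "vulnerable-lib-1.0.jar", "vulns": [{"name": "constructed-vuln-1"}]},
        {"file_name": "clean-lib-2.0.jar", "vulns": []},
    ]
}

if __name__ == "__main__":
    print(contrast_headers("tf-api-only@example.com", "SERVICE_KEY", "ORG_API_KEY"))
    trace_ids = [t["uuid"] for t in SAMPLE_TRACES]
    for url in import_scan_urls("https://contrast.example.com", "org-uuid", trace_ids):
        print("GET", url)
    for t in SAMPLE_TRACES:
        print(t["uuid"], map_status(t["status"], t["sub_status"]))
    print([lib["file_name"] for lib in vulnerable_libraries(SAMPLE_LIBRARIES)])
```

map_status raises on anything outside the table rather than guessing, which is the behaviour you want from an importer: a new Contrast status should surface as an error to investigate, not be silently filed as Open or Closed.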


www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.