As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus ThreadFix SaaS and migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.
Coverity Remote Provider (ThreadFix 3.X)
For general information & instructions on the use of Remote Providers within ThreadFix, please refer to the Remote Providers parent page. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API
Coverity User Account
Ensure that the Coverity account used for the ThreadFix integration has admin role/privilege on the Coverity side. The following is a list of SOAP API requests that ThreadFix uses for the Coverity Remote Provider integration
Scans: defectservice#getMergedDefectsForProjectScope
Findings: defectservice#getStreamDefects
Projects: configurationservice#getProjects
Parsing Vulnerabilities
The following fields are parsed and mapped from Coverity to ThreadFix:
defectStateAttributeValues.DefectStatus -> used to determine vuln open / closed
defectStateAttributeValues.Classification -> used to determine false positive
defectStateAttributeValues.Comment -> comment
defectStateAttributeValues.Severity -> severity
defectInstances.longDescription -> long description
defectInstances.cwe -> cwe
defectInstances.checkerName -> vuln code
defectInstances.events.lineNumber -> dataflow line number
defectInstances.events.eventNumber -> dataflow sequence index
defectIntances.events.fileId -> dataflow file name
Vulnerability Statuses
ThreadFix will mark findings False Positive if they have False Positive status in Coverity. ThreadFix will not ingest findings with fixed status, closing them if they were ingested in a previous scan.
Default Severity Mappings:
Unspecified -> Info
Major -> High
Moderate -> Medium
Minor -> Low
Table of Contents
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.