As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you migrate to ThreadFix SaaS and maximize the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team is looking forward to continuing to support you on this journey.

Dependency Track Remote Provider (ThreadFix 3.X)

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to the Remote Providers parent page. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API

Introduction

ThreadFix uses the Dependency Track API Client to authenticate and to pull both application and scan information.

Fetching Applications

ThreadFix uses this endpoint to pull applications from the Dependency Track instance. ThreadFix does paginate this request.

/api/v1/project

Fetching Scans

ThreadFix uses this endpoint to get vulnerability information from Dependency Track Client API:

/api/v1/vulnerability/project/{projectNativeId}
  • From the returned data, ThreadFix extracts the severity, status, date created, location, and issue type dependency values of each finding from all new, open, and reopened issues for the specified application

  • Because the results set does not provide a scan date, ThreadFix will report the date the scan was imported as the scan date

  • ThreadFix does paginate this request

  • Users need to have the Vulnerability_Analysis permission in Dependency Track to import scans

Parsing Vulnerabilities

The JSON returned by Dependency Track vulnerabilities endpoint maps directly to these ThreadFix Finding Mappings:

  • Native Id - vulnerability.uuid

  • Vulnerability code - vulnerability.cwe.name (if cwe.name is null it will map to Configuration)

  • Severity code - vulnerability.severity

  • Path - "Dependencies"

  • dependency.reference - vulnerability.vulnId

  • dependency.componentName - component.name

  • dependency.componentFilePath - component.fileName

  • dependency.description - vulnerability.description

  • CVE - vulnerability.vulnId
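The mapping above, applied in code as an added example (this is not ThreadFix's or Dependency Track's own code). The sample response is constructed to follow the field names listed on this page, and the `imported_at` parameter stands in for the import time that ThreadFix reports as the scan date.

```python
# Added example: maps Dependency Track vulnerability records to the
# ThreadFix finding fields listed above. The JSON below is constructed
# for illustration; identifiers are placeholders, not real findings.
import json

SAMPLE_RESPONSE = json.dumps([
    {
        "uuid": "00000000-0000-4000-8000-000000000001",   # constructed
        "vulnId": "CVE-0000-0001",                          # placeholder
        "severity": "HIGH",
        "description": "Constructed description of a dependency issue.",
        "cwe": {"cweId": 79, "name": "Improper Neutralization of Input"},
        "component": {"name": "example-lib", "fileName": "example-lib-1.0.jar"},
    },
    {
        "uuid": "00000000-0000-4000-8000-000000000002",   # constructed
        "vulnId": "CVE-0000-0002",                          # placeholder
        "severity": "MEDIUM",
        "description": "Finding with no CWE attached.",
        "cwe": None,
        "component": {"name": "other-lib", "fileName": "other-lib-2.3.jar"},
    },
])


def map_finding(vuln: dict, imported_at: str) -> dict:
    """Apply the page's finding mapping to one vulnerability record."""
    cwe = vuln.get("cwe") or {}
    component = vuln.get("component") or {}
    return {
        "nativeId": vuln["uuid"],
        # A null cwe.name falls back to "Configuration", as the page states.
        "vulnerabilityCode": cwe.get("name") or "Configuration",
        "severityCode": vuln.get("severity"),
        "path": "Dependencies",
        "cve": vuln.get("vulnId"),
        "dependency": {
            "reference": vuln.get("vulnId"),
            "componentName": component.get("name"),
            "componentFilePath": component.get("fileName"),
            "description": vuln.get("description"),
        },
        # The result set carries no scan date, so the import time is used.
        "scanDate": imported_at,
    }


def parse_vulnerabilities(raw_json: str, imported_at: str) -> list:
    """Parse a vulnerability endpoint response into ThreadFix findings."""
    return [map_finding(v, imported_at) for v in json.loads(raw_json)]
```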


www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
