As of the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life, so this version of the product no longer receives support or updates. Our product and development teams have fully transitioned to ThreadFix SaaS and to migrating all customers from the on-premises versions. Our Customer Success and Support teams are here to help you migrate to ThreadFix SaaS and maximize the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team looks forward to continuing to support you on this journey.

Fortify Software Security Center Remote Provider (ThreadFix 3.X)

For general information and instructions on using Remote Providers within ThreadFix, refer to the Remote Providers parent page. For the REST API functionality available for Remote Providers, refer to the Remote Providers API page.

Finding Status Processing

The following list shows how Fortify audit statuses are mapped to ThreadFix finding statuses when a scan is ingested:

  • Not an issue or Suppressed - marked False Positive in ThreadFix

  • Exploitable or Need more information - marked Open in ThreadFix

  • Hidden - not ingested into ThreadFix at all

When there is no scan data to import, a “No scans were found” message will display as the Last Import Attempt Status.

API Usage

Get Artifacts for Project:

/projectVersion/{{projectId}}/artifacts?fields=lastScanDate,status&start=0&limit=0&q=status:"PROCESS_COMPLETE"

ThreadFix takes the lastScanDate of the completed (PROCESS_COMPLETE) artifacts and compares it with the scan date of the Fortify SSC scan currently imported into ThreadFix; a newer lastScanDate indicates a new artifact to import. That lastScanDate also becomes the Scan Date of the ThreadFix scan.

Get Project Version:

/projectVersion/{{projectId}}

ThreadFix uses currentState.metricEvaluationDate to detect changes to the project version's current state (for example audit changes) in the case where no new artifact has been uploaded. This date becomes the Updated Date of the ThreadFix scan.

FPR Download:

If the two calls above show that a new artifact has been processed or that there are new state updates to import, ThreadFix downloads the current-state FPR with the following call:

/download/currentStateFPRDownload.html
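The three calls above amount to a small polling decision: take the newest completed artifact, compare it with what is already stored, fall back to the metric evaluation date, and only then download the FPR. The following Python is an added example of that logic and is not ThreadFix's own code. The endpoint paths, the field names (lastScanDate, status, currentState.metricEvaluationDate) and the PROCESS_COMPLETE filter come from this page; the "data" response envelope, the ISO 8601 timestamp format, the sample responses and the action names are assumptions made for the example.

```python
"""
Sync decision logic for a Fortify SSC remote provider, modelled on the three
SSC calls described on this page. Example code added to the page, not
ThreadFix's implementation. Endpoint paths and field names come from the page;
the "data" envelope, the ISO 8601 timestamp format and the action names are
assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Status string quoted on the page for the Last Import Attempt Status.
NO_SCANS = "No scans were found"
FPR_DOWNLOAD_PATH = "/download/currentStateFPRDownload.html"


def artifacts_path(project_id: int) -> str:
    """Step 1 request path, with the page's {{projectId}} placeholder filled in."""
    return (f"/projectVersion/{project_id}/artifacts"
            '?fields=lastScanDate,status&start=0&limit=0&q=status:"PROCESS_COMPLETE"')


def project_version_path(project_id: int) -> str:
    """Step 2 request path."""
    return f"/projectVersion/{project_id}"


def parse_ts(value: str) -> datetime:
    """Parse an SSC timestamp (assumed ISO 8601). A trailing 'Z' is normalised
    to +00:00 and naive values are treated as UTC, so comparisons never mix
    aware and naive datetimes (which would raise TypeError)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class SyncDecision:
    action: str                        # import_new_artifact | import_updates | up_to_date | NO_SCANS
    scan_date: Optional[datetime]      # becomes the ThreadFix Scan Date
    updated_date: Optional[datetime]   # becomes the ThreadFix Updated Date
    download_path: Optional[str]       # set when the current-state FPR must be fetched


def latest_completed_scan(artifacts_body: dict) -> Optional[datetime]:
    """Newest lastScanDate among PROCESS_COMPLETE artifacts. The q= filter runs
    server-side, but the status is re-checked here so an unfiltered response
    cannot promote an artifact that is still processing."""
    dates = [parse_ts(a["lastScanDate"])
             for a in artifacts_body.get("data", [])
             if a.get("status") == "PROCESS_COMPLETE" and a.get("lastScanDate")]
    return max(dates) if dates else None


def decide_sync(artifacts_body: dict, project_version_body: dict,
                last_scan_date: Optional[datetime],
                last_updated_date: Optional[datetime]) -> SyncDecision:
    """Apply the page's three-step logic to already-fetched responses.
    last_scan_date / last_updated_date describe the scan currently stored in
    ThreadFix (None when nothing has been imported yet)."""
    newest = latest_completed_scan(artifacts_body)
    if newest is None:
        return SyncDecision(NO_SCANS, None, None, None)   # nothing to import
    evaluated = parse_ts(project_version_body["data"]["currentState"]["metricEvaluationDate"])
    # Step 1: a completed artifact newer than the stored scan -> import it.
    if last_scan_date is None or newest > last_scan_date:
        return SyncDecision("import_new_artifact", newest, evaluated, FPR_DOWNLOAD_PATH)
    # Step 2: no new artifact, but the current state was re-evaluated (audits,
    # suppressions) since the last import -> re-import the current-state FPR.
    if last_updated_date is None or evaluated > last_updated_date:
        return SyncDecision("import_updates", last_scan_date, evaluated, FPR_DOWNLOAD_PATH)
    return SyncDecision("up_to_date", last_scan_date, last_updated_date, None)


# Constructed sample responses (not captured from a real SSC instance).
ARTIFACTS_RESPONSE = json.loads("""{"data": [
  {"id": 101, "status": "PROCESS_COMPLETE", "lastScanDate": "2024-09-10T08:15:00.000+00:00"},
  {"id": 102, "status": "PROCESS_COMPLETE", "lastScanDate": "2024-09-17T09:30:00.000+00:00"},
  {"id": 103, "status": "PROCESSING",       "lastScanDate": "2024-09-20T10:00:00.000+00:00"}
]}""")
PROJECT_VERSION_RESPONSE = json.loads("""{"data": {"id": 7,
  "currentState": {"metricEvaluationDate": "2024-09-18T11:00:00.000+00:00"}}}""")


if __name__ == "__main__":
    stored_scan = parse_ts("2024-09-10T08:15:00.000+00:00")
    stored_update = parse_ts("2024-09-10T09:00:00.000+00:00")
    print(artifacts_path(7))
    print(decide_sync(ARTIFACTS_RESPONSE, PROJECT_VERSION_RESPONSE, stored_scan, stored_update))
    print(decide_sync(ARTIFACTS_RESPONSE, PROJECT_VERSION_RESPONSE, None, None))
```

Two details matter in practice. The artifact that is still PROCESSING carries the newest date in the sample, and it is deliberately ignored: importing it would record a Scan Date for results that do not exist yet. Comparisons are strict (newer, not newer-or-equal), so re-polling an unchanged project version does not re-download the FPR.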


Unassigned Findings

As of 3.1.1, new findings uploaded to the Auditor Status folder are automatically given the Unassigned severity until a user manually sets them to the desired severity. Note the Unassigned finding in the accompanying screenshot (not reproduced here).

To reassign the severity manually, select View More to open the finding's Vulnerability Details and change the severity from the Action drop-down button.

To avoid repeating this for every finding, add an Exception on the Customize Scanner Severities page; Exceptions apply globally and automatically set future Unassigned findings to the chosen severity.


www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.