As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.

Automated Defect Creation (ThreadFix 3.X)

You will learn

Below are the steps to incorporate the automated defect creation process.

  1. Create a Defect Tracker instance by going to Integrations -> Defect Trackers (refer to the Create Defect Tracker page for more info).

  2. Create a defect profile which fills out all required fields for that configured defect tracker by clicking the “Show Default Profiles” button, then clicking the “Create Profile” button.

  3. Provide a name and product to reference.

     

  4. Enter and/or select the Defect Defaults details values as desired.

     

  5. Open the Application Detail page for the application you wish to configure automated defect creation on and select the Top Action Menu -> Manage Defect Trackers -> Edit Defect Trackers.

     

  6. Click the “Add Defect Tracker” button to select the configured defect tracker you would like associated with this application.

     

  7. Click the “Change Profile” button to expand all configured profiles for this defect tracker and select a profile to be the default profile (ensure you select a default profile that fills all required fields).

     

  8. Go to the Manage Policies page under Customize -> Policies.

     

  9. Select the Defect Reporters tab, click the “Create Defect Reporter” button and select the criteria for which you would like to auto-create defects.

    1. First, select the Severity for which automated defects should be created; this dictates when a defect is created. For example, if you select Severity "High" and choose the "Or Greater" option, a defect will be created any time a new vulnerability is introduced with a High or Critical Severity.

    2. The Group By options let you bundle similar vulnerabilities or severities into a single defect to reduce the potential noise created by a bad check-in or a particularly troubled new feature. Choose between no grouping, bundling by identical CWEs, bundling by identical Severities, or bundling by identical CWEs per severity. If you choose "CWE and Severity", for example, all Critical XSS vulnerabilities would be grouped into a single defect, with all High XSS vulnerabilities grouped into a separate defect.

       

  10. Click the “Applications” button for the policy you just defined.

     

  11. Start typing the desired application name you wish to add, select it from the drop-down list, and click the 'Add Application' button. Repeat if you want to add more applications.

     

     

  12. You'll receive confirmation that the defect tracker was added.

 

After the above steps, when you upload a scan into the ThreadFix application, ThreadFix will submit defects for new vulnerabilities that meet the specified criteria (i.e., automated defects will not be created for existing vulnerabilities).
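To preview how much defect traffic a Defect Reporter will generate, the sketch below models the Severity / "Or Greater" and Group By rules from step 9 together with the new-vulnerabilities-only rule. It is an added illustration, not ThreadFix code or its API: the severity scale below High, the finding fields, and the names `plan_defects` and `SAMPLE_SCAN` are assumptions, and the scan data is constructed.

```python
from collections import defaultdict

# Assumed severity scale, lowest to highest (the page names only High and Critical).
SEVERITIES = ["Info", "Low", "Medium", "High", "Critical"]

# Group By options from step 9, mapped to the key that bundles findings.
GROUP_KEYS = {
    "None": lambda f: (f["id"],),
    "CWE": lambda f: (f["cwe"],),
    "Severity": lambda f: (f["severity"],),
    "CWE and Severity": lambda f: (f["cwe"], f["severity"]),
}


def meets_threshold(severity, threshold, or_greater):
    """True when a finding's severity satisfies the reporter's Severity setting."""
    rank, floor = SEVERITIES.index(severity), SEVERITIES.index(threshold)
    return rank >= floor if or_greater else rank == floor


def plan_defects(findings, threshold, or_greater, group_by):
    """Return {group key: [finding ids]}; each entry stands for one defect."""
    key_of = GROUP_KEYS[group_by]
    defects = defaultdict(list)
    for f in findings:
        # Existing vulnerabilities never trigger automated defects.
        if f["new"] and meets_threshold(f["severity"], threshold, or_greater):
            defects[key_of(f)].append(f["id"])
    return dict(defects)


# Constructed sample scan results (CWE-79 = XSS, CWE-89 = SQL injection).
SAMPLE_SCAN = [
    {"id": 1, "cwe": 79, "severity": "Critical", "new": True},
    {"id": 2, "cwe": 79, "severity": "Critical", "new": True},
    {"id": 3, "cwe": 79, "severity": "High", "new": True},
    {"id": 4, "cwe": 89, "severity": "High", "new": True},
    {"id": 5, "cwe": 79, "severity": "Medium", "new": True},     # below threshold
    {"id": 6, "cwe": 89, "severity": "Critical", "new": False},  # already known
]

if __name__ == "__main__":
    for option in GROUP_KEYS:
        plan = plan_defects(SAMPLE_SCAN, "High", True, option)
        print(f"{option:>16}: {len(plan)} defect(s) -> {plan}")
```

With the threshold at High "Or Greater", the same four qualifying findings become four, two, two, or three defects depending on the Group By option, which is the trade-off between traceability and noise to weigh when choosing one.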



 

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.