As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. There is therefore no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you migrate to ThreadFix SaaS and maximize the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team looks forward to continuing to support you on this journey.
GitHub Dependabot [Beta] Remote Provider (ThreadFix 3.X)
Introduced in 3.1.1.
For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API.
GitHub Remote Provider Setup
To set up this remote provider, a GitHub username and an OAuth Token (a non-expired Personal Access Token with at least the public_repo scope) are required. Note that public_repo grants access to public repositories only; a token that must read alerts for private repositories needs the broader repo scope.
Generate Token
The process below covers generating a token if one is not already available.
In GitHub, navigate to the user's Settings > Developer Settings > Personal access tokens and click the Generate new token button.
Provide a name, expiration date, and select any appropriate scopes. At a minimum, select a scope of public_repo.
Click the Generate token button and copy the Personal Access Token; GitHub displays it only once, and it is needed when setting up GitHub as a new provider in ThreadFix.
Remote Provider Setup
From the Integrations menu, open the Remote Providers page and select the Create New Remote Provider button. In the Create New Provider modal, enter the GitHub username, paste the Personal Access Token into the OAuth Token field, and click the Create Provider button to create the provider in ThreadFix.
Once the provider has been created, applications and teams can be mapped, and scans imported. Note the example below.
ThreadFix imports vulnerabilityAlerts from GitHub in batches of 100 (the maximum page size a GraphQL connection returns per request). Each vulnerabilityAlert contains a securityVulnerability object and a securityAdvisory object; ThreadFix uses these to create findings and dependency data, mapped as follows.
Findings
Description: ThreadFix builds the description from the firstPatchedVersion, the vulnerableVersionRange, and the securityAdvisory description. If there is no firstPatchedVersion, ThreadFix inserts the text "No fix" in place of the version. A description has the following form:
“Vulnerable versions: <vulnerableVersionRange>
Patched versions: <firstPatchedVersion>
Description: <securityAdvisory description>”
Severity Code: This is the severity pulled from the securityVulnerability
CVE: If the securityAdvisory contains a CVE, it is stored here
Native ID: This is a hash of the ghsaId (GitHub Security Advisory ID) and the CVE. Both of these values are found within the securityAdvisory
Vulnerability Code: This will be the summary attribute of the securityAdvisory
Source File Name: This is the vulnerableManifestPath taken from the vulnerabilityAlert
Raw Finding: String version of the whole vulnerabilityAlert
Dependency
Reference: This will be the same as the CVE above
Description: This will be the same as the description above
Component Name: This is the name of the vulnerablePackage found inside the securityVulnerability
Component File Path: This will be the same as the Source File Name above
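The Findings and Dependency mappings above, as an added example that is not ThreadFix's code: a Python function that takes one vulnerabilityAlert node and produces the finding and dependency fields listed, including the "No fix" case. The sample alerts are constructed; their JSON key names follow GitHub's GraphQL schema (package rather than vulnerablePackage, and a CVE carried in the advisory's identifiers list), and the hash algorithm and separator used for the Native ID are assumptions, since the page only says it is a hash of the ghsaId and the CVE.

```python
import hashlib
import json
from typing import Optional, Tuple

NO_FIX = "No fix"


def description_of(vuln: dict, advisory: dict) -> str:
    """Three-line description in the form the page documents."""
    patched = vuln.get("firstPatchedVersion")
    patched_text = patched["identifier"] if patched else NO_FIX
    return (
        f"Vulnerable versions: {vuln['vulnerableVersionRange']}\n"
        f"Patched versions: {patched_text}\n"
        f"Description: {advisory['description']}"
    )


def cve_of(advisory: dict) -> Optional[str]:
    """First CVE identifier on the advisory, or None when it is GHSA-only."""
    for ident in advisory.get("identifiers", []):
        if ident.get("type") == "CVE":
            return ident["value"]
    return None


def native_id(ghsa_id: str, cve: Optional[str]) -> str:
    # Assumption: SHA-256 over "ghsaId|cve". The page only says the native ID
    # is a hash of the ghsaId and the CVE; the algorithm is not documented.
    return hashlib.sha256(f"{ghsa_id}|{cve or ''}".encode()).hexdigest()


def map_alert(alert: dict) -> Tuple[dict, dict]:
    """Return (finding, dependency) dicts for one vulnerabilityAlert node."""
    vuln = alert["securityVulnerability"]
    advisory = alert["securityAdvisory"]
    description = description_of(vuln, advisory)
    cve = cve_of(advisory)
    finding = {
        "description": description,
        "severityCode": vuln["severity"],
        "cve": cve,
        "nativeId": native_id(advisory["ghsaId"], cve),
        "vulnerabilityCode": advisory["summary"],
        "sourceFileName": alert["vulnerableManifestPath"],
        "rawFinding": json.dumps(alert, sort_keys=True),
    }
    dependency = {
        "reference": cve,
        "description": description,
        "componentName": vuln["package"]["name"],
        "componentFilePath": alert["vulnerableManifestPath"],
    }
    return finding, dependency


# Constructed sample alerts with placeholder identifiers (not real advisories):
# one with a patched version and a CVE, one GHSA-only with no fix available.
SAMPLE_ALERTS = [
    {
        "vulnerableManifestPath": "package-lock.json",
        "securityVulnerability": {
            "severity": "HIGH",
            "vulnerableVersionRange": "< 4.17.21",
            "firstPatchedVersion": {"identifier": "4.17.21"},
            "package": {"name": "example-lib"},
        },
        "securityAdvisory": {
            "ghsaId": "GHSA-0000-0000-0000",
            "summary": "Prototype pollution in example-lib",
            "description": "Constructed description text.",
            "identifiers": [
                {"type": "GHSA", "value": "GHSA-0000-0000-0000"},
                {"type": "CVE", "value": "CVE-0000-0000"},
            ],
        },
    },
    {
        "vulnerableManifestPath": "requirements.txt",
        "securityVulnerability": {
            "severity": "MODERATE",
            "vulnerableVersionRange": "<= 1.2.3",
            "firstPatchedVersion": None,
            "package": {"name": "example-pkg"},
        },
        "securityAdvisory": {
            "ghsaId": "GHSA-0000-0000-0001",
            "summary": "Unpatched issue in example-pkg",
            "description": "Constructed description, no fix released.",
            "identifiers": [{"type": "GHSA", "value": "GHSA-0000-0000-0001"}],
        },
    },
]
```

One consequence of the definition above worth knowing when reconciling imports: because the Native ID is derived only from the ghsaId and the CVE, the same advisory raised against two manifest files in one repository yields the same Native ID, while the Source File Name and Component File Path differ.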
Queries
Search Queries
ThreadFix uses GitHub's search query to pull its repositories. The arguments it passes are listed below; the full reference is at https://docs.github.com/en/graphql/reference/queries#searchresultitemconnection.
Name | Description
---|---
after | Returns the elements in the list that come after the specified cursor.
before | Returns the elements in the list that come before the specified cursor.
first | Returns the first n elements from the list.
last | Returns the last n elements from the list.
query | The search string to look for.
type | The types of search items to search within.
Repository Queries
ThreadFix uses GitHub's repository query to pull Dependabot alerts. The arguments it passes are listed below; the full reference is at https://docs.github.com/en/graphql/reference/queries#repository.
Name | Description
---|---
followRenames | Follow repository renames. If disabled, a repository referenced by its old name will return an error. The default value is true.
name | The name of the repository.
owner | The login field of a user or organization.
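The two queries above, combined into an added example that is not ThreadFix's code: a Python paginator that drives the search query to list a user's repositories and then the repository query to pull each repository's vulnerabilityAlerts in batches of 100, following endCursor until hasNextPage is false. The GraphQL documents are written against GitHub's schema as referenced above; the search string user:<login> is an assumption about how ThreadFix scopes its search, and execute stands for any function that POSTs a query plus variables to https://api.github.com/graphql with the Personal Access Token and returns the decoded data object (here replaced by a constructed offline stand-in).

```python
from typing import Any, Callable, Dict, List

PAGE_SIZE = 100  # batches of 100, as the page states; GraphQL caps `first` at 100

# Search query using the arguments from the search table: query, type, first, after.
# Assumption: ThreadFix scopes the search with "user:<login>"; the page does not say.
REPO_SEARCH = """
query($q: String!, $first: Int!, $after: String) {
  search(query: $q, type: REPOSITORY, first: $first, after: $after) {
    pageInfo { hasNextPage endCursor }
    nodes { ... on Repository { name owner { login } } }
  }
}
"""

# Repository query using owner, name and followRenames from the repository table,
# with the vulnerabilityAlerts connection paged by first/after.
ALERTS = """
query($owner: String!, $name: String!, $first: Int!, $after: String) {
  repository(owner: $owner, name: $name, followRenames: true) {
    vulnerabilityAlerts(first: $first, after: $after) {
      pageInfo { hasNextPage endCursor }
      nodes {
        vulnerableManifestPath
        securityVulnerability {
          severity vulnerableVersionRange
          package { name } firstPatchedVersion { identifier }
        }
        securityAdvisory { ghsaId summary description identifiers { type value } }
      }
    }
  }
}
"""

Execute = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def paginate(execute: Execute, query: str, variables: Dict[str, Any],
             path: List[str]) -> List[dict]:
    """Follow `after` cursors until hasNextPage is false; `path` locates the
    connection (e.g. ["repository", "vulnerabilityAlerts"]) inside `data`."""
    nodes: List[dict] = []
    cursor = None
    while True:
        data = execute(query, {**variables, "first": PAGE_SIZE, "after": cursor})
        conn = data
        for key in path:
            conn = conn[key]
        nodes.extend(conn["nodes"])
        info = conn["pageInfo"]
        if not info["hasNextPage"]:
            return nodes
        if not info["endCursor"] or info["endCursor"] == cursor:
            # More pages claimed but the cursor did not move: stop rather than spin forever.
            raise RuntimeError("endCursor did not advance")
        cursor = info["endCursor"]


def search_repositories(execute: Execute, login: str) -> List[dict]:
    return paginate(execute, REPO_SEARCH, {"q": f"user:{login}"}, ["search"])


def fetch_alerts(execute: Execute, owner: str, name: str) -> List[dict]:
    return paginate(execute, ALERTS, {"owner": owner, "name": name},
                    ["repository", "vulnerabilityAlerts"])


class FakeGitHub:
    """Constructed offline stand-in for the GraphQL endpoint. It serves the
    given data and uses the item offset as its opaque cursor."""

    def __init__(self, login: str, alerts_by_repo: Dict[str, List[dict]]):
        self.login = login
        self.alerts_by_repo = alerts_by_repo
        self.requests = 0

    def __call__(self, query: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        self.requests += 1
        start = int(variables["after"]) if variables["after"] else 0
        if "search(" in query:
            items = [{"name": n, "owner": {"login": self.login}} for n in self.alerts_by_repo]
            path = ["search"]
        else:
            items = self.alerts_by_repo[variables["name"]]
            path = ["repository", "vulnerabilityAlerts"]
        page = items[start:start + variables["first"]]
        end = start + len(page)
        conn: Dict[str, Any] = {
            "nodes": page,
            "pageInfo": {"hasNextPage": end < len(items),
                         "endCursor": str(end) if page else None},
        }
        data: Dict[str, Any] = conn
        for key in reversed(path):
            data = {key: data}
        return data


def demo_alert_count(total: int = 250) -> Dict[str, int]:
    """Constructed repository with `total` alerts: how many nodes were collected
    and how many GraphQL requests it took (1 search + ceil(total/100) alert pages)."""
    gh = FakeGitHub("example-org", {"demo-repo": [{"id": i} for i in range(total)]})
    repos = search_repositories(gh, "example-org")
    alerts = fetch_alerts(gh, repos[0]["owner"]["login"], repos[0]["name"])
    return {"repos": len(repos), "alerts": len(alerts), "requests": gh.requests}
```

Against the real endpoint, execute would be a thin wrapper that posts {"query": ..., "variables": ...} with an Authorization: bearer header and returns the response's data field; the cursor guard in paginate is what keeps a misbehaving or truncated response from turning the 100-per-batch loop into an unbounded one.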
Table of Contents
- 1.1 GitHub Remote Provider Setup
- 1.1.1 Generate Token
- 1.1.2 Remote Provider Setup
- 1.1.3 Findings
- 1.1.4 Dependency
- 1.1.5 Queries
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.