As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus ThreadFix SaaS and migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.

3.X Version Feature Changes

Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:

3.8

September 2024

  • Kong has been updated from version 2.8 to 3.6

  • OpenShift is no longer supported

  • The defect description text format for Azure DevOps Defect tracker in the Classic_Description.vm file has been updated

  • The character limits for email, username, and First/Last have been increased to 25 characters

  • The list of currently accepted file types for uploading to findings has been updated

  • Addressed issue where a manually closed vulnerability may display as having been reopened by a scan upload

  • Addressed issue with importing .fpr file types

  • Addressed issue where Time to Remediate policies for new teams/applications may not display correctly in the UI

  • Addressed an issue where Snyk may not allow a new scan to be imported if there is prior data present

3.7

April 2024

  • Resolved issue of not being able to set a Parent field during a Jira ticket creation

  • Resolved an issue where users may receive an error when attempting to retrieve a team’s history of events via API if an application does not exist with a matching ID

  • Addressed an issue where Admin level users are able to delete themselves

  • Resolved an issue where Automated Defect Creation through Azure may not create defects

3.6

March 2024

  • Snyk has been added as a new Remote Provider

  • Improved logging visibility to the Vulnerability Details page in the UI and in the API response for Vulnerability Details

  • Addressed issue where a SAML user with global admin role cannot access Queue Management

  • Addressed issue where a user may not be able to select the Components and/or Affect versions when attempting to create a Defect tracker for Jira

  • Addressed issue where a after uploading a file to the Application page, the UI does not reflect the new file

3.5

January 2024

  • Fix for an issue when a user performs a Vulnerability Search API call using an invalid value, ThreadFix returns a “success=true” status with a blank message

  • Fix for API calls for deleted or invalid IDs returning a success message

  • Fix for an issue On SQL Server, when exporting a Vulnerability Search CSV, the user receives an error

  • Fix for an issue where a Vulnerability Search API export returns different data each time it is performed regardless of filter settings

  • Fix for an issue where some Veracode SCA findings may import with duplicate IDs of other findings rather than unique IDs

3.4.2

November 2023

  • The ability to manually adjust a vulnerability’s Time To Remediate Policy window has been reinstated

  • Performance improvement for the Defect Reporter to Application Defect Tracker Mapping process

  • ThreadFix MSSQL mappings update

  • Checkmarx One available for Remote Provider and proxy settings

  • Security improvements

  • Fix for an issue where MS SQL Server vulnerabilities display the incorrect Severity level

  • Fix for an issue where the Customize Scanner Vulnerability Types Scanner Vulnerability Mapping may not update severities correctly

  • Fix for an issue where the ‘Tag’ field does not display when creating a new ticket in Azure DevOps

  • Fix for an issue where the Scan event messages in the History page displays the date with a UTC Time Zone rather than the user’s Local Time Zone

  • Fix for an issue where after a user updates the Default LDAP Role settings in ThreadFix, the login page may not respect default settings

  • Fix for an issue where a users name that has been updated in the User Management page may not reflect onto the user Login page

  • Fix for an issue where the Vulnerability Search API exports may provide different results each time run

  • Fix for an issue where a Remote Provider will not be created if the user attempts to use a previously entered a name for it that was submitted but not allowed to complete the creation process by exiting the modal before successful completion

  • Performance improvement for the BlackDuck Remote Provider creation process, addressing an issue where it may timeout

  • Fix for an issue where SAML login fails if a username includes invalid characters

3.4

October 2023

  • Integration support is discontinued for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne

  • ThreadFix 3.4 supports MySQL 8 and is not backwards compatible to 5.7. Users will need to upgrade their database to MySQL 8 when upgrading to ThreadFix 3.4.

  • Jira has deprecated and removed certain endpoints as of version 9.0, in order to maintain proper functionality with ThreadFix, it is recommended to upgrade to 3.4

  • AppScan Enterprise identified and resolved an issue where some vulnerabilities reported finding details for multiple issue types as a single concatenated string via the AppScan API.  In this instance ThreadFix would ingest this data as if it was legitimate which could cause some display and merging issues if the instance of AppScan Enterprise in use is a version subject to this misbehavior. HCL has informed our impacted clients that the issues have been resolved; clients should prioritize updating their AppScan Enterprise instance to the latest HCL patch prior to updating ThreadFix.

  • CheckmarxOne has been added as a new Remote Provider

  • Qualys WAS results now display more information for users to review

  • defectProfileId and useDefaultDefectProfile have been added to the Submit Defect API calls

  • CWE 16 behavior has been adjusted as many scanning tools provide CWE 16 as a catch all for vulnerabilities that are not specifically software in nature:

    • It’s been observed through repeated testing that a more appropriate path for ThreadFix is to treat all SAST, DAST, IAST, and Mobile findings as unmergeable if they are classified as CWE 16. As of 3.4 ThreadFix will no longer permit merging in those instances.

    • SCA/Dependency finding types will still merge as before as CWE is not a component of the merge logic for those findings

  • In preparation for ThreadFix SaaS - we have updated our Allowed and Blocked file types. Below is the current allowed file types that can be uploaded as scans:

    • .csv

    • .fpr

    • .json

    • .nessus

    • .ozasmt

    • .xml

  • Fix for an issue where findings show a CWE Number instead of a name

  • Fix for the Last Import Attempt Status not updating for Netsparker Enterprise app after a successful import

  • Fix for an issue where the user may not be able to view a defect from the Vulnerability Detail page, resulting in an error

  • Fix for an issue where not all Pen Test teams would display in the Identity Management page

  • Fix for an issue where if a Team is deleted in the Portfolio page and a newly created Team with the same name is created with an application, the previously deleted Team name may appear on the UI.

  • Security updates

  • Several minor UI updates

 

3.3.4

August 2023

  • Minor UI updates

  • Fix for Black Duck ingesting invalid Finding CVE data

  • Fix for a NullPointerException error when trying to update an application, via the Update Application API, containing at least one unmapped vulnerability

  • Fix for Acunetix 360 and Netsparker Enterprise, where if the application is renamed on the scanner, the existing RemoteProviderApplication row is discarded. This occurred despite the nativeId value persisting.

  • Error addressed when a user tries to edit a JIRA defect tracker using a new longer API token

  • Fix for Fortify on Demand microservice registering more vulnerabilities than actually exist

3.3.3

July 2023

  • Improvement to Vulnerability Detail page display of Findings Comments

  • Improvement for scanning of Fortify XML files, removing invalid characters that may impede the scanning process

  • Fix for LDAP user group membership not being validated/synced on login

  • Fix for “Invalid username/password combination” error when attempting to gather collections from a defect tracker in Azure DevOps

  • Fix for instances where in certain user configurations, importing Contrast Remote Provider findings may fail and provide a “Failed during remote provider import” error

3.3.2

May 2023

  • Microservice Project support added for Fortify on Demand

3.3.1

February 2023

  • Improvement of ThreadFix’s ability to identify and parse Fortify SCC external lists and filters to more accurately mark findings

  • Improved ThreadFix upgrade migration automation to have better error handling and recovery

3.3

January 2023

Ingestion Enhancements

  • ThreadFix File format now supports CVSS score values for both ingestion and export

  • Fortify SSC/FoD/SCA imports have improved filter parsing to support more custom filters from Microfocus

  • Fortify on Demand now supports dependency findings

  • Acunetix enhanced false positive support

  • Contrast findings support greater specificity in filtering on finding types based on finding data

  • Added Scan Agent configuration support for AppScan Standard and WebInspect allowing custom configuration for these scan agents

  • SonarQube integration has been updated to support changes in their API

    • Hotspot findings in version 8.9 and 9 are now supported

    • All previous versions of SonarQube are no longer supported 

 

System Enhancements

  • Created UI driven customization for report caching times

  • Added OWASP Top 10 2021 report

  • API support added for custom severity name

  • Created a bulk-export for all unmapped vulnerability types to CSV file

  • Reintroduced Scan File Retention customization to the ThreadFix 3 architecture

  • Reintroduced LDAP linked SAML Authorization to the ThreadFix 3 architecture

  • The following Global FPR Filter Set API REST calls have been reintroduced:

    • Upload Global FPR Filter Set Override 3.X - API

    • Clear Global FPR Filter Set Override 3.X - API

  • Additional bug fixes and security enhancements

 

  Removed Features

  •  Acunetix & AppSpider scan agents have been disabled, with plans for re-introduction

Addressed Reported Issues and Security Updates

  • Importing LDAP users fails if any user have Title fields containing over 60 characters. The limit has been increased to 128.

  • In some instances, ThreadFix license expiration reminders can repeatedly post to the logs and create performance issues. The frequency of reminders has been adjusted to once per user login.

  • A manually closed vulnerability may be marked as “re-opened” if a scan containing the open vulnerability is uploaded from a date prior to when it was manually closed. ThreadFix will not mark a manually closed vulnerability as having been re-opened from an uploaded scan preceding the vulnerability having been manually closed.

3.2

September 2022

Azure Dev Ops

  • Significant improvements to our integration with Azure Dev Ops including

    • Support for unique datatypes natively in ThreadFix UI

    • Performance improvements

    • UI indication of all required fields

    • Autocomplete and picklist support of applicable fields 

2.X Feature Parity (3.X only)

  • Implemented the Sonatype remote provider utilizing the new 3.1 ingestion pipeline

  • Added Remote Provider application names to the Finding Detail page

 

Integration Enhancements

  • The following remote providers now ingest and store CVSS values: Acunetix 360, Black Duck, Netsparker, NowSecure, and WhiteHat Sentinel Source

  • Checkmarx can now ingest additional scanner detail and scanner recommendations for findings

  • Contrast date management enhancements to provide greater accuracy on finding discovery dates

  • Improved SonarQube severity mappings

  • The maximum number of Defect Profiles that can be associated with a single defect tracker has been increased to 1024

  • Improvement to Fortify SCC findings filtering

  

Addressed Reported Issues and Security Updates

  • Upgraded dependencies and images including Debian, Kafka, and ActiveMQ

  • Fixed intermittent import errors with Acunetix 360/Netsparker

  • WhiteHat API updates to support new requirements from WhiteHat

  • Improvement to UI messaging indicating when all remote providers have been mapped

  • Improvement to UI messaging indicating when an invalid scanId was used

  • The ThreadFix UI Help button has been adjusted to now direct to the Coalfire Support Portal

3.1.2

May 2022

  • No feature changes in 3.1.2

3.1.1

April 2022

Note the following changes to features with the introduction of ThreadFix 3.1.1:

Reintroduced

  • The Check Remote Provider Application Import Status endpoint has been reintroduced

  • Coverity Remote Provider has been reintroduced

Deprecated and Removed

For other REST API updates, refer to the Change Log

  • The Black Duck call "/remediating" has been deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade"

  • The SSVL Converter Tool deprecated in 3.1 has been removed

3.1

October 2021

Note the following changes to features with the introduction of ThreadFix 3.1:

Deprecated and Removed

  • Support has been ended for the SSVL Converter

  • Bi-directional capability for Checkmarx and AppSpider has been removed

  • Service Delivery/Service Request feature set is no longer supported

  • Removed the Import All Vulnerabilities remote provider option

  • Saved scan files on the file system will not be migrated to 3.1 (NOTE: this only impacts the raw scan files. All vulnerability data is fully retained and migrated)

  • SonarQube Plugin removed from the Tools section.  Remote Provider integration still behaves as before.

  • Support for the following integrations has been removed:

    • SkipFish

    • Swamp Scarf

Limitations, Scheduled for Enhancement Post 3.1

  • Limit of 3000 vulnerabilities when exporting Vulnerability Search data to a .csv file.

  • Remediation filters do not update automatically in 3.1, they will update with a defect status call sync. This feature is planned to be reintroduced. (NOTE: this may impact created policies based on these filters)

Absent, Scheduled for Re-introduction Post 3.1 

  • The Disable Vulnerability Merging option when creating a new application has been removed, this feature is planned to be reintroduced

  • Scan File Retention feature has been removed, this feature is planned to be reintroduced

  • The Vulnerability Close Settings option, allowing users to close vulnerabilities only when all scanners report them closed, has been removed, but is planned to be reintroduced

  • The Scan Agent tool API endpoints have not been migrated, this feature is planned to be reintroduced

  • The ability to cancel queued scans has been removed, this feature is planned to be reintroduced in the future

  • Time to Remediate Date policy override has been disabled, this feature will be reinstated

  • Dashboard and Analytics page report caching time configuration has been disabled with plans to be re-enabled

  • The Global FPR Filter Set API REST calls have been removed, with plans to be reintroduced

  • Support for the following integrations has been removed, with plans for reintroduction:

    • Acunetix File Importer

    • Brakeman

    • Coverity

    • Dependency Check

    • Sonatype

Table of Contents

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.