As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

2.X Release Notes

ThreadFix Version Release Notes

For REST API updates, refer to the Change Log

2.8.9.1

November 2023

For REST API updates, refer to the Change Log

Reminder: As of ThreadFix version 2.8.9, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne has been discontinued.

Users must be on 2.8.8, 2.8.8.1, 2.8.8.2, 2.8.8.3, 2.8.8.4, 2.8.8.5 or 2.8.9 to upgrade to 2.8.9.1.

Users interested in migrating to 3.X from 2.X must upgrade to 2.8.9.1 first and then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

ThreadFix 2.8.9.1 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

  • Performance improvement for the Defect Reporter to Application Defect Tracker Mapping process

  • Performance improvement for scan upload processing

  • Improvement for error messaging in the UI

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

Issue

Resolution

Issue where a user's name that has been updated in the User Management page may not be reflected on the user Login page.

This issue has been addressed in 2.8.9.1

Issue where the Vulnerability Search API exports may return different results each time they are run.

This issue has been addressed in 2.8.9.1

Issue where a Remote Provider cannot be created if the user reuses a name that was previously entered and submitted, but whose creation never completed because the modal was closed before it finished.

This issue has been addressed in 2.8.9.1

Performance improvement for the BlackDuck Remote Provider creation process, addressing an issue where it may time out.

This issue has been addressed in 2.8.9.1

Issue where an exported CSV/SSVL report is generated using currently selected filters rather than currently applied filters.

This issue has been addressed in 2.8.9.1

2.8.9

October 2023

Important Integration Support Notifications

  • Reminder: As of ThreadFix version 2.8.9, integration support is discontinued for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne

  • AppScan Enterprise identified and resolved an issue where some vulnerabilities reported finding details for multiple issue types as a single concatenated string via the AppScan API. In this instance ThreadFix would ingest this data as if it were legitimate, which could cause display and merging issues if the AppScan Enterprise instance in use is a version subject to this misbehavior. HCL has informed our impacted clients that the issues have been resolved; clients should prioritize updating their AppScan Enterprise instance to the latest HCL patch prior to updating ThreadFix.

Users must be on 2.8.8, 2.8.8.1, 2.8.8.2, 2.8.8.3, 2.8.8.4 or 2.8.8.5 to upgrade to 2.8.9.1.

Users interested in migrating to 3.4 from 2.X must upgrade to 2.8.9.1 first and then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

ThreadFix 2.8.9 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

  • Improvement to error messaging when uploading files

  • Several minor UI updates

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

Issue

Resolution

Issue where not all Pen Test teams would display in the Identity Management page.

This issue has been addressed in 2.8.9

Issue where a user cannot create a Jira Defect Tracker instance with OAuth Token as the Authorization Type.

This issue has been addressed in 2.8.9

Issue where, if a Team is deleted on the Portfolio page and a new Team with the same name is then created with an application, the previously deleted Team's name may appear in the UI.

This issue has been addressed in 2.8.9

Legacy 2.8 Release Notes

2.8.8.5

August 2023

Note: As of ThreadFix version 2.8.9, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued.

Note: Jira has deprecated and removed certain endpoints as of version 9.2; to maintain proper functionality with ThreadFix, upgrading to 2.8.8.5 is recommended.

Users must be on 2.8.8, 2.8.8.1, 2.8.8.2, 2.8.8.3 or 2.8.4 to upgrade to 2.8.8.5.

Users interested in migrating to 3.3.4 from 2.X must upgrade to 2.8.8.5 first and then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

ThreadFix 2.8.8.5 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

  • Minor UI updates

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

Issue

Resolution

Qualys applications with over 100 open vulnerabilities do not automatically paginate scan results.

This issue has been addressed in 2.8.8.5.

ThreadFix’s integration with Black Duck ingests invalid Finding CVE data.

This issue has been addressed in 2.8.8.5.

When a user updates the File Upload location, any scans previously downloaded remain in the prior location. Note: This is not the same as when the File Upload location is removed/deleted.

This issue has been addressed in 2.8.8.5.

User receives a NullPointerException error when trying to update an application, via the Update Application API, containing at least one unmapped vulnerability.

This issue has been addressed in 2.8.8.5.

For Acunetix 360 and Netsparker Enterprise, if the application is renamed on the scanner, the existing RemoteProviderApplication row is discarded. This occurs despite the nativeId value persisting.

This issue has been addressed in 2.8.8.5.

Error received when a user tries to edit a JIRA defect tracker using one of the new, longer API tokens.

This issue has been addressed in 2.8.8.5.

When creating a JIRA defect Tracker, the following error message is received:
“Failure. Message was : ThreadFix encountered an error and could not complete the request. Please check the Error Messages page or server logs for more details.”

This issue has been addressed in 2.8.8.5.

When a Fortify on Demand microservice is scanned, it registers more vulnerabilities than actually exist.

This issue has been addressed in 2.8.8.5.

2.8.8.4

July 2023

Note: As of ThreadFix version 2.8.9, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued.

Note: Jira has deprecated and removed certain endpoints as of version 9.2; to maintain proper functionality with ThreadFix, upgrading to 2.8.8.4 is recommended.

Users must be on 2.8.8, 2.8.8.1, 2.8.8.2 or 2.8.8.3 to upgrade to 2.8.8.4.

Users interested in migrating to 3.3.3 from 2.X must upgrade to 2.8.8.4 first and then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

ThreadFix 2.8.8.4 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

  • Performance enhancements

  • UI Improvements

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

Issue

Resolution

An application could be associated with a deleted policy ID through an API call.

This issue has been addressed in 2.8.8.4.

User receives an “Invalid username/password combination” error when attempting to gather collections from a defect tracker in Azure DevOps.

This issue has been addressed in 2.8.8.4.

2.8.8.3

May 2023

Note: As of ThreadFix version 2.8.9, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne will be discontinued.

Note: Jira has deprecated and removed certain endpoints as of version 9.2; to maintain proper functionality with ThreadFix, upgrading to 2.8.8.3 is recommended.

Users must be on 2.8.8, 2.8.8.1 or 2.8.8.2 to upgrade to 2.8.8.3.

Users interested in migrating to 3.3.2 from 2.X must upgrade to 2.8.8.3 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

ThreadFix 2.8.8.3 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

  • Improvement in ThreadFix’s ability to reflect a finding’s hidden/unhidden status following multiple uploaded scans with the same finding

  • UI performance enhancements

  • Microservice Project support added for Fortify on Demand

  • Improved SSVL scan import date validation. Note: ThreadFix now only accepts dates that use 12-hour (AM/PM) formatting.

  • Security updates

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

Issue

Resolution

Unmapped Qualys WAS Findings are automatically upgraded/downgraded to a Severity level of 3 (Medium) and imported without a channel vulnerability name.

This issue has been addressed in 2.8.8.3.

If there are multiple Dependency Track projects mapped to a single ThreadFix application, bulk remote provider imports for the application may fail and not import vulnerability data if any of the Dependency Track projects have an older Last BOM Import date than the latest scan date for the ThreadFix application.

This issue has been addressed in 2.8.8.3.

The .threadfix file exports from the Assessment tab with incorrect Finding descriptions.

This issue has been addressed in 2.8.8.3.

The Date displayed in the Status section of Vulnerability Details does not reflect a user’s local time zone.

This issue has been addressed in 2.8.8.3.

User receives a "Jira Credentials are invalid" error when authenticating with Atlassian’s new longer API tokens.

This issue has been addressed in 2.8.8.3.

Email notifications fail to send.

This issue has been addressed in 2.8.8.3.

2.8.8.2

February 2023

Users must be on 2.8.7 or 2.8.8 to upgrade to 2.8.8.2.

Users interested in migrating to 3.3.1 from 2.X must upgrade to 2.8.8.2 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

ThreadFix 2.8.8.2 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

  • Improvement for ThreadFix’s ability to identify and parse Fortify external lists and filters to more accurately mark findings

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

2.8.8

January 2023

Users interested in migrating to 3.3 from 2.X must upgrade to 2.8.8 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

ThreadFix 2.8.8 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes, please see below:

Ingestion Enhancements

  • Fortify SSC/FoD/SCA imports have improved filter parsing to support more custom filters from Micro Focus

  • Contrast findings support greater specificity in filtering on finding types based on finding data

  • SonarQube integration has been updated to support changes in their API

    • Hotspot findings in version 8.9 and 9 are now supported

    • All previous versions of SonarQube are no longer supported

System Enhancements

  • API support added for custom severity name

  • Created a bulk-export for all unmapped vulnerability types to CSV file

  • Additional bug fixes and security enhancements

Addressed Reported Issues

Issue

Resolution

In some instances, ThreadFix license expiration reminders can repeatedly post to the logs and create performance issues.

The frequency of reminders has been adjusted to once per user login.

Importing LDAP users fails if any user has a Title field containing over 60 characters.

The limit has been increased to 128 characters.

The Upload Scan API and Multiple File Scan Upload API calls return an un-versioned href.

The Upload Scan API and Multiple File Scan Upload API have been updated.

The 2.X to 3.X migration process fails if the database for the Burp channel contains a channel vulnerability with a non-numerical code.

This has been addressed in 2.8.8.

SonarQube has removed the concept of organizations from their codebase as of v8.7.

As of version 2.8.8, ThreadFix only supports importing Hotspot findings with the SonarQube v8 (8.9) and v9 configurations.

2.8.7

September 2022

Users interested in migrating to 3.2 from 2.X must upgrade to 2.8.7 first, then contact the Coalfire Support Portal to continue with the 2.X to 3.X Migration process.

ThreadFix 2.8.7 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes, please see below:

Integration Enhancements

  • The following remote providers now ingest and store CVSS values: Acunetix 360, Black Duck, Netsparker, NowSecure, and WhiteHat Sentinel Source

  • Checkmarx can now ingest additional scanner detail and scanner recommendations for findings

  • Improved SonarQube severity mappings

  • The maximum number of Defect Profiles that can be associated with a single defect tracker has been increased to 1024

  • Improvement to Fortify SSC findings filtering

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues and Security Updates

  • Fixed intermittent import errors with Acunetix 360/Netsparker

  • Resolved ASoC integration errors on import

  • Improvement to UI messaging indicating when all remote providers have been mapped

  • Improvement to UI messaging indicating when an invalid scanId was used

  • The ThreadFix UI Help button has been adjusted to now direct to the Coalfire Support Portal

  • ThreadFix’s data retention behavior has been updated allowing all files to be properly deleted when the File Upload Location is disabled

Issue

Resolution

When trying to update Jira Defect Tracker integration credentials, a 403 error is received with the following message:

“Failure. Message was : The defect tracker URL is not valid."

Resolved JIRA connection issue.

"You don't have permission for this team." error is received when attempting to move an application to another team using the Update Application API, even with an Administrator Global role.

The Update Application API has been updated to address the permissions error, allowing the application to be successfully moved.

A user without read-access could view all policy data for an application.

The Policies tab in ThreadFix has been updated to address the information disclosure.

When importing Veracode scans, in the event a RestIOException is received, scan data would not process and could be lost.

Resolved handling of the exception.

Threadfix files incorrectly export with a filename of null instead of the associated application’s name.

A fix has been provided to ensure the Threadfix files correctly export with the associated application’s name.

Error importing Contrast cloud scans.

Resolved imports failing for certain Ruby applications.

2.8.6.1

July 2022

Migration from 2.8.5.1 to 3.1.2 is currently not supported. Users interested in migrating to 3.1.2 should upgrade to 2.8.6.1 first then continue with the 2.X to 3.X Migration process.

ThreadFix 2.8.6.1 Download Release

Key Update / Version Feature Change

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below.

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

Issue

Resolution

SonarQube findings listed as Blocker and/or Critical are downgraded to Critical/High respectively, causing them to be incorrectly ingested within ThreadFix.

The SonarQube remote provider integration’s logic has been updated to address the incorrect severity issue.

"You don't have permission for this team." error is received when attempting to move an application to another team using the Update Application API even with an Administrator Global role.

The Update Application API has been updated to address the permissions error, allowing the application to be successfully moved.

2.8.6

April 2022

The National Vulnerability Database has identified a high-risk vulnerability, Spring4Shell, which affects applications running Tomcat as a WAR deployment. For more information refer to CVE-2022-22965. In response, Coalfire has tested ThreadFix to assess risk and mitigation options. Users should update their version of Tomcat to the latest version in addition to upgrading to ThreadFix version 2.8.6, which further mitigates the risk of exposure and provides an additional security enhancement. At a minimum, ThreadFix recommends all users update their version of Tomcat to version 8.5.78 to safeguard against exposure.

Migration from 2.8.5.1 to 3.1.1 is currently not supported. Users interested in migrating to 3.1.1 should upgrade to 2.8.6 first, then continue with the 2.X to 3.X Migration process.

Key Updates

New/Updated API

  • New Fetch Applications and Get Scans API calls for Contrast Remote Provider

  • The Get Application by Name and Get Application in a Team by Unique ID calls have been merged into Get Application by Name or Unique ID

General Improvements

  • General UI improvements

  • General bug fixes and performance improvements

Feature Changes

Note the following changes to features with the introduction of ThreadFix 2.8.6:

Deprecated and Removed

  • The Black Duck call "/remediating" has been deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade"

For other REST API updates, refer to the Change Log

2.8.5.1

January 2022

Migration from 2.8.5.1 to 3.1 is currently not supported. Users interested in migrating to 3.1 should upgrade to 2.8.4 first then continue with the 2.X to 3.X Migration process.

ThreadFix 2.8.5.1 Download Release

This release includes key updates to account for the log4j vulnerability. Users will need to perform a deployment update.

Key Updates

Deployment Update

2.8.5

December 2021

Migration from 2.8.5 to 3.1 is currently not supported. Users interested in migrating to 3.1 should upgrade to 2.8.4 first then continue with the 2.X to 3.X Migration process.

Key Updates

  • Added additional fields to the Application API to enable greater automation

  • Added new QualysWAS mappings

  • Added support for Analysis Type filters from Fortify

  • Black Duck now uses Overall Score for severity mapping instead of Base Score

General Improvements

  • Performance improvements to API for Import Remote Provider Scans for Applications

  • Performance improvements to the loading of the Application Detail page

  • Performance improvements to the loading of the Portfolio page

  • Bug Fixes

2.8.4

May 2021

Key Updates

  • ThreadFix Platform

    • Dependency Check reportDate precision fix

    • OpenJDK 11.0.2 compatibility update

    • DISA STIG and OWASP report analytics fix

    • Update to support Mitre v4.4 mappings

    • Finding reference link updated on subsequent scans

  • Remote Provider Integrations

    • Fortify SSC improvements:

      • Fortify SSC import fix for empty remote provider applications

      • Fortify SSC microservice mapping performance improvements

    • Netsparker Enterprise Improvements:

      • Support for XML file imports

      • Enhanced severity calculation (Netsparker Cloud)

      • Added support for BestPractice severity

    • WhiteHat Improvements:

      • Support custom severity on import

      • Updated attack vector architecture to merge findings

    • Fix to a SAML authentication bug which prevented BlackDuck remote provider connections

    • ServiceNow proxy support enabled

    • SonarQube improved cross-version compatibility

    • NowSecure synchronization update to handle duplicate application names

    • Veracode update to differentiate between static & dynamic scan dates

2.8.3.1

February 2021

Security Updates

  • Remediated identified access control vulnerabilities

Key Feature Updates

  • Issue resolution for QualysWAS findings scan profiles and findings merging error

General Improvements

  • Improvement to Veracode Remote Provider scan updates

2.8.3

January 2021

Key Updates

  • Comprehensive Time zone management updates in ThreadFix

  • Fortify on Demand no longer imports Fixed or Suppressed findings

  • Introduced support for Acunetix 360 Remote Provider and Acunetix Premium exports

  • Improvement to the Jenkins plugin

  • Added CVSS Score and Vulnerability IDs as dynamic Defect Tracker profile values

  • Checkmarx Remote Provider microservice mapping performance improvement

General Improvements

  • API performance improvements

  • Vulnerability Trending report improvements

  • Portfolio UI improvements for large-scale deployments

  • UI performance enhancements

  • Bug fix for graphs displayed on PDF exports

  • General bug fixes and improvements

2.8.2

September 2020

Do Not Upgrade Without Reading This First!

  • Adjusted vulnerability Open/Close Time to be Scan Date instead of Updated Date. To preserve historic reporting no existing data will be retroactively changed. If you would like to have your historic data migrated to match the new date ingestion logic, please open a support ticket to request a migration script.

  • Logic changes have been made to enforce vulnerability status uniqueness. Any vulnerabilities with multiple statuses will have their statuses updated in the migration to 2.8.2. For additional information please review here.

Key Updates

  • Vulnerability statuses are now mutually exclusive

  • WhiteHat mobile data support

  • Checkmarx enhanced finding tracking

  • Portfolio page now reflects ThreadFix Pen Tests as Assessments

  • WebInspect findings details expanded

  • Portfolio Application View pagination

  • Most Vulnerable Applications report grouping

  • Significant performance improvements to the Team delete function

  • Time to Remediate Policies now allow for per-vulnerability exceptions

  • Veracode Remote Provider import includes SCA data

  • NowSecure Remote Provider integration

General Improvements

  • Filter on mobile vulnerability data

  • Improved error messaging

  • WhiteHat integration respects the Out of Scope status

  • LDAP login supports additional user attributes

  • Netsparker Enterprise enhancements

  • Time to Remediate notification improvements

  • File attachment usability improvements

  • Updated 3rd party dependencies and other security improvements

  • Other enhancements and bug fixes

2.8.1

(Jun '20)

  • Added OAuth support for Jira Defect Tracker integration

  • Improved parsing of scan data from AppScan Enterprise and Fortify SSC

  • Other enhancements and bug fixes

2.8

(May '20)

New/Improved Functionality:

  • velocityTemplates/policyReport.vm update. NOTE: If upgrading your deployment, use the new file instead of the previous.

  • UI update to align with ThreadFix 3 
    (**be aware this will drop support for IE 11**)

  • Added Penetration Test functionality
    (this replaces our current manual finding feature)

  • Updated our Version tags to treat their date as the release date of that version
    (current version tags will be recalculated based on this change)

  • Added Time to Remediate functionality

  • Added filter functionality to search for dynamic, static, and dependency vulnerabilities

  • CWE v4 mappings

  • Added Finding Type filter

  • Added Manage Filters page

  • Performance improvements for trend graphs, group management and application deletes

  • Added Dependency pivot for vulnerability tree

  • Added Dependency findings to the OWASP Top 10 report

  • Capability to allow admins to delete comments

  • Added report caching to the Dashboard

  • Ability to set a default landing page

  • Ability to capture history when a vulnerability's severity is changed by a user

  • Default Pivot changed to Severity by Issue Type

  • Over 100 other enhancements and bug fixes!

New/Improved Integrations:

  • Added SonarQube remote provider support

  • Added Fortify on Demand mappings

  • Added support for Veracode SCA findings

  • Added ability to view Remote Provider AppID on Finding Details page for microservice traceability

  • Defects deleted in an outside defect tracker will now be reflected in ThreadFix

  • Added TFS collections support for Microsoft TFS Defect Tracker

  • Added support for non-vulnerable version information from Black Duck

  • Added Kiuwan as a supported scanner type

  • Added Rally Workspace list to Rally options

Legacy Release Notes

2.7.9

(Dec '19)

  • Improved AppScan Enterprise remote provider integration (2.7.9.1)

  • Added support for OpenJDK 11 (see here for more info)

  • New integration: SNYK ThreadFix file export support

  • Updated CWE mappings

  • Added ability to see more Pass Criteria information in the UI

  • Vulnerability tree updated to show vulnerabilities with unassigned severities

  • Added source line numbers to CSV report

  • Enriched log verbosity

  • Enhanced handling of Burp findings generated with extensions

  • Improved type-ahead dropdown menu behavior

  • Clarified time zones within Remote Provider schedule settings

  • API updates (see Change Log)

  • Other enhancements and bug fixes

2.7.8

(Nov '19)

Significant improvements have been made to Checkmarx API interactions leveraging Checkmarx 8.8 and newer APIs. For Checkmarx Remote Provider users, this new API endpoint allows Denim Group to have a more efficient process for finding and importing new scan results; however, this requires that we sync to a slightly different timestamp within the Checkmarx system to ensure accurate ingestion. Once complete, we have seen environments of 1,500 applications reduce their ingestion time, for all applications, from over 12 hours to under 3 hours. This is based entirely on efficiencies in the Checkmarx server actions. Please contact ThreadFix Support so we can guide you in updating your environment to take advantage of these new improvements.

  • Import Scan Issue Comments (Fortify SCA, AppScan Source, Checkmarx Cx SAST)

  • API call for Importing Remote Provider apps mapped to single app in ThreadFix

  • Remote Provider sync information can now be viewed in the UI

  • Improved path storage for Black Duck, Dependency Check, and .threadfix scans

  • Improved field validation for various bug trackers

  • New permission for report generation

  • API updates (see Change Log)

  • Other enhancements and bug fixes

2.7.7

(Sep '19)

  • jdbc.properties update for MySQL DB server users: You MUST update the hibernate.dialect to MySQL55Dialect (see your respective upgrade page for details)

  • Remote Provider application mapping persists if an application is renamed on the Remote Provider side (AppSpider, Checkmarx, Veracode, and WhiteHat only)

  • Ability to remove reports from the Dashboard and the Team/App detail pages

  • Add all Teams/Apps option for policy

  • Component file paths displayed on Vuln Details page

  • Finding statuses are now supported by the .threadfix file

  • Added Dependency Check severities

  • Error message improvements

  • API updates (see Change Log)

  • Other enhancements and bug fixes

2.7.6

(Aug '19)

  • (2.7.6.2) jdbc.properties update for MySQL DB server users: You MUST update the hibernate.dialect to MySQL55Dialect (see your respective upgrade page for details)

  • New support for Veracode authorization to utilize API keys vs. username and password.

  • NOTE for all Veracode users: The username/password authentication for Veracode API access, required by ThreadFix to pull vulnerability data from that tool, will be disabled by Veracode as soon as the end of September 2019.

    Please upgrade to the 2.7.6 version of ThreadFix prior to the end of September and provide the new API ID and Key connection credentials to ensure an uninterrupted experience.

  • Performance improvements to the following pages:

    • Team Details

    • App Details

    • Portfolio

    • History

  • New integrations:

    • IBM RTC Defect Tracker

    • AppSpider Enterprise Remote Provider

    • Dependency-Track Remote Provider

    • WhiteSource ThreadFix file export support

  • Fortify SSC imports now parse FPR files offering much faster ingestion at scale.

  • HTML characters in Application Names are now permitted.

  • New CWE mappings have been added.

  • Improved handling of Project Names changes in Jira.

  • Support for custom checkbox fields from Jira.

  • Functionality to allow LDAP permissions with SAML logins.

  • Additional granular permissions for Manage Applications and Teams roles.

  • Pull in scanner version for Dependency Check scans.

  • Increased defect description character limit.

  • Ability to export the User Audit list as a .csv file.

  • Most Vulnerable Apps list to show only top 10 apps.

  • Import the file path for vulnerabilities in open source/dependency scanning tools.

  • API updates (see Change Log)

  • Other enhancements and bug fixes

2.7.5

(Jun '19)

  • Performance improvements

    • Significant reduction in subsequent scan upload times for large environments

    • Significant reduction in page load time for large environments

  • Added Custom Application Metadata Key/Value Pairs

  • Updates and improvements to the following integrations:

    • Fortify on Demand

    • ASoC

    • White Hat

    • Black Duck

    • Dependency Check

    • Jira

    • Rally

  • Improved event logging

  • Custom severity enhancements

  • API updates (see Change Log)

  • Other enhancements and bug fixes

2.7.4

(Apr '19)

  • Added Synopsys Coverity as a Remote Provider integration

  • Added an Issue Type pivot to the Vulnerability Tree, which allows a user to see issues organized by CWE if it is present, or the scanner vulnerability if no CWE is present

  • Updated vulnerability tree UI to show issue statuses for each vuln

  • API Requests without a version specified have been deprecated

  • Implemented a blacklist and whitelist configuration for scanner vulnerability types, allowing appropriately permissioned users to prevent ThreadFix from importing specific scanner vulnerabilities

  • Added REST API endpoints related to email reports (see Change Log)

  • Other enhancements and bug fixes

2.7.3

(Mar '19)

  • Updated Jenkins and Burp plugins

  • Added API token authentication for Jira defect tracker integration

  • Improved scan deletion performance

  • Additional support for importing dependency (OSS) findings and finding comments through the ThreadFix file format

  • Added ability to refresh Remote Provider applications list on a schedule

  • Improved parsing for simultaneous multiple file upload

  • Show custom severity level names in .csv export

  • Additional REST API endpoints created for further automation support (see Change Log)

  • Other enhancements and bug fixes

2.7.2

(Feb '19)

  • Veracode Remote Provider update to honor "Force Last Scan" option

  • Clearer logging of Remote Provider ingestion actions

  • Enhanced the API permissions check to better match the UI

  • Resolved issue with batch tagging of applications

  • Enhanced application pagination on Portfolio page

  • Remote Provider scan and import request functionality added to Application Detail page

  • Added more granular permissions for new vulnerability statuses

  • Expanded automatic defect creation to account for manual findings as well

  • Added the 2017 OWASP Top 10 list

  • Improvements to our Fortify SSC Remote Provider integration

  • Created new API endpoint to allow users to attach a vulnerability to an existing defect

  • Scanner finding severities are now updated with subsequent uploads of scan results

  • Improved "Path" pivot to properly include static results

  • Enhanced the Scan Upload Messages page to include direct links to the application and team referenced in the error

  • Other enhancements and bug fixes

2.7.1

(Dec '18)

  • WhiteHat Remote Provider hosting location is now configurable

  • Contrast Remote Provider Enhancements:

    • Improvement to DataFlow ingestion

    • Added False Positive support

    • Provide Scanner Recommendations from “How to Fix” content

    • HTTP Request/Response display improvements

    • Updated link URL to point to Contrast instance

  • Black Duck and Checkmarx merge improvements

  • AppScan Enterprise new severity support

  • ThreadFix File Enhancements

  • Application and Team name size increase to 255 characters

  • Allow for filtered exports of report data via API

  • Vulnerability comments can now be imported from Checkmarx

  • Performance Improvements

  • API updates (see Change Log)

  • Bug Fixes

2.7

(Oct '18)

  • Request and receive Application Quick Assessments from Denim Group’s Pen Test experts

  • Filter and report on CVE values for vulnerabilities reported by popular Software Composition Analysis tools such as Black Duck, Dependency Check, and Sonatype Nexus

  • View your applications by their relative risk to your organization to help prioritize testing and remediation activities on the riskiest applications first

  • Policy statuses are now evaluated for even more triage actions within ThreadFix, giving you more up-to-the-minute status on where your applications stand against your own internal policies

  • Greater granular control on your vulnerability workflow with additional vulnerability statuses and reporting

  • Manual assessments can now be made through the user interface, allowing for a more distributed assessment approach within your organization

  • Performance improvements on scan upload and deletion

  • Bug Fixes

2.6.2

(Aug '18)

  • Scanner severities can now be customized so that findings at excluded severities are not processed

  • Updated CWE list to 3.1

  • Added new CSV customization options

  • Added Close Date field to the CSV export

  • Added Remote Provider support for IBM Application Security on Cloud (ASoC)

  • Improvement to the AppScan Enterprise integration to respect the new severity level

  • Improvement to Netsparker integration to respect additional date formats

  • Improved Remote Provider “Import All” feature to be more error tolerant

  • API updates, e.g., user management and policy status (see Change Log)

  • Bug Fixes

2.6.1

(Jun '18)

  • Improvements to API error handling with Create Defect Tracker endpoint

  • Improvements to "Check All" behavior on Application Detail pages

  • Expanded event tracking to include delete operations

  • AppScan parsing improvements to handle special characters in data

  • Performance improvements on Application and Team detail pages

  • Bug fixes

2.6

(May '18)

  • jms.properties update for queue persistence. NOTE: If upgrading your deployment, you will need to use the new file instead of the previous. Refer to /wiki/spaces/TDOC/pages/437026817 for more info.

  • applicationContext-scheduling.xml update. NOTE: If upgrading your deployment, you will need to use the new file instead of the previous.

  • Organized permissions into categories and added new ones for: managing tags, viewing the queues, managing versions, editing remote provider configurations, and deleting scans

  • Queue management: ability to view & cancel queued tasks

  • Dashboard reports are now customizable

  • Policy updates:

    • Consolidated policy management: merged the CI/CD policy page into the Manage Policies page

    • Policies can now be associated to teams and tags

    • Policy list can be updated in Application Details page

    • Pass criteria can be grouped

  • Ability to modify existing vulnerability comments

  • ThreadFix file format

  • Reworked Black Duck integration (we recommend removing existing integrations and creating new ones)

  • Report caching

  • Fixed issue in Fortify parser which could mark vulnerabilities as "False Positive" incorrectly. Issue will be automatically updated on next scan upload after upgrade

  • API updates (see Change Log)

  • Bug Fixes

2.5.3

(Mar '18)

  • WhiteHat integration improvements

  • Automatic defect creation for Remote Provider imports

  • New permissions

  • Jira integration enhancements

  • Usability and performance improvements

  • API updates (see Change Log)

  • Bug Fixes

2.5.2

(Feb '18)

  • jdbc.properties update. NOTE: If upgrading your deployment, use the new file instead of the previous.

    • MS SQL: Updated the connection string

    • MySQL: Changed driver to MariaDB

    • Additional parameters added

  • security.xml update. NOTE: If upgrading your deployment, use the new file instead of the previous.

  • Significant performance improvements in large environments

  • Support for multiple Active Directory domains and servers

    • If upgrading from a previous version, hard-refresh the login page (or clear the browser cache) to resolve a browser-caching issue

  • Updated application trending graph to represent “real time” data

  • Improved database connection pooling

  • Improved scanner integration with Fortify SCA, Fortify on Demand, Checkmarx, Netsparker, and Black Duck

  • Improvements to event logging

  • CSV export improvements for large data sets

  • New permission controls

  • Removed Nessus scan agent and ZAP plugin

  • API update (see Change Log)

  • Bug Fixes
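The 2.5.2 jdbc.properties change (MySQL deployments switch from the MySQL Connector/J driver to the MariaDB driver) looks like the following in practice. This is an added illustration, not the jdbc.properties file shipped with ThreadFix: the property key names (jdbc.driverClassName, jdbc.url, jdbc.username, jdbc.password) are assumed to follow the common Spring convention, and the host, database name and credentials are placeholders. Take the new file from the release rather than hand-editing the old one, and, as the 2.5.0.2 note says, encrypt the file before the first launch rather than leaving the database password in clear text.

```properties
# Added example, not the jdbc.properties shipped with ThreadFix.
# Key names are assumed (Spring-style); confirm them against the new file in the release.

# Before 2.5.2: MySQL Connector/J driver
# jdbc.driverClassName=com.mysql.jdbc.Driver
# jdbc.url=jdbc:mysql://db.example.internal:3306/threadfix

# 2.5.2 and later: MariaDB Connector/J driver. It also connects to MySQL servers,
# so only the driver class and the URL scheme change; the schema is untouched.
jdbc.driverClassName=org.mariadb.jdbc.Driver
jdbc.url=jdbc:mariadb://db.example.internal:3306/threadfix
jdbc.username=threadfix

# Placeholder. Do not leave a clear-text password here: run the encryption tool
# mentioned in the 2.5.0.2 notes before starting ThreadFix for the first time,
# and restrict file permissions so only the ThreadFix service account can read it.
jdbc.password=CHANGE_ME
```

Note that in a Java properties file a `#` only starts a comment at the beginning of a line; anything after `=` on the same line, including a trailing "comment", becomes part of the value, so keep notes on their own lines.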

2.5.1.16

(Feb '18)

  • Updated SSVL parser to ingest scans with zero vulns

2.5.1.12 - 2.5.1.15

(Dec '17 - Jan '18)

  • Updated integration with AppScan Enterprise, Black Duck and Checkmarx

  • Remote Provider improvements for bulk imports

  • Improved handling & display of scans' original Scan Date and subsequent Updated Date

  • Added new filter policy statuses so a policy isn't considered passing/failing without sufficient reason

  • API update (see Change Log)

  • Bug fixes

2.5.1.10

(Nov '17)

  • Improved integration with VSTS defect tracker ("Microsoft TFS" in menu)

  • Updated Fortify on Demand Remote Provider integration to connect to new endpoint

  • Bug fixes

2.5.1.2 - 2.5.1.7

(Oct '17)

  • Scan upload/delete performance improvements

  • API update (see Change Log)

  • Bug fixes

2.5.1.1

(Sep '17)

  • Remote Provider errors are saved in the Scan Upload Messages section of the Error Messages page

  • Scan Upload errors are more visible to users at the time they occur

  • Added Rally Defect Tracker integration

  • API update (see Change Log)

  • Bug fixes

2.5.1

(Sep '17)

  • Added the ability to bring in new changes from Remote Providers without requiring a new scan, via "Force Import"

  • New Netsparker Enterprise Remote Provider, through use of our Netsparker Plugin

  • Improved merged finding behavior

  • Fortify parser improvements

  • Added a button to clear LDAP settings

  • New LDAP User management options: importing new LDAP users and pruning outdated LDAP users are separate buttons now

  • New "Updated Date" support for select scanners; for some scanners such as Fortify, ThreadFix will show the date the scan was originally run as well as the date the scan was last modified

  • New Scanner Management options in System Settings; you can now restrict Scanners so that users cannot upload scans from that scanner type

  • API update (see Change Log)

  • Bug fixes

2.5.0.7

(Jul '17)

  • "Update Remote Provider Applications" feature changed to "Sync Remote Provider Applications"

  • CSV v2 Export improvements

  • Performance improvements in Manage Groups page and for scan deletions

  • Vuln mapping updates

  • API update (see Change Log)

  • Bug fixes

2.5.0.3 - 2.5.0.6

(Jun '17)

  • Added Fortify SSC Remote Provider integration

  • Updated Fortify Filter Set restriction capability

  • Vuln mapping updates

  • Added an expanded CSV export (CSV v2)

  • Jenkins plugin for CI/CD automation (available upon request)

  • Bug fixes

2.5.0.2

(May '17)

  • Added ability to restrict the Fortify Filter Set for an application

  • LDAP User bulk import is now a "Sync User" function, removing LDAP users no longer in LDAP system and adding new ones

  • Moved SMTP configuration into the UI and database (credentials are encrypted)

  • Created tool to encrypt jdbc.properties before launching ThreadFix for the first time (available upon request)

  • API update (see Change Log)

  • Bug fixes

2.5.0.1

(May '17)

  • Improved GRC integration with ServiceNow

  • Improved security for REST API calls (see Change Log)

  • Bug fixes

2.5

(Apr '17)

  • CI/CD Integration

  • UX and performance improvements

  • Ability to cancel pending scan uploads and deletions

  • Remote Provider integration redesign

  • Added file storage retention policy

  • Support for updated Arachni format

  • Support for dynamic scans in Fortify On Demand

  • Support for additional LDAP and SAML providers

  • Default logging level changed from DEBUG to INFO

  • API update (see Change Log)

  • Bug fixes

2.4.6

(Feb '17)

  • Added Remote Provider imports to the Scan Queue

  • Improves notifications in Blue Banner to reflect when scans are uploaded in bulk.

  • Bug fixes

2.4.5

(Jan '17)

  • Adds standard Scan Uploads through UI and REST to the Scan Queue alongside Scan Deletion; to upload to the queue via REST, use the "v2.4.5" or "latest" extension in the REST call

  • Adds a Blue Banner to Application Detail pages that shows the status of any queued scans

  • Adds a new section to the Errors page for scan upload errors

  • Minor performance improvements around Scan Detail page

  • More efficient JIRA defect status updates

  • Adds a workFolder parameter to custom.properties, to set a location for ThreadFix to write files to on startup

  • Improves IBM AppScan Enterprise remote provider integration

  • Vulnerabilities filtered out as false positive by Fortify scan filters are no longer brought into ThreadFix

  • Hides passwords typed during Scan Agent configuration

  • API update (see Change Log)

  • Bug fixes

2.4.2

(Nov '16)

  • Reduces the time it takes to import scans from Veracode

  • Gives all users the ability to generate their own API Keys

  • Retrieves Scanner Descriptions and Recommendations for WhiteHat

  • Improves page load speed for Scan Detail page

  • Adds tracking for mapping deletion to Unmapped Finding histories

  • Enhanced Fortify support

  • Refactors the GRC ServiceNow integration

  • Bug fixes

2.4.0

(Jul '16)

  • Vulnerability Hotspot detection

  • Ability to create manual findings not associated with a CWE

  • Alternate pivots when viewing issue trees

  • API versioning system

  • Login History auditing

  • Custom vulnerability mapping auditing

  • Support for managing and pushing to multiple defect trackers per application

  • Cron expression support for schedulers

  • Provide latest scan agent jar file from within the application

  • Expanded CLI and REST capabilities

  • UX Improvements

  • API update (see Change Log)

  • New integrations and integration improvements:

    • Black Duck as a Remote Provider

    • Barracuda WAF Integration

    • Nessus Scan Agent

    • Bugzilla 5.0

    • On-premises Contrast

    • SAML Authentication

    • Fortify integration improved and updated

    • AppScan integration improved and updated

    • Checkmarx integration improved and updated

    • Bulk create user feature for LDAP integrations

    • More robust Defect Tracker issue status reporting

2.3.4

(Apr '16)

  • Resolve hostname confusion with Acunetix findings reporting “localhost” in certain instances

  • Improve Burp Scan Agent support for newer versions of Java

  • Improve ThreadFix behavior around a poor JIRA connection

  • Improve vulnerability reopen logic within Burp

  • Improve user feedback around Defect Tracker connection

  • Improve performance with scan upload

  • Improvements to Acunetix merging

  • Bug fixes

2.3.3

(Mar '16)

  • Fix favicon.ico request error if ThreadFix is not deployed at /threadfix

  • Fix foreign key constraint issues in some cases

  • Fix issues with some larger environments when using SQL Server as the DB

2.3.2

  • Add type-ahead for JIRA user group

2.3.1

  • Added Remote Provider Support for Checkmarx

  • JDBC properties de/encrypt update

  • Increase character limit for comments on vulnerabilities


www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.