2.8.8.5

August 2023

ThreadFix 2.8.8.5 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

• Minor UI updates

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

2.8.8.4

July 2023

ThreadFix 2.8.8.4 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

• Performance enhancements

• UI Improvements

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

2.8.8.3

May 2023

ThreadFix 2.8.8.3 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

• Improvement in ThreadFix’s ability to reflect a finding’s hidden/unhidden status following multiple uploaded scans with the same finding

• UI performance enhancements

• Microservice Project support added for Fortify on Demand

• Improved SSVL scan import date validation. Note ThreadFix will now only accept dates utilizing 12 hour (AM/PM) formatting.

• Security updates

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

2.8.8.2

February 2023

ThreadFix 2.8.8.2 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

• Improvement for ThreadFix’s ability to identify and parse Fortify external lists and filters to more accurately mark findings

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

2.8.8

January 2023

ThreadFix 2.8.8 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below: 

Ingestion Enhancements

• Fortify SSC/FoD/SCA imports have improved filter parsing to support more custom filters from Microfocus

• Contrast findings support greater specificity in filtering on finding types based on finding data

• SonarQube integration has been updated to support changes in their API

  • Hotspot findings in version 8.9 and 9 are now supported

  • All previous versions of SonarQube are no longer supported 

System Enhancements

• API support added for custom severity name

• Created a bulk-export for all unmapped vulnerability types to CSV file

• Additional bug fixes and security enhancements

Addressed Reported Issues

2.8.7

September 2022

ThreadFix 2.8.7 Download Release

ThreadFix Deployment Update Guides

Key Updates / Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below: 

Integration Enhancements

• The following remote providers now ingest and store CVSS values: Acunetix 360, Black Duck, Netsparker, NowSecure, and WhiteHat Sentinel Source

• Checkmarx can now ingest additional scanner detail and scanner recommendations for findings

  Open

  

• Improved SonarQube severity mappings

• The maximum number of Defect Profiles that can be associated with a single defect tracker has been increased to 1024

• Improvement to Fortify SCC findings filtering

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues and Security Updates

• Fixed intermittent import errors with Acunetix 360/Netsparker

• Resolved ASoC integration errors on import

• Improvement to UI messaging indicating when all remote providers have been mapped

• Improvement to UI messaging indicating when an invalid scanId was used

• The ThreadFix UI Help button has been adjusted to now direct to the Coalfire Support Portal

• ThreadFix’s data retention behavior has been updated allowing all files to be properly deleted when the File Upload Location is disabled

2.8.6.1

July 2022

ThreadFix 2.8.6.1 Download Release

Key Update / Version Feature Change

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below.

• ThreadFix has been updated to automatically authenticate API keys in response to WhiteHat Sentinel’s latest update July 7th 2022 - Sentinel API Authentication Change, which now only allows authentication of API keys in Request Headers.

To view a complete list including prior releases, please view the 2.X Version Feature Changes list.

Addressed Reported Issues

2.8.6

April 2022

Key Updates

• Contrast Remote Provider Enhancements

  • Enhancement when importing vulnerabilities to include Contrast Finding comments

  • Addition of support for OSS Dependency Findings imports to Contrast scans

  • Additional Contrast Statuses have been provided for mapping by ThreadFix

• Addition of Scan Orchestration option to Acunetix 360 Remote Provider

• Support added for flexible tag definitions from Fortify SCC

• The AppScan on Cloud integration has been updated to allow importing applications with no scans but do have vulnerabilities

• Added support for GitHub Dependabot (Beta) Remote Provider

New/Updated API

• New Fetch Applications and Get Scans API calls for Contrast Remote Provider

• The Get Application by Name and Get Application in a Team by Unique ID calls have been merged into Get Application by Name or Unique ID

General Improvements

• General UI improvements

• General bug fixes and performance improvements          

Feature Changes

Note the following changes to features with the introduction of ThreadFix 2.8.6:

Deprecated and Removed

For other REST API updates, refer to the Change Log

• The Black Duck call "/remediating" has been deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade"

2.8.5.1

January 2022

ThreadFix 2.8.5.1 Download Release

This release includes key updates to account for the log4j vulnerability. Users will need to perform a deployment update.

Key Updates

• ThreadFix Platform

  • Changed log4j.xml to logback.xml in the ThreadFix Installation guide

  • Updated the ESAPI command. See Class Daily Rolling File Appender

Deployment Update

• See Upgrade from 2.8.5 to 2.8.5.1

2.8.5

December 2021

Key Updates

• Added additional fields to the Application API to enable greater automation

• Added new QualysWAS mappings

• Added support for Analysis Type filters from Fortify

• Black Duck now uses Overall Score for severity mapping instead of Base Score

   

General Improvements

• Performance improvements to API for Import Remote Provider Scans for Applications

• Performance improvements to the loading of the Application Detail page

• Performance improvements to the loading of the Portfolio page

• Bug Fixes

2.8.4

May 2021

Key Updates

• ThreadFix Platform

  • Dependency Check reportDate precision fix

  • OpenJDK 11.0.2 compatibility update

  • DISA STIG and OWASP report analytics fix

  • Update to support Mitre v4.4 mappings

  • Finding reference link updated on subsequent scans

• Remote Provider Integrations

  • Fortify SCC improvements:

    • Fortify SSC import fix for empty remote provider applications

    • Fortify SCC microservice mapping performance improvements

  • Netsparker Enterprise Improvements:

    • Support for XML file imports

    • Enhanced severity calculation (Netsparker Cloud)

    • Added support for BestPractice severity

  • WhiteHat Improvements:

    • Support custom severity on import

    • Updated attack vector architecture to merge findings

  • Fix to SAML authentication fix bug which prevented BlackDuck remote provider connection

  • Service Now enabled proxy support

  • SonarQube improved cross-version compatibility

  • Now Secure synchronization update to handle duplicate application names

  • Veracode update to differentiate between static & dynamic scan dates

2.8.3.1

February 2021

Security Updates

• Remediated identified access control vulnerabilities

Key Feature Updates

• Issue resolution for QualysWAS findings scan profiles and findings merging error

General Improvements

• Improvement to Veracode Remote Provider scan updates

2.8.3

January 2021

Key Updates

• Comprehensive Time zone management updates in ThreadFix

• Fortify on Demand no longer imports Fixed or Suppressed findings

• Introduced support for Acunetix 360 Remote Provider and Acunetix Premium exports

• Improvement to the Jenkins plugin

• Added CVSS Score and Vulnerability IDs as dynamic Defect Tracker profile values

• Checkmarx Remote Provider microservice mapping performance improvement

General Improvements

• API performance improvements

• Vulnerability Trending report improvements

• Portfolio UI improvements for large-scale deployments

• UI performance enhancements

• Bug fix for graphs displayed on PDF exports

• General bug fixes and improvements

2.8.2

September 2020

Key Updates

• Vulnerability statuses are now mutually exclusive

• WhiteHat mobile data support

• Checkmarx enhanced finding tracking

• Portfolio page now reflects ThreadFix Pen Tests as Assessments

• WebInspect findings details expanded

• Portfolio Application View pagination

• Most Vulnerable Applications report grouping

• Significant performance improvements to the Team delete function

• Time to Remediate Policies now allow for per-vulnerability exceptions

• Veracode Remote Provider import includes SCA data

• NowSecure Remote Provider integration

General Improvements

• Filter on mobile vulnerability data

• Improved error messaging

• WhiteHat integration respects the Out of Scope status

• LDAP login supports additional user attributes

• Netsparker Enterprise enhancements

• Time to Remediate notification improvements

• File attachment usability improvements

• Updated 3rd party dependencies and other security improvements

• Other enhancements and bug fixes

2.8.1

(Jun '20)

• Added OAuth support for Jira Defect Tracker integration

• Improved parsing of scan data from AppScan Enterprise and Fortify SSC

• Other enhancements and bug fixes

2.8

(May '20)

New/Improved Functionality:

• velocityTemplates/policyReport.vm update. NOTE: If upgrading your deployment, use the new file instead of the previous.

• UI update to align with ThreadFix 3 
  (**be aware this will drop support for IE 11**)

• Added Penetration Test functionality
  (this replaces our current manual finding feature)

• Updated our Version tags to treat its date as the release date of that version
  (current version tags will be recalculated based on this change)

• Added Time to Remediate functionality

• Add on filter functionality to search for dynamic, static, and dependency vulnerabilities

• CWE v4 mappings

• Added Finding Type filter

• Added Manage Filters page

• Performance improvements for trend graphs, group management and application deletes

• Added Dependency pivot for vulnerability tree

• Dependency findings to OWASP Top 10 report

• Capability to allow admin to delete comments.

• Report caching to Dashboard

• Power to set default landing page

• Ability to capture history when vuln severity changed by user

• Default Pivot changed to Severity by Issue Type

• Over 100 other enhancements and bug fixes!

New/Improved Integrations:

• Added SonarQube remote provider support

• Added Fortify on Demand mappings

• Added support for Veracode SCA findings

• Added ability to view Remote Provider AppID on Finding Details page for microservice traceability

• Defects deleted in an outside defect tracker will now be reflected in ThreadFix

• Added TFS collections support for Microsoft TFS Defect Tracker

• Added support for non-vulnerable version information from Black Duck

• Added Kiuwan as a supported scanner type

• Added Rally Workspace list to Rally options

2.7.9

(Dec '19)

• Improved AppScan Enterprise remote provider integration (2.7.9.1)

• Added support for OpenJDK 11 (see here for more info)

• New integration: SNYK ThreadFix file export support

• Updated CWE mappings

• Added ability to see more Pass Criteria information in the UI

• Vulnerability tree updated to show vulnerabilities with unassigned severities

• Added source line numbers to CSV report

• Enriched log verbosity

• Enhanced handling of Burp findings generated with extensions

• Improved type-ahead dropdown menu behavior

• Clarified time zones within Remote Provider schedule settings

• API updates (see Change Log)

• Other enhancements and bug fixes

2.7.8

(Nov '19)

• Import Scan Issue Comments (Fortify SCA, AppScan Source, Checkmarx Cx SAST)

• API call for Importing Remote Provider apps mapped to single app in ThreadFix

• Remote Provider sync information can now be viewed in the UI

• Improved path storage for Black Duck, Dependency Check, and .threadfix scans

• Improved field validation for various bug trackers

• New permission for report generation

• API updates (see Change Log)

• Other enhancements and bug fixes

2.7.7

(Sep '19)

• jdbc.properties update for MySQL DB server users: You MUST update the hibernate.dialect to MySQL55Dialect (see your respective upgrade page for details)

• Remote Provider application mapping persists if an application is renamed on the Remote Provider side (AppSpider, Checkmarx, Veracode, and WhiteHat only)

• Ability to remove reports from the Dashboard and the Team/App detail pages

• Add all Teams/Apps option for policy

• Component file paths displayed on Vuln Details page

• Finding statuses are now supported by the .threadfix file

• Added Dependency Check severities

• Error message improvements

• API updates (see Change Log)

• Other enhancements and bug fixes

2.7.6

(Aug '19)

• (2.7.6.2) jdbc.properties update for MySQL DB server users: You MUST update the hibernate.dialect to MySQL55Dialect (see your respective upgrade page for details)

• New support for Veracode authorization to utilize API keys vs. username and password.

• Performance improvements to the following pages:

  • Team Details

  • App Details

  • Portfolio

  • History

• New integrations:

  • IBM RTC Defect Tracker

  • AppSpider Enterprise Remote Provider

  • Dependency-Track Remote Provider

  • WhiteSource ThreadFix file export support

• Fortify SSC imports now parse FPR files offering much faster ingestion at scale.

• HTML characters in Application Names are now permitted.

• New CWE mappings have been added.

• Improved handling of Project Names changes in Jira.

• Support for custom checkbox fields from Jira.

• Functionality to allow to LDAP permissions with SAML logins.

• Additional granular permissions for Manage Applications and Teams roles.

• Pull in scanner version for Dependency Check scans.

• Increased defect description character limit.

• Ability to export the User Audit list as a .csv file.

• Most Vulnerable Apps list to show only top 10 apps.

• Import the file path for vulnerabilities in open source/dependency scanning tools.

• API updates (see Change Log)

• Other enhancements and bug fixes

2.7.5

(Jun '19)

• Performance improvements

  • Significant reduction in subsequent scan upload times for large environments

  • Significant reduction in page load time for large environments

• Added Custom Application Metadata Key/Value Pairs

• Updates and improvements to the following integrations:

  • Fortify on Demand

  • ASoC

  • White Hat

  • Black Duck

  • Dependency Check

  • Jira

  • Rally

• Improved event logging

• Custom severity enhancements

• API updates (see Change Log)

• Other enhancements and bug fixes

2.7.4

(Apr '19)

• Added Synopsys Coverity as a Remote Provider integration

• Added an Issue Type pivot to the Vulnerability Tree, which allows a user to see issues organized by CWE if it is present, or the scanner vulnerability if no CWE is present

• Updated vulnerability tree UI to show issue statuses for each vuln

• API Requests without a version specified have been deprecated

• Implemented a blacklist and whitelist configuration for scanner vulnerability types, allowing appropriately permissioned users to prevent ThreadFix from importing specific scanner vulnerabilities

• Added REST API endpoints related to email reports (see Change Log)

• Other enhancements and bug fixes

2.7.3

(Mar '19)

• Updated Jenkins and Burp plugins

• Added API token authentication for Jira defect tracker integration

• Improved scan deletion performance

• Additional support for importing dependency (OSS) findings and finding comments through the ThreadFix file format

• Added ability to refresh Remote Provider applications list on a schedule

• Improved parsing for simultaneous multiple file upload

• Show custom severity level names in .csv export

• Additional REST API endpoints created for further automation support (see Change Log)

• Other enhancements and bug fixes

2.7.2

(Feb '19)

• Veracode Remote Provider update to honor "Force Last Scan" option

• Clearer logging of Remote Provider ingestion actions

• Enhanced the API permissions check to better match the UI

• Resolved issue with batch tagging of applications

• Enhanced application pagination on Portfolio page

• Remote Provider scan and import request functionality added to Application Detail page

• Added more granular permissions for new vulnerability statuses

• Expanded automatic defect creation to account for manual findings as well

• Added the 2017 OWASP Top 10 list

• Improvements to our Fortify SSC Remote Provider integration

• Created new API endpoint to allow users to attach a vulnerability to an existing defect

• Scanner finding severities are now updated with subsequent uploads of scan results

• Improved "Path" pivot to properly include static results

• Enhanced the Scan Upload Messages page to include direct links to the application and team referenced in the error

• Other enhancements and bug fixes

2.7.1

(Dec '18)

• WhiteHat Remote Provider hosting location is now configurable

• Contrast Remote Provider Enhancements:

  • Improvement to DataFlow ingestion

  • Added False Positive support

  • Provide Scanner Recommendations from “How to Fix” content

  • HTTP Request/Response display improvements

  • Updated link URL to point to Contrast instance

• Black Duck and Checkmarx merge improvements

• AppScan Enterprise new severity support

• ThreadFix File Enhancements

• Application and Team name size increase to 255 characters

• Allow for filtered exports of report data via API

• Vulnerability comments can now be imported from Checkmarx

• Performance Improvements

• API updates (see Change Log)

• Bug Fixes

2.7

(Oct '18)

• Request and receive Application Quick Assessments from Denim Group’s Pen Test experts

• Filter and report on CVE values for vulnerabilities reported from popular Software Component Analysis tools like Black Duck, Dependency Check, and Sonatype Nessus

• View your applications by their relative risk to your organization to help prioritize testing and remediation activities on the riskiest applications first

• Policy statuses are now evaluated for even more triage actions within ThreadFix, giving you more up-to-the minute statuses on where your applications stand with your own internal polices

• Greater granular control on your vulnerability workflow with additional vulnerability statuses and reporting

• Manual assessments can now be made through the user interface, allowing for a more distributed assessment approach within your organization

• Performance improvements on scan upload and deletion

• Bug Fixes

2.6.2

(Aug '18)

• Can now customize scanner severities to exclude their findings from being processed

• Updated CWE list to 3.1

• Added new CSV customization options

• Added Close Date field to the CSV export

• Added Remote Provider support for IBM Application Security on Cloud (ASoC)

• Improvement to the App Scan Enterprise integration to respect new severity level

• Improvement to Netsparker integration to respect additional date formats

• Improved Remote Provider “Import All” feature to be more error tolerant

• API updates, e.g., user management and policy status (see Change Log)

• Bug Fixes

2.6.1

(Jun '18)

• Improvements to API error handling with Create Defect Tracker endpoint

• Improvements to "Check All" behavior on Application Detail pages

• Expanded event tracking to include delete operations

• AppScan parsing improvements to handle special characters in data

• Performance improvements on Application and Team detail pages

• Bug fixes

2.6

(May '18)

• jms.properties update for queue persistence. NOTE: If upgrading your deployment, you will need to use the new file instead of the previous. Refer to /wiki/spaces/TDOC/pages/437026817 for more info.

• applicationContext-scheduling.xml update. NOTE: If upgrading your deployment, you will need to use the new file instead of the previous.

• Organized permissions into categories and added new ones for: managing tags, viewing the queues, managing versions, editing remote provider configurations, and deleting scans

• Queue management: ability to view & cancel queued tasks

• Dashboard reports are now customizable

• Policy updates:

  • Consolidated policy management...merged CI/CD policy page into the Manage Policies page

  • Policies can now be associated to teams and tags

  • Policy list can be updated in Application Details page

  • Pass criteria can be grouped

• Ability to modify existing vulnerability comments

• ThreadFix file format

• Reworked Black Duck integration (we recommend removing existing integrations and creating new ones)

• Report caching

• Fixed issue in Fortify parser which could mark vulnerabilities as "False Positive" incorrectly. Issue will be automatically updated on next scan upload after upgrade

• API updates (see Change Log)

• Bug Fixes

2.5.3

(Mar '18)

• WhiteHat integration improvements

• Automatic defect creation for Remote Provider imports

• New permissions

• Jira integration enhancements

• Usability and performance improvements

• API updates (see Change Log)

• Bug Fixes

2.5.2

(Feb '18)

• jdbc.properties update. NOTE: If upgrading your deployment, use the new file instead of the previous.

  • MS SQL: Updated the connection string

  • MySQL: Changed driver to MariaDB

  • Additional parameters added

• security.xml update. NOTE: If upgrading your deployment, use the new file instead of the previous.

• Significant performance improvements in large environments

• Support for multiple Active Directory domains and servers

...If upgrading from a previous version, hard-refresh the login page (or clear cache) to resolve browser caching issue

• Updated application trending graph to represent “real time” data

• Improved database connection pooling

• Improved scanner integration with Fortify SCA, Fortify on Demand, Checkmarx, Netsparker, and Black Duck

• Improvements to event logging

• CSV export improvements for large data sets

• New permission controls

• Removed Nessus scan agent and ZAP plugin

• API update (see Change Log)

• Bug Fixes

2.5.1.16

(Feb '18)

• Updated SSVL parser to ingest scans with zero vulns

2.5.1.12 - 2.5.1.15

(Dec '17 - Jan '18)

• Updated integration with AppScan Enterprise, Black Duck and Checkmarx

• Remote Provider improvements for bulk imports

• Improved handling & display of scans' original Scan Date and subsequent Updated Date

• Added new filter policy statuses so a policy isn't considered passing/failing without sufficient reason

• API update (see Change Log)

• Bug fixes

2.5.1.10

(Nov '17)

• Improved integration with VSTS defect tracker ("Microsoft TFS" in menu)

• Updated Fortify on Demand Remote Provider integration to connect to new endpoint

• Bug fixes

2.5.1.2 - 2.5.1.7

(Oct '17)

• Scan upload/delete performance improvements

• API update (see Change Log)

• Bug fixes

2.5.1.1

(Sep '17)

• Remote Provider errors are saved in the Scan Upload Messages section of the Error Messages page

• Scan Upload errors are more visible to users at the time they occur

• Added Rally Defect Tracker integration

• API update (see Change Log)

• Bug fixes

2.5.1

(Sep '17)

• Added the ability to bring in new changes from Remote Providers without requiring a new scan, via "Force Import"

• New Netsparker Enterprise Remote Provider, through use of our Netsparker Plugin

• Improved merged finding behavior

• Fortify parser improvements

• Added a button to clear LDAP settings

• New LDAP User management options: importing new LDAP users and pruning outdated LDAP users are separate buttons now

• New "Updated Date" support for select scanners; for some scanners such as Fortify, ThreadFix will show the date the scan was originally run as well as the date the scan was last modified

• New Scanner Management options in System Settings; you can now restrict Scanners so that users cannot upload scans from that scanner type

• API update (see Change Log)

• Bug fixes

2.5.0.7

(Jul '17)

• "Update Remote Provider Applications" feature changed to "Sync Remote Provider Applications"

• CSV v2 Export improvements

• Performance improvements in Manage Groups page and for scan deletions

• Vuln mapping updates

• API update (see Change Log)

• Bug fixes

2.5.0.3 - 2.5.0.6

(Jun '17)

• Added Fortify SSC Remote Provider integration

• Updated Fortify Filter Set restriction capability

• Vuln mapping updates

• Added an expanded CSV export (CSV v2)

• Jenkins plugin for CI/CD automation (available upon request)

• Bug fixes

2.5.0.2

(May '17)

• Added ability to restrict the Fortify Filter Set for an application

• LDAP User bulk import is now a "Sync User" function, removing LDAP users no longer in LDAP system and adding new ones

• Moved SMTP configuration into the UI and database (credentials are encrypted)

• Created tool to encrypt jdbc.properties before launching ThreadFix for the first time (available upon request)

• API update (see Change Log)

• Bug fixes

2.5.0.1

(May '17)

• Improved GRC integration with ServiceNow

• Improved security for REST API calls (see Change Log)

• Bug fixes

2.5

(Apr '17)

• CI/CD Integration

• UX and performance improvements

• Ability to cancel pending scan uploads and deletions

• Remote Provider integration redesign

• Added file storage retention policy

• Support for updated Arachni format

• Support for dynamic scans in Fortify On Demand

• Support for additional LDAP and SAML providers

• Default logging level changed from DEBUG to INFO

• API update (see Change Log)

• Bug fixes

2.4.6

(Feb '17)

• Added Remote Provider imports to the Scan Queue

• Improves notifications in Blue Banner to reflect when scans are uploaded in bulk.

• Bug fixes
  
  

2.4.5

(Jan '17)

• Adds standard Scan Uploads through UI and REST to the Scan Queue alongside Scan Deletion; to upload to the queue via REST, use the "v2.4.5" or "latest" extension in the REST call

• Adds a Blue Banner to Application Detail pages that shows the status of any queued scans

• Adds a new section to the Errors page for scan upload errors

• Minor performance improvements around Scan Detail page

• More efficient JIRA defect status updates

• Adds a workFolder parameter to custom.properties, to set a location for ThreadFix to write files to on startup

• Improves IBM AppScan Enterprise remote provider integration

• Vulnerabilities filtered out as false positive by Fortify scan filters are no longer brought into ThreadFix

• Hides passwords typed during Scan Agent configuration

• API update (see Change Log)

• Bug fixes
  
  

2.4.2

(Nov '16)

• Reduces the time it takes to import scans from Veracode

• Gives all users the ability to generate their own API Keys

• Retrieves Scanner Descriptions and Recommendations for WhiteHat

• Improves page load speed for Scan Detail page

• Adds tracking for mapping deletion to Unmapped Finding histories

• Enhanced Fortify support

• Refactors GRC Service Now integration

• Bug fixes

2.4.0

(Jul '16)

• Vulnerability Hotspot detection

• Ability to create manual findings not associated with a CWE

• Alternate pivots when viewing issue trees

• API versioning system

• Login History auditing

• Custom vulnerability mapping auditing

• Support for managing and pushing to multiple defect trackers per application

• Cron expression support for schedulers

• Provide latest scan agent jar file from within the application

• Expanded CLI and REST capabilities

• UX Improvements

• API update (see Change Log)

• New integrations and integration improvements:

  • Black Duck as a Remote Provider

  • Barracuda WAF Integration

  • Nessus Scan Agent

  • BugZilla 5.0

  • On premises Contrast

  • SAML Authentication

  • Fortify integration improved and updated

  • App Scan integration improved and updated

  • Checkmarx integration improved and updated

  • Bulk create user feature for LDAP integrations

  • More robust Defect Tracker issue status reporting

2.3.4

(Apr '16)

• Resolve hostname confusion with Acunetix findings reporting “localhost” in certain instances

• Improve Burp Scan Agent support for newer versions of Java

• Improve ThreadFix behavior around a poor JIRA connection

• Improve vulnerability reopen logic within Burp

• Improve user feedback around Defect Tracker connection

• Improve performance with scan upload

• Improvements to Acunetix merging

• Bug fixes

2.3.3

(Mar '16)

• Fix favicon.ico request error if ThreadFix is not deployed at /threadfix

• Fix foreign key constraint issues in some cases

• Fix issues with some larger environments when using SQL Server as the DB

2.3.2

• Add type-ahead for JIRA user group

2.3.1

• Added Remote Provider Support for Checkmarx

• JDBC properties de/encrypt update

• Increase character limit for comments on vulnerabilities