As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
2.X Release Notes
- Daniel Colon
- Hruiz (Unlicensed)
- Daniel Colon (Unlicensed)
ThreadFix Version Release Notes
For REST API updates, refer to the Change Log
2.8.9.1
November 2023
For REST API updates, refer to the Change Log
Reminder: As of ThreadFix versions 2.8.9, integration support for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne was discontinued.
ThreadFix 2.8.9.1 Download Release
ThreadFix Deployment Update Guides
Key Updates / Version Feature Changes
Performance improvement for the Defect Reporter to Application Defect Tracker Mapping process
Performance improvement for scan upload processing
Improvement for error messaging in the UI
To view a complete list including prior releases, please view the 2.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
Issue where a users name that has been updated in the User Management page may not reflect onto the user Login page. | This issue has been addressed in 2.8.9.1 |
Issue where the Vulnerability Search API exports may provide different results each time run. | This issue has been addressed in 2.8.9.1 |
Issue where a Remote Provider will not be created if the user attempts to use a previously entered a name for it that was submitted but not allowed to complete the creation process by exiting the modal before successful completion. | This issue has been addressed in 2.8.9.1 |
Performance improvement for the BlackDuck Remote Provider creation process, addressing an issue where it may timeout. | This issue has been addressed in 2.8.9.1 |
Issue where an exported CSV/SSVL report is generated using currently selected filters rather than currently applied filters. | This issue has been addressed in 2.8.9.1 |
Issue where a users name that has been updated in the User Management page may not reflect onto the user Login page. | This issue has been addressed in 2.8.9.1 |
2.8.9
October 2023
Important Integration Support Notifications
Reminder: As of ThreadFix versions 2.8.9, integration support is discontinued for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne
AppScan Enterprise identified and resolved an issue where some vulnerabilities reported finding details for multiple issue types as a single concatenated string via the AppScan API. In this instance ThreadFix would ingest this data as if it was legitimate which could cause some display and merging issues if the instance of AppScan Enterprise in use is a version subject to this misbehavior. HCL has informed our impacted clients that the issues have been resolved; clients should prioritize updating their AppScan Enterprise instance to the latest HCL patch prior to updating ThreadFix.
ThreadFix 2.8.9 Download Release
ThreadFix Deployment Update Guides
Key Updates / Version Feature Changes
Improvement to error messaging when uploading files
Several minor UI updates
To view a complete list including prior releases, please view the 2.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
Issue where not all Pen Test teams would display in the Identity Management page. | This issue has been addressed in 2.8.9 |
Issue where a user cannot create a Jira Defect Tracker instance with OAuth Token as the Authorization Type. | This issue has been addressed in 2.8.9 |
Issue where if a Team is deleted in the Portfolio page and a newly created Team with the same name is created with an application, the previously deleted Team name may appear on the UI. | This issue has been addressed in 2.8.9 |
Legacy 2.8 Release Notes
2.8.8.5
August 2023
ThreadFix 2.8.8.5 Download Release
ThreadFix Deployment Update Guides
Key Updates / Version Feature Changes
Minor UI updates
To view a complete list including prior releases, please view the 2.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
Qualys applications with over 100 open vulnerabilities do not automatically paginate scan results. | This issue has been addressed in 2.8.8.5. |
ThreadFix’s integration with Black Duck ingests invalid Finding CVE data. | This issue has been addressed in 2.8.8.5. |
When a user updates the File Upload location, any scans previously downloaded remain in the prior location. Note: This is not the same as when the File Upload location is removed/deleted. | This issue has been addressed in 2.8.8.5. |
User receives a NullPointerException error when trying to update an application, via the Update Application API, containing at least one unmapped vulnerability. | This issue has been addressed in 2.8.8.5. |
For Acunetix 360 and Netsparker Enterprise, if the application is renamed on the scanner, the existing RemoteProviderApplication row is discarded. This occurs despite the nativeId value persisting. | This issue has been addressed in 2.8.8.5. |
Error addressed when a user tries to edit a JIRA defect tracker using a new longer API token. | This issue has been addressed in 2.8.8.5. |
When creating a JIRA defect Tracker, the following error message is received: | This issue has been addressed in 2.8.8.5. |
When a Fortify on Demand microservice is scanned, it registers more vulnerabilities than actually exist. | This issue has been addressed in 2.8.8.5. |
2.8.8.4
July 2023
ThreadFix 2.8.8.4 Download Release
ThreadFix Deployment Update Guides
Key Updates / Version Feature Changes
Performance enhancements
UI Improvements
To view a complete list including prior releases, please view the 2.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
An application being able to be associated with a deleted policy ID through an API Call. | This issue has been addressed in 2.8.8.4. |
User receivers an “Invalid username/password combination” error when attempting to gather collections from a defect tracker in Azure DevOps. | This issue has been addressed in 2.8.8.4. |
2.8.8.3
May 2023
ThreadFix 2.8.8.3 Download Release
ThreadFix Deployment Update Guides
Key Updates / Version Feature Changes
Improvement in ThreadFix’s ability to reflect a finding’s hidden/unhidden status following multiple uploaded scans with the same finding
UI performance enhancements
Microservice Project support added for Fortify on Demand
Improved SSVL scan import date validation. Note ThreadFix will now only accept dates utilizing 12 hour (AM/PM) formatting.
Security updates
To view a complete list including prior releases, please view the 2.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
Unmapped Qualys WAS Findings are automatically upgraded/downgraded to a Severity level of 3 (Medium) and without a channel vulnerability name. | This issue has been addressed in 2.8.8.3. |
If there are multiple Dependency Track projects mapped to a single ThreadFix application, bulk remote provider imports for the application may fail and not import vulnerability data if any of the Dependency Track projects have an older Last BOM Import date than the latest scan date for the ThreadFix application. | This issue has been addressed in 2.8.8.3. |
The .threadfix file exports from the Assessment tab with incorrect Finding descriptions. | This issue has been addressed in 2.8.8.3. |
The Date displayed in the Status section of Vulnerability Details does not reflect a user’s local time zone. | This issue has been addressed in 2.8.8.3. |
User receives a "Jira Credentials are invalid" error when authenticating with Atlassian’s new longer API tokens. | This issue has been addressed in 2.8.8.3. |
Email notifications fail to send. | This issue has been addressed in 2.8.8.3. |
2.8.8.2
February 2023
ThreadFix 2.8.8.2 Download Release
ThreadFix Deployment Update Guides
Key Updates / Version Feature Changes
Improvement for ThreadFix’s ability to identify and parse Fortify external lists and filters to more accurately mark findings
To view a complete list including prior releases, please view the 2.X Version Feature Changes list.
2.8.8
January 2023
ThreadFix 2.8.8 Download Release
ThreadFix Deployment Update Guides
Key Updates / Version Feature Changes
New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:
Ingestion Enhancements
Fortify SSC/FoD/SCA imports have improved filter parsing to support more custom filters from Microfocus
Contrast findings support greater specificity in filtering on finding types based on finding data
SonarQube integration has been updated to support changes in their API
Hotspot findings in version 8.9 and 9 are now supported
All previous versions of SonarQube are no longer supported
System Enhancements
API support added for custom severity name
Created a bulk-export for all unmapped vulnerability types to CSV file
Additional bug fixes and security enhancements
Addressed Reported Issues
Issue | Resolution |
---|---|
In some instances, ThreadFix license expiration reminders can repeatedly post to the logs and create performance issues. | The frequency of reminders has been adjusted to once per user login. |
Importing LDAP users fails if any user have Title fields containing over 60 characters. | The limit has been increased to 128 characters. |
The Upload Scan API and Multiple File Scan Upload API calls return an un-versioned href. | The Upload Scan API and Multiple File Scan Upload API have been updated. |
The 2.X to 3.X migration process fails if the database for the Burp channel contains a channel vulnerability with a non-numerical code. | This has been addressed in 2.8.8. |
SonarQube has removed the concept of organizations from their codebase as of v8.7. | As of version 2.8.8, ThreadFix only supports importing Hotspot findings with the SonarQube v8(8.9) and V9 configurations. |
2.8.7
September 2022
ThreadFix 2.8.7 Download Release
ThreadFix Deployment Update Guides
Key Updates / Version Feature Changes
New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:
Integration Enhancements
The following remote providers now ingest and store CVSS values: Acunetix 360, Black Duck, Netsparker, NowSecure, and WhiteHat Sentinel Source
Checkmarx can now ingest additional scanner detail and scanner recommendations for findings
Improved SonarQube severity mappings
The maximum number of Defect Profiles that can be associated with a single defect tracker has been increased to 1024
Improvement to Fortify SCC findings filtering
To view a complete list including prior releases, please view the 2.X Version Feature Changes list.
Addressed Reported Issues and Security Updates
Fixed intermittent import errors with Acunetix 360/Netsparker
Resolved ASoC integration errors on import
Improvement to UI messaging indicating when all remote providers have been mapped
Improvement to UI messaging indicating when an invalid scanId was used
The ThreadFix UI Help button has been adjusted to now direct to the Coalfire Support Portal
ThreadFix’s data retention behavior has been updated allowing all files to be properly deleted when the File Upload Location is disabled
Issue | Resolution |
---|---|
When trying to update Jira Defect Tracker integration credentials, a 403 error is received with the following message: “Failure. Message was : The defect tracker URL is not valid." | Resolved JIRA connection issue. |
"You don't have permission for this team." error is received when attempting to move an application to another team using the Update Application API even with an Administrator Global role | The Update Application API has been updated to address the permissions error, allowing the application to be successfully moved. |
A user without read-access could view all policy data for an application. | The Policies tab in ThreadFix has been updated to address the information disclosure. |
When importing Veracode scans, in the event a RestIOException is received, scan data would not process and could be lost. | Resolved handling of the exception. |
Threadfix files incorrectly export with a filename of null instead of the associated application’s name. | A fix has been provided to ensure the Threadfix files correctly export with the associated application’s name. |
Error importing Contrast cloud scans . | Resolved imports failing for certain Ruby applications. |
2.8.6.1
July 2022
ThreadFix 2.8.6.1 Download Release
Key Update / Version Feature Change
New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below.
ThreadFix has been updated to automatically authenticate API keys in response to WhiteHat Sentinel’s latest update July 7th 2022 - Sentinel API Authentication Change, which now only allows authentication of API keys in Request Headers.
To view a complete list including prior releases, please view the 2.X Version Feature Changes list.
Addressed Reported Issues
Issue | Resolution |
---|---|
SonarQube findings listed as Blocker and/or Critical are downgraded to Critical/High respectively, causing them to be incorrectly ingested within ThreadFix. | The SonarQube remote provider integration’s logic has been updated to address the incorrect severity issue. |
"You don't have permission for this team." error is received when attempting to move an application to another team using the Update Application API even with an Administrator Global role. | The Update Application API has been updated to address the permissions error, allowing the application to be successfully moved. |
2.8.6
April 2022
Key Updates
Contrast Remote Provider Enhancements
Enhancement when importing vulnerabilities to include Contrast Finding comments
Addition of support for OSS Dependency Findings imports to Contrast scans
Additional Contrast Statuses have been provided for mapping by ThreadFix
Addition of Scan Orchestration option to Acunetix 360 Remote Provider
Support added for flexible tag definitions from Fortify SCC
The AppScan on Cloud integration has been updated to allow importing applications with no scans but do have vulnerabilities
Added support for GitHub Dependabot (Beta) Remote Provider
New/Updated API
New Fetch Applications and Get Scans API calls for Contrast Remote Provider
The Get Application by Name and Get Application in a Team by Unique ID calls have been merged into Get Application by Name or Unique ID
General Improvements
General UI improvements
General bug fixes and performance improvements
Feature Changes
Note the following changes to features with the introduction of ThreadFix 2.8.6:
Deprecated and Removed
For other REST API updates, refer to the Change Log
The Black Duck call "/remediating" has been deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade"
2.8.5.1
January 2022
ThreadFix 2.8.5.1 Download Release
This release includes key updates to account for the log4j vulnerability. Users will need to perform a deployment update.
Key Updates
ThreadFix Platform
Changed
log4j.xml
tologback.xml
in the ThreadFix Installation guideUpdated the ESAPI command. See Class Daily Rolling File Appender
Deployment Update
2.8.5
December 2021
Key Updates
Added additional fields to the Application API to enable greater automation
Added new QualysWAS mappings
Added support for Analysis Type filters from Fortify
Black Duck now uses Overall Score for severity mapping instead of Base Score
General Improvements
Performance improvements to API for Import Remote Provider Scans for Applications
Performance improvements to the loading of the Application Detail page
Performance improvements to the loading of the Portfolio page
Bug Fixes
2.8.4
May 2021
Key Updates
ThreadFix Platform
Dependency Check reportDate precision fix
OpenJDK 11.0.2 compatibility update
DISA STIG and OWASP report analytics fix
Update to support Mitre v4.4 mappings
Finding reference link updated on subsequent scans
Remote Provider Integrations
Fortify SCC improvements:
Fortify SSC import fix for empty remote provider applications
Fortify SCC microservice mapping performance improvements
Netsparker Enterprise Improvements:
Support for XML file imports
Enhanced severity calculation (Netsparker Cloud)
Added support for BestPractice severity
WhiteHat Improvements:
Support custom severity on import
Updated attack vector architecture to merge findings
Fix to SAML authentication fix bug which prevented BlackDuck remote provider connection
Service Now enabled proxy support
SonarQube improved cross-version compatibility
Now Secure synchronization update to handle duplicate application names
Veracode update to differentiate between static & dynamic scan dates
2.8.3.1
February 2021
Security Updates
Remediated identified access control vulnerabilities
Key Feature Updates
Issue resolution for QualysWAS findings scan profiles and findings merging error
General Improvements
Improvement to Veracode Remote Provider scan updates
2.8.3
January 2021
Key Updates
Comprehensive Time zone management updates in ThreadFix
Fortify on Demand no longer imports Fixed or Suppressed findings
Introduced support for Acunetix 360 Remote Provider and Acunetix Premium exports
Improvement to the Jenkins plugin
Added CVSS Score and Vulnerability IDs as dynamic Defect Tracker profile values
Checkmarx Remote Provider microservice mapping performance improvement
General Improvements
API performance improvements
Vulnerability Trending report improvements
Portfolio UI improvements for large-scale deployments
UI performance enhancements
Bug fix for graphs displayed on PDF exports
General bug fixes and improvements
2.8.2
September 2020
Key Updates
Vulnerability statuses are now mutually exclusive
WhiteHat mobile data support
Checkmarx enhanced finding tracking
Portfolio page now reflects ThreadFix Pen Tests as Assessments
WebInspect findings details expanded
Portfolio Application View pagination
Most Vulnerable Applications report grouping
Significant performance improvements to the Team delete function
Time to Remediate Policies now allow for per-vulnerability exceptions
Veracode Remote Provider import includes SCA data
NowSecure Remote Provider integration
General Improvements
Filter on mobile vulnerability data
Improved error messaging
WhiteHat integration respects the Out of Scope status
LDAP login supports additional user attributes
Netsparker Enterprise enhancements
Time to Remediate notification improvements
File attachment usability improvements
Updated 3rd party dependencies and other security improvements
Other enhancements and bug fixes
2.8.1
(Jun '20)
Added OAuth support for Jira Defect Tracker integration
Improved parsing of scan data from AppScan Enterprise and Fortify SSC
Other enhancements and bug fixes
2.8
(May '20)
New/Improved Functionality:
velocityTemplates/policyReport.vm update. NOTE: If upgrading your deployment, use the new file instead of the previous.
UI update to align with ThreadFix 3
(**be aware this will drop support for IE 11**)Added Penetration Test functionality
(this replaces our current manual finding feature)Updated our Version tags to treat its date as the release date of that version
(current version tags will be recalculated based on this change)Added Time to Remediate functionality
Add on filter functionality to search for dynamic, static, and dependency vulnerabilities
CWE v4 mappings
Added Finding Type filter
Added Manage Filters page
Performance improvements for trend graphs, group management and application deletes
Added Dependency pivot for vulnerability tree
Dependency findings to OWASP Top 10 report
Capability to allow admin to delete comments.
Report caching to Dashboard
Power to set default landing page
Ability to capture history when vuln severity changed by user
Default Pivot changed to Severity by Issue Type
Over 100 other enhancements and bug fixes!
New/Improved Integrations:
Added SonarQube remote provider support
Added Fortify on Demand mappings
Added support for Veracode SCA findings
Added ability to view Remote Provider AppID on Finding Details page for microservice traceability
Defects deleted in an outside defect tracker will now be reflected in ThreadFix
Added TFS collections support for Microsoft TFS Defect Tracker
Added support for non-vulnerable version information from Black Duck
Added Kiuwan as a supported scanner type
Added Rally Workspace list to Rally options
Legacy Release Notes
2.7.9
(Dec '19)
Improved AppScan Enterprise remote provider integration (2.7.9.1)
Added support for OpenJDK 11 (see here for more info)
New integration: SNYK ThreadFix file export support
Updated CWE mappings
Added ability to see more Pass Criteria information in the UI
Vulnerability tree updated to show vulnerabilities with unassigned severities
Added source line numbers to CSV report
Enriched log verbosity
Enhanced handling of Burp findings generated with extensions
Improved type-ahead dropdown menu behavior
Clarified time zones within Remote Provider schedule settings
API updates (see Change Log)
Other enhancements and bug fixes
2.7.8
(Nov '19)
Import Scan Issue Comments (Fortify SCA, AppScan Source, Checkmarx Cx SAST)
API call for Importing Remote Provider apps mapped to single app in ThreadFix
Remote Provider sync information can now be viewed in the UI
Improved path storage for Black Duck, Dependency Check, and .threadfix scans
Improved field validation for various bug trackers
New permission for report generation
API updates (see Change Log)
Other enhancements and bug fixes
2.7.7
(Sep '19)
jdbc.properties update for MySQL DB server users: You MUST update the
hibernate.dialect
toMySQL55Dialect
(see your respective upgrade page for details)Remote Provider application mapping persists if an application is renamed on the Remote Provider side (AppSpider, Checkmarx, Veracode, and WhiteHat only)
Ability to remove reports from the Dashboard and the Team/App detail pages
Add all Teams/Apps option for policy
Component file paths displayed on Vuln Details page
Finding statuses are now supported by the .threadfix file
Added Dependency Check severities
Error message improvements
API updates (see Change Log)
Other enhancements and bug fixes
2.7.6
(Aug '19)
(2.7.6.2) jdbc.properties update for MySQL DB server users: You MUST update the
hibernate.dialect
toMySQL55Dialect
(see your respective upgrade page for details)New support for Veracode authorization to utilize API keys vs. username and password.
Performance improvements to the following pages:
Team Details
App Details
Portfolio
History
New integrations:
IBM RTC Defect Tracker
AppSpider Enterprise Remote Provider
Dependency-Track Remote Provider
WhiteSource ThreadFix file export support
Fortify SSC imports now parse FPR files offering much faster ingestion at scale.
HTML characters in Application Names are now permitted.
New CWE mappings have been added.
Improved handling of Project Names changes in Jira.
Support for custom checkbox fields from Jira.
Functionality to allow to LDAP permissions with SAML logins.
Additional granular permissions for Manage Applications and Teams roles.
Pull in scanner version for Dependency Check scans.
Increased defect description character limit.
Ability to export the User Audit list as a .csv file.
Most Vulnerable Apps list to show only top 10 apps.
Import the file path for vulnerabilities in open source/dependency scanning tools.
API updates (see Change Log)
Other enhancements and bug fixes
2.7.5
(Jun '19)
Performance improvements
Significant reduction in subsequent scan upload times for large environments
Significant reduction in page load time for large environments
Added Custom Application Metadata Key/Value Pairs
Updates and improvements to the following integrations:
Fortify on Demand
ASoC
White Hat
Black Duck
Dependency Check
Jira
Rally
Improved event logging
Custom severity enhancements
API updates (see Change Log)
Other enhancements and bug fixes
2.7.4
(Apr '19)
Added Synopsys Coverity as a Remote Provider integration
Added an Issue Type pivot to the Vulnerability Tree, which allows a user to see issues organized by CWE if it is present, or the scanner vulnerability if no CWE is present
Updated vulnerability tree UI to show issue statuses for each vuln
API Requests without a version specified have been deprecated
Implemented a blacklist and whitelist configuration for scanner vulnerability types, allowing appropriately permissioned users to prevent ThreadFix from importing specific scanner vulnerabilities
Added REST API endpoints related to email reports (see Change Log)
Other enhancements and bug fixes
2.7.3
(Mar '19)
Updated Jenkins and Burp plugins
Added API token authentication for Jira defect tracker integration
Improved scan deletion performance
Additional support for importing dependency (OSS) findings and finding comments through the ThreadFix file format
Added ability to refresh Remote Provider applications list on a schedule
Improved parsing for simultaneous multiple file upload
Show custom severity level names in .csv export
Additional REST API endpoints created for further automation support (see Change Log)
Other enhancements and bug fixes
2.7.2
(Feb '19)
Veracode Remote Provider update to honor "Force Last Scan" option
Clearer logging of Remote Provider ingestion actions
Enhanced the API permissions check to better match the UI
Resolved issue with batch tagging of applications
Enhanced application pagination on Portfolio page
Remote Provider scan and import request functionality added to Application Detail page
Added more granular permissions for new vulnerability statuses
Expanded automatic defect creation to account for manual findings as well
Added the 2017 OWASP Top 10 list
Improvements to our Fortify SSC Remote Provider integration
Created new API endpoint to allow users to attach a vulnerability to an existing defect
Scanner finding severities are now updated with subsequent uploads of scan results
Improved "Path" pivot to properly include static results
Enhanced the Scan Upload Messages page to include direct links to the application and team referenced in the error
Other enhancements and bug fixes
2.7.1
(Dec '18)
WhiteHat Remote Provider hosting location is now configurable
Contrast Remote Provider Enhancements:
Improvement to DataFlow ingestion
Added False Positive support
Provide Scanner Recommendations from “How to Fix” content
HTTP Request/Response display improvements
Updated link URL to point to Contrast instance
Black Duck and Checkmarx merge improvements
AppScan Enterprise new severity support
ThreadFix File Enhancements
Application and Team name size increase to 255 characters
Allow for filtered exports of report data via API
Vulnerability comments can now be imported from Checkmarx
Performance Improvements
API updates (see Change Log)
Bug Fixes
2.7
(Oct '18)
Request and receive Application Quick Assessments from Denim Group’s Pen Test experts
Filter and report on CVE values for vulnerabilities reported from popular Software Component Analysis tools like Black Duck, Dependency Check, and Sonatype Nessus
View your applications by their relative risk to your organization to help prioritize testing and remediation activities on the riskiest applications first
Policy statuses are now evaluated for even more triage actions within ThreadFix, giving you more up-to-the minute statuses on where your applications stand with your own internal polices
Greater granular control on your vulnerability workflow with additional vulnerability statuses and reporting
Manual assessments can now be made through the user interface, allowing for a more distributed assessment approach within your organization
Performance improvements on scan upload and deletion
Bug Fixes
2.6.2
(Aug '18)
Can now customize scanner severities to exclude their findings from being processed
Updated CWE list to 3.1
Added new CSV customization options
Added Close Date field to the CSV export
Added Remote Provider support for IBM Application Security on Cloud (ASoC)
Improvement to the App Scan Enterprise integration to respect new severity level
Improvement to Netsparker integration to respect additional date formats
Improved Remote Provider “Import All” feature to be more error tolerant
API updates, e.g., user management and policy status (see Change Log)
Bug Fixes
2.6.1
(Jun '18)
Improvements to API error handling with Create Defect Tracker endpoint
Improvements to "Check All" behavior on Application Detail pages
Expanded event tracking to include delete operations
AppScan parsing improvements to handle special characters in data
Performance improvements on Application and Team detail pages
Bug fixes
2.6
(May '18)
jms.properties update for queue persistence. NOTE: If upgrading your deployment, you will need to use the new file instead of the previous. Refer to /wiki/spaces/TDOC/pages/437026817 for more info.
applicationContext-scheduling.xml update. NOTE: If upgrading your deployment, you will need to use the new file instead of the previous.
Organized permissions into categories and added new ones for: managing tags, viewing the queues, managing versions, editing remote provider configurations, and deleting scans
Queue management: ability to view & cancel queued tasks
Dashboard reports are now customizable
Policy updates:
Consolidated policy management...merged CI/CD policy page into the Manage Policies page
Policies can now be associated to teams and tags
Policy list can be updated in Application Details page
Pass criteria can be grouped
Ability to modify existing vulnerability comments
ThreadFix file format
Reworked Black Duck integration (we recommend removing existing integrations and creating new ones)
Report caching
Fixed issue in Fortify parser which could mark vulnerabilities as "False Positive" incorrectly. Issue will be automatically updated on next scan upload after upgrade
API updates (see Change Log)
Bug Fixes
2.5.3
(Mar '18)
WhiteHat integration improvements
Automatic defect creation for Remote Provider imports
New permissions
Jira integration enhancements
Usability and performance improvements
API updates (see Change Log)
Bug Fixes
2.5.2
(Feb '18)
jdbc.properties update. NOTE: If upgrading your deployment, use the new file instead of the previous.
MS SQL: Updated the connection string
MySQL: Changed driver to MariaDB
Additional parameters added
security.xml update. NOTE: If upgrading your deployment, use the new file instead of the previous.
Significant performance improvements in large environments
Support for multiple Active Directory domains and servers
...If upgrading from a previous version, hard-refresh the login page (or clear cache) to resolve browser caching issue
Updated application trending graph to represent “real time” data
Improved database connection pooling
Improved scanner integration with Fortify SCA, Fortify on Demand, Checkmarx, Netsparker, and Black Duck
Improvements to event logging
CSV export improvements for large data sets
New permission controls
Removed Nessus scan agent and ZAP plugin
API update (see Change Log)
Bug Fixes
2.5.1.16
(Feb '18)
Updated SSVL parser to ingest scans with zero vulns
2.5.1.12 - 2.5.1.15
(Dec '17 - Jan '18)
Updated integration with AppScan Enterprise, Black Duck and Checkmarx
Remote Provider improvements for bulk imports
Improved handling & display of scans' original Scan Date and subsequent Updated Date
Added new filter policy statuses so a policy isn't considered passing/failing without sufficient reason
API update (see Change Log)
Bug fixes
2.5.1.10
(Nov '17)
Improved integration with VSTS defect tracker ("Microsoft TFS" in menu)
Updated Fortify on Demand Remote Provider integration to connect to new endpoint
Bug fixes
2.5.1.2 - 2.5.1.7
(Oct '17)
Scan upload/delete performance improvements
API update (see Change Log)
Bug fixes
2.5.1.1
(Sep '17)
Remote Provider errors are saved in the Scan Upload Messages section of the Error Messages page
Scan Upload errors are more visible to users at the time they occur
Added Rally Defect Tracker integration
API update (see Change Log)
Bug fixes
2.5.1
(Sep '17)
Added the ability to bring in new changes from Remote Providers without requiring a new scan, via "Force Import"
New Netsparker Enterprise Remote Provider, through use of our Netsparker Plugin
Improved merged finding behavior
Fortify parser improvements
Added a button to clear LDAP settings
New LDAP User management options: importing new LDAP users and pruning outdated LDAP users are separate buttons now
New "Updated Date" support for select scanners; for some scanners such as Fortify, ThreadFix will show the date the scan was originally run as well as the date the scan was last modified
New Scanner Management options in System Settings; you can now restrict Scanners so that users cannot upload scans from that scanner type
API update (see Change Log)
Bug fixes
2.5.0.7
(Jul '17)
"Update Remote Provider Applications" feature changed to "Sync Remote Provider Applications"
CSV v2 Export improvements
Performance improvements in Manage Groups page and for scan deletions
Vuln mapping updates
API update (see Change Log)
Bug fixes
2.5.0.3 - 2.5.0.6
(Jun '17)
Added Fortify SSC Remote Provider integration
Updated Fortify Filter Set restriction capability
Vuln mapping updates
Added an expanded CSV export (CSV v2)
Jenkins plugin for CI/CD automation (available upon request)
Bug fixes
2.5.0.2
(May '17)
Added ability to restrict the Fortify Filter Set for an application
LDAP User bulk import is now a "Sync User" function, removing LDAP users no longer in LDAP system and adding new ones
Moved SMTP configuration into the UI and database (credentials are encrypted)
Created tool to encrypt jdbc.properties before launching ThreadFix for the first time (available upon request)
API update (see Change Log)
Bug fixes
2.5.0.1
(May '17)
Improved GRC integration with ServiceNow
Improved security for REST API calls (see Change Log)
Bug fixes
2.5
(Apr '17)
CI/CD Integration
UX and performance improvements
Ability to cancel pending scan uploads and deletions
Remote Provider integration redesign
Added file storage retention policy
Support for updated Arachni format
Support for dynamic scans in Fortify On Demand
Support for additional LDAP and SAML providers
Default logging level changed from DEBUG to INFO
API update (see Change Log)
Bug fixes
2.4.6
(Feb '17)
Added Remote Provider imports to the Scan Queue
Improves notifications in Blue Banner to reflect when scans are uploaded in bulk.
Bug fixes
2.4.5
(Jan '17)
Adds standard Scan Uploads through UI and REST to the Scan Queue alongside Scan Deletion; to upload to the queue via REST, use the "v2.4.5" or "latest" extension in the REST call
Adds a Blue Banner to Application Detail pages that shows the status of any queued scans
Adds a new section to the Errors page for scan upload errors
Minor performance improvements around Scan Detail page
More efficient JIRA defect status updates
Adds a workFolder parameter to custom.properties, to set a location for ThreadFix to write files to on startup
Improves IBM AppScan Enterprise remote provider integration
Vulnerabilities filtered out as false positive by Fortify scan filters are no longer brought into ThreadFix
Hides passwords typed during Scan Agent configuration
API update (see Change Log)
Bug fixes
2.4.2
(Nov '16)
Reduces the time it takes to import scans from Veracode
Gives all users the ability to generate their own API Keys
Retrieves Scanner Descriptions and Recommendations for WhiteHat
Improves page load speed for Scan Detail page
Adds tracking for mapping deletion to Unmapped Finding histories
Enhanced Fortify support
Refactors GRC Service Now integration
Bug fixes
2.4.0
(Jul '16)
Vulnerability Hotspot detection
Ability to create manual findings not associated with a CWE
Alternate pivots when viewing issue trees
API versioning system
Login History auditing
Custom vulnerability mapping auditing
Support for managing and pushing to multiple defect trackers per application
Cron expression support for schedulers
Provide latest scan agent jar file from within the application
Expanded CLI and REST capabilities
UX Improvements
API update (see Change Log)
New integrations and integration improvements:
Black Duck as a Remote Provider
Barracuda WAF Integration
Nessus Scan Agent
BugZilla 5.0
On premises Contrast
SAML Authentication
Fortify integration improved and updated
App Scan integration improved and updated
Checkmarx integration improved and updated
Bulk create user feature for LDAP integrations
More robust Defect Tracker issue status reporting
2.3.4
(Apr '16)
Resolve hostname confusion with Acunetix findings reporting “localhost” in certain instances
Improve Burp Scan Agent support for newer versions of Java
Improve ThreadFix behavior around a poor JIRA connection
Improve vulnerability reopen logic within Burp
Improve user feedback around Defect Tracker connection
Improve performance with scan upload
Improvements to Acunetix merging
Bug fixes
2.3.3
(Mar '16)
Fix favicon.ico request error if ThreadFix is not deployed at /threadfix
Fix foreign key constraint issues in some cases
Fix issues with some larger environments when using SQL Server as the DB
2.3.2
Add type-ahead for JIRA user group
2.3.1
Added Remote Provider Support for Checkmarx
JDBC properties de/encrypt update
Increase character limit for comments on vulnerabilities
Table of Contents
- 1 ThreadFix Version Release Notes
- 2 Legacy 2.8 Release Notes
- 3 Legacy Release Notes
- 3.1 2.7.9
- 3.2 2.7.8
- 3.3 2.7.7
- 3.4 2.7.6
- 3.5 2.7.5
- 3.6 2.7.4
- 3.7 2.7.3
- 3.8 2.7.2
- 3.9 2.7.1
- 3.10 2.7
- 3.11 2.6.2
- 3.12 2.6.1
- 3.13 2.6
- 3.14 2.5.3
- 3.15 2.5.2
- 3.16 2.5.1.16
- 3.17 2.5.1.12 - 2.5.1.15
- 3.18 2.5.1.10
- 3.19 2.5.1.2 - 2.5.1.7
- 3.20 2.5.1.1
- 3.21 2.5.1
- 3.22 2.5.0.7
- 3.23 2.5.0.3 - 2.5.0.6
- 3.24 2.5.0.2
- 3.25 2.5.0.1
- 3.26 2.5
- 3.27 2.4.6
- 3.28 2.4.5
- 3.29 2.4.2
- 3.30 2.4.0
- 3.31 2.3.4
- 3.32 2.3.3
- 3.33 2.3.2
- 3.34 2.3.1
- 4 Table of Contents
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.