As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

System Settings

The System Settings page provides configuration options and defaults for many administrative functions. The settings are divided into sections, each located under the appropriate tab. 

Login Settings

Default LDAP/SAML Role

When LDAP or SAML users log in, ThreadFix can assign them a default role. If you do not select a role here, a user who has not been granted permissions in ThreadFix beforehand will be unable to access any data after logging in. To configure per-team and per-application permissions for an LDAP or SAML user before their first login, create a ThreadFix user whose username matches their LDAP or SAML username and add that user to the desired group(s) and/or role(s).

LDAP Settings

Enter the URL, Search Base, User DN, and Password to connect to your LDAP (Microsoft Active Directory) server if you choose to use LDAP authentication.

You can use Active Directory Overrides to integrate with non-AD LDAP services. To do so, specify the Login Filter, Users Filter, Groups Filter, and User's Groups Filter that will return the corresponding value(s).

Examples of Active Directory Overrides (the {0} placeholder stands for the value being looked up: the login name, or the group name in the Groups Filter):

  • Login Filter: override filter to get the account of the person logging in, e.g. (uid={0})

  • Users Filter: override filter to get the list of users in the directory, e.g. (objectClass=User)

  • Groups Filter: override filter to get the list of groups in the directory, e.g. (&(objectClass=group)(cn={0}))

  • User's Groups Filter: override filter to get the list of groups for a user, e.g. (&(memberUid={0})(objectClass=posixGroup))
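The following is an added example, not ThreadFix code: it renders the four override filters above for a given login, so you can see what each one expands to before entering it. ThreadFix substitutes the value for {0} itself; how it escapes that value is not documented on this page, so the RFC 4515 escaping applied here is a safeguard of this example, not a description of ThreadFix's behaviour. The user name jdoe and the group name threadfix-admins are made up.

```python
"""Render ThreadFix-style LDAP override filters with RFC 4515 escaping.

Added example, not ThreadFix code. ThreadFix replaces {0} in each override
filter with the value being looked up; the escaping below is applied by this
example as a safeguard and is not a description of ThreadFix's own handling.
"""
from typing import Dict, Optional

# The override filters from the examples above.
OVERRIDES = {
    "login": "(uid={0})",
    "users": "(objectClass=User)",
    "groups": "(&(objectClass=group)(cn={0}))",
    "users_groups": "(&(memberUid={0})(objectClass=posixGroup))",
}

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so that a value cannot change the structure of the filter.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: Optional[str] = None) -> str:
    """Substitute {0} in an override template with the escaped value.

    Templates without {0} (the Users Filter above) are returned unchanged;
    a template that needs {0} but gets no value is a configuration error.
    """
    if "{0}" not in template:
        return template
    if value is None:
        raise ValueError(f"filter {template!r} needs a value for {{0}}")
    return template.replace("{0}", escape_filter_value(value))


def resolve_filters(username: str, group: str) -> Dict[str, str]:
    """Render every override filter the way a login for `username` would use it."""
    return {
        "login": build_filter(OVERRIDES["login"], username),
        "users": build_filter(OVERRIDES["users"]),
        "groups": build_filter(OVERRIDES["groups"], group),
        "users_groups": build_filter(OVERRIDES["users_groups"], username),
    }


if __name__ == "__main__":
    # Made-up user and group names.
    for name, flt in resolve_filters("jdoe", "threadfix-admins").items():
        print(f"{name:13s} {flt}")
    # A crafted login name is neutralised instead of rewriting the filter.
    print(build_filter(OVERRIDES["login"], "*)(objectClass=*"))
```

Run it to see the expanded filters; the last line shows why the value substituted for {0} must be escaped rather than pasted in.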



You can also create multiple LDAP integrations as needed.

LDAPS Support

ThreadFix supports using LDAPS to connect to your LDAP server. Begin the URL with ldaps:// and use port 636 (or whatever port your server uses for LDAPS connections).

Example URL:

ldaps://my.ldap.server:636/

Note: You may need to import your LDAP server's certificate into your trust store. For more information on this, see: Importing External Site's Certificate
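An added example (not part of ThreadFix) for checking an LDAPS URL and the trust store before putting them into LDAP Settings: parse_ldap_url() enforces the ldaps scheme and the 636 default described above, and probe_ldaps() performs a TLS handshake using a PEM file of your choice (for example the CA certificate you intend to import), so an untrusted or expired certificate shows up here rather than as a failed login in the ThreadFix UI. The host name my.ldap.server is the one from the example URL; probe_ldaps() needs network access to that host.

```python
"""Check an LDAPS URL and certificate trust before configuring ThreadFix.

Added example, not ThreadFix code. parse_ldap_url() is purely local;
probe_ldaps() opens a real TLS connection and therefore needs network access.
"""
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlsplit

LDAPS_DEFAULT_PORT = 636


def parse_ldap_url(url: str) -> Tuple[str, int]:
    """Return (host, port) for an ldaps:// URL; plain ldap:// is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps":
        raise ValueError(f"expected an ldaps:// URL, got scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAPS URL has no host")
    return parts.hostname, parts.port or LDAPS_DEFAULT_PORT


def probe_ldaps(url: str, cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Connect the way a client trusting `cafile` (or the system store) would.

    On success returns the peer certificate's subject and expiry; on failure
    returns the verification error, e.g. a self-signed certificate that has
    not been imported into the trust store.
    """
    host, port = parse_ldap_url(url)
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "not_after": cert.get("notAfter"),
                    "tls_version": tls.version(),
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": f"certificate not trusted: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "ldaps://my.ldap.server:636/"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_ldaps(target, ca))
```

Usage: python3 probe.py ldaps://my.ldap.server:636/ /path/to/ldap-ca.pem. A result with "certificate not trusted" means the certificate still has to be imported into the trust store ThreadFix's JVM uses, as the note above describes.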

SAML Settings

Click the 'ThreadFix Metadata' button to generate an XML file (the service-provider metadata) you can use to configure your SAML IdP to work with ThreadFix. Enter the IDP Metadata URL from your SAML IdP and click the 'Download Metadata' button; ThreadFix then connects to the IdP and, once you type at least one character in the User Display Name field, offers a menu of attributes from which to select how the user's name will appear in the page header after logging in via the SAML IdP.

There are some limitations on the Display Name options, based on what the IdP returns when its metadata is requested. ThreadFix currently knows what to expect from the Azure SAML response; other IdPs do not always list the possible naming attributes in their metadata, so for them ThreadFix is unable to populate this field on initial configuration.

ThreadFix can, however, determine these fields on user login. The information is then logged and has the following format:

WARN [http-nio-8080-exec-8] CustomSamlUserDetailsServiceImpl.loadUserBySAML(63) | Display Name for User wasn't set. Display by default Name ID.
INFO [http-nio-8080-exec-8] CustomSamlUserDetailsServiceImpl.loadUserBySAML(78) | Possible display name attributes: {FirstName,LastName,Email,DisplayName}

You can then modify the field in System Settings to reflect the field you wish to display.

Consequently, you cannot give an individual SAML user a custom Display Name: it reverts to the attribute selected in System Settings the next time the user logs in.
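An added example, not ThreadFix code, for pulling those attribute names out of the ThreadFix log instead of reading through it by hand: SAMPLE_LOG holds the two lines quoted above in the format this page shows, grouped by Tomcat thread so that one login's WARN and INFO lines stay together, and suggest_display_name() picks the attribute to enter under SAML Settings. The preference order DisplayName, Email, FirstName is an assumption of this example.

```python
"""Scan a ThreadFix log for the SAML display-name attributes it reports.

Added example, not ThreadFix code. SAMPLE_LOG reproduces the two log lines
shown on this page; scan_saml_log() works on any log text in that format.
"""
import re
from typing import Dict, List, Sequence

SAMPLE_LOG = (
    "WARN [http-nio-8080-exec-8] CustomSamlUserDetailsServiceImpl.loadUserBySAML(63) "
    "| Display Name for User wasn't set. Display by default Name ID.\n"
    "INFO [http-nio-8080-exec-8] CustomSamlUserDetailsServiceImpl.loadUserBySAML(78) "
    "| Possible display name attributes: {FirstName,LastName,Email,DisplayName}\n"
)

# Level, the Tomcat thread in brackets, then the message after the " | " separator.
LINE_RE = re.compile(r"^(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]+)\]\s+.*?\|\s*(?P<msg>.*)$")
ATTRS_RE = re.compile(r"Possible display name attributes:\s*\{([^}]*)\}")


def scan_saml_log(text: str) -> Dict[str, dict]:
    """Per thread: whether the display name fell back to Name ID, and the attributes offered."""
    result: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = result.setdefault(m["thread"], {"unset": False, "attributes": []})
        msg = m["msg"]
        if "Display Name for User wasn't set" in msg:
            entry["unset"] = True
        found = ATTRS_RE.search(msg)
        if found:
            entry["attributes"] = [a.strip() for a in found.group(1).split(",") if a.strip()]
    return result


def suggest_display_name(
    attributes: List[str],
    preferred: Sequence[str] = ("DisplayName", "Email", "FirstName"),  # assumed preference order
) -> str:
    """First preferred attribute the IdP actually sent, else ThreadFix's Name ID default."""
    for name in preferred:
        if name in attributes:
            return name
    return "Name ID"


if __name__ == "__main__":
    for thread, info in scan_saml_log(SAMPLE_LOG).items():
        print(thread, info, "->", suggest_display_name(info["attributes"]))
```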

When ThreadFix is hosted behind a load balancer or reverse proxy, you may need to add an entityBaseURL property and value to the metadataGeneratorFilter bean in <threadfix-deploy>/WEB-INF/security.xml so that the SAML endpoints are generated with the public FQDN instead of an internal IP.

Example:

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="http://saml.threadfix.denimgroup.com"/>
            <property name="entityBaseURL" value="https://threadfix.domain.com:443"/>
        </bean>
    </constructor-arg>
</bean>



If TLS terminates at your load balancer and the Tomcat instance hosting ThreadFix listens on plain HTTP, you will also need to add scheme="https" to the connector in the <tomcat-deploy>/conf/server.xml file, so that Tomcat treats requests arriving on that connector as HTTPS when building URLs.

Example:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" scheme="https" redirectPort="8443"/>
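After both changes, download the file from the 'ThreadFix Metadata' button and confirm that every endpoint in it carries the public FQDN and https scheme. The following check is an added example, not ThreadFix code. The two metadata documents in it are constructed: the entityID is the one from the security.xml example above, while the endpoint paths and the internal address 10.0.0.12 are assumptions.

```python
"""Check that ThreadFix's generated SP metadata uses the public base URL.

Added example, not ThreadFix code. METADATA_BEFORE is a constructed picture of
metadata generated from the internal HTTP connector; METADATA_AFTER is the
same metadata as entityBaseURL="https://threadfix.domain.com:443" would yield.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ENDPOINT_TAGS = ("md:AssertionConsumerService", "md:SingleLogoutService")

# Constructed sample: endpoint paths and the 10.0.0.12 address are assumptions.
METADATA_BEFORE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://saml.threadfix.denimgroup.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://10.0.0.12:8080/threadfix/saml/SSO" index="0" isDefault="true"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://10.0.0.12:8080/threadfix/saml/SingleLogout"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
METADATA_AFTER = METADATA_BEFORE.replace("http://10.0.0.12:8080", "https://threadfix.domain.com:443")


def _origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port) with the default port filled in, so :443 equals no port."""
    p = urlsplit(url)
    default = {"https": 443, "http": 80}.get(p.scheme.lower())
    return p.scheme.lower(), (p.hostname or "").lower(), p.port or default


def endpoint_locations(metadata_xml: str) -> List[str]:
    """Every endpoint Location the IdP would be told to send responses to."""
    root = ET.fromstring(metadata_xml)
    return [
        el.attrib["Location"]
        for tag in ENDPOINT_TAGS
        for el in root.findall(f".//{tag}", MD_NS)
        if "Location" in el.attrib
    ]


def bad_endpoints(metadata_xml: str, expected_base: str) -> List[str]:
    """Locations whose scheme, host or port differ from the public base URL."""
    expected = _origin(expected_base)
    return [loc for loc in endpoint_locations(metadata_xml) if _origin(loc) != expected]


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:  # python3 check_metadata.py metadata.xml https://threadfix.domain.com
        with open(sys.argv[1], encoding="utf-8") as fh:
            problems = bad_endpoints(fh.read(), sys.argv[2])
    else:
        problems = bad_endpoints(METADATA_BEFORE, "https://threadfix.domain.com")
    print("\n".join(problems) if problems else "all endpoints use the public base URL")
```

An empty result means the IdP will receive only public https endpoints; any line printed is an endpoint the IdP would try to post an assertion to over the internal address or over plain HTTP.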



LDAP-Linked SAML Configuration:

In 2.7.6, we added the ability for users to log in using SAML while managing their permissions with a linked LDAP server.

Steps to configure LDAP-linked SAML:

  • First, the IdP used for SAML SSO must be configured to delegate authentication to the LDAP server of your choice. Consult the IdP's documentation to see whether this is supported and for configuration instructions.

  • The user's LDAP username must be mapped either to the NameID or to an additional attribute in the SAML response; this is the value ThreadFix matches against the LDAP directory.

  • Once the IdP is configured for LDAP-delegated authentication, navigate to the System Settings page in ThreadFix.

  • If the LDAP server used for authentication is not already configured, create a new LDAP server for it under LDAP Settings.

  • Next, open the SAML Settings and select "LDAP" in the Authentication Type dropdown.

  • Finish the LDAP-linked SSO setup by filling in the remaining required fields and saving the changes.

  • The LDAP Server Account should be the server configured in the steps above.

  • The LDAP Username Field is based on the mapping defined in the IdP for the user's LDAP username. This may be NameID or the name of a custom attribute.
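When deciding what to enter in the LDAP Username Field, it helps to look at a decoded SAML response from the IdP and confirm the LDAP username is actually present where you expect it. The following is an added example, not ThreadFix code: ldap_username() reads the value from NameID or from a named attribute, mirroring the two choices above, and returns None when the response carries no such value, which is the mapping error the note above warns about. The response is constructed (made-up user, no signature) and the attribute name ldapUsername is an assumption. This inspects a response you have already decoded during setup; it performs no signature validation and must not be used as a login path.

```python
"""Extract the LDAP username ThreadFix would look up from a SAML response.

Added example, not ThreadFix code. SAMPLE_RESPONSE is constructed and
unsigned; the attribute name "ldapUsername" is an assumption.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample response for a made-up user.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="ldapUsername">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="DisplayName">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def decode_saml_response(raw: str) -> str:
    """Accept either raw XML or the base64 SAMLResponse form value a browser posts."""
    stripped = raw.strip()
    if stripped.startswith("<"):
        return stripped
    return base64.b64decode(stripped).decode("utf-8")


def ldap_username(response_xml: str, username_field: str) -> Optional[str]:
    """Value for the LDAP Username Field setting: "NameID" or an attribute Name.

    Returns None when the response does not carry that value, i.e. the IdP
    mapping is incomplete and LDAP-linked login cannot identify the user.
    """
    root = ET.fromstring(response_xml)
    if username_field == "NameID":
        el = root.find(".//saml:Subject/saml:NameID", NS)
        return el.text.strip() if el is not None and el.text else None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.attrib.get("Name") == username_field:
            val = attr.find("saml:AttributeValue", NS)
            return val.text.strip() if val is not None and val.text else None
    return None


if __name__ == "__main__":
    xml_text = decode_saml_response(SAMPLE_RESPONSE)
    for field in ("NameID", "ldapUsername", "sAMAccountName"):
        print(f"{field:15s} -> {ldap_username(xml_text, field)!r}")
```

With the sample above, choosing NameID would send the e-mail address to LDAP, which only works if the Login Filter matches on that attribute; choosing ldapUsername sends the short name. Whichever you pick must match what the linked LDAP server's Login Filter expects for {0}.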



Default Login Tab

You can specify the default login tab that's enabled when navigating to your ThreadFix login page: Local, LDAP, or SAML (the latter two only appear when their respective settings are configured).

Session Timeout

Length of time, in minutes, that a session may remain inactive before ThreadFix destroys it and forces the user to re-authenticate. The default of thirty (30) minutes is also the maximum; you can only adjust this value downward.

Limit Login Records

You can specify how many login records to save or select the 'Unlimited' checkbox if you want to save all.

Default Page

You can specify the default landing page after logging in to ThreadFix. Options are Dashboard and Portfolio. Note that this applies to all users.


Report Settings

Dashboard Settings

Configuration settings for report placement on the Dashboard. The administrator can change the layout of report graphs, recent uploads and recent comments on vulnerabilities.

You can customize these reports by using saved filters (e.g., create a filter for critical and high severity vulns and select it for the 'Most Vulnerable Applications' report).

In order for a filter to encompass all teams and applications, you need to create it in the Vulnerability Search tab within the Analytics page. If you create the filter within an application details or team details page, the filter will be restricted to this app or team, respectively.

You can also choose to omit reports altogether by selecting the blank line from the pull-down menu for any/all of them. (2.7.7+)

Application Detail Page Settings

Configuration settings for report placement on the Application Detail page.

You can likewise choose to omit reports altogether by selecting the blank line from the pull-down menu for any/all of them. (2.7.7+)

Team Detail Page Settings

Configuration settings for report placement on the Team Detail page.

You can likewise choose to omit reports altogether by selecting the blank line from the pull-down menu for any/all of them. (2.7.7+)

Shared Vulnerability Schedule

The Shared Vulnerability Schedule feature allows a user to select a time at which to calculate the Shared Vulnerability report in the Hotspot section of the Analytics page. This patented calculation analyzes data flows from static results across all applications within ThreadFix to find areas of overlap that indicate a likelihood of shared vulnerable source code. Because of the very large memory and processing requirements of this feature, users interested in the Shared Vulnerability Schedule should contact ThreadFix Support for recommendations when large sets of vulnerabilities exist within their instance.

  1. Checking the Enable Schedule Update box allows users to set a customized updating schedule.

  2. Once checked, a default frequency and update time will display. To change from the default schedule, click the Modify Schedule button.

  3. Within the Schedule Shared Vulnerability Updating modal, set the desired Scheduling Method, Frequency, Time, and Time zone, then click the Submit button.

  4. The modified schedule will now display.

Scanner Settings

Available Scanners

The order in this table defines Scanner Priority, which is used to display Vulnerability information found by more than one Scanner.

Allow Import

You can also restrict the ability to import any scanner type by selecting it in the left column and toggling Allow Import to No.

Create a New Scanner (v2.6+)

You have the ability to create a new scanner and import custom .ThreadFix files into ThreadFix in order to consume penetration test results and other third-party vulnerability reports. Scans from a newly created scanner are subject to the same Allow Import toggle as the built-in scanners.

Export Settings

Vulnerability Export Settings

This page gives you a list of vulnerability data that ThreadFix can export. By dragging and dropping objects into the Columns to Export box, you can customize the default fields you would like to see exported. If the Columns to Export box is left blank (default), all fields will be included in the export.

Other Settings

Proxy Settings

This defines an optional proxy for ThreadFix to use for its external integrations. This proxy is configurable for each service. For example, you can have ThreadFix use the proxy when making requests to WhiteHat but not use the proxy for JIRA.

Email Settings

Configure Email Properties

As of 2.5.0.2, email is configured via the UI or the REST API; credentials are encrypted and stored in the database rather than in the email.properties file.

  1. UI Path: Global → Administration → System Settings → Other Settings (tab) → Email Settings

  2. API config: Configure Email Settings - API

  3. The following fields correspond with the previously-used settings in the email.properties file:

    • Email Host = mail.host

    • Email Port = mail.port

    • Email Sender = mail.smtp.from

    • Email User = mail.username

    • Email Password = mail.password

    • Enable TLS = mail.smtp.starttls.enable

    • SMTP Authorization = mail.smtp.auth

    • Email Filter = custom.filters (comma-separated email address filters, supporting the * wildcard). Addresses that match no filter are rejected at sending time for security reasons. Filters are not required in order to save the email settings, but they define the allowed recipient addresses: without any filters, no emails will be sent.
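The following is an added example, not ThreadFix code, of what that filter rule means in practice: it splits a custom.filters value into patterns and partitions a recipient list into the addresses that would be sent and those that would be rejected, including the case where the filter list is empty and nothing goes out. That only * is special and that the whole address is matched case-insensitively are assumptions of this example; the page says only that filters are comma separated and support the * wildcard. All addresses are made up.

```python
"""Apply Email Filter patterns to outgoing recipients before sending.

Added example, not ThreadFix code. Matching the whole address, ignoring
case, and treating only * as a wildcard are assumptions made here.
"""
import re
from typing import Iterable, List, Tuple


def parse_email_filters(raw: str) -> List[str]:
    """Split the comma-separated custom.filters value into patterns, dropping blanks."""
    return [p.strip() for p in raw.split(",") if p.strip()]


def _pattern_regex(pattern: str):
    # Escape everything, then turn the literal * back into "any run of characters"
    # and anchor both ends so "*@example.com" cannot match "x@example.com.evil".
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)


def is_recipient_allowed(address: str, filters: List[str]) -> bool:
    """True only if at least one filter matches; an empty filter list allows nothing."""
    return any(_pattern_regex(f).match(address.strip()) for f in filters)


def split_recipients(addresses: Iterable[str], raw_filters: str) -> Tuple[List[str], List[str]]:
    """Partition recipients into (allowed, rejected) the way sending time would."""
    filters = parse_email_filters(raw_filters)
    allowed: List[str] = []
    rejected: List[str] = []
    for addr in addresses:
        (allowed if is_recipient_allowed(addr, filters) else rejected).append(addr)
    return allowed, rejected


if __name__ == "__main__":
    # Made-up recipients and filter value.
    recipients = ["Alice@Example.com", "bob@evil.example", "secops@partner.org"]
    print(split_recipients(recipients, "*@example.com, secops@partner.org"))
    print(split_recipients(recipients, ""))  # no filters configured: nothing is sent
```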

License Information

Information about your ThreadFix license, including the number of applications that your license allows, how many of those applications have been used, and the license expiration date. When a license expiration date is approaching, a warning will display on the dashboard and will also be logged when the user logs in.

Vulnerability Close Settings

Check this box to close a merged vulnerability only when every scanner that reported it now reports it closed. This setting applies only to merged vulnerabilities (findings from more than one scanner that ThreadFix has combined into one vulnerability).
By default, ThreadFix closes a vulnerability as soon as any one of the scanners that found it reports the vulnerability fixed.

ThreadFix Base URL

ThreadFix uses this field to construct absolute URLs for links included in emails and in defect tracker descriptions. Because the correct value depends on your server and network setup, ThreadFix expects you to supply it. If the field is left empty, ThreadFix populates it automatically from the first connection it receives; behind a load balancer or reverse proxy that value may reflect an internal address rather than the public FQDN (compare the entityBaseURL note under SAML Settings), so set it explicitly in such deployments. The system will alert you and require manual reconfiguration if you change your network configuration.

Enable Risk Ratings

This allows you to toggle the Risk Ratings features, allowing you to view your portfolio of applications by their relative risk to your organization to help prioritize testing and remediation activities on the riskiest applications first.



Scan File Settings

File Upload Location

ThreadFix stores the scan files uploaded from the time this setting is configured onward in this directory. Users with the Download Scans permission can download them from the Scan Details page or from an application's Scans tab, where a "Download Scan" button is available.

Retention Policy

Per scanner type, you can create a policy specifying a scan file Retention Type (Days or Files) and the number of Days/Files to be retained (i.e., Keep files for x Days or Keep x File(s), respectively).

Days

At midnight each day, ThreadFix will delete files older than the number of days specified in this policy, even if they were already stored in the File Upload Location directory prior to setting this policy. Minimum value is 1 day.

Files

When uploading scans to an application, ThreadFix will delete all scans that exceed the number of files specified in this policy, on a per-application basis (not globally), even if they were already stored in the File Upload Location directory prior to setting this policy. You can set this value to 0 to keep ThreadFix from storing any files from the specified scanner.
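An added example, not ThreadFix code, that works out which stored files the two policy types above would remove, so the per-application Files limit and the global-age Days limit can be compared side by side: Days policies delete every file of that scanner type older than N days (minimum 1), Files policies keep the newest N files per scanner per application and delete the rest (0 keeps none), and scanners without a policy are left alone. That "keep the newest N" is how the Files count is applied is an assumption of this example. The scan records, paths and the scanner name "Manual" are constructed.

```python
"""Evaluate ThreadFix-style scan file Retention Policies against stored files.

Added example, not ThreadFix code. Days: delete files older than N days.
Files: keep the newest N per scanner per application (assumed), 0 keeps none.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class StoredScan:
    path: str
    scanner: str
    application: str
    uploaded: datetime


@dataclass(frozen=True)
class RetentionPolicy:
    retention_type: str  # "Days" or "Files"
    count: int

    def __post_init__(self) -> None:
        if self.retention_type not in ("Days", "Files"):
            raise ValueError(f"unknown retention type {self.retention_type!r}")
        if self.retention_type == "Days" and self.count < 1:
            raise ValueError("Days policy minimum is 1 day")
        if self.retention_type == "Files" and self.count < 0:
            raise ValueError("Files policy cannot be negative")


def scans_to_delete(
    scans: Iterable[StoredScan], policies: Dict[str, RetentionPolicy], now: datetime
) -> List[StoredScan]:
    """Files a run of the policies at `now` would remove."""
    doomed: List[StoredScan] = []
    per_app: Dict[Tuple[str, str], List[StoredScan]] = {}
    for scan in scans:
        policy = policies.get(scan.scanner)
        if policy is None:
            continue  # no policy for this scanner type: keep everything
        if policy.retention_type == "Days":
            if now - scan.uploaded > timedelta(days=policy.count):
                doomed.append(scan)
        else:
            per_app.setdefault((scan.scanner, scan.application), []).append(scan)
    for (scanner, _app), group in per_app.items():
        group.sort(key=lambda s: s.uploaded, reverse=True)  # newest first
        doomed.extend(group[policies[scanner].count:])
    return doomed


# Constructed sample data; "Manual" stands for a custom scanner created for .ThreadFix files.
NOW = datetime(2024, 1, 15, 0, 0)
SAMPLE_SCANS = [
    StoredScan("/scans/app1/burp-2023-12-01.xml", "Burp Suite", "app1", NOW - timedelta(days=45)),
    StoredScan("/scans/app1/burp-2024-01-10.xml", "Burp Suite", "app1", NOW - timedelta(days=5)),
    StoredScan("/scans/app1/checkmarx-1.xml", "Checkmarx", "app1", NOW - timedelta(days=30)),
    StoredScan("/scans/app1/checkmarx-2.xml", "Checkmarx", "app1", NOW - timedelta(days=20)),
    StoredScan("/scans/app1/checkmarx-3.xml", "Checkmarx", "app1", NOW - timedelta(days=10)),
    StoredScan("/scans/app2/checkmarx-4.xml", "Checkmarx", "app2", NOW - timedelta(days=60)),
    StoredScan("/scans/app2/zap-1.xml", "OWASP ZAP", "app2", NOW - timedelta(days=400)),
    StoredScan("/scans/app1/pentest.threadfix", "Manual", "app1", NOW - timedelta(days=1)),
]
POLICIES = {
    "Burp Suite": RetentionPolicy("Days", 30),
    "Checkmarx": RetentionPolicy("Files", 2),
    "Manual": RetentionPolicy("Files", 0),
}

if __name__ == "__main__":
    for scan in scans_to_delete(SAMPLE_SCANS, POLICIES, NOW):
        print("delete", scan.path)
```

In the sample, the 60-day-old Checkmarx file for app2 survives because the Files limit is counted per application, while the 45-day-old Burp file goes regardless of application, and the 400-day-old ZAP file stays because ZAP has no policy.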



www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.