Scan Upload Automation

Required

Scans to be uploaded
ThreadFix Command Line Interface (CLI)
- Download (tfcli.jar) from ThreadFix by clicking Configuration (Cog) → Download Tools and clicking the corresponding "Jar File" link

ThreadFix CLI Configuration

In order to upload scans to ThreadFix you must set your API Key and your URL.
Issue these commands, substituting your ThreadFix API Key and URL:

java -jar tfcli.jar --set key <apikey>
java -jar tfcli.jar --set url <url>

Uploading

This method allows the upload of a scan file to an application.

java -jar tfcli.jar -u, --upload <Application ID> <File Path>
Example:

denimgroup$ java -jar tfcli.jar --upload 1 /Users/denimgroup/Desktop/threadpak/ThreadFix/test-scans/w3af-demo-site-2.xml
INFO [main] CommandLineParser.main(193) | Uploading /Users/denimgroup/Desktop/threadpak/ThreadFix/test-scans/w3af-demo-site-2.xml to Application 1.
INFO [main] CommandLineParser.printOutput(287) | Operation successful, printing JSON output.
{"importTime":{"year":2013,"month":8,"dayOfMonth":16,"hourOfDay":9,"minute":30,"second":39},"numberClosedVulnerabilities":0,"numberNewVulnerabilities":1,"numberOldVulnerabilities":0,"numberResurfacedVulnerabilities":0,"numberTotalVulnerabilities":1,"numberHiddenVulnerabilities":0,"numberRepeatResults":0,"numberRepeatFindings":0,"numberInfoVulnerabilities":0,"numberLowVulnerabilities":0,"numberMediumVulnerabilities":0,"numberHighVulnerabilities":1,"numberCriticalVulnerabilities":0,"numberOldVulnerabilitiesInitiallyFromThisChannel":0,"findings":[{"channelVulnerability":{"channelType":{"name":"w3af","url":"http://w3af.sourceforge.net/","version":"1.0-rc6","exportInfo":"The w3af importer needs a configured XML output plugin. The w3af standard scripts contain one called script-xml_output.w3af which generates a valid xml configuration for ThreadFix.","id":19},"name":"Unhandled error in web application","code":"Unhandled error in web application","id":4010},"nativeId":"b7332f6bfad9240f7bc712b3b3579a9f","channelSeverity":{"name":"Medium","code":"Medium","numericValue":3,"id":27},"surfaceLocation":{"path":"/demo/","port":0,"id":45},"numberMergedResults":2,"entryPointLineNumber":-1,"isStatic":false,"isFirstFindingForVuln":false,"isMarkedFalsePositive":false,"calculatedUrlPath":"/","createdDate":"Mar 11, 2014 4:10:51 PM","modifiedDate":"Mar 11, 2014 4:10:51 PM","active":true,"id":45},{"channelVulnerability":{"channelType":{"name":"w3af","url":"http://w3af.sourceforge.net/","version":"1.0-rc6","exportInfo":"The w3af importer needs a configured XML output plugin. The w3af standard scripts contain one called script-xml_output.w3af which generates a valid xml configuration for ThreadFix.","id":19},"name":"OS commanding vulnerability","code":"OS commanding vulnerability","id":3993},"nativeId":"7defd04bac3089120e2187d1c28fccb3","channelSeverity":{"name":"High","code":"High","numericValue":4,"id":29},"surfaceLocation":{"parameter":"fileName","path":"/demo/OSCommandInjection2.php","port":0,"id":46},"numberMergedResults":1,"entryPointLineNumber":-1,"isStatic":false,"isFirstFindingForVuln":false,"isMarkedFalsePositive":false,"calculatedUrlPath":"/OSCommandInjection2.php","createdDate":"Mar 11, 2014 4:10:51 PM","modifiedDate":"Mar 11, 2014 4:10:51 PM","active":true,"id":46}],"id":3}

Automation

There are a few different ways that automation can be achieved but the basic outline is as follows:

Schedule scan.
Scan complete.
Upload scan to ThreadFix using CLI.

Setting up a CRON job to run your automatic upload script would be a great option. It would follow the outline above and run at the desired intervals. Example below using the Checkmarx CX Console:

    #!/bin/bash
    #Scan
    ./runCxConsole.sh scan -CxServer <host> -projectName <projectName>
    -CxUser <username> -CxPassword <password> -LocationType <LocationType>     
    -locationPath <locationpath>

    #Upload
    java -jar tfcli.jar -s key <API_KEY>
    java -jar tfcli.jar -s url <THREADFIX_URL>
    java -jar tfcli.jar -u <APP_ID> <FILE>

Another option is to use something similar to Jenkins to automate this process.