As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Manual Findings
Deprecated
As of ThreadFix 2.8 this feature has been replaced with the Pen Test feature. For all manual vulnerability submissions in ThreadFix 2.8 or later please refer to that documentation page.
Importing vulnerabilities from scanner files is quick and convenient, but ThreadFix also allows you to easily add manual vulnerabilities to your applications for tracking. This guide details the process for creating static or dynamic findings and how you can interact with these vulnerabilities once you have created them.
Creating Manual Findings
Via the Web UI
The first thing you will want to do is navigate to your application's detail page. Click 'Teams', then your application's name.
Once on the application detail page, click the 'Action' dropdown next to your application's name and select 'Add Manual Finding'.
Here, you choose whether your manual finding is 'Static' or 'Dynamic' and fill out the appropriate fields.
Examples:
Dynamic finding:
Static finding:
Field descriptions:
The 'CWE' is the vulnerability category that best represents the threat that you have discovered.
If the finding is not associated with a CWE, you may leave it blank.
The 'Description' provides helpful information about the specific vulnerability detected.
The rest of the fields allow you to specify where exactly the threat was observed.
Click the 'Submit Finding' button. You will see a success message stating that a manual finding has been added to the application.
Via the REST API
You can likewise create manual findings via REST API ("Add Manual Finding"). More info here.
In order to create a manual finding without a CWE, use None as the vulnType.
Viewing Manual Findings
Now that you have created a manual finding, you will be able to view in the vulnerability tree towards the bottom of your application's detail page.
The boxed icons in the picture above will allow you to (from left to right) view comments, supporting file attachments, and attack paths for the finding.
Clicking 'View More' will bring you to a Vulnerability Details page that gives you options for editing your manual finding, adding comments to it, or attaching supporting files. This page also provides a good overview of the finding and its associated vulnerability type.
The 'View Finding' link will bring you to a page with information specifically about your manual finding.
Additionally, any manual findings that you add to an application on a given day will also be collected under the 'Scans' tab on your application's detail page as a manual scan.
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.