As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Customizing ThreadFix Vulnerability Types

You will learn

How to map severity types and user customized text to vulnerabilities.

Prerequisites

Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A

Users can configure severities for CWE types, such as "all XSS vulnerabilities are now Critical." Users can also configure custom remediation text for a CWE that will be included in any defects submitted for that vulnerability.

Severity Mappings

Severity Mappings in ThreadFix give the administrator the ability to remap vulnerabilities to standard CWE types.

  1. First, click on the Application menu from the Navigation sidebar and click on the Customize submenu. Click on ThreadFix Vulnerability Types and from the Severity Mappings tab click on the Create New Mapping button. This brings up a modal dialog for the mapping.

  2. Start typing, for example, "CSRF" into the Source Vulnerability Type field and a dropdown with CWE types that match the text will appear, as seen below.

  3. In the Target Severity Type field, users will see the severity types for applications available to apply to the chosen vulnerability: High, Low, Medium, Critical, Info and Ignore.

    Setting the severity to Ignore will cause all vulnerabilities with the selected CWE to have a status of Hidden; they will thus not be included in the vulnerability count. View these in a vulnerability tree by expanding the Field Controls filter and checking the Hidden box within the Status section. To undo this change, simply delete the mapping created above (click Edit/Delete and then Delete).

  4. Click the Save Mapping button and the newly created mapping will display in the Vulnerability Type (CWE) list.

Custom Severity Text

An administrator can add custom text to vulnerability types as well. These could be general notes, instructions to developers, or any useful information for that particular vulnerability. This custom text will be included in any defects submitted for that vulnerability.

  1. To set custom text for a vulnerability, first click the Custom Text tab and click the Set Custom Text button. This will display a modal dialog.

  2. As in the mappings section, begin typing the name of the vulnerability to be presented with matching CWE types. Select the vulnerability that requires custom text.

  3. Next, type in the desired text to be added.

  4. Click the Set Custom Text button. This saves the text and attaches it to the vulnerability.

  5. Next to the newly added entry is an Edit/Delete button which allows for editing or removal of custom text entries.
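The rules the Severity Mappings and Custom Severity Text sections above describe, modelled in Python as an added illustration (this is not ThreadFix's own code or API; the CWE numbers, findings, filter names and defect format are constructed for the example): a mapping overrides the scanner severity, an Ignore mapping sets the status to Hidden and removes the finding from the count unless the Hidden filter is checked, deleting the mapping undoes that, and custom text is appended to the defect submitted for that CWE.

```python
# Added illustration of the behaviour described on this page; not ThreadFix's
# own code or API. CWE ids, findings and the defect format are constructed.
from dataclasses import dataclass, field

SEVERITIES = {"Critical", "High", "Medium", "Low", "Info", "Ignore"}


@dataclass
class Finding:
    cwe: int
    scanner_severity: str          # severity reported by the scanner
    effective_severity: str = ""   # severity after mappings are applied
    status: str = "Open"           # "Open" or "Hidden"


@dataclass
class VulnTypeConfig:
    severity_mappings: dict = field(default_factory=dict)  # CWE -> target severity
    custom_text: dict = field(default_factory=dict)        # CWE -> remediation note

    def add_mapping(self, cwe: int, target: str) -> None:
        if target not in SEVERITIES:
            raise ValueError(f"unknown severity {target!r}")
        self.severity_mappings[cwe] = target

    def delete_mapping(self, cwe: int) -> None:
        # Deleting the mapping is how an Ignore mapping is undone.
        self.severity_mappings.pop(cwe, None)


def apply_mappings(findings, cfg: VulnTypeConfig):
    for f in findings:
        target = cfg.severity_mappings.get(f.cwe)
        if target == "Ignore":
            # Ignore keeps the scanner severity but hides the finding.
            f.effective_severity, f.status = f.scanner_severity, "Hidden"
        else:
            f.effective_severity, f.status = target or f.scanner_severity, "Open"
    return findings


def visible(findings, show_hidden: bool = False):
    # Models the vulnerability tree with the Hidden status filter on or off.
    return [f for f in findings if show_hidden or f.status != "Hidden"]


def vulnerability_count(findings) -> int:
    return len(visible(findings))


def defect_body(finding: Finding, cfg: VulnTypeConfig) -> str:
    lines = [f"CWE-{finding.cwe} ({finding.effective_severity})"]
    note = cfg.custom_text.get(finding.cwe)
    if note:
        lines.append("Remediation note: " + note)
    return "\n".join(lines)
```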

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.