As of December 31st, 2023, ThreadFix 2.X has reached End of Life and is no longer supported. For further information, please contact the Success and Implementation team.

Vulnerability Comment Tags

To access the Tags page, click Customize → Tags.

Vulnerability comment tags allow the ThreadFix user to filter comments by any number of sorting criteria. You can sort tagged comments by author, type of vulnerability, feature commented upon and myriad other possibilities.

You create a vulnerability comment tag in the same fashion as the other two tag types. First, click the Create Tag button at the top of the page. The system displays a modal dialog. Choose the COMMENT tag type from the dropdown. Then give your comment tag a name. In this example, the name "Technical Lead" is used.


Click the Create Tag button to save your tag, and add it to the Vulnerability Comment Tags list.


Attach a Vulnerability Comment Tag to a Vulnerability Comment

Now, we can attach our tag to a comment. Go to the vulnerability tree view on your application’s detail page.

The simplest way to add a tag to a comment is for the author to add it during creation. Open a node in the tree view.


Within the vulnerability details, beneath the name of the scanner, are icons for Comments, Files and Scanner Details. Next to them is the number of each type available.

Click on the first icon, Comments. Each icon toggles the view of its own section, so clicking Comments opens the comment details.


Click the Add Comment button. A modal dialog appears, with a dropdown to choose a tag and a text area for the comment text. So far, you have only added a single tag for comments, "Technical Lead," so choose that from the list of existing tags.


Now add your comment and click the Add Comment button to save it.

You will now see your new comment and tag displayed. The comment counter next to the icon has incremented to account for our comment, too.


Batch Commenting and Batch Tagging of Vulnerability Comments

Another method for tagging vulnerability comments is batch tagging through batch commenting. This process works in the same way as the batch tagging of vulnerabilities that you performed earlier.

Open up your vulnerability tree on your application’s details page. This example will use the same SQL injection vulnerability node that you used for vulnerability tagging. Check the Check All checkbox to select all the findings in this node.

Now, click on the Action dropdown, and select Batch Comment.


Choose the tag you would like to apply (here it is "Technical Lead" again), fill in your comment, and click the Add Comment button.

Notice that there are now counts next to the Comments icon. Toggling the comments display, you can see the comment and tag, both applied to all the selected entries at once.


As with vulnerability tags, clicking on the tag’s name takes you to the details page for that tag.


As you have seen, you can apply tags directly to a taggable entity, such as a vulnerability, either individually or in batches. The process demonstrated above adds tags to comments while the batch comment is being created.

It is not possible to apply a batch vulnerability comment tag to untagged vulnerability comments. Instead, you would need to create a new batch comment and tag the entities as part of that comment.



Copyright © 2024 Coalfire. All rights reserved.
