Global Vulnerability Mapping and Severity Display

You can also remap vulnerability types and toggle the display of severities from the application details page, from the Global tab. This is an alternate workflow for the same functionality that exists in Customize->ThreadFix Vulnerability Types and Customize->ThreadFix Severities. The ability to control global vulnerability remapping and severity display from this page is for convenience. Changes made in either location will appear in both.

These are the same controls as under the Application and Team tabs, and their functions are the same. The only difference is that the scope of the changes is now global.

Click the Global tab, and then click Create New Mapping. Fill in the Source Vulnerability Type field, by typing in either the CWE number or part of its description. Then choose the Target Severity Type. Click the Save Mapping button and the remapping appears in the display list.

Setting the severity to Ignore will cause all vulns with the selected CWE to have a status of Hidden; they will thus not be included in your vulnerability count.

You can view these in a vuln tree by expanding the Field Controls filter and checking the Hidden box within the Status section.

To undo this change, simply delete the mapping created above (click Edit/Delete and then Delete).

Now, navigate to Configuration (cog)->Customize->ThreadFix Vulnerability Types. You can see that the remapping is in the global scope of ThreadFix:

The same thing applies to severity display. Click the Global tab, and then click the checkbox to enable toggling of severity display. For demonstration purposes, we will only allow severities of Critical and High to display.

If you return to the application’s details page, you can see that only High and Critical level vulnerabilities are displayed:

Now, navigate to Configuration> Customize>ThreadFix Severities. You can see that the global changes you made to severity display from the application details page are mirrored here: