As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Customizing Scanner Severities

Owned by Hector Ruiz (Unlicensed)
Last updated: Feb 24, 2023 by Hruiz
3 min read

ThreadFix also has a set of predefined mappings from scanner severities to ThreadFix severities. You can edit any ThreadFix severity mapping on the Customize Scanner Severities page.

ThreadFix Severity Mappings

The initial page view shows a list of supported scanners. Next to each scanner is an arrow toggle button. Click the arrow and you will see the predefined ThreadFix mappings. There are Expand All and Collapse All buttons that will open or close the toggled view for all scanners.


After opening the predefined mapping for your scanner (in this example, Fortify SCA), select the Generic Severity from the dropdowns on the right that you would like to map to the scanner severity on the left.


Here, the administrator has decided to remap Fortify SCA’s Code Quality severity to a ThreadFix level 4 Generic Severity.


You can remap multiple scanner severities at the same time. When you are finished remapping scanner severities, click the Update button. You will see a success message with the number of updated scanner severities, along with a note saying that ThreadFix is updating all vulnerabilities in the background.


Exclude Severities

In addition to remapping scanner severities, you can exclude them from being processed at all, to save resources. E.g., If you don't want Low nor Note findings from Contrast to be saved into the ThreadFix database and processed, you can exclude them, as shown below:

In this scenario, Low and Note finding data from Contrast will not be added to the ThreadFix database, saving resources.

The excluded severities will take effect as of the next scan onward (i.e., the change is not retroactive).


Suppress Scanner Results

You can choose to create rules that suppress certain scanner results. This differs from exclusions, shown above, in that the findings are ingested & processed by ThreadFix, but they're simply not shown nor counted.

In this example, no one has created any rules yet.


Click the Create New Rule button. You will see a modal dialog with dropdowns that allow you to choose the scanner and level of severity you would like to suppress.


Click the Create Filter button. The dialog will close and you will see a success message. You have now suppressed all Info and Code Quality level vulnerabilities from Fortify SCA.


If you need to edit or remove the rule, click the Edit/Delete button. This brings up a modal dialog that lets you change the level of severity you wish to suppress, or delete the rule entirely.


Editing the rule and clicking Save Edits results in a success message.


If you choose to delete the rule, a browser dialog will prompt you asking if you are certain that you want to delete the rule. Click OK, and you will see a success message.


www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.