As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Creating an Application
You will learn
How to add an application within a designated Team.
Prerequisites
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: Application source code (optional)
Adding Applications
To create a new application within ThreadFix, navigate to the Application menu from the Navigation sidebar and select the Portfolio page.
Click on the team the application will be added to in order to expand its menu and click the Add Application button.
A dialog will pop up requesting details about the application. Fill in the fields as desired and click the Add Application button. The only required field is "Name"; the other fields are described below.
The application will now appear under the chosen team, showing its vulnerability and scan data.
New Application Details
Category | Details |
---|---|
Name | The name field is how ThreadFix will refer to your application throughout the user interface and the API. Each name must be unique within the same Team, but different teams can share application names. This field is required. |
Description | This is a user provided description for the application. |
URL | This is an optional field which, if provided, will be used as the default dynamic test endpoint for any scan agent tasks configured for this application. |
Test Environment | This is a user provided description. |
Unique ID | This is an optional field which can be used to query the API. Unique IDs must be unique across the entire system. |
Team | This is the Team under which this application is being created. |
Criticality | This is an optional field to label the relative sensitivity of the application. This is used in the Analytics Snapshot report "Portfolio". |
Application Type | This is an optional field where a user can provide information about the application's source code. |
Release Frequency | This is an optional drop-down selection for the user to select, from a predefined list, the frequency of reports. |
Associated User | This is an optional drop-down selection of users to associate with the application. |
Tag | This is an optional field that allows a user to attach one or more pieces of metadata to the application. These tags are used in Analytics, Filters, and the API to allow more sophisticated queries of your data. |
Internal Application | This indicates if the app/service is used or can be accessed internally within the organization vs. public/outside the organization. |
Source Code Information | See the Source Code Information section below. |
Disable Vulnerability Merging | This is an optional field that, if selected, disables the merging process ThreadFix applies to scan results from different scanning tools. |
Source Code Information
This hyperlink toggles the "Source Code" section, an optional group of fields that lets a user associate an application with its source code. ThreadFix stores that source code in the threadfix.scratchFolder path specified in the <threadfix-deploy>/WEB-INF/classes/custom.properties file. The source code is saved there when ingesting the first scan after the Source Code Information is saved.
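Because ThreadFix copies application source into the scratch folder, that directory deserves the same access controls as the repository it came from. The script below is an added example, not part of the ThreadFix documentation: it reads threadfix.scratchFolder from a custom.properties file and reports whether the directory grants any permissions to group or others. The properties path, the constructed sample values and the owner-only policy are assumptions.

```shell
#!/bin/sh
# Added example (not ThreadFix's own code). Reads threadfix.scratchFolder from a
# custom.properties file and checks that the directory it names is owner-only,
# since ThreadFix stores application source code there. The properties file
# path, the sample value and the "owner-only" policy are assumptions.

# Print the value of threadfix.scratchFolder from the properties file given as $1
# (last occurrence wins, surrounding whitespace stripped).
scratch_folder_from_properties() {
    sed -n 's/^[[:space:]]*threadfix\.scratchFolder[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print "ok" when $1 exists and grants nothing to group or others (octal mode
# ending in 00, e.g. 700); otherwise print the finding. Returns 0 only for "ok".
check_scratch_folder() {
    dir="$1"
    [ -n "$dir" ] || { echo "threadfix.scratchFolder is not set"; return 1; }
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    case "$mode" in
        *00) echo "ok"; return 0 ;;
        *)   echo "mode $mode on $dir lets other accounts read stored source"; return 1 ;;
    esac
}

# Demo on a constructed properties file and scratch directory in a temp location.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/scratch"
    printf 'threadfix.scratchFolder = %s/scratch\n' "$tmp" > "$tmp/custom.properties"
    dir=$(scratch_folder_from_properties "$tmp/custom.properties")
    chmod 750 "$tmp/scratch"; check_scratch_folder "$dir" || true   # group-readable: flagged
    chmod 700 "$tmp/scratch"; check_scratch_folder "$dir"           # owner-only: ok
    rm -rf "$tmp"
}

demo
```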
Clicking the hyperlink will reveal the following fields:
Source Code Information Details
Category | Details |
---|---|
Source Code Repository Type | ThreadFix supports Git, SVN, and the local file system as source code origin points. Select Git or SVN if either of those repositories is used, or leave this unselected and fill in the "Source Code Folder" field to identify a code location on the local file system. |
Source Code URL | This is the URL for the Git or SVN repositories. |
Source Code Branch | Identify the branch to use within the repository. |
Source Code Revision | This represents a specific commit ID to request. |
Source Code User Name | The user name to connect to the repository. |
Source Code Password | The password to connect to the repository. |
Source Code Folder | This field identifies source code on the local file system, used instead of a source control system such as Git or SVN. |
View Finding Details and Source Code
From a desired application, select a vulnerability from the vulnerability tree and expand it to reveal its details. Click the View More link.
From the Vulnerability Details tab click to expand a chosen Finding.
The vulnerability details will display. Scroll down to the bottom and click the View Finding page link.
The page will default to the Finding Details tab, click on the Source Code tab.
If no source code has been attached to the finding, a message will display indicating this. For how to attach source code, refer to the Hybrid Analysis Mapping Configuration guide.
Copyright © 2024 Coalfire. All rights reserved.