As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Black Duck Remote Provider

You will learn

How to configure Black Duck with ThreadFix.

Prerequisites

Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A


As of version 2.8.4, ThreadFix's use of the Black Duck hub-common library to authenticate and pull application, version and vulnerability information has been deprecated. For information about the deprecated integration, see the Deprecated - Black Duck Hub-common section at the bottom of this guide.

Introduction

As of version 2.8.4, ThreadFix no longer uses Black Duck's hub-common library to authenticate and pull application, version and vulnerability information; direct Black Duck API calls are used in its place.

IMPORTANT: Connection Requirement

ThreadFix typically requires the certificate of any secure external site to be imported into the security store before it will connect. Follow the instructions here to do so:

Importing External Site's Certificate

Authentication

ThreadFix uses a Black Duck Access Token to authenticate and establish a connection with its service layer. This token is generated from the Profile Page of the target Black Duck instance.

Here's how to create your token:

  1. Go to your Profile Page in Black Duck.

  2. Scroll to the bottom to find the User Access Token section.

  3. Enter a name.

  4. Select at least Read access for the scope.

  5. Click Generate.

  6. Copy the resulting API token to the clipboard and enter it into the Remote Providers section in ThreadFix.

Obtain Bearer Token/Authenticate (ThreadFix 2.8.4+)

The following call is used to get the Bearer Token:

/api/tokens/authenticate

Get Applications

The following call is used to get applications:

/api/projects

Get Versions

The following call is used to get versions:

/api/projects/{{projectId}}/versions

Get Scans & Scan Dates

ThreadFix no longer uses Black Duck's hub-common library to pull vulnerability information. The following API call is now used to fetch scans:

Get Scans:

Get Remediation-Guidance:

The Black Duck call "/remediating" was deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade".

Parsing Vulnerabilities

ThreadFix parses the VulnerableComponentViews pulled from Black Duck into a Finding-Dependency pair. Most of the component information is stored in the VulnerableComponentView, while the vulnerability information is stored in the VulnerabilityWithRemediationView within it.

Dependency:

  • CVE: If the Vulnerability Name pulled from the VulnerabilityWithRemediationView is a CVE, ThreadFix records it here.

  • Component File Path: Component Version Origin Id pulled from the VulnerableComponentView. The value is a combination of the Origin, Component Name and Component Version.

  • Component Name: Combination of the Component Name and Component Version Name pulled from the VulnerableComponentView.

  • Description: Description pulled from the VulnerabilityWithRemediationView.

Finding:

  • Native Id: Hashed together from Component Id, Component Version Id and Origin Id pulled from the Vulnerabilities URL stored in the VulnerableComponentView's Meta Data and the Vulnerability Name pulled from the VulnerabilityWithRemediationView.

  • Severity Code: Rounded down Base Score pulled from the VulnerabilityWithRemediationView.

  • Detail: Description pulled from VulnerabilityWithRemediationView.

  • CWE: Not always included, but when available it is pulled from the CWE Id in the VulnerabilityWithRemediationView.

  • Vulnerability Code: If a CWE Id is provided, it is used to categorize the finding using ThreadFix's Generic Vulnerability table. If not present, the finding is categorized as Configuration.

  • Created Date: Remediation Created At date pulled from the VulnerabilityWithRemediationView.

  • Modified Date: Remediation Updated At date pulled from the VulnerabilityWithRemediationView.

Vulnerability Statuses:

ThreadFix will not ingest findings with the following statuses, closing them if they were ingested in a previous scan:

  • Patched

  • Remediation Complete

  • Mitigated

ThreadFix will mark findings false positive if they have the following statuses:

  • Duplicate

  • Ignored

ThreadFix will ingest findings with all other statuses as open findings.

If you have any questions, please reach out to support@threadfix.it.


Deprecated - Black Duck Hub-common

Earliest Supported Version: v4.4.0
Latest Supported Version: v2020.8.1

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers.

For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API

Introduction

Black Duck integrates with ThreadFix to automatically scan, identify and inventory open source software, allowing you to understand license obligations, conflicts and risks. As of version 2.6+, ThreadFix uses Black Duck's hub-common library to authenticate and pull application, version and vulnerability information.

Authentication

ThreadFix uses a Black Duck Access Token to authenticate and establish a connection with its service layer. This token is generated from the Profile Page of the target Black Duck instance.

Here's how to create your token:

  1. Go to your Profile Page in Black Duck.

  2. Scroll to the bottom to find the User Access Token section.

  3. Enter a name.

  4. Select at least Read access for the scope.

  5. Click Generate.

  6. Copy the resulting API token to the clipboard and enter it into the Remote Providers section in ThreadFix.

Fetching Applications

ThreadFix uses Black Duck's ProjectService to pull down application info as ProjectViews:

  • Native Name: Name of the Project in Black Duck.

  • Native Id: Name of the Project in Black Duck.

  • Version URL: Versions URL pulled from ProjectView Meta Data.

Fetching Versions

ThreadFix uses Black Duck's HubService to pull down version info as ProjectVersionViews:

  • Native Name: Name of the Project Version in Black Duck.

  • Native Id: Name of the Project Version in Black Duck.

  • Report URL: Vulnerable BOM Components URL pulled from ProjectVersionView Meta Data.

Fetching Scans & Scan Dates

ThreadFix uses Black Duck's HubService to pull down vulnerabilities as VulnerableComponentViews:

Black Duck ingests scans when BOM files are uploaded, either manually or through its Hub Scanner, and organizes those results using Projects and Versions. When ThreadFix ingests these results they carry their created and modified dates, but they are not attributed to a scan or a scan date. ThreadFix therefore creates a new scan every time results are imported, using the current time as the Scan Date, and updates the current set of Black Duck vulnerabilities in the mapped ThreadFix Application. Vulnerabilities in different Versions of a Project in Black Duck map to their corresponding vulnerability in previous versions: they are reopened if they were reintroduced, closed if they are no longer present, or marked false positive if they have been deemed so.

When uploading a large amount of historical data from Black Duck into ThreadFix, it is strongly recommended to use Black Duck's Project Versions together with ThreadFix's Remote Provider Mapping to introduce the results chronologically; otherwise the final data set may be inaccurate.

Parsing Vulnerabilities

ThreadFix parses the VulnerableComponentViews pulled from Black Duck into a Finding-Dependency pair. Most of the component information is stored in the VulnerableComponentView, while the vulnerability information is stored in the VulnerabilityWithRemediationView within it.

Dependency:

  • CVE: If the Vulnerability Name pulled from the VulnerabilityWithRemediationView is a CVE, ThreadFix records it here.

  • Component File Path: Component Version Origin Id pulled from the VulnerableComponentView. The value is a combination of the Origin, Component Name and Component Version.

  • Component Name: Combination of the Component Name and Component Version Name pulled from the VulnerableComponentView.

  • Description: Description pulled from the VulnerabilityWithRemediationView.

Finding:

  • Native Id: Hashed together from Component Id, Component Version Id and Origin Id pulled from the Vulnerabilities URL stored in the VulnerableComponentView's Meta Data and the Vulnerability Name pulled from the VulnerabilityWithRemediationView.

  • Severity Code: Rounded down Base Score pulled from the VulnerabilityWithRemediationView.

  • Detail: Description pulled from VulnerabilityWithRemediationView.

  • CWE: Not always included, but when available it is pulled from the CWE Id in the VulnerabilityWithRemediationView.

  • Vulnerability Code: If a CWE Id is provided, it is used to categorize the finding using ThreadFix's Generic Vulnerability table. If not present, the finding is categorized as Configuration.

  • Created Date: Remediation Created At date pulled from the VulnerabilityWithRemediationView.

  • Modified Date: Remediation Updated At date pulled from the VulnerabilityWithRemediationView.

Vulnerability Statuses:

ThreadFix will not ingest findings with the following statuses, closing them if they were ingested in a previous scan:

  • Patched

  • Remediation Complete

  • Mitigated

ThreadFix will mark findings false positive if they have the following statuses:

  • Duplicate

  • Ignored

ThreadFix will ingest findings with all other statuses as open findings.
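The Finding-Dependency mapping and the status rules described above (identical in the current and the deprecated Parsing Vulnerabilities sections), as an added Python example that is not ThreadFix's own code: the JSON key names, the use of SHA-256 for the Native Id and the sample record are assumptions, since the page names the fields only in prose.

```python
import hashlib

# Status sets from the page: the first group is closed, the second marked false positive.
CLOSED_STATUSES = {"PATCHED", "REMEDIATION_COMPLETE", "MITIGATED"}
FALSE_POSITIVE_STATUSES = {"DUPLICATE", "IGNORED"}

def classify_status(status):
    """Map a Black Duck remediation status to closed / false_positive / open."""
    s = status.strip().upper().replace(" ", "_")
    if s in CLOSED_STATUSES:
        return "closed"
    return "false_positive" if s in FALSE_POSITIVE_STATUSES else "open"

def parse_vulnerable_component(view):
    """One VulnerableComponentView (with nested VulnerabilityWithRemediationView) -> (dependency, finding)."""
    vuln = view["vulnerabilityWithRemediation"]
    name = vuln["vulnerabilityName"]
    cwe = vuln.get("cweId")
    # Native Id: component id, component version id, origin id and vulnerability name
    # hashed together. SHA-256 is an assumption; the page does not name the hash.
    raw = "|".join([view["componentId"], view["componentVersionId"], view["originId"], name])
    native_id = hashlib.sha256(raw.encode()).hexdigest()
    dependency = {
        "cve": name if name.upper().startswith("CVE-") else None,
        "component_file_path": view["componentVersionOriginId"],
        "component_name": f"{view['componentName']} {view['componentVersionName']}",
        "description": vuln.get("description", ""),
    }
    finding = {
        "native_id": native_id,
        "severity_code": int(float(vuln["baseScore"])),  # base score rounded down
        "detail": vuln.get("description", ""),
        "cwe": cwe,
        "vulnerability_code": cwe if cwe else "Configuration",  # no CWE -> Configuration
        "created_date": vuln["remediationCreatedAt"],
        "modified_date": vuln["remediationUpdatedAt"],
        "status": classify_status(vuln["remediationStatus"]),
    }
    return dependency, finding

# Constructed sample input, not real Black Duck output (the CVE id is a placeholder).
SAMPLE_VIEW = {
    "componentId": "comp-123", "componentVersionId": "ver-456", "originId": "orig-789",
    "componentName": "example-lib", "componentVersionName": "1.2.3",
    "componentVersionOriginId": "maven:org.example:example-lib:1.2.3",
    "vulnerabilityWithRemediation": {
        "vulnerabilityName": "CVE-0000-0000", "description": "constructed description",
        "baseScore": 7.8, "cweId": "CWE-79", "remediationStatus": "New",
        "remediationCreatedAt": "2023-01-01T00:00:00Z", "remediationUpdatedAt": "2023-02-01T00:00:00Z",
    },
}
```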

If you have any questions, please reach out to support@threadfix.it.

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.