As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Fortify Software Security Center Remote Provider

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API.

Finding Status Processing

The following list indicates how finding statuses from Fortify are marked within ThreadFix when ingesting a scan:

  • Not an issue or Suppressed - False Positive

  • Exploitable or Need more information - Open

  • Hidden - not ingested into ThreadFix

When there is no scan data to import, a “No scans were found” message will display as the Last Import Attempt Status.

API Usage

Get Artifacts for Project

/projectVersion/{{projectId}}/artifacts?fields=lastScanDate,status&start=0&limit=0&q=status:"PROCESS_COMPLETE"

ThreadFix compares the lastScanDate of the completed artifacts with the scan date of the Fortify SSC scan most recently imported into ThreadFix. This date also becomes the Scan Date of the ThreadFix scan.

Get Project Version

/projectVersion/{{projectId}}

ThreadFix uses currentState.metricEvaluationDate to check whether the project's current state has been updated even though no new artifact has been loaded. This date becomes the Updated Date of the ThreadFix scan.

FPR Download

If the calls above show that a new artifact was run, or that there are new updates to import, we make the following call:

/download/currentStateFPRDownload.html
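The three calls above amount to a polling decision: is there a newer completed artifact, and if not, has the project's current state been re-evaluated since the last import? The following is an added example (not ThreadFix's or Fortify's own code) that applies that decision to constructed copies of the two SSC responses; the field names are the ones named on this page, while the "data" envelope and the ISO 8601 timestamp format are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample payloads shaped like the two SSC calls named on this page.
# Field names come from the page; the "data" envelope is an assumption.
ARTIFACTS_RESPONSE = {"data": [
    {"lastScanDate": "2023-10-01T09:00:00+00:00", "status": "PROCESS_COMPLETE"},
    {"lastScanDate": "2023-11-02T14:23:11+00:00", "status": "PROCESS_COMPLETE"},
    {"lastScanDate": "2023-11-20T08:00:00+00:00", "status": "ERROR_PROCESSING"},
]}
PROJECT_VERSION_RESPONSE = {"data": {"currentState": {
    "metricEvaluationDate": "2023-11-15T10:00:00+00:00"}}}

# Finding-status mapping from the list above; None means the finding is not ingested.
FORTIFY_TO_THREADFIX = {
    "Not an issue": "False Positive", "Suppressed": "False Positive",
    "Exploitable": "Open", "Need more information": "Open", "Hidden": None,
}

@dataclass
class SyncDecision:
    download_fpr: bool           # whether to call /download/currentStateFPRDownload.html
    reason: str                  # doubles as the Last Import Attempt Status text
    scan_date: Optional[str]     # becomes the ThreadFix Scan Date (lastScanDate)
    updated_date: Optional[str]  # becomes the ThreadFix Updated Date (metricEvaluationDate)

def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None

def latest_completed_scan_date(artifacts: dict) -> Optional[str]:
    """Newest lastScanDate among PROCESS_COMPLETE artifacts. The query on the page
    already filters server-side; re-checking status here guards against a looser query."""
    done = [a["lastScanDate"] for a in artifacts["data"] if a.get("status") == "PROCESS_COMPLETE"]
    return max(done, key=_ts, default=None)

def decide_sync(artifacts: dict, project_version: dict,
                last_scan_date: Optional[str], last_updated_date: Optional[str]) -> SyncDecision:
    """New completed artifact? Else newer metric evaluation? Else nothing to import.
    The previously stored ThreadFix dates are passed as ISO 8601 strings (or None)."""
    newest = latest_completed_scan_date(artifacts)
    if newest is None:
        return SyncDecision(False, "No scans were found", None, None)
    evaluated = project_version["data"]["currentState"]["metricEvaluationDate"]
    if last_scan_date is None or _ts(newest) > _ts(last_scan_date):
        return SyncDecision(True, "New artifact since last import", newest, evaluated)
    if last_updated_date is None or _ts(evaluated) > _ts(last_updated_date):
        return SyncDecision(True, "Project state updated since last import", newest, evaluated)
    return SyncDecision(False, "Up to date", newest, evaluated)
```

Note that the later ERROR_PROCESSING artifact is ignored: only PROCESS_COMPLETE artifacts can advance the Scan Date, while a newer metricEvaluationDate alone triggers a download but leaves the Scan Date unchanged.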


Unassigned Findings

As of 2.8.6, new findings uploaded to the Auditor Status folder are automatically set with an Unassigned severity until users manually set them to a desired severity type. Note the Unassigned finding below.

This can be reassigned manually by selecting View More to see its Vulnerability Details and manually changing the severity through the Action drop-down button.

Note: Manually changing a vulnerability’s severity will persist indefinitely or until manually changed again. If you want a vulnerability’s severity to update as new scans identify it with a higher or lower severity, you should use the method below to map the scanner’s severity with the desired one in ThreadFix.

By utilizing the Customize Scanner Severities page, users can globally have Exceptions to automatically set future Unassigned findings to their desired severity.


www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.