As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

2.X Version Feature Changes

Version Feature Changes

New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:

2.8.9.1

November 2023

  • Performance improvement for the Defect Reporter to Application Defect Tracker Mapping process

  • Performance improvement for scan upload processing

  • Improvement for error messaging in the UI

  • Fix for an issue where a user's name that has been updated in the User Management page may not be reflected on the user Login page

  • Fix for an issue where the Vulnerability Search API exports may provide different results each time run

  • Fix for an issue where a Remote Provider could not be created if the user attempted to reuse a name that had previously been entered and submitted, but whose creation was never completed because the modal was closed first

  • Performance improvement for the BlackDuck Remote Provider creation process, addressing an issue where it may time out

  • Fix for an issue where an exported CSV/SSVL report is generated using currently selected filters rather than currently applied filters

2.8.9

October 2023

  • Integration support is discontinued for Bugzilla (ver 4.x & 5.x), IBM ClearQuest, and VersionOne

  • AppScan Enterprise identified and resolved an issue where some vulnerabilities reported finding details for multiple issue types as a single concatenated string via the AppScan API. In this instance ThreadFix would ingest this data as if it were legitimate, which could cause some display and merging issues if the instance of AppScan Enterprise in use is a version subject to this misbehavior. HCL has informed our impacted clients that the issues have been resolved; clients should prioritize updating their AppScan Enterprise instance to the latest HCL patch prior to updating ThreadFix.

  • Improvement to error messaging when uploading files

  • Fix for an issue where not all Pen Test teams would display in the Identity Management page

  • Fix for an issue where a user cannot create a Jira Defect Tracker instance with OAuth Token as the Authorization Type

  • Fix for an issue where, if a Team is deleted in the Portfolio page and a new Team with the same name is then created with an application, the previously deleted Team name may appear in the UI

  • defectProfileId and useDefaultDefectProfile have been added to the Submit Defect API calls

  • Several minor UI updates

2.8.8.5

August 2023

  • Minor UI updates

  • Fix for Black Duck ingesting invalid Finding CVE data

  • Fix for an issue where, when a user updates the File Upload location, any previously downloaded scans remain in the prior location

  • Fix for a NullPointerException error when trying to update an application, via the Update Application API, containing at least one unmapped vulnerability

  • Fix for Acunetix 360 and Netsparker Enterprise, where if the application was renamed on the scanner the existing RemoteProviderApplication row was discarded, even though the nativeId value persisted

  • Error addressed when a user tries to edit a JIRA defect tracker using a new longer API token

  • Fix for the following JIRA defect Tracker error:
    “Failure. Message was : ThreadFix encountered an error and could not complete the request. Please check the Error Messages page or server logs for more details.”

  • Fix for Fortify on Demand microservice registering more vulnerabilities than actually exist

2.8.8.4

July 2023

  • Fix for an application being able to be associated with a deleted policy ID through an API Call

  • Fix for “Invalid username/password combination” error when attempting to gather collections from a defect tracker in Azure DevOps

2.8.8.3

May 2023

  • Microservice Project support added for Fortify on Demand

  • Improved SSVL scan import date validation. Note that ThreadFix now only accepts dates using 12-hour (AM/PM) formatting.

2.8.8.2

February 2023

  • Improvement for ThreadFix’s ability to identify and parse Fortify external lists and filters to more accurately mark findings

2.8.8

Ingestion Enhancements

  • Fortify SSC/FoD/SCA imports have improved filter parsing to support more custom filters from Micro Focus

  • Contrast findings support greater specificity in filtering on finding types based on finding data

  • SonarQube integration has been updated to support changes in their API

    • Hotspot findings in version 8.9 and 9 are now supported

    • All previous versions of SonarQube are no longer supported

System Enhancements

  • API support added for custom severity name

  • Created a bulk-export for all unmapped vulnerability types to CSV file

  • Additional bug fixes and security enhancements


Addressed Reported Issues and Security Updates

  • In some instances, ThreadFix license expiration reminders can repeatedly post to the logs and create performance issues. The frequency of reminders has been adjusted to once per user login.

  • Importing LDAP users failed if any user had a Title field containing more than 60 characters. The limit has been increased to 128.

  • The Upload Scan API and Multiple File Scan Upload API have been updated.

  • The 2.X to 3.X migration process fails if the database for the Burp channel contains a channel vulnerability with a non-numerical code. This has been addressed in 2.8.8.

  • As of version 2.8.8, ThreadFix only supports importing Hotspot findings with the SonarQube v8 (8.9) and v9 configurations.


2.8.7

September 2022

Integration Enhancements

  • The following remote providers now ingest and store CVSS values: Acunetix 360, Black Duck, Netsparker, NowSecure, and WhiteHat Sentinel Source

  • Checkmarx can now ingest additional scanner detail and scanner recommendations for findings

  • Improved SonarQube severity mappings

  • The maximum number of Defect Profiles that can be associated with a single defect tracker has been increased to 1024

  • Improvement to Fortify SSC findings filtering


Addressed Reported Issues and Security Updates

  • Fixed intermittent import errors with Acunetix 360/Netsparker

  • Resolved ASoC integration errors on import

  • Improvement to UI messaging indicating when all remote providers have been mapped

  • Improvement to UI messaging indicating when an invalid scanId was used

  • The ThreadFix UI Help button has been adjusted to now direct to the Coalfire Support Portal

  • ThreadFix’s data retention behavior has been updated, allowing all files to be properly deleted when the File Upload Location is disabled

2.8.6.1

July 2022

Note the following changes to features with the introduction of ThreadFix 2.8.6.1:

2.8.6

April 2022

Note the following changes to features with the introduction of ThreadFix 2.8.6:

Deprecated and Removed

For other REST API updates, refer to the Change Log

  • The Black Duck call "/remediating" has been deprecated by Black Duck in version 2021.10.0 and has been replaced by "/upgrade"


2.8.5.1

January 2022

  • No feature changes in 2.8.5.1

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.