As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Create Defect Tracker
You will learn
Prerequisites
Audience: IT Professional or End User
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: N/A
Creating a Defect Tracker
Example Configuration Using JIRA
Creating a defect tracker in ThreadFix follows the same process for every supported tracker. The following example walks through the process using JIRA.
Users must complete two actions before submitting a defect from ThreadFix. First create the defect tracker within ThreadFix, then attach the defect tracker to an application in ThreadFix.
Create a Defect Tracker
To set up JIRA up as a defect tracker in ThreadFix click:
From the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.
To create a new Defect Tracker, click the Create New Tracker button. A New Defect Tracker modal will appear. Complete the form using the credentials for a JIRA account; ensure that the Type dropdown list is set to JIRA.
For JIRA Cloud customers who are using username and password:For the Default Username, enter the JIRA profile's email address. For the Default Password, enter the profile's API token (create one, if it doesn't exist).
For On-Premise JIRA deployments that don't support API tokens, use username/password basic authentication
To configure a Jira Defect Tracker using username/password. Select Basic Auth for Auth Type.
Click the Get Product Names button. A Product Names drop-down will appear, populated with the products from the user JIRA server. Select the product associated with the application and click the Create Defect Tracker button.
Upon creation, validation of the URL takes place. If the URL is malformed, a URL is invalid error message will be received. If ThreadFix is unable to communicate with the JIRA instance because of a mistyped URL, a URL is not associated with selected defect tracker message will be received.
Note to users utilizing Basic Auth
Users who enter incorrect credentials multiple times while creating a JIRA defect tracker with Basic Auth will receive an error indicating “There was a problem connecting to Jira. Check if captcha is enabled…HTTP status was 500”. To resolve the error, users must manually log into their Jira instance then return to ThreadFix and complete creating the Jira defect tracker.
Users creating a defect tracker using OAuth are not affected by the error mentioned above.
Attach Defect Tracker
Navigate to the details page of the application that needs a tracker attached to it. Once on the application’s detail page, click the Action drop-down button, highlight Manage Defect Trackers and select Edit Defect Trackers.
The Manage Defect Trackers for Application <application name> page displays a list of attached defect trackers, if any.
To attach a defect tracker to the application, click the Add Defect Tracker button. A modal dialogue will appear.
For the Defect Tracker, from the drop-down list select the created JIRA Defect Tracker. Then either select the Use Default Credentials checkbox or fill in the Username and Password fields with the necessary credentials. The defaults are the credentials supplied when the Defect Tracker was created.
If there is a default product defined in JIRA, users may select the Use Default Product checkbox. If not, or to select a different product, click the Get Product Names button. After JIRA verifies the credentials, a Product Name drop-down appears. Select the JIRA product that is associated with the application and click the Add Defect Tracker button.
The added defect tracker will now appear in the Defect Trackers page.
Submit Defects
To submit a defect to the defect tracker, expand a section in an application's vulnerability tree. Either select the instance(s) of the vulnerability(ies) to submit to the tracker or select the Check All checkbox to select all instances.
Click on the lower Action button and highlight Create Defect then select <defect tracker name>.
A Submit Defect modal will appear; fill out the fields and click the Submit Defect button. A success message will appear at the top of the screen.
Opening the vulnerability in the tree now shows these issues opened and assigned in the JIRA defect tracker, as seen below.
Clicking on the defect badge will open another window showing the defect in JIRA.
Add to Existing Defect
Users can add one or more vulnerabilities to an existing defect.
Either select the instance(s) of the vulnerability(ies) or select the Check All checkbox to select all instances.
Click on the lower Action button, highlight Add to Existing Defect and select <defect tracker name>.
In Add to Existing Defect modal, enter the defect ID and click the Submit Defect button.
Just like when creating a new defect, ThreadFix will add a badge to the vulnerability(ies) with the defect ID and its status.
Update Defect Status
If the issue is closed in JIRA, users can request an update for the defects in ThreadFix on the application’s details page.
Click on the upper Action button, highlight Manage Defect Trackers and select Update Defect Status.
ThreadFix will get the current status of all defects submitted for the application and update the label accordingly if one or more defects are closed. Refresh the page to see the updated status.
Creating a Defect Status Update Schedule
Once one or more defect trackers are configured, users can create a schedule or schedules to automatically check their status for changes. This removes the need to manually update the defect status to see if an issue has been resolved by a development team or not.
First, return to the Defect Trackers. From the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.
Select the Scheduled Updates tab and click the Schedule New Update button. This brings up a Defect Tracker Update modal which contains scheduling options.
Select the time and frequency for when to run the status update check. Users can alternatively define a Cron expression. Click the Add Scheduled Update to save it to the list of defect status update schedules.
Optionally, an “Update status for deleted defects” checkbox is provided. If selected this option will allow ThreadFix to update each defect, including marking deleted defects as “Issue not found”.
Users may create as many as desired, however each one will run at the requested time. Some defect trackers require an API call per defect to determine status, so the user could inadvertently overwhelm their defect server if these are scheduled too frequently.
Defect Profiles
To help make the process of submitting a defect more efficient, users can create and use defect profiles which save the effort of filling out certain fields in the submission form. The following uses Jira with the above as an example for a user who wants to create a profile that preselects the type of defect and fills out several fields. Note as of version 2.8.7 ThreadFix allows a maximum of 1024 Defect Profiles to be associated with a single defect tracker.
From the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.
Click the Show Default Profiles button, this will display a field for existing profiles and add a Create Profile button.
Click the Create Profile button.
Give the profile a name, select a product, then click Add new Default Profile.
Note the Name field has a 25 character limit.
Fill out the desired fields in the Set Defect Defaults form. Note tags can be used to help automate some of the content, like the severity, scanner vulnerability name, etc. (hover over the tags at the top for a description). When finished, click the Update Defaults button.
A confirmation banner will display showing the defaults were updated for the specified defect profile and see it listed within the Profile list. Create more as necessary.
To use a profile when submitting a defect, select it from the top pull-down menu, and the default values will appear in the form; edit as needed and submit the defect when done. Note the values corresponding with tags in the profile will appear in the form.
Azure DevOps - Security Configuration
In order to set up an integration between ThreadFix and Azure DevOps, a Personal Access Token is required.
In Azure DevOps, click on the profile icon toward the top right of the screen and select Personal access tokens from the menu.
From there create a Personal Access Token:
Note: For the token’s Scope, you’ll need to select Full access.
When creating the integration on the ThreadFix side, select Azure DevOps in the Type menu, enter the organization's URL (or dev.azure.com) URL and credentials, then click the Get Product Names button to select the desired project. Note the username can be anything as long as the field is not left blank.
Note 2.X supports pulling a maximum of 100 projects for an organization.
OAuth Support for JIRA - Security Configuration
OAuth is supported for Jira as of version 2.8.1. Please note OAuth 2.0 is not yet supported.
First configure Application links in JIRA to support OAuth. Then, within ThreadFix, navigate to Global → Administration → System Settings → Other Settings (tab) → OAuth Jira (heading). Provide the following details:
Jira URL: URL of Jira where OAuth is configured.
Consumer Key: The key assigned to JIRA by the service provider.
Private Key: Signed Private Key.
After providing the details, click on Populate Authorization Token URL button. This will generate a temporary Authorization Token URL. Click on the here link in For retrieving request token go to here and authorize it. This will expire in 10 minutes.
The link navigates to a permission page in JIRA. Allow the permission.
After allowing the permission, a verification code will be generated.
Copy and paste the verification code into the Secret Key text field in ThreadFix and click on the Populate Access token button. A new Access token is generated and will be active for 5 years.
Configuring Defect Tracker using Access Token
Jira can be set up as a defect tracker in ThreadFix.
From the Navigation sidebar, expand the Application menu, click the Integrations sub-menu and select the Defect Trackers page.
To create a new Defect Tracker, click the Create New Tracker button and select JIRA as Type.
Select OAuth Token for Auth Type. URL and Access Token will be automatically filled.
Click the Get Product Names button. A Product Names dropdown will appear, populated with the products from the user’s JIRA server. Select the product associated with the application and click the Create Defect Tracker button.
Attach Defect Tracker
Navigate to the details page of the application that needs a tracker attached to it. Once on the application detail page, click the upper Action button and highlight Manage Defect Trackers and select Edit Defect Trackers.
This will redirect to the Manage Defect Trackers for Application <application name> page, where attached defect trackers are listed, if any.
To attach a defect tracker to the application, click the Add Defect Tracker button. A modal dialogue will appear. Choose JIRA as the Defect Tracker, then the Access Token will be automatically added to text box.
If a default product is defined in JIRA, select the Use Default Product checkbox. If not, or to select a different product, click the Get Product Names button. After JIRA verifies credentials, a Product Name dropdown appears.
Select the JIRA product that is associated with your application and click the Add Defect Tracker button.
The added defect tracker will now appear in the Manage Defect Trackers page.
Table of Contents
- 1 You will learn
- 1.1 Prerequisites
- 1.2 Creating a Defect Tracker
- 1.2.1 Example Configuration Using JIRA
- 1.2.1.1 Create a Defect Tracker
- 1.2.2 Attach Defect Tracker
- 1.2.3 Submit Defects
- 1.2.4 Add to Existing Defect
- 1.2.5 Update Defect Status
- 1.2.1 Example Configuration Using JIRA
- 1.3 Creating a Defect Status Update Schedule
- 1.4 Defect Profiles
- 1.5 Azure DevOps - Security Configuration
- 1.6 OAuth Support for JIRA - Security Configuration
- 2 Table of Contents
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.