As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Coverity Remote Provider
For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers.
For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API
Coverity User Account
Ensure that the Coverity account used for the ThreadFix integration has admin role/privilege on the Coverity side.
List of SOAP API requests that ThreadFix uses for the Coverity Remote Provider integration
- Scans: defectservice#getMergedDefectsForProjectScope
- Findings: defectservice#getStreamDefects
- Projects: configurationservice#getProjects
Parsing Vulnerabilities
Fields parsed and mapped from Coverity to ThreadFix:
- defectStateAttributeValues.DefectStatus -> used to determine vuln open / closed
- defectStateAttributeValues.Classification -> used to determine false positive
- defectStateAttributeValues.Comment -> comment
- defectStateAttributeValues.Severity -> severity
- defectInstances.longDescription -> long description
- defectInstances.cwe -> cwe
- defectInstances.checkerName -> vuln code
- defectInstances.events.lineNumber -> dataflow line number
- defectInstances.events.eventNumber -> dataflow sequence index
- defectIntances.events.fileId -> dataflow file name
Vulnerability Statuses
ThreadFix will mark findings False Positive if they have False Positive status in Coverity.
ThreadFix will not ingest findings with fixed status, closing them if they were ingested in a previous scan.
Default Severity Mappings
- Unspecified -> Info
- Major -> High
- Moderate -> Medium
- Minor -> Low
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.