As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Dependency Track Remote Provider
For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API.
Introduction
ThreadFix uses the Dependency Track API client to authenticate against the Dependency Track instance and to pull both application (project) and scan information.
Fetching Applications
ThreadFix uses this endpoint to pull applications from the Dependency Track instance:
/api/v1/project
ThreadFix does paginate this request.
Fetching Scans
ThreadFix uses this endpoint of the Dependency Track API to get the vulnerability information for a project:
/api/v1/vulnerability/project/{projectNativeId}
From the returned data ThreadFix extracts the severity, status, date created, location, and issue type (dependency) values of each finding from all new, open, and reopened issues for the specified application.
Because the result set does not include a scan date, ThreadFix reports the date the scan was imported as the scan date.
ThreadFix does paginate this request.
The Dependency Track user or team whose API key ThreadFix uses must have the VULNERABILITY_ANALYSIS permission for scans to import.
Parsing Vulnerabilities
The JSON returned by the Dependency Track vulnerabilities endpoint maps directly to these ThreadFix finding fields:
Native Id - vulnerability.uuid
Vulnerability code - vulnerability.cwe.name (if cwe.name is null, the finding is mapped to Configuration)
Severity code - vulnerability.severity
Path - the fixed string "Dependencies" (not a file path)
dependency.reference - vulnerability.vulnId
dependency.componentName - component.name
dependency.componentFilePath - component.fileName
dependency.description - vulnerability.description
CVE - vulnerability.vulnId
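The following is an added example that is not ThreadFix's or Dependency Track's own code. It walks the two endpoints named above (application list, then per-project vulnerabilities) and applies the finding mappings listed in this section, so the three subsections can be seen working end to end. It assumes, beyond what this page states, that Dependency Track authenticates API calls with an X-Api-Key header, paginates list endpoints with pageNumber/pageSize query parameters and reports the total in an X-Total-Count response header; the sample payloads are constructed to follow the field names documented here and were not captured from a live instance.

```python
"""Added example (not ThreadFix or Dependency-Track code): fetch projects and
per-project vulnerabilities, then map each one onto the ThreadFix finding fields.
Assumed (not stated on the page): X-Api-Key auth, pageNumber/pageSize pagination
and the X-Total-Count header. Sample data below is constructed, not captured."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

PROJECTS_PATH = "/api/v1/project"
VULNS_PATH = "/api/v1/vulnerability/project/{projectNativeId}"


def http_fetch_page(url, api_key):
    """Real transport: one authenticated GET, returning (items, total)."""
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        items = json.load(resp)
        total = int(resp.headers.get("X-Total-Count", len(items)))
    return items, total


def fetch_all(base_url, api_key, path, page_size=100, fetch_page=http_fetch_page):
    """Follow pageNumber/pageSize until every item is collected.
    Also stops on an empty page, so a stale X-Total-Count cannot loop forever."""
    items, page = [], 1
    while True:
        query = urllib.parse.urlencode({"pageNumber": page, "pageSize": page_size})
        batch, total = fetch_page(f"{base_url.rstrip('/')}{path}?{query}", api_key)
        items.extend(batch)
        if not batch or len(items) >= total:
            return items
        page += 1


def map_finding(vuln, imported_at):
    """Apply the field mappings from the Parsing Vulnerabilities section."""
    component = vuln.get("component") or {}
    cwe = vuln.get("cwe") or {}
    vuln_id = vuln.get("vulnId")
    return {
        "nativeId": vuln["uuid"],
        # cwe.name is null for findings without a CWE; the page maps those to Configuration.
        "vulnerabilityCode": cwe.get("name") or "Configuration",
        "severityCode": vuln.get("severity"),
        "path": "Dependencies",  # fixed string, not a file path
        "dependency": {
            "reference": vuln_id,
            "componentName": component.get("name"),
            "componentFilePath": component.get("fileName"),
            "description": vuln.get("description"),
        },
        # The page maps CVE straight from vulnId; Dependency-Track also ingests
        # non-NVD sources, so flag whether the id really is a CVE identifier.
        "cve": vuln_id,
        "isCve": bool(vuln_id) and vuln_id.upper().startswith("CVE-"),
        # The endpoint returns no scan date, so the import time stands in for it.
        "scanDate": imported_at,
    }


def import_project(base_url, api_key, project, fetch_page=http_fetch_page):
    """Pull one project's vulnerabilities and return the mapped findings."""
    path = VULNS_PATH.format(projectNativeId=project["uuid"])
    vulns = fetch_all(base_url, api_key, path, fetch_page=fetch_page)
    imported_at = datetime.now(timezone.utc).isoformat()
    return [map_finding(v, imported_at) for v in vulns]


# Constructed sample data following the documented field names.
SAMPLE_PROJECTS = [
    {"uuid": "00000000-0000-4000-8000-000000000001", "name": "inventory-api", "version": "1.4.0"},
    {"uuid": "00000000-0000-4000-8000-000000000002", "name": "billing-worker", "version": "0.9.2"},
    {"uuid": "00000000-0000-4000-8000-000000000003", "name": "web-frontend", "version": "3.1.0"},
]
SAMPLE_VULNERABILITIES = [
    {"uuid": "00000000-0000-4000-8000-00000000aaaa", "vulnId": "CVE-2021-44228", "source": "NVD",
     "severity": "CRITICAL", "description": "Remote code execution via JNDI lookups in log4j-core.",
     "cwe": {"cweId": 502, "name": "Deserialization of Untrusted Data"},
     "component": {"name": "log4j-core", "version": "2.14.1", "fileName": "log4j-core-2.14.1.jar"}},
    {"uuid": "00000000-0000-4000-8000-00000000bbbb", "vulnId": "CVE-2020-36518", "source": "NVD",
     "severity": "HIGH", "description": "Denial of service via deeply nested objects in jackson-databind.",
     "cwe": None,  # no CWE attached: exercises the Configuration fallback
     "component": {"name": "jackson-databind", "version": "2.12.3", "fileName": "jackson-databind-2.12.3.jar"}},
]


def fake_fetch_page(url, api_key):
    """Offline stand-in for http_fetch_page that serves the constructed samples."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qs(parts.query)
    page, size = int(query["pageNumber"][0]), int(query["pageSize"][0])
    data = SAMPLE_PROJECTS if parts.path == PROJECTS_PATH else SAMPLE_VULNERABILITIES
    return data[(page - 1) * size:page * size], len(data)


if __name__ == "__main__":
    # Offline demo; pass http_fetch_page (the default) to run against a real server.
    base, key = "https://dtrack.example", "not-a-real-key"
    for project in fetch_all(base, key, PROJECTS_PATH, page_size=2, fetch_page=fake_fetch_page):
        for f in import_project(base, key, project, fetch_page=fake_fetch_page):
            print(project["name"], f["cve"], f["severityCode"], f["vulnerabilityCode"])
```

The transport is injected so the pagination and mapping logic can be exercised offline; page_size=2 in the demo forces the project list across two pages. Note that "status" and "date created", which the page says ThreadFix also extracts, are not in the documented field list, so the example does not invent a source field for them.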
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.