As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Contrast Remote Provider
For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers. For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API.
Introduction
Contrast IAST Scanner Integration uses sensors to passively monitor the behavior of applications and discover vulnerabilities quickly and accurately.
List of API requests that ThreadFix uses for Contrast Remote Provider integration:
- Organizations: /Contrast/api/ng/profile/organizations/default
- Applications: /Contrast/api/ng/<orgId>/applications
- Modules: /Contrast/api/ng/<orgId>/modules/<appId>
- Issues: /Contrast/api/<orgId>/traces/<appId>
- Events Summary: /Contrast/api/ng/<orgId>/traces/<traceId>/events/summary
- Recommendation: /Contrast/api/ng/<orgId>/traces/<traceId>/recommendations
Scan Date and Updated Date are determined and set based on when a scan is imported into ThreadFix.
User Account Requirements
UI and “API Only” Contrast user account types are both able to integrate with ThreadFix. Use the Organization API Key and the Personal Service Key found on the user profile. To find the Service Key of an API Only user, log in as an admin and hover over the API Only label in the list of users at Organizational Settings > Users, as shown in the screenshot.
Organization Role
Both Contrast UI and API Only type users require Organizational Role “View” at a minimum.
Application Access Group
Both Contrast UI and API Only type users require Application Access Group “View” at a minimum.
Please note that both user types, UI and API Only, require the “UI Access” option to be toggled on. Although this does not grant login access to the API Only user, it is still required for the ThreadFix integration.
Note: As of ThreadFix 2.8.6, existing Contrast connections will have Modules as the Application Type.
Status Mappings
As of 2.8.6, Contrast’s reported statuses are interpreted by ThreadFix as noted in the table below.
Contrast Status (Sub-Status) | ThreadFix Status | ThreadFix State |
---|---|---|
Reported | <unchanged> | Open |
Suspicious | <unchanged> | Open |
Confirmed | Scanner Exploitable | Open |
Remediated | <unchanged> | Closed |
Fixed | <unchanged> | Closed |
Not a Problem (False Positive) | False Positive | Open |
Not a Problem (Attack is defended by external control) | False Positive | Open |
Not a Problem (Goes through internal control) | False Positive | Open |
Not a Problem (URL is only accessible by trusted power users) | False Positive | Open |
Not a Problem (Other) | False Positive | Open |
API USAGE
Remote Provider Applications:
- Organization: /Contrast/api/ng/profile/organizations/default
- Modules:
  - Applications: /Contrast/api/ng/<orgId>/applications
  - Sub Modules: /Contrast/api/ng/<orgId>/modules/<appId>
- Environments: /Contrast/api/ng/<orgId>/applications/filter?includeMerged=true
  This call is made to Contrast once for each environment type; currently only Development, QA, and Production are supported.
  The ALL Remote Provider Application covers all three environments.
Import Scans:
- Organization: /Contrast/api/ng/profile/organizations/default
- Vulnerabilities: /Contrast/api/ng/<orgId>/orgtraces/filter
- Events: /Contrast/api/ng/<orgId>/traces/<traceId>/events/summary
- Recommendation: /Contrast/api/ng/<orgId>/traces/<traceId>/recommendation
- Servers: /Contrast/api/ng/<orgId>/servers/filter
- Libraries: /Contrast/api/ng/{orgUUID}/libraries/filter?expand=vulns
  ThreadFix only creates Findings for libraries that have one or more vulnerabilities in the response from Contrast; all other libraries are ignored.
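The following added example (not ThreadFix or Contrast code) walks the Import Scans call sequence above against a constructed in-memory Contrast, applies the Status Mappings table including the "<unchanged>" rule, and drops libraries with no vulnerabilities. The response field names, the organization id and the sample traces are assumptions made for the example.

```python
# Status table from the page: (ThreadFix status, state); None means <unchanged>.
STATUS_MAP = {"Reported": (None, "Open"), "Suspicious": (None, "Open"),
              "Confirmed": ("Scanner Exploitable", "Open"),
              "Remediated": (None, "Closed"), "Fixed": (None, "Closed"),
              "Not a Problem": ("False Positive", "Open")}  # every sub-status

def map_status(contrast_status, current=None):
    """(ThreadFix status, state); <unchanged> keeps `current`, unknown leaves both."""
    tf_status, state = STATUS_MAP.get(contrast_status, (None, None))
    return (tf_status or current, state)

ORG = "org-0000"  # constructed organization id (assumption)
FAKE_CONTRAST = {  # constructed responses keyed by the exact paths the page lists
    "/Contrast/api/ng/profile/organizations/default": {"organization_uuid": ORG},
    f"/Contrast/api/ng/{ORG}/orgtraces/filter": {"traces": [
        {"uuid": "t1", "title": "SQL Injection", "status": "Confirmed"},
        {"uuid": "t2", "title": "Reflected XSS", "status": "Not a Problem", "sub_status": "Other"},
        {"uuid": "t3", "title": "Path Traversal", "status": "Fixed"}]},
    f"/Contrast/api/ng/{ORG}/libraries/filter?expand=vulns": {"libraries": [
        {"file_name": "example-a-1.0.jar", "vulns": [{"name": "vuln-1"}]},
        {"file_name": "example-b-2.0.jar", "vulns": []}]},
}

def fake_get(path):
    # Stand-in for an authenticated GET against Contrast; field names are assumed.
    if path in FAKE_CONTRAST:
        return FAKE_CONTRAST[path]
    if path.endswith("/events/summary"):
        return {"events": [{"description": "tainted data reached a sink"}]}
    if path.endswith("/recommendation"):
        return {"recommendation": "use a parameterised query"}
    raise KeyError(f"unexpected request: {path}")

def import_scan(get, existing=None):
    """Org -> vulnerabilities -> events + recommendation per trace -> libraries.
    `existing` maps trace uuid to its current ThreadFix status (for <unchanged>)."""
    existing = existing or {}
    org = get("/Contrast/api/ng/profile/organizations/default")["organization_uuid"]
    findings = []
    for t in get(f"/Contrast/api/ng/{org}/orgtraces/filter")["traces"]:
        base = f"/Contrast/api/ng/{org}/traces/{t['uuid']}"
        events = get(f"{base}/events/summary")["events"]
        advice = get(f"{base}/recommendation")["recommendation"]
        status, state = map_status(t["status"], existing.get(t["uuid"]))
        findings.append({"title": t["title"], "status": status, "state": state,
                         "events": len(events), "recommendation": advice})
    for lib in get(f"/Contrast/api/ng/{org}/libraries/filter?expand=vulns")["libraries"]:
        if lib["vulns"]:  # libraries with zero vulnerabilities create no Finding
            findings.append({"title": lib["file_name"], "vulns": len(lib["vulns"])})
    return findings
```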
If you have any questions, please reach out to support@threadfix.it.
Copyright © 2024 Coalfire. All rights reserved.