- Created by Daniel Colon, last modified on May 15, 2023
Version Feature Changes
New versions of ThreadFix may deprecate, remove, and/or reintroduce features. To view a list of feature changes please see below:
3.3.2
May 2023
Microservice Project support added for Fortify on Demand
3.3.1
February 2023
Improved ThreadFix's ability to identify and parse Fortify SSC external lists and filters, so findings are marked more accurately
Improved the ThreadFix upgrade migration automation with better error handling and recovery
3.3
January 2023
Ingestion Enhancements
ThreadFix File format now supports CVSS score values for both ingestion and export
Fortify SSC/FoD/SCA imports have improved filter parsing to support more of Micro Focus's custom filters
Fortify on Demand now supports dependency findings
Acunetix enhanced false positive support
Contrast findings support greater specificity in filtering on finding types based on finding data
Added Scan Agent configuration support for AppScan Standard and WebInspect allowing custom configuration for these scan agents
SonarQube integration has been updated to support changes in the SonarQube API
Hotspot findings in SonarQube versions 8.9 and 9 are now supported
Earlier SonarQube versions are no longer supported
System Enhancements
Created UI driven customization for report caching times
Added OWASP Top 10 2021 report
API support added for custom severity name
Created a bulk-export for all unmapped vulnerability types to CSV file
Reintroduced Scan File Retention customization to the ThreadFix 3 architecture
Reintroduced LDAP linked SAML Authorization to the ThreadFix 3 architecture
The following Global FPR Filter Set API REST calls have been reintroduced:
Upload Global FPR Filter Set Override 3.X - API
Clear Global FPR Filter Set Override 3.X - API
Additional bug fixes and security enhancements
Removed Features
Acunetix & AppSpider scan agents have been disabled, with plans for re-introduction
Addressed Reported Issues and Security Updates
Importing LDAP users failed if any user had a Title field longer than 60 characters. The limit has been increased to 128 characters.
In some instances, ThreadFix license expiration reminders could be written to the logs repeatedly and degrade performance. Reminders are now logged once per user login.
A manually closed vulnerability could be marked as "re-opened" when a scan that still reported the vulnerability as open was uploaded, even though that scan was dated before the manual close. ThreadFix no longer re-opens a manually closed vulnerability based on a scan dated earlier than the manual close.
3.2
September 2022
Azure DevOps
Significant improvements to the Azure DevOps integration, including:
Support for unique datatypes natively in ThreadFix UI
Performance improvements
UI indication of all required fields
Autocomplete and picklist support of applicable fields
2.X Feature Parity (3.X only)
Implemented the Sonatype remote provider using the new 3.1 ingestion pipeline
Added Remote Provider application names to the Finding Detail page
Integration Enhancements
The following remote providers now ingest and store CVSS values: Acunetix 360, Black Duck, Netsparker, NowSecure, and WhiteHat Sentinel Source
Checkmarx can now ingest additional scanner detail and scanner recommendations for findings
Contrast date management enhancements to provide greater accuracy on finding discovery dates
Improved SonarQube severity mappings
The maximum number of Defect Profiles that can be associated with a single defect tracker has been increased to 1024
Improved filtering of Fortify SSC findings
Addressed Reported Issues and Security Updates
Upgraded dependencies and images including Debian, Kafka, and ActiveMQ
Fixed intermittent import errors with Acunetix 360/Netsparker
WhiteHat API updates to support new requirements from WhiteHat
Improved UI messaging to indicate when all remote providers have been mapped
Improved UI messaging to indicate when an invalid scanId was used
The ThreadFix UI Help button has been adjusted to now direct to the Coalfire Support Portal
3.1.2
May 2022
No feature changes in 3.1.2
3.1.1
April 2022
Note the following changes to features with the introduction of ThreadFix 3.1.1:
Reintroduced
The Check Remote Provider Application Import Status endpoint has been reintroduced
Coverity Remote Provider has been reintroduced
Deprecated and Removed
For other REST API updates, refer to the Change Log
The Black Duck "/remediating" endpoint, deprecated by Black Duck in version 2021.10.0, has been replaced by "/upgrade"
The SSVL Converter Tool deprecated in 3.1 has been removed
3.1
October 2021
Note the following changes to features with the introduction of ThreadFix 3.1:
Deprecated and Removed
Support has been ended for the SSVL Converter
Bi-directional capability for Checkmarx and AppSpider has been removed
Service Delivery/Service Request feature set is no longer supported
Removed the Import All Vulnerabilities remote provider option
Saved scan files on the file system will not be migrated to 3.1 (NOTE: this only impacts the raw scan files. All vulnerability data is fully retained and migrated)
SonarQube Plugin removed from the Tools section. Remote Provider integration still behaves as before.
Support for the following integrations has been removed:
SkipFish
Swamp Scarf
Limitations, Scheduled for Enhancement Post 3.1
Limit of 3000 vulnerabilities when exporting Vulnerability Search data to a .csv file.
Remediation filters do not update automatically in 3.1; they update when a defect status sync call runs. Automatic updating is planned to be reintroduced. (NOTE: this may affect policies created on the basis of these filters)
Absent, Scheduled for Re-introduction Post 3.1
The Disable Vulnerability Merging option when creating a new application has been removed; it is planned to be reintroduced
The Scan File Retention feature has been removed; it is planned to be reintroduced
The Vulnerability Close Settings option, which allows vulnerabilities to be closed only when all scanners report them closed, has been removed; it is planned to be reintroduced
The Scan Agent tool API endpoints have not been migrated; they are planned to be reintroduced
The ability to cancel queued scans has been removed; it is planned to be reintroduced
The Time to Remediate Date policy override has been disabled; it will be reinstated
Dashboard and Analytics page report caching time configuration has been disabled; it is planned to be re-enabled
The Global FPR Filter Set API REST calls have been removed; they are planned to be reintroduced
Support for the following integrations has been removed, with plans for reintroduction:
Acunetix File Importer
Brakeman
Coverity
Dependency Check
Sonatype