As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

📙 You will learn

How to upgrade from 2.8.5.1 to 2.8.6.

Prerequisites

Audience: IT Professional and/or End User
Difficulty: Advanced
Time needed: Approximately 60 minutes
Tools required: Tomcat

ALWAYS PERFORM A FULL BACKUP OF YOUR DATABASE BEFORE ATTEMPTING ANY UPGRADE!

MySQL Server: You can run the mysqldump command from the MySQL server, e.g., mysqldump -u mydbuser -p mydatabase > path/to/backup.sql (we do not recommend using MySQL Workbench to perform the backup).

MS SQL Server: Using SSMS, right-click on the database, select Tasks → Back Up…, then choose the location & name of the backup file and click OK.

If you have any questions or concerns or if you wish to upgrade from an older version of ThreadFix, please reach out to our support team here: support@threadfix.it

ThreadFix Deployment Update

Follow these steps to deploy the updated version of ThreadFix:

  1. Stop the Tomcat instance on which ThreadFix is running.

  2. Move your current ThreadFix deployment directory from your Tomcat webapps folder into a backup directory.

    1. webapps directory location: //TOMCAT_HOME/webapps

  3. Copy the updated ThreadFix folder from your new artifact into your webapps directory.

    1. webapps directory location: //TOMCAT_HOME/webapps

  4. Copy the following files from your backed up ThreadFix directory to the newly updated ThreadFix directory:
    (FROM: <previous-threadfix-deploy>/WEB-INF/classes/TO: <new-threadfix-deploy>/WEB-INF/classes/, except as noted below)

    1. custom.properties

    2. ESAPI.properties (See REQUIRED update below)

      1. Be sure that Log4jfactory is no longer referenced as the ESAPI.Logger in your ESAPI.properties.

      2. Replace with ESAPI.Logger=com.denimgroup.threadfix.logging.esapi.slf4j.CustomESAPISlf4jLogFactory in your upgraded ThreadFix 2.8.5.1 instance.

    3. jdbc.properties

    4. jms.properties

    5. threadfix.license

    6. If you've updated any of these in your previous deployment, copy them as well:

      1. <threadfix-deploy>/WEB-INF/security.xml (See REQUIRED update below)

        • Replace bean definition in security.xml file:
          <bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/>

        • With:
          <bean id="velocityEngine" class="com.denimgroup.threadfix.service.saml.CustomSamlVelocityFactory" factory-method="getEngine"/>

      2. <threadfix-deploy>/WEB-INF/classes/security/samlKeystore.jks (and/or any other Java keystore that you've saved in this directory)

      3. Note: As of version 2.8.5.1, log4j.xml was replaced with logback.xml, so there’s no need to copy log4j.xml from your previous artifact.

        • Any changes that you had made in log4j.xml will need to be made in logback.xml if you want them to persist.

  5. Copy the velocityTemplates directory from your backed up ThreadFix directory to the newly-updated ThreadFix directory.
    (FROM: <previous-threadfix-deployTO:<new-threadfix-deploy>)

     

  6. In Linux environments, you may need to grant your tomcat user/group ownership and permissions to the newly-deployed artifact.
    Examples:

    sudo chown -R tomcat:tomcat /opt/tomcat
    sudo chmod -R 775 /opt/tomcat
    

     

  7. Cleanup - Delete the following:

    1. The contents of the <tomcat-deploy>/work directory

    2. Your web browser's cache/history

Defects created from unmapped vulnerabilities with the default velocity template will appropriately include scanner details.
Defects created from vulnerabilities with dynamic finding data using the default velocity template will not print Parameter: ${parameter} when no parameter is present.

Start Tomcat/ThreadFix

  1. Restart Tomcat/ThreadFix.

  2. Navigate to the login page to ensure that it loads as expected. If so, you may now log in and verify that the new version is installed; the version is included in the page footer after logging in.

When launching the new deployment for the first time after deploying the update, ThreadFix may take a few minutes to make necessary schema updates, so there may be a delay in accessing the login page.

Monitor the <tomcat-deploy>/logs/threadfix.log file to determine when it has finished, look for the second instance of the following event: Finished updating Enterprise Tags.

Please do not interrupt this process by stopping Tomcat.

Table of Contents

  • No labels