ThreadFix Version Release Notes
For REST API updates, refer to the Change Log
3.1.0
October 2021
When upgrading to 3.1 you must first be on latest, 2.8.3.
Security Enhancements
SQL and Pent Test security enhancements [This will be removed?]
Snyk integration security enhancements [This will be removed?]
The two bullets above tie to:
Task TFN-2485 Validate PenTest security fix successfully gets merged in from 2.8/3.0.x
Task TFN-2593 SQL Injection (High, 4)
Task TFN-2594 Information Exposure (High 1, Medium 32, Low 5)
Task TFN-2729 Research and validate Data Access libraries usage of Restriction methods protect against SQL Injection
Story TFN-2589 TF Snyk/assessment vulnerabilities
Task TFN-2590 XML External Entity (XXE) Injection (High 2, Medium 6)
Task TFN-2592 Deserialization of Untrusted Data (High 10, Medium 1)
Task TFN-2595 Denial of Service (DoS) [High 2, Medium 5)
Key Updates
Qualys WAS integration performance enhancement
Improvement DGTF-8386 [Infrastructure] Improve memory management of Qualys integration
Task TFN-1541 UI - Update React to latest stable version
Introduction of Remote Provider UI display cards and associated API
Remote provider import and scan ingestion statuses display on the Scan Queue page
Updates to the Scan Import Queue’s UI tooltips
Update to add a new Queue Management permissions level
New/Updated API
New GET ThreadFix application assets by import request ID API
New GET Remote Provider Import Requests API
New Pending Scan Status API
New Scan Queue Management report view API
Update to Remote Provider Import Request API
General Improvements
Improvements to user login session management
Task DGTF-8433 Update Local/LDAP/SAML login flows to save session information to an external datastore
Task DGTF-8434 Create custom kong plugin to handle additional session active
Task DGTF-8435 Remove session check mechanism from all upstream services
Task DGTF-8436 Update Local/LDAP/SAML logout flows to remove session from the external datastore
Task DGTF-8442 Add a redis configuration to the docker and k8s deployments
Task DGTF-8444 Remove the ability for a single user to have concurrent sessions
Leveraged new architecture to implement self-recovery for scan ingestion
New Scan Ingestion Allow List flag permission toggle for network settings [Tentative]New network vulnerability permissionsTask TFN-1644 Create new Permission for toggling the Scan Ingestion whitelist flag on network settings
Improvements to Manual Vulnerability Actions
Task TFN-2035 Update Manual Vulnerability Actions APIs/Controllers
Story TFN-2088 Update Manual Vulnerability Actions
Task TFN-2089 Reflect Queued Manual Vulnerability Actions in UI/API
Task TFN-2266 Manual Vulnerability Update Technical Design
Miscellaneous tickets not reflected in the key updates/general improvements above
Task TFN-2369 API - Add backend websocket support for Remote Provider Import Requests tab
Improvement DGTF-7849 Refactor of the Defect Tracker
Story TFN-2083 Scan Ingestion Events/Notifications
Task TFN-2155 Review defenses against allowing multiple Remote Provider configurations of the same channel mapping to a single TF App
Task TFN-2178 Configure queue management retention time from environment file for testing queue management page
Task TFN-2455 Consume and store events for scan import activity/history to Event table to match 2.x
Task TFN-2456 Consume and store Vulnerability history to Event table to match 2.x (Scan Uploads)
Story TFN-2499 Queue Management v.2 Report Mode History & Behavior
Story TFN-2589 TF Snyk/assessment vulnerabilities
Task TFN-2615 Disable/remove 3.1 UI elements that don't work anymore
Task TFN-2729 Research and validate Data Access libraries usage of Restriction methods protect against SQL Injection
Task TFN-2752 Snyk: Arbitrary Code Execution affecting hibernate
Task TFN-2785 Snyk: org.jsoup:jsoup - Denial of Service
All tickets selected from Carla/Quico meetings
Improvement DGTF-7849 Refactor of the Defect Tracker
Improvement DGTF-8386 [Infrastructure] Improve memory management of Qualys integration
Task DGTF-8433 Update Local/LDAP/SAML login flows to save session information to an external datastore
Task DGTF-8434 Create custom kong plugin to handle additional session active
Task DGTF-8435 Remove session check mechanism from all upstream services
Task DGTF-8436 Update Local/LDAP/SAML logout flows to remove session from the external datastore
Task DGTF-8442 Add a redis configuration to the docker and k8s deployments
Task DGTF-8444 Remove the ability for a single user to have concurrent sessions
Task TFN-1541 UI - Update React to latest stable version
Task TFN-1644 Create new Permission for toggling the Scan Ingestion whitelist flag on network settings
Task TFN-2035 Update Manual Vulnerability Actions APIs/Controllers
Story TFN-2083 Scan Ingestion Events/Notifications
Story TFN-2088 Update Manual Vulnerability Actions
Task TFN-2089 Reflect Queued Manual Vulnerability Actions in UI/API
Task TFN-2155 Review defenses against allowing multiple Remote Provider configurations of the same channel mapping to a single TF App
Task TFN-2178 Configure queue management retention time from environment file for testing queue management page
Task TFN-2266 Manual Vulnerability Update Technical Design
Story TFN-2277 Queue Management Permissions
Task TFN-2279 Scan Import Queue - Update UI statuses and explanatory tooltips
Task TFN-2281 Remote Provider Import Activity UI Frame Buildout
Task TFN-2284 UI - Apply Full-text tooltip for Scan Import Queue Page
Story TFN-2291 Remote Provider Import Request Tab
Story TFN-2292 UI - Full-text Tooltips
Task TFN-2297 API - GET Remote Provider Import Requests
Task TFN-2306 Pending Scan Status API Endpoint
Task TFN-2307 Scan File Upload Response - Pending Scan Tracking Receipts
Task TFN-2343 Refine available RP import and scan ingestion statuses
Task TFN-2364 API - Get TF app assets by Import request id
Task TFN-2367 Update RP Import Request API to return tracking receipt
Task TFN-2369 API - Add backend websocket support for Remote Provider Import Requests tab
Task TFN-2377 Scan Queue Management API - Add new endpoint to support Report View
Task TFN-2435 Implement Health Check for AppSec Ingestion projects
Task TFN-2451 API - Create an endpoint to support RP card details
Task TFN-2455 Consume and store events for scan import activity/history to Event table to match 2.x
Task TFN-2456 Consume and store Vulnerability history to Event table to match 2.x (Scan Uploads)
Task TFN-2485 Validate PenTest security fix successfully gets merged in from 2.8/3.0.x
Story TFN-2499 Queue Management v.2 Report Mode History & Behavior
Story TFN-2589 TF Snyk/assessment vulnerabilities
Task TFN-2590 XML External Entity (XXE) Injection (High 2, Medium 6)
Task TFN-2592 Deserialization of Untrusted Data (High 10, Medium 1)
Task TFN-2593 SQL Injection (High, 4)
Task TFN-2594 Information Exposure (High 1, Medium 32, Low 5)
Task TFN-2595 Denial of Service (DoS) [High 2, Medium 5)
Task TFN-2615 Disable/remove 3.1 UI elements that don't work anymore
Task TFN-2729 Research and validate Data Access libraries usage of Restriction methods protect against SQL Injection
Task TFN-2752 Snyk: Arbitrary Code Execution affecting hibernate
Task TFN-2785 Snyk: org.jsoup:jsoup - Denial of Service
After 10/19 meeting
Epic TFN-1871 AppSec - VIP Service
Story TFN-1907 Migrate HAM
Task TFN-2547 Migrate GIT Repository Services
Task TFN-2778 Scalability, Stability and Performance Stablization
Sub-task TFN-2825 MS SQL Scan Ingestion Performance Stabilization
Bug TFN-2890 Veracode Single App Scan Updated Date Not Correct
Bug TFN-2893 Unable to extend Time to Remediate date
Bug TFN-2919 Fix MS SQL VulnerabilitySnapshot Generation Query
Feature Changes
Note the following changes to features with the introduction of ThreadFix 3.1:
Deprecated and Removed
Support has been ended for the SSVL Converter
Bi-directional capability for Checkmarx and AppSpider have been removed
Service Delivery/Service Request is no longer supported
Removed the Import All Vulnerabilities remote provider options
Saved scan files on the file system will not be migrated to 3.1
SonarQube Plugin removed from the Tools section. Remote Provider integration still behaves as before
Removed the ability for a single user to have concurrent sessions [need verification]
Limitations, Scheduled for Enhancement Post 3.1
Limit of 3000 vulnerabilities when exporting Vulnerability Search data to a .csv file.
Remediation filters do not update automatically in 3.1, they will update with a defect status call sync. This feature is planned to be reintroduced. Note: this may impact created policies based on these filters, [need QA verification]
Absent, Scheduled for Re-introduction Post 3.1
The Disable Vulnerability Merging option when creating a new application has been removed, this feature is planned to be reintroduced
Scan File Retention feature has been removed, this feature is planned to be reintroduced
The Vulnerability Close Settings option, allowing users to close vulnerabilities only when all scanners report them closed, has been removed, but is planned to be reintroduced
The Scan Agent tool API endpoints have not been migrated, this feature is planned to be reintroduced
The ability to cancel queued scans has been removed, this feature is planned to be reintroduced in the future
Time to Remediate Date policy creation has been disabled, this feature will be reinstated
Dashboard and Analytics page report caching time configuration has been disabled with plans to be re-enabled
The Global FPR Filter Set API REST calls have been removed, with plans to be reintroduced