ThreadFix 2.3RC1 Now Available


We’re excited to have the first Release Candidate for the ThreadFix 2.3 development cycle now available. The team has been hard at work since the 2.2 release and we’re also thrilled to announce contributions from great organizations such as Samsung, Pearson Education, and VirtualForge. The ThreadFix Community has been a great force driving the product’s development and we wouldn’t be where we are without you all.

[Also if you’re interested in learning more about the ThreadFix Community, check out the talk I gave at OWASP LASCON 2015.]

ThreadFix 2.3RC1 can be downloaded from the ThreadFix Download site. We’d love to hear any feedback at our GitHub issue tracker and we’ll work to get the final 2.3 release available soon.

Here are the Release Notes for ThreadFix 2.3RC1:


System Enhancements

  • Adds ability to batch comment on vulnerabilities
  • Adds ability to change severity of imported vulnerabilities
  • Adds ability to create comment-specific and application-specific tags
  • Adds ability to download scans after upload
  • Adds ability to enable strict vulnerability closing process (where all scanners must first confirm that vulnerability is not present)
  • Adds ability to export vulnerability search tree data as SSVL
  • Adds ability to filter vulnerabilities by comments
  • Adds ability to modify vulnerabilities from the team detail page (as was already possible on the application page)
  • Adds ability to save sets of emails as email lists
  • Adds ability to save uploaded scans to specific folder
  • Adds ability to see a vulnerability’s CWE number by hovering over the vulnerability type
  • Adds ability to suppress vulnerabilities of a specified severity for a scanner
  • Adds ability to tag vulnerabilities
  • Adds ability to toggle fields for CSV export
  • Adds defect submission endpoint to the REST API and CLI
  • Adds DISA STIG report to Analytics section
  • Adds HAM support for checkout by Git commit
  • Adds HAM support for Subversion repositories
  • Adds remediation filters for sorting by defect status relative to scanner status
  • Adds support for custom reports plugins to Analytics section
  • Adds support for multi-file uploads that will sort scans by date and upload them sequentially
  • Adds support for WhiteHat Source as a remote provider
  • Adds tag endpoints to REST API
  • Adds the ability to configure a default associated file for the Sonar plugin when a relevant source file cannot be found (such as with dynamic findings)
  • Allows users to edit the description for vulnerabilities found by a scanner
  • Allows users to save a date range to use in filters
  • Expands what data can be exported for reports and allows customization of which fields to export
  • Improves filter performance
  • Improves logging for error messages by including the last commit number
  • Improves VersionOne defect tracker performance
  • Improves warning messages for improper database configurations
  • Improves WhiteHat remote provider performance
  • Incorporates data flow info for static findings into SSVL
  • Incorporates line number info for static findings into SSVL
  • Makes UI improvements to navigation menu
  • Makes UI improvements to System Settings page
  • Various performance and display improvements
  • Adds a message displaying license expiration and application count information on login [Enterprise Feature]
  • Adds a user audit table to display user permissions and time of last login [Enterprise Feature]
  • Adds ability to create groups and assign group permissions and roles [Enterprise Feature]
  • Adds ability to custom map scanner severities to ThreadFix severities [Enterprise Feature]
  • Adds ability to define acceptance policies for applications [Enterprise Feature]
  • Adds ability to set custom names for ThreadFix severities [Enterprise Feature]
  • Adds ability to test LDAP settings from configuration page [Enterprise Feature]
  • Adds comments endpoints to REST API and CLI [Enterprise Feature]
  • Adds email notifications for policy status updates [Enterprise Feature]
  • Adds HAM support for Ruby on Rails [Enterprise Feature]
  • Adds HIPAA/HiTech report to Analytics section [Enterprise Feature]
  • Adds history page, detailing user actions [Enterprise Feature]
  • Adds new notification system, showing recent user actions [Enterprise Feature]
  • Adds support for Active Directory Groups [Enterprise Feature]
  • Adds support for AppSpider as a scan agent [Enterprise Feature]
  • Adds support for HP WebInspect as a scan agent [Enterprise Feature]
  • Adds support for SQL Server 2014 [Enterprise Feature]
  • Allows API Keys to be associated with users and reflect their permissions [Enterprise Feature]
  • Allows users to specify URLs when configuring a scan agent run [Enterprise Feature]
  • Improves security for running Scan Agent tasks [Enterprise Feature]
  • Minor improvements to Scan Agent usability [Enterprise Feature]
  • Improves Enterprise license notifications [Enterprise Feature]
  • Improves error reporting [Enterprise Feature]
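The strict closing option listed above (a vulnerability is only closed once every scanner that reported it has confirmed it is gone) is easy to get wrong when scanners rescan on different schedules. The following is an added illustrative model, not ThreadFix code: scan records, scanner names and vulnerability identifiers are constructed for the example, and the "lenient" branch stands in for the ordinary behaviour where one clean rescan is enough. It shows the case the strict mode exists for: one scanner has rescanned clean while another still sees the issue.

```python
from collections import defaultdict

def vuln_status(scans, strict=True):
    """Derive open/closed status for merged vulnerabilities from a set of scans.

    scans  : iterable of (scanner, scan_date, vuln_ids); scan_date is an ISO
             'YYYY-MM-DD' string, so lexical order is chronological.
    strict : True  -> closed only when *every* scanner that ever reported the
                      vulnerability has a later scan that omits it.
             False -> closed as soon as *any* reporting scanner rescans clean.
    Returns {vuln_id: 'open' | 'closed'}.
    """
    last_seen = defaultdict(dict)  # vuln -> {scanner: date it last reported the vuln}
    cleared = defaultdict(dict)    # vuln -> {scanner: date of its first clean rescan}

    for scanner, date, ids in sorted(scans, key=lambda s: s[1]):
        ids = set(ids)
        # Anything this scanner reported earlier but omits now counts as
        # "confirmed absent" by that scanner only.
        for vuln, seen in last_seen.items():
            if scanner in seen and vuln not in ids and scanner not in cleared[vuln]:
                cleared[vuln][scanner] = date
        # A fresh sighting reopens the vulnerability for that scanner.
        for vuln in ids:
            last_seen[vuln][scanner] = date
            cleared[vuln].pop(scanner, None)

    status = {}
    for vuln, seen in last_seen.items():
        confirming = set(cleared[vuln])
        closed = confirming == set(seen) if strict else bool(confirming)
        status[vuln] = "closed" if closed else "open"
    return status

# Constructed sample data for the example (not real scan output).
SAMPLE_SCANS = [
    ("AppScan", "2015-10-01", {"sqli-login", "xss-search"}),
    ("Burp",    "2015-10-02", {"sqli-login", "xss-search", "csrf-profile"}),
    ("AppScan", "2015-10-15", set()),                         # AppScan rescan: both gone
    ("Burp",    "2015-10-20", {"xss-search", "csrf-profile"}),  # Burp rescan: sqli gone, xss still present
]

if __name__ == "__main__":
    print("strict :", vuln_status(SAMPLE_SCANS, strict=True))
    print("lenient:", vuln_status(SAMPLE_SCANS, strict=False))
```

With the constructed scans, both policies close `sqli-login` (AppScan and Burp each rescanned without it) and leave `csrf-profile` open. They differ on `xss-search`: AppScan's clean rescan is enough under the lenient rule, while the strict rule keeps it open because Burp's latest scan still reports it.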

System Enhancements:

Special thanks to Pearson Education for sponsoring the following features in the Enterprise and Community 2.3RC1 versions

  • Adds ability to set default credentials for defect trackers
  • Adds ability to submit multi-file uploads as a single scan
  • Adds ability to suppress scanner results by scanner severity
  • Adds ability to view custom CWE text from vulnerability search REST endpoint
  • Adds ability to view full URL in vulnerability tree
  • Adds ability to view unmapped finding data via REST API
  • Adds deep linking after authentication
  • Adds multi-file uploads as a single scan endpoint to REST API
  • Adds scan details endpoint to REST API
  • Adds scan list endpoint to REST API
  • Adds set custom CWE text endpoint to REST API
  • Adds support for AppScan Enterprise as a remote provider
  • Adds support for custom CWE remediation advice on defects
  • Adds team and application update endpoints to REST API

System Enhancements:

Special thanks to Samsung for contributing the following features to the Enterprise and Community 2.3RC1 versions

  • Adds ability to schedule email reports for new vulnerabilities
  • Adds ability to select multiple vulnerabilities to review and navigate through
  • Adds ability to set default profiles for submitting defects
  • Adds ability to submit defects from vulnerability details page
  • Adds absolute linking (with email support and defect descriptions)

System Enhancements:

Special thanks to VirtualForge for contributing the following features to the Enterprise and Community 2.3RC1 versions

  • Adds VirtualForge support

Bug Fixes:

  • Various fixes

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.