denimgroup / threadfix
ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.
Reported by [email protected], May 23, 2013
Grant users the ability to either type a target item into a search box, or filter results on the scan history tab by (possible ideas):
* date range
* scanner type
* application
* team
Reported by [email protected], Nov 9, 2012
Provide the option to allow users to select a date range for running reports
Reported by [email protected], Jul 9, 2012
Our WebInspect importer needs more testing with more scan files to make sure that it works. We also need to make sure there are no format changes with the current version and that our vuln DB entries are up to date.
Reported by [email protected], Feb 8, 2013
What steps will reproduce the problem?
What is the expected output? What do you see instead?
VM will either crash ESXi or the VM will lockup
What version of the product are you using? On what operating system?
ESXi 5.1 on a Dell 720 Server
Please provide any additional information below.
Reported by [email protected], May 23, 2013
A lot, but not all, javascript was removed in the 1.2 codebase. There is still some work left to be done there, and the CSP is a very good idea.
Reported by [email protected], May 23, 2013
If I upload a scan file from May 2013 into ThreadFix, then I try to upload a scan file (of the same application) from April 2013 I receive an error message of "A newer scan from this scanner has been uploaded."
This means if I do not upload historical scan data (in order of oldest scan to newest scan), the system will not let me upload the scan at all.
Seems like a user should be able to upload a scan file (unless it's a duplicate of an existing file) regardless of the order in which they upload files.
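As an added illustration of the behaviour requested above (this is example code, not ThreadFix's own upload logic; class and method names are hypothetical), the guard below lets scans for an application be uploaded in any date order and rejects only a byte-identical duplicate, which it recognises by the SHA-256 of the file contents:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added example (not ThreadFix code): scan uploads are accepted regardless of
// their scan date; the only thing that blocks an upload is a file whose bytes
// were already stored for the same application.
public class ScanUploadGuard {

    public enum Decision { ACCEPTED, DUPLICATE }

    // Content hashes already stored, per application. A real deployment would
    // keep this in a database table keyed by application ID.
    private final Map<Integer, Map<String, String>> seenByApp = new HashMap<>();

    public Decision submit(int applicationId, String fileName, byte[] contents) {
        String digest = sha256Hex(contents);
        Map<String, String> seen = seenByApp.computeIfAbsent(applicationId, k -> new HashMap<>());
        if (seen.containsKey(digest)) {
            // Same bytes uploaded before for this application: reject as a duplicate.
            return Decision.DUPLICATE;
        }
        seen.put(digest, fileName);
        return Decision.ACCEPTED;
    }

    static String sha256Hex(byte[] data) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(data)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        ScanUploadGuard guard = new ScanUploadGuard();
        // Constructed stand-ins for a May and an April scan file of application 14.
        byte[] may = "<scan date=\"2013-05-01\"/>".getBytes(StandardCharsets.UTF_8);
        byte[] april = "<scan date=\"2013-04-01\"/>".getBytes(StandardCharsets.UTF_8);

        System.out.println("May upload:        " + guard.submit(14, "may.xml", may));
        // An older scan date does not block the upload.
        System.out.println("April upload:      " + guard.submit(14, "april.xml", april));
        // The same bytes a second time are the only thing that is refused.
        System.out.println("May again:         " + guard.submit(14, "may-copy.xml", may));
    }
}
```

Hashing the raw bytes rather than comparing file names means a renamed copy of an existing upload is still caught, while two genuinely different scans from the same scanner on the same day are both kept.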
Reported by [email protected], May 23, 2013
When tomcat is started the following log is shown:
INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path:
.:/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java
It would be good to track this down and include it in the zip.
Reported by [email protected], Jul 12, 2012
While the output formats haven't changed much, it would be good to rerun these scans to stay up to date.
Reported by [email protected], Jan 19, 2013
Store scan result files that are uploaded. Then they could be downloaded at a later date.
Will need to address a couple of issues:
-File encryption while at rest (can use some form of what we do with issue tracker/service provider credentials)
-File/blob storage (DB or filesystem - will need to make compatible with both the ZIP and VM installations)
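For the first of the two issues listed above, encryption of stored scan files at rest, the following is an added example (not ThreadFix code; the class, the key source and the storage paths are hypothetical). It seals each uploaded file with AES-256-GCM under a key that would come from the same protected configuration as the issue-tracker credentials, and binds the blob's storage path in as associated data so that a ciphertext copied onto another record fails its integrity check:

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not ThreadFix code): encrypt an uploaded scan file before it
// is written to the blob store (database column or filesystem) and decrypt it
// on download. AES-GCM provides confidentiality and an integrity tag.
public class ScanFileVault {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;

    // The key must live outside the store that holds the blobs (e.g. the same
    // protected configuration used for service-provider credentials).
    public ScanFileVault(byte[] rawKey) {
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    // Stored layout: iv (12 bytes) || ciphertext || GCM tag (16 bytes).
    public byte[] seal(byte[] plaintext, String storagePath) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);   // fresh nonce per file; a nonce must never repeat under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(storagePath.getBytes(StandardCharsets.UTF_8));  // bind blob to its record
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    public byte[] open(byte[] sealed, String storagePath) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(sealed, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(sealed, IV_BYTES, sealed.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(storagePath.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(ct);   // AEADBadTagException if the data or the path was altered
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        ScanFileVault vault = new ScanFileVault(kg.generateKey().getEncoded());

        // Constructed scan content and storage path for the demonstration.
        byte[] scan = "<scan tool=\"example\"><vuln/></scan>".getBytes(StandardCharsets.UTF_8);
        String path = "scans/app-14/upload-0001.xml";

        byte[] stored = vault.seal(scan, path);
        byte[] back = vault.open(stored, path);
        System.out.println("round trip intact: " + Arrays.equals(scan, back));

        try {
            vault.open(stored, "scans/app-15/upload-0001.xml");  // blob attached to the wrong record
        } catch (GeneralSecurityException e) {
            System.out.println("rejected relocated blob: " + e.getClass().getSimpleName());
        }
    }
}
```

The same sealed byte array works for either storage back end named in the issue: it can be written to a BLOB column or to a file under the ZIP or VM installation's data directory, since everything needed for decryption except the key is carried inside it.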
Reported by [email protected], May 20, 2013
What steps will reproduce the problem?
1. Navigate to an application in Internet Explorer with multiple pages of vulns
2. Use the go to page feature on the vulnerabilities list once
3. Attempt to use the go to feature again
What is the expected output? What do you see instead?
The user should be able to navigate to multiple pages with the go to feature. Also the user is unable to navigate off the application detail page without refreshing first. Only occurs in Internet Explorer. Release 1.2
Please use labels and text to provide additional information.
Reported by [email protected], May 23, 2013
This would initially operate as a MAILTO: link with a designated email address to send the request access/request scan item. Would need a corresponding configuration page under settings
Reported by [email protected], Nov 9, 2012
Ability to assign vulnerability types to the application owner
Reported by egnambalaji, Mar 11, 2013
Mar 11, 2013 7:54:42 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/share/java/jdk1.6.0_43/jre/lib/i386/server:/usr/share/java/jdk1.6.0_43/jre/lib/i386:/usr/share/java/jdk1.6.0_43/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
Mar 11, 2013 7:54:42 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 540 ms
Mar 11, 2013 7:54:42 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Mar 11, 2013 7:54:42 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.36
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory docs
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Mar 11, 2013 7:54:42 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Mar 11, 2013 7:54:42 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Mar 11, 2013 7:54:42 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/19 config=null
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 638 ms
Thanks
Reported by [email protected], Sep 10, 2012
This is an enhancement request for ThreadFix to support multiple database platforms from the manipulation of a configuration file.
When downloading the ZIP archive, there doesn't seem to be an acceptable method of changing the configuration to use another database platform. For embedded databases, ThreadFix should support HSQL, H2 and Derby at a minimum and for external RDBMS support ThreadFix should support PostgreSQL, MySQL, Microsoft SQL Server and Oracle. PostgreSQL, Microsoft SQL Server and Oracle being critical for Enterprise deployments IMHO.
When configuration has been changed (for example changing from the built-in HSQL to MySQL), ThreadFix should inspect the database upon server startup to ensure the schema exists and that the minimum set of data (if applicable) has been inserted. If not, the schema should automatically be created and populated with any default data if necessary.
Reported by [email protected], Sep 10, 2012
When editing an application after a scan has been uploaded, the 'Project Root' displays. In my case, it appears the directories, packages, and class names are derived from the Fortify FPR import.
The visualization is not meaningful and is very confusing. This should be changed to a more elegant metaphor such as a combination of tree and listgrid. Currently it's presented in a table with radio buttons and no explanation on why things are in certain cells. Only after careful examination does it make sense.
Additionally, only a small portion of the directories, packages and classes are listed so if the project root doesn't exist on this page, there is no way to set it. So, the results need to be dynamic, either through pagination or via ajax whenever a tree is expanded for example.
Reported by [email protected], Aug 16, 2012
We have a plugin for ZAP that connects to ThreadFix to send along scan data. We can create comparable functionality for AppScan via their eXtensions API. (Note: eXtensions are Python or .NET versus our current Java support libraries)
More info on AppScan eXtensions can be found here
http://www.ibm.com/developerworks/rational/downloads/08/appscan_ext_framework/
Reported by [email protected], May 23, 2013
We should use the "W3C HTML validator" to clean up all the ThreadFix HTML.
Reported by [email protected], May 23, 2013
It would be helpful to have more documentation included in-app or at least link to the google code tracker.
Reported by aaron.weaver2, Oct 18, 2012
Feature request for custom fields in a vulnerability. The ability to have either a drop-down list, single field and notes field.
Reported by [email protected], Feb 22, 2013
What steps will reproduce the problem?
Doing this should return to the same page with an error message, but instead allows the scan to be read. Since there is no date this will require another layer of validation on scans.
Reported by [email protected], Mar 19, 2012
What steps will reproduce the problem?
What is the expected output? What do you see instead?
A verification of some sort to ensure that the second scan covered the same functionality as first. However, I see that this might quickly get out of hand with multiple scans.
Some possible solutions for this issue would be to close the issue based on integration with the bugtracker or allow users to manually close issues or allow users to manually reopen issues?
What version of the product are you using? On what operating system?
ThreadFix_1_0_beta7
Please provide any additional information below.
Reported by gnomemade, Nov 11, 2013
Are there any plans to include support for WhiteHat Sentinel Source into Threadfix?
Reported by [email protected], Feb 4, 2013
What steps will reproduce the problem?
The channel column remains, when it should be hidden.
Reported by [email protected], Sep 10, 2012
When importing a Fortify FPR in beta22, the number of vulnerabilities and the criticality (Fortify priority order) is not accurate.
The number of criticals that ThreadFix is displaying is lower than actual.
The number of highs that ThreadFix is displaying is 0, when the actual number is much higher.
The number of mediums that ThreadFix is displaying is much higher than actual.
The number of lows that ThreadFix is displaying is 0, when the actual number is much higher.
I am using the Prioritized High Risk Project Template which is defined in filtertemplate.xml
Reported by [email protected], May 23, 2013
The wiki page is great and all, but providing users with additional help and assistance inside the ThreadFix application could provide for a better user experience.
Reported by [email protected], Sep 17, 2012
When using remote connectors, corporate deployments may have a requirement to use a proxy for outside connections. This proxy may require authentication ( basic/ntlm/etc)
Reported by [email protected], Mar 5, 2013
Add standard deviation to Vulnerability Progress ByType report.
This will allow folks to create a confidence interval.
Reported by [email protected], Feb 6, 2013
What steps will reproduce the problem?
What is the expected output? What do you see instead?
-Expecting API key to be added, but get NPE error below instead.
What version of the product are you using? On what operating system?
-Using version 1.0.1 of the ThreadFix VM appliance in VirtualBox 4.1.22 on Mac OS X 10.7.5
Please provide any additional information below.
-Error:
java.lang.NullPointerException
at java.io.Reader.<init>(Reader.java:78)
at java.io.InputStreamReader.<init>(InputStreamReader.java:97)
at com.denimgroup.threadfix.service.remoteprovider.RemoteProvider.parse(RemoteProvider.java:81)
at com.denimgroup.threadfix.service.remoteprovider.WhiteHatRemoteProvider.fetchApplications(WhiteHatRemoteProvider.java:137)
at com.denimgroup.threadfix.service.remoteprovider.RemoteProviderFactory.fetchApplications(RemoteProviderFactory.java:59)
at com.denimgroup.threadfix.service.RemoteProviderApplicationServiceImpl.getApplications(RemoteProviderApplicationServiceImpl.java:153)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy72.getApplications(Unknown Source)
at com.denimgroup.threadfix.service.RemoteProviderTypeServiceImpl.checkConfiguration(RemoteProviderTypeServiceImpl.java:169)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy73.checkConfiguration(Unknown Source)
at com.denimgroup.threadfix.webapp.controller.RemoteProvidersController.configureFinish(RemoteProvidersController.java:224)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:560)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:471)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:402)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:329)
at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:195)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:159)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.denimgroup.threadfix.webapp.filter.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:212)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.denimgroup.threadfix.webapp.filter.ClickjackHeaderFilter.doFilter(ClickjackHeaderFilter.java:42)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:368)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:679)
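The trace above bottoms out in the Reader constructor, which throws NullPointerException when the stream handed to it is null, so the remote provider's response body was never obtained before parsing started. The following is an added example, not ThreadFix code (the class, the exception type and the provider name are hypothetical), showing a fetch path that checks the HTTP status and the stream before wrapping it in a reader and surfaces a usable error instead:

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;

// Added example (not ThreadFix code): read a remote provider response without
// letting a missing body reach InputStreamReader as a null stream.
public class RemoteResponseGuard {

    public static class RemoteProviderException extends IOException {
        public RemoteProviderException(String message) { super(message); }
    }

    // Read the response body; fails early with a clear message on null input.
    public static String parse(InputStream body, String providerName) throws IOException {
        if (body == null) {
            throw new RemoteProviderException(providerName
                + ": empty response body (verify the API key, endpoint URL and outbound proxy settings)");
        }
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(body, StandardCharsets.UTF_8))) {
            StringBuilder sb = new StringBuilder();
            for (String line; (line = reader.readLine()) != null; ) {
                sb.append(line).append('\n');
            }
            return sb.toString();
        }
    }

    // Fetch through an already-configured connection. A non-2xx status is
    // reported as such rather than passed on to the parser as a null stream.
    public static String fetch(HttpURLConnection conn, String providerName) throws IOException {
        int status = conn.getResponseCode();
        if (status < 200 || status >= 300) {
            throw new RemoteProviderException(providerName + ": HTTP " + status
                + " from " + conn.getURL());
        }
        return parse(conn.getInputStream(), providerName);
    }

    public static void main(String[] args) throws IOException {
        // Constructed response body standing in for a provider's application list.
        InputStream ok = new ByteArrayInputStream(
            "<applications><app id=\"1\"/></applications>".getBytes(StandardCharsets.UTF_8));
        System.out.println(parse(ok, "ExampleProvider").trim());

        try {
            parse(null, "ExampleProvider");   // the condition behind the trace above
        } catch (RemoteProviderException e) {
            System.out.println("handled: " + e.getMessage());
        }
    }
}
```

Reporting the HTTP status and the provider name in the exception message gives the user configuring the API key something actionable in the UI, where the original trace only reached the log.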
Reported by [email protected], Aug 16, 2012
We have an early ZAP plugin that allows ZAP users to pump scans into ThreadFix. Given the supporting Java libraries, it should be pretty easy to port this to BurpSuite
Reported by [email protected], Nov 13, 2012
Rapid7's Nexpose and Metasploit tools are widely used, and should be incorporated into ThreadFix.
Reported by [email protected], Jun 28, 2012
We need a JIRA account to test our integration and build new features.
Reported by [email protected], May 21, 2013
tomcat/logs/catalina.out:
INFO [http-bio-8443-exec-9] QueueSenderImpl.addSubmitDefect(170) | User XYZ is adding a defect submission to the queue for 1 vulnerabilities from Application with ID 14.
INFO [QueueListener-1] DefectService.createDefect(146) | About to submit a defect to Jira.
java.io.IOException: Server returned HTTP response code: 400 for URL: http://**********:8080/rest/api/2/issue
..................
WARN [QueueListener-1] DefectService.createDefect(179) | There was an error submitting the defect to Jira.
INFO [QueueListener-1] JiraDefectTracker.getTrackerError(390) | Attempting to find the reason that JIRA integration failed.
INFO [QueueListener-1] JiraDefectTracker.hasValidUrl(210) | Checking JIRA RPC Endpoint URL.
INFO [QueueListener-1] JiraDefectTracker.hasValidUrl(215) | JIRA URL was valid, returned 401 error.
INFO [QueueListener-1] JiraDefectTracker.hasValidCredentials(174) | Checking JIRA credentials.
INFO [QueueListener-1] JiraDefectTracker.hasValidCredentials(184) | JIRA Credentials are valid.
INFO [QueueListener-1] JiraDefectTracker.getTrackerError(405) | The JIRA integration failed but the cause is not the URL, credentials, or the Project Name.
ThreadFix 1.1 (debian based distribution) and Jira 5.2.8 (openSUSE)
"Update Status from JIRA" works fine for me ("No Defects found, updating information is only useful after creating Defects. Exiting.")
Reported by david.ferrest, Dec 6 (5 days ago)
Hello,
I downloaded the ThreadFix VM. I wanted to connect Qualys as a Remote Provider.
At this moment I did not check any logs. Where should I have a look to identify any application error?
I use the ThreadFix_1_2_VM-disk1.vmdk which comes with the appliance.
Kind regards,
David
Reported by [email protected], Nov 9, 2012
Add support for Cenzic Hailstorm
Reported by [email protected], May 23, 2013
Self explanatory
Reported by [email protected], Nov 12, 2012
i.e. operating system, db, app owner, priority, location (test, staging, production)
Reported by [email protected], Nov 9, 2012
Create a unique ID for each vulnerability/application
Reported by [email protected], Oct 31, 2012
Need the ability to auto-verify that importers are working as planned. This should track:
-Tool
-Tool version
-Across multiple example scans
Need to be able to verify at least correct number of vulns per severity and per type.
Implementation suggestions:
-Use the command-line client
-Create teams / apps based on tool and tool version and specific example file
-Leverage current Selenium test framework if possible (to check vuln counts for severity / type)
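As an added example of the verification described above, and of the kind of discrepancy in the earlier Fortify FPR report (criticals too low, highs reported as 0), the harness below compares the vulnerability counts an importer produces against counts recorded in advance for a specific tool, tool version and example file. It is not ThreadFix code: the scan XML format, the class names and the expected values are all constructed for the illustration, and a real check would run the tool's own file through the importer or the command-line client and compare the counts it reports.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example (not ThreadFix code): check imported counts per severity and
// per vulnerability type against the expectation recorded for one example file.
public class ImporterCheck {

    // Expected counts for one example scan of one tool version.
    static class Expectation {
        final String tool, version, file;
        final Map<String, Integer> bySeverity = new TreeMap<>();
        final Map<String, Integer> byType = new TreeMap<>();
        Expectation(String tool, String version, String file) {
            this.tool = tool; this.version = version; this.file = file;
        }
    }

    // Count <vuln> elements by the value of one attribute.
    static Map<String, Integer> countAttr(Document doc, String attr) {
        Map<String, Integer> counts = new TreeMap<>();
        NodeList vulns = doc.getElementsByTagName("vuln");
        for (int i = 0; i < vulns.getLength(); i++) {
            counts.merge(((Element) vulns.item(i)).getAttribute(attr), 1, Integer::sum);
        }
        return counts;
    }

    // Returns a list of mismatches; empty means the importer matches the expectation.
    static List<String> verify(Expectation exp, byte[] scanXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Scan files are untrusted input: refuse DTDs and external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(scanXml));

        List<String> problems = new ArrayList<>();
        diff(problems, "severity", exp.bySeverity, countAttr(doc, "severity"));
        diff(problems, "type", exp.byType, countAttr(doc, "type"));
        return problems;
    }

    static void diff(List<String> out, String dim, Map<String, Integer> expected, Map<String, Integer> actual) {
        Map<String, Integer> keys = new TreeMap<>(expected);
        keys.putAll(actual);   // union of keys, so unexpected categories are reported too
        for (String k : keys.keySet()) {
            int e = expected.getOrDefault(k, 0), a = actual.getOrDefault(k, 0);
            if (e != a) out.add(dim + " '" + k + "': expected " + e + ", imported " + a);
        }
    }

    public static void main(String[] args) throws Exception {
        Expectation exp = new Expectation("ExampleScanner", "1.0", "example-1.xml");
        exp.bySeverity.put("High", 2); exp.bySeverity.put("Medium", 1);
        exp.byType.put("XSS", 2);      exp.byType.put("SQLi", 1);

        // Constructed import result that matches the recorded expectation.
        String good = "<scan>"
            + "<vuln severity=\"High\" type=\"XSS\"/>"
            + "<vuln severity=\"High\" type=\"SQLi\"/>"
            + "<vuln severity=\"Medium\" type=\"XSS\"/></scan>";
        // Constructed import result where the importer mapped both Highs to Medium.
        String bad = "<scan>"
            + "<vuln severity=\"Medium\" type=\"XSS\"/>"
            + "<vuln severity=\"Medium\" type=\"SQLi\"/>"
            + "<vuln severity=\"Medium\" type=\"XSS\"/></scan>";

        for (String xml : new String[] { good, bad }) {
            List<String> problems = verify(exp, xml.getBytes(StandardCharsets.UTF_8));
            System.out.println(exp.tool + " " + exp.version + " " + exp.file + ": "
                + (problems.isEmpty() ? "counts match" : problems));
        }
    }
}
```

Recording one Expectation per tool, version and example file mirrors the suggestion to create a team or application per combination; the same comparison can be driven from the command-line client's output instead of a parsed document once the expected values exist.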
Reported by [email protected], Aug 29, 2012
It would be good to have a way to migrate from the HSQL database used in the ZIP installation of ThreadFix to the MySQL database used in the VM appliance. This would help support folks who got up and running with the ZIP but then wanted to transition to a better production environment without re-entering data and configurations.
This blog post might have some material that would be helpful:
http://ralf.schaeftlein.de/2012/02/18/migrating-hsqldb-to-mysql/
Reported by [email protected], Nov 9, 2012
Add ability to bulk edit vulnerabilities
Reported by [email protected], May 23, 2013
This feature would walk new users through system setup: (adding users/roles, adding teams/apps, configuring DT and WAFs, etc)
Reported by [email protected], Feb 22, 2013
Add support for the DotDefender WAF:
http://www.applicure.com/Products/dotdefender
[this is based on a request from a presentation at the OWASP Phoenix chapter]
Reported by [email protected], Nov 9, 2012
TF would maintain an audit log of all events, incidents, and activities with time stamp
Reported by [email protected], Jan 15, 2013
Add support for Checkmarx scan file. Exports CSV and XML.
Reported by andrevs, Aug 29, 2012
Currently everything seems to be in place to import the Qualys VM xml file. This can be achieved via the API as well. This would allow for combining the infrastructure results with the web app results to provide a more holistic approach to issues per device/business/application area.
Follow-up comment by kevev1 on Oct 14, 2013
What is the status of this request? I have lots of Qualys xml files that we would like to add to ThreadFix. Thank You.
Reported by [email protected], Feb 26, 2012
The desire is to bring in more context data from the original vulnerability scanner to provide better information about what was merged and why. It should be easy to store more information, but we will need to think a bit about how we standardize this, what scanners support what additional data, etc.
Reported by [email protected], Apr 2, 2013
The VM image should include a compiled version of the command-line interface in a sensible location.
The README should probably also point toward the command-line interface as well as the documentation.
Reported by [email protected], Jan 28, 2013
Add import support for McAfee Secure outputs (either via files or web services API).
Reported by [email protected], Feb 22, 2013
feature request submitted by BPeckham
When I say automate, I mean using the ASE web services API (http://publib.boulder.ibm.com/infocenter/asehelp/v8r0m0/index.jsp?topic=/com.ibm.ase.help.doc/topics/c_webservices_overview.html) to automate the exporting and importing of the reports. In other words, for a 'project' in threadfix allow a user to specify an ASE report URL for that project. Threadfix could then use the ASE web services API to grab the issues from the report and import them into threadfix. Furthermore, it should allow users to specify a schedule to poll the report URL for updates as well as have an option to manually poll to get latest.
Reported by [email protected], Mar 27, 2013
What steps will reproduce the problem?
1. Choose an application and add burp channel for scans
2. Attempt to upload a non burp scan (I used a fortify scan)
3.
What is the expected output? What do you see instead?
Error message describing correct burp scan format to upload
What version of the product are you using? On what operating system?
1.1 running on windows 7
Please provide any additional information below.