denimgroup / threadfix Goto Github PK

Reported by [email protected], Nov 9, 2012
Add support for Cenzic Hailstorm

Reported by [email protected], Aug 16, 2012
We have an early ZAP plugin that allows ZAP users to pump scans into ThreadFix. Given the supporting Java libraries, it should be pretty easy to port this to BurpSuite

Reported by [email protected], Nov 13, 2012
Rapid7's Nexpose and Metasploit tools are widely used, and should be incorporated into ThreadFix.

Reported by [email protected], Feb 22, 2013
Add support for the DotDefender WAF:
http://www.applicure.com/Products/dotdefender

[this is based on a request from a presentation at the OWASP Phoenix chapter]

Reported by david.ferrest, Dec 6 (5 days ago)
Hello,

I downloaded the ThreadFix VM. I wanted to connect Qualys as a Remote Provider.

1. The tutorial "http://code.google.com/p/threadfix/wiki/RemoteProviders" contains a wrong picture in step 4. The picture refers to Veracode.
2. The tutorial is missing, that access to the Qualys API is needed, which has to be configured in the Qualys User settings.
3. The necessary permissions in Qualys has been configured, but providing the correct credentials to the TreadFix VM in the Qualys Remote Provider Configuration did always lead to the error message "We were unable to retrieve a list of applications using these credentials...."
   Checking the Activity Log in Qualys revealed that no login attempt was received. Therefore my suggestion is that the appliance does not work out of the box.
   Connection problems are not the issue since Ubuntu updates work.

At this moment I did not check any logs. Where should I have a look to identify any application error?

I use the ThreadFix_1_2_VM-disk1.vmdk which comes with the appliance.

Kind regards,
David

Reported by [email protected], Sep 17, 2012
When using remote connectors, corporate deployments may have a requirement to use a proxy for outside connections. This proxy may require authentication ( basic/ntlm/etc)

Reported by [email protected], Jul 12, 2012
While the output formats haven't changed much, it would be good to rerun these scans to stay up to date.

Reported by [email protected], Feb 22, 2013
feature request submitted by BPeckham

When I say automate, I mean using the ASE web services API (http://publib.boulder.ibm.com/infocenter/asehelp/v8r0m0/index.jsp?topic=/com.ibm.ase.help.doc/topics/c_webservices_overview.html) to automate the exporting and importing of the reports. In other words, for a 'project' in threadfix allow a user to specify an ASE report URL for that project. Threadfix could then use the ASE web services API to grab the issues from the report and import them into threadfix. Furthermore, it should allow users to specify a schedule to poll the report URL for updates as well as have an option to manually poll to get latest.

Reported by [email protected], May 23, 2013
A lot, but not all, javascript was removed in the 1.2 codebase. There is still some work left to be done there, and the CSP is a very good idea.

Reported by [email protected], May 23, 2013
This would initially operate as a MAILTO: link with a designated email address to send the request access/request scan item. Would need a corresponding configuration page under settings

Reported by andrevs, Aug 29, 2012

Currently everything seems to be in place to import the Qualys VM xml file. This can be achieved via the API as well. This would allow for combining the infrastructure results with the web app results to provide a more holistic approach to issues per device/business/application area.

Follow-up comment by kevev1 on Oct 14, 2013

What is the status of this request? I have lots of Qualys xml files that we would like to add to ThreadFix. Thank You.

Reported by [email protected], Jan 15, 2013

Add support for Checkmarx scan file. Exports CSV and XML.

Reported by [email protected], Feb 8, 2013
What steps will reproduce the problem?

1. Created a new VM using the steps provided
2. Start the VM

What is the expected output? What do you see instead?
VM will either crash ESXi or the VM will lockup

What version of the product are you using? On what operating system?
ESXi 5.1 on a Dell 720 Server

Please provide any additional information below.

Reported by [email protected], Nov 9, 2012
Ability to assign vulnerability types to the application owner

Reported by [email protected], May 20, 2013
What steps will reproduce the problem?
1.Navigate to an application in Internet Explorer with multiple pages of vulns
2.Use the go to page feature on the vulnerabilities list once
3. Attempt to use the go to feature again

What is the expected output? What do you see instead?
The user should be able to navigate to multiple pages with the go to feature. Also the user is unable to navigate off the application detail page without refreshing first. Only occurs in Internet Explorer. Release1.2

Please use labels and text to provide additional information.

Reported by [email protected], Jun 28, 2012
We need a JIRA account to test our integration and build new features.

Reported by [email protected], May 23, 2013
Self explanitory

Reported by [email protected], Feb 22, 2013
What steps will reproduce the problem?

1. Create an org, app, and then upload a scan with no date entries
2. Upload the same scan to the same app

Doing this should return to the same page with an error message, but instead allows the scan to be read. Since there is no date this will require another layer of validation on scans.

Reported by [email protected], May 23, 2013
It would be helpful to have more documentation included in-app or at least link to the google code tracker.

Reported by [email protected], Nov 12, 2012
ie. operating system, db, app owner, priority, location (test, staging, production)

Reported by [email protected], May 23, 2013
The wiki page is great and all, but providing users with additional help and assistance inside the ThreadFix application could provide for a better user experience.

Reported by [email protected], Sep 10, 2012
When editing an application after a scan has been uploaded, the 'Project Root' displays. In my case, it appears the directories, packages, and class names are derived from the Fortify FPR import.

The visualization is not meaningful and is very confusing. This should be changed to a more elegant metaphor such as a combination of tree and listgrid. Currently it's presented in a table with radio buttons and no explanation on why things are in certain cells. Only after careful examination does it make sense.

Additionally, only a small portion of the directories, packages and classes are listed so if the project root doesn't exist on this page, there is no way to set it. So, the results need to be dynamic, either through pagination or via ajax whenever a tree is expanded for example.

Reported by gnomemade, Nov 11, 2013
Are there any plans to include support for WhiteHat Sentinel Source into Threadfix?

Reported by [email protected], Mar 5, 2013

Add standard deviation to Vulnerability Progress ByType report.

This will allow folks to create a confidence interval.

Reported by [email protected], Aug 16, 2012
We have a plugin for ZAP that connects to ThreadFix to send along scan data. We can create comparable functionality for AppScan via their eXtensions API. (Note: eXtensions are Python or .NET versus our current Java support libraries)

More info on AppScan eXtensions can be found here
http://www.ibm.com/developerworks/rational/downloads/08/appscan_ext_framework/

Reported by [email protected], Sep 10, 2012
When importing a Fortify FPR in beta22, the number of vulnerabilities and the criticality (Fortify priority order) is not accurate.

The number of criticals that ThreadFix is displaying is lower than actual.

The number of highs that ThreadFix is displaying is 0, when the actual number is much higher.

The number of mediums that ThreadFix is displaying is much higher than actual.

The number of lows that ThreadFix is displaying is 0, when the actual number is much higher.

I am using the Prioritized High Risk Project Template which is defined in filtertemplate.xml

Reported by [email protected], May 23, 2013
We should use the "W3C HTML validator" to clean up all the ThreadFix HTML.

Reported by [email protected], May 23, 2013
When tomcat is started the following log is shown:

INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path:
.:/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java

It would be good to track this down and include it in the zip.

Reported by [email protected], Feb 26, 2012
The desire is to bring in more context data from the original vulnerability scanner to provide better information about what was merged and why. It should be easy to store more information, but we will need to think a bit about how we standardize this, what scanners support what additional data, etc.

Reported by [email protected], Nov 9, 2012
Add ability to bulk edit vulnerabilities

Reported by [email protected], Oct 31, 2012
Need the ability to auto-verify that importers are working as planned. This should track:
-Tool
-Tool version
-Across multiple example scans

Need to be able to verify at least correct number of vulns per severity and per type.

Implementation suggestions:
-Use the command-line client
-Create teams / apps based on tool and tool version and specific example file
-Leverage current Selenium test framework if possible (to check vuln counts for severity / type)

Reported by [email protected], Aug 29, 2012
It would be good to have a way to migrate from the HSQL database used in the ZIP installation of ThreadFix to the MySQL database used in the VM appliance. This would help support folks who got up and running with the ZIP but then wanted to transition to a better production environment without re-entering data and configurations.

This blog post might have some material that would be helpful:
http://ralf.schaeftlein.de/2012/02/18/migrating-hsqldb-to-mysql/

Reported by [email protected], May 23, 2013
Grant users the ability to either type a target item into a search box, or filter results on the scan history tab by (possible ideas):

*date range
*scanner type
*application
*team

Reported by [email protected], May 21, 2013

What steps will reproduce the problem?

1. add defect tracker (JIRA)
2. add team
3. add application
4. add vulnerabilities
5. tried submit the vuln. to defect tracker -> not working

What is the expected output? What do you see instead?

tomcat/logs/catalina.out:

INFO [http-bio-8443-exec-9] QueueSenderImpl.addSubmitDefect(170) | User XYZ is adding a defect submission to the queue for 1 vulnerabilities from Application with ID 14.
INFO [QueueListener-1] DefectService.createDefect(146) | About to submit a defect to Jira.
java.io.IOException: Server returned HTTP response code: 400 for URL: http://**********:8080/rest/api/2/issue
..................
WARN [QueueListener-1] DefectService.createDefect(179) | There was an error submitting the defect to Jira.
INFO [QueueListener-1] JiraDefectTracker.getTrackerError(390) | Attempting to find the reason that JIRA integration failed.
INFO [QueueListener-1] JiraDefectTracker.hasValidUrl(210) | Checking JIRA RPC Endpoint URL.
INFO [QueueListener-1] JiraDefectTracker.hasValidUrl(215) | JIRA URL was valid, returned 401 error.
INFO [QueueListener-1] JiraDefectTracker.hasValidCredentials(174) | Checking JIRA credentials.
INFO [QueueListener-1] JiraDefectTracker.hasValidCredentials(184) | JIRA Credentials are valid.
INFO [QueueListener-1] JiraDefectTracker.getTrackerError(405) | The JIRA integration failed but the cause is not the URL, credentials, or the Project Name.

What version of the product are you using? On what operating system?

ThreadFix 1.1 (debian based distribution) and Jira 5.2.8 (openSUSE)

Please provide any additional information below.

"Update Status from JIRA" works fine for me ("No Defects found, updating information is only useful after creating Defects. Exiting.")

Reported by [email protected], Jan 19, 2013
Store scan result files that are uploaded. Then they could be downloaded at a later date.

Will need to address a couple of issues:
-File encryption while at rest (can use some form of what we do with issue tracker/service provider credentials)
-File/blob storage (DB or filesystem - will need to make compatible with both the ZIP and VM installations)

Reported by [email protected], May 23, 2013
If I upload a scan file from May 2013 into ThreadFix, then I try to upload a scan file (of the same application) from April 2013 I receive an error message of "A newer scan from this scanner has been uploaded."

This means if I do not upload historical scan data (in order of oldest scan to newest scan), the system will not let me upload the scan at all.

Seems like a user should be able to upload a scan file (unless it's a duplicate of an existing file) regardless of the order in which they upload files.

Reported by [email protected], Feb 6, 2013
What steps will reproduce the problem?

1. Attempt to add a WhitHat Sentinel API Key under "Remote Providers."
2. Paste key into "API Key:" field and click the "Save" button.
3. Receive error.

What is the expected output? What do you see instead?
-Expecting API key to be added, but get NPE error below instead.

What version of the product are you using? On what operating system?
-Using version 1.0.1 of the ThreadFix VM appliance in VirtualBox 4.1.22 on Mac OS X 10.7.5

Please provide any additional information below.
-Error:
java.lang.NullPointerException
at java.io.Reader.(Reader.java:78)
at java.io.InputStreamReader.(InputStreamReader.java:97)
at com.denimgroup.threadfix.service.remoteprovider.RemoteProvider.parse(RemoteProvider.java:81)
at com.denimgroup.threadfix.service.remoteprovider.WhiteHatRemoteProvider.fetchApplications(WhiteHatRemoteProvider.java:137)
at com.denimgroup.threadfix.service.remoteprovider.RemoteProviderFactory.fetchApplications(RemoteProviderFactory.java:59)
at com.denimgroup.threadfix.service.RemoteProviderApplicationServiceImpl.getApplications(RemoteProviderApplicationServiceImpl.java:153)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy72.getApplications(Unknown Source)
at com.denimgroup.threadfix.service.RemoteProviderTypeServiceImpl.checkConfiguration(RemoteProviderTypeServiceImpl.java:169)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy73.checkConfiguration(Unknown Source)
at com.denimgroup.threadfix.webapp.controller.RemoteProvidersController.configureFinish(RemoteProvidersController.java:224)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:560)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:471)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:402)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:329)
at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:195)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:159)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.denimgroup.threadfix.webapp.filter.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:212)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.denimgroup.threadfix.webapp.filter.ClickjackHeaderFilter.doFilter(ClickjackHeaderFilter.java:42)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129)
at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:368)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:679)

Reported by [email protected], May 23, 2013
This feature would walk new users through system setup: (adding users/roles, adding teams/apps, configuring DT and WAFs, etc)

Reported by [email protected], Mar 19, 2012
What steps will reproduce the problem?

1. I performed a complete scan of an application and uploaded results.
2. Then I scanned a subset functionality of the same app for verification of some issue fixes.
3. When I uploaded the second scan, ThreadFix seem to assume that all the issues that are missing in the second scan have been fixed. In my case, the issues were missing because I did not test the entire app the second time.

What is the expected output? What do you see instead?
A verification of some sort to ensure that the second scan covered the same functionality as first. However, I see that this might quickly get out of hand with multiple scans.
Some possible solutions for this issue would be to close the issue based on integration with the bugtracker or allow users to manually close issues or allow users to manually reopen issues?

What version of the product are you using? On what operating system?
ThreadFix_1_0_beta7

Please provide any additional information below.

Reported by egnambalaji, Mar 11, 2013
Mar 11, 2013 7:54:42 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/share/java/jdk1.6.0_43/jre/lib/i386/server:/usr/share/java/jdk1.6.0_43/jre/lib/i386:/usr/share/java/jdk1.6.0_43/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
Mar 11, 2013 7:54:42 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 540 ms
Mar 11, 2013 7:54:42 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Mar 11, 2013 7:54:42 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.36
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory docs
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Mar 11, 2013 7:54:42 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Mar 11, 2013 7:54:42 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Mar 11, 2013 7:54:42 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/19 config=null
Mar 11, 2013 7:54:42 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 638 ms

Thanks

Reported by aaron.weaver2, Oct 18, 2012

Feature request for custom fields in a vulnerability. The ability to have either a drop-down list, single field and notes field.

Reported by [email protected], Nov 9, 2012
Create a unique ID for each vulnerability/application

Reported by [email protected], Apr 2, 2013
The VM image should include a compiled version of the command-line interface in a sensible location.

The README should probably also point toward the command-line interface as well as the documentation.

Reported by [email protected], Jul 9, 2012
Our WebInspect importer needs more testing with more scan files to make sure that it works. We also need to make sure there are no format changes with the current version and that our vuln DB entries are up to date.

Reported by [email protected], Nov 9, 2012
Provide the option to allow users to select a date range for running reports

Reported by [email protected], Jan 28, 2013
Add import support for McAfee Secure outputs (either via files or web services API).

Reported by [email protected], Feb 4, 2013
What steps will reproduce the problem?

1. Create an org / app / upload 2 scans on different channels
2. Delete one of the scans
3. Click Reports and select "Channel Comparison By Vulnerability Types" from the drop down.

The channel column remains, when it should be hidden.

Reported by [email protected], Nov 9, 2012
TF would maintain an audit log of all events, incidents, and activities with time stamp

Reported by [email protected], Mar 27, 2013
What steps will reproduce the problem?
1.Choose an application and add burp channel for scans
2.attempt to upload a non burp scan (I used a fortify scan)
3.

What is the expected output? What do you see instead?
Error message describing correct burp scan format to upload

What version of the product are you using? On what operating system?
1.1 running on windows 7

Please provide any additional information below.

Reported by [email protected], Sep 10, 2012
This is an enhancement request for ThreadFix to support multiple database platforms from the manipulation of a configuration file.

When downloading the ZIP archive, there doesn't seem to be an acceptable method of changing the configuration to use another database platform. For embedded databases, ThreadFix should support HSQL, H2 and Derby at a minimum and for external RDMS support ThreadFix should support PostgreSQL, MySQL, Microsoft SQL Server and Oracle. PostgreSQL, Microsoft SQL Server and Oracle being critical for Enterprise deployments IMHO.

When configuration has been changed (for example changing from the built-in HSQL to MySQL), ThreadFix should inspect the database upon server startup to ensure the schema exists and that the minimum set of data (if applicable) has been inserted. If not, the schema should automatically be created and populated with any default data if necessary.