...

This page describes how to integrate Mend (formerly WhiteSource) with the ThreadFix AVM application and how to enable the integration to display information on the security vulnerabilities of your components. The integration provides a dashboard with a summary view of the vulnerability assessment for the user's ThreadFix deployment.

For more details about Mend integration with AVM applications, see Application Vulnerability Management (AVM) Platforms Mend Integration.

Prerequisites for Installing the AVM Agent for the ThreadFix AVM Platform

  • ThreadFix version 2.6, 2.7, or 2.8.

  • A ThreadFix user with administrator privileges. Alternatively, the following are the minimum permissions a ThreadFix user needs in order to operate the Mend ThreadFix Agent:

    • Read Access (Any Role): User can read applications and application versions.

    • Manage Application: Allows user to add applications to teams, delete applications, edit details, and add documents to existing applications. Allows user to change the properties of the application.

    • Tag Vulnerabilities: Allows users to add or remove tags from vulnerabilities.

    • Upload Scans: Allows users to upload scans from scan agents into ThreadFix for vulnerability tracking and reporting.

    • Modify Vulnerabilities: Allows users to close vulnerabilities and change tags.

    • Manage Tags: Allows users to create or edit tags.

    • Manage Teams: Allows users to create or delete teams.

  • Custom Scanner must be added to ThreadFix. See here for details.

Add Mend Scanner to ThreadFix

The "Mend" scanner must be added to ThreadFix. See here in the ThreadFix Software user guide. After setup, select Administration > System Settings and confirm that the Mend scanner is displayed in the System Settings page.

...

If you want to use a specific Team to synchronize alerts, you must explicitly set the threadfix.team.name configuration parameter; otherwise, the Mend organization name is used to create a new Team.

...

In Offline mode, the vulnerability alerts can be saved to a file in the ThreadFix file format (see here). In Online mode, by contrast, the Agent extracts data from Mend via HTTPS and Mend then sends it to ThreadFix via the REST API. The Offline mode option is useful when there is no connectivity (or only limited connectivity) to ThreadFix.

When the configuration file is switched to Offline mode, every execution of the Mend ThreadFix Agent stores the current configuration and metadata in a JSON file named WS_<application-name>_@_<application-version>_@_<scan-date_time>.threadfix. The content of the file follows the ThreadFix File Format. The JSON file includes the vulnerability alerts and related metadata. The output is written to a newly created Mend directory under the current working directory ($pwd or %cd%). Once the Mend Scanner has been properly defined in ThreadFix, this file can later be uploaded manually to a specific application from its Scans section.

  • <application-name> is the value set in the Mend product/project tag AVM.application.name

  • <application-version> is the value set in the Mend product/project tag AVM.application.version. If it is not set, the default value 1.0 is used.
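The following Python helpers are an added illustration, not the Agent's own code, of two rules stated above: the Offline mode output filename WS_<application-name>_@_<application-version>_@_<scan-date_time>.threadfix with its 1.0 version default, and the threadfix.team.name fallback to the Mend organization name. The output directory name, the timestamp format, and the treatment of a missing application name are assumptions, since the page does not specify them; the sample tags and timestamp are constructed.

```python
"""Helpers mirroring the naming and configuration rules of the Mend ThreadFix Agent's Offline mode."""
import re
from datetime import datetime
from pathlib import Path

# Page fact: the application version defaults to 1.0 when the tag is unset.
DEFAULT_APP_VERSION = "1.0"
# Assumption: the page only says the file lands in a newly created directory under
# the current working directory; the directory name here is a placeholder.
OUTPUT_DIR_NAME = "mend"
# Assumption: the page gives the placeholder <scan-date_time> without a concrete format.
SCAN_TIME_FORMAT = "%Y-%m-%d_%H-%M-%S"

FILENAME_RE = re.compile(
    r"^WS_(?P<app>.+?)_@_(?P<version>.+?)_@_(?P<stamp>[^@]+?)\.threadfix$"
)


def resolve_team_name(config: dict, org_name: str) -> str:
    """threadfix.team.name wins when set; otherwise the Mend organization name names the Team."""
    team = (config.get("threadfix.team.name") or "").strip()
    return team or org_name


def build_offline_filename(tags: dict, scan_time: datetime) -> str:
    """Build WS_<application-name>_@_<application-version>_@_<scan-date_time>.threadfix."""
    app = (tags.get("AVM.application.name") or "").strip()
    if not app:
        # Assumption: the page states no default for the name, so treat it as required.
        raise ValueError("AVM.application.name tag is required for Offline mode output")
    version = (tags.get("AVM.application.version") or "").strip() or DEFAULT_APP_VERSION
    return f"WS_{app}_@_{version}_@_{scan_time.strftime(SCAN_TIME_FORMAT)}.threadfix"


def parse_offline_filename(name: str) -> dict:
    """Recover application, version and scan time from an Offline mode filename."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"not an Offline mode output filename: {name}")
    return {
        "application": m.group("app"),
        "version": m.group("version"),
        "scan_time": datetime.strptime(m.group("stamp"), SCAN_TIME_FORMAT),
    }


def offline_output_path(cwd: str, tags: dict, scan_time: datetime) -> Path:
    """Full path of the output file: <cwd>/<output dir>/<filename>."""
    return Path(cwd) / OUTPUT_DIR_NAME / build_offline_filename(tags, scan_time)


def example_run() -> dict:
    """Constructed sample: the page's QA_Tests_Product application with no version tag set."""
    tags = {"AVM.application.name": "QA_Tests_Product"}
    when = datetime(2023, 1, 2, 3, 4, 5)  # constructed timestamp
    path = offline_output_path("/work", tags, when)
    return {
        "path": path.as_posix(),
        "parsed": parse_offline_filename(path.name),
        "team_default": resolve_team_name({}, "AcmeOrg"),
        "team_explicit": resolve_team_name({"threadfix.team.name": "AppSec"}, "AcmeOrg"),
    }


if __name__ == "__main__":
    for key, value in example_run().items():
        print(f"{key}: {value}")
```

The parser is handy when auditing a directory of Offline mode files before uploading them manually: it lets you confirm which application and version each file belongs to and that the version default was applied where the tag was missing.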

...

The following screenshot displays the initial Dashboard view, showing the recent uploads of scan results from Mend to ThreadFix. In this example there is a single application, QA_Tests_Product, with two vulnerabilities.

...

  • Clicking a specific application inside the Recent Uploads panel displays its vulnerabilities.

  • Clicking the View More link in a specific vulnerability displays its Mend information.

The following screenshot displays the results of clicking View More for the CVE-2017-5645 entry, including details on the vulnerability:

...

Effective Usage Analysis (EUA) data is visible only to customers who purchased Prioritize and scanned their projects and products in Mend.

The Effective Usage Analysis result is shown as a new tag on a specific vulnerability in the application.

...

The following table describes the correspondence between the EUA text shown in ThreadFix and the shields shown in Mend. For more information on the shields, refer to the Prioritize documentation.

  ThreadFix        Mend
  Effective        Red Shield
  Indirect Risk    Green Shield
  Undetermined     Yellow Shield
  other            Grey Shield

...