
Overview

This page provides information on how to integrate Mend with the ThreadFix AVM application, and how to enable the integration to display information on the components' security vulnerabilities. The integration provides a dashboard that includes a summary view displaying the vulnerability assessment for the user’s ThreadFix deployment.

For more details about Mend integration with AVM applications, see Application Vulnerability Management (AVM) Platforms Mend Integration.

Prerequisites for Installing the AVM Agent for the ThreadFix AVM Platform

  • ThreadFix version 2.6, 2.7 or 2.8.

  • A ThreadFix user with administrator privileges, or a user granted at least the following permissions, which are the minimum the Mend ThreadFix Agent needs. The avm.apikey the agent uses acts with that user's rights, so a dedicated account limited to these permissions is preferable to a full administrator:

    • Read Access (Any Role): User can read applications and application versions.

    • Manage Application: Allows the user to add applications to teams, delete applications, edit details, add documents to existing applications, and change application properties.

    • Tag Vulnerabilities: Allows the user to add or remove tags from vulnerabilities.

    • Upload Scans: Allows the user to upload scans from scan agents into ThreadFix for vulnerability tracking and reporting.

    • Modify Vulnerabilities: Allows the user to close vulnerabilities and change tags.

    • Manage Tags: Allows the user to create or edit tags.

    • Manage Teams: Allows the user to create or delete teams.

  • The Mend custom scanner must be added to ThreadFix. See here for details.

Add Mend Scanner to ThreadFix

The "Mend" scanner must be added to ThreadFix as a custom scanner. See here in the ThreadFix Software user guide. After setup, select Administration > System Settings and confirm that the Mend scanner is listed on the System Settings page; uploads from the agent will fail to be attributed correctly until it is.


Installing and Running the AVM Agent for ThreadFix

Instructions and the parameters required for the configuration of the AVM agent can be found here.

The following parameters are specific to ThreadFix:

  • avm.name must be set to threadfix

  • avm.apikey must be set to the API Key shown in the ThreadFix Dashboard (see here).

If you want alerts synchronized into a specific Team, set the threadfix.team.name configuration parameter explicitly; otherwise the agent creates a new Team named after the Mend organization.

NOTE: The avm.user and avm.pass parameters are not used for ThreadFix; authentication is by API key only.

Generate Offline Reports for ThreadFix (Optional)

In Offline mode, the vulnerability alerts are saved to a file in the ThreadFix file format (see here) instead of being sent to ThreadFix. In Online mode, by contrast, the Mend ThreadFix Agent extracts data from Mend via HTTPS and then pushes it to ThreadFix via the ThreadFix REST API. Offline mode is useful when the agent has no connectivity (or limited connectivity) to ThreadFix.

When the configuration file is switched to Offline mode, every execution of the Mend ThreadFix Agent stores the current configuration and metadata in a JSON file named WS_<application-name>_@_<application-version>_@_<scan-date_time>.threadfix. The content of the file follows the ThreadFix File Format and includes the vulnerability alerts and their related metadata. The output is written to a newly created Mend directory under the current working directory ($pwd or %cd%). The file can later be uploaded manually to a specific application within ThreadFix from its Scans section, provided the Mend scanner has been added to ThreadFix as described above.

  • <application-name> is the value set in the Mend product/project tag AVM.application.name

  • <application-version> is the value set in the Mend product/project tag AVM.application.version. If it is not set, the default value 1.0 is used.

Uploading an Offline Request File

Upload via the command line:

Execute the AVM Agent with the -requestFiles flag, specifying the full path to the WS_<application-name>_@_<application-version>_@_<scan-date_time>.threadfix file(s) created in the previous section. To send more than one file, separate the paths with commas.

    java -jar /path/to/jar/whitesource-avm-agent-*.jar -requestFiles <full-file-path1>[,<full-file-path2>]
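The offline procedure above (generate the .threadfix files, then upload them with -requestFiles) has two easy mistakes: application names such as QA_Tests_Product contain underscores themselves, so the file name must be split on the literal _@_ delimiter, and a truncated export would otherwise be uploaded as-is. The following Python helper is an added example, not code from Mend's documentation or the agent. It assumes only what the page states (the Mend output directory, the WS_<application-name>_@_<application-version>_@_<scan-date_time>.threadfix naming, JSON content, and a comma-separated -requestFiles list); the jar path, the date/time token and the JSON bodies in demo() are constructed placeholders, and neither the date format nor the ThreadFix file schema is assumed.

```python
"""Stage offline Mend ThreadFix Agent exports for a -requestFiles upload.

Added example, not Mend's code. Assumes only what the page states: offline runs write
WS_<application-name>_@_<application-version>_@_<scan-date_time>.threadfix files into a
"Mend" directory under the working directory, the files are JSON, and -requestFiles takes
a comma-separated list of full paths. The <scan-date_time> format and the ThreadFix JSON
schema are not assumed; a file is only checked to be well-formed JSON before it is listed.
"""
import json
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Split on the literal "_@_" delimiter, not on "_": application names such as
# QA_Tests_Product legitimately contain underscores.
NAME_RE = re.compile(r"^WS_(?P<app>.+?)_@_(?P<version>.+?)_@_(?P<scan>.+)\.threadfix$")


@dataclass(frozen=True)
class OfflineFile:
    path: Path
    application: str
    version: str
    scan_time: str


def parse_offline_name(path):
    """Return an OfflineFile for a well-formed offline file name, else None."""
    m = NAME_RE.match(Path(path).name)
    if m is None:
        return None
    return OfflineFile(Path(path), m["app"], m["version"], m["scan"])


def collect_offline_files(mend_dir):
    """Return (uploadable, skipped) for the .threadfix files in mend_dir.

    A file is skipped when its name does not follow the agent's pattern or when it is
    not parseable JSON (for example a truncated export), so it is not pushed to ThreadFix.
    """
    uploadable, skipped = [], []
    for p in sorted(Path(mend_dir).glob("*.threadfix")):
        parsed = parse_offline_name(p)
        if parsed is None:
            skipped.append(p.name)
            continue
        try:
            with p.open("r", encoding="utf-8") as fh:
                json.load(fh)
        except (OSError, ValueError):
            skipped.append(p.name)
            continue
        uploadable.append(parsed)
    return uploadable, skipped


def request_files_argument(files):
    """Join absolute paths with commas, the form -requestFiles expects.

    A comma inside a path cannot be escaped in that list, so refuse it instead of letting
    the agent split one path into two non-existent ones.
    """
    full_paths = []
    for f in files:
        full = str(f.path.resolve())
        if "," in full:
            raise ValueError(f"path contains a comma and cannot be passed via -requestFiles: {full}")
        full_paths.append(full)
    return ",".join(full_paths)


def build_upload_command(files, jar="/path/to/jar/whitesource-avm-agent.jar"):
    """argv for the upload command from the page; the jar path is a placeholder."""
    return ["java", "-jar", jar, "-requestFiles", request_files_argument(files)]


def demo():
    """Run the helpers on constructed files (not real agent output) and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        mend_dir = Path(tmp) / "Mend"
        mend_dir.mkdir()
        # The JSON bodies and the date/time tokens are constructed placeholders; the real
        # ThreadFix file format has its own schema and the page does not give the date format.
        (mend_dir / "WS_QA_Tests_Product_@_1.0_@_20240131T101500.threadfix").write_text('{"constructed": true}')
        (mend_dir / "WS_Billing_@_2.3_@_20240131T101500.threadfix").write_text('{"constructed": true}')
        # Truncated export: invalid JSON, must be skipped rather than uploaded.
        (mend_dir / "WS_QA_Tests_Product_@_1.0_@_20240131T101600.threadfix").write_text('{"constructed": tr')
        # Unrelated file that does not follow the agent's naming pattern.
        (mend_dir / "notes.threadfix").write_text("{}")
        uploadable, skipped = collect_offline_files(mend_dir)
        return {
            "uploadable": [(f.application, f.version) for f in uploadable],
            "skipped": skipped,
            "command": build_upload_command(uploadable),
        }


if __name__ == "__main__":
    print(demo())
```

Run it from the directory that contains the agent's Mend output folder; the returned command is the exact argv to hand to the agent, and anything in the skipped list should be inspected (or regenerated in Offline mode) before it is uploaded to ThreadFix.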

Viewing the Output in ThreadFix

Initial Dashboard View

The following screenshot shows the initial Dashboard view, with the recent uploads of scan results from Mend to ThreadFix. In this example there is a single application, QA_Tests_Product, with two vulnerabilities.


Drilling Down

  • Clicking a specific application in the Recent Uploads panel displays its vulnerabilities.

  • Clicking the View More link on a specific vulnerability displays the information Mend reported for it.

The following screenshot shows the result of clicking View More for CVE-2017-5645, including the vulnerability details:


Filtering by Severity

You can filter vulnerabilities by severity (called criticality in ThreadFix), as shown here:


Mapping Vulnerabilities By Issue Type

You can group vulnerabilities by issue type (instead of leaving them unmapped) using the Secondary Pivot option in the ThreadFix UI, as shown here:


Viewing Effective Usage Analysis Data

Effective Usage Analysis (EUA) data is visible only to customers who have purchased Prioritize and have scanned their projects and products in Mend with it.

The EUA result appears as an additional tag on each vulnerability in the application.


The following table maps the EUA tag text shown in ThreadFix to the shield displayed in Mend. For more information on the shields, refer to the Prioritize documentation.

    ThreadFix EUA tag      Mend shield
    Effective              Red Shield
    Indirect Risk          Green Shield
    Undetermined           Yellow Shield
    other

This page is available at: https://docs.mend.io/bundle/integrations/page/setting_up_threadfix_application_vulnerability_management__avm__platform.html