– Defect Tracker and Remote Provider credentials are now encrypted before being saved in the database.
– An IBM Rational AppScan Source Edition alpha importer is now included.
– A few changes have been made to ease the development of a custom Defect Tracker integration. Users can now add a database entry and drop a JAR into the ThreadFix lib directory to include their own Defect Tracker code.
– CWE names have been updated to stay current with the May 2012 2.2 release of the standard.
– The Veracode and Qualys importers now import every scan in an application’s history instead of only the first one.
– Veracode vulnerabilities that were marked as false positives will now import to ThreadFix as false positives.
– A few Nessus vulnerability types have been added, but most Nessus findings will still not import to ThreadFix.
– All tables that display vulnerability or finding information have been moved to an asynchronous loading method to improve performance and memory usage.
– The queue for scans now behaves serially to enforce scan ordering.
– Several bugs have been fixed and small changes have been made to the UI.

ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto-generating application firewall rules, the tool allows organizations to continue remediation work uninterrupted. ThreadFix gives managers vulnerability trending reports that show progress over time, providing justification for their efforts.
ThreadFix database schema (vulnerability format):
We recommend downloading four things (if you don’t have them already, of course):
The Java JDK: http://www.oracle.com/technetwork/java/javase/downloads/index.html (Java 7 will work, although Java 6 was used during development; Spring Source Tool Suite requires a JDK to be installed first.)
The latest Spring Source Tool Suite: http://www.springsource.com/downloads/sts
The latest Tomcat 6 server: http://tomcat.apache.org/download-60.cgi
The latest Git for Windows client: http://code.google.com/p/msysgit/downloads/list
Default settings for all of these programs should work.
Importing the code into Spring Source Tool Suite. In STS:
Click File / Import… and select Git / Projects from Git
Enter https://code.google.com/p/threadfix/ into the URI field
Pick a local directory for the clone
Pick the repository you just cloned
Set up the database
In STS, select the file src/main/resources/threadfix-backup.script and copy it.
Find the location on your filesystem where STS is installed. On my install it was C:\Program Files\springsource\sts-2.8.1.RELEASE.
Create a folder named database inside the sts-2.8.1.RELEASE folder.
Copy the threadfix-backup.script file into that folder, then rename it to threadfix.script.
If these steps don’t work, or you aren’t on a Windows machine, try these steps instead:
Edit line 10 and replace “update” with “create”
Start the server
You may need to raise the start-up time limit for the server if it doesn’t finish in time. Once the database has been created, change the setting back to “update” so the database is not recreated (and your data lost) on every subsequent start.
Importing / starting the server. Only a few more steps:
- In the servers box in the bottom left, right click and select New / Server
- Select Apache/Tomcat v6.0 Server, select the location where you saved the download (or had it installed), then click Finish.
- Right click the server in the servers box, then click Add and Remove…
- Select stonemill, then click Add, then click Finish
- Select the Tomcat server and click the play button in the server bar.
- Log in and edit the user accounts
- In a web browser, navigate to
If you don’t see a login screen with the ThreadFix logo, something went wrong.
Try to log in with the default credentials:
Username : user
Password : password
If you don’t get an error message, your database is also set up correctly and ThreadFix is working. The first item of business is to replace the “user” account: create an account for yourself (and anyone else who will use the system), then delete “user”. These default credentials are public knowledge, so do this before the instance is reachable by anyone else, and create your own account before deleting the default one so you are not locked out. To add a new user, click the “Configuration” link in the header bar, then “Manage Users,” then “Add User,” pick a name and password, and submit the form. To delete the user “user”, click the “Configuration” link in the header bar, then “Manage Users,” then the “user” row in the table, then “Delete.”
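A small post-install check that the default “user” / “password” account has actually been removed. This is an added example and not part of ThreadFix or this page; it assumes the login form posts to /j_spring_security_check with fields j_username and j_password (the Spring Security 3 form-login defaults), and that a rejected login redirects back to a login page (or carries an error marker in the query string) while an accepted login redirects into the application. Adjust LOGIN_PATH and the field names if your deployment differs.

```python
"""Probe a ThreadFix instance for the shipped default account.

Added example, not ThreadFix project code. Assumptions:
  * login endpoint is /j_spring_security_check (Spring Security 3 default)
  * form fields are j_username / j_password
  * a rejected login redirects to a URL containing "login" in its path or
    "error" in its query string; an accepted login redirects elsewhere
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

DEFAULT_USER = "user"
DEFAULT_PASSWORD = "password"
LOGIN_PATH = "/j_spring_security_check"  # assumed Spring Security endpoint


def login_succeeded(status: int, location: Optional[str]) -> bool:
    """Decide from the HTTP status and Location header whether the login was accepted.

    Form login answers with a redirect in both cases, so the target of the
    redirect is what distinguishes success from failure. Anything that is not
    a redirect is treated as "not accepted" so a misconfigured target never
    reads as a pass.
    """
    if status not in (301, 302, 303, 307):
        return False
    if not location:
        return False
    parsed = urllib.parse.urlparse(location)
    if "login" in parsed.path.lower() or "error" in parsed.query.lower():
        return False
    return True


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the redirect so the response can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_default_account(base_url: str, timeout: float = 10.0) -> bool:
    """Return True if the shipped user/password account still logs in."""
    data = urllib.parse.urlencode(
        {"j_username": DEFAULT_USER, "j_password": DEFAULT_PASSWORD}
    ).encode()
    req = urllib.request.Request(base_url.rstrip("/") + LOGIN_PATH, data=data)
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return login_succeeded(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib surfaces the 3xx as an HTTPError;
        # the status and headers are still available on it.
        return login_succeeded(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: check_default_account.py http://host:port/threadfix")
        sys.exit(2)
    target = sys.argv[1]
    if check_default_account(target):
        print("FAIL: default account user/password is still accepted at", target)
        sys.exit(1)
    print("OK: default account rejected at", target)
```

Run it against the base URL of your deployment after deleting the “user” account; a non-zero exit means the default credentials still work and the instance should not be exposed until they are removed. The network call is kept separate from the decision logic in login_succeeded so the latter can be exercised without a live server.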
Getting Started
Download : ThreadFix_1_0_beta21.zip (111 MB)