Hi Folks,
I went ahead and did a little tinkering/bludgeoning in the code today. Again my use case for Threadfix is almost strictly aggregator/normalizer rather than vulnerability management/sdlc/lifecycle work. These changes are with that in mind.
First set of changes were to eliminate the scan sequencing and auto-closing of vulnerabilities that are no longer in the results for a given channel. This was a hack job and simply comments out the relevant portions of code. I left no provisions to make it optional or modulate the behavior...it's built in to the code and going back requires another build. This required the following changes:
/threadfix-main/src/main/java/com/denimgroup/threadfix/service/channel/AbstractChannelImporter.java
int result = scan.getImportTime().compareTo(testDate);
if (result == 0)
return ScanImportStatus.DUPLICATE_ERROR;
//else if (result > 0)
// return ScanImportStatus.OLD_SCAN_ERROR;
}
}
}
/threadfix-main/src/main/java/com/denimgroup/threadfix/data/entities/Vulnerability.java
@Transient
public void closeVulnerability(Scan scan, Calendar closeTime) {
// active = false;
// if (closeTime == null) {
// this.closeTime = Calendar.getInstance();
// } else {
// this.closeTime = closeTime;
// }
//
//
// // This constructor maps the objects for us
// if (scan != null) {
// new ScanCloseVulnerabilityMap(this, scan);
// }
}
The effect of these two changes is that you can a) import scans regardless of when they were done relative to others within a given application, and b) vulnerabilities do not close automatically (or at all). This is good for cases where you have to run multiple scans from one product to get full coverage of the application.
The second set of changes begin to pull some of the attack/variant information into Threadfix. I basically extended the Finding entity to include the 'attack' or 'injection' string as well as a copy of the full HTTP request and response if available. This is highly scanner dependent, and i made changes to the NTObjectives, Netsparker, Burp and Arachni plugins to accomodate it. I then essentially wedged it into the UI and partially into the Vulnerability report so i could get the information back out.
The full diff, *including* the changes listed above, is here:
A couple of screenshots from the vulnerability and finding details are here:
There are clearly going to be bugs in this and there was absolutely no 'design' involved. I extended Finding rather than SurfaceArea because it seemed to be more likely that it would merge correctly that way, but a new entity would probably be the best option given that some scanners supply multiple copies of the pertinent information, including good/bad comparisons and screenshots.
Not sure if this is of any use to anyone. If you have any questions just drop me a note.
Thanks
Bob