Vulnerability Merging
This page describes how ThreadFix merges vulnerabilities.
<wiki:toc max_depth="1" />
ThreadFix uses a few methods to match vulnerabilities. Since there are two kinds of findings, dynamic and static, there are three merging strategies: Dynamic-Dynamic, Dynamic-Static, and Static-Static.
More information about the ThreadFix vulnerability format can be found here: [ThreadFix Vulnerability Format](Vulnerability-Format).
Merging now takes advantage of the HAM (Hybrid Analysis Mapping) system. HAM can map static findings to dynamic findings and vice versa, and it runs before the merge process described below. If you're interested in the technical details of HAM's processes, they are described in more detail here.
Here's an example of nine dynamic vulnerabilities merged by the dynamic-dynamic matcher. This comparison is very simple and fairly reliable.
Three things are compared. If all three match, the findings are merged into one vulnerability:
- Path
- Parameter
- Generic Vulnerability Type
This table lets you compare the individual findings' text side by side, so you can check that the mappings are correct, or get more specific information for a vague generic vulnerability.
Here's an example of dynamic-static matching. ThreadFix guessed the URL path correctly from the static finding's file location, and the parsed parameters and vulnerability types also matched, so the two findings were merged. This method is much more complicated than dynamic-dynamic matching.
In the Fortify format, this vulnerability looks like this.
And in the Appscan format, it looks like this:
Here is an example of static-static merging. In this strategy, ThreadFix attempts to find the common root of the file paths and compares only the paths relative to that root. This way, static scans of the same application run from different checkout directories on different workstations can still be merged.
ThreadFix picks the most appropriate merging strategy each time. Since dynamic-static matching is the least certain method, it is used only when the existing vulnerability has no findings of the same type as the incoming one. Once both types are present, later merges use the more reliable dynamic-dynamic or static-static matchers. Here is an example of a merged vulnerability with findings from two static scanners and a dynamic scanner.
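The following is an added example, not ThreadFix's own code, that puts the three strategies and the selection rule above together in one runnable script: the dynamic-dynamic comparison of path, parameter and generic vulnerability type; the static-static comparison of file paths relative to each scan's common root; the dynamic-static comparison against a URL path guessed from the file location; and the rule that the dynamic-static matcher is only consulted when the vulnerability holds no finding of the incoming finding's kind. The "common root" rule (longest directory shared by every file in a scan), the path-guessing rule (everything after a `webapp`/`WebContent`/`public` directory, standing in for HAM), the scan ids and all findings are assumptions constructed for the example and not taken from ThreadFix.

```python
from dataclasses import dataclass, field
import posixpath
from typing import Optional

DYNAMIC, STATIC = "dynamic", "static"
WEB_ROOTS = ("webapp", "WebContent", "public")  # assumed: directories served as the URL root


@dataclass(frozen=True)
class Finding:
    kind: str                        # DYNAMIC or STATIC
    scan: str                        # id of the scan this finding came from (assumed field)
    vuln_type: str                   # generic vulnerability type
    parameter: Optional[str]         # request parameter (dynamic) or tainted input (static)
    path: Optional[str] = None       # URL path (dynamic findings)
    file_path: Optional[str] = None  # source file location (static findings)


@dataclass
class Vulnerability:
    findings: list = field(default_factory=list)


def normalize(p):
    return p.replace("\\", "/")


def scan_root(file_paths):
    """Assumed 'common root' rule: the longest directory shared by every file in one scan."""
    paths = [normalize(p) for p in file_paths]
    root = posixpath.commonpath(paths)  # ValueError if absolute and relative paths are mixed
    # commonpath of a single file is the file itself; a root must be a directory
    return posixpath.dirname(root) if root in paths else root


def relative_path(file_path, root):
    p = normalize(file_path)
    return p[len(root) + 1:] if root and p.startswith(root + "/") else p


def guess_url_path(file_path):
    """Stand-in for HAM's path guess: everything after the first web-root directory, else None."""
    parts = normalize(file_path).split("/")
    for i, part in enumerate(parts):
        if part in WEB_ROOTS:
            return "/" + "/".join(parts[i + 1:])
    return None


def dynamic_dynamic_match(a, b):
    return (a.path, a.parameter, a.vuln_type) == (b.path, b.parameter, b.vuln_type)


def static_static_match(a, b, roots):
    return (relative_path(a.file_path, roots[a.scan]), a.parameter, a.vuln_type) == \
           (relative_path(b.file_path, roots[b.scan]), b.parameter, b.vuln_type)


def dynamic_static_match(dyn, stat):
    return (dyn.path, dyn.parameter, dyn.vuln_type) == \
           (guess_url_path(stat.file_path), stat.parameter, stat.vuln_type)


def matches(vuln, finding, roots):
    """Strategy selection: if the vulnerability already holds findings of the incoming kind,
    only the same-kind matcher is used; the less certain dynamic-static matcher only otherwise."""
    same = [f for f in vuln.findings if f.kind == finding.kind]
    if same:
        if finding.kind == DYNAMIC:
            return any(dynamic_dynamic_match(f, finding) for f in same)
        return any(static_static_match(f, finding, roots) for f in same)
    other = [f for f in vuln.findings if f.kind != finding.kind]
    if finding.kind == DYNAMIC:
        return any(dynamic_static_match(finding, f) for f in other)
    return any(dynamic_static_match(f, finding) for f in other)


def merge_scans(scans):
    """scans: list of (scan_id, findings), in upload order. Returns the merged vulnerabilities."""
    roots, vulns = {}, []
    for scan_id, findings in scans:
        files = [f.file_path for f in findings if f.file_path]
        if files:
            roots[scan_id] = scan_root(files)
        for finding in findings:
            for v in vulns:
                if matches(v, finding, roots):
                    v.findings.append(finding)
                    break
            else:
                vulns.append(Vulnerability([finding]))
    return vulns


# Constructed sample data: two static scans of one app from different workstations, one dynamic scan.
ALICE = [Finding(STATIC, "static-alice", "XSS", "name", file_path="C:\\Users\\alice\\app\\src\\main\\webapp\\hello.jsp"),
         Finding(STATIC, "static-alice", "SQLi", "id", file_path="C:\\Users\\alice\\app\\src\\main\\java\\Dao.java")]
BOB = [Finding(STATIC, "static-bob", "XSS", "name", file_path="/home/bob/work/app/src/main/webapp/hello.jsp"),
       Finding(STATIC, "static-bob", "SQLi", "id", file_path="/home/bob/work/app/src/main/java/Dao.java")]
DYN = [Finding(DYNAMIC, "dynamic", "XSS", "name", path="/hello.jsp"),
       Finding(DYNAMIC, "dynamic", "XSS", "comment", path="/hello.jsp")]


def demo():
    vulns = merge_scans([("static-alice", ALICE), ("static-bob", BOB), ("dynamic", DYN)])
    return [sorted(f.scan for f in v.findings) for v in vulns]


if __name__ == "__main__":
    for group in demo():
        print(group)
```

Running `demo()` yields three vulnerabilities: the XSS on `hello.jsp` with all three scans merged (static-static on the relative path `webapp/hello.jsp`, then dynamic-static on the guessed `/hello.jsp`), the SQLi with the two static scans, and the second dynamic XSS on its own, because once a dynamic finding is attached the `comment` parameter is compared with the dynamic-dynamic matcher and does not match `name`.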