
Vulnerability Merging

Zignat Abdisubhan edited this page Mar 18, 2015 · 18 revisions

This page describes how ThreadFix merges findings from different scans into vulnerabilities.


Introduction

ThreadFix uses a few methods to decide whether a new finding belongs to an existing vulnerability. Since findings come in two types, dynamic and static, there are three merging strategies: Dynamic-Dynamic, Dynamic-Static, and Static-Static.

More information about the ThreadFix Vulnerability format can be found here: [ThreadFix Vulnerability Format](Vulnerability-Format).

Merging now takes advantage of the HAM (Hybrid Analysis Mapping) system. HAM can match static findings to dynamic findings and vice versa, and it runs before the merge process described below. If you're interested in the technical details of the HAM system's processes, they are described in more detail here.

Dynamic-Dynamic Matching

Here’s an example of 9 dynamic findings merged into one vulnerability by the dynamic-dynamic matcher. This comparison is very simple and fairly reliable.

Three things are compared, and the findings are merged only if all three match:

  • Path
  • Parameter
  • Generic Vulnerability Type

[Figure: 7-scanner-merge.png]

This table puts the individual finding text side by side, so that you can verify that each scanner's mapping to the generic vulnerability type is correct, or pull more specific information out of a vague generic vulnerability.

Dynamic-Static Matching

Here’s an example of dynamic-static matching. ThreadFix has guessed the path correctly from the file location, and the parsed parameters and vulnerability types also matched, so the two findings were merged. This method is much more complicated than dynamic-dynamic matching.

[Figure: dynamic-static-merged-finding.png]

In the Fortify format, the static side of this vulnerability looks like this:

[Figure: dynamic-static-fortify-xml.png]

And in the AppScan format, the dynamic side looks like this:

[Figure: dynamic-static-appscan-xml.PNG]

Static-Static Matching

Here is an example of static-static merging. In this strategy, ThreadFix attempts to find the common root of the file paths in each scan and then compares only the paths relative to that root. In this way, static scans of the same application run on different workstations, where the checkout lives under different directories, can still be merged.

[Figure: fortify-static-static-merge.png]

Combination Merging

ThreadFix picks the most appropriate merging strategy each time. Since dynamic-static matching is the least reliable method, it is only used when the vulnerability has no findings of the same type as the new finding. Once both types are present, later merges use the more precise dynamic-dynamic or static-static match. Here is an example of a merged finding from two static scanners and a dynamic scanner.

[Figure: fortify-static-static-dynamic-1.PNG]

[Figure: fortify-static-static-dynamic-2.PNG]
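The following is an added example, not ThreadFix's own code, that puts the three matchers and the strategy-selection rule from the Dynamic-Dynamic, Dynamic-Static, Static-Static and Combination Merging sections above into one runnable merge loop. The `Finding` and `Vulnerability` classes, the per-scan common-root computation (longest shared directory prefix of all files in a scan), the URL normalisation (duplicate and trailing slashes collapsed, query string dropped), and the `guessed_url` field on static findings (standing in for the URL that HAM or path guessing produces upstream) are all assumptions of this example, as is the constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Finding:
    scanner: str
    kind: str                          # "dynamic" or "static"
    vuln_type: str                     # generic vulnerability type after mapping
    parameter: Optional[str]           # request parameter / source variable
    path: str                          # dynamic: URL path; static: file path from the scan
    guessed_url: Optional[str] = None  # static only: URL guessed upstream (assumption)
    rel_path: Optional[str] = None     # static only: path relative to the scan root


@dataclass
class Vulnerability:
    findings: List[Finding] = field(default_factory=list)


def split_path(p: str) -> List[str]:
    """Split on / or \\ so Windows and Unix scan paths compare alike."""
    return [c for c in re.split(r"[\\/]+", p) if c]


def common_root(paths: List[str]) -> List[str]:
    """Longest common directory prefix of the files in one static scan.
    Assumed root-finding rule; with a single file the root is its directory."""
    dirs = [split_path(p)[:-1] for p in paths]
    if not dirs:
        return []
    root = dirs[0]
    for d in dirs[1:]:
        n = 0
        while n < min(len(root), len(d)) and root[n] == d[n]:
            n += 1
        root = root[:n]
    return root


def prepare_static_scan(scan: List[Finding]) -> List[Finding]:
    """Strip the scan's common root so workstation-specific prefixes drop out."""
    root = common_root([f.path for f in scan])
    for f in scan:
        f.rel_path = "/".join(split_path(f.path)[len(root):])
    return scan


def normalize_url(p: str) -> str:
    return "/" + "/".join(split_path(p.split("?", 1)[0]))


def dynamic_matches(a: Finding, b: Finding) -> bool:
    """Dynamic-dynamic: path, parameter and generic type must all agree."""
    return (a.vuln_type == b.vuln_type and a.parameter == b.parameter
            and normalize_url(a.path) == normalize_url(b.path))


def static_matches(a: Finding, b: Finding) -> bool:
    """Static-static: compare relative paths, not the absolute ones."""
    return (a.vuln_type == b.vuln_type and a.parameter == b.parameter
            and a.rel_path is not None and a.rel_path == b.rel_path)


def dynamic_static_matches(a: Finding, b: Finding) -> bool:
    """Dynamic-static: only possible when the static side has a guessed URL."""
    dyn, stat = (a, b) if a.kind == "dynamic" else (b, a)
    if dyn.kind != "dynamic" or stat.kind != "static" or stat.guessed_url is None:
        return False
    return (dyn.vuln_type == stat.vuln_type and dyn.parameter == stat.parameter
            and normalize_url(dyn.path) == normalize_url(stat.guessed_url))


def finding_matches_vuln(vuln: Vulnerability, f: Finding) -> bool:
    """Combination rule: prefer the same-type matcher; fall back to
    dynamic-static only when the vulnerability has no finding of f's type."""
    same_kind = [g for g in vuln.findings if g.kind == f.kind]
    if same_kind:
        matcher = dynamic_matches if f.kind == "dynamic" else static_matches
        return any(matcher(g, f) for g in same_kind)
    return any(dynamic_static_matches(g, f) for g in vuln.findings)


def merge_scan(vulns: List[Vulnerability], scan: List[Finding]) -> List[Vulnerability]:
    if scan and scan[0].kind == "static":
        prepare_static_scan(scan)
    for f in scan:
        for v in vulns:
            if finding_matches_vuln(v, f):
                v.findings.append(f)
                break
        else:
            vulns.append(Vulnerability([f]))
    return vulns


def demo() -> List[Vulnerability]:
    """Constructed sample: two static scans from different workstations, two dynamic scans."""
    fortify = [
        Finding("Fortify", "static", "Cross-Site Scripting", "username",
                r"C:\Users\alice\proj\src\main\webapp\login.jsp", guessed_url="/login.jsp"),
        Finding("Fortify", "static", "SQL Injection", "id",
                r"C:\Users\alice\proj\src\main\java\com\example\UserDao.java"),
    ]
    checkmarx = [
        Finding("Checkmarx", "static", "Cross-Site Scripting", "username",
                "/home/bob/proj/src/main/webapp/login.jsp", guessed_url="/login.jsp"),
        Finding("Checkmarx", "static", "SQL Injection", "id",
                "/home/bob/proj/src/main/java/com/example/UserDao.java"),
    ]
    appscan = [
        Finding("AppScan", "dynamic", "Cross-Site Scripting", "username", "/login.jsp"),
        Finding("AppScan", "dynamic", "Cross-Site Scripting", "comment", "/post.jsp"),
    ]
    zap = [Finding("ZAP", "dynamic", "Cross-Site Scripting", "username", "//login.jsp/")]
    vulns: List[Vulnerability] = []
    for scan in (fortify, appscan, checkmarx, zap):
        merge_scan(vulns, scan)
    return vulns


if __name__ == "__main__":
    for i, v in enumerate(demo(), 1):
        print(i, [(f.scanner, f.kind, f.vuln_type, f.parameter) for f in v.findings])
```

In the sample, the AppScan XSS finding joins the Fortify vulnerability through the dynamic-static fallback (the only option while the vulnerability holds static findings alone); the later Checkmarx and ZAP findings are matched static-static and dynamic-dynamic respectively, because a finding of their own type is by then attached. One caveat of a prefix-based root: if two scans of the same code cover different subtrees (one only `src/main`, the other `src/main` and `src/test`), their computed roots differ and the relative paths will not line up, so the static-static match fails even though the files are the same.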
