Vulnerability Merging
Describes the way ThreadFix merges Vulnerabilities
ThreadFix uses a few methods to match new findings against existing vulnerabilities. Because findings come in two types, dynamic and static, there are three merging strategies: dynamic-dynamic, dynamic-static, and static-static.
More information about the ThreadFix vulnerability format can be found here: [ThreadFix Vulnerability Format](Vulnerability-Format)
Here's an example of nine dynamic findings merged into one vulnerability by the dynamic-dynamic matcher. This comparison is very simple and fairly reliable.
Three fields are compared. If all three match, the findings are merged into the same vulnerability:
- Path
- Parameter
- Generic Vulnerability Type
The table in the example puts each scanner's own finding text side by side, so you can check that the mappings to generic vulnerability types are correct, or pull more specific detail where the generic type is vague.
Here's an example of dynamic-static matching. ThreadFix guessed the URL path correctly from the source file location, and the parsed parameter and vulnerability type also matched, so the two findings were merged. This method is much more complicated, and less certain, than dynamic-dynamic matching.
In the CAT.NET format, this vulnerability looks like this:
And in the AppScan format, it looks like this:
Here is an example of static-static merging. In this strategy, ThreadFix finds the common root of the file paths and compares only the paths relative to that root, so static scans of the same application run on different workstations (with different checkout locations) can still be merged.
ThreadFix picks the most appropriate merging strategy for each new finding. Because dynamic-static matching is the least certain method, it is used only when the existing vulnerability has no findings of the same type as the new one. Once both types are present, later merges use the more reliable dynamic-dynamic or static-static matchers. Here is an example of a vulnerability merged from findings by two static scanners and a dynamic scanner.
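To make the three matchers and the strategy selection above concrete, here is a small Python model of the merging procedure. It is an added example written for this page, not ThreadFix code. The `Finding` fields, the `WEB_ROOT_DIRS` markers used to guess a URL path from a file location, and the rule that two static paths match only when they share at least one directory above the file name are assumptions of the example, as are the constructed sample findings.

```python
"""Toy model of ThreadFix-style finding merging (added example, not ThreadFix code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: directory names taken to mark the web root when guessing a URL path.
WEB_ROOT_DIRS = ("wwwroot", "webapp", "WebContent", "public_html")


@dataclass(frozen=True)
class Finding:
    scanner: str
    kind: str            # "dynamic" or "static"
    vuln_type: str       # generic vulnerability type, e.g. "XSS"
    parameter: str
    path: str = ""       # URL path reported by a dynamic scanner
    file_path: str = ""  # source file reported by a static scanner


@dataclass
class Vulnerability:
    findings: List[Finding] = field(default_factory=list)

    def of_kind(self, kind: str) -> List[Finding]:
        return [f for f in self.findings if f.kind == kind]


def path_components(p: str) -> List[str]:
    """Split a Windows or POSIX path into components (drive letter kept as one)."""
    return [c for c in p.replace("\\", "/").split("/") if c]


def common_suffix(a: List[str], b: List[str]) -> List[str]:
    """Trailing components shared by both paths: the part below the common root."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


def guess_url_path(file_path: str) -> str:
    """Guess the served URL path from a file location (assumed heuristic)."""
    comps = path_components(file_path)
    for i in range(len(comps) - 1, -1, -1):
        if comps[i] in WEB_ROOT_DIRS:
            return "/" + "/".join(comps[i + 1:])
    return "/" + comps[-1]  # no web-root marker: fall back to the bare file name


def same_type_and_param(a: Finding, b: Finding) -> bool:
    return a.vuln_type == b.vuln_type and a.parameter == b.parameter


def dynamic_dynamic(a: Finding, b: Finding) -> bool:
    """The page's three-field comparison: path, parameter, generic vulnerability type."""
    return same_type_and_param(a, b) and a.path == b.path


def static_static(a: Finding, b: Finding) -> bool:
    """Compare paths relative to their common root so different workstations merge."""
    shared = common_suffix(path_components(a.file_path), path_components(b.file_path))
    # Assumption: a bare file-name coincidence is not enough; need one shared directory.
    return same_type_and_param(a, b) and len(shared) >= 2


def dynamic_static(dyn: Finding, stat: Finding) -> bool:
    return same_type_and_param(dyn, stat) and dyn.path == guess_url_path(stat.file_path)


def match_strategy(vuln: Vulnerability, new: Finding) -> Optional[str]:
    """Same-kind matcher when same-kind findings exist; otherwise the less certain
    dynamic-static matcher against findings of the other kind."""
    same = vuln.of_kind(new.kind)
    if same:
        name = "dynamic-dynamic" if new.kind == "dynamic" else "static-static"
        matcher = dynamic_dynamic if new.kind == "dynamic" else static_static
        return name if any(matcher(f, new) for f in same) else None
    for other in vuln.of_kind("static" if new.kind == "dynamic" else "dynamic"):
        dyn, stat = (new, other) if new.kind == "dynamic" else (other, new)
        if dynamic_static(dyn, stat):
            return "dynamic-static"
    return None


def merge(vulns: List[Vulnerability], new: Finding) -> str:
    """Attach `new` to the first matching vulnerability or open a new one; return the strategy."""
    for v in vulns:
        strategy = match_strategy(v, new)
        if strategy:
            v.findings.append(new)
            return strategy
    vulns.append(Vulnerability([new]))
    return "new"


# Constructed sample findings (not real scanner output).
SAMPLE = [
    Finding("AppScan", "dynamic", "XSS", "username", path="/login.aspx"),
    Finding("ZAP", "dynamic", "XSS", "username", path="/login.aspx"),
    Finding("CAT.NET", "static", "XSS", "username", file_path=r"C:\Users\alice\MyApp\wwwroot\login.aspx"),
    Finding("Fortify", "static", "XSS", "username", file_path="/home/bob/src/MyApp/wwwroot/login.aspx"),
    Finding("AppScan", "dynamic", "SQLi", "username", path="/login.aspx"),
    Finding("CAT.NET", "static", "XSS", "username", file_path=r"C:\Users\alice\MyApp\wwwroot\admin\login.aspx"),
]


def run_sample():
    vulns: List[Vulnerability] = []
    strategies = [merge(vulns, f) for f in SAMPLE]
    return vulns, strategies


if __name__ == "__main__":
    vulns, strategies = run_sample()
    for f, s in zip(SAMPLE, strategies):
        print(f"{f.scanner:8} {f.kind:8} {f.vuln_type:5} -> {s}")
    print(len(vulns), "vulnerabilities")
```

Running the sample walks through the page's sequence: the second dynamic finding merges by dynamic-dynamic, the first static finding can only merge by the dynamic-static guess because no static finding is attached yet, and the second static finding (from another workstation) then merges by static-static on the shared `MyApp/wwwroot/login.aspx` suffix. The SQLi finding and the `admin/login.aspx` finding each open a new vulnerability.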
- Supported ThreadFix [Dynamic Scanners](https://github.com/denimgroup/threadfix/wiki/Dynamic-Scanners), [Static Scanners](https://github.com/denimgroup/threadfix/wiki/Static-Scanners), [Remote Providers](https://github.com/denimgroup/threadfix/wiki/Remote-Providers)
- Supported ThreadFix [Software Defect Trackers](https://github.com/denimgroup/threadfix/wiki/Software-Defect-Trackers)
- Supported ThreadFix [WAF Types](https://github.com/denimgroup/threadfix/wiki/WAF-Types)
- ThreadFix Plugins: Zap Plugin, [Burp Plugin](Burp-Plugin), [Eclipse IDE Plugin](Eclipse-IDE-Plugin), [IntelliJ IDEA Plugin](IntelliJ-IDEA-Plugin)
- ThreadFix [Vulnerability Merging](https://github.com/denimgroup/threadfix/wiki/Vulnerability-Merging)
- ThreadFix [Vulnerability Format](https://github.com/denimgroup/threadfix/wiki/Vulnerability-Format)