denimgroup / threadfix

ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.

Missing fields in REST JSON response #1749

Open beju0506 opened 8 years ago

beju0506 commented 8 years ago

When using the REST API in a previous version, JSON responses when retrieving applications would include the "tags" field with the various tags associated with an application in ThreadFix. Also, JSON responses for vulnerabilities would include a "rawFinding" field which often contains remediation and business impact information for various scanners. In recent versions, these fields are now missing from the JSON strings returned by the REST API. We've tested using curl and also using the Python ThreadFix library (which utilizes the API) and both get the same results. We did some testing on the various versions we've used to see which are affected by this and which aren't, this is what we were able to gather:

Working version: (Windows Server 2012 R2) Version 2.3RC. Built on Oct 28, 2015
Not working version: (Ubuntu 14.04) Version 2.2.7.2. Built on Sep 4, 2015
Not working version: (Ubuntu 14.04) Version 2.3RC3. Built on Dec 4, 2015
Not working version: (CentOS6) Version 2.3RC3. Built on Dec 4, 2015

After installing new versions of ThreadFix on various Windows and Linux machines, we believe the issue is something that was introduced into the ThreadFix download packages between October 28, 2015 and September 4, 2015. I spent time looking through the source on Github, but was unable to determine anything that seemed like it would affect this. I posted in the Google Groups for ThreadFix to see if anyone had an idea of what was happening and it seems that it's still an open issue, so I thought I'd add a ticket to see if it can be looked at as part of the normal bug fix process.

beju0506 commented 8 years ago

Here is the original post from the Google Groups page for ThreadFix in case some of the details help any: https://groups.google.com/forum/#!topic/threadfix/qquOzHfAuCI

d-maldonado commented 8 years ago

Justin,

Sorry for the delayed response.

We found some deltas (from 2.2.x to 2.3RC) in our REST responses after releasing ThreadFix 2.3RC. The two fields (tags in applications, and rawFinding in vulnerabilities) were, unintentionally, added and caught in testing. The reason these fields are not present in 2.3RC3 is that we decided to keep REST responses as similar as possible across versions, so the fields were removed from the final responses.

Daniel Maldonado

beju0506 commented 8 years ago

That's unfortunate... As far as we can tell, there's no direct way to get Tag information for an application or remediation information from scan results (which is normally in the rawFinding field) without manually consulting the GUI then? Or is there another way other than the REST API?

Thank you,

Justin

d-maldonado commented 8 years ago

Justin,

There are a few tag endpoints that you could use to retrieve tag information. The /rest/tags/index endpoint will return all tags in ThreadFix. The /rest/tags/{tagId}/listApplications endpoint will return the applications with this tag.

At the moment, there is no way to retrieve the raw finding field without navigating through the web client or directly interacting with the database (not recommended).

Daniel Maldonado
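One way to rebuild the per-application tags that the application JSON no longer carries, using only the two tag endpoints Daniel names: walk /rest/tags/index, call /rest/tags/{tagId}/listApplications for each tag, and invert the result into application -> tags. This is an added example, not code from this thread or from ThreadFix; the apiKey query parameter, the response envelope with "success"/"message"/"object" keys, and the "id"/"name" field names are assumptions, and the sample responses are constructed so the script runs offline.

```python
import json
import urllib.parse
import urllib.request
from collections import defaultdict

# Constructed sample responses standing in for the two endpoints.
# The {"success", "object"} envelope is an assumption about the API.
SAMPLE = {
    "/rest/tags/index": {"success": True, "object": [
        {"id": 1, "name": "pci"}, {"id": 2, "name": "external"}]},
    "/rest/tags/1/listApplications": {"success": True, "object": [
        {"id": 10, "name": "Billing"}, {"id": 11, "name": "Portal"}]},
    "/rest/tags/2/listApplications": {"success": True, "object": [
        {"id": 11, "name": "Portal"}]},
}


def http_fetch(base_url, path, api_key):
    """Fetch one REST path from a live server (apiKey parameter assumed)."""
    url = f"{base_url}{path}?apiKey={urllib.parse.quote(api_key)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def sample_fetch(base_url, path, api_key):
    """Offline stand-in for http_fetch that serves the constructed data."""
    return SAMPLE[path]


def unwrap(envelope):
    """Return the payload, or fail loudly on an unsuccessful response."""
    if not envelope.get("success"):
        raise RuntimeError(envelope.get("message", "request failed"))
    return envelope["object"]


def tags_by_application(fetch, base_url="", api_key=""):
    """Invert tag -> applications into application id -> sorted tag names.

    Applications with no tags never appear in any listApplications
    response, so they are absent from the result rather than mapped to [].
    """
    result = defaultdict(set)
    for tag in unwrap(fetch(base_url, "/rest/tags/index", api_key)):
        path = f"/rest/tags/{tag['id']}/listApplications"
        for app in unwrap(fetch(base_url, path, api_key)):
            result[app["id"]].add(tag["name"])
    return {app_id: sorted(names) for app_id, names in result.items()}


if __name__ == "__main__":
    print(tags_by_application(sample_fetch))
```

Against a real server, pass http_fetch together with the base URL and API key instead of sample_fetch.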

beju0506 commented 8 years ago

Hi Daniel,

I see, thanks for letting me know. If we submitted a feature request in here, do you know how often they are typically considered and, if selected, how long it usually takes before they're implemented? My associate suggested possibly making a change to the API call to allow verbose JSON outputs on the API calls, or possibly being able to select the fields returned by specifying field names in the initial API call.

Thanks,

Justin