denimgroup / threadfix

ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.

Expand/enhance FindBugs support #285

Open dancornell opened 10 years ago

dancornell commented 10 years ago

We tried to import a FindBugs file and autodetect didn't work. But when we told it that it was a FindBugs file, the import worked properly.

I saw your comment that you only import security findings and ignore others. It would be good to tell the user this when the import is complete. Something like: Imported X security findings, Y non-security findings were identified but not imported. Also, when I tried to import FindBugs findings for WebGoat, there were only 8-9 and all of them were unmapped. There were only 2 types of findings, SQL Injection and Empty DB Password.

I know you said that not all findbugs security issues were mapped properly. But you did identify these as security issues, but didn't map them for some reason. Not sure what's going on here.

pstvm commented 9 years ago

Hi,

is there any progress regarding the import of FindBugs files? I tried several ThreadFix versions as well as FindBugs versions and report formats. Additionally, since the feature of manually choosing the import type was removed (or did I miss something?), I am not able to successfully upload FindBugs reports to ThreadFix, as it fails with the message "Failed to determine the scan type."

Regards

d-maldonado commented 9 years ago

Hello,

Wondering if you would be able to post your error logs when attempting to import a FindBugs file. We have removed the manual selection of the import type and it is now done automatically. Would it be possible for you to send us a FindBugs file that you are having trouble uploading?

Thanks, Daniel

pstvm commented 9 years ago

Hi,

thanks for the fast response. I created a Gist with the FindBugs report: https://gist.github.com/pstvm/c810a3841aabedc06e74 - it was created by running FindBugs 3.0.0 on a test case taken from the "Juliet Test Suite for Java".

The ThreadFix logs unfortunately did not show any unusual behaviour, even though I changed the log level to DEBUG; the only line was:

INFO [http-bio-8443-exec-2] UploadScanController.uploadScan(80) | Received REST request to upload a scan to application 1.

The result was the message "Failed to determine the scan type". I am using ThreadFix 2.2M6 on an x64 Ubuntu machine, although I ran into the same issues using the Community Version 2.1 as well as FindBugs 2.0.3 to create the report.

Many thanks and kind regards
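The two problems raised in this thread are scan-type autodetection ("Failed to determine the scan type") and the silent split between imported security findings and ignored non-security ones, plus security findings that stay unmapped. The following is an added example, not ThreadFix's own importer or detection code: it treats a document whose root element is `BugCollection` as a FindBugs report (that element name, `BugInstance`, and the `category="SECURITY"` attribute are part of the FindBugs XML format), counts security versus non-security findings, and produces the "Imported X security findings, Y non-security findings were identified but not imported" message proposed above. The sample report and the `GENERIC_VULN_MAP` table are constructed for the example; ThreadFix's real channel-to-generic mapping is not shown on this page.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample FindBugs XML report (not the Gist from the thread).
# Element names and attributes follow the FindBugs XML output format.
SAMPLE_REPORT = """<BugCollection version="3.0.0" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <Project projectName="webgoat-sample"/>
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" rank="5" abbrev="SQL" category="SECURITY">
    <Class classname="org.example.Login"/>
    <SourceLine classname="org.example.Login" start="42" end="42" sourcefile="Login.java" sourcepath="org/example/Login.java"/>
  </BugInstance>
  <BugInstance type="DMI_EMPTY_DB_PASSWORD" priority="1" rank="7" abbrev="DMI" category="SECURITY">
    <Class classname="org.example.Db"/>
    <SourceLine classname="org.example.Db" start="17" end="17" sourcefile="Db.java" sourcepath="org/example/Db.java"/>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" rank="12" abbrev="NP" category="CORRECTNESS">
    <Class classname="org.example.Util"/>
    <SourceLine classname="org.example.Util" start="9" end="9" sourcefile="Util.java" sourcepath="org/example/Util.java"/>
  </BugInstance>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" rank="18" abbrev="Dm" category="I18N">
    <Class classname="org.example.Util"/>
  </BugInstance>
</BugCollection>
"""

# Hypothetical mapping from FindBugs bug pattern to a generic vulnerability name.
# Deliberately incomplete so that one security pattern stays unmapped, as in the thread.
GENERIC_VULN_MAP = {
    "SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE":
        "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
}


def _as_bytes(report):
    """Accept str or bytes so reports with an XML encoding declaration parse the same way."""
    return report.encode("utf-8") if isinstance(report, str) else report


def detect_scan_type(report):
    """Return "FindBugs" when the root element is <BugCollection>, otherwise None.

    None is the case the thread's importer reports as "Failed to determine the scan type".
    """
    try:
        root = ET.fromstring(_as_bytes(report))
    except ET.ParseError:
        return None
    return "FindBugs" if root.tag == "BugCollection" else None


def summarize_findbugs(report):
    """Split BugInstance elements into security findings (imported) and the rest (not imported)."""
    root = ET.fromstring(_as_bytes(report))
    findings, skipped = [], Counter()
    for bug in root.iter("BugInstance"):
        pattern = bug.get("type", "")
        if bug.get("category") != "SECURITY":
            skipped[bug.get("category", "UNKNOWN")] += 1
            continue
        cls = bug.find("Class")
        line = bug.find("SourceLine")
        findings.append({
            "pattern": pattern,
            "generic": GENERIC_VULN_MAP.get(pattern),   # None means "unmapped"
            "class": cls.get("classname") if cls is not None else None,
            "line": int(line.get("start")) if line is not None and line.get("start") else None,
        })
    return {
        "security": len(findings),
        "non_security": sum(skipped.values()),
        "skipped_by_category": dict(skipped),
        "findings": findings,
        "unmapped": sorted({f["pattern"] for f in findings if f["generic"] is None}),
    }


def import_message(summary):
    """Build the user-facing message suggested in the first comment of the thread."""
    msg = (f"Imported {summary['security']} security findings, "
           f"{summary['non_security']} non-security findings were identified but not imported.")
    if summary["unmapped"]:
        msg += " Unmapped security patterns: " + ", ".join(summary["unmapped"]) + "."
    return msg


if __name__ == "__main__":
    scan_type = detect_scan_type(SAMPLE_REPORT)
    if scan_type is None:
        print("Failed to determine the scan type.")
    else:
        print(import_message(summarize_findbugs(SAMPLE_REPORT)))
```

Running the block prints the import summary for the constructed report: two security findings imported, two non-security findings skipped, and `DMI_EMPTY_DB_PASSWORD` listed as unmapped because the illustrative table has no entry for it. Reporting the unmapped patterns by name is what lets a user tell the difference between "FindBugs found nothing" and "the importer had no mapping for what it found".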