ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.

NOTE: If you wish to download the latest build of ThreadFix please visit the ThreadFix download page. Please DO NOT use the "Download ZIP" function from GitHub. If you DO use the "Download ZIP" function from GitHub you will just get a dump of the source code, but no ready-to-run Tomcat webserver and other facilities that make it really easy to get up and running with ThreadFix quickly. The normal ThreadFix download build comes pre-packaged and ready-to-run and is the preferred way to start using ThreadFix. You can set up your own development environment but it is advised that first time users start with the pre-packaged build.

ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static, and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto-generating application firewall rules, this tool allows organizations to continue remediation work uninterrupted. ThreadFix empowers managers with vulnerability trending reports that show progress over time, giving them justification for their efforts.

ThreadFix is licensed under the Mozilla Public License (MPL) version 2.0.

The main GitHub site for ThreadFix can be found here:

The Google Group for ThreadFix can be found here:!forum/threadfix

Instructions on setting up a development environment can be found here:

Further documentation can be found online here:

Submit bugs to the GitHub issue tracker:

ThreadFix is a platform with a number of components. Each subdirectory should have its own pom.xml files to support Maven builds. The major components in the repository include:

  • threadfix-cli-endpoints - Command-line utility to calculate the attack surface of an application and print it to standard output. This relies on the Hybrid Analysis Mapping (HAM) capabilities in the threadfix-ham/ component.
  • threadfix-cli - Command-line client for ThreadFix. This allows for scripting and automation of the ThreadFix platform.
  • threadfix-extras - Experimental tools and ThreadFix proof-of-concept projects.
  • threadfix-ham - Hybrid Analysis Mapping (HAM) technology used in ThreadFix that performs lightweight static analysis of application source code to calculate attack surfaces and map application attack surface endpoints to source code locations.
  • threadfix-ide-plugin - IDE plugins for Eclipse and IntelliJ that pull vulnerability data from ThreadFix and highlight these vulnerabilities in application source code.
  • threadfix-main - Main ThreadFix server application. This is a Java-based Spring/Hibernate web application with associated web services. Other components of the ThreadFix platform call into the ThreadFix server.
  • threadfix-scanner-plugin - Scanner plugins that can connect to a ThreadFix server and import an application's attack surface to improve the thoroughness of dynamic scanning. Also allows for exporting scan results directly into ThreadFix (rather than saving files and uploading them).
  • threadfix-upgrade - Upgrade scripts to migrate the ThreadFix server database between versions.
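As an added illustration of the kind of output the Hybrid Analysis Mapping in threadfix-ham and the threadfix-cli-endpoints utility produce (this is not ThreadFix's own HAM code): a small Python sketch that reads a constructed Spring MVC controller, extracts its request mappings as attack-surface endpoints, and maps each one to the file and line of its handler method. The Spring annotation names are real; the sample controller and the script's structure are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a minimal Spring MVC controller, standing in for the
# application source tree HAM would read. Not a real ThreadFix source file.
SAMPLE_SOURCES = {
    "src/main/java/com/example/UserController.java": """\
package com.example;

@Controller
@RequestMapping("/users")
public class UserController {

    @RequestMapping(value = "/{id}", method = RequestMethod.GET)
    public String show(@PathVariable int id) { return "user"; }

    @RequestMapping(value = "/search", method = RequestMethod.POST)
    public String search(@RequestParam("q") String q) { return "results"; }
}
""",
}

# Class-level mapping supplies a path prefix; method-level mappings are endpoints.
CLASS_MAPPING = re.compile(r'^\s*@RequestMapping\(\s*"([^"]*)"\s*\)')
METHOD_MAPPING = re.compile(
    r'@RequestMapping\(\s*value\s*=\s*"([^"]*)"'
    r'(?:\s*,\s*method\s*=\s*RequestMethod\.(\w+))?\s*\)')
PARAM = re.compile(r'@RequestParam\("(\w+)"\)')

@dataclass(frozen=True)
class Endpoint:
    method: str      # HTTP verb, or ANY when the mapping does not restrict it
    path: str        # class prefix joined with the method-level path
    params: tuple    # named request parameters the handler reads
    file: str
    line: int        # line of the handler signature, for IDE-style highlighting

def find_endpoints(sources):
    """Return attack-surface endpoints mapped to file:line of their handler."""
    endpoints = []
    for path, text in sources.items():
        lines = text.splitlines()
        prefix = ""
        for i, line in enumerate(lines, start=1):
            m = CLASS_MAPPING.match(line)
            if m:
                prefix = m.group(1).rstrip("/")
                continue
            m = METHOD_MAPPING.search(line)
            if m:
                sig = lines[i] if i < len(lines) else ""  # handler signature follows
                endpoints.append(Endpoint(m.group(2) or "ANY", prefix + m.group(1),
                                          tuple(PARAM.findall(sig)), path, i + 1))
    return endpoints
```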