Vulnerability consolidation and management tool, enhances scan results by merging different findings of the same weakness across multiple static/dynamic scans
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs/wiki/img
lib/org/jetbrains/annotations/annotations/13
report-plugin
ssvl-converter
threadfix-astam
threadfix-cli-importers
threadfix-cli-lib
threadfix-cli
threadfix-data-access
threadfix-data-migration
threadfix-entities
threadfix-extras
threadfix-ham
threadfix-ide-plugin
threadfix-importers
threadfix-main
threadfix-offline
threadfix-plugin-examples
threadfix-service-interfaces
threadfix-sonar-plugin
threadfix-upgrade
.gitignore
.project
LICENSE.md
NOTICE
README.md
create-scanner-jar.sh
maven-deploy.sh
pom.xml

README.md

ASTAM Correlator

The ASTAM Correlator is a vulnerability consolidation and management tool for web applications, capable of correlating and merging different Static and Dynamic scans indicating the same vulnerability. This improves scan results by combining findings that are symptoms of the same weakness, providing:

  • More information on a vulnerability as a whole
  • Reduced duplicate vulnerabilities from multiple SAST/DAST scans

Supported Web Frameworks

The following frameworks are supported by the Correlator route detection process:

  • ASP.NET MVC / Web API / Core / Web Forms
  • Struts
  • Django
  • Ruby on Rails
  • Spring MVC
  • JSP

Referencing the Endpoint Detection HAM Module

The ASTAM Correlator HAM module for endpoint detection has been published to Maven. You can add it as a dependency by adding this to your pom.xml:

<dependency>
    <groupId>com.github.secdec.astam-correlator</groupId>
    <artifactId>threadfix-entities</artifactId>
    <version>1.3.5</version>
</dependency>
<dependency>
    <groupId>com.github.secdec.astam-correlator</groupId>
    <artifactId>threadfix-ham</artifactId>
    <version>1.3.5</version>
</dependency>

Documentation

Instructions for the usage and installation of the ASTAM Correlator can be found in this project's Wiki.

Contributors

This project is a modification of Denim Group's software ThreadFix, Community Edition, which provides the Hybrid Analysis Mapping (HAM) that runs the correlation. A collaboration between Denim Group Ltd., and Secure Decisions, a division of Applied Visions Inc., has improved upon the open-source ThreadFix tool with a focused interface and improved HAM capabilities.

The original ThreadFix project can be found here: https://github.com/denimgroup/threadfix


This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201600058C.