Mantis as a Vulnerability Tracking Tool?

General discussion of Mantis.

noloader
Posts: 1
Joined: 02 Jan 2022, 22:47

Mantis as a Vulnerability Tracking Tool?

Post by noloader »

Hi Everyone,

We are trying to locate a tool that allows us to track bugs and security vulnerabilities from external tools like GitHub, Coverity and Veracode. Because external tools generate the finding, we need some sort of integration, whether it is an API or webhook. And the rub with vulnerabilities is, there's often a Severity, SLA, CVE, CWE or weakness associated with the report, so we need to track the source and the CWE(s) and CVE(s), too.

I'm hoping Mantis fits the bill. I've used it in the past for standard bug tracking and I really liked it. I also like that Mantis (a) is open source, (b) has a community to ask questions, and (c) runs on just about any modern Linux platform. This is opposed to solutions like DefectDojo, which does not have a mailing list or forums, and only runs on bleeding-edge developer machines.

We are willing to modify Mantis and contribute back the changes so the features are available to all users, and not just our team. Our team includes vulnerability researchers who regularly test free and open source software with tools like Coverity and Veracode.

My question is, has anyone had success in using Mantis as a vulnerability tracking tool?
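One concrete shape the integration asked about above could take, added here as an example and not code from the thread or from the MantisBT project: a small normalizer that turns a scanner finding (webhook or API export) into the JSON body MantisBT's REST API expects for creating an issue, so the source tool, severity, CVE(s) and CWE(s) are carried into the tracker as structured fields rather than lost in free text. It assumes MantisBT 2.x's `POST /api/rest/issues/` endpoint with an API token in the `Authorization` header (which is how that API is documented), and it assumes the target project already defines custom fields named `CVE`, `CWE` and `Source`; those field names, the finding schema, the severity mapping and every sample value are constructed for this example.

```python
"""Added example (not from the original thread): normalize a scanner finding
into a MantisBT REST API issue payload so CVE/CWE/severity/source survive
the hand-off. Assumes MantisBT 2.x REST endpoint POST /api/rest/issues/ and
that the project defines custom fields 'CVE', 'CWE' and 'Source' (assumed)."""
import json
import urllib.request

# Map a scanner's severity vocabulary onto MantisBT's stock severity names
# (block, crash, major, minor, tweak, text, trivial, feature). The scanner-side
# keys are a constructed vocabulary, not any vendor's actual scale.
SEVERITY_MAP = {
    "critical": "block",
    "high": "major",
    "medium": "minor",
    "low": "tweak",
}


def finding_to_issue(finding: dict, project: str, category: str = "Security") -> dict:
    """Build the JSON body for POST /api/rest/issues/ from one normalized finding.

    `finding` keys (constructed schema, not any vendor's export format):
      source, rule, file, line, severity, cve (list), cwe (list), summary, detail
    Raises ValueError on a severity we have no mapping for, so an unknown
    scale fails loudly instead of silently filing everything as 'minor'.
    """
    sev = SEVERITY_MAP.get(finding.get("severity", "").lower())
    if sev is None:
        raise ValueError(f"unknown severity {finding.get('severity')!r}")
    cves = finding.get("cve") or []
    cwes = finding.get("cwe") or []
    description = (
        f"Source: {finding['source']} (rule {finding['rule']})\n"
        f"Location: {finding['file']}:{finding['line']}\n"
        f"CVE: {', '.join(cves) or 'none'}\n"
        f"CWE: {', '.join(cwes) or 'none'}\n\n"
        f"{finding['detail']}"
    )
    return {
        "summary": f"[{finding['source']}] {finding['summary']}",
        "description": description,
        "project": {"name": project},
        "category": {"name": category},
        "severity": {"name": sev},
        # Custom fields must already exist on the project; these names are assumed.
        "custom_fields": [
            {"field": {"name": "CVE"}, "value": ", ".join(cves)},
            {"field": {"name": "CWE"}, "value": ", ".join(cwes)},
            {"field": {"name": "Source"}, "value": finding["source"]},
        ],
        # Tags allow filtering "everything from tool X" without a custom field.
        "tags": [{"name": "security"}, {"name": finding["source"].lower()}],
    }


def build_request(base_url: str, api_token: str, issue: dict) -> urllib.request.Request:
    """Prepare (but do not send) the authenticated REST call to create the issue."""
    return urllib.request.Request(
        url=base_url.rstrip("/") + "/api/rest/issues/",
        data=json.dumps(issue).encode("utf-8"),
        headers={"Authorization": api_token, "Content-Type": "application/json"},
        method="POST",
    )


# Constructed sample finding, standing in for a webhook/API export from a scanner.
# Every identifier below is a placeholder, not a real CVE, CWE or checker.
SAMPLE_FINDING = {
    "source": "Coverity",
    "rule": "EXAMPLE_CHECKER",
    "file": "src/example.c",
    "line": 120,
    "severity": "High",
    "cve": ["CVE-0000-00000"],
    "cwe": ["CWE-000"],
    "summary": "Sample finding title (constructed)",
    "detail": "Constructed description of the finding.",
}

if __name__ == "__main__":
    issue = finding_to_issue(SAMPLE_FINDING, project="ExampleProject")
    req = build_request("https://mantis.example.invalid", "API_TOKEN_PLACEHOLDER", issue)
    print(req.full_url)
    print(json.dumps(issue, indent=2))
    # To actually file the issue: urllib.request.urlopen(req)
```

Keeping the CVE and CWE as custom fields (rather than only in the description) is what makes them filterable and reportable later, which matters for SLA tracking; the severity map is deliberately strict so a tool that introduces a new severity name gets noticed at integration time rather than being quietly mis-triaged.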
Mophilly
Posts: 66
Joined: 24 Feb 2005, 23:47
Location: California

Re: Mantis as a Vulnerability Tracking Tool?

Post by Mophilly »

I haven't used Mantis to track vulnerabilities. As you point out, there are a fair number of ifs and buts that need to be addressed.

Extending Mantis is not too hard as the data model is reasonable. I have integrated Mantis into our internal engineering tracking and billing. It works pretty well, and we continue to find ways to enhance it.

Shameless plug: My crew has built a number of plugins for our private use. We haven't published them, mostly due to the time required to make a plugin easy to adopt... the documentation, etc. Nonetheless, we have skills in building plugins for Mantis, have used it for twenty years, and have experience with enterprise database management systems and applications. We also use NextCloud, Koozali SME server, and other open source projects that may fit your project concept.

Please feel free to contact me if you would like more info about Mophilly Technology Inc.