Veracode Connectors - API and XML

Veracode Static Analysis is a Static Application Security Testing (SAST) solution that enables you to automate the identification and remediation of application security findings, secure your web, mobile, and third-party software, and integrate with your IDE.

To import your data from Veracode to the Application Security Module, you will need to use the Veracode Connector under the Static Analysis section of the Cisco Vulnerability Management UI. There are two different Veracode Connectors: the API Connector and the XML Connector. To learn about the differences between API and XML connectors, refer to the help page here.

Cisco recommends the API Connector for ease of use.

What Types of Veracode Data does Cisco Vulnerability Management Support?

  • SAST

  • SCA

  • DAST

Note that changes are not required to be made during connector set-up to import different types of data. Veracode’s detailed report has two sections: one for each severity of static or dynamic flaw, with flaws grouped by CWE id, and one for static_component_analysis, with child nodes of type component. Therefore, Cisco Vulnerability Management parses SAST and DAST flaws (CWEs) together, and SCA vulnerabilities separately but all within the same Connector.

Prerequisites

  • Since Veracode is a cloud-based SaaS tool, no Virtual Tunnel or Agent is required.

  • You must have API Access

  • The user role that is required is any account with read access to the scan data.

    • Note: The Connector will only fetch reports that the user has access to. The connector operates at lowest level of privilege for enhanced security.

  • You must be a Cisco Vulnerability Management Administrator.

Configuring the Veracode Connector in Cisco Vulnerability Management

First we will want to determine which Veracode Connector to use. Cisco recommends using the API Connector because it is automated. The XML is a drag-and-drop connector and can be used for more one-off scans on one-off applications. For consistent apps, use the API Connector.

Note: Despite the fact that Cisco Vulnerability Management accepts all types of Data (SAST, DAST, SCA) Cisco lists it under the SAST category to avoid duplication of connectors under Dynamic Assessment and SCA.

1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Static Analysis section, click Veracode API.
Veracode.png

4. On the Veracode page, enter the following information:

Veracode-2.png

  • Name: Enter a name for the connector, or leave it as Veracode.
  • API ID and API Key: Enter the API ID and API Key for the account that you're using.
  • Schedule: Select the frequency that you’d like your Connector to run. ( recommends mirroring the cadence of your Scans).
  • Asset Inactivity Limit: Enter a time in days for the connector level asset inactivity limit. Cisco recommends 2-3 times the scan cadence of your connector scans.

5. Click Save and Verify.

What Veracode items are synchronized with Cisco Vulnerability Management items?

Veracode Field

Cisco Vulnerability Management Field

Notes

detailed_report > app_name OR (One Customer - Custom Field Name)

Application identifier

Search for Application identifier in Cisco Vulnerability Management by using the custom query box and typing application:""

sourcefilepath/sourcefile

File

 

flaw > URL

URL

 

sca_vuln [cve_id | cwe_id]
OR
CWE-[flaw{cwe_id}]


External ID

 

status

Finding Status

 Vulnerability status is Open or Closed. We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are no longer present in these reports and Cisco Vulnerability Management will autoclose the vulnerability.

name

Vulnerability Name

 

severity

scanner_score

 0-5

issue_id

unique_identifier on the vulnerability

 

CWE_Data

CWE

 

cve.attributes

CVE

 

description

Description

 

pci_related

PCI Related?

Default is false

last_update_time

Last Seen

mapped from report

Platform
Appname
business_owner
business_unit
build_id
version



Tags



These items are turned into Tags in Cisco Vulnerability Management.

What Veracode Items does Cisco Vulnerability Management Import and what API Calls are involved?

Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. 

  • Applications

  • Assets

  • Findings/Vulnerabilities

  • Associated Dates

The Connector does not import the following:

  • Custom Fields

  • Tags
  • Sandbox Applications (all applications regardless of status have sandbox_id, we filter out Sandbox Apps via <getappbuilds.do> which only pulls non-sandbox Applications)

The API endpoints that Cisco Vulnerability Management leverages (API Connector only) are:

  •  Initial API sign-in endpoint https://analysiscenter.veracode.com

  • /api/4.0/getappbuilds.do

  • applicationbuilds/application/build/@build_id

  • /api/5.0/detailedreport.do?build_id

  • fetch_report(build_id)

What Veracode items are turned into Cisco Vulnerability Management Tags?

  • Platform

  • Appname

  • business_owner

  • business_unit

  • build_id

  • version

Note: The Connector does not import Tags from the <tags> node at this time. 

Optional Settings

The following settings can be enabled for Veracode Connectors. To have these settings enabled, or for more information, contact Cisco Support, or your Customer Success Engineer.

Exclude Informationals

When you enable this option, Cisco Vulnerability Management will only import vulnerabilities that include a CVE, CWE, or WASC ID.

Ignore Scanner Last Seen Time

Select this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

Look Back Range (default 1-Day)

For incremental Veracode Connector runs, how many days back from the last successful run that Cisco Vulnerability Management looks for builds.

Tag Reset

This setting assists you with keeping your scanner metadata synchronized with Cisco Vulnerability Management. Each time the connector is run, all tags in Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.

If you have created any manual tags or any tags were created from metadata from other connectors, that tag information will be removed and will be refreshed once those other connectors are rerun.

Custom Ordered Locators

Locators (such as IP, Netbios, and FQDN) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information, see the help article here.

Common Reasons for Veracode Connector Run Failures

  • Bad Credentials. If you enter the incorrect connector credentials during the connector setup, Cisco Vulnerability Management will not have access to the environment to make the API calls.
  • If no reports are found, Cisco Vulnerability Management will abort the Connector run, rather than fail it outright.
  • If an API call fails (no data available, or other reasons).
  • If Cisco Vulnerability Management receives data that is not in the expected format and cannot process it, the connector will fail.
  • If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector run.

Additional Assistance

Contact Support if you require any additional assistance with the Veracode Connectors.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.