Veracode Connectors - API and XML

Veracode Static Analysis is a Static Application Security Testing (SAST) solution that enables you to automate the identification and remediation of application security findings, secure your web, mobile, and third-party software, and integrate with your IDE.

To import your data from Veracode to the Kenna.AppSec module, you will need to leverage the Veracode Connector under the “Static Analysis” tools. There are two different Veracode Connectors: the API Connector and the XML Connector. To learn about the differences between API and XML connectors, please see the help page here.

We recommend the API Connector for ease of use.

What Types of Veracode Data does Cisco Vulnerability Management Support?

• SAST

• SCA

• DAST

Please note that changes are not required to be made during connector set-up to import different types of data. Veracode’s detailed report has two sections, one for each severity of static or dynamic flaw, with flaws grouped by CWE id, and one for static_component_analysis, with child nodes of type component. As such, Cisco Vulnerability Management parses SAST and DAST flaws (CWEs) together, and SCA vulnerabilities separately but all within the same Connector.

User Prerequisites/Connector Setup:

• Given that Veracode is a cloud-based SaaS tool, no Virtual Tunnel or Kenna Agent is required.

• Must have API Access

• User role required is any account with read access to the scan data.

  • *Note*: The Connector will only fetch reports the user has access to. The connector operates at lowest level of privilege for enhanced security.

Configuring your Veracode Connector in Cisco Vulnerability Management

First we will want to determine which Veracode Connector to use. We recommend using the API Connector as it is automated. The XML is a drag & drop connector and can be used for more one off scans on one-off applications. For consistent apps, please use the API Connector.

To set up the Connector, navigate to the Connectors tab in your Cisco Vulnerability Management deployment (you must be a Cisco Vulnerability Management Administrator to do so). On the Connectors page, select Static Analysis from the left hand bar, or scroll down to the Static Analysis category.

Note: that despite the fact that Cisco Vulnerability Management accepts all types of Data (SAST, DAST, SCA) we have selected to house it under the one category(SAST)  to avoid duplication of connectors under Dynamic Assessment and SCA.

Once you select the Veracode API Connector, the following screen will appear:

• Enter a name for the connector, or leave it as “Veracode” if you wish.

• Enter the API ID and API Key for the account

• Schedule the Connector. Select the frequency at which you’d like your Veracode Connector to run. (we recommend mirroring the cadence of your Veracode Scans).

• Click Save and Verify.

• If you’d like to set a connector level asset inactivity limit, you can do that at this time, or later. (We recommend 2-3x the scan cadence of your Veracode Scans).

What Veracode items are synced with Cisco Vulnerability Management items?

What Veracode Items does Cisco Vulnerability Management Import and what API Calls are involved?

Cisco Vulnerability Management will import all of the applications associated with the user leveraged for the connector. We will pull:

• Applications

• Assets

• Findings/Vulnerabilities

• Associated Dates

The Connector does not pull in the following:

• Custom Fields

• Tags

• Sandbox Applications (all applications regardless of status have sandbox_id, we filter out Sandbox Apps via <getappbuilds.do> which only pulls non-sandbox Applications)
  

The API endpoints we leverage (API Connector only) are:

•  Initial API sign-in endpoint https://analysiscenter.veracode.com

• /api/4.0/getappbuilds.do

• applicationbuilds/application/build/@build_id

• /api/5.0/detailedreport.do?build_id

• fetch_report(build_id)

What Veracode items are turned into Cisco Vulnerability Management Tags?

• Platform

• Appname

• business_owner

• business_unit

• build_id

• version

NOTE*: The Connector does not pull Tags from the <tags> node at this time. 

Optional Settings

The following settings can be enabled on the backend for Veracode Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.

• Exclude Informationals

  • When this option is enabled, Cisco Vulnerability Management will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.

• Ignore Scanner Last Seen Time

  • If you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

• LookBack Range (default 1-Day)

  • For incremental Veracode Connector runs, how many days back from the last successful run we look for builds.

• Tag Reset

  • This setting will assist in keeping your Veracode metadata in sync with Cisco Vulnerability Management. Each time the connector is run, ALL tags within Cisco Vulnerability Management will be removed and the Veracode tag metadata re-created.

  • If you have created any manual tags OR any tags were created off of metadata from other connectors that tag info will be removed and will be refreshed once those other connectors are rerun.

• Custom Ordered Locators

  • Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.

Common Reasons for Veracode Connector Run Failures

• Bad credentials
• No reports are found, Cisco Vulnerability Management will abort
• Failed API calls
• Inability to process unexpected data/format
• If more than 1% of connector payloads fail, Cisco Vulnerability Management will auto-fail the Connector Run.

Additional Assistance:

Please contact Support should you require any additional assistance with the Veracode Connector(s).