Veracode Connectors - API and XML

 

Veracode Static Analysis is a Static Application Security Testing (SAST) solution that enables you to automate the identification and remediation of application security findings, secure your web, mobile, and third-party software, and integrate with your IDE.

 

To import your data from Veracode to the Kenna.AppSec module, you will need to leverage the Veracode Connector under the “Static Analysis” tools. There are two different Veracode Connectors: the API Connector and the XML Connector. To learn about the differences between API and XML connectors, please see the help page here.

We recommend the API Connector for ease of use.

 

What Types of Veracode Data does Kenna Support?

  • SAST

  • SCA

  • DAST

Please note that changes are not required to be made during connector set-up to import different types of data. Veracode’s detailed report has two sections, one for each severity of static or dynamic flaw, with flaws grouped by CWE id, and one for static_component_analysis, with child nodes of type component. As such, Kenna parses SAST and DAST flaws (CWEs) together, and SCA vulnerabilities separately but all within the same Connector.

 

User Prerequisites/Connector Setup:

  • Given that Veracode is a cloud-based SaaS tool, no Virtual Tunnel or Kenna Agent is required.

  • Must have API Access

  • User role required is any account with read access to the scan data.

    • *Note*: The Connector will only fetch reports the user has access to. The connector operates at lowest level of privilege for enhanced security.

Configuring your Veracode Connector in Kenna

First we will want to determine which Veracode Connector to use. We recommend using the API Connector as it is automated. The XML is a drag & drop connector and can be used for more one off scans on one-off applications. For consistent apps, please use the API Connector.

To set up the Connector, navigate to the Connectors tab in your Kenna deployment (you must be a Kenna Administrator to do so). On the Connectors page, select Static Analysis from the left hand bar, or scroll down to the Static Analysis category.

Note: that despite the fact that Kenna accepts all types of Data (SAST, DAST, SCA) we have selected to house it under the one category(SAST)  to avoid duplication of connectors under Dynamic Assessment and SCA.

lm.png

Once you select the Veracode API Connector, the following screen will appear:

lmk.png

  • Enter a name for the connector, or leave it as “Veracode” if you wish.

  • Enter the API ID and API Key for the account

  • Schedule the Connector. Select the frequency at which you’d like your Kenna Veracode Connector to run. (we recommend mirroring the cadence of your Veracode Scans).

  • Save and Verify

  • If you’d like to set a connector level asset inactivity limit, you can do that at this time, or later. (We recommend 2-3x the scan cadence of your Veracode Scans).

What Veracode Items does Kenna Import and what API Calls are involved?

Kenna will import all of the applications associated with the user leveraged for the connector. We will pull:

  • Applications

  • Assets

  • Findings/Vulnerabilities

  • Tags

  • Associated Dates

The Kenna Connector does not pull in the following:

  • Custom Fields

  • Sandbox Applications (all applications regardless of status have sandbox_id, we filter out Sandbox Apps via <getappbuilds.do> which only pulls non-sandbox Applications)

The API endpoints we leverage (API Connector only) are:

  •  Initial API sign-in endpoint https://analysiscenter.veracode.com

  • /api/4.0/getappbuilds.do

  • applicationbuilds/application/build/@build_id

  • /api/5.0/detailedreport.do?build_id

  • fetch_report(build_id)

 

What Veracode items are turned into Kenna Tags?

  • Platform

  • Appname

  • business_owner

  • business_unit

  • build_id

  • version

Note: Only the API version of the Connector supports Tag Ingestion. If you are using an XML, tags will not be imported. 


Optional Settings

The following settings can be enabled on the backend for Veracode Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.

  • Exclude Informationals

    • When this option is enabled, Kenna will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.

  • Skip Tags

    • This setting will allow you to NOT create any Tags within Kenna based on the Veracode metadata.

  • Ignore Scanner Last Seen Time

    • If you do not want the asset last seen time in Kenna to be the scanner reported last seen time.

  • LookBack Range (default 1-Day)

    • For incremental Veracode Connector runs, how many days back from the last successful run we look for builds.

  • Tag Reset

    • This setting will assist in keeping your Veracode metadata in sync with Kenna. Each time the connector is run, ALL tags within Kenna will be removed and the Veracode tag metadata re-created.

    • If you have created any manual tags OR any tags were created off of metadata from other connectors that tag info will be removed and will be refreshed once those other connectors are rerun.

  • Custom Ordered Locators

    • Locators (IP, Netbios, FQDN, etc) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information see the help article here.

 

Common Reasons for Veracode Connector Run Failures

  • Bad Credentials

    • This one is pretty self explanatory. If Kenna has bad credentials input for the connectors, we will not have access to the Veracode environment to make the API calls.

  • If no reports are found we will abort the Connector run, rather than fail it outright.

  • If an API call fails, the Connector will fail.

  • Unexpected data returned

    • If Kenna receives data that is not in the expected format and we are unable to process it, the connector will fail.

  • If more than 1% of connector payloads fail to import cleanly, Kenna will auto-fail the Connector Run

 

Additional Assistance:

Please contact Kenna Support should you require any additional assistance with the Veracode Connector(s).

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.