Kovair DevOps and Veracode Integration Plugin

Veracode Plugin Details

Plugin Version: Cloud

Overview

Veracode enables you to quickly and cost-effectively scan software for flaws and get actionable source code analysis results.

Veracode Information:

 More information can be found at Veracode.

Version Supported:

This plugin was developed and tested against version : Cloud

Plugin Operation:

Plugin operations are synchronous execution, they will wait for long running operations such as — prescan, Static/Dynamic scan. So, task execution will wait until this scans are complete. Calling api very frequently (without any delay) will overload the applications (veracode, kovairDevops) api engine. Hence, a delay is introduced and can be configured accordingly to check the status of long running task.

1. Static Analysis
Veracode Static Analysis is a Static Application Security Testing (SAST) solution that enables you to quickly identify and remediate application security findings.

Static Analysis includes following operations,

  1. Create application if not exist.
  2. Create build
  3. Upload war file into the scan
  4. Perform pre-scan
  5. Perform static scan
  6. Fetch report data

Input parameter(s):

Parameter Is Mandatory Help Text
Api ID true Provide the api id. for more information visit to API Credentials
Api Key true Provide the api key.
Application Name true Provide the application name.
Create Application If not Exist? true On ‘Yes’ selection, the API will check whether the given application is present or not. If not, then it will create an application.
Business Criticality false Provide the value of this field if create application is set to ‘Yes’.
Scan Name true In the Scan Name field, enter a name for the static scan we want to submit to the Veracode Platform for this application.
Upload files location true In the Upload field, To concat multiple file location use ‘||’ operator.Ex. E:\\Demo\\Jars\\Sample.war||E:\\Demo\\Jars\\Sample1.war.
Wait for prescan to complete true Until or unless the prescan is not getting completed the static scan can’t be started, if this lookup value set to ‘No’ then no scan will be performed, only the prescan get triggered.
Scan all top level modules false If this value set to Yes then by default veracode will choose all top level modules for scanning and if not it will choose all the module that has been uploaded.
Wait for scan to complete true Until or unless the scan is not getting completed the result will not be available. If this lookup value set to ‘No’ then no proper output will be received.
File path for Detailed GUI report false Full file path for detailed gui report in pdf form. Ex. E:\\Demo\\Jars\\DetailedReport.pdf
File path for Summary GUI report false Full file path for summary gui report in pdf form. Ex. E:\\Demo\\Jars\\SummaryReport.pdf
Waiting Time false Execution will wait for this time, provide the value in seconds. Note: if the provided value is 0 or left empty then default 20 seconds will be taken.
Output parameter(s):

Parameter Help Text

Application_Name

Application name.

Build_Name

Build name.

Veracode_Rating

Veracode rating.

Veracode_Level

Veracode level.

Score

Analysis score.

Overall_Status

Veracode overall status.

Overall_Status

Veracode overall status.

Flaws_By_Severity_Total_Flaw_Count

No. of total flaws by severity.

Flaws_By_Severity_Very_High

No. of very high severity flaws.

Flaws_By_Severity_Very_High_Categories

Very High level categories.

Flaws_By_Severity_High

No. of high severity flaws.

Flaws_By_Severity_High_Categories

High level categories.

Flaws_By_Severity_Medium

No. of medium severity flaws

Flaws_By_Severity_Medium_Categories

Medium level categories.

Flaws_By_Severity_Low

No. of low severity flaws

Flaws_By_Severity_Low_Categories

Low level categories.

Flaws_By_Severity_Very_Low

No. of very low severity flaws

Flaws_By_Severity_Very_Low_Categories

Very Low level categories.

Flaws_By_Severity_Informational

No. of informational severity flaws

Flaws_By_Severity_Informational_Categories

Informational level categories.

Flaw_Status_Cannot_Reproduce

Cannot reproduce flaws count.

Flaw_Status_Fixed

Fixed flaws count.

Flaw_Status_New

New flaws count.

Flaw_Status_Not_Mitigated

Not Mitigated flaws count.

Flaw_Status_Open

Open flaws count.

Flaw_Status_Reopen

Reopen flaws count.

Detailed Report Link

Hyperlink to download detailed report.

Summary Report Link

Hyperlink to download summary report.

2. Dynamic Analysis

Veracode Dynamic Analysis is a Dynamic Application Security Testing (DAST) solution that delivers an automated and scalable dynamic scanning capability that enables broad coverage at speed.

Dynamic Analysis includes following operations,

  1. Create application if not exist.
  2. Create dynamic analysis
  3. Fetch report data

Input parameter(s):

Parameter Is Mandatory Help Text

Api ID

true

Provide the api id. for more information visit to API Credentials

Api Key

true

Provide the api key.

Application Name

true

Provide the application name. Note: For dynamic analysis, don’t provide the application which is already linked with a dynamic analysis.

Create Application If not Exist?

true

On ‘Yes’ selection, the API will check whether the given application is present or not. If not, then it will create an application.

Business Criticality

false

Provide the value of this field if create application is set to ‘Yes’.

Analysis Name

true

Analysis name must be unique. Analysis name must be minimum of 6 and maximum of 190 characters.

Maximum Duration

true

Maximum duration (in hours).

Target Url

true

Put Single url at a time.

Wait for scan to complete

true

Until or unless the scan is not getting completed the result will not be available. If this lookup value set to ‘No’ then no proper output will be received.

File path for Detailed GUI report

false

Full file path for detailed gui report in pdf form. Ex. E:\\Demo\\Jars\\DetailedReport.pdf.

File path for Summary GUI report

false

Full file path for summary gui report in pdf form. Ex. E:\\Demo\\Jars\\SummaryReport.pdf

Waiting Time

false

Execution will wait for this time, provide the value in seconds. Note: if the provided value is 0 or left empty then default 20 seconds will be taken.

Output parameter(s):
Parameter Help Text

Application_Name

Application name.

Build_Name

Build name.

Veracode_Rating

Veracode rating.

Veracode_Level

Veracode level.

Score

Analysis score.

Overall_Status

Veracode overall status.

Overall_Status

Veracode overall status.

Flaws_By_Severity_Total_Flaw_Count

No. of total flaws by severity.

Flaws_By_Severity_Very_High

No. of very high severity flaws.

Flaws_By_Severity_Very_High_Categories

Very High level categories.

Flaws_By_Severity_High

No. of high severity flaws.

Flaws_By_Severity_High_Categories

High level categories.

Flaws_By_Severity_Medium

No. of medium severity flaws

Flaws_By_Severity_Medium_Categories

Medium level categories.

Flaws_By_Severity_Low

No. of low severity flaws

Flaws_By_Severity_Low_Categories

Low level categories.

Flaws_By_Severity_Very_Low

No. of very low severity flaws

Flaws_By_Severity_Very_Low_Categories

Very Low level categories.

Flaws_By_Severity_Informational

No. of informational severity flaws

Flaws_By_Severity_Informational_Categories

Informational level categories.

Flaw_Status_Cannot_Reproduce

Cannot reproduce flaws count.

Flaw_Status_Fixed

Fixed flaws count.

Flaw_Status_New

New flaws count.

Flaw_Status_Not_Mitigated

Not Mitigated flaws count.

Flaw_Status_Open

Open flaws count.

Flaw_Status_Reopen

Reopen flaws count.

Detailed Report Link

Hyperlink to download detailed report.

Summary Report Link

Hyperlink to download summary report.

 

Pass/Fail Condition

  1. No application details found. Unable to proceed….
  2. Application is not exist, neither create application flag set to Y. Unable to proceed….
  3. Scan name already exists. Please provide the unique name. Unable to proceed….
  4. Wait for prescan field set to Yes otherwise won’t proceed with the execution….
  5. Neither modules are selected nor the top level modules are chosen for scanning. Unable to proceed….
  6. There is an error while performing the static scan :
  7. No app details found. Unable to proceed….
  8. Scan in progress. result is not available….
  9. No result available as scan is not completed….
  10. No build details found….
  11. Unable to fetch application details….
  12. No application present named :

 

Note:

The plugin is tested with the user having below accesses:

  1. Creator
  2. Delete Scans
  3. Security Insights
  4. Security Labs User
  5. Greenlight IDE User
  6. Mitigation Approver
  7. Vendor Manager
  8. Reviewer
  9. Workspace Editor

 

Limitations:

  1. Providing input at runtime is not supported.
  2. Don’t use -no-color as additional option. This is already used internally.

Release Details:

Veracode : V.1.0
Initial version with basic functionalities.

Contact us:

    Yes, I accept the Privacy Statement and want to receive latest information from Kovair.
    [tracking]