Veracode Plugin Details
Plugin Version: CloudOverview
Veracode Information:
Version Supported:
Plugin Operation:
Plugin operations execute synchronously: they wait for long-running operations such as the prescan and the Static/Dynamic scan, so task execution blocks until these scans complete. Calling the API very frequently (without any delay) would overload the application API engines (Veracode, Kovair DevOps). A delay is therefore introduced between status checks of a long-running task, and it can be configured accordingly.
1. Static Analysis
Veracode Static Analysis is a Static Application Security Testing (SAST) solution that enables you to quickly identify and remediate application security findings.
Static Analysis includes the following operations:
- Create application if it does not exist.
- Create build
- Upload war file into the scan
- Perform pre-scan
- Perform static scan
- Fetch report data
Input parameter(s):
Parameter | Is Mandatory | Help Text |
---|---|---|
Api ID | true | Provide the API ID. For more information, see API Credentials. |
Api Key | true | Provide the api key. |
Application Name | true | Provide the application name. |
Create Application If not Exist? | true | On ‘Yes’ selection, the API will check whether the given application is present or not. If not, then it will create an application. |
Business Criticality | false | Provide the value of this field if create application is set to ‘Yes’. |
Scan Name | true | Enter a name for the static scan to submit to the Veracode Platform for this application. |
Upload files location | true | Location of the file(s) to upload. To concatenate multiple file locations, use the ‘||’ operator, e.g. E:\\Demo\\Jars\\Sample.war||E:\\Demo\\Jars\\Sample1.war. |
Wait for prescan to complete | true | The static scan cannot start until the prescan has completed. If this lookup value is set to ‘No’, only the prescan is triggered and no scan is performed. |
Scan all top level modules | false | If set to Yes, Veracode selects all top-level modules for scanning by default; otherwise it selects all modules that have been uploaded. |
Wait for scan to complete | true | Results are not available until the scan has completed. If this lookup value is set to ‘No’, no proper output will be received. |
File path for Detailed GUI report | false | Full file path for the detailed GUI report in PDF form, e.g. E:\\Demo\\Jars\\DetailedReport.pdf |
File path for Summary GUI report | false | Full file path for the summary GUI report in PDF form, e.g. E:\\Demo\\Jars\\SummaryReport.pdf |
Waiting Time | false | Execution waits for this time between status checks; provide the value in seconds. Note: if the provided value is 0 or left empty, the default of 20 seconds is used. |
Output parameter(s):
Parameter | Help Text |
---|---|
Application_Name | Application name. |
Build_Name | Build name. |
Veracode_Rating | Veracode rating. |
Veracode_Level | Veracode level. |
Score | Analysis score. |
Overall_Status | Veracode overall status. |
Flaws_By_Severity_Total_Flaw_Count | No. of total flaws by severity. |
Flaws_By_Severity_Very_High | No. of very high severity flaws. |
Flaws_By_Severity_Very_High_Categories | Very High level categories. |
Flaws_By_Severity_High | No. of high severity flaws. |
Flaws_By_Severity_High_Categories | High level categories. |
Flaws_By_Severity_Medium | No. of medium severity flaws. |
Flaws_By_Severity_Medium_Categories | Medium level categories. |
Flaws_By_Severity_Low | No. of low severity flaws. |
Flaws_By_Severity_Low_Categories | Low level categories. |
Flaws_By_Severity_Very_Low | No. of very low severity flaws. |
Flaws_By_Severity_Very_Low_Categories | Very Low level categories. |
Flaws_By_Severity_Informational | No. of informational severity flaws. |
Flaws_By_Severity_Informational_Categories | Informational level categories. |
Flaw_Status_Cannot_Reproduce | Cannot reproduce flaws count. |
Flaw_Status_Fixed | Fixed flaws count. |
Flaw_Status_New | New flaws count. |
Flaw_Status_Not_Mitigated | Not Mitigated flaws count. |
Flaw_Status_Open | Open flaws count. |
Flaw_Status_Reopen | Reopen flaws count. |
Detailed Report Link | Hyperlink to download the detailed report. |
Summary Report Link | Hyperlink to download the summary report. |
2. Dynamic Analysis
Veracode Dynamic Analysis is a Dynamic Application Security Testing (DAST) solution that delivers an automated and scalable dynamic scanning capability that enables broad coverage at speed.
Dynamic Analysis includes the following operations:
- Create application if it does not exist.
- Create dynamic analysis
- Fetch report data
Input parameter(s):
Parameter | Is Mandatory | Help Text |
---|---|---|
Api ID | true | Provide the API ID. For more information, see API Credentials. |
Api Key | true | Provide the API key. |
Application Name | true | Provide the application name. Note: for dynamic analysis, don’t provide an application that is already linked with a dynamic analysis. |
Create Application If not Exist? | true | On ‘Yes’ selection, the API will check whether the given application is present or not. If not, then it will create an application. |
Business Criticality | false | Provide the value of this field if create application is set to ‘Yes’. |
Analysis Name | true | The analysis name must be unique and between 6 and 190 characters long. |
Maximum Duration | true | Maximum duration (in hours). |
Target Url | true | Provide a single URL at a time. |
Wait for scan to complete | true | Results are not available until the scan has completed. If this lookup value is set to ‘No’, no proper output will be received. |
File path for Detailed GUI report | false | Full file path for the detailed GUI report in PDF form, e.g. E:\\Demo\\Jars\\DetailedReport.pdf |
File path for Summary GUI report | false | Full file path for the summary GUI report in PDF form, e.g. E:\\Demo\\Jars\\SummaryReport.pdf |
Waiting Time | false | Execution waits for this time between status checks; provide the value in seconds. Note: if the provided value is 0 or left empty, the default of 20 seconds is used. |
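The parameter rules documented in the Static and Dynamic input tables above (the ‘||’ file-list separator, the 20-second Waiting Time default, the 6–190 character unique Analysis Name) and the synchronous status polling described under Plugin Operation, as an added Python example that is not part of the plugin or of Veracode's own code; the status strings and the `poll` callback are constructed stand-ins for the real scan-status call.

```python
import time
from typing import Callable, List, Optional, Set

DEFAULT_WAIT_SECONDS = 20                      # documented default when Waiting Time is 0 or empty
TERMINAL_STATES = {"Results Ready", "Failed"}  # constructed status strings, not Veracode's own


def effective_wait(raw: Optional[str]) -> int:
    """'Waiting Time' parameter: 0 or empty falls back to the 20-second default."""
    if raw is None or raw.strip() == "":
        return DEFAULT_WAIT_SECONDS
    value = int(raw.strip())
    if value < 0:
        raise ValueError("Waiting Time must not be negative")
    return value or DEFAULT_WAIT_SECONDS


def split_upload_locations(raw: str) -> List[str]:
    """'Upload files location' joins several paths with '||'; split, trim, drop blanks."""
    return [path.strip() for path in raw.split("||") if path.strip()]


def validate_analysis_name(name: str, existing: Set[str]) -> str:
    """Dynamic 'Analysis Name': 6 to 190 characters and unique among existing analyses."""
    if not 6 <= len(name) <= 190:
        raise ValueError("Analysis name must be between 6 and 190 characters")
    if name in existing:
        raise ValueError("Analysis name must be unique")
    return name


def wait_for_completion(poll: Callable[[], str], wait_seconds: int, max_polls: int,
                        sleep: Callable[[float], None] = time.sleep) -> str:
    """Synchronous wait: check the status, then sleep wait_seconds before the next check
    so the API engine is not hammered; give up after max_polls checks."""
    for _ in range(max_polls):
        status = poll()
        if status in TERMINAL_STATES:
            return status
        sleep(wait_seconds)
    raise TimeoutError("scan did not complete within the polling budget")


if __name__ == "__main__":
    # Constructed status sequence standing in for the scan-status endpoint.
    states = iter(["Pre-Scan Submitted", "Scan In Process", "Results Ready"])
    delay = effective_wait("")  # empty -> 20 seconds
    print(wait_for_completion(lambda: next(states), delay, 10, sleep=lambda s: None))
```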
Output parameter(s):
Parameter | Help Text |
---|---|
Application_Name | Application name. |
Build_Name | Build name. |
Veracode_Rating | Veracode rating. |
Veracode_Level | Veracode level. |
Score | Analysis score. |
Overall_Status | Veracode overall status. |
Flaws_By_Severity_Total_Flaw_Count | No. of total flaws by severity. |
Flaws_By_Severity_Very_High | No. of very high severity flaws. |
Flaws_By_Severity_Very_High_Categories | Very High level categories. |
Flaws_By_Severity_High | No. of high severity flaws. |
Flaws_By_Severity_High_Categories | High level categories. |
Flaws_By_Severity_Medium | No. of medium severity flaws. |
Flaws_By_Severity_Medium_Categories | Medium level categories. |
Flaws_By_Severity_Low | No. of low severity flaws. |
Flaws_By_Severity_Low_Categories | Low level categories. |
Flaws_By_Severity_Very_Low | No. of very low severity flaws. |
Flaws_By_Severity_Very_Low_Categories | Very Low level categories. |
Flaws_By_Severity_Informational | No. of informational severity flaws. |
Flaws_By_Severity_Informational_Categories | Informational level categories. |
Flaw_Status_Cannot_Reproduce | Cannot reproduce flaws count. |
Flaw_Status_Fixed | Fixed flaws count. |
Flaw_Status_New | New flaws count. |
Flaw_Status_Not_Mitigated | Not Mitigated flaws count. |
Flaw_Status_Open | Open flaws count. |
Flaw_Status_Reopen | Reopen flaws count. |
Detailed Report Link | Hyperlink to download the detailed report. |
Summary Report Link | Hyperlink to download the summary report. |
Pass/Fail Condition
- No application details found. Unable to proceed….
- Application is not exist, neither create application flag set to Y. Unable to proceed….
- Scan name already exists. Please provide the unique name. Unable to proceed….
- Wait for prescan field set to Yes otherwise won’t proceed with the execution….
- Neither modules are selected nor the top level modules are chosen for scanning. Unable to proceed….
- There is an error while performing the static scan :
- No app details found. Unable to proceed….
- Scan in progress. result is not available….
- No result available as scan is not completed….
- No build details found….
- Unable to fetch application details….
- No application present named :
Note:
The plugin was tested with a user having the following roles:
- Creator
- Delete Scans
- Security Insights
- Security Labs User
- Greenlight IDE User
- Mitigation Approver
- Vendor Manager
- Reviewer
- Workspace Editor
Limitations:
- Providing input at runtime is not supported.
- Don’t use -no-color as an additional option; it is already used internally.
Release Details:
Initial version with basic functionalities.