Introduction
ModelOp Center provides the ability to integrate with Veracode to enable automated code scanning of registered models within ModelOp Center
Veracode Integration Setup
Prerequisites
This guide assumes the following prerequisites:
Spring property
mlc.veracode-task-monitor.username
set with Veracode usernameSpring property
mlc.veracode-task-monitor.password
set with Veracode passwordVeracode process configured to be triggered from a Jenkins Job
Security
The Veracode SDK is used to authenticate and communicate with Veracode. The Veracode credentials can be configured via Spring properties through direct property configuration, kubernetes secrets, or using Vault.
Task variables
APP_ID
- Veracode app idSANDBOX_ID
- Veracode sandbox id (one ofSANDBOX_ID
orSANDBOX_NAME
is required;SANDBOX_ID
has priority)SANDBOX_NAME
- Veracode sandbox name (one ofSANDBOX_ID
orSANDBOX_NAME
is required;SANDBOX_ID
has priority)VERACODE_BUILD_ID_FROM_JENKINS
- the build id of the Jenkins process that initiated the Veracode build
Optional Spring properties
http.proxyHost
is for a proxy host and defaults to nullhttp.proxyPort
is for a proxy port and defaults to nullmlc.veracode-task-monitor.poll-rate
specifies how often (in milliseconds) to check for Veracode tasks. The default is 5000 milliseconds
Veracode Task
At a high level, Veracode integration begins shortly after the Veracode process is running. The integration will poll until a summary report is found or a timeout occurs. To get a summary report the Veracode task:
Retrieves a list of sandboxes for the
APP_ID
Finds the sandbox matching the
SANDBOX_ID
orSANDBOX_NAME
Finds a list of builds matching the sandbox
Finds the Veracode build matching the
VERACODE_BUILD_ID_FROM_JENKINS
Retrieves the summary report using the id from the matching Veracode build
Saves the summary report to the
SUMMARY_REPORT
output parameter if a non-null policy compliance status is found
Example MLC Integration with Veracode
The Veracode MLC integration occurs after the initial Jenkins job has completed and the Veracode job has been invoked. The task will wait until a summary report is found or a timeout occurs.
For example:
Sample responses
This is a sample response for getting a list of sandboxes
Code Block |
---|
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <sandboxlist xmlns="https://analysiscenter.veracode.com/schema/4.0/sandboxlist" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="11111" app_id="999999" sandboxlist_version="1.0" xsi:schemaLocation="https://analysiscenter.veracode.com/schema/4.0/sandboxlist https://analysiscenter.veracode.com/resource/4.0/sandboxlist.xsd"> <sandbox auto_recreate="false" last_modified="2020-10-15T14:49:53-04:00" owner="Owner Adams" sandbox_id="1111" sandbox_name="My first sandbox"> <customfield name="Custom 1" value=""/> <customfield name="Custom 2" value=""/> <customfield name="Custom 3" value=""/> <customfield name="Custom 4" value=""/> <customfield name="Custom 5" value=""/> </sandbox> <sandbox auto_recreate="false" last_modified="2020-10-30T12:46:56-04:00" owner="Owner Brown" sandbox_id="2222" sandbox_name="Sandbox the second"> <customfield name="Custom 1" value=""/> <customfield name="Custom 2" value=""/> <customfield name="Custom 3" value=""/> <customfield name="Custom 4" value=""/> <customfield name="Custom 5" value=""/> </sandbox> </sandboxlist> |
This is a sample response for getting a list of builds
Code Block |
---|
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <buildlist xmlns="https://analysiscenter.veracode.com/schema/2.0/buildlist" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="11111" app_id="999999" app_name="My Cool App" buildlist_version="1.3" sandbox_id="1111" xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/buildlist https://analysiscenter.veracode.com/resource/2.0/buildlist.xsd"> <build build_id="111" version="SCAN_1.0.0-21"/> <build build_id="222" version="SCAN_1.0.0-23"/> <build build_id="333" version="SCAN_1.0.0-25"/> </buildlist> |
Finally, here is a sample summary report response
Code Block |
---|
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <summaryreport xmlns="https://www.veracode.com/schema/reports/export/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="11111" analysis_id="1" app_id="999999" app_name="My Cool App" assurance_level="3" build_id="9455570" business_criticality="3" business_owner="Owner Adams" business_unit="ECS" first_build_submitted_date="2020-10-22 20:20:16 UTC" flaws_not_mitigated="1" generation_date="2020-11-03 20:48:57 UTC" grace_period_expired="false" is_latest_build="false" last_update_time="2020-10-30 16:46:56 UTC" legacy_scan_engine="false" life_cycle_stage="Not Specified" planned_deployment_date="" platform="Not Specified" policy_compliance_status="Did Not Pass" policy_name="Cool Policy" policy_rules_status="Did Not Pass" policy_version="6" report_format_version="1.3" sandbox_id="2222" sandbox_name="My first sandbox" scan_overdue="false" static_analysis_unit_id="1" submitter="PRD CM101 Automated Jenkins" tags="Cloud" teams="Cool Team" total_flaws="1" veracode_level="VL3 + SCA" version="SCAN_1.0.0-27" xsi:schemaLocation="https://www.veracode.com/schema/reports/export/1.0 https://analysiscenter.veracode.com/resource/summaryreport.xsd"> <static-analysis analysis_size_bytes="8738" engine_version="20201014235120" next_scan_due="2021-10-30 16:46:55 UTC" published_date="2020-10-30 16:46:55 UTC" rating="A" score="99" submitted_date="2020-10-30 16:44:45 UTC" version="SCAN_1.0.0-27"> <modules> <module architecture="Python" compiler="Python" loc="826" name="Python.zip" numflawssev0="0" numflawssev1="0" numflawssev2="0" numflawssev3="1" numflawssev4="0" numflawssev5="0" os="" score="99"/> </modules> </static-analysis> <severity level="5"/> <severity level="4"/> <severity level="3"> <category categoryname="Cross-Site Scripting (XSS)" count="1" severity="Medium"/> </severity> <severity level="2"/> <severity level="1"/> <severity level="0"/> <flaw-status cannot-reproduce="0" fixed="0" new="0" not_mitigated="1" open="1" reopen="0" sev-1-change="0" sev-2-change="0" sev-3-change="0" sev-4-change="0" sev-5-change="0" total="1"/> <customfields> <customfield name="Sup" value="Cloud"/> </customfields> <software_composition_analysis blacklisted_components="0" components_violated_policy="0" third_party_components="0" violate_policy="false"> <vulnerable_components/> </software_composition_analysis> </summaryreport> |