ModelOp Center provides the ability to integrate with Veracode to enable automated code scanning of registered models within ModelOp Center.
This guide assumes the following prerequisites:
- your Veracode username stored in either VERACODE_USERNAME in your config.yaml or in the Spring property mlc.veracode-task-monitor.username
- your Veracode password stored in either VERACODE_PASSWORD in your config.yaml or in the Spring property mlc.veracode-task-monitor.password
- the Spring property mlc.process.global.veracodeAppid is available and contains your Veracode application id
- the variable VERACODE_BUILD_ID_FROM_JENKINS is set and contains the build id of the Jenkins process that initiated the Veracode build we will be looking for
- a running Veracode process, invoked from Jenkins
The task reads the following variables and properties:
- APP_ID - Veracode app id (required)
- One of these variables is required:
  - SANDBOX_ID - Veracode sandbox id
  - SANDBOX_NAME - Veracode sandbox name
- VERACODE_BUILD_ID_FROM_JENKINS - the build id of the Jenkins process that initiated the Veracode build
- http.proxyHost is for a proxy host and defaults to null
- http.proxyPort is for a proxy port and defaults to null
- mlc.veracode-task-monitor.poll-rate specifies how often (in milliseconds) to check for Veracode tasks. The default is 5000 milliseconds.
At a high level, we want our Veracode integration to begin shortly after the Veracode process is running, and then the MLC will poll until a summary report is found. To get a summary report, the Veracode task:
1. Retrieves the task variables from above
2. Using the APP_ID, retrieves a list of sandboxes
3. Finds the sandbox that matches the SANDBOX_ID or SANDBOX_NAME
4. Using the SANDBOX_ID from the matching sandbox, retrieves a list of builds
5. Finds the Veracode build that matches the VERACODE_BUILD_ID_FROM_JENKINS
6. Retrieves the summary report using the id from the matching Veracode build
7. Given a non-null policy compliance status, saves the summary report to the SUMMARY_REPORT field
The Veracode MLC integration occurs after the initial Jenkins job has completed and the Veracode job has been invoked. The task will wait until a summary report is found.
For example:
This is a sample response for getting a list of sandboxes:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<sandboxlist xmlns="https://analysiscenter.veracode.com/schema/4.0/sandboxlist"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    account_id="11111" app_id="999999" sandboxlist_version="1.0"
    xsi:schemaLocation="https://analysiscenter.veracode.com/schema/4.0/sandboxlist https://analysiscenter.veracode.com/resource/4.0/sandboxlist.xsd">
  <sandbox auto_recreate="false" last_modified="2020-10-15T14:49:53-04:00" owner="Owner Adams"
      sandbox_id="1111" sandbox_name="My first sandbox">
    <customfield name="Custom 1" value=""/>
    <customfield name="Custom 2" value=""/>
    <customfield name="Custom 3" value=""/>
    <customfield name="Custom 4" value=""/>
    <customfield name="Custom 5" value=""/>
  </sandbox>
  <sandbox auto_recreate="false" last_modified="2020-10-30T12:46:56-04:00" owner="Owner Brown"
      sandbox_id="2222" sandbox_name="Sandbox the second">
    <customfield name="Custom 1" value=""/>
    <customfield name="Custom 2" value=""/>
    <customfield name="Custom 3" value=""/>
    <customfield name="Custom 4" value=""/>
    <customfield name="Custom 5" value=""/>
  </sandbox>
</sandboxlist>
This is a sample response for getting a list of builds:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<buildlist xmlns="https://analysiscenter.veracode.com/schema/2.0/buildlist"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    account_id="11111" app_id="999999" app_name="My Cool App" buildlist_version="1.3" sandbox_id="1111"
    xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/buildlist https://analysiscenter.veracode.com/resource/2.0/buildlist.xsd">
  <build build_id="111" version="SCAN_1.0.0-21"/>
  <build build_id="222" version="SCAN_1.0.0-23"/>
  <build build_id="333" version="SCAN_1.0.0-25"/>
</buildlist>
Finally, here is a sample summary report response. The policy_compliance_status attribute on the root element is the policy compliance status the task checks for a non-null value before saving the report:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<summaryreport xmlns="https://www.veracode.com/schema/reports/export/1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    account_id="11111" analysis_id="1" app_id="999999" app_name="My Cool App"
    assurance_level="3" build_id="9455570" business_criticality="3"
    business_owner="Owner Adams" business_unit="ECS"
    first_build_submitted_date="2020-10-22 20:20:16 UTC" flaws_not_mitigated="1"
    generation_date="2020-11-03 20:48:57 UTC" grace_period_expired="false"
    is_latest_build="false" last_update_time="2020-10-30 16:46:56 UTC"
    legacy_scan_engine="false" life_cycle_stage="Not Specified"
    planned_deployment_date="" platform="Not Specified"
    policy_compliance_status="Did Not Pass" policy_name="Cool Policy"
    policy_rules_status="Did Not Pass" policy_version="6" report_format_version="1.3"
    sandbox_id="2222" sandbox_name="My first sandbox" scan_overdue="false"
    static_analysis_unit_id="1" submitter="PRD CM101 Automated Jenkins" tags="Cloud"
    teams="Cool Team" total_flaws="1" veracode_level="VL3 + SCA" version="SCAN_1.0.0-27"
    xsi:schemaLocation="https://www.veracode.com/schema/reports/export/1.0 https://analysiscenter.veracode.com/resource/summaryreport.xsd">
  <static-analysis analysis_size_bytes="8738" engine_version="20201014235120"
      next_scan_due="2021-10-30 16:46:55 UTC" published_date="2020-10-30 16:46:55 UTC"
      rating="A" score="99" submitted_date="2020-10-30 16:44:45 UTC" version="SCAN_1.0.0-27">
    <modules>
      <module architecture="Python" compiler="Python" loc="826" name="Python.zip"
          numflawssev0="0" numflawssev1="0" numflawssev2="0" numflawssev3="1"
          numflawssev4="0" numflawssev5="0" os="" score="99"/>
    </modules>
  </static-analysis>
  <severity level="5"/>
  <severity level="4"/>
  <severity level="3">
    <category categoryname="Cross-Site Scripting (XSS)" count="1" severity="Medium"/>
  </severity>
  <severity level="2"/>
  <severity level="1"/>
  <severity level="0"/>
  <flaw-status cannot-reproduce="0" fixed="0" new="0" not_mitigated="1" open="1" reopen="0"
      sev-1-change="0" sev-2-change="0" sev-3-change="0" sev-4-change="0" sev-5-change="0" total="1"/>
  <customfields>
    <customfield name="Sup" value="Cloud"/>
  </customfields>
  <software_composition_analysis blacklisted_components="0" components_violated_policy="0"
      third_party_components="0" violate_policy="false">
    <vulnerable_components/>
  </software_composition_analysis>
</summaryreport>
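The sandbox, build and summary-report selection steps described above, as an added Python example that is not part of ModelOp Center's own code. It walks constructed, trimmed copies of the three responses shown above using the standard library's ElementTree. The function names find_sandbox, find_build, extract_summary and run_task are this example's own, and the rule it uses to match VERACODE_BUILD_ID_FROM_JENKINS against the build list (the numeric suffix of the build's version attribute, or a direct build_id match) is an assumption, since the page does not state how that match is made.

```python
"""Walk the three Veracode responses the task consumes:
sandbox list -> build list -> summary report (example code, not ModelOp Center's)."""
import re
import xml.etree.ElementTree as ET
from typing import Callable, Optional

# Constructed samples mirroring the shapes of the responses shown on the page.
SANDBOX_LIST_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<sandboxlist xmlns="https://analysiscenter.veracode.com/schema/4.0/sandboxlist" app_id="999999">
  <sandbox sandbox_id="1111" sandbox_name="My first sandbox" owner="Owner Adams"/>
  <sandbox sandbox_id="2222" sandbox_name="Sandbox the second" owner="Owner Brown"/>
</sandboxlist>"""

BUILD_LIST_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<buildlist xmlns="https://analysiscenter.veracode.com/schema/2.0/buildlist" sandbox_id="1111">
  <build build_id="111" version="SCAN_1.0.0-21"/>
  <build build_id="222" version="SCAN_1.0.0-23"/>
  <build build_id="333" version="SCAN_1.0.0-25"/>
</buildlist>"""

SUMMARY_REPORT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<summaryreport xmlns="https://www.veracode.com/schema/reports/export/1.0" build_id="333"
    policy_compliance_status="Did Not Pass" policy_name="Cool Policy" total_flaws="1">
  <severity level="3">
    <category categoryname="Cross-Site Scripting (XSS)" count="1" severity="Medium"/>
  </severity>
</summaryreport>"""

# Constructed "not ready yet" report: no policy_compliance_status, so the task keeps polling.
PENDING_REPORT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<summaryreport xmlns="https://www.veracode.com/schema/reports/export/1.0" build_id="111"/>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _elements(xml_text: str, name: str) -> list:
    """All elements with the given local name, regardless of namespace."""
    return [el for el in ET.fromstring(xml_text).iter() if _local(el.tag) == name]


def find_sandbox(sandbox_list_xml: str, sandbox_id: Optional[str] = None,
                 sandbox_name: Optional[str] = None) -> Optional[dict]:
    """Step 3: select by SANDBOX_ID, falling back to SANDBOX_NAME when no id is given."""
    if sandbox_id is None and sandbox_name is None:
        raise ValueError("one of SANDBOX_ID or SANDBOX_NAME is required")
    for sb in _elements(sandbox_list_xml, "sandbox"):
        if sandbox_id is not None and sb.get("sandbox_id") == sandbox_id:
            return dict(sb.attrib)
        if sandbox_id is None and sb.get("sandbox_name") == sandbox_name:
            return dict(sb.attrib)
    return None


def find_build(build_list_xml: str, jenkins_build_id: str) -> Optional[dict]:
    """Step 5: pick the build for VERACODE_BUILD_ID_FROM_JENKINS.
    ASSUMPTION (not stated on the page): the Jenkins build number is the trailing "-<n>"
    of the Veracode build's version attribute (SCAN_1.0.0-25 -> 25); a direct build_id
    match is accepted too."""
    for b in _elements(build_list_xml, "build"):
        suffix = re.search(r"-(\d+)$", b.get("version", ""))
        if b.get("build_id") == jenkins_build_id or (suffix and suffix.group(1) == jenkins_build_id):
            return dict(b.attrib)
    return None


def extract_summary(summary_report_xml: str) -> Optional[dict]:
    """Step 7: return the summary only when policy_compliance_status is present (non-null);
    None tells the caller the report is not ready and it should poll again."""
    root = ET.fromstring(summary_report_xml)
    status = root.get("policy_compliance_status")
    if status is None:
        return None
    flaws = {c.get("categoryname"): int(c.get("count", "0")) for c in _elements(summary_report_xml, "category")}
    return {"build_id": root.get("build_id"), "policy_compliance_status": status,
            "total_flaws": int(root.get("total_flaws", "0")), "flaws_by_category": flaws}


def fetch_sample_report(build_id: str) -> str:
    """Stand-in for the summary-report request (step 6); real code would call the Veracode API."""
    return SUMMARY_REPORT_XML if build_id == "333" else PENDING_REPORT_XML


def run_task(sandbox_list_xml: str, build_list_xml: str, fetch_report: Callable[[str], str],
             *, jenkins_build_id: str, sandbox_id: Optional[str] = None,
             sandbox_name: Optional[str] = None) -> Optional[dict]:
    """One polling iteration of the task; None anywhere means 'not ready, poll again'."""
    if find_sandbox(sandbox_list_xml, sandbox_id, sandbox_name) is None:
        return None
    build = find_build(build_list_xml, jenkins_build_id)
    if build is None:
        return None
    return extract_summary(fetch_report(build["build_id"]))


if __name__ == "__main__":
    print(run_task(SANDBOX_LIST_XML, BUILD_LIST_XML, fetch_sample_report,
                   sandbox_name="My first sandbox", jenkins_build_id="25"))
```

Run as-is, the `__main__` block selects sandbox 1111 by name, resolves Jenkins build 25 to Veracode build 333 and returns the "Did Not Pass" summary; with jenkins_build_id="21" the stand-in fetch returns the pending report and run_task yields None, which is the state the poller waits through. For responses from a live API rather than constructed strings, defusedxml.ElementTree is the usual hardened drop-in for the parser.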