Integrate with Veracode
ModelOp Center seamlessly integrates with existing code scanning and security systems, such as Veracode, to allow enterprises to leverage existing IT investments.
Introduction
ModelOp Center provides the ability to integrate with Veracode to enable automated code scanning of registered models within ModelOp Center.
Veracode Integration Setup
Prerequisites
This guide assumes the following prerequisites:
- your Veracode username stored either as VERACODE_USERNAME in your secrets/secrets.json or in the Spring property mlc.veracode-task-monitor.username
- your Veracode password stored either as VERACODE_PASSWORD in your secrets/secrets.json or in the Spring property mlc.veracode-task-monitor.password
- the Spring property mlc.process.global.veracodeAppid is available and contains your Veracode application id
- the variable VERACODE_BUILD_ID_FROM_JENKINS is set and contains the build id of the Jenkins process that initiated the Veracode build we will be looking for
- a running Veracode process, invoked from Jenkins
Task variables
- APP_ID - Veracode app id
- SANDBOX_ID - Veracode sandbox id
- SANDBOX_NAME - Veracode sandbox name
- VERACODE_BUILD_ID_FROM_JENKINS - the build id of the Jenkins process that initiated the Veracode build
Spring properties
- http.proxyHost is for a proxy host and defaults to null
- http.proxyPort is for a proxy port and defaults to null
- mlc.veracode-task-monitor.poll-rate specifies how often (in milliseconds) to check for Veracode tasks. The default is 5000 milliseconds.
Veracode Task
At a high level, we want our Veracode integration to begin shortly after the Veracode process is running, and then the MLC will poll until a summary report is found. To get a summary report, the Veracode task:
1. Retrieves the task variables from above
2. Using the APP_ID, retrieves a list of sandboxes
3. Finds the sandbox that matches the SANDBOX_ID or SANDBOX_NAME
4. Using the SANDBOX_ID from the matching sandbox, retrieves a list of builds
5. Finds the Veracode build that matches the VERACODE_BUILD_ID_FROM_JENKINS
6. Retrieves the summary report using the id from the matching Veracode build
7. Given a non-null policy compliance status, saves the summary report to the SUMMARY_REPORT field
Example MLC Integration with Veracode
The Veracode MLC integration occurs after the initial Jenkins job has completed and the Veracode job has been invoked. The task will wait until a summary report is found.
For example:
Sample responses
This is a sample response for getting a list of sandboxes:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<sandboxlist
xmlns="https://analysiscenter.veracode.com/schema/4.0/sandboxlist"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="11111" app_id="999999" sandboxlist_version="1.0" xsi:schemaLocation="https://analysiscenter.veracode.com/schema/4.0/sandboxlist https://analysiscenter.veracode.com/resource/4.0/sandboxlist.xsd">
<sandbox auto_recreate="false" last_modified="2020-10-15T14:49:53-04:00" owner="Owner Adams" sandbox_id="1111" sandbox_name="My first sandbox">
<customfield name="Custom 1" value=""/>
<customfield name="Custom 2" value=""/>
<customfield name="Custom 3" value=""/>
<customfield name="Custom 4" value=""/>
<customfield name="Custom 5" value=""/>
</sandbox>
<sandbox auto_recreate="false" last_modified="2020-10-30T12:46:56-04:00" owner="Owner Brown" sandbox_id="2222" sandbox_name="Sandbox the second">
<customfield name="Custom 1" value=""/>
<customfield name="Custom 2" value=""/>
<customfield name="Custom 3" value=""/>
<customfield name="Custom 4" value=""/>
<customfield name="Custom 5" value=""/>
</sandbox>
</sandboxlist>
This is a sample response for getting a list of builds:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<buildlist
xmlns="https://analysiscenter.veracode.com/schema/2.0/buildlist"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="11111" app_id="999999" app_name="My Cool App" buildlist_version="1.3" sandbox_id="1111" xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/buildlist https://analysiscenter.veracode.com/resource/2.0/buildlist.xsd">
<build build_id="111" version="SCAN_1.0.0-21"/>
<build build_id="222" version="SCAN_1.0.0-23"/>
<build build_id="333" version="SCAN_1.0.0-25"/>
</buildlist>
Finally, here is a sample summary report response:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<summaryreport
xmlns="https://www.veracode.com/schema/reports/export/1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="11111" analysis_id="1" app_id="999999" app_name="My Cool App" assurance_level="3" build_id="9455570" business_criticality="3" business_owner="Owner Adams" business_unit="ECS" first_build_submitted_date="2020-10-22 20:20:16 UTC" flaws_not_mitigated="1" generation_date="2020-11-03 20:48:57 UTC" grace_period_expired="false" is_latest_build="false" last_update_time="2020-10-30 16:46:56 UTC" legacy_scan_engine="false" life_cycle_stage="Not Specified" planned_deployment_date="" platform="Not Specified" policy_compliance_status="Did Not Pass" policy_name="Cool Policy" policy_rules_status="Did Not Pass" policy_version="6" report_format_version="1.3" sandbox_id="2222" sandbox_name="My first sandbox" scan_overdue="false" static_analysis_unit_id="1" submitter="PRD CM101 Automated Jenkins" tags="Cloud" teams="Cool Team" total_flaws="1" veracode_level="VL3 + SCA" version="SCAN_1.0.0-27" xsi:schemaLocation="https://www.veracode.com/schema/reports/export/1.0 https://analysiscenter.veracode.com/resource/summaryreport.xsd">
<static-analysis analysis_size_bytes="8738" engine_version="20201014235120" next_scan_due="2021-10-30 16:46:55 UTC" published_date="2020-10-30 16:46:55 UTC" rating="A" score="99" submitted_date="2020-10-30 16:44:45 UTC" version="SCAN_1.0.0-27">
<modules>
<module architecture="Python" compiler="Python" loc="826" name="Python.zip" numflawssev0="0" numflawssev1="0" numflawssev2="0" numflawssev3="1" numflawssev4="0" numflawssev5="0" os="" score="99"/>
</modules>
</static-analysis>
<severity level="5"/>
<severity level="4"/>
<severity level="3">
<category categoryname="Cross-Site Scripting (XSS)" count="1" severity="Medium"/>
</severity>
<severity level="2"/>
<severity level="1"/>
<severity level="0"/>
<flaw-status cannot-reproduce="0" fixed="0" new="0" not_mitigated="1" open="1" reopen="0" sev-1-change="0" sev-2-change="0" sev-3-change="0" sev-4-change="0" sev-5-change="0" total="1"/>
<customfields>
<customfield name="Sup" value="Cloud"/>
</customfields>
<software_composition_analysis blacklisted_components="0" components_violated_policy="0" third_party_components="0" violate_policy="false">
<vulnerable_components/>
</software_composition_analysis>
</summaryreport>
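As an added example (not code from ModelOp Center or this page), here is the matching logic of the Veracode task steps above applied to shortened copies of the three sample responses, using only the Python standard library. It assumes that the Jenkins build id corresponds to the numeric suffix of the Veracode scan version (the page does not say how the match is made), and it treats a report with no policy_compliance_status as not yet ready, so the caller would keep polling.

```python
import xml.etree.ElementTree as ET

# Namespaces taken from the sample responses on this page
SANDBOX_NS = "{https://analysiscenter.veracode.com/schema/4.0/sandboxlist}"
BUILD_NS = "{https://analysiscenter.veracode.com/schema/2.0/buildlist}"
REPORT_NS = "{https://www.veracode.com/schema/reports/export/1.0}"

# Constructed, shortened copies of the sample responses shown above
SANDBOX_XML = """<sandboxlist xmlns="https://analysiscenter.veracode.com/schema/4.0/sandboxlist" app_id="999999">
<sandbox sandbox_id="1111" sandbox_name="My first sandbox"/>
<sandbox sandbox_id="2222" sandbox_name="Sandbox the second"/>
</sandboxlist>"""
BUILD_XML = """<buildlist xmlns="https://analysiscenter.veracode.com/schema/2.0/buildlist" sandbox_id="1111">
<build build_id="111" version="SCAN_1.0.0-21"/>
<build build_id="222" version="SCAN_1.0.0-23"/>
</buildlist>"""
REPORT_XML = """<summaryreport xmlns="https://www.veracode.com/schema/reports/export/1.0" build_id="222" policy_compliance_status="Did Not Pass" total_flaws="1"/>"""
# Constructed: a report whose compliance status is not yet populated
PENDING_XML = """<summaryreport xmlns="https://www.veracode.com/schema/reports/export/1.0" build_id="222"/>"""


def find_sandbox(sandbox_xml, sandbox_id=None, sandbox_name=None):
    """Steps 2-3: return the sandbox_id matching SANDBOX_ID, else SANDBOX_NAME."""
    for sb in ET.fromstring(sandbox_xml).iter(SANDBOX_NS + "sandbox"):
        if sandbox_id and sb.get("sandbox_id") == sandbox_id:
            return sb.get("sandbox_id")
        if sandbox_name and sb.get("sandbox_name") == sandbox_name:
            return sb.get("sandbox_id")
    return None


def find_build(build_xml, jenkins_build_id):
    """Steps 4-5: return the Veracode build_id for the Jenkins build.
    Assumption (not stated on the page): the Jenkins build number is the
    numeric suffix of the scan version, e.g. SCAN_1.0.0-23 -> 23."""
    for b in ET.fromstring(build_xml).iter(BUILD_NS + "build"):
        if b.get("version", "").rsplit("-", 1)[-1] == str(jenkins_build_id):
            return b.get("build_id")
    return None


def summary_if_ready(report_xml):
    """Steps 6-7: accept the report only when policy_compliance_status is set;
    None means the scan is still running and the task should poll again."""
    root = ET.fromstring(report_xml)
    status = root.get("policy_compliance_status")
    if not status:
        return None
    return {"build_id": root.get("build_id"), "policy_compliance_status": status,
            "total_flaws": int(root.get("total_flaws", "0"))}
```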