Integrate with Veracode

ModelOp Center seamlessly integrates with existing code scanning and security systems, such as Veracode, to allow enterprises to leverage existing IT investments.


Introduction

ModelOp Center provides the ability to integrate with Veracode to enable automated code scanning of models registered within ModelOp Center.

Veracode Integration Setup

Prerequisites

This guide assumes the following prerequisites:

  • your Veracode username is stored either in VERACODE_USERNAME in your config.yaml or in the Spring property mlc.veracode-task-monitor.username

  • your Veracode password is stored either in VERACODE_PASSWORD in your config.yaml or in the Spring property mlc.veracode-task-monitor.password

  • the Spring property mlc.process.global.veracodeAppid is available and contains your Veracode application id

  • the variable VERACODE_BUILD_ID_FROM_JENKINS is set and contains the build id of the Jenkins process that initiated the Veracode build we will be looking for

  • a running Veracode process, invoked from Jenkins

Task variables

  • APP_ID - Veracode app id (required)

  • One of these variables is required:

    • SANDBOX_ID - Veracode sandbox id

    • SANDBOX_NAME - Veracode sandbox name

  • VERACODE_BUILD_ID_FROM_JENKINS - the build id of the Jenkins process that initiated the Veracode build

Spring properties

  • http.proxyHost - the HTTP proxy host; defaults to null

  • http.proxyPort - the HTTP proxy port; defaults to null

  • mlc.veracode-task-monitor.poll-rate - how often (in milliseconds) to check for Veracode tasks; defaults to 5000 milliseconds

Veracode Task

At a high level, we want the Veracode integration to begin shortly after the Veracode process is running; the MLC then polls until a summary report is found. To get a summary report, the Veracode task:

  1. Retrieves the task variables from above

  2. Using the APP_ID, retrieves a list of sandboxes

  3. Finds the sandbox that matches the SANDBOX_ID or SANDBOX_NAME

  4. Using the SANDBOX_ID from the matching sandbox, retrieves a list of builds

  5. Finds the Veracode build that matches the VERACODE_BUILD_ID_FROM_JENKINS

  6. Retrieves the summary report using the id from the matching Veracode build

  7. Given a non-null policy compliance status, saves the summary report to the SUMMARY_REPORT field

Example MLC Integration with Veracode

The Veracode MLC integration occurs after the initial Jenkins job has completed and the Veracode job has been invoked. The task will wait until a summary report is found.

Sample responses

This is a sample response for getting a list of sandboxes:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<sandboxlist xmlns="https://analysiscenter.veracode.com/schema/4.0/sandboxlist"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             account_id="11111" app_id="999999" sandboxlist_version="1.0"
             xsi:schemaLocation="https://analysiscenter.veracode.com/schema/4.0/sandboxlist https://analysiscenter.veracode.com/resource/4.0/sandboxlist.xsd">
  <sandbox auto_recreate="false" last_modified="2020-10-15T14:49:53-04:00" owner="Owner Adams" sandbox_id="1111" sandbox_name="My first sandbox">
    <customfield name="Custom 1" value=""/>
    <customfield name="Custom 2" value=""/>
    <customfield name="Custom 3" value=""/>
    <customfield name="Custom 4" value=""/>
    <customfield name="Custom 5" value=""/>
  </sandbox>
  <sandbox auto_recreate="false" last_modified="2020-10-30T12:46:56-04:00" owner="Owner Brown" sandbox_id="2222" sandbox_name="Sandbox the second">
    <customfield name="Custom 1" value=""/>
    <customfield name="Custom 2" value=""/>
    <customfield name="Custom 3" value=""/>
    <customfield name="Custom 4" value=""/>
    <customfield name="Custom 5" value=""/>
  </sandbox>
</sandboxlist>

This is a sample response for getting a list of builds:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<buildlist xmlns="https://analysiscenter.veracode.com/schema/2.0/buildlist"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           account_id="11111" app_id="999999" app_name="My Cool App" buildlist_version="1.3" sandbox_id="1111"
           xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/buildlist https://analysiscenter.veracode.com/resource/2.0/buildlist.xsd">
  <build build_id="111" version="SCAN_1.0.0-21"/>
  <build build_id="222" version="SCAN_1.0.0-23"/>
  <build build_id="333" version="SCAN_1.0.0-25"/>
</buildlist>

Finally, here is a sample summary report response:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<summaryreport xmlns="https://www.veracode.com/schema/reports/export/1.0"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               account_id="11111" analysis_id="1" app_id="999999" app_name="My Cool App"
               assurance_level="3" build_id="9455570" business_criticality="3"
               business_owner="Owner Adams" business_unit="ECS"
               first_build_submitted_date="2020-10-22 20:20:16 UTC" flaws_not_mitigated="1"
               generation_date="2020-11-03 20:48:57 UTC" grace_period_expired="false"
               is_latest_build="false" last_update_time="2020-10-30 16:46:56 UTC"
               legacy_scan_engine="false" life_cycle_stage="Not Specified"
               planned_deployment_date="" platform="Not Specified"
               policy_compliance_status="Did Not Pass" policy_name="Cool Policy"
               policy_rules_status="Did Not Pass" policy_version="6" report_format_version="1.3"
               sandbox_id="2222" sandbox_name="My first sandbox" scan_overdue="false"
               static_analysis_unit_id="1" submitter="PRD CM101 Automated Jenkins"
               tags="Cloud" teams="Cool Team" total_flaws="1" veracode_level="VL3 + SCA"
               version="SCAN_1.0.0-27"
               xsi:schemaLocation="https://www.veracode.com/schema/reports/export/1.0 https://analysiscenter.veracode.com/resource/summaryreport.xsd">
  <static-analysis analysis_size_bytes="8738" engine_version="20201014235120"
                   next_scan_due="2021-10-30 16:46:55 UTC" published_date="2020-10-30 16:46:55 UTC"
                   rating="A" score="99" submitted_date="2020-10-30 16:44:45 UTC" version="SCAN_1.0.0-27">
    <modules>
      <module architecture="Python" compiler="Python" loc="826" name="Python.zip"
              numflawssev0="0" numflawssev1="0" numflawssev2="0" numflawssev3="1"
              numflawssev4="0" numflawssev5="0" os="" score="99"/>
    </modules>
  </static-analysis>
  <severity level="5"/>
  <severity level="4"/>
  <severity level="3">
    <category categoryname="Cross-Site Scripting (XSS)" count="1" severity="Medium"/>
  </severity>
  <severity level="2"/>
  <severity level="1"/>
  <severity level="0"/>
  <flaw-status cannot-reproduce="0" fixed="0" new="0" not_mitigated="1" open="1" reopen="0"
               sev-1-change="0" sev-2-change="0" sev-3-change="0" sev-4-change="0" sev-5-change="0" total="1"/>
  <customfields>
    <customfield name="Sup" value="Cloud"/>
  </customfields>
  <software_composition_analysis blacklisted_components="0" components_violated_policy="0"
                                 third_party_components="0" violate_policy="false">
    <vulnerable_components/>
  </software_composition_analysis>
</summaryreport>