Integrate with Veracode

ModelOp Center seamlessly integrates with existing code scanning and security systems, such as Veracode, to allow enterprises to leverage existing IT investments.

Table of Contents

 

Introduction

ModelOp Center provides the ability to integrate with Veracode to enable automated code scanning of registered models within ModelOp Center

Veracode Integration Setup

Prerequisites

This guide assumes the following prerequisites:

  • Spring property mlc.veracode-task-monitor.username set with Veracode username

  • Spring property mlc.veracode-task-monitor.password set with Veracode password

  • Veracode process configured to be triggered from a Jenkins Job

Security

The Veracode SDK is used to authenticate and communicate with Veracode. The Veracode credentials can be configured via Spring properties through direct property configuration, kubernetes secrets, or using Vault.

Task variables

  • APP_ID - Veracode app id

  • SANDBOX_ID - Veracode sandbox id (one of SANDBOX_ID or SANDBOX_NAME is required; SANDBOX_ID has priority)

  • SANDBOX_NAME - Veracode sandbox name (one of SANDBOX_ID or SANDBOX_NAME is required; SANDBOX_ID has priority)

  • VERACODE_BUILD_ID_FROM_JENKINS - the build id of the Jenkins process that initiated the Veracode build

Optional Spring properties

  • http.proxyHost is for a proxy host and defaults to null

  • http.proxyPort is for a proxy port and defaults to null

  • mlc.veracode-task-monitor.poll-rate specifies how often (in milliseconds) to check for Veracode tasks. The default is 5000 milliseconds

Veracode Task

At a high level, Veracode integration begins shortly after the Veracode process is running. The integration will poll until a summary report is found or a timeout occurs. To get a summary report the Veracode task:

  1. Retrieves a list of sandboxes for the APP_ID

  2. Finds the sandbox matching the SANDBOX_ID or SANDBOX_NAME

  3. Finds a list of builds matching the sandbox

  4. Finds the Veracode build matching the VERACODE_BUILD_ID_FROM_JENKINS

  5. Retrieves the summary report using the id from the matching Veracode build

  6. Saves the summary report to the SUMMARY_REPORT output parameter if a non-null policy compliance status is found

 

Example MLC Integration with Veracode

The Veracode MLC integration occurs after the initial Jenkins job has completed and the Veracode job has been invoked. The task will wait until a summary report is found or a timeout occurs.

For example:

 

Sample responses

This is a sample response for getting a list of sandboxes

<?xml version="1.0" encoding="UTF-8" standalone="no"?> <sandboxlist xmlns="https://analysiscenter.veracode.com/schema/4.0/sandboxlist" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="11111" app_id="999999" sandboxlist_version="1.0" xsi:schemaLocation="https://analysiscenter.veracode.com/schema/4.0/sandboxlist https://analysiscenter.veracode.com/resource/4.0/sandboxlist.xsd"> <sandbox auto_recreate="false" last_modified="2020-10-15T14:49:53-04:00" owner="Owner Adams" sandbox_id="1111" sandbox_name="My first sandbox"> <customfield name="Custom 1" value=""/> <customfield name="Custom 2" value=""/> <customfield name="Custom 3" value=""/> <customfield name="Custom 4" value=""/> <customfield name="Custom 5" value=""/> </sandbox> <sandbox auto_recreate="false" last_modified="2020-10-30T12:46:56-04:00" owner="Owner Brown" sandbox_id="2222" sandbox_name="Sandbox the second"> <customfield name="Custom 1" value=""/> <customfield name="Custom 2" value=""/> <customfield name="Custom 3" value=""/> <customfield name="Custom 4" value=""/> <customfield name="Custom 5" value=""/> </sandbox> </sandboxlist>

 

This is a sample response for getting a list of builds

<?xml version="1.0" encoding="UTF-8" standalone="no"?> <buildlist xmlns="https://analysiscenter.veracode.com/schema/2.0/buildlist" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="11111" app_id="999999" app_name="My Cool App" buildlist_version="1.3" sandbox_id="1111" xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/buildlist https://analysiscenter.veracode.com/resource/2.0/buildlist.xsd"> <build build_id="111" version="SCAN_1.0.0-21"/> <build build_id="222" version="SCAN_1.0.0-23"/> <build build_id="333" version="SCAN_1.0.0-25"/> </buildlist>

 

Finally, here is a sample summary report response

<?xml version="1.0" encoding="UTF-8" standalone="no"?> <summaryreport xmlns="https://www.veracode.com/schema/reports/export/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" account_id="11111" analysis_id="1" app_id="999999" app_name="My Cool App" assurance_level="3" build_id="9455570" business_criticality="3" business_owner="Owner Adams" business_unit="ECS" first_build_submitted_date="2020-10-22 20:20:16 UTC" flaws_not_mitigated="1" generation_date="2020-11-03 20:48:57 UTC" grace_period_expired="false" is_latest_build="false" last_update_time="2020-10-30 16:46:56 UTC" legacy_scan_engine="false" life_cycle_stage="Not Specified" planned_deployment_date="" platform="Not Specified" policy_compliance_status="Did Not Pass" policy_name="Cool Policy" policy_rules_status="Did Not Pass" policy_version="6" report_format_version="1.3" sandbox_id="2222" sandbox_name="My first sandbox" scan_overdue="false" static_analysis_unit_id="1" submitter="PRD CM101 Automated Jenkins" tags="Cloud" teams="Cool Team" total_flaws="1" veracode_level="VL3 + SCA" version="SCAN_1.0.0-27" xsi:schemaLocation="https://www.veracode.com/schema/reports/export/1.0 https://analysiscenter.veracode.com/resource/summaryreport.xsd"> <static-analysis analysis_size_bytes="8738" engine_version="20201014235120" next_scan_due="2021-10-30 16:46:55 UTC" published_date="2020-10-30 16:46:55 UTC" rating="A" score="99" submitted_date="2020-10-30 16:44:45 UTC" version="SCAN_1.0.0-27"> <modules> <module architecture="Python" compiler="Python" loc="826" name="Python.zip" numflawssev0="0" numflawssev1="0" numflawssev2="0" numflawssev3="1" numflawssev4="0" numflawssev5="0" os="" score="99"/> </modules> </static-analysis> <severity level="5"/> <severity level="4"/> <severity level="3"> <category categoryname="Cross-Site Scripting (XSS)" count="1" severity="Medium"/> </severity> <severity level="2"/> <severity level="1"/> <severity level="0"/> <flaw-status cannot-reproduce="0" fixed="0" new="0" not_mitigated="1" open="1" reopen="0" sev-1-change="0" sev-2-change="0" sev-3-change="0" sev-4-change="0" sev-5-change="0" total="1"/> <customfields> <customfield name="Sup" value="Cloud"/> </customfields> <software_composition_analysis blacklisted_components="0" components_violated_policy="0" third_party_components="0" violate_policy="false"> <vulnerable_components/> </software_composition_analysis> </summaryreport>

 

 

Related Articles

 

Â