Veracode - Automated Data Load

ZeroNorth Experts
,
1

While ZeroNorth provides an easy and convenient way to orchestrate Veracode scans of your code repositories and build artifacts, sometimes it is necessary or more practical to take the results from an existing Veracode scan and then load that into ZeroNorth, still benefiting from ZeroNorth’s dashboarding and analytics. This article describes the set-up and procedure for importing existing Veracode scan results into ZeroNorth.

Overview

The Veracode scan import process uses the Veracode API to extract the results directly from your Veracode account and then loads the results into your ZeroNorth account:

  1. Obtain the Application ID and the Build ID of the desired Veracode scan.
  2. Add a Veracode Scan Policy in ZeroNorth.
  3. Run the ZeroNorth Scan Policy to import the Veracode scan results directly from your Veracode account.

1. Veracode Application ID and Build ID

A scan in Veracode is identified by an Application ID and a Build ID. An Application represents, for example, your project’s nightly build artifact which you scan with Veracode. The Build ID represents a specific scan (e.g today’s scan vs. yesterday’s scan).

Method 1 - via the API

To obtain these two pieces of information, refer to the directions in the following article:

https://help.veracode.com/reader/LMv_dtSHyb7iIxAQznC~9w/vQaiUg6BaZ232dgDA7qleg

Using the instructions from the above article:

  1. Determine the Application ID - you do this just once. Below is an example using curl:

curl -u [api user]:[api user password] https://analysiscenter.veracode.com/api/5.0/getapplist.do

Look through the resulting list for the desired Application and write down the “app_id” value.
2. Determine the Build ID that represents the specific scans for the above Application ID. Below is an example using curl:

curl -u [api user]:[api user password] https://analysiscenter.veracode.com/api/5.0/getbuildlist.do -F "app_id=123456"

Look through the resulting list for the desired Build and write down the “build_id” value.

Alternatively, when you invoke Veracode via the API, the Build ID is provided in the output of the some of the important calls.

Method 2 - via the UI

If you have access to the Veracode UI ( veracode.com ) and can bring up your application’s profile, you can obtain the App ID and the Build ID from the URL:

image
image919×212 20.3 KB

In the above example, the app_id is 466190, and the build_id 3449496 represents the ID of the scan being viewed, which by default is the most recent scan.

2. Add a ZeroNorth Scan Policy

Start by adding a ZeroNorth Scan Policy in a standard manner, making sure of the following:

  • The Target must be of type “Artifact”.
  • The Veracode Scenario for the Scan Policy must have been activated with credentials that have access to the desired scan results.

Then, in the Veracode Application Parameters section of the Scan Policy definition:

image
image763×512 23.5 KB

  • Set Application Lookup Strategy to “Find existing application by ID”.
  • Enter the Application ID .
  • Build ID :
    • Enter a Build ID - this will cause ZeroNorth to import the results of that specific Veracode scan.
    • Leave this field blank - to pass it in as a run-time parameter (see below).

3. Run the ZeroNorth Scan Policy

There are a couple of recommended ways to run the Veracode Policy to import the scan results.

Policy Specifies both App ID and Build ID

If you specified both the App ID and the Build ID in your Policy, the Policy can be run from the UI:

  1. Go to znOPS > Policies .
  2. Locate the desired Policy in the Policies list.
  3. Click on to bring up the menu options.
  4. Select “Run Now”.

Specify the Build ID at Run Time

This option is useful for automating the Veracode scan imports. For example, if you scan your application with each nightly build, you can use the technique described below to specify the Build ID at the Policy run time:

  1. The Build ID is passed in as a run-time parameter.
  2. The procedure can be embedded into another process (e.g. your CI/CD pipeline).

To run the Scan Policy, use a curl (or similar) call like this:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: <API Key>' -d '{ "options": { "runOptions": { "buildId": "<Build ID>" } } }' 'https://api.zeronorth.io/v1/policies/<policy ID>/run'

where,

  • Replace <API Key> with your ZeroNorth API key (see this KB article ).
  • Replace <Build ID> with your Veracode scan Build ID.
  • Replace <policy ID> with the ID of the Scan Policy you created for this.

The import process should take under a minute.

2

Is it not possible to fetch the results from veracode and integrate directly into the pipeline by utilizing the security Step?.