Prerequisites
Vulcan's Veracode SAST connector uses Veracode's XML API to pull scan data.
Permission required: Reviewer with the Results API role
To grant access to the Veracode XML APIs, administrators assign the necessary API roles to non-human (API service) user accounts. To see the roles assigned to your account, click Your Account --> Assign Roles.
Note: Vulcan's Veracode SAST connector only pulls data that the API user has access to. If an application is not visible to that account in Veracode, it will not appear in Vulcan.
Configuring Veracode SAST
In the Connectors page, click Add a Connector.
Click the Veracode SAST connector.
Fill in the relevant fields:
API Key - the key used to identify the connector to the Veracode API.
Secret Key - the key used to authenticate the connector to the Veracode API.
NOTE: You can get the required credentials from the API Credentials section of your Veracode account. Treat the Secret Key like a password: it is shown only once and cannot be retrieved later, only regenerated.
Click Create.
You can follow the connector's progress in the Log tab.
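Before pasting a credential pair into the connector, it is worth confirming that it authenticates and that it actually sees the applications you expect, since the connector will import nothing more than that account can read. The script below is an added example and is not part of the Vulcan connector or of Veracode's documentation. It signs a request with Veracode's published HMAC-SHA-256 scheme using only the Python standard library and calls the XML API endpoint getapplist.do, which returns the applications visible to the credential. It assumes that the connector's "API Key" field takes the Veracode API ID and "Secret Key" the Veracode API secret key (both hex strings from the API Credentials page), and that the account lives in the US commercial region (adjust the host otherwise).

```python
"""Pre-flight check for Veracode API credentials before entering them in Vulcan.

Added example, not Vulcan's or Veracode's own code. Signs a request with the
published VERACODE-HMAC-SHA-256 scheme and lists the applications the
credential can read via getapplist.do.
"""
import hashlib
import hmac
import os
import sys
import time
import urllib.request
import xml.etree.ElementTree as ET

API_HOST = "analysiscenter.veracode.com"   # assumption: US commercial region
AUTH_SCHEME = "VERACODE-HMAC-SHA-256"
REQUEST_VERSION = b"vcode_request_version_1"


def veracode_signature(api_secret_hex, signing_data, timestamp_ms, nonce_hex):
    """Four chained HMAC-SHA-256 steps: secret -> nonce -> timestamp -> version -> request."""
    key_nonce = hmac.new(bytes.fromhex(api_secret_hex), bytes.fromhex(nonce_hex), hashlib.sha256).digest()
    key_date = hmac.new(key_nonce, str(timestamp_ms).encode(), hashlib.sha256).digest()
    signature_key = hmac.new(key_date, REQUEST_VERSION, hashlib.sha256).digest()
    return hmac.new(signature_key, signing_data.encode(), hashlib.sha256).hexdigest()


def build_auth_header(api_id, api_secret_hex, host, url_path, method,
                      timestamp_ms=None, nonce_hex=None):
    """Build the Authorization header value.

    timestamp_ms and nonce_hex are injectable so a test can reproduce the output;
    leave them None in real use so every request gets a fresh random nonce.
    """
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    if nonce_hex is None:
        nonce_hex = os.urandom(16).hex()
    signing_data = f"id={api_id}&host={host}&url={url_path}&method={method}"
    sig = veracode_signature(api_secret_hex, signing_data, timestamp_ms, nonce_hex)
    return f"{AUTH_SCHEME} id={api_id},ts={timestamp_ms},nonce={nonce_hex},sig={sig}"


def parse_app_names(applist_xml):
    """Extract app_name attributes from a getapplist.do response, ignoring the XML namespace."""
    root = ET.fromstring(applist_xml)
    return [el.get("app_name") for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "app"]


def list_visible_apps(api_id, api_secret_hex, host=API_HOST):
    """Call getapplist.do and return the application names the credential can see.

    HTTP 401 means the ID/secret pair is rejected. An error body or an empty list
    with HTTP 200 usually means the account lacks the Results API role or has no
    applications assigned to it; in both cases the connector would import nothing.
    """
    path = "/api/5.0/getapplist.do"
    req = urllib.request.Request(f"https://{host}{path}", method="GET")
    req.add_header("Authorization", build_auth_header(api_id, api_secret_hex, host, path, "GET"))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_app_names(resp.read())


if __name__ == "__main__":
    # Usage: python veracode_check.py <API_ID> <API_SECRET_KEY>
    apps = list_visible_apps(sys.argv[1], sys.argv[2])
    print(f"{len(apps)} application(s) visible to this credential:")
    for name in apps:
        print(" -", name)
```

If the printed list is shorter than the set of applications you want in Vulcan, fix the team or application assignments of the API service account in Veracode first; no connector setting can widen what the account itself is allowed to read.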
Viewing data from Veracode SAST in Vulcan
Vulcan provides the option to remediate vulnerabilities from 2 different angles:
Assets
Vulnerabilities
Assets
The data from Veracode SAST is displayed under Code Projects. This tab gathers all data that came from SAST and SCA tools. To filter only Veracode data, simply use the Search Bar.
The Project column displays the Application Names that were scanned by Veracode SAST.
The Last Report column indicates the time of the last scan in Veracode.
The Top Risk column indicates the highest risk value among all risks that exist in a project.
The Vulnerabilities column indicates the number of unique associated flaws.
The Tags column carries the following values from Veracode: 'tags', 'veracode_level', 'teams' and 'business_criticality'.
Clicking a project opens its Asset Card, where you can view the project's data, including all related vulnerabilities, the affected code, project details and correlated data from other sources.
The Codebase tab indicates the exact location of the vulnerabilities in the code.
Vulnerabilities
You can view all data from Veracode SAST in Vulnerabilities. To filter only Veracode data, simply use the Search Bar.
You can start the remediation process by clicking a vulnerability and viewing all the details fetched from your Veracode account.
All the data from Veracode, including the descriptions, the offered solutions, available fixes and more, is in Vulcan.
Click Take Action if you wish to open a ticket and assign it to a specific team, or to share your findings via Slack channels or email.
How Vulcan ingests Veracode severity into the Vulcan Risk Score
In Vulcan, a vulnerability instance's risk score is a calculation of 3 factors:
Technical severity – CVSS or other scores as provided by the scanning vendor.
Threats – Exploits, malware, OWASP Top 10 and other threat intelligence in the wild.
Tags – The impact (High, medium, low) of tags on the vulnerable assets. This determines how impactful a breach of the vulnerability will be to your business.
Vulcan maps Veracode severity levels to Vulcan Technical Severity according to the following table, then adds the other 2 factors (Threats, Tags) to produce the final Risk Score of 0-100.
How Veracode status is mapped to Vulcan status
In Veracode each vulnerability (flaw) has a status, and the same applies to vulnerabilities in Vulcan. The status may change during the lifecycle of the vulnerability; in some cases the user can modify the status by taking an action, and some actions require approval.
Veracode actions are logged for each vulnerability in the Vulcan activity log.
This is the mapping of Veracode status to Vulcan status:
| Veracode status | Vulcan status |
| --- | --- |
| New, Open, Reopened | Vulnerable |
| Potential False Positive | Ignored - False Positive |
| Mitigated | Ignored - risk acknowledged |
| Fixed | Fixed |
See Veracode's documentation for more details about Veracode flaw status.
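The mapping above is small, but the practical question when checking an import is what happens to a flaw whose Veracode status has no row in the table. The script below is an added example, not Vulcan's own code: it walks a report in the shape of a Veracode detailedreport.do response (flaw elements carrying remediation_status and severity attributes, which is the XML API data the connector pulls), applies the table, and reports any status the table does not cover instead of silently treating it as Vulnerable. The XML is constructed for the example; the attribute names follow the detailed report schema, and "Cannot Reproduce" is included as a constructed case of a status the table does not mention.

```python
"""Apply the Veracode -> Vulcan status table to flaws from a detailed report.

Added example, not part of the Vulcan connector. The report below is
constructed to follow the shape of a Veracode detailedreport.do response.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# The table from the documentation above.
STATUS_MAP = {
    "New": "Vulnerable",
    "Open": "Vulnerable",
    "Reopened": "Vulnerable",
    "Potential False Positive": "Ignored - False Positive",
    "Mitigated": "Ignored - risk acknowledged",
    "Fixed": "Fixed",
}

# Constructed sample; issue 5 carries a status the table does not cover.
SAMPLE_REPORT = """
<detailedreport xmlns="https://www.veracode.com/schema/reports/export/1.0"
                app_name="payments-api" policy_compliance_status="Did Not Pass">
  <severity level="5">
    <category categoryname="SQL Injection" severity="Very High">
      <cwe cweid="89" cwename="Improper Neutralization of Special Elements used in an SQL Command">
        <staticflaws>
          <flaw issueid="1" remediation_status="New" severity="5" sourcefile="OrderDao.java" line="88" mitigation_status="none"/>
          <flaw issueid="2" remediation_status="Fixed" severity="5" sourcefile="OrderDao.java" line="120" mitigation_status="none"/>
        </staticflaws>
      </cwe>
    </category>
  </severity>
  <severity level="3">
    <category categoryname="Cross-Site Scripting (XSS)" severity="Medium">
      <cwe cweid="80" cwename="Improper Neutralization of Script-Related HTML Tags in a Web Page">
        <staticflaws>
          <flaw issueid="3" remediation_status="Potential False Positive" severity="3" sourcefile="Render.java" line="41" mitigation_status="proposed"/>
          <flaw issueid="4" remediation_status="Mitigated" severity="3" sourcefile="Render.java" line="57" mitigation_status="accepted"/>
          <flaw issueid="5" remediation_status="Cannot Reproduce" severity="3" sourcefile="Render.java" line="63" mitigation_status="none"/>
        </staticflaws>
      </cwe>
    </category>
  </severity>
</detailedreport>
"""


def _local(tag):
    """Strip the XML namespace so tags compare as plain names."""
    return tag.rsplit("}", 1)[-1]


def map_flaws(report_xml):
    """Return one row per flaw with its Veracode status and the mapped Vulcan status.

    vulcan_status is None when the table has no row for the Veracode status, so the
    caller sees the gap instead of a default.
    """
    root = ET.fromstring(report_xml)
    rows = []
    for flaw in root.iter():
        if _local(flaw.tag) != "flaw":
            continue
        vc_status = (flaw.get("remediation_status") or "").strip()
        rows.append({
            "issueid": flaw.get("issueid"),
            "severity": flaw.get("severity"),
            "location": f'{flaw.get("sourcefile")}:{flaw.get("line")}',
            "veracode_status": vc_status,
            "vulcan_status": STATUS_MAP.get(vc_status),
        })
    return rows


def summarize(rows):
    """Count flaws per Vulcan status and collect issue IDs whose status is unmapped."""
    counts = Counter()
    unmapped = defaultdict(list)
    for row in rows:
        if row["vulcan_status"] is None:
            unmapped[row["veracode_status"]].append(row["issueid"])
        else:
            counts[row["vulcan_status"]] += 1
    return dict(counts), dict(unmapped)


if __name__ == "__main__":
    counts, unmapped = summarize(map_flaws(SAMPLE_REPORT))
    for status, n in sorted(counts.items()):
        print(f"{status}: {n}")
    for status, ids in unmapped.items():
        print(f"unmapped Veracode status {status!r} on issues {ids}")
```

Running it against the constructed report yields one flaw in each of the four Vulcan statuses and flags issue 5 ("Cannot Reproduce") as unmapped; when reconciling Vulcan against Veracode, those are the flaws to look at first, because they will not appear under any of the statuses in the table.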