In this article you will find:

  • Pre-requisites
  • Configure Veracode SAST connector
  • How to view data from Veracode SAST
  • How Veracode severity is mapped to Vulcan Risk Score
  • How Veracode status is mapped to Vulcan status

1. Pre-requisites

Vulcan's Veracode SAST connector uses Veracode's XML API to pull scan's data.
Permission required: Reviewer with Results API Role
To grant access to the Veracode XML APIs, administrators assign the necessary API roles to users with non-human accounts. To see the roles assigned to your account, click Your Account --> Assign Roles.

Note: Vulcan's Veracode SAST Connector will only pull data the user has access to.

2. Configuring Veracode SAST

In the Connectors page, click on Add a Connector

Click on Veracode SAST connector

Fill in the relevant fields:
API Key - Key to communicate with Veracode API.
Secret Key - Key to authenticate with Veracode API.

NOTE: You can get the required credentials by navigating to API credentials section in your Veracode account

Click on Create

You can see the connector's progress in the Log tab

3. Viewing data from Veracode SAST in Vulcan

Vulcan provides the option to remediate vulnerabilities from 2 different angels:

  • Assets
  • Vulnerabilities

Asset
The data from Veracode SAST will be displayed under Code Projects  - This tab gathers all data came from SAST and SCA tools. To filter only Veracode data, simply use the Search Bar

The Project column will display the Application Names that were scanned by Veracode SAST

Last Report column will indicate the last scanned time in Veracode.
Top Risk column will indicate  the highest risk-value from all risks that exists in a project.
Vulnerabilities column will indicate the number of unique associated flaws. For example: 

Tags column will indicate the following values from Veracode:  'tags',' veracode_level', 'teams' and 'business_criticality'.

Clicking on each project will open its Asset Card where you can view in project's data, including - All related vulnerabilities, affected code and details of projects and correlated data from other sources.

Codebase tab will indicate the exact location of the vulnerabilities:


Vulnerabilities 

You can view all data from Veracode SAST in Vulnerabilities.  In order to filter only Veracode data, simply use the Search Bar.

You can start the remediation process by clicking on a vulnerability and view all details fetched from your Veracode account.
All the data from Veracode including the descriptions, the offered solutions, available fixes and more are in Vulcan.

Click on Take Action if you wish to open a ticket and assign it to a specific team or share your findings via Slack channels or emails.

4. How Vulcan ingested Veracode severity into Vulcan Risk Score

In Vulcan, a vulnerability instance's risk score is a calculation of 3 factors:

  • Technical severity – CVSS or other scores as provided by the scanning vendor.
  • Threats – Exploits, malware, OWASP Top 10 and other threat intelligence in the wild.
  • Tags – The impact (High, medium, low) of tags on the vulnerable assets. This determines how impactful a breach of the vulnerability will be to your business.

Vulcan ingested Vercode severity levels into Vulcan Teachnica Severity by the following metric, and adding the other 2 factors (Threads, Tags) to the final Risk Score of 0-100.

5. How Veracode status is mapped to Vulcan status

In veracode each Vulnerability(Flaw) has a status, this also applies to vulnerabilities in Vulcan. The status may change during the lifecycle of the vulnerability in some cases the user can modify the status by taking action, some actions require approval.

Veracode actions are logged for each vulnerability in the vulcan activity log.

this is a mapping of the veracode status to vulcan status:

Veracode status

Vulcan status

New, Open, Reopened

Vulnerable

Potential False Positive

Ignored - False Positive

Mitigated

Ignored - risk acknowledged

Fixed

Fixed

see link for more details about Veracode status

Did this answer your question?