About
ShiftLeft shifts application security testing left so that fixes are made earlier in the development cycle. Fix quickly by using an AppSec tool built on the DevOps principles of quick feedback, automation, and developer collaboration.
Prerequisites
To configure the connector, you need to:
Make sure you are using an "Admin" user role on ShiftLeft
Obtain the Organizational ID and Access Token from ShiftLeft
Go to your ShiftLeft platform
Make sure you are in the right organization using an Admin-level user
Go to Account Settings and copy the Org ID and Access Token to your clipboard.
Configure ShiftLeft SCA/SAST connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the relevant ShiftLeft scanner icon
Enter the Org ID and Access Token as retrieved above.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your ShiftLeft instance, then click Create (or Save Changes).
Allow some time for the sync to complete. You can review the sync status under Log.
To confirm that the sync is complete, navigate to the Connectors tab to check the sync status. Once the ShiftLeft icon shows Connected, the connection is complete.
From ShiftLeft to the Vulcan Platform - Fields Mapping
Connector Fields Mapping - ShiftLeft SAST
| ShiftLeft field / component | Vulcan field | Value Example |
| --- | --- | --- |
| Application name | Asset name | - |
| Code Project | Asset type | - |
| Call stack | Asset codebase - source | org.owasp.benchmark.testcode |
| Call stack line number | Asset codebase - location | org/owasp/benchmark/testcode/BenchmarkTest02553.java |
| Asset data | Asset details | "Lab for the development of Dependababot and Code Scanning connectors" |
| Tags | Asset tags | |
| Vulnerability title in ShiftLeft | Vulnerability title | "Hard coded credentials" |
| Vulnerability description in ShiftLeft | Vulnerability description | |
| Vulnerability score in ShiftLeft | Vulnerability score | "Critical" |
| Vulnerability details in ShiftLeft | Vulnerability details | |
| Taken from: “ShiftLeft Recommendations for {vulnerability title}” | Fix - Title | |
| Countermeasures | Fix - Description | This vulnerability can be prevented by using parameterized queries or input sanitization/validation techniques (e.g., whitelisting). |
| Additional information | Fix - References | CWE-90 OWASP-A1 |
Connector Fields Mapping - ShiftLeft SCA
| ShiftLeft field / component | Vulcan field | Value Example |
| --- | --- | --- |
| Application name | Asset name | Benchmark |
| Code Project | Asset type | - |
| Asset library name in ShiftLeft | Asset libraries - Name | Xerces |
| Asset libraries version in ShiftLeft | Asset libraries - Version | 2.12.0 |
| Asset details in ShiftLeft | Asset details | |
| Vulnerability title in ShiftLeft | Vulnerability title | pkg:maven/xerces/xercesImpl@2.12.0 |
| Vulnerability score in ShiftLeft | Vulnerability score | Moderate |
| Description of a vulnerability in ShiftLeft | Vulnerability description | There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and previous versions. |
| Vulnerability data | Vulnerability details | |
| Taken from: “ShiftLeft Recommendations for {vulnerability title}” | Fix - Title | ShiftLeft Recommendations for pkg:maven/xerces/xercesImpl@2.12.0 |
| Suggested Mitigation | Fix - Description | |
Vulnerability Status Mapping - ShiftLeft SAST/SCA
| ShiftLeft SAST/SCA Status | Vulcan Status |
| --- | --- |
| None | Vulnerable |
| Fixed | Fixed |
| N/A | Ignored - false positive |
| Ignored | Ignored - risk acknowledged |
Vulnerability Score Mapping - ShiftLeft SAST/SCA
| ShiftLeft SAST/SCA Score | Vulcan Score | Notes |
| --- | --- | --- |
| Critical | 10 | |
| | 7 | N/A on ShiftLeft |
| Moderate | 5 | |
| | 3 | N/A on ShiftLeft |
| Info | 0 | Vulnerabilities with score "Info" aren't fetched into the Vulcan Platform |
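As an added illustration of how the field, status and score tables above combine when a ShiftLeft SCA finding is normalized into Vulcan fields (this is example code, not the Vulcan connector's own implementation), the following Python applies the mappings to constructed findings, drops "Info" findings and rejects scores the table does not list. The input dict keys and the parsing of library name and version out of the package URL in the title are assumptions.

```python
import re

# Status and score tables transcribed from the mapping tables above.
STATUS_MAP = {None: "Vulnerable", "Fixed": "Fixed",
              "N/A": "Ignored - false positive",
              "Ignored": "Ignored - risk acknowledged"}
SCORE_MAP = {"Critical": 10, "Moderate": 5, "Info": 0}

# Package-URL shape seen in SCA titles, e.g. pkg:maven/xerces/xercesImpl@2.12.0
PURL_RE = re.compile(r"^pkg:[^/]+/(?:.+/)?(?P<name>[^/@]+)@(?P<version>[^?#]+)")


def map_sca_finding(finding):
    """Translate one ShiftLeft SCA finding (a dict with the keys used below;
    the input shape is an assumption) into the Vulcan fields of the tables.
    Returns None for "Info" findings, which the platform does not fetch, and
    raises on a score the mapping table does not list."""
    score = SCORE_MAP.get(finding.get("score"))
    if score is None:
        raise ValueError(f"unmapped ShiftLeft score: {finding.get('score')!r}")
    if score == 0:
        return None
    m = PURL_RE.match(finding["title"])  # library name/version from the purl
    return {
        "asset_name": finding["application"],
        "library_name": m.group("name") if m else None,
        "library_version": m.group("version") if m else None,
        "vulnerability_title": finding["title"],
        "vulnerability_score": score,
        "status": STATUS_MAP[finding.get("status")],
        "fix_title": f"ShiftLeft Recommendations for {finding['title']}",
    }


def import_findings(findings):
    """Map a batch and drop what the Vulcan Platform would not import."""
    return [m for m in map(map_sca_finding, findings) if m is not None]


# Constructed sample findings, not real ShiftLeft output.
SAMPLE_FINDINGS = [
    {"application": "Benchmark", "title": "pkg:maven/xerces/xercesImpl@2.12.0",
     "score": "Moderate", "status": None},
    {"application": "Benchmark", "title": "pkg:maven/example/lib@1.0.0",
     "score": "Info", "status": "Ignored"},
    {"application": "Benchmark", "title": "pkg:maven/org.example/demo@3.1.4",
     "score": "Critical", "status": "N/A"},
]
```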
Locate ShiftLeft vulnerabilities in the Vulcan Platform
As ShiftLeft discovers vulnerabilities, the Vulcan Platform connector imports them for reporting and action. With a large number of assets and potential vulnerabilities, filters make it easy to find the vulnerabilities reported by a specific source.
Go to Vulnerabilities.
Click on the "Search or filter vulnerabilities" search box.
Scroll and select the Vulnerability Source option.
Locate ShiftLeft on the vulnerability source list and click to filter results.
Click on any vulnerability/CVE to view further information and potentially take action by clicking the Take Action drop-down.
Locate ShiftLeft Code Projects assets in the Vulcan Platform
Go to Assets > Code Projects tab.
Click on the Search or filter codeProjects input box and select Connector from the drop-down selection.
Scroll to select the ShiftLeft option and view the results.
Automating ShiftLeft vulnerability remediation actions in the Vulcan Platform
Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the ShiftLeft connector.