ShiftLeft Connector

Learn how to configure the ShiftLeft connector


About

ShiftLeft shifts application security testing left so that fixes are made earlier in the development cycle. Fix quickly by using an AppSec tool built on the DevOps principles of quick feedback, automation, and developer collaboration.


Prerequisites

To configure the connector, you need to:

  • Make sure you are using an "Admin" user role on ShiftLeft

  • Obtain the Organizational ID and Access Token from ShiftLeft

  1. Go to your ShiftLeft platform.

  2. Make sure you are in the right organization using an Admin-level user

  3. Go to Account Settings and copy the Org ID and Access Token to your clipboard.


Configure ShiftLeft SCA/SAST connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the relevant ShiftLeft scanner icon.

  4. Enter the Org ID and Access Token as retrieved above.

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your ShiftLeft instance, then click Create (or Save Changes).

  6. Allow some time for the sync to complete. You can review the sync status under Log.

  7. To confirm that the sync is complete, navigate to the Connectors tab to check the sync status. Once the ShiftLeft icon shows Connected, the connection is complete.


From ShiftLeft to the Vulcan Platform - Fields Mapping

Connector Fields Mapping - ShiftLeft SAST

| ShiftLeft field / component | Vulcan field | Value Example |
| --- | --- | --- |
| Application name | Asset name | - |
| Code Project | Asset type | - |
| Call stack | Asset codebase - source | org.owasp.benchmark.testcode |
| Call stack line number | Asset codebase - location | org/owasp/benchmark/testcode/BenchmarkTest02553.java |
| Asset data | Asset details | "Lab for the development of Dependababot and Code Scanning connectors" |
| Tags | Asset tags | |
| Vulnerability title in ShiftLeft | Vulnerability title | "Hard coded credentials" |
| Vulnerability description in ShiftLeft | Vulnerability description | |
| Vulnerability score in ShiftLeft | Vulnerability score | "Critical" |
| Vulnerability details in ShiftLeft | Vulnerability details | |
| Taken from: “ShiftLeft Recommendations for {vulnerability title}” | Fix - Title | |
| Countermeasures | Fix - Description | This vulnerability can be prevented by using parameterized queries or input sanitization/validation techniques (e.g., whitelisting). |
| Additional information | Fix - References | CWE-90, OWASP-A1 |

Connector Fields Mapping - ShiftLeft SCA

| ShiftLeft field / component | Vulcan field | Value Example |
| --- | --- | --- |
| Application name | Asset name | Benchmark |
| Code Project | Asset type | - |
| Asset library name in ShiftLeft | Asset libraries - Name | Xerces |
| Asset libraries version in ShiftLeft | Asset libraries - Version | 2.12.0 |
| Asset details in ShiftLeft | Asset details | |
| Vulnerability title in ShiftLeft | Vulnerability title | pkg:maven/xerces/xercesImpl@2.12.0 |
| Vulnerability score in ShiftLeft | Vulnerability score | Moderate |
| Description of a vulnerability in ShiftLeft | Vulnerability description | There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. |
| Vulnerability data | Vulnerability details | |
| Taken from: “ShiftLeft Recommendations for {vulnerability title}” | Fix - Title | ShiftLeft Recommendations for pkg:maven/xerces/xercesImpl@2.12.0 |
| Suggested Mitigation | Fix - Description | |

Vulnerability Status Mapping - ShiftLeft SAST/SCA

| ShiftLeft SAST/SCA Status | Vulcan Status |
| --- | --- |
| None | Vulnerable |
| Fixed | Fixed |
| N/A | Ignored - false positive |
| Ignored | Ignored - risk acknowledged |

Vulnerability Score Mapping - ShiftLeft SAST/SCA

| ShiftLeft SAST/SCA Score | Vulcan Score | Notes |
| --- | --- | --- |
| Critical | 10 | |
| | 7 | N/A on ShiftLeft |
| Moderate | 5 | |
| | 3 | N/A on ShiftLeft |
| Info | 0 | Vulnerabilities with score "info" aren't fetched into the Vulcan Platform |


Locate ShiftLeft vulnerabilities in the Vulcan Platform

As ShiftLeft discovers vulnerabilities, the Vulcan Platform connector imports those vulnerabilities for reporting and action. With a large number of assets and potential vulnerabilities, discovering specific vulnerabilities via source is made easy with filters.

  1. Go to Vulnerabilities.

  2. Click on the "Search or filter vulnerabilities" search box.

  3. Scroll and select the Vulnerability Source option.

  4. Locate ShiftLeft on the vulnerability source list and click to filter results.

  5. Click on any vulnerability/CVE to view further information and potentially take action by clicking the Take Action drop-down.


Locate ShiftLeft Code Projects assets in the Vulcan Platform

  1. Go to Assets > Code Projects tab.

  2. Click on the Search or filter codeProjects input box and select Connector from the drop-down selection.

  3. Scroll to select the ShiftLeft option and view the results.


Automating ShiftLeft vulnerability remediation actions in the Vulcan Platform

Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the ShiftLeft connector.
