Skip to main content
Veracode Connector
Updated over 2 months ago

Am I reading the correct user guide?

Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.

Click on 'How to connect' on the Connector's setup page to open the right guide for your setup and version, ensuring accuracy and relevance.


Overview

About Veracode

Veracode Web Application Scanning combines a DAST assessment tool with static analysis and other technologies to find, secure, and monitor websites and applications more effectively. Veracode’s assessment tool helps to find hidden security issues often missed by other products, such as looking in directories, debug code, leftover source code, and resource files to find information that hackers could exploit to gain access to the application. From hidden usernames and passwords to ODBC connectors and SQL strings, Veracode identifies potential vulnerabilities to enable faster fixes.

Why integrate Veracode into the Vulcan platform?

The Veracode Connector by Vulcan integrates with the Veracode platform to pull and ingest SAST and DAST findings (configurable) and their vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Veracode Connector Details

Supported products

Veracode SAST

Veracode DAST

Support note: DAST Essentials is not supported

Category

Application Security - DAST

Ingested asset type(s)

Code Projects

Note: SAST and DAST findings are ingested as Code Projects

Integration type

UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction)

Supported version and type

SaaS (latest)


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

Creating an API User Account in Veracode

  1. Click on the gear icon and select Admin.

  2. Go to the Users tab and click Add New User.

  3. Enter user details:

    • Provide a descriptive first and last name.

    • Check the Non-Human User box.

    Note: You cannot convert an existing user account to an API service account. A new user account must be created with the Non-Human User checkbox selected.

  4. Enter a valid email address for the API service account. Veracode will use this address to send notifications regarding error messages, password expirations, and other automated messages.

  5. In the User Roles section, select the APIs that the API service account should access.

  6. For the "Restrict Loigin IP" option, select No.

  7. Click Save to create and enable the user account.

    • The user will receive an activation email.

    Note: Before accessing the APIs, users must activate their account, generate API credentials, and enable HMAC authentication.

Configuring the Veracode Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Veracode icon.

  4. Set up the Connector as follows:

    • Enter the Region, API Key ID, and API Secret you generated earlier.

  5. Select Findings to Fetch: You’ll now see options to fetch SAST ("Fetch SAST Findings"), DAST (Fetch dynamic analysis findings"), or both types of findings.

    Note: All fetched findings, whether SAST or DAST, will be mapped as Code Projects. You can find them listed under this asset type in the Vulcan platform once synchronization is complete.

  6. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Veracode instance, then click Create (or Save Changes).

  7. The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.

  8. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  9. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  10. To confirm the sync is complete, navigate to the Connectors page. Once the Veracode icon shows Connected, the sync is complete.


Veracode in the Vulcan Platform

Viewing Veracode vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector:

  1. Go to the Vulnerabilities page.

  2. Click on Filter and set the condition to Vulnerability > Connector is Veracode.

To filter results by Veradoce SAST findings (vulnerabilities):

  1. Go to the Vulnerabilities (findings) page.

  2. Click on Filter and set the condition to Veracode > Instance > Scan type is SAST.

To filter results by Veradoce DAST findings (vulnerabilities):

  1. Go to the Vulnerabilities (findings) page.

  2. Click on Filter and set the condition to Veracode > > Instance > Scan type is DAST.

To filter results by Veradoce SAST and DAST findings (vulnerabilities):

  1. Go to the Vulnerabilities (findings) page.

  2. Click on Filter and set the condition to:
    Veracode > Instance > Scan type is DAST;

    add an 'or' condition;
    Veracode > Instance > Scan type is SAST;

Viewing Veracode assets in the Vulcan Platform

Viewing assets by Connector for users with the new platform view (Asset Hub):

  1. Go to the Assets page.

  2. Click on "Filter " and specify the condition as "Assets > Connector is Veracode".

Viewing assets by Connector for users with the older platform view:

  1. Go to the Assets page.

  2. Choose the relevant asset type tab.

  3. Click on "Filter" and specify the condition as "Assets > Connector is Veracode"

You can add more filters to narrow down your search further.
See the complete list of available asset filters.

Click on any asset for more asset details.

Note: Currently, there is no option to filter Veracode assets by Scan Type (SAST vs. DAST). This option is available only on the Vulnerabilities page.

Taking Action on vulnerabilities and assets detected by Veracode

To take remediation action on vulnerabilities and assets detected by Veracode:

  1. Go to the Vulnerabilities pr Assets Page.

  2. Use the Filter to filter vulnerabilities by the Veracode connector and display all synced vulnerabilities/assets along with their associated assets/vulnerabilities.

  3. Select the relevant vulnerabilities/assets from the results list.

  4. Click on Take Action to proceed with remediation or further actions.

Automating remediation actions on vulnerabilities detected by Veracode

Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.


From Veracode to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Veracode through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.

Code project fields mapping

All fetched findings, whether SAST or DAST, are mapped as Code Projects.

Veracode UI field

Veracode API field

Vulcan field

-

guid

Asset Uniqueness criteria

Application name

profile.name

Code Project Name (name)

-

-

Code Project Language (language)

first scan date

created

Code Project First Seen (first_seen)

last scan date

last_completed_scan_date

Code Project Last report (last_seen)

Dynamic analysis name
URL
business criticality
current policy compliance
block code
IT Director
IT SLT Member

Business criticality, Current policy compliance, Block code, IT Director, IT SLT Member - custom_fields

Dynamic analysis name - :question_mark:

URL - as codebase

Code Project details(added_data)

Tags

profile.tags

Code Project Tags - Vendor’s tags (tags)

IT Director
IT SLT Member

custom_fields

Code Project Tags - Additional (tags)

URL (unique urls)

-

Asset codebase - Source (SAST) (sast_file_name)

-

issue_id

Vulnerability instance uniqueness criteria

first detection date

finding_status.first_found_date

Vulnerability instance First seen (first_seen)

last detection date

finding_status.last_seen_date

Vulnerability instance Last seen (last_seen)

Flaw ID
URL
vulnerable parameter
injected value
original value
method
FIx by
Review Notes
Path
Type (sca/ sast/ dast)

if scan_type is DYNAMIC:

Flaw ID - finding_category.id
URL - url
vulnerable parameter - vulnerable_parameter
injected value - :question_mark:
original value - :question_mark:
method - :question_mark:
FIx by - :question_mark:
Review Notes - :question_mark:
Path - path
Type (sca/ sast/ dast) - scan_type

For each :question_mark: we need to make api call for every finding.

Vulnerability instance details(added_data)

-

finding_details.finding_category.name

Unique Vulnerability uniqueness criteria

flaw name

finding_details.finding_category.name

Vulnerability title (title)


Severity

finding_details.severity

Vulnerability score (cvss_score)

Description (inner)

description

Vulnerability description (description)

Effort to fix
Flaw category name
Flaw category description

-

Vulnerability details(added_data)

cve

-

CVE/S (report_item_cve)

cwe

finding_details.cwe.id

CWE (cwe)

-

finding_details.attack_vector

CVSS attack vector (cvss3_vector)

-

-

cloud_vv_id

Developer Field - not map to clients

Fix recommendations from Veracode

Veracode recommendation for {{ name }}

Fix - Title (title)

Recommendations

recommendation

Fix - Description(description)

additional resources

description

Fix - References (reference + reference_link)

Vulnerability status mapping

Veracode Status

Vulcan Status

Open

Vulnerable

Closed

Fixed

False positive

Ignored - false positive

Accept Risk, Wont fix

Ignored risk acknowledged

Vulnerability score mapping

Veracode SAST score

Vulcan score

Critical

10

High

7

Medium

5

Low

3

-

0

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any are added).

The table below lists how the status update mechanism works in the Veracode connector for the vulnerabilities and assets in the Vulcan Platform.

Update type in Vulcan

Mechanism (When?)

The asset is archived

- Asset not found on the Connector's last sync

- Asset not seen for X days according to "Last Seen"

The vulnerability instance status changes to "Fixed"

- If the vulnerability no longer appears in the scan findings.

- Vulnerability status on the Connector's side changes to "CLOSED"

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

API Endpoints in Use

API version: v1 , v2

API

Use in Vulcan

{{base_url}}/appsec/v1/applications

Assets

{{base_url}}/appsec/v2/applications/{{application_guid}}/findings?scan_type=STATIC,DYNAMIC

Findings, Unique Vulnerabilities

{{base_url}}/appsec/v1/categories

Solution


Data Validation

This section shows how to validate and compare Vulcan and the Veracode platform data.

Matching Assets

View Assets in Veracode

In Veracode, each application is treated as an individual asset.

To view the total number of applications (assets):

Navigate to the Applications screen in the Veracode platform.

The number of applications will be displayed in a highlighted square, similar to the screenshot below.

View Assets in Vulcan

  1. In Vulcan, navigate to the Assets tab.

  2. Apply a filter to only display the assets sourced from Veracode:

    • Click on Filter, select Asset > Connector, and choose Veracode from the dropdown.

  3. Click Apply to see the filtered results.

  4. The number of assets synced from Veracode will now be displayed. You should see the number of assets in Vulcan as shown below.

Possible Discrepancies

If the number of assets does not align, this could be due to duplicate or archived assets in Vulcan that are no longer active in Veracode.

Matching Vulnerabilities

Vulnerability categories in Veracode

  • Veracode presents vulnerabilities grouped into 32 different categories.

  • If a category has a finding, it is presented as a vulnerability in Vulcan.

View Vulnerabilities in Vulcan

  1. In Vulcan, navigate to the Vulnerabilities tab.

  2. Apply a filter to view vulnerabilities from the Veracode connector:

    Go to Filter > Vulnerabilities > Source and choose Veracode.

  3. Ensure that the number of unique vulnerabilities corresponds to the categories shown in Veracode.

Possible Discrepancies

If the counts do not align, it could be due to certain vulnerabilities not being tied to any asset or differences in categorization between the platforms.

Matching Findings (Vulnerability Instances)

In Veracode:

  1. Go to the Applications page in Veracode.

  2. You will see a list of all applications.

  3. Click on any application from the list.

  4. Once inside the application’s details, select View Results/Report.

  5. Navigate to the Executive Summary tab to view the summary of the findings.

  6. In the Total column, you will find the total number of findings for the selected application. For example, in this case, the number of findings is 12:

In Vulcan:

  1. In Vulcan, go to the Findings tab.

  2. Apply the following filter to view findings from Veracode:
    Filter > Vulnerabilities > Source > Veracode

  3. After applying the filter, the total number of findings will be visible in the top left, within the red square.

Did this answer your question?