Am I reading the correct user guide?
Am I reading the correct user guide?
Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.
Click on 'How to connect' on the Connector's setup page to open the right guide for your setup and version, ensuring accuracy and relevance.
Overview
About Veracode SAST
Veracode provides application developers with robust, cloud-based security analysis tools that can be integrated into the application development process. Our results are accurate and reliable and supported by the Veracode Community and our expert support team
Why integrate Veracode SAST into the Vulcan platform?
The Veracode SAST Connector by Vulcan integrates with the Veracode platform to pull and ingest Code Project assets and their vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
Veracode SAST Connector Details
Supported products | |
Category | Application Security - SAST |
Ingested asset type(s) | Code Projects |
Integration type | UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
A Veracode SAST API user account with the following permissions:
"Reviewer" with "Results API Role"
See https://docs.veracode.com/r/admin_api
API TOKEN/KEY and SECRET KEY
Creating an API User Account in Veracode SAST
Click on the gear icon and select Admin.
Go to the Users tab and click Add New User.
Enter user details:
Provide a descriptive first and last name.
Check the Non-Human User box.
Note: You cannot convert an existing user account to an API service account. A new user account must be created with the Non-Human User checkbox selected.
Enter a valid email address for the API service account. Veracode will use this address to send notifications regarding error messages, password expirations, and other automated messages.
In the User Roles section, select the APIs that the API service account should access.
For the "Restrict Loigin IP" option, select No.
Click Save to create and enable the user account.
The user will receive an activation email.
Note: Before accessing the APIs, users must activate their account, generate API credentials, and enable HMAC authentication.
Configuring the Veracode SAST Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Veracode SAST icon.
Set up the Connector as follows:
Enter the Region, API Key ID, and API Secret you generated earlier.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Veracode SAST instance, then click Create (or Save Changes).
The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Veracode SAST icon shows Connected, the sync is complete.
Veracode SAST in the Vulcan Platform
Viewing Veracode SAST vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector:
Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Connector is Veracode SAST.
You can add more filters to narrow down your search further.
See the complete list of available vulnerability filters.Click on a vulnerability for more vulnerability details.
Viewing Veracode SAST assets in the Vulcan Platform
Viewing assets by Connector for users with the new platform view (Asset Hub):
Go to the Assets page.
Click on "Filter " and specify the condition as "Assets > Connector is Veracode SAST".
Viewing assets by Connector for users with the older platform view:
Go to the Assets page.
Choose the relevant asset type tab.
Click on "Filter" and specify the condition as "Assets > Connector is Veracode SAST"
You can add more filters to narrow down your search further.
See the complete list of available asset filters.
Click on any asset for more asset details.
Taking Action on vulnerabilities and assets detected by Veracode SAST
To take remediation action on vulnerabilities and assets detected by Veracode SAST:
Go to the Vulnerabilities pr Assets Page.
Use the Filter to filter vulnerabilities by the Veracode SAST connector and display all synced vulnerabilities/assets along with their associated assets/vulnerabilities.
Select the relevant Vulnerabilities/assets out of the results list.
Click on Take Action to proceed with remediation or further actions.
Automating remediation actions on vulnerabilities detected by Veracode SAST
Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.
From Veracode SAST to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Veracode SAST through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
Code project fields mapping
Veracode SAST field | Vulcan field |
guid | Uniqueness criteria |
profile.name | Asset Name |
Code Projects | Asset type |
finding_details.module | Asset codebase - Source (SAST) |
file_path + file_line_number | Asset codebase - Location (SAST) |
Profile- profile App Profile Url Results Url Id Guid Scans | Asset details |
profile.tags | Asset Tags - Vendor’s tags |
Team Name Business Unit Business Criticality | Asset Tags - Additional |
finding_status.status [OPEN, CLOSE] | Asset’s Status |
last_completed_scan_date | Last report |
issue_id | Vulnerability instance uniqueness criteria |
finding_status.first_found_date | Vulnerability instance first seen |
finding_status.last_seen_date | Vulnerability instance Last seen |
finding_details.file_path | Vulnerability instance location path |
finding_details.finding_category.name | Unique Vulnerability uniqueness criteria |
finding_details.finding_category.name | Vulnerability title |
finding_details.severity | Vulnerability score |
description | Vulnerability description |
issue_id finding_details.severity finding_details.module finding_details.relative_location finding_details.procedure finding_details.attack_vector finding_details.file_line_number | Vulnerability details |
finding_details.severity | CVSS |
finding_details.cwe.id | CWE |
finding_details.attack_vector | CVSS attack vector |
issue_id finding_details.severity finding_details.module finding_details.relative_location finding_details.procedure finding_details.attack_vector finding_details.file_line_number | Vulnerability instance connection- additional information |
Veracode recommendation for {{ name }} | Fix - Title |
recommendation | Fix - Description |
description | Fix - References |
Vulnerability status mapping
Veracode SAST Status | Vulcan Status |
Open | Vulnerable |
Closed | Fixed |
Vulnerability score mapping
Veracode SAST score | Vulcan score |
0-5 | 2 * (Veracode severity score) |
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any are added).
The table below lists how the status update mechanism works in the Veracode SAST connector for the vulnerabilities and assets in the Vulcan Platform.
Update type in Vulcan | Mechanism (When?) |
The asset is archived | - Asset not found on the Connector's last sync - Asset not seen for X days according to "Last Seen" |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings. - Vulnerability status on the Connector's side changes to "CLOSED" |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
API Endpoints in Use
API version: v1 , v2
API | Use in Vulcan |
/appsec/v1/applications | Assets(Code Projects), Tags |
appsec/v2/applications/{{application_guid}}/findings | Unique Vulnerabilities |
appsec/v1/categories/?page={{sast_recommendation_page_index}} | Solution |