Am I reading the correct user guide?
Am I reading the correct user guide?
Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.
Click on 'How to connect' on the Connector's setup page to open the right guide for your setup and version, ensuring accuracy and relevance.
Overview
About Veracode
Veracode Web Application Scanning combines a DAST assessment tool with static analysis and other technologies to find, secure, and monitor websites and applications more effectively. Veracode’s assessment tool helps to find hidden security issues often missed by other products, such as looking in directories, debug code, leftover source code, and resource files to find information that hackers could exploit to gain access to the application. From hidden usernames and passwords to ODBC connectors and SQL strings, Veracode identifies potential vulnerabilities to enable faster fixes.
Why integrate Veracode into the Vulcan platform?
The Veracode Connector by Vulcan integrates with the Veracode platform to pull and ingest SAST and DAST findings (configurable) and their vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
Veracode Connector Details
Supported products | Veracode SAST Veracode DAST
Support note: DAST Essentials is not supported |
Category | Application Security - DAST |
Ingested asset type(s) | Code Projects
Note: SAST and DAST findings are ingested as Code Projects |
Integration type | UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
A Veracode API user account with the following permissions:
"Reviewer" with "Results API Role"
See https://docs.veracode.com/r/admin_api
API TOKEN/KEY and SECRET KEY
Creating an API User Account in Veracode
Click on the gear icon and select Admin.
Go to the Users tab and click Add New User.
Enter user details:
Provide a descriptive first and last name.
Check the Non-Human User box.
Note: You cannot convert an existing user account to an API service account. A new user account must be created with the Non-Human User checkbox selected.
Enter a valid email address for the API service account. Veracode will use this address to send notifications regarding error messages, password expirations, and other automated messages.
In the User Roles section, select the APIs that the API service account should access.
For the "Restrict Loigin IP" option, select No.
Click Save to create and enable the user account.
The user will receive an activation email.
Note: Before accessing the APIs, users must activate their account, generate API credentials, and enable HMAC authentication.
Configuring the Veracode Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Veracode icon.
Set up the Connector as follows:
Enter the Region, API Key ID, and API Secret you generated earlier.
Select Findings to Fetch: You’ll now see options to fetch SAST ("Fetch SAST Findings"), DAST (Fetch dynamic analysis findings"), or both types of findings.
Note: All fetched findings, whether SAST or DAST, will be mapped as Code Projects. You can find them listed under this asset type in the Vulcan platform once synchronization is complete.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Veracode instance, then click Create (or Save Changes).
The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Veracode icon shows Connected, the sync is complete.
Veracode in the Vulcan Platform
Viewing Veracode vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector:
Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Connector is Veracode.
You can add more filters to narrow down your search further.
See the complete list of available vulnerability filters.Click on a vulnerability for more vulnerability details.
Viewing Veracode assets in the Vulcan Platform
Viewing assets by Connector for users with the new platform view (Asset Hub):
Go to the Assets page.
Click on "Filter " and specify the condition as "Assets > Connector is Veracode".
Viewing assets by Connector for users with the older platform view:
Go to the Assets page.
Choose the relevant asset type tab.
Click on "Filter" and specify the condition as "Assets > Connector is Veracode"
You can add more filters to narrow down your search further.
See the complete list of available asset filters.
Click on any asset for more asset details.
Taking Action on vulnerabilities and assets detected by Veracode
To take remediation action on vulnerabilities and assets detected by Veracode:
Go to the Vulnerabilities pr Assets Page.
Use the Filter to filter vulnerabilities by the Veracode connector and display all synced vulnerabilities/assets along with their associated assets/vulnerabilities.
Select the relevant vulnerabilities/assets from the results list.
Click on Take Action to proceed with remediation or further actions.
Automating remediation actions on vulnerabilities detected by Veracode
Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.
From Veracode to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Veracode through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
Code project fields mapping
All fetched findings, whether SAST or DAST, are mapped as Code Projects.
Veracode UI field | Veracode API field | Vulcan field |
- | guid | Asset Uniqueness criteria |
Application name | profile.name | Code Project Name (name) |
- | - | Code Project Language (language) |
first scan date | created | Code Project First Seen (first_seen) |
last scan date | last_completed_scan_date | Code Project Last report (last_seen) |
Dynamic analysis name | Business criticality, Current policy compliance, Block code, IT Director, IT SLT Member - custom_fields Dynamic analysis name - :question_mark: URL - as codebase | Code Project details(added_data)
|
Tags | profile.tags | Code Project Tags - Vendor’s tags (tags) |
IT Director | custom_fields | Code Project Tags - Additional (tags) |
URL (unique urls) | - | Asset codebase - Source (SAST) (sast_file_name) |
- | issue_id | Vulnerability instance uniqueness criteria |
first detection date | finding_status.first_found_date | Vulnerability instance First seen (first_seen) |
last detection date | finding_status.last_seen_date | Vulnerability instance Last seen (last_seen) |
Flaw ID | if scan_type is DYNAMIC: Flaw ID - finding_category.id
For each :question_mark: we need to make api call for every finding. | Vulnerability instance details(added_data) |
- | finding_details.finding_category.name | Unique Vulnerability uniqueness criteria |
flaw name | finding_details.finding_category.name | Vulnerability title (title) |
| finding_details.severity | Vulnerability score (cvss_score) |
Description (inner) | description | Vulnerability description (description) |
Effort to fix | - | Vulnerability details(added_data) |
cve | - | CVE/S (report_item_cve) |
cwe | finding_details.cwe.id | CWE (cwe) |
- | finding_details.attack_vector | CVSS attack vector (cvss3_vector) |
- | - | cloud_vv_id Developer Field - not map to clients |
Fix recommendations from Veracode | Veracode recommendation for {{ name }} | Fix - Title (title) |
Recommendations | recommendation | Fix - Description(description) |
additional resources | description | Fix - References (reference + reference_link) |
Vulnerability status mapping
Veracode Status | Vulcan Status |
Open | Vulnerable |
Closed | Fixed |
False positive | Ignored - false positive |
Accept Risk, Wont fix | Ignored risk acknowledged |
Vulnerability score mapping
Veracode SAST score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
- | 0 |
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any are added).
The table below lists how the status update mechanism works in the Veracode connector for the vulnerabilities and assets in the Vulcan Platform.
Update type in Vulcan | Mechanism (When?) |
The asset is archived | - Asset not found on the Connector's last sync - Asset not seen for X days according to "Last Seen" |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings. - Vulnerability status on the Connector's side changes to "CLOSED" |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
API Endpoints in Use
API version: v1 , v2
API | Use in Vulcan |
{{base_url}}/appsec/v1/applications | Assets |
{{base_url}}/appsec/v2/applications/{{application_guid}}/findings?scan_type=STATIC,DYNAMIC | Findings, Unique Vulnerabilities |
{{base_url}}/appsec/v1/categories | Solution |
Data Validation
This section shows how to validate and compare Vulcan and the Veracode platform data.
Matching Assets
View Assets in Veracode
In Veracode, each application is treated as an individual asset.
To view the total number of applications (assets):
Navigate to the Applications screen in the Veracode platform.
The number of applications will be displayed in a highlighted square, similar to the screenshot below.
View Assets in Vulcan
In Vulcan, navigate to the Assets tab.
Apply a filter to only display the assets sourced from Veracode:
Click on Filter, select Asset > Connector, and choose Veracode from the dropdown.
Click Apply to see the filtered results.
The number of assets synced from Veracode will now be displayed. You should see the number of assets in Vulcan as shown below.
Possible Discrepancies
If the number of assets does not align, this could be due to duplicate or archived assets in Vulcan that are no longer active in Veracode.
Matching Vulnerabilities
Vulnerability categories in Veracode
Veracode presents vulnerabilities grouped into 32 different categories.
If a category has a finding, it is presented as a vulnerability in Vulcan.
View Vulnerabilities in Vulcan
In Vulcan, navigate to the Vulnerabilities tab.
Apply a filter to view vulnerabilities from the Veracode connector:
Go to Filter > Vulnerabilities > Source and choose Veracode.
Ensure that the number of unique vulnerabilities corresponds to the categories shown in Veracode.
Possible Discrepancies
If the counts do not align, it could be due to certain vulnerabilities not being tied to any asset or differences in categorization between the platforms.
Matching Findings (Vulnerability Instances)
In Veracode:
Go to the Applications page in Veracode.
You will see a list of all applications.
Click on any application from the list.
Once inside the application’s details, select View Results/Report.
Navigate to the Executive Summary tab to view the summary of the findings.
In the Total column, you will find the total number of findings for the selected application. For example, in this case, the number of findings is 12:
In Vulcan:
In Vulcan, go to the Findings tab.
Apply the following filter to view findings from Veracode:
Filter > Vulnerabilities > Source > Veracode
After applying the filter, the total number of findings will be visible in the top left, within the red square.
