Am I reading the correct user guide?
Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.
To open the correct user guide for your setup and version, go to the connector's setup page and click How to connect.
Connector details
About Veracode DAST
Veracode Web Application Scanning combines a DAST assessment tool with static analysis and other technologies to more effectively find, secure, and monitor websites and applications. The tool helps find hidden security issues often missed by other products, looking in directories, debug code, leftover source code, and resource files for information that hackers could exploit to gain access to the application. From hidden usernames and passwords to ODBC connectors and SQL strings, Veracode identifies potential vulnerabilities to enable faster fixes.
Support scope
Supported products | DAST - Dynamic Analysis |
Category | Application Security - DAST |
Ingestion type | Assets and vulnerabilities |
Ingested asset type(s) | Code Projects |
Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
A Veracode SAST API user account with the following permissions:
"Reviewer" with "Results API Role"
See Create an API user in the Veracode Platform | Veracode Docs
Generating API Key ID and Secret
Click on the gear icon and select Admin.
Go to the Users tab and click Add New User.
Enter user details:
Note: You cannot convert an existing user account to an API service account. A new user account must be created with the Non-Human User checkbox selected.
Enter a valid email address for the API service account. Veracode will use this address to send notifications regarding error messages, password expirations, and other automated messages.
In the User Roles section, select the APIs the API service account should access.
For the "Restrict Login IP" option, select No.
Click Save to create and enable the user account.
Note: Before accessing the APIs, users must activate their account, generate API credentials, and enable HMAC authentication.
Configuring the Veracode connector
Login to the Vulcan ExposureOS platform and go to Connectors > Add a Connector
Click on the Veracode icon.
Set up the Connector as follows:
If a gateway is required, refer to the Vulcan Gateway guide to configure the gateway before proceeding. If not, continue following the steps in this guide.
Select the region of your Veracode account (US, EU, or US Federal).
Enter the API Key ID and Secret you generated earlier.
Data pulling configuration:
This configuration has dynamic settings tailored to the specific connector and integration type. Below are the configurations relevant to this connector.
Veracode findings ingestion: Select the findings to fetch. The options are SAST ("Fetch SAST Findings"), DAST ("Fetch dynamic analysis findings"), or both types of findings.
Note: All fetched findings, whether SAST or DAST, will be mapped as Code Projects. Once synchronization is complete, you can find them listed under this asset type in the Vulcan platform.
Asset Retention: Configure the retention period for inactive assets based on their last seen date. If an asset has not been detected or updated in a scan within the specified days, it will be automatically removed from the Vulcan ExposureOS platform. This ensures your asset inventory stays current and relevant.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Veracode instance.
Notes:
A successful connectivity test confirms that the platform can connect to the Veracode instance. However, it does not guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.
If the connectivity test fails, an error message with details about the issue will appear. Click the arrow next to the error message for more information about the exact error.
Example:
Connector scheduling: Set the connector's sync time and days. By default, all days are selected.
Click Create to start syncing the new connector, or Save Changes if editing an existing connector.
Allow some time for the sync to complete. Then, you can review the sync status on the Connectors main page or under Connector sync logs on the connector's specific setup page.
To confirm the sync is complete, navigate to the Connectors page. The sync is complete once the Veracode icon shows Connected.
Example:
Veracode in the Vulcan platform
Viewing findings
To view findings (instances) ingested by the Veracode connector:
Go to the Findings page.
Click on Filter and set the condition to Vulnerability > Source > is > Veracode.
Example:
To filter results by Veracode SAST findings:
Go to the Findings page.
Click on Filter and set the condition to Veracode > Instance > Scan type is SAST.
To filter results by Veracode DAST findings:
Go to the Findings page.
Click on Filter and set the condition to Veracode > Instance > Scan type is DAST.
You can also:
Filter by Business Group and add more filters to narrow your search further.
Filter by Connector-specific parameters (also known as Native Parameters) if available.
Click on a finding for more details.
Viewing vulnerabilities
To view vulnerabilities ingested by the Veracode connector:
Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Source > is > Veracode.
Example:
You can also:
Filter by Business Group and add more filters to narrow your search further.
Filter by Connector-specific parameters (also known as Native Parameters) if available.
Click on a vulnerability for more details.
Viewing assets
To view assets ingested by the Veracode connector:
Go to the Assets page.
Click on Filter and set the condition to Asset > Source > is > Veracode.
Example:
You can also:
Filter by Business Group and add more filters to narrow your search further.
Filter by Connector-specific parameters (also known as Native Parameters) if available.
Click on an asset for more details.
Taking action on vulnerabilities and assets
To take remediation action on vulnerabilities and assets ingested by Veracode:
Go to the Vulnerabilities or Assets Page.
Use the Filter to view the assets/vulnerabilities by source. You can always filter by Business Group and add more filters to narrow your search.
Select the relevant vulnerabilities/assets from the results list.
Click on Take Action to proceed with remediation or further actions.
Example:
Automating remediation actions on vulnerabilities
Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.
Data Mapping
The Vulcan Platform integrates with Veracode DAST through an API that pulls the relevant vulnerability and asset data and maps it to the platform's pages and fields. The vulnerability and/or asset data is ingested from the vendor platform and mapped into the Vulcan ExposureOS platform.
Code Project data mapping
Asset data
Veracode UI field | Veracode API field | Vulcan field |
- | guid | Asset Uniqueness criteria |
Application name | profile.name | Code Project Name (name) |
first scan date | created | Code Project First Seen (first_seen) |
last scan date | last_completed_scan_date | Code Project Last report (last_seen) |
URL | custom_fields (Business Criticality, Current Policy Compliance, Block Code, IT Director, IT SLT Member); URL as codebase | Code Project details (added_data) |
Tags | profile.tags | Code Project Tags - Vendor’s tags (tags) |
IT Director | custom_fields | Code Project Tags - Additional (tags) |
Unique vulnerability data
Veracode UI field | Veracode API field | Vulcan field |
- | finding_details.finding_category.name | Unique Vulnerability uniqueness criteria |
Flaw Name | finding_details.finding_category.name | Vulnerability title (title) |
- | finding_details.severity | Vulnerability score (cvss_score) |
Description (inner) | description | Vulnerability description (description) |
- | - | Vulnerability details (added_data) |
- | - | CVE/S (report_item_cve) |
cwe | finding_details.cwe.id | CWE (cwe) |
- | finding_details.attack_vector | CVSS attack vector (cvss3_vector) |
Finding data (asset-instance connection)
Veracode UI field | Veracode API field | Vulcan field |
- | issue_id | Vulnerability instance uniqueness criteria |
first detection date | finding_status.first_found_date | Vulnerability instance First seen (first_seen) |
last detection date | finding_status.last_seen_date | Vulnerability instance Last seen (last_seen) |
Both: Issue Id; DAST: URL; SAST: Module | Both: issue_id; DAST: finding_details.url; SAST: finding_details.module | Vulnerability instance details (added_data) |
Vulnerability status mapping
Findings (instances) ingested from connectors are mapped into the Vulcan platform by status.
Based on the finding_status.status field.
Veracode Status | Vulcan Status |
OPEN | Vulnerable |
CLOSE | Fixed |
False positive | Ignored - false positive |
Accept Risk, Wont fix | Ignored - risk acknowledged |
The statuses are mapped into the Findings page > Show <status> view:
Vulnerability score mapping
Risk scores ingested from connectors are converted into numeric scores and mapped into the Vulcan platform risk score field, which eventually impacts the contextualized risk calculation.
Based on the finding_details.severity * 2 field.
Veracode score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
- | 0 |
The scores are mapped into the Score field of the Vulnerability details:
Status update mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones.
The table below lists how the status update mechanism works in the Veracode connector for the vulnerabilities and assets in the Vulcan Platform.
Status change | When? |
The asset is archived | - Asset not found on the Connector's last sync - Asset not seen for X days according to "Last Seen" |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings. - Vulnerability status on the Connector's side changes to "CLOSED" |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
Support limitations and expected behavior
This section outlines any irregularities, expected behaviors, or limitations related to integrating the Vulcan Cyber ExposureOS platform and Veracode. It also highlights details about ingested and non-ingested data to clarify data handling and functionality within this integration.
In Veracode, each application is treated as a single asset of type code_project. The Veracode API supports fetching both SAST and DAST vulnerabilities, but there are key differences in how these vulnerabilities are managed:
SAST Vulnerabilities
Directly linked to applications, allowing findings to be seamlessly mapped to their corresponding code_project asset.
DAST Vulnerabilities
Veracode allows scanning additional URLs that may not be directly associated with an application.
However, the Veracode API has a limitation—it only supports fetching DAST data when the scan is explicitly linked to an application.
To ensure DAST scan results are correctly linked to applications, refer to Veracode’s guide: Link Dynamic Analysis Results to an Application Profile
Handling DAST Findings Within API Constraints
Ideally, DAST findings and scanned URLs would be mapped to a distinct asset type, such as website. However, due to API restrictions, Vulcan can only retrieve DAST findings explicitly associated with applications.
To maintain consistency and ensure accurate linking of findings, DAST vulnerabilities are classified under the code_project asset type rather than introducing a separate asset type without a direct application association. This approach aligns with API limitations while preserving clear asset-to-finding relationships.
API endpoints in use
API version: v1, v2
API | Use in Vulcan |
{{base_url}}/appsec/v1/applications | Assets |
{{base_url}}/appsec/v2/applications/{{application_guid}}/findings?scan_type=STATIC,DYNAMIC | Findings, Unique Vulnerabilities |
{{base_url}}/appsec/v1/categories | Solution |
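The following Python script is an added example (not the connector's own code) that ties together the data mapping tables, the status update and asset retention rules, and the API endpoints table above: it builds the three endpoint URLs for a region, converts constructed findings records into the Vulcan field names from the tables, applies the status and score mappings, and shows the "no longer in the scan findings" and "not seen for X days" rules. The regional base URLs, the severity_label field (the example assumes the numeric finding_details.severity has already been resolved to the label used in the score table), and all sample records are assumptions of this example, not values from the page.

```python
"""Map Veracode findings into the Vulcan fields from the tables above.
Added example with constructed sample data; not the connector's own code."""
from datetime import datetime, timedelta

# Assumption: regional API hosts. The page only names the regions (US, EU,
# US Federal); these base URLs are an assumption of this example.
REGION_BASE_URLS = {
    "US": "https://api.veracode.com",
    "EU": "https://api.veracode.eu",
    "US Federal": "https://api.veracode.us",
}

# finding_status.status -> Vulcan status (status mapping table, verbatim).
STATUS_MAP = {
    "OPEN": "Vulnerable",
    "CLOSE": "Fixed",
    "False positive": "Ignored - false positive",
    "Accept Risk": "Ignored - risk acknowledged",
    "Wont fix": "Ignored - risk acknowledged",
}

# Veracode severity label -> Vulcan score (score mapping table); "-" -> 0.
SCORE_MAP = {"Critical": 10, "High": 7, "Medium": 5, "Low": 3}


def endpoint_urls(region, application_guid):
    """The three endpoints from the 'API endpoints in use' table, for one region."""
    base = REGION_BASE_URLS[region]
    return {
        "applications": f"{base}/appsec/v1/applications",
        "findings": (f"{base}/appsec/v2/applications/{application_guid}"
                     "/findings?scan_type=STATIC,DYNAMIC"),
        "categories": f"{base}/appsec/v1/categories",
    }


def map_status(veracode_status):
    """Unknown vendor statuses stay 'Vulnerable' so nothing is silently closed."""
    return STATUS_MAP.get(veracode_status, "Vulnerable")


def map_score(severity_label):
    """Label not in the table (the '-' row) scores 0."""
    return SCORE_MAP.get(severity_label, 0)


def map_finding(raw):
    """One findings-API record -> the Vulnerability instance fields from the tables."""
    details = raw["finding_details"]
    status = raw["finding_status"]
    added = {"issue_id": raw["issue_id"]}            # Both scan types: Issue Id
    if raw["scan_type"] == "DYNAMIC":
        added["url"] = details.get("url")             # DAST: URL
    elif raw["scan_type"] == "STATIC":
        added["module"] = details.get("module")       # SAST: Module
    return {
        "instance_uid": raw["issue_id"],              # uniqueness criteria
        "title": details["finding_category"]["name"],
        "description": raw.get("description"),
        "cwe": details["cwe"]["id"],
        "cvss3_vector": details.get("attack_vector"),
        "cvss_score": map_score(raw["severity_label"]),  # assumed pre-resolved label
        "first_seen": status["first_found_date"],
        "last_seen": status["last_seen_date"],
        "status": map_status(status["status"]),
        "added_data": added,
    }


def reconcile(known_issue_ids, current_findings):
    """Status update rule: instances absent from this sync's findings become Fixed."""
    present = {f["issue_id"] for f in current_findings}
    return sorted(set(known_issue_ids) - present)


def asset_is_stale(last_seen_iso, retention_days, now_iso):
    """Asset retention rule: archive an asset not seen for more than retention_days."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return parse(now_iso) - parse(last_seen_iso) > timedelta(days=retention_days)


# Constructed sample records shaped like the API fields named in the tables.
SAMPLE_FINDINGS = [
    {"issue_id": 1001, "scan_type": "STATIC", "severity_label": "High",
     "description": "Constructed sample finding",
     "finding_details": {"finding_category": {"name": "Information Leakage"},
                         "cwe": {"id": 209}, "module": "app.war", "attack_vector": None},
     "finding_status": {"status": "OPEN", "first_found_date": "2024-01-10T08:00:00Z",
                        "last_seen_date": "2024-02-01T08:00:00Z"}},
    {"issue_id": 1002, "scan_type": "DYNAMIC", "severity_label": "Medium",
     "description": "Constructed sample finding",
     "finding_details": {"finding_category": {"name": "Cross-Site Scripting"},
                         "cwe": {"id": 79}, "url": "https://app.example.test/search",
                         "attack_vector": "AV:N"},
     "finding_status": {"status": "Accept Risk", "first_found_date": "2024-01-12T08:00:00Z",
                        "last_seen_date": "2024-02-01T08:00:00Z"}},
]

if __name__ == "__main__":
    for record in SAMPLE_FINDINGS:
        print(map_finding(record))
    print("mark Fixed:", reconcile({1001, 1002, 1003}, SAMPLE_FINDINGS))
```

Run it as-is to see the two mapped instances and the issue id (1003) that would be marked Fixed because it is missing from the current sync; the fallback in map_status is deliberate, since a new vendor status value should surface as still-vulnerable rather than disappear from the Findings page.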