Veracode Community Open Source Projects

A collection of useful open source projects that integrate with the CA Veracode APIs to automate scanning, results retrieval and other tasks.

These projects are community contributed and not supported by CA Veracode. For a list of supported projects, please see the listing of projects on Veracode.com.

Automating common Veracode Platform tasks

  • VcodeAutoMitigate (Brian1917) - Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.

  • VcodeMitigationExpire (Brian1917) - Utility designed to be run on a regular cadence (e.g., weekly cron job) to expire mitigations. The types of mitigations, expiration references, and other settings are controlled in a JSON config file.

  • Veracode mitigation copier (Brian1917) - Copies mitigations from one Veracode profile to another if it's the same flaw based on the following flaw attributes: issueid, cweid, type, sourcefile, and line. The script will copy all proposed and accepted mitigations for the flaw. The script will skip a flaw in the copy_to build if it already has an accepted mitigation.

  • Veracode BCA Builder (Brian1917) - Shell script to generate the BCA package to scan an iOS app.

Developer tools

  • Ansible (Telus Digital) - Allows uploading and scanning with Veracode from Ansible, with an option to send results to a Slack channel.

  • Bamboo (Buzzcode) - Full-featured Bamboo plugin including a configuration UI, wait-for-scan-to-complete, and "break the build" functionality.

  • Bamboo/Jira (Buildcom) - Provides a pair of simple plugins for upload and results handling from within Bamboo, and a lightweight script to create Jira issues.

  • CircleCI (Unregistered436) - Veracode Upload and Scan Shell Script, originally written for CircleCI but can be used for any build system that can run a shell script in bash.

  • ConcourseCI, Gitlab, Travis (Ctcampbell) - Example configurations for integrating Veracode scanning in various continuous integration systems.

  • Dynamic Scan and Wait for Result (Christyson) - Extends the Java API Wrapper to provide "break the build" style scanning. Includes instructions on how to integrate this workflow into Jenkins.

  • Flowdock (Brian1917) - Utility designed to be run in a build process after a Veracode scan to notify a Flowdock flow that the scan completed. Optionally includes policy compliance information in the notification.

  • Gitlab (Ctcampbell) - An example configuration for Veracode integration with GitLab.

  • Gradle (Kctang) - Set of Gradle tasks, usable either as a command line submission tool or integrated as part of a continuous integration build process, to perform Veracode submission for applications and scan results for flaws.

  • Insomnia (Ctcampbell) - Adds an HMAC authentication header to Veracode API requests in Insomnia.

  • PowerShell (Unregistered436) - PowerShell script for pushing binaries to Veracode using the Java API.

  • Slack (Ctcampbell) - AWS Lambda commands that provide the ability to access Veracode application and build information from Slack.

  • Veracode QuickScan (relaxnow) - PHP example of how to connect to the APIs, scan a couple of files and get results.

Results collection and display

Application vulnerability correlation

  • DefectDojo - DefectDojo is an open-source application vulnerability correlation and security orchestration application. DefectDojo supports importing Veracode results.

HMAC Signing libraries

Projects in this category implement HMAC digest signing, which is required to use Veracode APIs that use a Veracode ID and Key.

  • NodeJS - NodeJS library to generate an authorization header with the Veracode API Key and ID. Sample usage is in the comment on the gist.

  • vcodeHMAC (Brian1917) - Go package that creates an authorization header using Veracode API Key and ID.

  • vcodeHMAC-CLI (Brian1917) - CLI tool to generate an authorization header for Veracode APIs using API ID and Key. Given an HTTP method and URL, and the location of your Veracode API credentials file, you will get the value of an Authorization header printed out for piping into curl, httpie, or other scripting uses.

  • Using curl and openssl to access the Veracode API endpoint (m9aertner) - Short article illustrating the use of built-in shell tools to handle HMAC signing and send API requests from the command line.

Other integrations

Secure coding examples

Insecure applications

  • VeraDemo (Jtsmith2020) - Sample insecure application written in Java and JavaScript, showing vulnerabilities in realistic Java code.