Veracode Tools (vt) is a Gradle project that aims to reduce the effort required to work with Veracode application security scanning activities.
As a set of Gradle tasks, it is meant to be usable either as a command line submission tool or integrated into a continuous integration build process.
It helps perform the following tasks:
- Perform Veracode submission for applications.
- Scan results for flaws.
- Perform flaws triage. TODO: not done
Prerequisites:
- Veracode account & application to perform scanning.
- Veracode Java API JAR file (copy to the `lib` directory).
- JDK 7 is a requirement for the Veracode Java API.
Setup:
- Clone the project.
- Copy `VeracodeJavaAPI.jar` (from Veracode) to a newly created `lib` directory.
- Rename `sample-gradle.properties` to `gradle.properties` and edit its contents to set up Veracode credentials.
- Execute `gradle tasks` to see available tasks.
- Execute `gradle veracodeApplicationList` to see available applications along with their `appId`.
The sequence of tasks to perform a Veracode scan for an application involves:
- Download the application to scan (manual).
- Install the application (manual).
- `generateToUpload`: Prepare the JAR files installed by the application for upload. This involves stripping timestamp information. TODO: rename task to "prepareUpload"?
- `veracodeCreateBuild`: Create a new build for the application to scan (build and application in this case are Veracode concepts).
- `veracodeUpload`: Upload files to Veracode. This process will upload each file prepared by `generateToUpload` to Veracode's site. Once a file has been uploaded, it will be deleted. If a network error occurred during upload, just re-run this task to continue uploading the outstanding files.
- `veracodePreScan`: Perform a pre-scan for the current build. This task will take some time, depending on the number of files being processed. Wait for the pre-scan to complete with the `veracodeBuildInfo` task. It should return "status=Pre-Scan Success".
- `veracodePreScanResults` and `preScanModuleVerify`: Once the pre-scan has completed successfully, we need to perform a pre-scan module verification. This task ensures all modules in the pre-scan results are accounted for within the white/black list of modules in `src/apps/${appId}/modules-*.txt`. Any unaccounted module should be manually resolved by updating the appropriate `modules-*.txt` file.
Described as Gradle tasks, a typical submission workflow might look like this:

```shell
# Download application from Jenkins (manual).
# Install the application so that we can scan for files to upload & scan (manual).
gradle veracodeCreateBuild -PappId=20299 -Pversion="my-product#913"
gradle generateToUpload -Pdir="C:\temp\my-product#913"
gradle veracodeUpload -PappId=20299
gradle veracodePreScan -PappId=20299
gradle veracodePreScanResults -PappId=20299
gradle preScanModuleVerify -PappId=20299
gradle veracodeScan -PappId=20299
gradle veracodeScanResults -PbuildId=xxxxx
# or:
gradle veracodeScanResultsInCsv -PbuildId=xxxxx
```
To adapt the example above:
- Replace "20299" with the appropriate application ID to process.
- Use "gradle -q veracodeAppList" to list available applications.
- Replace "my-product" with the appropriate Jenkins job name or other build names if you prefer.
- Replace "913" with the appropriate Jenkins job build number.
- Replace "C:\temp\my-product#913" with the directory where the application is installed.
Rename `sample-gradle.properties` to `gradle.properties` and enter your Veracode login credentials.

To list the available tasks for this project: `gradle -q tasks`
Most Veracode related tasks will generate a relevant `build/xxx.xml` file. It might be useful to analyze the contents of this file to gain additional insight into the task that was just executed.

To check the pre-scan results (note: this task can take some time to complete): `gradle -q veracodePreScanResults -PappId=20299`
Pre-scan can be time consuming. To check the status of a build after pre-scan submission, run `gradle -q veracodeBuildInfo -PappId=20299`, which prints output like:

```
[Build]
version=my-product#123
build_id=123
submitter=Xxx
platform=Not Specified
lifecycle_stage=Xxx
results_ready=false
policy_name=Xxx
policy_version=999
policy_compliance_status=Xxx
rules_status=Xxx
grace_period_expired=false
scan_overdue=false
[Analysis Unit]
analysis_type=Static
status=Pre-Scan Submitted
```
Note: This task can be executed anytime.
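When the tasks are chained in a CI job, the job has to wait for `status=Pre-Scan Success` before running `veracodePreScanResults` and `preScanModuleVerify`. The following POSIX shell functions are an added example (not part of the vt project) that parse the `veracodeBuildInfo` output shown above and poll until the pre-scan finishes; the poll count and interval are arbitrary, and any status other than "Pre-Scan Submitted" or "Pre-Scan Success" is treated as needing manual attention.

```shell
#!/bin/sh
# Added example, not part of the vt project: gate a CI job on the pre-scan
# status printed by `gradle -q veracodeBuildInfo -PappId=...`.
# Assumed: poll count/interval are arbitrary; statuses other than
# "Pre-Scan Submitted" and "Pre-Scan Success" are treated as needing attention.

# Constructed sample of veracodeBuildInfo output (shape taken from the README).
SAMPLE_BUILD_INFO='[Build]
version=my-product#123
build_id=123
results_ready=false
[Analysis Unit]
analysis_type=Static
status=Pre-Scan Submitted'

# Print the value of the "status=" line only (not policy_compliance_status etc.).
build_status() {
    printf '%s\n' "$1" | tr -d '*\r' | sed -n 's/^status=//p' | head -n 1
}

# Classify a status value as done, running, or failed (anything unexpected).
status_class() {
    case "$1" in
        "Pre-Scan Success")   echo done ;;
        "Pre-Scan Submitted") echo running ;;
        *)                    echo failed ;;
    esac
}

# Poll veracodeBuildInfo until the pre-scan finishes.
# Returns 0 only on "Pre-Scan Success", so the CI step fails otherwise.
# Usage: wait_for_prescan <appId> [max_polls] [interval_seconds]
wait_for_prescan() {
    app_id=$1; max_polls=${2:-60}; interval=${3:-60}; n=0
    while [ "$n" -lt "$max_polls" ]; do
        st=$(build_status "$(gradle -q veracodeBuildInfo -PappId="$app_id")")
        case "$(status_class "$st")" in
            done)    echo "pre-scan succeeded for appId=$app_id"; return 0 ;;
            running) n=$((n + 1)); sleep "$interval" ;;
            *)       echo "pre-scan needs attention: status='$st'" >&2; return 1 ;;
        esac
    done
    echo "timed out waiting for pre-scan of appId=$app_id" >&2
    return 1
}
```

In a pipeline, call `wait_for_prescan 20299 30 120` between `gradle veracodePreScan` and `gradle veracodePreScanResults`; the non-zero return on timeout or an unexpected status stops the job before unverified modules are scanned.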
To abandon a build with partially uploaded files or pre-scanned files, execute the delete build task: `gradle -q veracodeDeleteBuild -PappId=20299`