
Veracode

Veracode performs application analysis including dynamic analysis, penetration testing, and static code testing to locate vulnerabilities that can lead to security breaches. You can bring application, code, and site data from Veracode into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Veracode and how to obtain that information from Veracode. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Veracode from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Veracode with Brinqa:

  • Server URL: The Veracode Platform URL. The default URL is https://analysiscenter.veracode.com/.

  • API ID and Secret key: The API credentials associated with the Veracode account, which must have permissions to log in to the API server and return data.

Generate Veracode API credentials

For the Veracode connector to use the Veracode API, you must provide API credentials. Veracode does not allow retrieving the API credentials for an existing user. To generate new API credentials, follow these steps:

  1. Log in to your organization's Veracode Platform.

  2. Click the username and select API Credentials from the drop-down.

  3. Click Generate API Credentials.

    The new API ID and secret key display. You cannot view the credentials after this, so copy and save them to a secure location.

Note: If you do not have the permissions to generate access keys, contact your Veracode administrator. For additional information, see Veracode documentation.

Types of data to retrieve

The Veracode connector can retrieve the following types of data from the Veracode API:

Connector Object                   | Required | Maps to Data Model
Application                        | Yes      | Application
Component                          | Yes      | Package
Dynamic Code Finding               | Yes      | Dynamic Code Finding
Dynamic Code Finding Definition    | Yes      | Dynamic Code Finding Definition
Open Source Finding                | Yes      | Open Source Finding
Open Source Finding Definition     | Yes      | Open Source Finding Definition
Pentest Finding                    | Yes      | Pentest Finding
Pentest Finding Definition         | Yes      | Pentest Finding Definition
Site                               | Yes      | Site
Static Code Finding                | Yes      | Static Code Finding
Static Code Finding Definition     | Yes      | Static Code Finding Definition

Info: The Veracode connector does not currently support operation options for the types of data it retrieves.

For detailed steps on how to view the data retrieved from Veracode in the Brinqa Platform, see How to view your data.

APIs

The Veracode connector uses the Veracode XML API. Specifically, it uses the following endpoints:

  • /api/4.0/getappbuilds.do

  • /api/5.0/getappinfo.do

  • /api/5.0/getapplist.do

  • /api/5.0/getbuildinfo.do

  • /api/5.0/detailedreport.do

  • /api/getmitigationinfo.do

Changelog

The Veracode connector has undergone the following changes:

3.0.11

  • Added the ARCHER_APP_NAME attribute to the Application object.

3.0.10

  • Changed the data type of the ISSUE_ID attribute to Integer for sorting purposes.

3.0.9

  • Stopped retrying the error elements in the Veracode API responses.

3.0.8

  • Added all the statuses as multi-valued fields.

  • Assigned the last approved remediation action to the REMEDIATION_STATUS attribute.

3.0.7

  • Revised the logic for creating finding definitions to be based on the Common Weakness Enumeration (CWE) descriptions.

3.0.6

  • Added Component, Open Source Finding, and Open Source Finding Definition as connector objects.

3.0.5

  • Added Pentest Finding and Pentest Finding Definition as connector objects.

3.0.1

  • Added new attributes, MITIGATION_STATUS and MITIGATION_STATUS_DESCRIPTION, to the Dynamic Code Finding and Static Code Finding objects.

3.0.0