Veracode
Veracode performs application analysis including dynamic analysis, penetration testing, and static code testing to locate vulnerabilities that can lead to security breaches. You can bring application, code, and site data from Veracode into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Veracode and how to obtain that information from Veracode. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Veracode from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Veracode with Brinqa:
-
Service URL: The Veracode analysis center URL. The default URL is
https://api.veracode.com/. -
API ID and Secret key: The API credentials associated with the Veracode account, which must have permissions to log in to the API server and return data.
Generate Veracode API credentials
For the Veracode connector to use the Veracode API, you must provide API credentials. Veracode does not allow retrieving the API credentials for an existing user. To generate new API credentials, follow these steps:
-
Log in to your organization's Veracode Platform.
-
Click the username and select API Credentials from the drop-down.
-
Click Generate API Credentials.
The new API ID and secret key display. You cannot view the credentials again after this. Copy and save them to a secure location.
If you do not have the permissions to generate access keys, contact your Veracode administrator. For additional information, see Veracode documentation.
Additional settings
The Veracode connector contains an additional option for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
Types of data to retrieve
The Veracode connector can retrieve the following types of data from the Veracode API:
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Application | Yes | Application |
| Component | Yes | Package |
| Dynamic Code Finding | Yes | Dynamic Code Finding |
| Dynamic Code Finding Definition | Yes | Dynamic Code Finding Definition |
| Open Source Finding | Yes | Open Source Finding |
| Open Source Finding Definition | Yes | Open Source Finding Definition |
| Pentest Finding | Yes | Pentest Finding |
| Pentest Finding Definition | Yes | Pentest Finding Definition |
| Site | Yes | Site |
| Static Code Finding | Yes | Static Code Finding |
| Static Code Finding Definition | Yes | Static Code Finding Definition |
The Veracode connector does not retrieve findings with a Remediated status from Veracode. Only findings with other statuses are ingested. The Brinqa team is working to update the connector to use the Veracode Reporting REST API, which supports this functionality.
For detailed steps on how to view the data retrieved from Veracode in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Application
Table 2: Application attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| app.id | uid |
| app.lastCompletedScanDate | lastAssessed |
| app.modified | sourceLastModified |
| app.profile.businessCriticality | Local variable (businessCriticality) |
| app.profile.businessOwners.email | owner |
| app.profile.description | description |
| app.profile.name | name |
| app.profile.policies.name | Local variable (policy) |
| app.profile.policies.policyComplianceStatus | Local variable (policy), Local variable (rulesStatus), Local variable (sourceComplianceStatus) |
| app.profile.tags | tags |
| app.profile.teams.teamName | Local variable (teams) |
| categories | categories |
| last_captured | lastCaptured |
| last_scan_name | Local variable (lastScanName) |
| last_scan_published | Local variable (lastScanPublished) |
| profile.archerAppName | Local variable (archerAppName) |
| scan.modifiedDate | Local variable (lastStaticScan), Local variable(lastDynamicScan) |
Component
Table 3: Component attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| categories | categories |
| finding.app.id | targets |
| finding.findingDetails.componentFileName | name, fileName |
| finding.findingDetails.componentId | uid |
| finding.findingDetails.licenses.licenseId | licenses |
| finding.findingDetails.version | currentVersion |
| finding.findingDetail.componentPath.path | Local variable (compFilePath), Local variable (filePaths) |
| finding.findingStatus.isNew | Local variable (isNew) |
| violatesPolicy | Local variable (policyViolations) |
Dynamic Code Finding
Table 4: Dynamic Code Finding attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| app.id | targets |
| app.profile.name | Local variable (appName) |
| categories | categories |
| cwe.description | description |
| cwe.id | cweIds, weaknesses |
| cwe.references | references |
| cwe.severity | severity, sourceSeverity, severityScore |
| finding.buildId | Local variable (buildId) |
| finding.count | Local variable (count) |
| finding.description | description |
| finding.findingDetail.exploitability | Local variable (exploitLevel) |
| finding.findingDetail.fileLineNumber | results, Local variable (lineNumber) |
| finding.findingDetail.fileName | results, Local variable (sourceFile) |
| finding.findingDetail.filePath | results, Local variable (sourceFilePath) |
| finding.findingDetail.findingCategory.name | Local variable (flawType) |
| finding.findingDetail.module | results, Local variable (module) |
| finding.findingDetails.cwe.id | type, uid |
| finding.findingDetails.cwe.name | name |
| finding.findingDetails.url.getHost | targets, uid, url, name |
| finding.findingDetails.url.getPath | path |
| finding.findingDetails.url.getPort | port |
| finding.findingStatus.firstFoundDate | firstFound |
| finding.findingStatus.isNew | Local variable (isNew) |
| finding.findingStatus.lastSeenDate | lastFound |
| finding.findingStatus.mitigationReviewStatus | Local variable (mitigationStatus) |
| finding.findingStatus.resolution | Local variable (resolution) |
| finding.findingStatus.resolutionStatus | Local variable (resolutionStatus) |
| finding.findingStatus.status | status, sourceStatus, statusCategory |
| finding.issueId | Local variable (issueId) |
| recommendation | recommendation |
| uid | uid |
Dynamic Code Finding Definition
Table 5: Dynamic Code Finding Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| category.name | categories |
| category.recommendation | recommendation |
| cwe.description | description |
| cwe.id | cweIds, weaknesses |
| cwe.references | references |
| cwe.severity | severity, sourceSeverity, severityScore |
Open Source Finding
Table 6: Open Source Finding attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| finding.app.id | targets |
| finding.findingDetails.componentFileName | Local variable (compName), Local variable (compFileName) |
| finding.findingDetails.componentId | targets |
| finding.findingDetails.cve.name | type, uid, name, cveRecords, cveIds |
| finding.findingDetails.cve.cvss | cvssV2BaseScore |
| finding.findingDetails.cve.cve.cvss3.score | cvssV3BaseScore |
| finding.findingDetails.cve.cve.cvss3.vector | Use CVSS calculator |
| finding.findingDetails.cve.vector | Use CVSS calculator |
| finding.findingDetails.cwe.id | cweIds, weaknesses |
| finding.findingDetails.severity | severity, sourceSeverity, severityScore |
| finding.findingDetails.version | Local variable (compVersion) |
| finding.findingDetail.version | Local variable (compVersion) |
| finding.findingStatus.isNew | Local variable (isNew) |
| finding.findingStatus.lastSeenInstant | lastFound |
| finding.findingStatus.status | status, sourceStatus, statusCategory |
| last_fixed | lastFixed |
| recommendation | recommendation |
| uid | uid |
Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.
Open Source Finding Definition
Table 7: Open Source Finding Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| finding.description | description |
| finding.findingDetails.cve.name | type, uid, name, cveRecords, cveIds |
| finding.findingDetails.cve.cvss | cvssV2BaseScore |
| finding.findingDetails.cve.cve.cvss3.score | cvssV3BaseScore |
| finding.findingDetails.cve.cve.cvss3.vector | Use CVSS calculator |
| finding.findingDetails.cve.vector | Use CVSS calculator |
| finding.findingDetails.cwe.id | cweIds, weaknesses |
| finding.findingDetails.severity | severity, sourceSeverity, severityScore |
| recommendation | recommendation |
| violatesPolicy | Local variable (policyViolations) |
Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.
Pentest Finding
Table 8: Pentest Finding attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| app.id | targets |
| app.profile.name | Local variable (appName) |
| category.recommendation | recommendation |
| cvss_v2_base_score | cvssV2BaseScore |
| finding.buildId | Local variable (buildId) |
| finding.count | Local variable (count) |
| finding.description | description |
| finding.findingDetail.exploitability | Local variable (exploitLevel) |
| finding.findingDetail.fileLineNumber | results, Local variable (lineNumber) |
| finding.findingDetail.fileName | results, Local variable (sourceFile) |
| finding.findingDetail.filePath | results, Local variable (sourceFilePath) |
| finding.findingDetail.findingCategory.name | Local variable (flawType) |
| finding.findingDetail.module | results, Local variable (module) |
| finding.findingDetails.cwe.id | type, uid |
| finding.findingDetails.cwe.name | name |
| finding.findingStatus.firstFoundDate | firstFound |
| finding.findingStatus.isNew | Local variable (isNew) |
| finding.findingStatus.lastSeenDate | lastFound |
| finding.findingStatus.mitigationReviewStatus | Local variable (mitigationStatus) |
| finding.findingStatus.resolution | Local variable (resolution) |
| finding.findingStatus.resolutionStatus | Local variable (resolutionStatus) |
| finding.findingStatus.status | status, sourceStatus, statusCategory |
| finding.issueId | Local variable (issueId) |
| recommendation | recommendation |
| tags | tags |
| uid | uid |
Pentest Finding Definition
Table 9: Pentest Finding Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| category.name | categories |
| category.recommendation | recommendation |
| cwe.description | description |
| cwe.id | cweIds, weaknesses |
| cwe.references | references |
| cwe.severity | severity, sourceSeverity, severityScore |
| tags | tags |
Site
Table 10: Site attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| categories | categories |
| finding.findingDetails.url.getHost | name, targets, uid, url |
| lastUpdated | lastCaptured |
Static Code Finding
Table 11: Static Code Finding attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| app.id | targets |
| app.profile.name | Local variable (appName) |
| category.recommendation | recommendation |
| cvss_v2_base_score | cvssV2BaseScore |
| finding.buildId | Local variable (buildId) |
| finding.count | Local variable (count) |
| finding.description | description |
| finding.findingDetail.exploitability | Local variable (exploitLevel) |
| finding.findingDetail.fileLineNumber | results, Local variable (lineNumber) |
| finding.findingDetail.fileName | results, Local variable (sourceFile) |
| finding.findingDetail.filePath | results, Local variable (sourceFilePath) |
| finding.findingDetail.findingCategory.name | Local variable (flawType) |
| finding.findingDetail.module | results, Local variable (module) |
| finding.findingDetails.cwe.id | type, uid, cweIds, weaknesses |
| finding.findingDetails.cwe.name | name |
| finding.findingStatus.firstFoundDate | firstFound |
| finding.findingStatus.isNew | Local variable (isNew) |
| finding.findingStatus.lastSeenDate | lastFound |
| finding.findingStatus.mitigationReviewStatus | Local variable (mitigationStatus) |
| finding.findingStatus.resolution | Local variable (resolution) |
| finding.findingStatus.resolutionStatus | Local variable (resolutionStatus) |
| finding.findingStatus.status | status, sourceStatus, statusCategory |
| finding.issueId | Local variable (issueId) |
| recommendation | recommendation |
| uid | uid |
Static Code Finding Definition
Table 12: Static Code Finding Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| category.name | categories |
| category.recommendation | recommendation |
| cwe.references | references |
| cwe.severity | severity, sourceSeverity, severityScore |
| cvss_v2_base_score | cvssV2BaseScore |
| finding.description | description |
| finding.findingDetails.cwe.id | type, uid, cweIds, weaknesses |
| finding.findingDetails.cwe.name | name |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Veracode connector supports the following operation options. See connector operation options for information about how to apply them.
Table 13: Veracode connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Application | business_unit | Any business unit name | A comma-separated list of business unit names. Return only the applications associated with the specified business unit names. | Key: business_unit Value: Finance,HR. This key and value combination only retrieves applications associated with the Finance and HR business units. |
| modified_after | Any date in yyyy-MM-dd format | Return only the applications modified after the specified date. | Key: modified_after Value: 2024-08-01. This key and value combination only retrieves applications that have been modified since August 1, 2024. | |
| name | Any application name | A comma-separated list of application names. Return only the applications with the specified names. | Key: name Value: VeracodeApp1,VeracodeApp2. This key and value combination only retrieves the specified applications. | |
| policy_compliance | CONDITIONAL_PASS, DETERMINING, DID_NOT_PASS, NOT_ASSESSED, PASSED, VENDOR_REVIEW | A comma-separated list of policy compliance statuses. Return only the applications with the specified policy compliance statuses. | Key: policy_compliance Value: DID_NOT_PASS,NOT_ASSESSED. This key and value combination only retrieves applications with the specified policy compliance statuses. | |
| Dynamic Code Finding, Pentest Finding, Static Code Finding | new | true, false | Return only the findings that are marked as new or not new based on the specified value. | Key: new Value: true. This key and value combination only retrieves findings that are marked as new. |
| severity_gte | 0,1,2,3,4,5 | Return all findings with a severity value greater than or equal to the specified value. | Key: severity_gte Value: 3. This key and value combination retrieves all findings with a severity value of 3 or higher. | |
| violates_policy | true or false | Return only the findings that violate policy or do not violate policy based on the specified value. | Key: violates_policy Value: true. This key and value combination only retrieves findings that violate policy. | |
| Open Source Finding, Open Source Finding Definition | cve | Any CVE ID | Return only the findings associated with the specified CVE IDs. | Key: cve Value: CVE-2023-12345. This key and value combination only retrieves findings associated with the specified CVE ID. |
| sca_dep_mode | BOTH, DIRECT, TRANSITIVE, UNKNOWN | A comma-separated list of dependency modes. Return only the findings with the specified dependency mode. | Key: sca_dep_mode Value: DIRECT,UNKNOWN. This key and value combination only retrieves findings with a direct or unknown dependency mode. | |
| sca_scan_mode | AGENT, BOTH, UPLOAD | Return only the findings with the specified scan mode. | Key: sca_scan_mode Value: AGENT. This key and value combination only retrieves findings with an agent scan mode. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Veracode connector uses the Veracode REST API v1 and v2. Specifically, it uses the following endpoints:
Table 14: Veracode REST API Endpoints
| Connector Object | API Endpoints |
|---|---|
| Application | GET /appsec/v1/applications |
| Component | GET /appsec/v2/applications/{application_guid}/findings |
| Dynamic Code Finding | GET /appsec/v2/applications/{application_guid}/findings |
| Dynamic Code Finding Definition | GET /appsec/v2/applications/{application_guid}/findings |
| Open Source Finding | GET /appsec/v2/applications/{application_guid}/findings |
| Open Source Finding Definition | GET /appsec/v2/applications/{application_guid}/findings |
| Pentest Finding | GET /appsec/v2/applications/{application_guid}/findings |
| Pentest Finding Definition | GET /appsec/v2/applications/{application_guid}/findings |
| Site | GET /appsec/v2/applications/{application_guid}/findings |
| Static Code Finding | GET /appsec/v2/applications/{application_guid}/findings |
| Static Code Finding Definition | GET /appsec/v2/applications/{application_guid}/findings |
Changelog
The Veracode connector has undergone the following changes:
3.1.7
-
Fixed data type mismatches for the following objects:
- Component and Static Code Finding: Changed the TARGETS attribute type from long to string.
- Dynamic Code Finding Definition, Open Source Finding Definition, and Static Code Finding Definition: Changed the SOURCE_SEVERITY attribute type from long to string.
3.1.6
- Updated the CWE_IDS attribute on the Dynamic Code Finding Definition object to use a properly formatted list of strings. CWE IDs for Dynamic Code Finding Definitions are now formatted as
CWE-123, whereas previously, they were coming in as integers, such as123.
3.1.5
- Added applications as a target for Dynamic Code Findings.
3.1.4:
- Added support for Data lifecycle management to the Application, Dynamic Code Finding, Open Source Finding, Pentest Finding, Site, and Static Code Finding objects.
3.1.3
- Fixed an issue where open source findings were not being retrieved.
3.1.2
-
Added a rate limiter to help improve API performance.
-
Code clean up and maintenance.
3.1.1
- Fixed an issue where the CWE ID on Findings were displayed in an incorrect format.
3.0.12
- The LAST_DYNAMIC_SCAN and LAST_STATIC_SCAN attributes are now used to separately capture the published dates for dynamic and static scans on the Application object. This allows for more precise tracking and compliance assessment of scan dates.
3.0.11
- Added the ARCHER_APP_NAME attribute to the Application object.
3.0.10
- Changed the data type of the ISSUE_ID attribute to Integer for sorting purposes.
3.0.9
- Stopped retrying the error elements in the Veracode API responses.
3.0.8
-
Added all the statuses as multi-valued fields.
-
Assigned the last approved remediation action to the REMEDIATION_STATUS attribute.
3.0.7
- Revised the logic for creating finding definitions to be based on the Common Weakness Enumeration (CWE) descriptions.
3.0.6
- Added Component, Open Source Finding, and Open Source Finding Definition as connector objects.
3.0.5
- Added Pentest Finding and Pentest Finding Definition as connector objects.
3.0.1
- Added new attributes, MITIGATION_STATUS and MITIGATION_STATUS_DESCRIPTION, in the Dynamic Code Finding and Static Code Finding object.
3.0.0
- Initial Integration+ release.