Veracode V2 Connector Guide
Summary: How to set up and use the Veracode V2 connector in Ivanti Neurons for RBVM/ASPM/VULN KB.
Veracode V2 Connector Overview
The RBVM platform provides an API-based connector that integrates with Veracode (SAST and DAST). It enables customers to bring their Veracode findings into RBVM/ASPM/VULN KB and gain visibility into the overall risk posed by vulnerabilities in their applications, providing a simpler and more efficient way to manage those vulnerabilities.
Ivanti Neurons for RBVM/ASPM/VULN KB users can configure the connector to pull scan data from Veracode V2 on a periodic basis. Data from Veracode V2 is ingested as both Applications and Application Findings. Ivanti Neurons for RBVM/ASPM/VULN KB pulls both SCA and MPT findings from Veracode V2.
Veracode V2 Overview
Veracode V2 is a cloud-based solution that performs both SAST and DAST scanning of the application module. Veracode V2 also provides manual penetration testing of applications.
Veracode V2 Connector Setup Prerequisites
- Connector setup in Ivanti Neurons for RBVM/ASPM/VULN KB requires the user credentials for their cloud platform via this link.
- Perform scans for the desired applications, both SAST and DAST.
- The Veracode V2 connector pulls these files based on the schedule defined during configuration and processes the data, categorizing them into Applications and Application Findings.
- For information on performing a sample DAST scan in Veracode V2, see Veracode DAST Data Export Guide.
- Please note that when using the guide referenced above, skip the report download and upload to Ivanti Neurons for RBVM/ASPM/VULN KB steps.
User Access and Permissions
To set up the connector, the user account must have API access to Veracode V2.
To obtain API credentials from Veracode V2, click Organization in the top-right corner and go to the API Credentials page. Click Generate API Credentials and copy this information for later use.
Creating the Connector in Ivanti Neurons
Navigate to the Automate > Integrations page.
Using the search bar in the upper-right corner of the Integrations page, type Veracode to find the connector.
Locate the Veracode card on the page and click Configuration.
In the Connection section, enter the following details:
- Name: Connector name.
- Region: Select the required region from the list.
- Regional URL: Add the Veracode cloud instance URL: https://analysiscenter.veracode.com/.
- ID: Veracode ID retrieved earlier in this guide’s User Access and Permissions section.
- API Key: Veracode API credentials retrieved earlier in this guide’s User Access and Permissions section.
- Select Network: Network name in Ivanti Neurons for RBVM/ASPM/VULN KB. Ingested data will be associated with this network.
Once the fields are complete, click Test Credentials to verify the credentials are correct and can connect to the Veracode V2 instance.
Configure the desired schedule for the connector to retrieve results from the Veracode V2 instance.
Oldest Scan Data Pull: Maximum number of days the connector should go back to pull scan results from Veracode V2. This drop-down currently supports 30, 60, 90, and 180 days, and one year.
Once connector configuration is complete, click Save to create the connector.
Once created, the connector starts pulling data from Veracode V2, and a new entry for it appears at the top of the Integrations page. The connector’s card shows the next scheduled time and date it will fetch results. Check the connector’s status by clicking the History button.
View files pulled from Veracode on the Configuration > Uploads page.
Data Visualization in Ivanti Neurons for RBVM/ASPM/VULN KB
Scan data pulled from Veracode V2 via the connector is available on the Manage > Applications and Manage > Application Findings pages.
Ivanti Neurons fingerprints the data according to the type of scan performed in Veracode, either SAST or DAST. The scanner name is VERACODE for all types of findings, such as STATIC, DYNAMIC, SCA, and MANUAL. Fingerprinting is done at the file level, and applications are created from it. Application findings are also individually marked with the VeracodeSAST / VeracodeDAST scanner types.
Assets discovered from the scan data are added to the Manage > Applications page.
The Manage > Application Findings page displays all identified vulnerability details.
Veracode V2 Data Mapping in Ivanti Neurons for RBVM/ASPM/VULN KB
The Scanner Name associated with these scans is VeracodeDAST/VeracodeSAST, which can be used as a filter on the Applications page in Ivanti Neurons for RBVM/ASPM/VULN KB.
Applications Page
The following table provides a high-level mapping of Ivanti Neurons Applications fields to Veracode SAST/DAST fields.
| Ivanti Neurons Field | Veracode SAST Field | Veracode DAST Field |
|---|---|---|
| Name | app_name | app_name |
| Address | app_name | app_name |
| Discovered on | first assessment date | first assessment date |
| Last Found on | latest assessment date | latest assessment date |
| Scanner Name | VeracodeSAST | VeracodeDAST |
Application Findings Page
The following table provides a high-level mapping of Ivanti Neurons Application Findings fields to Veracode SAST/DAST fields.
| Ivanti Neurons Field | Veracode SAST Field | Veracode DAST Field |
|---|---|---|
| Title | categoryname | categoryname |
| Location | combination of values from module + sourcefilepath + sourcefile | url |
| Description | description | description |
| Scanner Plugin | combination of values from cweid or cveid + issueid | combination of values from cweid or cveid + issueid |
| Possible Solution | recommendations | recommendations |
| Discovered on | date_first_occurrence | date_first_occurrence |
| Last Found on | latest assessment date | latest assessment date |
| Finding Type | SAST | DAST |