Veracode Software Security Integration

Associating Veracode Security Scan to your Component Version.


Ortelius can associate Veracode Security Scan to your Component Version Associating these metrics enable compliance scoring for Application Versions since the metrics are rolled-up from the Component Versions to the Application Version. See an Application Compliance Scorecard Report below for details.

Example Scorecard Report

Scorecard with Veracode Metrics

Getting metrics from Veracode to Ortelius

The Ortelius CI/CD command line program is used to associate Veracode metrics to the Ortelius Component Version. See CLI Installation for instructions on basic setup in your CI/CD pipeline.

Restful API calls are needed in your pipeline to grab the metrics from Veracode. Shell commands using HTTPie, xmltojson and jq allow us to parse the data returned from Veracode and format it for storage with the Component Version. The component.toml file used by the Ortelius CLI is appended to with each new metric and upload to Ortelius at the end of the pipeline. See CI-CD Support for more details.

Note: Your codebase must be scanned with Veracode and the results uploaded to the Veracode Server. Veracode RestAPI calls will be made to fetch the metrics from the stored scanned results. HTTPie (http command) is used in order to authenticate using the veracode_hmac auth-type.

VerCode Score

Variable Value
VERACODE_USERNAME Username to login into
VERACODE_PASSWORD Password for Veracode login
build_id build_id that the Veracode scan is published under
COMPONENT_TOML The Ortelius Component TOML file that defined the Component Version to Ortelius. Typically called component.toml

http --auth-type=veracode_hmac "" "build_id==${build_id}" > detailedreport.xml
VERACODE_SCORE=$(xmltojson detailedreport.xml | jq -r '.detailedreport."static-analysis"."@score"')

echo "    VeracodeScore = \"${VERACODE_SCORE}\"" >> ${COMPONENT_TOML}