Veracode Software Security Integration

Veracode

Ortelius can associate Veracode Security Scan to your Component Version Associating these metrics enable compliance scoring for Application Versions since the metrics are rolled-up from the Component Versions to the Application Version. See an Application Compliance Scorecard Report below for details.

Example Scorecard Report

Getting metrics from Veracode to Ortelius

The Ortelius CI/CD command line program is used to associate Veracode metrics to the Ortelius Component Version. See CLI Installation for instructions on basic setup in your CI/CD pipeline.

Restful API calls are needed in your pipeline to grab the metrics from Veracode. Shell commands using HTTPie, xmltojson and jq allow us to parse the data returned from Veracode and format it for storage with the Component Version. The component.toml file used by the Ortelius CLI is appended to with each new metric and upload to Ortelius at the end of the pipeline. See CI-CD Support for more details.

Note: Your codebase must be scanned with Veracode and the results uploaded to the Veracode Server. Veracode RestAPI calls will be made to fetch the metrics from the stored scanned results. HTTPie (http command) is used in order to authenticate using the veracode_hmac auth-type.

VerCode Score

VERACODE_API_KEY_ID=${VERACODE_USERNAME}
VERACODE_API_KEY_SECRET=${VERACODE_PASSWORD}

http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/detailedreport.do" "build_id==${build_id}" > detailedreport.xml
VERACODE_SCORE=$(xmltojson detailedreport.xml | jq -r '.detailedreport."static-analysis"."@score"')

echo "    VeracodeScore = \"${VERACODE_SCORE}\"" >> ${COMPONENT_TOML}