This is a VSCode plugin that integrates with the Veracode platform and enables downloading of scan results (findings).
The plugin does not support the upload-and-scan action.
This extension contributes the following settings (default values are shown in parentheses):

- veracode.credsFile: (<your_home_directory>/.veracode/credentials) - a text file of the format:

  ```ini
  [default]
  veracode_api_key_id = <your_veracode_api_id>
  veracode_api_key_secret = <your_veracode_api_key>
  ```

- veracode.API profile in configuration file: the profile (or section) of API credentials to be used for communicating with the Veracode Platform (shown as default in the example above).
- veracode.scanCount: (10) Number of scans to show for each app. Scans are shown from newest to oldest.
- veracode.sandboxCount: (5) Number of sandboxes to show for each app.
- veracode.logLevel: (info) Logging level shown in the Debug Console. Requires a restart for changes to take effect.
- veracode.proxyHost: (none) Proxy host name (e.g., https://my-proxy.com).
- veracode.proxyPort: (none) Port on the proxy host (e.g., 8080).
- veracode.proxyName: (none) Username if the proxy host requires a login.
- veracode.proxyPassword: (none) Password if the proxy host requires a login.
One of the latest features lets you bring only a single application and a specific sandbox into the current workspace.
To enable this, add a file named veracode-plugin.conf to the project root directory. The file content should be as follows:

```ini
[import]
# Application name filtering
application=Teast CSharp
# Sandbox filtering
sandbox=__policy
```

The configuration filters by exact name (application and/or sandbox).
To get only the scans in the main policy (not in a sandbox), set: sandbox=__policy
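As an added example (not the plugin's own code), a small parser for the two INI-style files described above, the credentials file with its [default] profile and veracode-plugin.conf, together with the exact-name [import] filter and its __policy sentinel. The credential values and scan records are constructed placeholders, and treating a missing [import] key as "no filter" is an assumption.

```javascript
// Parse "[section]" headers and "key = value" lines; "#" lines are comments.
function parseIni(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const header = line.match(/^\[([^\]]+)\]$/);
    if (header) {
      current = header[1].trim();
      sections[current] = sections[current] || {};
      continue;
    }
    const eq = line.indexOf("=");
    if (eq < 0 || current === null) throw new Error(`malformed line: ${raw}`);
    sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Select the credentials profile named by the "API profile" setting. Fail
// closed when the profile or either key is missing instead of guessing.
function loadCredentials(text, profile = "default") {
  const p = parseIni(text)[profile];
  if (!p || !p.veracode_api_key_id || !p.veracode_api_key_secret) {
    throw new Error(`profile "${profile}" is missing or incomplete`);
  }
  return { id: p.veracode_api_key_id, secret: p.veracode_api_key_secret };
}

// Build the [import] predicate: exact application name, and either an exact
// sandbox name or the "__policy" sentinel meaning policy (non-sandbox) scans.
// Treating a missing key as "no filter on that field" is an assumption.
function importFilter(conf) {
  const imp = parseIni(conf).import || {};
  const sandboxOk = (s) =>
    imp.sandbox === undefined ||
    (imp.sandbox === "__policy" ? s.sandbox === null : s.sandbox === imp.sandbox);
  return (s) =>
    (imp.application === undefined || s.application === imp.application) && sandboxOk(s);
}

// Constructed sample inputs (placeholder credential values, not real keys).
const SAMPLE_CREDS = "[default]\nveracode_api_key_id = ID_PLACEHOLDER\nveracode_api_key_secret = SECRET_PLACEHOLDER\n";
const SAMPLE_CONF = "[import]\n# Application name filtering\napplication=Teast CSharp\n# Sandbox filtering\nsandbox=__policy\n";
const SAMPLE_SCANS = [
  { id: 1, application: "Teast CSharp", sandbox: null },
  { id: 2, application: "Teast CSharp", sandbox: "dev" },
  { id: 3, application: "Other App", sandbox: null },
];
```

With SAMPLE_CONF only scan 1 (the policy scan of "Teast CSharp") passes the filter; changing sandbox=__policy to sandbox=dev selects scan 2 instead.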
Users can propose mitigations for unmitigated flaws and add comments to all flaws. The annotations associated with the flaws will be saved to the cloud platform.
The menu (from the Veracode tree explorer pane) has a few sorting and filtering options:

- Sort by Severity: organizes flaws by their severity
  - Medium
    - #6 - CWE-80 - <File_Name>:<line number>
  - Medium
- Sort by CWE: organizes the findings by CWE with a title:
  - CWE-80 - Medium - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    - #4 - <File_Name>:<line number>
  - CWE-80 - Medium - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- Sort by Flaw Category: organizes and groups findings by flaw category
  - <Flaw Category Name>
    - #5 - <Severity> - CWE-XXX - <File_Name>:<line number>
  - <Flaw Category Name>
- Mitigations: include or exclude mitigated findings
- Effecting Policy: remove findings that do not affect the policy associated with the Application Profile
Note: the selected grouping and filtering are shown in the IDE status bar.
An additional menu option was added to the VSCode project (files) explorer to run a pipeline scan on files with the following extensions: JAR, WAR, EAR, ZIP, APK.
The scan progress opens in its own dedicated output.
At the end of the scan, a text output report of the scan opens in the editor.
A few new reporting options are available from the Sandbox/Policy right-click menu within the hierarchy of the Veracode view added by this extension (see the first screenshot image above):

- Get a view of the vulnerabilities associated with the application policy or sandbox scan. The import menu option is available at the policy/sandbox level. Clicking on the option opens (with a delay of a few seconds) a new page (web view) in the IDE with the SCA findings.
- Fetch the summary report of the policy/sandbox as a menu option from the right-click menu of the policy or the sandbox name. Note: results also include mitigated findings.

In addition to opening automatically at the end of the scan, you can also use the right-click menu option on the JSON result file.
The file name defaults to veracode-pipeline-scan-results.json.
- You can configure the filename in the Veracode VSCode extension setting named Pipeline Scan Results Filename.

Note: the extension options enable 4 different output styles. Check the Pipeline Scan Results Display Style setting.
If your project produces an API and/or OpenAPI specification file, the plugin can also submit the specification file to the Veracode platform.
To enable the Dynamic API functionality, add the following section to your Veracode project configuration file (veracode-plugin.conf):

```ini
[api.security]
specName=Petstore API Specification
specPath=swagger/petstore-swagger.json
baseURL=http://www.example.com/api
```

Use the VSCode command palette to upload the API specification file:

> Veracode: Submit API Specification file (Swagger/HAR) to veracode platform
Please log an issue.
While it's true that I work at Veracode at the time of writing this plugin, this is not an officially supported plugin by Veracode.
The initial code base of this plugin was created by a colleague of mine, Kevin Rise.
A few features were added using code written by another colleague, Chris Campbell.