Before you run the integration on your instance, the installation and configuration steps must be completed so the Veracode product properly integrates with Application Vulnerability Response. This application is available as a separate subscription.

Before you begin

Complete the following setup checklist prior to installation. These setup tasks are required for a smooth installation and configuration.
Note: This process applies only to applications that are downloaded to production instances. If you're downloading applications to non-production or development instances, it's not necessary to get entitlements. Proceed to Activate a ServiceNow Store application.
Setup tasks and descriptions

Setup task: Verify that the Vulnerability Response application is installed and activated.
Description: To verify that this application is activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions your organization has purchased. If the application is not installed and activated, see Install Vulnerability Response.

Setup task: Verify that the Vulnerability Response Integration with Veracode application is installed and activated.
Description: To verify that this application is activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions your organization has purchased. If the application is not installed and activated, see Install the ServiceNow Vulnerability Response Integration with Veracode.

Setup task: Verify that you have the required ServiceNow roles for your instance.
Description: The following roles are required for configuration and verification of expected results:
  • If not already assigned, the System Administrator [admin] installs the app and assigns users to the App-Sec Manager user group.
  • The App-Sec Manager oversees configuration and verifies expected results.

Setup task: For the Veracode Application Vulnerability integration, have your API ID and API key ready.
Description: Contact Veracode to obtain the API ID and API key. See Preparing for the Veracode Vulnerability Integration.

Starting with version 4.0 of the Veracode Vulnerability Integration, penetration assessment tests are imported as manual findings from Veracode. These findings are not linked to any penetration test assessment requests you configure in Application Vulnerability Response. For more information about penetration test requests in Application Vulnerability Response, see Configure penetration testing.

Role required: App-Sec Manager user group

Procedure

  1. Navigate to All > Veracode Vulnerability Integration > Configuration.
  2. Fill in the API ID and API Key fields.
  3. Choose your testing results. The available options depend on your version of the integration:
    Version 4.0:
    1. Select DAST or SAST data types to include in the import.
      Note: You can choose one or the other, or both, but you must select at least one.
    2. Select SCA to import Software Composition Analysis (SCA) vulnerabilities.
    3. Select Include Manual to import manual penetration testing results from Veracode. AVITs are created for these results.
    Version 3.0:
    Select DAST or SAST data types to include in the import.
    Note: You can choose one or the other, or both, but you must select at least one.
    Version 1.0:
    Dynamic Application Security Testing (DAST) results are selected by default.
    Update SCA findings from:
    ‘Default’ is the set value until you change it. You must select the Include SCA findings check box and choose one option from the list:
    • Agent – the agent scan results make the final updates to SCA findings
    • Upload – the upload scan results make the final updates to SCA findings
    • Default – the last scan processed, either the agent or upload scan, makes the final updates to SCA findings
    Note: If you do not select the Include SCA findings check box on the configuration page, the scan you selected from the list is not used, and the last scan that is processed makes the final updates.
  4. Add the Veracode Severity level to filter your imported data.
    This value is imported from Veracode. You can add multiple values to the field. If populated, the import only gathers data that matches the Severity levels you've added.
  5. Save and validate your choices. The steps depend on your version of the integration:
    Version 3.0:
    Click Save and Test Credentials.
    Note: Configuration is complete unless an error message is displayed. If an error message is displayed during the configuration, re-enter your data.
    Version 1.0:
    Click Save, then verify successful configuration by clicking Test Credentials.
    Note: Configuration is complete unless an error message is displayed. If an error message is displayed during the configuration, re-enter your data.
  6. Select how you want to manage exceptions and false positives for AVITs upon import.
    Options to manage AVITs upon import with the ServiceNow Exception management and False positive workflows are activated by default. The workflows are triggered based on how the Source states on the AVITs are mapped in your instance. For an example use case, see Managing state mapping for deferrals and false positives in Application Vulnerability Response.
    Activated:
    • Manage exceptions in ServiceNow: Leave this option activated if you want to triage imported AVITs marked for the Deferred state. AVITs with Source states that normally are mapped to a Deferred state in your instance are instead mapped to Open. You request an exception from the AVIT record.
    • Manage false positives in ServiceNow: Leave this option activated if you want to triage imported AVITs with Source states marked as False Positive or Potential False Positive. AVITs with these Source states that normally are mapped to a Closed state in your instance are instead mapped to Open. You request a false positive from the AVIT record.
    Deactivated:
    Deactivate one or both check boxes if you want to preserve the Source states imported from your scanner. These AVITs are mapped to the Target and Target reason states as they are imported but are not triaged by the exception and false positive workflows. The Request exception and False Positive actions are not visible on AVITs.

  7. Starting with v4.3, choose or verify settings for the following parameters:
    • API region: Select a region from the list.
    • API timeout: The default is 30K. You might prefer to leave this field at its default setting.
    • Include SBOM vulnerabilities: Select to include any vulnerabilities that are ingested by the Veracode integrations in the Veracode SBOM files you upload. Leave the field cleared so Veracode vulnerabilities are not parsed from Veracode SBOM files.

  8. Select Save and Test Credentials.

What to do next

If your environment requires domain-separated imports, see Create domain-separated imports for an integration.

On initial installation, refer to Configure Application Vulnerability Response for further instructions.

After initial installation, for modifications refer to Veracode Vulnerability Integration modifications and activities.