Veracode Vulnerability Integration
The Vulnerability Response Integration with Veracode application uses data imported from the Veracode product to help you determine the impact and priority of flaws in your code.
The Veracode product collects Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and manual scanner data and makes that data available to the ServiceNow AI Platform®. It integrates with the Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities to your applications and enrich the data in your instance.
Starting with v19.0 of Vulnerability Response, you can import Software Composition Analysis (SCA) vulnerabilities and Software Bill of Materials (SBOM) vulnerability data to help you identify weaknesses in your software applications. For more information, see Exploring Software Bill of Materials.
A shared API ingests DAST, SAST, SCA data and manual penetration testing results.
There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.
Every day, scheduled jobs invoke the integrations automatically in the order they are listed. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.
Get more details from Veracode
Starting with v4.2, select Get More Details on application vulnerable items (AVITs) that have Veracode as the Source on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table or from the list views in the Vulnerability Response Workspaces to view the following Veracode data.
- HTTP Source request and Source response details for Dynamic Application Security Testing (DAST) scans are displayed on the HTTP Request/Response related list.
- Solution recommendations from Veracode are displayed on the Findings related list.
- HTTP Source request, Source response, and recommendations are displayed on the Details tab in the Vulnerability Response workspaces.
- The Description column is supported on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table.
Available versions
| Release version | Release Notes |
|---|---|
| Veracode v4.3, Veracode v4.2, Veracode v4.1 | For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes |
User group and roles
The Veracode Vulnerability Integration is installed by a system administrator [admin] and configured by a member of the App-Sec Manager group. See Application Vulnerability Response user groups and roles for more information.
Veracode Vulnerability Integration
To view the Veracode vulnerability integrations, navigate to .
The following integrations are included in the base system.
| Integration | Description |
|---|---|
| Beginning with v4.1: Veracode Link projects Integration | This integration is activated by default. Retrieves all associated projects for each application from Veracode. Applications can have multiple projects in the Veracode application. Imported data from this integration is displayed on the following records: |
| Veracode Application List Integration (JSON) | This integration is inactive by default. Retrieves Veracode application scanner data (vulnerabilities, metadata) and enriches your application data. Retrieves scan records from Veracode via a JSON-based API. |
| Veracode Application List Integration (XML) | This integration is inactive by default. The XML-based version of this integration has been deactivated (deprecated). Retrieves Veracode application scanner data (vulnerabilities, metadata) and enriches your application data. This integration is set to run daily at 00:00:00. Note: A JSON-based API from Veracode is used to retrieve the list of applications. This API imports the 'last policy compliance check date' for these applications, which indicates when each application was last scanned by Veracode. |
| Veracode Software Bill of Materials (SBOM) Integration | Version 4.3 of the Veracode Vulnerability Integration includes the following enhancements for Veracode SBOM files: This integration is activated by default. Beginning with v4.2, imports Software Bill of Materials files in CycloneDX and SPDX formats generated by Veracode and queues them for parsing in your instance. You must have the Software Bill of Materials application installed to import and view this data. |
| Veracode Scan Summary Integration (JSON) | This integration is inactive by default. Retrieves scan records from Veracode via a JSON-based API. This integration replaces the XML-based API integration. It is chained and follows the Veracode Application List Integration when activated. |
| Veracode Scan Summary (XML) | This integration is inactive by default. The XML-based version of this integration has been deactivated (deprecated). Retrieves scan records from Veracode. This integration is chained and automatically follows the Veracode Application List Integration when activated. Note: Using the 'Last policy compliance check date' of the applications retrieved from Veracode, this integration retrieves data only for the applications that were scanned after the 'delta_start_time' of this integration. |
| Veracode Application Vulnerable Item JSON Integration | Starting with v4.2, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integrations. This integration is inactive by default. Retrieves scan results from Veracode with more vulnerability data than the XML-based integration. It inserts Application Vulnerable Items (AVITs) and enriches your third-party vulnerability data. |
| Veracode Application Vulnerable Item Integration (XML) | Starting with v4.2, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integrations. This integration is inactive by default. Retrieves scan results from Veracode, inserts Application Vulnerable Items (AVITs), and enriches your third-party vulnerability data. By default, if the scanner record is in the Closed state, no AVIT is created; existing AVITs are still updated. This integration is chained and automatically follows the Veracode Scan Summary integration when activated. The XML-based API is deprecated in favor of the Veracode Scan Summary JSON integration. Note: Using the 'Last policy compliance check date' of the applications retrieved from Veracode, this integration retrieves data only for the applications that were scanned after the 'delta_start_time' of this integration. |
| Veracode Categories Integration | This integration is inactive by default. Retrieves enhanced Categories data from Veracode. |
| Veracode CWE Integration | This integration is activated by default. Retrieves Veracode-specific Common Weakness Enumeration (CWE) data for threat information and remediation recommendations. This data is populated and updated on Application Vulnerability Entry records. This CWE integration operates independently from the scheduled job for the CWE Comprehensive 2000 Integration that you activate for the Vulnerability Response application. Your data is not duplicated if both the Veracode CWE Integration and the CWE Comprehensive 2000 Integration are activated. |
| Veracode DevOps Integration | This integration is inactive by default. The integration is viewable on the Application Vulnerability Integrations list in Application Vulnerability Response. If you have a DevOps Change Velocity license, this feature is structured so that DevOps users do not need a SecOps license to view summary details for third-party vulnerability scans. There is no impact on or change to Application Vulnerability Response. |
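The table states two import rules that are easy to get subtly wrong when you build or troubleshoot a chained scanner import: the delta rule (only applications whose 'Last policy compliance check date' is later than the integration's `delta_start_time` are pulled) and the Closed-state rule (a scanner record that is already Closed never creates a new AVIT, but an AVIT that already exists is still updated, including to Closed). The following Python is an added illustrative model of those two rules, not ServiceNow's or Veracode's code. The record shapes, the field names `app_id`, `flaw_id` and `last_policy_compliance_check_date`, the `AvitStore` class, and all sample data are constructed for this example.

```python
# Illustrative model of the delta-import and Closed-state rules (example code,
# not ServiceNow's or Veracode's implementation). Record shapes, field names and
# sample data are all constructed for this example.
from dataclasses import dataclass, field
from datetime import datetime, timezone


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; treat a naive value as UTC so every
    comparison is between timezone-aware datetimes (mixing raises TypeError)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def applications_to_scan(apps, delta_start_time):
    """Select application IDs whose last policy compliance check date is later
    than delta_start_time. An application with no recorded date is kept rather
    than silently dropped: a missing date does not prove it was never scanned."""
    start = parse_ts(delta_start_time)
    selected = []
    for app in apps:
        checked = app.get("last_policy_compliance_check_date")
        if checked is None or parse_ts(checked) > start:
            selected.append(app["app_id"])
    return selected


@dataclass
class AvitStore:
    """In-memory stand-in for the Application Vulnerable Item table."""
    rows: dict = field(default_factory=dict)
    created: list = field(default_factory=list)
    updated: list = field(default_factory=list)
    skipped: list = field(default_factory=list)

    def upsert(self, finding):
        key = (finding["app_id"], finding["flaw_id"])
        if key in self.rows:
            # An existing AVIT is always updated, including a move to Closed.
            self.rows[key]["state"] = finding["state"]
            self.rows[key]["severity"] = finding["severity"]
            self.updated.append(key)
        elif finding["state"] == "Closed":
            # Default rule: a scanner record already in Closed never creates an AVIT.
            self.skipped.append(key)
        else:
            self.rows[key] = {"state": finding["state"], "severity": finding["severity"]}
            self.created.append(key)


def run_import(apps, findings, delta_start_time, store):
    """One delta run: filter applications first, then upsert only their findings."""
    selected = set(applications_to_scan(apps, delta_start_time))
    for finding in findings:
        if finding["app_id"] in selected:
            store.upsert(finding)
    return store


# Constructed sample data (not real Veracode output).
SAMPLE_APPS = [
    {"app_id": "app-1", "last_policy_compliance_check_date": "2024-05-02T08:00:00Z"},
    {"app_id": "app-2", "last_policy_compliance_check_date": "2024-04-20T08:00:00Z"},
    {"app_id": "app-3", "last_policy_compliance_check_date": None},
]
SAMPLE_FINDINGS = [
    {"app_id": "app-1", "flaw_id": "101", "state": "Open", "severity": "High"},
    {"app_id": "app-1", "flaw_id": "102", "state": "Closed", "severity": "Medium"},
    {"app_id": "app-2", "flaw_id": "201", "state": "Open", "severity": "High"},
    {"app_id": "app-3", "flaw_id": "301", "state": "Closed", "severity": "Low"},
]
DELTA_START_TIME = "2024-05-01T00:00:00Z"


def run_example():
    """Seed one pre-existing AVIT for app-3, then run the delta import."""
    store = AvitStore()
    store.rows[("app-3", "301")] = {"state": "Open", "severity": "Low"}
    return run_import(SAMPLE_APPS, SAMPLE_FINDINGS, DELTA_START_TIME, store)


if __name__ == "__main__":
    result = run_example()
    print("created:", result.created)   # [('app-1', '101')]
    print("updated:", result.updated)   # [('app-3', '301')]
    print("skipped:", result.skipped)   # [('app-1', '102')]
```

In the sample run, app-2 is excluded entirely because its last check predates `delta_start_time`, so its Open finding 201 never reaches the store; finding 102 on app-1 is Closed and new, so it is skipped; and finding 301 on app-3 is Closed but already exists, so it is updated to Closed. When you reconcile AVIT counts against the Veracode console, these three cases account for most "missing" items.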
For integration run statuses, see View the Veracode Application Vulnerability Integration import run status.
To view data in third-party vulnerabilities, see View vulnerability libraries.