Veracode Vulnerability Integration

  • Release version: Xanadu
  • Updated August 1, 2024

    Summary of Veracode Vulnerability Integration

    The Veracode Vulnerability Integration enables ServiceNow customers to import and synchronize vulnerability data from Veracode’s security testing tools directly into their Vulnerability Response application. This integration supports Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Software Bill of Materials (SBOM) data to help identify, prioritize, and remediate software vulnerabilities effectively.


    With daily automated scheduled jobs and a shared API, the integration keeps your instance updated with the latest vulnerability findings and enriched third-party vulnerability data. It also supports manual execution of individual jobs for flexibility.

    Key Features

    • Data Import: Imports vulnerability and scan metadata, including DAST, SAST, SCA, manual scanner data, and SBOM files (CycloneDX and SPDX formats) from Veracode into ServiceNow.
    • Integration Components: Multiple integrations are provided, such as Application List, Scan Report, Scan Summary, Application Vulnerable Item (AVI), CWE data, Link Projects, and SBOM integrations, each designed to import specific types of data.
    • Enhanced Vulnerability Data: Provides detailed Veracode-specific vulnerability information, including HTTP request/response details, solution recommendations, and exploitability data, accessible via Vulnerability Response Workspaces and related lists.
    • Retry Mechanism: Built-in retry logic handles transient HTTP errors to ensure reliable data import without manual intervention.
    • Compatibility and Roles: Installed and managed by system administrators and App-Sec Managers, with defined user groups and roles for secure configuration and operation.
    • Deprecation and Updates: Supports JSON-based APIs preferred over deprecated XML-based APIs for better performance and reliability.
    • DevOps Integration: Optional, inactive-by-default integration allowing DevOps users to view third-party vulnerability scan summaries without requiring SecOps licenses, provided a DevOps Change Velocity license is in place.

    Key Outcomes

    • Improved Vulnerability Management: Automates import and enrichment of Veracode scan and vulnerability data, allowing teams to prioritize remediation efforts based on comprehensive, up-to-date insights.
    • Enhanced Visibility: Provides rich contextual data for each vulnerability, including source request/response details and remediation guidance, directly within the ServiceNow Vulnerability Response application.
    • Efficient Lifecycle Synchronization: Scheduled jobs ensure your vulnerability data remains current with Veracode scans, minimizing manual overhead and reducing the risk of missing critical vulnerabilities.
    • Comprehensive SBOM Support: Facilitates the import and analysis of SBOM files to identify weaknesses in software supply chains, supporting compliance and security initiatives.
    • Seamless Integration Experience: Preconfigured integrations with default run-as user settings ensure secure and consistent operation without requiring customization.

    The Vulnerability Response Integration with Veracode application uses data imported from the Veracode product to help you determine the impact and priority of flaws in your code.

    Veracode Vulnerability Integration

    The Veracode product collects Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and manual scanner data and makes that data available to the ServiceNow AI Platform®. It integrates with the Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities, enriching the data in your instance.

    Starting with v19.0 of Vulnerability Response, you can import Software Composition Analysis (SCA) vulnerabilities and Software Bill of Materials (SBOM) vulnerability data to help you identify weaknesses in your software applications. For more information, see Exploring Software Bill of Materials.

    A shared API ingests DAST, SAST, and SCA data as well as manual penetration testing results.

    There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

    Every day, scheduled jobs invoke the integrations automatically in the order they are listed. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

    Get more details from Veracode

    Starting with v4.2, select Get More Details on application vulnerable items (AVITs) that have Veracode as the Source on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table or from the list views in the Vulnerability Response Workspaces to view the following Veracode data.

    • HTTP Source request and Source response details for Dynamic Application Security Testing (DAST) scans are displayed on the HTTP Request/Response related list.
    • Solution recommendations from Veracode are displayed on the Findings related list.
    • HTTP Source request, Source response, and recommendations are displayed on the Details tab in the Vulnerability Response workspaces.
    • The Description column is supported on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table.
    • To handle applications that have been deleted in Veracode, the Veracode Link Projects and Veracode SBOM integrations can skip 403 and 404 errors and retry 50x errors instead of failing the run. The following parameters control the retry mechanism in the VeracodeLinkProjectsIntegration and VeracodeSBOMIntegration script includes:
      • HTTP_CODES_TO_SOFT_RETRY: [500, 501, 502, 503, 504, 429]
      • HTTP_CODES_TO_SKIP_RETRY: [404, 403]
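As an added illustration of the retry behavior described above, the following Node.js snippet applies the two documented status-code lists to a scripted sequence of responses. It is not the VeracodeLinkProjectsIntegration or VeracodeSBOMIntegration script include itself: the function names, the injected `send` client, the attempt limit and the sample application ids are this example's own assumptions. Only the two code lists come from the page.

```javascript
// Illustration of soft-retry vs. skip-retry handling. Not the integration's own
// code; only HTTP_CODES_TO_SOFT_RETRY and HTTP_CODES_TO_SKIP_RETRY mirror the
// documented values. Everything else (names, fake client, limits) is assumed.

const HTTP_CODES_TO_SOFT_RETRY = [500, 501, 502, 503, 504, 429];
const HTTP_CODES_TO_SKIP_RETRY = [404, 403];

// Map an HTTP status to one of four outcomes.
function classifyStatus(status) {
  if (status >= 200 && status < 300) return 'success';
  if (HTTP_CODES_TO_SKIP_RETRY.includes(status)) return 'skip';  // deleted/forbidden app: move on
  if (HTTP_CODES_TO_SOFT_RETRY.includes(status)) return 'retry'; // transient: try again
  return 'fail';                                                  // anything else: stop this item
}

// Fetch one resource with a bounded number of attempts. `send` is an injected
// function returning {status, body}; `maxAttempts` includes the first attempt.
function fetchWithRetry(send, maxAttempts) {
  let attempts = 0;
  for (;;) {
    attempts += 1;
    const res = send();
    const outcome = classifyStatus(res.status);
    if (outcome === 'retry' && attempts < maxAttempts) continue;
    return {
      outcome: outcome === 'retry' ? 'exhausted' : outcome,
      status: res.status,
      attempts,
      body: res.body,
    };
  }
}

// Constructed stand-in for an HTTP client: replays a scripted list of statuses
// and keeps returning the last one once the list is used up.
function scriptedClient(statuses, body) {
  let i = 0;
  return () => {
    const status = statuses[Math.min(i, statuses.length - 1)];
    i += 1;
    return { status, body: status < 300 ? body : null };
  };
}

// Walk a list of application ids. Skipped applications are not treated as
// failures, so one deleted application does not abort the whole run.
function syncProjects(appIds, clientFor, maxAttempts) {
  const result = { imported: [], skipped: [], failed: [] };
  for (const id of appIds) {
    const r = fetchWithRetry(clientFor(id), maxAttempts);
    if (r.outcome === 'success') result.imported.push(id);
    else if (r.outcome === 'skip') result.skipped.push(id);
    else result.failed.push({ id, status: r.status, attempts: r.attempts });
  }
  return result;
}

// Constructed demo: five applications with scripted response sequences.
function demoSync() {
  const responses = {
    'app-1': [200],                 // imported on first attempt
    'app-2': [503, 200],            // one soft retry, then imported
    'app-3': [404],                 // deleted in Veracode: skipped, no retry
    'app-4': [502, 502, 502, 502],  // never recovers: retries exhausted
    'app-5': [401],                 // not in either list: hard failure
  };
  return syncProjects(Object.keys(responses), id => scriptedClient(responses[id], { app: id }), 3);
}

console.log(JSON.stringify(demoSync(), null, 2));
```

The point of splitting `skip` from `fail` is visible in the demo output: a 404 for a deleted application lands in `skipped` after a single request, while a 502 that never clears lands in `failed` with its attempt count, which is the record a defender wants when deciding whether an import gap was a Veracode outage or a permissions problem.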

    Available versions

    Release versions:

    • Veracode v4.3
    • Veracode v4.2
    • Veracode v4.1

    Release notes for each version are listed in the Application Vulnerability Response release notes.

    For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    User group and roles

    The Veracode Vulnerability Integration is installed by a system administrator [admin] and configured by a member of the App-Sec Manager group. See Application Vulnerability Response user groups and roles for more information.

    Veracode Vulnerability Integration

    To view the Veracode vulnerability integrations, navigate to All > Veracode Vulnerability Integration > Integrations.

    The following integrations are included in the base system.

    Table 1. Veracode Vulnerability Integration

    Veracode Application List Integration (JSON)

    This integration is inactive by default. Retrieves Veracode application scanner data (vulnerabilities, metadata) and enriches your application data. Retrieves scan records from Veracode via a JSON-based API.

    Veracode Application List Integration (XML)

    This integration is inactive by default. The XML-based version of this integration has been deactivated (deprecated). Retrieves Veracode application scanner data (vulnerabilities, metadata) and enriches your application data. This integration is set to run daily at 00:00:00.

    Note:
    A JSON-based API from Veracode is used to retrieve the list of applications. This API imports the ‘last policy compliance check date’ for these applications, signifying when these applications were last scanned by Veracode.

    Veracode Scan Report Integration

    This integration uses the reporting API to import scan information. It resolves the earlier problems of the Veracode Scan Summary Integration failing intermittently and of backdated integration runs taking longer than expected to complete. The existing Veracode Scan Summary Integration is deprecated.

    Veracode Scan Summary Integration (JSON)

    This integration is inactive by default. Retrieves scan records from Veracode via a JSON-based API. This integration replaces the XML-based API integration. It is chained and follows the Veracode Application List Integration when activated.

    Veracode Scan Summary (XML)

    This integration is inactive by default. The XML-based version of this integration has been deactivated (deprecated). Retrieves scan records from Veracode. This integration is chained and follows the Veracode Application List Integration when activated.

    Note:
    Automatically follows the Veracode Application List integration when it is activated. Using the ‘Last policy compliance check date’ of the applications from Veracode, this integration retrieves data only for the applications that were scanned after the ‘delta_start_time’ of this integration.

    Veracode Application Vulnerable Item JSON Integration

    Starting with v4.2, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integrations.

    This integration is inactive by default. Retrieves scan results from Veracode with more vulnerability data than the XML-based integration. It inserts AVIs and enriches your third-party vulnerability data.

    Veracode Application Vulnerable Item Integration (XML)

    Starting with v4.2, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integrations.

    This integration is inactive by default. Retrieves scan results from Veracode, inserts application vulnerable items (AVITs), and enriches your third-party vulnerability data. By default, if the scanner record is in the Closed state, AVITs are not created. Existing AVITs are still updated.

    This integration is chained and follows the Veracode Scan Summary integration when activated. The XML-based API is deprecated in favor of the Veracode Scan Summary JSON integration.

    Note:
    Automatically follows the Veracode Scan Summary integration. Using the ‘Last policy compliance check date’ of the applications from Veracode, this integration retrieves data only for the applications that were scanned after the ‘delta_start_time’ of this integration.

    Veracode Categories Integration

    This integration is inactive by default. Retrieves enhanced Categories data from Veracode.

    Veracode CWE Integration

    This integration is activated by default. Retrieves Veracode-specific Common Weakness Enumeration (CWE) data for threat information and remediation recommendations. This data is populated and updated on Application Vulnerability Entry records.

    This CWE integration operates independently from the scheduled job for the CWE Comprehensive 2000 Integration that you activate for the Vulnerability Response application.

    Your data is not duplicated if you have both the Veracode CWE Integration and the CWE Comprehensive 2000 Integration activated.

    Veracode Link Projects Integration (beginning with v4.1)

    This integration is activated by default. Retrieves all associated projects for each application from Veracode. Applications can have multiple projects in the Veracode application. Imported data from this integration is displayed on the following records:
    • Last SCA Scan Date, App Creation Date, and App Update Date are listed on records in Discovered Applications.
    • On Application Vulnerability Scan Summary records and application vulnerable items (AVITs), the Source SDLC status (Software Development Life Cycle) is displayed.
    • Source exploitability is displayed on application vulnerable item (AVI) records.

    Veracode Software Bill of Materials (SBOM) Integration

    Version 4.3 of the Veracode Vulnerability Integration includes the following enhancements for Veracode SBOM files:
    • If you have installed SBOM Response, you have the option to include vulnerabilities found by Veracode for the SBOM files you upload.
    • Veracode is mapped to the Source field for records in the Bill of Materials [sn_sbom_doc] table for the Veracode SBOM files.

    This integration is activated by default. Beginning with v4.2, imports Software Bill of Materials files in CycloneDX and SPDX formats generated by Veracode and queues them for parsing in your instance. You must have the Software Bill of Materials applications installed to import and view this data.

    Veracode DevOps Integration

    This integration is inactive by default. The integration is viewable on the Application Vulnerability Integrations list in Application Vulnerability Response. If you have a DevOps Change Velocity license, this feature is structured so that DevOps users do not need a SecOps license to view summary details for third-party vulnerability scans. There is no impact or change to Application Vulnerability Response.
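As an added illustration of the delta selection described in the Scan Summary and Application Vulnerable Item notes above, the following Node.js snippet filters a constructed application list by comparing each application's last policy compliance check date with the integration's delta_start_time. It is not the integration's own code: the JSON field name `last_policy_compliance_check_date`, the sample records, the exclusion of applications that have no check date, and advancing delta_start_time to the newest date seen are this example's assumptions.

```javascript
// Illustration of "retrieve only applications scanned after delta_start_time".
// Not the integration's own code. The field name, sample data, the handling of
// applications without a check date and the next-delta rule are assumptions.

// Parse an ISO-8601 timestamp; returns null when absent or unparseable.
function parseTime(s) {
  if (typeof s !== 'string') return null;
  const t = Date.parse(s);
  return Number.isNaN(t) ? null : t;
}

// Keep only applications whose last policy compliance check is strictly after
// deltaStartTime. An application with no check date has never been scanned by
// Veracode and is excluded (assumption). A bad delta_start_time is an error
// rather than a silent "select everything".
function selectScannedSince(apps, deltaStartTime) {
  const cutoff = parseTime(deltaStartTime);
  if (cutoff === null) throw new Error('invalid delta_start_time: ' + deltaStartTime);
  return apps.filter(app => {
    const t = parseTime(app.last_policy_compliance_check_date);
    return t !== null && t > cutoff;
  });
}

// Next delta_start_time (assumption): the newest check date among the selected
// applications, or the previous value when nothing new was selected. Using the
// newest *observed* date rather than "now" avoids skipping applications whose
// scan completed while this run was in progress.
function nextDeltaStartTime(selected, previous) {
  let newest = parseTime(previous);
  for (const app of selected) {
    const t = parseTime(app.last_policy_compliance_check_date);
    if (t !== null && t > newest) newest = t;
  }
  return new Date(newest).toISOString();
}

// Constructed sample in the shape of an application-list response.
const SAMPLE_APPS = [
  { guid: 'app-1', name: 'billing-api', last_policy_compliance_check_date: '2024-07-30T02:15:00Z' },
  { guid: 'app-2', name: 'web-portal',  last_policy_compliance_check_date: '2024-07-28T23:59:59Z' },
  { guid: 'app-3', name: 'batch-jobs',  last_policy_compliance_check_date: null },
  { guid: 'app-4', name: 'mobile-bff',  last_policy_compliance_check_date: '2024-07-29T00:00:00Z' },
];

// One delta run: which applications to fetch scan data for, and the cursor
// to store for the next run.
function runDelta(apps, deltaStartTime) {
  const selected = selectScannedSince(apps, deltaStartTime);
  return {
    selected: selected.map(a => a.guid),
    nextDeltaStartTime: nextDeltaStartTime(selected, deltaStartTime),
  };
}

console.log(JSON.stringify(runDelta(SAMPLE_APPS, '2024-07-29T00:00:00Z'), null, 2));
```

With the sample data and a delta_start_time of 2024-07-29T00:00:00Z, only app-1 is selected: app-2 was checked earlier, app-4 was checked exactly at the cutoff (not after it), and app-3 has no check date at all. The cursor advances to app-1's check time, so the next run picks up only applications scanned after that.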

    For integration run statuses, see View the Veracode Application Vulnerability Integration import run status.

    To view third-party vulnerability data, see View vulnerability libraries.