Veracode Vulnerability Integration modifications and activities

  • Release version: Zurich
  • Updated July 31, 2025
  • 4 minutes to read

    • Configure optional modifications specifically for the Veracode Vulnerability Integration.

    Viewing additional data imported by the Veracode Vulnerability Integration

    Note:
    Changing other Veracode Vulnerability Integration settings, other than the ones listed here, requires advanced ServiceNow and Application Vulnerability Response expertise and is beyond the scope of the product documentation.

    Get more details from Veracode

    Starting with v4.2, select Get More Details on application vulnerable items (AVITs) that have Veracode as the Source on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table or from the list views in the Vulnerability Response Workspaces to view the following Veracode data.

    • HTTP Source request and Source response details for Dynamic Application Security Testing (DAST) scans are displayed on the HTTP Request/Response related list.
    • Solution recommendations from Veracode are displayed on the Findings related list.
    • HTTP Source request, Source response, and recommendations are displayed on the Details tab In the Vulnerability Response Vulnerability Response workspaces.
    • The Description column is supported on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table.

    Modify Veracode integration instance parameters

    After initial installation, you can modify parameters for the Veracode integrations in the Veracode Integration instance.

    Before you begin

    Role required: App-Sec Manager group

    About this task

    You can modify the parameters for an integration from its instance to determine what type of data you ingest. For some of these settings, you can also modify these parameters from the integration's configuration page.

    Procedure

    1. Navigate to All > Application Vulnerability Response > Administration > Integrations.
    2. Select Veracode Application Vulnerability in the Source Instance column for the Veracode integration that you want to modify.
    3. Select the Integration Instance Parameters tab and double-click a field in the Value column to modify the values.

      Starting with v19.0 of Vulnerability Response and v4.0 of the Veracode Vulnerability Integration, you can configure the following parameters for the Veracode integrations.

      import manual
      Enter true to import manual penetration testing results from Veracode. You can also modify this value from the integration configuration page.

      The penetration assessment tests in the Veracode Vulnerability Integration are manual findings from Veracode. These findings are not linked to any penetration test assessment requests you configure in Application Vulnerability Response. For more information about penetration test requests in Application Vulnerability Response, see Configure penetration testing.

      import_sca
      Enter true to import Software Composition Analysis (SCA) vulnerabilities. You can also modify this value from the integration configuration page.
      status
      Enter Open or Closed to import findings for the states you want. If you leave this field empty, the integration import findings for both Open and Closed states.
      policy_sandbox
      Enter a policy or sandbox to import records that correspond to a policy or to a sandbox. These records might be related to how applications are tested in your environment.
      policy_rule_passed
      Enter true or false to import records that have passed a policy rule. These records might be related to how applications are tested in your environment.
    4. Select Update to save your changes.

    Perform a manual Veracode application vulnerability import

    If your initial import failed, or you do not want to wait for the scheduled initial import, you can perform a full data import independent of the daily scheduled job.

    Before you begin

    Role required: App-Sec Manager group

    Procedure

    1. Navigate to All > Veracode Vulnerability Integration > Integrations.
    2. Choose and integration, for example, the Veracode Application List Integration.
    3. Click Execute Now.
      Note:
      Each of the Veracode application vulnerability integrations are intended to provide the most complete data retrieval. Running them out of order requires ServiceNow and Application Vulnerability Response expertise and could result in incomplete data.
      Once the import is complete, scheduled imports resume.
    4. For integration run statuses see, View the Veracode Application Vulnerability Integration import run status.
    5. If you want to modify other integration parameters, you must navigate to the integration instance.

    Set Veracode Vulnerability Integration import times

    For your convenience, you can reset the start time for the Veracode Vulnerability Integration.

    Before you begin

    Role required: App-Sec Manager group

    About this task

    After the initial import, the Veracode vulnerability integrations do a full import each time they runs. See Perform a manual Veracode application vulnerability import for more information on performing imports.

    Procedure

    1. Navigate to All > Veracode Vulnerability Integration > Integrations.
    2. Choose an integration.
    3. Set the new Start time.
      Time is calculated as Hours in local time. The default time for the Veracode Application List Integration imports is 00:00:00. The other integrations are On Demand and chained to run after the Veracode Application List Integration. Changing the Start time for either of these requires advanced ServiceNow and Application Vulnerability Management expertise.
    4. Click Update.
      The new time is used for the next scheduled import.

    Include Closed Veracode application vulnerable items

    By default, Closed application vulnerable items (AVIs) are not created during Veracode Vulnerable Item integration imports. If you want to create them, you must change a system property.

    Before you begin

    The Veracode Vulnerability Integration must be installed and running.

    Role required: admin

    Procedure

    1. In the left navigation Filter navigator text box, type sys_properties.list.
    2. In the Name search box for the list, enter sn_vul.create_closed.
    3. Double-click on the Value field and set to True
    4. Select the green check mark icon to save.
      Records in the Closed state in the next Veracode import are created as AVIs in Application Vulnerability Response.