Veracode Vulnerability Integration
Summary of Veracode Vulnerability Integration
The Veracode Vulnerability Integration enables ServiceNow customers to import and synchronize application security testing data from Veracode into the ServiceNow Vulnerability Response application. This integration consolidates Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), Software Composition Analysis (SCA), and manual scanner data to help assess the impact and prioritize remediation of code vulnerabilities. It supports automatic daily data imports and enhances vulnerability management by enriching your instance with third-party vulnerability details.
Key Features
- Data Integration: Imports DAST, SAST, SCA, and manual penetration testing results through a shared API, keeping your vulnerability data current and comprehensive.
- Software Bill of Materials (SBOM) Support: Starting with version 4.2, the integration supports importing SBOM files in CycloneDX and SPDX formats generated by Veracode, enabling detailed software component vulnerability tracking. SBOM Response application is required to view this data.
- Multiple Integration Types: Includes several integrations such as Veracode Link Projects (active by default), Application List (JSON and deprecated XML), Scan Summary (JSON and deprecated XML), Application Vulnerable Item (AVI) integrations, CWE data, Categories data, and DevOps integration. Most integrations are inactive by default except core components.
- Scheduled Jobs and Automation: Integrations run automatically daily, with options to manually execute jobs, ensuring your instance stays synchronized with Veracode scan data and vulnerability lifecycle updates.
- Detailed Vulnerability Data: From version 4.2 onward, users can view HTTP request/response details and Veracode solution recommendations directly within Vulnerability Response workspaces to aid in remediation decisions.
- User Roles and Access: Installed by system administrators and configured by App-Sec Managers, with permissions structured to facilitate secure management of vulnerability data.
Practical Benefits for ServiceNow Customers
- Enhanced Vulnerability Prioritization: By importing rich security testing data, customers can better understand the severity, exploitability, and remediation guidance for application vulnerabilities.
- Improved Visibility: Integration with ServiceNow’s Vulnerability Response allows centralized tracking of vulnerabilities from Veracode alongside other sources, streamlining security operations workflows.
- Support for Software Supply Chain Security: SBOM integration helps identify vulnerabilities in software components, supporting compliance and risk management strategies.
- Automation and Efficiency: Scheduled imports reduce manual effort and ensure timely updates, enabling faster response to emerging vulnerabilities.
- Seamless API Usage: The integration uses Veracode’s JSON-based APIs for improved data retrieval and deprecates older XML methods, ensuring modern and reliable data exchange.
Configuration and Compatibility
The integration requires installation of the Vulnerability Response and optionally the Software Bill of Materials applications. Default system users such as VR.System handle integration tasks and should not be altered. Compatibility information and version-specific features are documented to assist with upgrade and maintenance planning. Customers can monitor integration run statuses and view enriched vulnerability data within the ServiceNow interface.
The Vulnerability Response Integration with Veracode application uses data imported from the Veracode product to help you determine the impact and priority of flaws in your code.
Veracode Vulnerability Integration
The Veracode product collects Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and manual scanner data and makes that data available to the ServiceNow AI Platform®. It integrates with the Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities, enriching the data in your instance.
Starting with v19.0 of Vulnerability Response, you can import Software Composition Analysis (SCA) vulnerabilities and Software Bill of Materials (SBOM) vulnerability data to help you identify weaknesses in your software applications. For more information, see Exploring Software Bill of Materials.
A shared API ingests DAST, SAST, and SCA data as well as manual penetration testing results.
There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.
Every day, scheduled jobs invoke the integrations automatically in the order they are listed. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.
Get more details from Veracode
Starting with v4.2, select Get More Details on application vulnerable items (AVITs) that have Veracode as the Source on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table or from the list views in the Vulnerability Response Workspaces to view the following Veracode data.
- HTTP Source request and Source response details for Dynamic Application Security Testing (DAST) scans are displayed on the HTTP Request/Response related list.
- Solution recommendations from Veracode are displayed on the Findings related list.
- HTTP Source request, Source response, and recommendations are displayed on the Details tab in the Vulnerability Response workspaces.
- The Description column is supported on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table.
Available versions
| Release version | Release Notes |
|---|---|
| Veracode v4.3, Veracode v4.2, Veracode v4.1 | Application Vulnerability Response release notes. For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes. |
User group and roles
The Veracode Vulnerability Integration is installed by a system administrator [admin] and configured by a member of the App-Sec Manager group. See Application Vulnerability Response user groups and roles for more information.
Veracode Vulnerability Integration
To view the Veracode vulnerability integrations, navigate to .
The following integrations are included in the base system.
| Integration | Description |
|---|---|
| Beginning with v4.1: Veracode Link Projects Integration | This integration is activated by default. Retrieves all associated projects for each application from Veracode. Applications can have multiple projects in the Veracode application. Imported data from this integration is displayed on the following records: |
| Veracode Application List Integration (JSON) | This integration is inactive by default. Retrieves Veracode application scanner data (vulnerabilities, metadata) and enriches your application data. Retrieves scan records from Veracode via a JSON-based API. |
| Veracode Application List Integration (XML) | This integration is inactive by default. The XML-based version of this integration has been deactivated (deprecated). Retrieves Veracode application scanner data (vulnerabilities, metadata) and enriches your application data. This integration is set to run daily at 00:00:00. Note: A JSON-based API from Veracode is used to retrieve the list of applications. This API imports the ‘last policy compliance check date’ for these applications, signifying when these applications were last scanned by Veracode. |
| Veracode Software Bill of Materials (SBOM) Integration | Version 4.3 of the Veracode Vulnerability Integration includes the following enhancements with Veracode SBOM files: This integration is activated by default. Beginning with v4.2, imports Software Bill of Materials files in CycloneDX and SPDX formats generated by Veracode and queues them for parsing in your instance. You must have the Software Bill of Materials application installed to import and view this data. |
| Veracode Scan Summary Integration (JSON) | This integration is inactive by default. Retrieves scan records from Veracode via a JSON-based API. This integration replaces the XML-based API integration. It is chained and follows the Veracode Application List Integration when activated. |
| Veracode Scan Summary (XML) | This integration is inactive by default. The XML-based version of this integration has been deactivated (deprecated). Retrieves scan records from Veracode. This integration is chained and follows the Veracode Application List Integration when activated. Note: Automatically follows the Veracode Application List integration when it is activated. Using the ‘Last policy compliance check date’ for the applications from Veracode, this integration retrieves data only for the applications that were scanned after the ‘delta_start_time’ of this integration. |
| Veracode Application Vulnerable Item JSON Integration | Starting with v4.2, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integrations. This integration is inactive by default. Retrieves scan results from Veracode with more vulnerability data than the XML-based integration. It inserts AVIs and enriches your third-party vulnerability data. |
| Veracode Application Vulnerable Item Integration (XML) | Starting with v4.2, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integrations. This integration is inactive by default. Retrieves scan results from Veracode, inserts Application Vulnerable Items (AVITs), and enriches your third-party vulnerability data. By default, if the scanner record is in the Closed state, AVITs are not created. Existing AVITs are still updated. This integration is chained and follows the Veracode Scan Summary integration when activated. The XML-based API is deprecated in favor of the Veracode Scan Summary JSON integration. Note: Automatically follows the Veracode Scan Summary integration. Using the ‘Last policy compliance check date’ for the applications from Veracode, this integration retrieves data only for the applications that were scanned after the ‘delta_start_time’ of this integration. |
| Veracode Categories Integration | This integration is inactive by default. Retrieves enhanced Categories data from Veracode. |
| Veracode CWE Integration | This integration is activated by default. Retrieves Veracode-specific Common Weakness Enumeration (CWE) data for threat information and remediation recommendations. This data is populated and updated on Application Vulnerability Entry records. This CWE integration operates independently from the scheduled job for the CWE Comprehensive 2000 Integration that you activate for the Vulnerability Response application. Your data is not duplicated if you have both the Veracode CWE Integration and the CWE Comprehensive 2000 Integration activated. |
| Veracode DevOps Integration | This integration is inactive by default. The integration is viewable on the Application Vulnerability Integrations list in Application Vulnerability Response. If you have a DevOps Change Velocity license, this feature is structured so that DevOps users do not need a SecOps license to view summary details for third-party vulnerability scans. There is no impact or change to Application Vulnerability Response. |
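The table above describes two rules that determine what each daily run actually touches: the chained Scan Summary and Application Vulnerable Item integrations only fetch applications whose ‘Last policy compliance check date’ is later than the integration's ‘delta_start_time’, and AVITs are not created for scanner records in the Closed state although existing AVITs are still updated. The following plain JavaScript is an added illustration of those two rules, not ServiceNow's or Veracode's code; it deliberately avoids the platform's GlideRecord API so it runs offline, and the record field names (appId, findingId, lastPolicyComplianceCheckDate, state) and all sample data are constructed assumptions.

```javascript
// Added illustration (not ServiceNow's or Veracode's code) of the delta window
// and the Closed-scanner rule described on the integrations table.
// Field names and sample records are constructed for this example.

// Constructed application list, as an application-list call might return it.
// The date field stands in for Veracode's 'last policy compliance check date'.
const SAMPLE_APPLICATIONS = [
  { appId: "app-1", name: "payments-api", lastPolicyComplianceCheckDate: "2024-05-02T10:00:00Z" },
  { appId: "app-2", name: "portal-web",   lastPolicyComplianceCheckDate: "2024-04-20T08:30:00Z" },
  { appId: "app-3", name: "batch-jobs",   lastPolicyComplianceCheckDate: null }, // never scanned
  { appId: "app-4", name: "legacy-soap",  lastPolicyComplianceCheckDate: "2024-03-15T00:00:00Z" },
];

// Rule 1: a run only retrieves applications scanned after delta_start_time.
// An application with no compliance-check date has never been scanned and is skipped,
// so a wrongly advanced delta_start_time silently drops scans from the import.
function selectApplicationsForDelta(applications, deltaStartTime) {
  const start = Date.parse(deltaStartTime);
  return applications.filter((app) => {
    if (!app.lastPolicyComplianceCheckDate) return false;
    return Date.parse(app.lastPolicyComplianceCheckDate) > start;
  });
}

// Constructed scanner records (one per application) and the findings reported for them.
const SAMPLE_SCANNER_RECORDS = {
  "app-1": { state: "Open" },
  "app-2": { state: "Closed" },
};
const SAMPLE_FINDINGS = [
  { appId: "app-1", findingId: "f-100", cwe: "CWE-79", severity: 4 },
  { appId: "app-2", findingId: "f-200", cwe: "CWE-89", severity: 5 }, // new finding, scanner Closed
  { appId: "app-2", findingId: "f-201", cwe: "CWE-22", severity: 3 }, // already has an AVIT
];

// Rule 2: upsert AVITs keyed by (appId, findingId). A finding for a Closed scanner
// record creates no new AVIT, but an AVIT that already exists is still updated.
function applyFindings(existingAvits, scannerRecords, findings) {
  const avits = new Map(existingAvits.map((a) => [a.appId + ":" + a.findingId, { ...a }]));
  const created = [], updated = [], skipped = [];
  for (const f of findings) {
    const key = f.appId + ":" + f.findingId;
    const scanner = scannerRecords[f.appId];
    if (avits.has(key)) {
      Object.assign(avits.get(key), { cwe: f.cwe, severity: f.severity });
      updated.push(key);
    } else if (scanner && scanner.state === "Closed") {
      skipped.push(key);
    } else {
      avits.set(key, { ...f });
      created.push(key);
    }
  }
  return { avits: [...avits.values()], created, updated, skipped };
}

// Chain the two rules the way the table describes: the delta selection decides which
// applications' scan data is fetched, and only findings for those applications are applied.
function runSample() {
  const deltaStartTime = "2024-04-01T00:00:00Z"; // constructed delta_start_time
  const inScope = selectApplicationsForDelta(SAMPLE_APPLICATIONS, deltaStartTime);
  const inScopeIds = new Set(inScope.map((a) => a.appId));
  const findings = SAMPLE_FINDINGS.filter((f) => inScopeIds.has(f.appId));
  // One AVIT already exists from an earlier run (constructed).
  const existing = [{ appId: "app-2", findingId: "f-201", cwe: "CWE-22", severity: 2 }];
  const result = applyFindings(existing, SAMPLE_SCANNER_RECORDS, findings);
  return { inScope: [...inScopeIds], ...result };
}

console.log(JSON.stringify(runSample(), null, 2));
```

Running the sample selects app-1 and app-2 (app-3 has no scan date and app-4 was scanned before the window), creates one AVIT for app-1, skips the new finding on app-2 because its scanner record is Closed, and still updates the pre-existing app-2 AVIT. When reviewing an import that seems to be missing findings, those are the two places to look first: the delta window and the scanner record state.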
For integration run statuses, see View the Veracode Application Vulnerability Integration import run status.
To view third-party vulnerability data, see View vulnerability libraries.