Azure DevOps YAML properties for Flaw Importer

This table describes the YAML properties and their values for adding the Veracode Flaw Importer task to an Azure DevOps build pipeline.

Each entry below gives the property name, its type, whether it is required, and its description.

ConnectionDetailsSelection (String, required)
  One of these methods for connecting to Veracode:
  • Endpoint: use an existing service connection that includes your API credentials. Include AnalysisService to specify the service connection name.
  • Credentials: enter your Veracode API credentials. Include apiId to enter your API ID and apiKey to enter your API key.

veracodeAppProfile (String, required)
  Name of the application profile. The name is case-sensitive.

AnalysisService (String)
  If you set ConnectionDetailsSelection to Endpoint, the name of the service connection for accessing Veracode. If a service connection does not exist, you can create a new one.

apiId (String)
  If you set ConnectionDetailsSelection to Credentials, your Veracode API ID.

apiKey (String)
  If you set ConnectionDetailsSelection to Credentials, your Veracode API key.

proxySettings (String)
  If you use a proxy to access Veracode, your proxy settings. For example:
  -phost abc.com -pport 5252 -puser proxyuser -ppassword proxypassword
  NOTE:
  Do not enclose any of the values in single or double quotation marks.

sandboxName (String)
  For development sandbox scans, the name of the sandbox in which to run the scan. If the sandbox does not exist, include createSandBox to create it with the specified name.

scanType (String)
  Scan types from which to import flaws or vulnerabilities. One or more of these values, comma-separated: Dynamic, Static, SCA. For example: Static, SCA or Dynamic, Static, SCA.

importType (String)
  One of these flaw types to import:
  • All Flaws: includes mitigated and remediated flaws and vulnerabilities from all scans. During the import process, the extension changes the state of the work items for all mitigated and remediated flaws to resolved or closed. After you fix or remediate the flaw, its status changes to fixed or mitigated in the Detailed Report during the next scan, and the related work items change to closed during the next import. This option imports all flaws without any restrictions.
  • All Unmitigated Flaws: includes flaws and vulnerabilities from all scans.
  • All Flaws Violating Policy: includes all open flaws and vulnerabilities from all scans that affect policy.
  • All Unmitigated Flaws Violating Policy: includes open flaws and vulnerabilities from all scans that affect policy. This is the default.
  When generating new work items for imported flaws, the extension also imports mitigation and annotation comments. If you add comments to a previously imported flaw that already has a work item, the extension does not import the new comments to the work item during subsequent imports.

workItemType (String)
  One of these work item types to apply to all imported flaws: Bug, Issue, Task, Epic, Feature, Test Case.
  NOTE:
  The Scrum process template does not support the Issue work item type. Also, the Veracode Flaw Importer task can only import flaws to customized work item types that do not contain required fields. If your customized work item types contain required fields, you must select different work item types that do not contain required fields, or the flaws fail to import.

area (String)
  Path to the area where you want to group the work items. You can enter up to five levels in the path. Use the format <project_name>\<area_1>\<area_2>. For <project_name>, enter the name of the project in the Build Pipeline or Release Pipeline task for which you want to import flaws.

overwriteAreaPathInWorkItemsOnImport (Boolean)
  Set to true to replace the area path in new and existing work items with the value specified for area. If set to false, existing work items retain their current area path.

addCustomTag (String)
  Add a tag with a custom string to all work items for all imported flaws.

addCweAsATag (Boolean)
  Add a tag with the CWE ID of the discovered flaw to the corresponding work item. Set to true to add the tag, false to omit it. Defaults to true; the property appears in the YAML file only when the value is false.

addCveAsATag (Boolean)
  For SCA scans, add a tag with the CVE ID of the finding to the work item. Set to true to add the tag, false to omit it. Defaults to true; the property appears in the YAML file only when the value is false.

addScanTypeTag (Boolean)
  Add a tag with the scan type, such as Static or Dynamic, that produced the finding to the work item. Set to true to add the tag, false to omit it. Defaults to true; the property appears in the YAML file only when the value is false.

addSeverityTag (Boolean)
  Add a tag with the finding severity to the work item. Set to true to add the tag, false to omit it. Defaults to true; the property appears in the YAML file only when the value is false.

addDueDateTag (Boolean)
  Add a tag to the work item with the due date by which your team must fix the finding. Set to true to add the tag, false to omit it. Defaults to true; the property appears in the YAML file only when the value is false.

foundInBuild (Boolean)
  Add a tag with the number of the build in which Veracode discovered the flaw to the corresponding work item. Set to true to add the tag, false to omit it. Defaults to true; the property appears in the YAML file only when the value is false.

addScanNameAsATag (Boolean)
  Add a tag to each work item with the name of the Veracode scan that found the imported flaw. Set to true to add the tag, false to omit it. Defaults to true; the property appears in the YAML file only when the value is false.

flawImportLimit (Integer)
  Maximum number of flaws to import at the same time. Default is 1000.

customFields (String)
  Add custom fields from process templates to the generated work items of imported flaws. Enter key-value pairs to specify each field name and value, one pair per line, with the name and value separated by a colon. For example: field.name:value
  NOTE:
  Ensure these field names match the field names you define in Azure and that all values are valid for the given field type. If there are any mismatches or validation errors, you can only see them in the console after importing flaws.
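The following pipeline step is an added example, not taken from the Veracode documentation, showing how the properties above fit together in one task. The task identifier, the service connection name, the application profile, sandbox, area path and custom field names are placeholders or assumptions; the property names and values are the documented ones. It uses the Endpoint method so that the API ID and key never appear in the YAML or its history, and shows the Credentials alternative with secret pipeline variables rather than inline values.

```yaml
# Added example: Veracode Flaw Importer step in an Azure DevOps YAML pipeline.
# "<flaw-importer-task>@<version>" is a placeholder; take the real task
# identifier from the extension's task picker. Other names are assumptions.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: <flaw-importer-task>@<version>        # placeholder task name
    displayName: Import Veracode findings as work items
    inputs:
      # Endpoint keeps the API ID/key inside the service connection,
      # so they are not committed in the pipeline definition.
      ConnectionDetailsSelection: Endpoint
      AnalysisService: veracode-prod            # assumed service connection name
      # Alternative (Credentials): reference secret variables, never literals.
      # ConnectionDetailsSelection: Credentials
      # apiId: $(VERACODE_API_ID)               # secret pipeline variable
      # apiKey: $(VERACODE_API_KEY)             # secret pipeline variable
      veracodeAppProfile: PaymentsApi           # assumed; name is case-sensitive
      sandboxName: feature-branch-scans         # assumed sandbox name
      scanType: Static, SCA                     # comma-separated scan types
      importType: All Unmitigated Flaws Violating Policy
      workItemType: Bug                         # Issue is not valid under Scrum
      area: MyProject\Security\Backend          # <project_name>\<area_1>\<area_2>
      overwriteAreaPathInWorkItemsOnImport: false
      addCustomTag: veracode-import
      addDueDateTag: false                      # defaults to true; listed only when false
      flawImportLimit: 500
      # One field.name:value pair per line; names must match the process template.
      customFields: |
        Custom.SourceTool:Veracode
        Microsoft.VSTS.Common.Priority:2
```

If a proxy is required, proxySettings carries the proxy user and password as plain text in the task input; prefer injecting that value from a secret variable as well rather than writing it into the YAML.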