Import findings into Azure DevOps
You can add the Veracode Flaw Importer task to your Azure DevOps build pipelines. The task uses the Veracode Azure DevOps Extension to automatically import flaws and vulnerabilities as work items.
You can also use YAML to configure Azure DevOps pipelines for importing flaws.
Before you begin:
Before you can import flaws or vulnerabilities into Azure DevOps, you must meet these prerequisites:
- Ensure these projects are in the same Azure DevOps organization:
  - The project to which the running release or build job belongs, where the Flaw Importer task is running
  - The project to which you want to import the flaws or vulnerabilities
- You have installed the Veracode Azure DevOps Extension.
- You have generated Veracode API credentials. If your credentials contain variables, you must start each variable with a $ and wrap the variable value in parentheses. For example, you enter the id variable as $(Id).
- The Veracode Flaw Importer generates work items based on the Agile, Scrum, and CMMI process templates in Azure DevOps. You can customize the default fields in the process templates, such as changing the state names to match the names of your actual states and their transition values. When configuring the Flaw Importer, you can specify the custom fields to add to work items when importing flaws or vulnerabilities. If you use custom process templates and also want to add custom fields to generated work items, ensure you have configured the required predefined variables in your build or release configurations before specifying the custom fields.
- If you are using customized work item types that contain required fields, you must do one or both of the following to ensure all flaws import successfully:
  - In each customized work item type, specify the default value for the required field. The required field must not be blank.
  - Select different work item types that do not contain required fields.
To complete this task:
- In your Azure DevOps project, go to your build definition.
- Add Veracode Flaw Importer as a build task.
- Select the Import flaws task to open the Veracode Flaw Importer window.
- In the Flaw Importer window, from the Connection Details section, select a connection source for connecting to Veracode:
  - Service Connection: select an existing service connection that uses your Veracode API credentials, or select New to create a new service connection. For a new connection, in the New service connection window, the Server URL is populated by default with the URL for accessing Veracode. Enter your Veracode API credentials and a name for the service connection, then click Save. The new connection is selected in the Select Service Connection dropdown menu.
  - Credentials: enter your Veracode API credentials. If you use variables for your credentials, you must start each variable with a $ and wrap the variable value in parentheses. For example, for a variable named id, enter $(Id).
- In the Flaw Source section, enter the application profile name (case-sensitive) and sandbox name, if applicable, for which you want to import flaws from Veracode. If you remediate SCA vulnerabilities in a sandbox, the integration can only close the corresponding work items after you promote the sandbox to a policy scan.
- In the Work Item Settings section, from the Scan Type dropdown menu, select the scan types from which to import flaws or vulnerabilities.
- From the Import dropdown menu, select the flaw type to import as work items:
  - All Flaws: includes mitigated and remediated flaws and vulnerabilities from all scans. During the import process, the extension changes the state of the work items for all mitigated and remediated flaws to resolved or closed. After you fix or remediate the flaw, its status changes to fixed or mitigated in the Detailed Report during the next scan. During the next import, the related work items change to closed. This option imports all flaws without any restrictions.
  - All Unmitigated Flaws: includes flaws and vulnerabilities from all scans.
  - All Flaws Violating Policy: includes all open flaws and vulnerabilities from all scans that affect policy.
  - All Unmitigated Flaws Violating Policy: includes open flaws and vulnerabilities from all scans that affect policy. This is the default.
  When you generate new work items for imported flaws, the extension also imports mitigation and annotation comments. If you add comments to a previously imported flaw that already has work items, the extension does not import the new comments to the work items during subsequent imports.
- From the Work Item Type dropdown menu, select the work item type to generate for all imported flaws.
  Note: The Scrum process template does not support the Issue work item type.
- In the Area Path field, enter the path to the area where you want to group the work items by team, product, or feature area. You can enter up to five levels in the path. To enter the area paths, use the format <project name>\<area 1>\<area 2>. The value in <project name> is the name of the project in the Build Pipeline or Release Pipeline task for which you want to import flaws.
- Optionally, select the Overwrite Area Path in Work Items on Import checkbox to replace the area path in new and existing work items with the value in the Area Path field. If you clear this checkbox, existing work items retain their current area path.
- In the Iteration Path field, enter the path to the area where you want to group work items into sprints, milestones, or other events or periods. Similar to the value in the Area Path field, use the format <project name>\<iteration 1>.
- In the Add Custom Tag field, enter a custom tag name to add user-defined tags to all work items that the current build generates.
- Optionally, to add useful information about imported findings as tags in work items, select one or more of the following options:
  - Add CVE as a Tag: for SCA scans, adds the CVE ID for the finding.
  - Add CWE as a Tag: adds the CWE ID for the finding.
  - Add Build ID as a Tag: adds the build number of the build that contains the finding.
  - Add Scan Name as a Tag: adds the name of the scan that found the finding.
  - Add Scan Type as a Tag: adds the scan type, such as Static or SCA, that found the finding.
  - Add Severity as a Tag: adds the severity of the finding.
  - Add Due Date as a Tag: for Static Analysis and Dynamic Analysis scans, adds the due date for your team to fix the finding.
- In the Flaw Import Limit section, enter the maximum number of flaws to import at one time. The default is 1000.
- For Custom Fields, if you are using customized process templates with custom fields, you can specify the custom fields to add to new, but not existing, work items. Enter key-value pairs to specify each field name and value. Put each key-value pair on a new line, with the key and value separated by a colon.
  For example, to add Agile-based custom fields for story points (3), priority (1), work estimate (4), and test system information (My Test System), add these values:
    <_field reference name_>.StoryPoints:3
    <_field reference name_>.Priority:1
    <_field reference name_>.OriginalEstimate:4
    <_field reference name_>.SystemInfo:My Test System
  For field reference name, ensure the field names match the field reference names in Azure and that all values are valid for the given field type. If there are any mismatches or validation errors, you can only see these errors in the console after importing flaws.
- In the Advanced Scan Settings section, configure these options:
  - Proxy Settings: if you use a proxy to access Veracode, enter the proxy settings. For example:
    -phost abc.com -pport 5252 -puser proxyuser -ppassword proxypassword
    Note: Do not enclose any of the values in single or double quotation marks.
  - Team Foundation Server Password: do not change this value from the default of $(password).
- Optionally, to add debugging to your pipeline, add a new variable and enter these values in the New variable window:
  - Name: system.debug
  - Value: true
- Select Save & queue to save your configurations and add the build to your queue.
To keep the status of imported findings in your ticketing system in sync with the status of the actual findings in the Veracode Platform, you must routinely run the integration.
After the Flaw Import task has completed successfully, the work items related to flaws or vulnerabilities in a given application appear in Azure DevOps. In Azure DevOps, you can search on the Work or Queries pages, for example, to find the work items you created.
Identify a field reference name
- In Azure DevOps, select Organization settings.
- Under Boards, select Process.
- On the All processes page, on the Processes tab, select the relevant process template.
- On the Work item types tab, select the type of work items you want to create.
- Locate the custom field you want to configure.
- From the three-dot menu on the field, select Edit.
- In the Edit window, select Options.
- Make a note of the value you see after Field Reference Name: and any value you see in the Default value field.
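The Custom Fields block above is only validated by the importer after the run, with errors visible solely in the console. The following pre-flight check is an added example written for this page, not part of the Veracode documentation or the extension: it parses the key-value lines and compares them with the field reference names and types you recorded via the Identify a field reference name steps. The four Agile reference names and their types are a constructed sample (they are standard Azure DevOps fields, but confirm them against your own process template).

```python
# Added example, not part of the Veracode documentation: a local pre-flight
# check for the text pasted into the Flaw Importer "Custom Fields" box, since
# name mismatches and type errors otherwise appear only in the console afterwards.
from typing import Dict, List, Tuple
# Constructed sample of what you note down under Process > Work item types >
# Edit > Options (Field Reference Name and type); confirm against your process.
KNOWN_FIELDS: Dict[str, str] = {
    "Microsoft.VSTS.Scheduling.StoryPoints": "Double",
    "Microsoft.VSTS.Common.Priority": "Integer",
    "Microsoft.VSTS.Scheduling.OriginalEstimate": "Double",
    "Microsoft.VSTS.TCM.SystemInfo": "HTML",
}

def parse_custom_fields(text: str) -> List[Tuple[str, str]]:
    """One 'reference.name:value' pair per line, split on the first colon only
    so a value such as 'My Test System' (or one containing ':') stays whole."""
    pairs: List[Tuple[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines are harmless
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'field:value', got {line!r}")
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs

def value_matches_type(value: str, field_type: str) -> bool:
    """Minimal check for the Azure DevOps field types used in the sample."""
    if field_type == "Integer":
        return value.lstrip("-").isdigit()
    if field_type == "Double":
        try:
            float(value)
        except ValueError:
            return False
        return True
    return True  # String, PlainText and HTML fields accept free text

def validate_custom_fields(text: str, known: Dict[str, str] = KNOWN_FIELDS) -> List[str]:
    """Return the problems the importer would otherwise report after the run."""
    problems: List[str] = []
    for name, value in parse_custom_fields(text):
        if name not in known:
            problems.append(f"{name}: no such field reference name in this process")
        elif value == "":
            problems.append(f"{name}: blank value (required fields must not be blank)")
        elif not value_matches_type(value, known[name]):
            problems.append(f"{name}: {value!r} is not a valid {known[name]}")
    return problems
```

An empty list from validate_custom_fields means the block is safe to paste into the task; run it against the text before you queue the build.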