Retrieves findings with APPROVED mitigations from an application's policy scan (or sandbox) and creates a baseline file for Pipeline Scan. Mitigations in a "proposed" state will not be retrieved.
Clone this repository:
git clone https://github.com/tjarrettveracode/veracode-pipeline-mitigation
Install dependencies:
cd veracode-pipeline-mitigation
pip install -r requirements.txt
(Optional) Save Veracode API credentials in ~/.veracode/credentials
[default]
veracode_api_key_id = <YOUR_API_KEY_ID>
veracode_api_key_secret = <YOUR_API_KEY_SECRET>
If you have saved credentials as above you can run:
python vcpipemit.py (arguments)
Otherwise you will need to set environment variables:
export VERACODE_API_KEY_ID=<YOUR_API_KEY_ID>
export VERACODE_API_KEY_SECRET=<YOUR_API_KEY_SECRET>
python vcpipemit.py (arguments)
Arguments supported include:
--application,-a(required if--promptnot used): Applications guid from which to retrieve mitigated findings.--prompt,-p(optional): Specify to be prompted to search by application name.--results,-rf(required): Location of a Pipeline Scan results file from which the baseline file will be created.--sandbox,-s(optional): Sandbox guid from which to retrieve mitigated findings in the application specified above.
All actions are logged to vcpipmit.log. The baseline file is created in the current directory and is named baseline-<appguid>.json.
We perform a naïve match between the mitigated findings and the pipeline findings based on CWE ID, source file and line number value. There is some
"slop" built into the match (checking a range in the pipeline finding around the original mitigated finding); you can adjust the constant
LINE_NUMBER_SLOP to get a more or less precise match.