Veracode Software Security Integration

Associating a Veracode Security Scan with your Component Version.


DeployHub Pro can associate a Veracode Security Scan with your Component Version. Associating these metrics enables compliance scoring for Application Versions, because the metrics are rolled up from the Component Versions to the Application Version. See the Application Compliance Scorecard Report below for details.

Example Scorecard Report

[Image: Scorecard with Veracode Metrics]

Getting Metrics from Veracode to DeployHub Pro

DeployHub Pro uses the command line interface from the Ortelius open source project, which is incubating at the Linux Foundation. The Ortelius CI/CD command line program associates Veracode metrics with the DeployHub Pro Component Version. See [CLI Installation](https://docs.deployhub.com/userguide/installation-and-support/0-commandlineinterface/) for instructions on basic setup in your CI/CD pipeline.

REST API calls in your pipeline fetch the metrics from Veracode. Shell commands using HTTPie, xmltojson and jq parse the data returned by Veracode and format it for storage with the Component Version. Each new metric is appended to the component.toml file used by the DeployHub Pro CLI, and the file is uploaded to DeployHub Pro at the end of the pipeline. See [CI-CD Integration](https://docs.deployhub.com/userguide/integrations/ci-cd_integrations/) for more details.

Note: Your codebase must already have been scanned with Veracode and the results published to the Veracode platform; the REST API calls below read the metrics from those stored scan results. HTTPie (the http command) is used because its veracode_hmac auth type (provided by Veracode's veracode-api-signing plugin) performs the HMAC request signing that the Veracode API requires. The plugin takes its credentials from the VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET environment variables, which must therefore be exported before http is called.

Veracode Score

| Variable | Value |
|---|---|
| VERACODE_USERNAME | Veracode API ID used for the veracode_hmac auth type. This must be an API credential generated in the Veracode platform (https://analysiscenter.veracode.com), not the web login username. |
| VERACODE_PASSWORD | Veracode API secret key paired with the API ID above, not the web login password. |
| build_id | The build_id that the Veracode scan is published under |
| COMPONENT_TOML | The DeployHub Pro Component TOML file that defines the Component Version in DeployHub Pro. Typically called component.toml |

Keep the two credential values in your CI system's secret store rather than in the pipeline definition.

```bash
# The plugin reads these from the environment, so they must be exported
export VERACODE_API_KEY_ID="${VERACODE_USERNAME}"
export VERACODE_API_KEY_SECRET="${VERACODE_PASSWORD}"

# --check-status makes a non-2xx response fail the step instead of leaving an error body in the file
http --check-status --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/detailedreport.do" "build_id==${build_id}" > detailedreport.xml
VERACODE_SCORE=$(xmltojson detailedreport.xml | jq -r '.detailedreport."static-analysis"."@score"')
# jq -r prints "null" for a missing attribute; never record that as a score
[ -n "${VERACODE_SCORE}" ] && [ "${VERACODE_SCORE}" != "null" ] || { echo "No static-analysis score for build ${build_id}" >&2; exit 1; }

echo "    VeracodeScore = \"${VERACODE_SCORE}\"" >> "${COMPONENT_TOML}"
```
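As an added example (not code from DeployHub Pro, Ortelius or Veracode), the extract-and-append step is written below with POSIX tools only, so it runs offline without xmltojson or jq and can be checked locally before it goes into a pipeline. It pulls the score attribute out of a constructed detailedreport.do response, refuses to write anything unless the score is a whole number between 0 and 100, and only then appends the VeracodeScore line. The sample XML and the component.toml stub are constructed for the demo; the element and attribute names follow the static-analysis element that the jq path above addresses, and the values are made up.

```bash
#!/bin/sh
# Added example, not DeployHub Pro's, Ortelius's or Veracode's own code.
# Extract the static-analysis score from a Veracode detailedreport.do XML
# response with POSIX tools, validate it, and append it to component.toml,
# failing closed when the score is absent or malformed.

# Constructed sample of the relevant part of a detailedreport.do response.
# Element/attribute names follow the report schema; values are invented.
SAMPLE_REPORT='<?xml version="1.0" encoding="UTF-8"?>
<detailedreport xmlns="https://www.veracode.com/schema/reports/export/1.0" app_name="demo-app" build_id="123456">
  <static-analysis rating="B" score="83" submitted_date="2021-01-01 00:00:00 UTC">
    <modules/>
  </static-analysis>
</detailedreport>'

# Print the score attribute of <static-analysis>, or nothing if it is absent.
# The file is flattened to one line first so the attribute may sit anywhere.
veracode_score_from_xml() {
  # $1: path to detailedreport.xml
  tr '\n' ' ' < "$1" \
    | sed -n 's/.*<static-analysis[^>]*[[:space:]]score="\([0-9]*\)".*/\1/p'
}

# Append the score to the Component TOML and echo it. Returns non-zero and
# writes nothing unless the score is a whole number in 0..100, so a missing
# or broken report cannot silently publish an empty or bogus score.
append_veracode_score() {
  # $1: detailedreport.xml   $2: component.toml
  score=$(veracode_score_from_xml "$1")
  case "$score" in
    ''|*[!0-9]*)
      echo "veracode: no numeric static-analysis score in $1" >&2
      return 1 ;;
  esac
  if [ "$score" -gt 100 ]; then
    echo "veracode: score out of range: $score" >&2
    return 1
  fi
  printf '    VeracodeScore = "%s"\n' "$score" >> "$2"
  echo "$score"
}

# Demo run on the constructed sample (component.toml stub is also constructed;
# the real file is produced by the DeployHub Pro CLI).
tmpdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_REPORT" > "$tmpdir/detailedreport.xml"
printf '# constructed component.toml stub\n' > "$tmpdir/component.toml"
append_veracode_score "$tmpdir/detailedreport.xml" "$tmpdir/component.toml"
cat "$tmpdir/component.toml"
rm -rf "$tmpdir"
```

The validation matters because the compliance scorecard trusts whatever lands in component.toml: an API error body, an empty file or a report with no static-analysis element would otherwise become a "score" that is rolled up into the Application Version unnoticed.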