diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 592acca..da08cdf 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -108,10 +108,15 @@ Auto Package:
- git -C ${PROJECT_PATH} checkout ${COMMIT_SHA}
- cd $(basename -s .git ${CLONE_URL})
- cd ../../
- - ${CLI_FOLDER}/veracode package --source clonePath/* --output $ARTIFACTS_FOLDER --trust --debug
+ - |
+ if [ "$DEBUG" = "true" ]; then
+ ${CLI_FOLDER}/veracode package --source clonePath/* --output "$ARTIFACTS_FOLDER" --trust --verbose
+ else
+ ${CLI_FOLDER}/veracode package --source clonePath/* --output "$ARTIFACTS_FOLDER" --trust
+ fi
<<: *artifacts_template
rules:
- - if: '$EXECUTE_PIPELINE == "true" || $EXECUTE_POLICY == "true" || $EXECUTE_IAC == "true" || $EXECUTE_SANDBOX == "true"'
+ - if: '$EXECUTE_PIPELINE == "true" || $EXECUTE_POLICY == "true" || $EXECUTE_SANDBOX == "true"'
when: always
.veracode_scan: &veracode_scan
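Review bot: The `if`/`else` duplicates the whole `veracode package` invocation just to toggle one flag, so the two branches will drift the next time an option is added; build the flag once instead, e.g. `VERBOSE_FLAG=""`, `[ "$DEBUG" = "true" ] && VERBOSE_FLAG="--verbose"`, then a single `${CLI_FOLDER}/veracode package --source clonePath/* --output "$ARTIFACTS_FOLDER" --trust $VERBOSE_FLAG`. Dropping `$EXECUTE_IAC` from the rules means the Auto Package job no longer runs for IaC-only pipelines; that looks intentional since the IaC scan in this diff scans a directory rather than the packaged artifact, but a one-line comment on the rule saying so would save the next reader from guessing. Where `$DEBUG` is defined is not visible here (the new `veracode.yml` key is spelled `debug`), so the mapping between the two deserves a comment as well.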
diff --git a/utility/utils.js b/utility/utils.js
index e44b285..3f7b0ba 100644
--- a/utility/utils.js
+++ b/utility/utils.js
@@ -402,12 +402,10 @@ function iacResult(scanResult){
let IaCVulnerabilities = extractIaCVulnerabilities(scanResult);
let IaCMisconfigurations = extractIaCMisconfigurations(scanResult);
let IaCSecrets = extractIaCSecrets(scanResult);
- let IaCPolicyResults = extractIaCPolicyResults(scanResult);
output += IaCVulnerabilities;
output += IaCMisconfigurations;
output += IaCSecrets;
- output += IaCPolicyResults;
return output;
}
@@ -431,16 +429,17 @@ function extractIaCVulnerabilities(scanResult){
INSTALLED : result.artifact.version,
FIXED_IN : result.vulnerability.fix.versions[0] || "N/A",
TYPE : result.artifact.type,
+ MESSAGE : result.vulnerability.description
}));
formattedVulnerabilities.sort((a, b) => severityRank[b.SEVERITY] - severityRank[a.SEVERITY]);
output+= '\n'+
'Vulnerability Scan Details
\n\n'+
- '| Severity | Name | Vulnerability | Installed | Fixed-In | Type |\n' +
- '| -------- | -------- | ------------- | --------- | --------------| ----------- |\n';
+ '| Severity | Name | Vulnerability | Installed | Fixed-In | Type | Message |\n' +
+ '| -------- | -------- | ------------- | --------- | --------------| ----------- | -------------- |\n';
formattedVulnerabilities.forEach((result) => {
- output += `| ${result.SEVERITY} | ${result.NAME} | ${result.VULNERABILITY} | ${result.INSTALLED} | ${result["FIXED_IN"]} | ${result.TYPE} |\n`;
+ output += `| ${result.SEVERITY} | ${result.NAME} | ${result.VULNERABILITY} | ${result.INSTALLED} | ${result["FIXED_IN"]} | ${result.TYPE} | ${result.MESSAGE} |\n`;
});
output += '\n \n';
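Review bot: `result.vulnerability.description` is rendered straight into a markdown table cell on the `output +=` line, and advisory descriptions routinely contain `|` characters and line breaks, either of which ends the row early and shifts the remaining columns. The field can also be absent, which prints the literal `undefined` in the report. Normalise it where the row object is built: `MESSAGE : String(result.vulnerability.description ?? 'N/A').replace(/\r?\n/g, ' ').replace(/\|/g, '\\|')`. `extractIaCVulnerabilities` begins before this hunk.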
@@ -449,9 +448,9 @@ function extractIaCVulnerabilities(scanResult){
function extractIaCMisconfigurations(scanResults) {
let output = "";
- const Misconfigurations = scanResults?.configs?.Results?.[0]?.Misconfigurations;
+ const Misconfigurations = scanResults?.configs;
- if (!Misconfigurations || Misconfigurations.length === 0) {
+ if (Misconfigurations.length === 0) {
output += "\n\n";
output += "Misconfiguration Details
\n\n";
output += "No Misconfigurations found.\n";
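Review bot: The rewritten guard `if (Misconfigurations.length === 0)` drops the null check that the removed line had, so a result with no `configs` key (or an undefined `scanResults`, which the `?.` on the line above tolerates) now throws a TypeError instead of printing "No Misconfigurations found." Make the lookup and the guard agree: `const Misconfigurations = scanResults?.configs ?? [];`. The removed line also dropped the `Results?.[0]?.Misconfigurations` path, so the new code assumes `configs` is already the flat array; that shape isn't visible here and is worth confirming against the CLI's current JSON. The rest of the function lies outside this hunk.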
@@ -464,19 +463,21 @@ function extractIaCMisconfigurations(scanResults) {
TITLE : result.Title,
ID : result.ID,
PROVIDER : result.CauseMetadata.Provider,
+ MESSAGE : result.Message === "No issues found" ? "-" : result.Message
}));
formattedData.sort((a, b) => severityRank[b.SEVERITY] - severityRank[a.SEVERITY]);
output += '\n\n' +
'Misconfiguration Details
\n\n' +
- '| SEVERITY | TITLE | ID | PROVIDER |\n' +
- '| ------- | -------- | ----- | ---------|\n';
+ '| SEVERITY | TITLE | ID | PROVIDER | MESSAGE |\n' +
+ '| ------- | -------- | ----- | --------- | -------------- |\n';
formattedData.forEach((result) => {
output +=
`| ${result.SEVERITY} ` +
`| ${result.TITLE} ` +
`| ${result.ID} ` +
- `| Line ${result.PROVIDER} |\n`;
+ `| Line ${result.PROVIDER} `+
+ `| ${result.MESSAGE} |\n`
});
output += '\n \n';
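Review bot: `result.Message` reaches the `| ${result.MESSAGE} |` cell unescaped, and scanner messages can contain `|` or multi-line text, which breaks the markdown row; the map line only special-cases the exact string "No issues found", so replace it with `MESSAGE : result.Message === "No issues found" ? "-" : String(result.Message ?? "-").replace(/\r?\n/g, " ").replace(/\|/g, "\\|")`. The `| Line ${result.PROVIDER} ` cell predates this change, but it now sits under a header that reads `PROVIDER`, so the "Line " prefix looks like a copy-paste leftover; `| ${result.PROVIDER} ` would match the header. The function continues outside the hunk.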
@@ -485,9 +486,9 @@ function extractIaCMisconfigurations(scanResults) {
function extractIaCSecrets(scanResult){
let output = "";
- const IacSecreteData = scanResult?.secrets?.Results || [];
+ const IacSecreteData = scanResult?.secrets || [];
- if(!IacSecreteData || IacSecreteData.length == 0 ){
+ if(IacSecreteData.length == 0){
output += "\n\n";
output += "Secrets Scan Details
\n";
output += "No Secrets found.\n";
@@ -496,59 +497,25 @@ function extractIaCSecrets(scanResult){
}
const formattedIacSecret = IacSecreteData.map((result) => ({
- SEVERITY : result.Secrets[0].Severity,
- SECRET_TYPE : result.Secrets[0].Title,
- FILE : result.Target
+ SEVERITY : result.Severity,
+ SECRET_TYPE : result.Title,
+ FILE : result.Target,
+ MESSAGE : result.Match
}));
formattedIacSecret.sort((a, b) => severityRank[b.SEVERITY] - severityRank[a.SEVERITY]);
output+= '\n'+
'Secrets Scan Details
\n\n'+
- '| Severity | SECRET_TYPE | FILE |\n' +
- '| -------- | ----------- | -------------|\n';
+ '| Severity | SECRET_TYPE | FILE | MESSAGE |\n' +
+ '| -------- | ----------- | ------------- | ----------------- |\n';
formattedIacSecret.forEach((result) => {
- output += `| ${result.SEVERITY} | ${result.SECRET_TYPE} | ${result.FILE} |\n`;
+ output += `| ${result.SEVERITY} | ${result.SECRET_TYPE} | ${result.FILE} | ${result.MESSAGE} |\n`;
});
output += '\n \n';
return output;
}
-function extractIaCPolicyResults(scanResult){
- let output = "";
- const IacPolicyResult = scanResult?.["policy-results"][0]?.failures || [];
-
- if(!IacPolicyResult|| IacPolicyResult.length == 0 ){
- output += "\n";
- output += "Policy Evaluation Details
\n";
- output += "No Policy found.\n";
- output += " \n";
- return output;
- }
-
- const formattedIacPolicyResult = IacPolicyResult.map((result) => {
- const severityMatch = result.msg.match(/Found (Critical|High|Medium|Low|Very_low|Informational)/);
- const ghsaMatch = result.msg.match(/GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}/);
- return {
- SEVERITY : severityMatch ? severityMatch[1] : "Unknown",
- VULNERABILITY : ghsaMatch ? ghsaMatch[0] : "Unknown",
- MESSAGE : result.msg // Or extract this from the message if it varies
- };
- });
- formattedIacPolicyResult.sort((a, b) => severityRank[b.SEVERITY] - severityRank[a.SEVERITY]);
-
- output+= '\n'+
- 'Policy Evaluation Details
\n\n'+
- '| SEVERITY | VULNERABILITY | MESSAGE |\n' +
- '| -------- | ----------- | -------------|\n';
- formattedIacPolicyResult.forEach((result) => {
- output += `| ${result.SEVERITY} | ${result.VULNERABILITY} | ${result.MESSAGE} |\n`;
- });
- output += '\n ';
-
- return output;
-}
-
module.exports = {
processStaticResultsXML,
attacheResult,
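Review bot: `MESSAGE : result.Match` copies the secret scanner's matched text into the report table, so the very credential the scan flagged is re-emitted wherever this markdown is displayed or stored, which is usually less protected than the source file it was found in. Whether the CLI already redacts `Match` is not visible here; until that is confirmed, mask it before rendering, e.g. `MESSAGE : result.Match ? String(result.Match).slice(0, 4) + '***' : '-'`, and escape `|` so a match containing one cannot break the row. The `|| []` on the `IacSecreteData` line keeps the missing-key case safe, but `result.Severity`/`result.Title` are now read from each entry directly, so that flat shape should be verified against the new CLI output. `module.exports` continues past the end of this hunk.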
diff --git a/veracode-scans/iac-scan/iac-scan.js b/veracode-scans/iac-scan/iac-scan.js
index 700f959..a2806e5 100644
--- a/veracode-scans/iac-scan/iac-scan.js
+++ b/veracode-scans/iac-scan/iac-scan.js
@@ -4,7 +4,7 @@ const { exitOnFailure, updateErrorMessage, uploadArtifact } = require('../../uti
const execa = require('execa');
const displayScanResult = require('../../displayScanResult');
-async function iacScan(sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage) {
+async function iacScan(sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage, debug) {
const veracodeDir = path.dirname(require.main.filename);
const veracodeCliPath = path.resolve(veracodeDir, 'veracode-cli');
const veracodeExecutable = path.join(veracodeCliPath, 'veracode');
@@ -28,7 +28,7 @@ async function iacScan(sourceBranch, breakBuildOnFinding, breakBuildOnError, use
'--type', 'directory',
'--format', 'json',
'--output', 'results.json',
- '--verbose'
+ ...(debug === "true" ? ['--verbose'] : [])
],
{
reject: false,
@@ -47,10 +47,12 @@ async function iacScan(sourceBranch, breakBuildOnFinding, breakBuildOnError, use
'--type', 'directory',
'--format', 'table',
'--output', 'results.txt',
- '--verbose'
+ ...(debug === "true" ? ['--verbose'] : [])
],
{
reject: false,
+ stderr: 'inherit',
+ stdout: 'inherit',
env: {
VERACODE_API_KEY_ID: process.env.VERACODE_API_ID,
VERACODE_API_KEY_SECRET: process.env.VERACODE_API_KEY
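Review bot: With `stdout: 'inherit'` and `stderr: 'inherit'` the table-format run now streams everything the CLI prints into the job log, and when `debug === "true"` that includes `--verbose` output from a process whose environment carries `VERACODE_API_KEY_ID`/`VERACODE_API_KEY_SECRET`. Whether verbose mode echoes environment or request headers is not visible here; if it is not confirmed safe, consider keeping stdio captured in debug mode or at least noting the check in a comment: `// stdio inherited so the table report is visible in the job log; verbose output must not echo credentials`. The JSON run earlier in this file does not inherit stdio, so the two invocations now surface failures differently, which is worth a sentence in the same comment. The execa options continue past the hunk.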
diff --git a/veracode-scans/pipeline-scan/pipeline.js b/veracode-scans/pipeline-scan/pipeline.js
index 096f9a7..ad673ff 100644
--- a/veracode-scans/pipeline-scan/pipeline.js
+++ b/veracode-scans/pipeline-scan/pipeline.js
@@ -9,7 +9,7 @@ const pipelineScanIssue = require('../../veracode-issues/pipelineScanIssue');
const displayScanResult = require('../../displayScanResult');
const { execSync } = require('child_process');
-async function pipelineScan(apiId, apiKey, appProfileName, filterMitigatedFlaws, breakBuildOnFinding, breakBuildOnError, userErrorMessage, policyName, breakBuildOnInvalidPolicy, createIssue) {
+async function pipelineScan(apiId, apiKey, appProfileName, filterMitigatedFlaws, breakBuildOnFinding, breakBuildOnError, userErrorMessage, policyName, breakBuildOnInvalidPolicy, createIssue, debug) {
const veracodeArtifactsDir = path.join(__dirname, '../../veracode-artifacts');
try {
@@ -30,7 +30,7 @@ async function pipelineScan(apiId, apiKey, appProfileName, filterMitigatedFlaws,
const artifacts = await fs.promises.readdir(veracodeArtifactsDir);
const scanResults = await Promise.all(
artifacts.map((artifact) =>
- executePipelineScan(veracodeArtifactsDir, artifact, apiId, apiKey)
+ executePipelineScan(veracodeArtifactsDir, artifact, apiId, apiKey, debug)
)
);
@@ -122,15 +122,16 @@ async function pipelineScan(apiId, apiKey, appProfileName, filterMitigatedFlaws,
}
}
-async function executePipelineScan(veracodeArtifactsDir, artifactName, apiId, apiKey) {
+async function executePipelineScan(veracodeArtifactsDir, artifactName, apiId, apiKey, debug) {
const pipelineResultFileName = `${artifactName}-` + appConfig().pipelineScanFile;
const filteredResultFileName = `${artifactName}-` + appConfig().filteredScanFile;
try {
const artifactFilePath = path.join(veracodeArtifactsDir, artifactName);
const pipelineScanJarPath = path.join(__dirname, 'pipeline-scan.jar');
- const pipelineScanCommand = `java -jar ${pipelineScanJarPath} -vid ${apiId} -vkey ${apiKey} -f ${artifactFilePath} -jf ${pipelineResultFileName} -fjf ${filteredResultFileName}`;
-
+ let pipelineScanCommand = `java -jar ${pipelineScanJarPath} -vid ${apiId} -vkey ${apiKey} -f ${artifactFilePath} -jf ${pipelineResultFileName} -fjf ${filteredResultFileName}`;
+ if(debug === "true")
+ pipelineScanCommand += ' -V true';
execSync(pipelineScanCommand, { stdio: 'inherit' });
return { artifact: artifactName, success: true, results: [] };
} catch (error) {
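Review bot: The `let pipelineScanCommand` line still embeds `${apiKey}` in a shell command string, and `execSync` reports a failing command as `Command failed: <full command>` in the thrown error, so any `console.log(error)` in the `catch` that follows (outside this hunk) writes the API key to the job log; the same string is also visible in the process table while the JAR runs. `artifactFilePath` and the result file names are interpolated unquoted as well, so a packaged artifact whose name contains shell metacharacters changes the command. Passing an argv array through `execFileSync` fixes both, keeps the `-V true` toggle, and needs `execFileSync` added to the `require('child_process')` line at the top of the file.

```javascript
    const pipelineScanArgs = [
      '-jar', pipelineScanJarPath,
      '-vid', apiId,
      '-vkey', apiKey,
      '-f', artifactFilePath,
      '-jf', pipelineResultFileName,
      '-fjf', filteredResultFileName,
    ];
    if (debug === "true") {
      pipelineScanArgs.push('-V', 'true');
    }
    // No shell: arguments are not re-parsed and the key is not part of one command string.
    execFileSync('java', pipelineScanArgs, { stdio: 'inherit' });
    return { artifact: artifactName, success: true, results: [] };
```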
diff --git a/veracode-scans/policy-scan/policy.js b/veracode-scans/policy-scan/policy.js
index bb7a1b0..124f539 100644
--- a/veracode-scans/policy-scan/policy.js
+++ b/veracode-scans/policy-scan/policy.js
@@ -9,7 +9,7 @@ const policyScanIssue = require('../../veracode-issues/policyScanIssue');
const displayScanResult = require('../../displayScanResult');
const exitStatus = true;
-async function policyScan(apiId, apiKey, appName, buildId, policyName, teams, createprofile, breakBuildOnFinding, breakBuildOnError, userErrorMessage, breakBuildOnInvalidPolicy, createIssue, repoUrl) {
+async function policyScan(apiId, apiKey, appName, buildId, policyName, teams, createprofile, breakBuildOnFinding, breakBuildOnError, userErrorMessage, breakBuildOnInvalidPolicy, createIssue, repoUrl, debug) {
try {
const invalidPolicy = await veracodePolicyVerification(apiId, apiKey, policyName, breakBuildOnInvalidPolicy);
if (invalidPolicy) {
@@ -29,7 +29,7 @@ async function policyScan(apiId, apiKey, appName, buildId, policyName, teams, cr
}
try {
- const result = await triggerPolicyScan(apiId, apiKey, policyResult, resApp, veracodeArtifactsDir, buildId, breakBuildOnError, userErrorMessage, createIssue);
+ const result = await triggerPolicyScan(apiId, apiKey, policyResult, resApp, veracodeArtifactsDir, buildId, breakBuildOnError, userErrorMessage, createIssue, debug);
if (result.status === STATUS.Findings) {
exitOnFailure(breakBuildOnFinding);
}
@@ -48,10 +48,12 @@ async function policyScan(apiId, apiKey, appName, buildId, policyName, teams, cr
}
}
-async function triggerPolicyScan(apiId, apiKey, policyResult, resApp, artifactFilePath, buildId, breakBuildOnError, userErrorMessage, createIssue) {
+async function triggerPolicyScan(apiId, apiKey, policyResult, resApp, artifactFilePath, buildId, breakBuildOnError, userErrorMessage, createIssue, debug) {
console.log(`Veracode: Policy scan executing...`);
// let policyScanCommand = `java -jar ${__dirname}/api-wrapper-LATEST/VeracodeJavaAPI.jar -action UploadAndScanByAppId -vid ${apiId} -vkey ${apiKey} -appid ${resApp?.appId} -filepath ${artifactFilePath} -version "${buildId}" -scanpollinginterval 30 - include -autoscan false -scanallnonfataltoplevelmodules false`;
let debugCommand = `java -jar ${__dirname}/api-wrapper-LATEST/VeracodeJavaAPI.jar -action UploadAndScanByAppId -vid *** -vkey *** -appid ${resApp?.appId} -filepath ${artifactFilePath} -version "${buildId}" -scanpollinginterval 30 - include -autoscan true -scanallnonfataltoplevelmodules true -includenewmodules true -deleteincompletescan 2`;
+ if(debug === "true")
+ debugCommand += ' -debug true';
let scan_id = '';
try {
console.log(`Command to execute the policy scan : ${debugCommand}`);
@@ -68,7 +70,8 @@ async function triggerPolicyScan(apiId, apiKey, policyResult, resApp, artifactFi
'-autoscan', 'true',
'-scanallnonfataltoplevelmodules', 'true',
'-includenewmodules', 'true',
- '-deleteincompletescan', '2'
+ '-deleteincompletescan', '2',
+ ...(debug === "true" ? ['-debug', 'true'] : [])
];
const { stdout } = await execa('java', args);
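Review bot: The `-debug true` toggle is now maintained twice, once appended to the masked `debugCommand` string and once spread into `args`, and nothing ties the two together (the string already differs from the array with its stray `- include`), so the logged command will keep drifting from what actually runs. Derive the log line from `args` with the secrets masked instead and drop the hand-written string: `console.log('Command to execute the policy scan : java ' + args.map((a, i) => ['-vid', '-vkey'].includes(args[i - 1]) ? '***' : a).join(' '));`. With `-debug true`, whatever the wrapper prints lands in `stdout`; if that value is logged later in the function (outside this hunk), confirm the wrapper's debug output does not include the credentials it was given.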
diff --git a/veracode-scans/policy-scan/sandbox.js b/veracode-scans/policy-scan/sandbox.js
index 6a5cbf5..eb58943 100644
--- a/veracode-scans/policy-scan/sandbox.js
+++ b/veracode-scans/policy-scan/sandbox.js
@@ -5,7 +5,7 @@ const { getVeracodeApplication, veracodePolicyVerification } = require('../../ut
const execa = require('execa');
const { exitOnFailure } = require('../../utility/utils');
-async function sandboxScan(apiId, apiKey, sourceBranch, policyName, teams, createprofile, buildId, appName, breakBuildOnInvalidPolicy, repoUrl) {
+async function sandboxScan(apiId, apiKey, sourceBranch, policyName, teams, createprofile, buildId, appName, breakBuildOnInvalidPolicy, repoUrl, debug) {
let resApp;
try {
const invalidPolicy = await veracodePolicyVerification(apiId, apiKey, policyName, breakBuildOnInvalidPolicy);
@@ -32,14 +32,14 @@ async function sandboxScan(apiId, apiKey, sourceBranch, policyName, teams, creat
}
try {
- triggerSandboxScan(apiId, apiKey, resApp, veracodeArtifactsDir, sourceBranch, buildId);
+ triggerSandboxScan(apiId, apiKey, resApp, veracodeArtifactsDir, sourceBranch, buildId, debug);
} catch (error) {
console.log(`Error while executing sandbox scan on ${sourceBranch} branch: `, error);
return;
}
}
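Review bot: `triggerSandboxScan(...)` is an `async` function but the rewritten call does not `await` it, so the `try`/`catch` around it can never observe a rejection and the `console.log('Error while executing sandbox scan ...')` branch is unreachable for async failures. If the call is meant to block, change it to `await triggerSandboxScan(apiId, apiKey, resApp, veracodeArtifactsDir, sourceBranch, buildId, debug);`; if fire-and-forget is intended, say so with a comment and handle the promise explicitly, e.g. `.catch((error) => console.log(...))`, so the rejection is not left unhandled. `sandboxScan` begins before this hunk.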
-async function triggerSandboxScan(apiId, apiKey, resApp, artifactFilePath, sourceBranch, buildId) {
+async function triggerSandboxScan(apiId, apiKey, resApp, artifactFilePath, sourceBranch, buildId, debug) {
const sandboxName = `${veracodeConfig().sandboxScanName}${sourceBranch}`;
const args = [
'-jar', `${__dirname}/api-wrapper-LATEST/VeracodeJavaAPI.jar`,
@@ -56,7 +56,8 @@ async function triggerSandboxScan(apiId, apiKey, resApp, artifactFilePath, sourc
'-autoscan', 'true',
'-scanallnonfataltoplevelmodules', 'true',
'-includenewmodules', 'true',
- '-deleteincompletescan', '2'
+ '-deleteincompletescan', '2',
+ ...(debug === "true" ? ['-debug', 'true'] : [])
];
try {
diff --git a/veracode-scans/sca-scan/sca-scan.js b/veracode-scans/sca-scan/sca-scan.js
index d1ce28f..2948e99 100644
--- a/veracode-scans/sca-scan/sca-scan.js
+++ b/veracode-scans/sca-scan/sca-scan.js
@@ -4,9 +4,11 @@ const { attacheResult, exitOnFailure, updateErrorMessage } = require('../../util
const scaScanIssue = require('../../veracode-issues/scaScanIssue');
const displayScanResult = require('../../displayScanResult');
-async function scaScan(clone_url, scaAgenToken, scaUrl, sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage, createIssue) {
+async function scaScan(clone_url, scaAgenToken, scaUrl, sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage, createIssue, debug) {
try {
- const command = `curl -sSL https://download.sourceclear.com/ci.sh | sh -s -- scan --url ${clone_url} --ref ${sourceBranch} --recursive --allow-dirty`;
+ let command = `curl -sSL https://download.sourceclear.com/ci.sh | sh -s -- scan --url ${clone_url} --ref ${sourceBranch} --recursive --allow-dirty`;
+ if(debug === "true")
+ command += ' --debug';
const output = execSync(command, { encoding: 'utf-8', env: { ...process.env, SRCCLR_API_TOKEN: scaAgenToken, SRCCLR_API_URL: scaUrl }, maxBuffer: 1024 * 1024 * 10 });
const jsonCommand = `curl -sSL https://download.sourceclear.com/ci.sh | sh -s -- scan --url ${clone_url} --ref ${sourceBranch} --json=scaScan.json --recursive --allow-dirty`;
const jsonOutput = execSync(jsonCommand, { encoding: 'utf-8', env: { ...process.env, SRCCLR_API_TOKEN: scaAgenToken, SRCCLR_API_URL: scaUrl }, maxBuffer: 1024 * 1024 * 10 });
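Review bot: `clone_url` and `sourceBranch` are spliced unquoted into a shell string on the `let command` line, so a branch name containing `;`, `$(` or backticks (all legal in git ref names) executes as a command under the job's identity with `SRCCLR_API_TOKEN` in its environment. Whether branch names are attacker-controlled here depends on the project's fork and merge policy, which is not visible; at minimum single-quote the values, e.g. `const sq = (s) => "'" + String(s).replace(/'/g, "'\\''") + "'";` and then `--url ${sq(clone_url)} --ref ${sq(sourceBranch)}`, and apply the same to `jsonCommand`. The `curl | sh` bootstrap predates this change, but with `--debug` now passed on the first run it is worth confirming the agent does not print its token in debug output, since `output` is captured as a string and may be logged further down (outside the hunk).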
diff --git a/veracode.yml b/veracode.yml
index 1cfc039..3c64803 100644
--- a/veracode.yml
+++ b/veracode.yml
@@ -1,3 +1,5 @@
+debug:
+ false
veracode_static_scan:
push:
trigger: true
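Review bot: `debug:` followed by `false` on its own line parses as the scalar `debug: false`, but the split layout reads like the start of a nested block; writing `debug: false` on one line is clearer and yields the same value. Nothing else in this diff reads this key — the Node entry point reads `process.env.DEBUG` and the CI job reads `$DEBUG` — so if this file is meant to drive the flag, the wiring is not visible here and a comment naming the consumer (or the CI variable it maps to) would help.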
diff --git a/veracodeScan.js b/veracodeScan.js
index 8d65e65..615fe36 100644
--- a/veracodeScan.js
+++ b/veracodeScan.js
@@ -35,18 +35,19 @@ async function veracodeScan() {
const breakBuildOnInvalidPolicy = process.env.BREAK_BUILD_ON_INVALID_POLICY || false;
const repoUrl = process.env.PROJECT_URL;
+ const debug = process.env.DEBUG;
if (executePipeline) {
console.log(`Executing pipeline scan on ${projectName} repo for ${sourceBranch} branch`);
- await pipelineScan(apiId, appKey, appProfileName, filterMitigatedFlaws, breakBuildOnFinding, breakBuildOnError, userErrorMessage, policyName, breakBuildOnInvalidPolicy, createIssue);
+ await pipelineScan(apiId, appKey, appProfileName, filterMitigatedFlaws, breakBuildOnFinding, breakBuildOnError, userErrorMessage, policyName, breakBuildOnInvalidPolicy, createIssue, debug);
}
if (executeSandbox) {
console.log(`Executing sandbox scan on ${projectName} repo for ${sourceBranch} branch`);
- sandboxScan(apiId, appKey, sourceBranch, policyName, '', createProfile, ciPipelineId, appProfileName, breakBuildOnInvalidPolicy, repoUrl)
+ sandboxScan(apiId, appKey, sourceBranch, policyName, '', createProfile, ciPipelineId, appProfileName, breakBuildOnInvalidPolicy, repoUrl, debug)
}
if (executePolicy) {
console.log(`Executing policy scan on ${projectName} repo for ${sourceBranch} branch`);
- await policyScan(apiId, appKey, appProfileName, ciPipelineId, policyName, '', createProfile, breakBuildOnFinding, breakBuildOnError, userErrorMessage, breakBuildOnInvalidPolicy, createIssue, repoUrl);
+ await policyScan(apiId, appKey, appProfileName, ciPipelineId, policyName, '', createProfile, breakBuildOnFinding, breakBuildOnError, userErrorMessage, breakBuildOnInvalidPolicy, createIssue, repoUrl, debug);
}
if (executeRemoveSandbox) {
console.log(`Executing removed sandbox scan on ${projectName} repo for ${sourceBranch} branch`);
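Review bot: `const debug = process.env.DEBUG;` passes the raw variable through, and every consumer in this diff compares it with `=== "true"`, so `DEBUG=True`, `DEBUG=1` or a trailing space silently leaves debug off with no message. Normalise once here so the downstream string contract holds: `const debug = String(process.env.DEBUG ?? '').trim().toLowerCase() === 'true' ? 'true' : 'false';`. The `sandboxScan(...)` call two lines below is still not awaited while the other scans are; if that is deliberate a short comment would stop it being "fixed" later. `veracodeScan` continues past the hunk.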
@@ -54,11 +55,11 @@ async function veracodeScan() {
}
if (executeSca) {
console.log(`Executing sca scan on ${projectName} repo for ${sourceBranch} branch`);
- await scaScan(sourceRepoCloneUrl, scaAgenToken, scaUrl, sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage, createIssue);
+ await scaScan(sourceRepoCloneUrl, scaAgenToken, scaUrl, sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage, createIssue, debug);
}
if (executeIac) {
console.log(`Executing iac scan on ${projectName} repo for ${sourceBranch} branch`);
- await iacScan(sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage)
+ await iacScan(sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage, debug)
}
}
veracodeScan();