The Veracode connector ingests application security (DAST) findings from Veracode into Qualys ETM for centralized analysis.
What is the Veracode API Connector?
The connector securely pulls application issues from Veracode APIs on a schedule and normalizes them for TruRisk-based prioritization in ETM.
Category
Category | Supported Asset Type | Supported Finding Type |
---|---|---|
API Connector | Web Applications | App Issues |
Prerequisites
The Veracode Connector is available on demand. To activate it for your subscription, please contact your Technical Account Manager (TAM) or Qualys Support.
API Credentials
Generate API ID and API Key from the Veracode portal
- Log in to the Veracode portal.
- Go to Account menu > API Credentials > Generate API Credentials.
Connector Configuration
Basic Details
- Provide Name and Description.
- Select findings type (App Issues).
- Enter API ID and API Key.
Authentication Details
Name | Key | Type | Description / Example |
---|---|---|---|
API ID | api id | String | Veracode API ID. |
API Key | api key | String | Veracode API Key. |
Data Model
The Veracode API Connector provides an out-of-the-box data model mapping from Veracode fields to the Qualys ETM schema. You can view the schema to understand the attributes in the data model.
Transform Maps
Default transform maps are provided. You can create or clone maps and set Transform Map Name, Source Data Model, and Target Data Model.
Profile
Create a profile with Name, Description, Transform Map, Status, and Schedule.
Scoring
Map vendor non-CVE scores to QDS 0–100; set Default Severity for unmatched values.
How Does a Connection Work?
On schedule (or on-demand), the connector fetches Veracode application findings and imports them into ETM.
In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.
Connector States
A successfully configured connector goes through four states.
- Registered - The connector is successfully created and registered to fetch data from the vendor.
- Scheduled - The connector is scheduled to execute a connection with the vendor.
- Processing - A connection is executed and the connector is fetching the asset and findings data.
- Processed - The connector has successfully fetched the assets; it may still be fetching the findings. Wait some more time for the connector to fetch the findings completely.
The Processed state indicates that the connector is successfully configured but is still importing all your assets and findings. This process (specifically for findings) may take some time.
This entire process may take up to 2 hours for completion. Once it is done, you can find the imported data in Enterprise TruRisk Management (ETM).
View Assets and Findings in ETM
Applications: Inventory views for imported Veracode applications.
Findings: Risk Management > Findings, filtered with finding.vendorProductName:"Veracode".
Activating Web Applications in WAS
Web applications synced from the Veracode Connector appear in:
- ETM
- CSAM
- WAS
By default, these applications are not activated for scanning in WAS.
To activate web applications in WAS:
- Navigate to CSAM > Web Applications.
- Select the desired web application.
- Choose Quick Actions > Activate WAS.
NOTE: Activating web applications will consume WAS licenses. You should activate only the required applications.
Additional Information
API Reference
API Details | Endpoint | Notes |
---|---|---|
Authentication | Not required | Per spec. |
List Applications | https://api.veracode.com/appsec/v1/applications | API limitations may apply. |
Application Findings | https://api.veracode.com/appsec/v2/applications/ | API limitations may apply. |
Profile Details
Name | Key | Type | Description |
---|---|---|---|
Raw Message | isEnabledRaw | CheckBox | Include raw API payload in findings. |
Filter Query | filter | String | Filter expression to refine fetched results. |
Detection of DataType | — | App Issues | Fetches Veracode application issues. |
Veracode DAST Data Model Map
Vulnerability Mapping
Source Field | Target Field |
---|---|
application_url | webAppUrl |
profile.name | webAppName |
findings[].issue_id | externalFindingId |
findings[].finding_details.attack_vector | findingName |
findings_severity | findingSeverity |
findings[].description | findingDescription |
findings[].finding_details.cwe.id [CWE-findings_cwe_id] | cweId |
_links.self.href | findingDetectionURL |
findings[].finding_status.status (OPEN, CLOSED, NOT_EXPLOITABLE) | findingStatus (ACTIVE, FIXED, ACTIVE, respectively) |
findings[].finding_status.last_seen_date | findingLastFoundOn |
findings[].finding_status.first_found_date | findingFirstFoundOn |
finding_details.url | sourceFindingURL |
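The mapping above, applied in code to a constructed Veracode findings payload, as an added example that is not Qualys or Veracode code. It assumes the payload shape shown (invented for the example), reads the table's `findings_severity` from `finding_details.severity`, and leaves statuses outside the table unmapped (None) rather than guessing.

```python
# Vendor status -> ETM findingStatus, exactly as listed in the mapping table.
STATUS_MAP = {"OPEN": "ACTIVE", "CLOSED": "FIXED", "NOT_EXPLOITABLE": "ACTIVE"}


def map_finding(app: dict, finding: dict) -> dict:
    """Build one ETM record from an application payload and one findings[] entry."""
    details = finding.get("finding_details", {})
    status = finding.get("finding_status", {})
    cwe_id = details.get("cwe", {}).get("id")
    return {
        "webAppUrl": app.get("application_url"),
        "webAppName": app.get("profile", {}).get("name"),
        "externalFindingId": finding.get("issue_id"),
        "findingName": details.get("attack_vector"),
        # Assumption: the table's "findings_severity" lives at finding_details.severity.
        "findingSeverity": details.get("severity"),
        "findingDescription": finding.get("description"),
        # The table gives the target format as CWE-<id>; stay None when absent.
        "cweId": f"CWE-{cwe_id}" if cwe_id is not None else None,
        "findingDetectionURL": app.get("_links", {}).get("self", {}).get("href"),
        # Statuses outside the table are not guessed; None flags them for review.
        "findingStatus": STATUS_MAP.get(status.get("status")),
        "findingLastFoundOn": status.get("last_seen_date"),
        "findingFirstFoundOn": status.get("first_found_date"),
        "sourceFindingURL": details.get("url"),
    }


def map_application(app: dict) -> list:
    """Apply map_finding to every findings[] entry of one application payload."""
    return [map_finding(app, f) for f in app.get("findings", [])]


# Constructed sample (not a real Veracode response) in the shape the table implies.
SAMPLE_APP = {
    "application_url": "https://app.example.test",
    "profile": {"name": "Example Web App"},
    "_links": {"self": {"href": "https://api.veracode.com/appsec/v2/applications/APP-GUID-PLACEHOLDER"}},
    "findings": [
        {"issue_id": 1001, "description": "Input echoed without encoding.",
         "finding_details": {"attack_vector": "Cross-Site Scripting", "cwe": {"id": 79},
                             "severity": 4, "url": "https://app.example.test/search"},
         "finding_status": {"status": "OPEN", "first_found_date": "2024-01-10T08:00:00Z",
                            "last_seen_date": "2024-03-02T08:00:00Z"}},
        {"issue_id": 1002, "description": "Accepted risk, reviewed by the team.",
         "finding_details": {"attack_vector": "Information Leakage", "cwe": {"id": 200},
                             "severity": 2, "url": "https://app.example.test/debug"},
         "finding_status": {"status": "NOT_EXPLOITABLE", "first_found_date": "2023-11-01T08:00:00Z",
                            "last_seen_date": "2024-01-01T08:00:00Z"}},
    ],
}
```

Note that NOT_EXPLOITABLE lands as ACTIVE in ETM, exactly as the table says, so vendor-side risk acceptance does not close the finding on the ETM side.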