Allows bulk suppression of a specific CVE across your full application portfolio. The script can also reverse a bulk suppression it made earlier.
Note: This script requires Python 3!
The script leverages the mitigation workflow in Veracode to propose, approve and reject mitigations on CVE findings so that those findings no longer affect policy compliance. To preserve any mitigation actions people have already taken, the script only operates on findings that have no previous mitigation actions in place.
Script will only approve (Suppress) CVE findings if:
- No existing proposed mitigation exists
- No existing approved mitigation exists
Script will only reject (Unapprove) CVE findings that were previously approved by this script. It identifies them by matching the approval comment the script used when it approved the mitigation. Any other finding is skipped, so manually approved mitigations are never reverted.
Clone this repository:
git clone https://github.com/aszaryk/veracode-bulk-cve-suppression
Install dependencies:
cd veracode-bulk-cve-suppression
pip install -r requirements.txt
(Optional) Save Veracode API credentials in ~/.veracode/credentials (restrict the file to your own user, e.g. chmod 600, since the secret grants API access to your account):
[default]
veracode_api_key_id = <YOUR_API_KEY_ID>
veracode_api_key_secret = <YOUR_API_KEY_SECRET>
Within the script, set the following options to meet your needs:
------------- CONFIGURATION ---------------
cve_to_mitigate = 'CVE-xxxx-xxxx' *#CVE To suppress. For example: 'CVE-2018-1199'*
propose_action = 'BYDESIGN' *#REASON in Propose action. Acceptable Values are: ['BYENV', 'BYDESIGN', 'FP', 'ACCEPTRISK']*
propose_comment = 'Proposal comment to auto suppress CVE' *#COMMENT required to propose a mitigation*
approve_comment = 'Bulk suppression of CVE Approval' *#COMMENT required to accept a mitigation*
reject_comment = 'Bulk rejection of CVE Rejection comment' *#COMMENT required to reject a mitigation*
bulk_action = 'SUPPRESS' *# Use 'SUPPRESS' to auto-approve a mitigation OR 'EXPOSE' to reject a previously auto-approved mitigation*
------------- END CONFIGURATION -------------
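The rules above (suppress only findings with no proposed or approved mitigation; expose only findings whose latest approval carries this script's own approval comment) are easiest to get right as a pure decision function that is tested before any API call is made. The planner below is an added example written for this page, not the project's own code. The finding layout it reads (`issue_id`, `finding_details.cve.name`, `finding_status.resolution_status`, and `annotations[]` entries with `action`, `comment` and `created`) is an assumption modelled on Veracode Findings API responses, and the request dicts it returns are shaped like the bodies an annotation call would take; adjust the accessors if your tenant returns different keys. The sample findings are constructed, not real scan data.

```python
"""Planner for the propose/approve/reject decisions used in bulk CVE suppression.

Added example, not the project's own code. The finding layout (issue_id,
finding_details.cve.name, finding_status.resolution_status, annotations[] with
action/comment/created) is an ASSUMPTION modelled on Veracode Findings API
responses; the returned dicts are shaped like annotation request bodies (also
assumed). Adjust the accessors if your tenant returns different keys.
"""
from typing import Dict, List

# Same options the script exposes; values here are the README defaults.
CVE_TO_MITIGATE = "CVE-2018-1199"
PROPOSE_ACTION = "BYDESIGN"   # one of BYENV, BYDESIGN, FP, ACCEPTRISK
PROPOSE_COMMENT = "Proposal comment to auto suppress CVE"
APPROVE_COMMENT = "Bulk suppression of CVE Approval"
REJECT_COMMENT = "Bulk rejection of CVE Rejection comment"


def finding_cve(finding: Dict) -> str:
    """CVE identifier attached to an SCA finding, or '' if it has none."""
    return finding.get("finding_details", {}).get("cve", {}).get("name", "")


def latest_approval_comment(finding: Dict) -> str:
    """Comment on the most recent APPROVED annotation, or '' if never approved."""
    approvals = [a for a in finding.get("annotations", []) if a.get("action") == "APPROVED"]
    if not approvals:
        return ""
    # ISO-8601 timestamps sort lexicographically, so max(created) is the newest.
    newest = max(approvals, key=lambda a: a.get("created", ""))
    return newest.get("comment", "")


def plan_annotations(finding: Dict, bulk_action: str, cve: str = CVE_TO_MITIGATE) -> List[Dict]:
    """Return the annotation requests to send for one finding; [] means skip it."""
    if finding_cve(finding) != cve:
        return []
    status = finding.get("finding_status", {}).get("resolution_status", "NONE")
    issue = str(finding["issue_id"])

    if bulk_action == "SUPPRESS":
        # Leave anything a human has already proposed or approved untouched.
        if status in ("PROPOSED", "APPROVED"):
            return []
        return [
            {"issue_list": issue, "action": PROPOSE_ACTION, "comment": PROPOSE_COMMENT},
            {"issue_list": issue, "action": "APPROVED", "comment": APPROVE_COMMENT},
        ]

    if bulk_action == "EXPOSE":
        # Only undo approvals this script made: the latest approval must carry our comment.
        if status != "APPROVED" or latest_approval_comment(finding) != APPROVE_COMMENT:
            return []
        return [{"issue_list": issue, "action": "REJECTED", "comment": REJECT_COMMENT}]

    raise ValueError(f"bulk_action must be 'SUPPRESS' or 'EXPOSE', got {bulk_action!r}")


def plan_portfolio(findings: List[Dict], bulk_action: str) -> Dict[int, List[Dict]]:
    """issue_id -> requests for every finding the run would touch; skipped findings are omitted."""
    plan: Dict[int, List[Dict]] = {}
    for finding in findings:
        requests = plan_annotations(finding, bulk_action)
        if requests:
            plan[finding["issue_id"]] = requests
    return plan


# Constructed sample findings covering each branch (not real Veracode data).
SAMPLE_FINDINGS = [
    {"issue_id": 101, "finding_details": {"cve": {"name": "CVE-2018-1199"}},
     "finding_status": {"resolution_status": "NONE"}, "annotations": []},
    {"issue_id": 102, "finding_details": {"cve": {"name": "CVE-2018-1199"}},
     "finding_status": {"resolution_status": "APPROVED"},
     "annotations": [
         {"action": "BYDESIGN", "comment": PROPOSE_COMMENT, "created": "2024-01-05T10:00:00.000Z"},
         {"action": "APPROVED", "comment": APPROVE_COMMENT, "created": "2024-01-05T10:00:01.000Z"},
     ]},
    {"issue_id": 103, "finding_details": {"cve": {"name": "CVE-2018-1199"}},
     "finding_status": {"resolution_status": "APPROVED"},
     "annotations": [{"action": "APPROVED", "comment": "Reviewed by AppSec",
                      "created": "2023-11-02T09:00:00.000Z"}]},
    {"issue_id": 104, "finding_details": {"cve": {"name": "CVE-2018-1199"}},
     "finding_status": {"resolution_status": "PROPOSED"},
     "annotations": [{"action": "FP", "comment": "Developer believes this is a false positive",
                      "created": "2024-02-01T08:00:00.000Z"}]},
    # Placeholder CVE id, not a real one: exercises the "different CVE" branch.
    {"issue_id": 105, "finding_details": {"cve": {"name": "CVE-0000-0000"}},
     "finding_status": {"resolution_status": "NONE"}, "annotations": []},
]

if __name__ == "__main__":
    for action in ("SUPPRESS", "EXPOSE"):
        print(action, plan_portfolio(SAMPLE_FINDINGS, action))
```

Running the planner over the sample set, SUPPRESS touches only issue 101 (102 and 103 are already approved, 104 has a pending proposal, 105 is a different CVE), and EXPOSE touches only issue 102, whose latest approval carries this script's comment; the manual approval on 103 is left alone. Keeping the decision separate from the HTTP calls also makes a dry run trivial: print the plan, then send it.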
If you have saved credentials as above, you can run:
python BulkCVESuppression.py
Otherwise, set the credentials as environment variables before running:
export VERACODE_API_KEY_ID=<YOUR_API_KEY_ID>
export VERACODE_API_KEY_SECRET=<YOUR_API_KEY_SECRET>
python BulkCVESuppression.py
The script writes its log to a BulkCVESuppression.log file in the working directory.