Bulk Approve or Reject Veracode CVE Findings

Allows for bulk suppression of a specific CVE across the full application portfolio. The script can also be used to reverse a bulk suppression of CVE findings.

Note: This script requires Python 3!

Expected Results

The script leverages the mitigation workflow in Veracode to propose, approve and reject CVE findings so that they do not affect policy. To preserve any previous mitigation decisions, the script is meant to operate only on issues that have no previous mitigation actions in place.

APPROVALS:

The script will only approve (suppress) CVE findings if:

  1. No existing proposed mitigation exists
  2. No existing approved mitigation exists

UNAPPROVALS:

The script will only reject (unapprove) CVE findings that were previously mitigated by this script. It identifies them by matching the approval comment the script wrote when it approved the mitigation; any finding whose approval comment does not match is skipped, so mitigations approved by hand are left untouched.

Setup

Clone this repository:

git clone https://github.com/aszaryk/veracode-bulk-cve-suppression

Install dependencies:

cd veracode-bulk-cve-suppression
pip install -r requirements.txt

(Optional) Save your Veracode API credentials in ~/.veracode/credentials:

[default]
veracode_api_key_id = <YOUR_API_KEY_ID>
veracode_api_key_secret = <YOUR_API_KEY_SECRET>

Configuration

Within the script, set the following options to meet your needs:

# ------------- CONFIGURATION ---------------
cve_to_mitigate = 'CVE-xxxx-xxxx'   # CVE to suppress. For example: 'CVE-2018-1199'
propose_action = 'BYDESIGN'         # REASON in the Propose action. Acceptable values are: ['BYENV', 'BYDESIGN', 'FP', 'ACCEPTRISK']
propose_comment = 'Proposal comment to auto suppress CVE'   # COMMENT required to propose a mitigation
approve_comment = 'Bulk suppression of CVE Approval'        # COMMENT required to accept a mitigation
reject_comment = 'Bulk rejection of CVE Rejection comment'  # COMMENT required to reject a mitigation
bulk_action = 'SUPPRESS'            # Use 'SUPPRESS' to auto-approve a mitigation OR 'EXPOSE' to reject a previously auto-approved mitigation
# ------------- END CONFIGURATION -------------
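The approval and unapproval rules from "Expected Results", combined with the configuration names above, as an added example that is not the repository's own script: a pure decision function run over constructed findings. The finding/annotation dictionary shape, the 'PROPOSED'/'APPROVED' annotation strings and the 'APPROVE'/'REJECT' output actions are assumptions for illustration, not the Veracode API schema.

```python
# Added example (not the repository's own code): the README's approve/reject
# rules applied to a constructed list of findings. The finding/annotation
# shape used here is an assumption for illustration, not the Veracode schema.

# Configuration values as named in the script's CONFIGURATION block.
cve_to_mitigate = "CVE-2018-1199"
propose_action = "BYDESIGN"
approve_comment = "Bulk suppression of CVE Approval"


def planned_annotations(finding, bulk_action):
    """Return the annotation actions to issue for one finding, or [] to skip.

    SUPPRESS: propose (propose_action) then APPROVE, only if the finding has
    no proposed and no approved mitigation already.
    EXPOSE: REJECT, only if the latest approval carries this script's
    approve_comment, so mitigations approved by hand are never reversed.
    """
    if finding.get("cve") != cve_to_mitigate:
        return []
    annotations = finding.get("annotations", [])
    proposed = [a for a in annotations if a["action"] == "PROPOSED"]
    approved = [a for a in annotations if a["action"] == "APPROVED"]
    if bulk_action == "SUPPRESS":
        if proposed or approved:
            return []  # preserve earlier mitigation decisions
        return [propose_action, "APPROVE"]
    if bulk_action == "EXPOSE":
        if approved and approved[-1]["comment"] == approve_comment:
            return ["REJECT"]
        return []  # not approved by this script, or nothing to reject
    raise ValueError(f"unknown bulk_action {bulk_action!r}")


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    {"id": 1, "cve": "CVE-2018-1199", "annotations": []},
    {"id": 2, "cve": "CVE-2018-1199",
     "annotations": [{"action": "APPROVED", "comment": approve_comment}]},
    {"id": 3, "cve": "CVE-2018-1199",
     "annotations": [{"action": "APPROVED", "comment": "reviewed by AppSec"}]},
    {"id": 4, "cve": "CVE-2018-1199",
     "annotations": [{"action": "PROPOSED", "comment": "pending review"}]},
    {"id": 5, "cve": "CVE-2020-0001", "annotations": []},
]

if __name__ == "__main__":
    for mode in ("SUPPRESS", "EXPOSE"):
        for f in SAMPLE_FINDINGS:
            print(mode, f["id"], planned_annotations(f, mode))
```

Only finding 1 is suppressed and only finding 2 is exposed; findings 3 and 4 are skipped because a human decision already exists, and finding 5 is a different CVE.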

Run

If you have saved credentials as above you can run:

python BulkCVESuppression.py 

Otherwise you will need to set environment variables:

export VERACODE_API_KEY_ID=<YOUR_API_KEY_ID>
export VERACODE_API_KEY_SECRET=<YOUR_API_KEY_SECRET>
python BulkCVESuppression.py

Logging

The script creates a BulkCVESuppression.log file.
