Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.
-config
: path to JSON config file
A sample config file is below:
{
"auth": {
"credsFile": "/Users/bpitta/.veracode/credentials"
},
"scope": {
"allApps": false,
"appListTextFile": "applist.txt"
},
"mode":{
"logOnly": true,
"proposeOnly": false,
"proposeAndAccept": false
},
"targetFlaws": {
"cweList": "80, 79",
"requireTextInDesc": true,
"requiredText":"texToSearchFor",
"static": true,
"dynamic": true
},
"mitigationInfo":{
"mitigationType": "netenv",
"proposalComment": "Proposal text",
"approvalComment": "Approval text"
}
}
Configuration Notes:
- The
appsListTextFile
parameter should be used whenallApps
is set tofalse
. It should be a text file with target app IDs on separate lines. - The
cweList
parameter should be a comma separated list of CWEs to target for mitigation. - The
requiredTextInDesc
parameter will search for text in the flaw description. The text to search for should be placed in therequiredText
parameter. For example, you can use this to target flaws on a specific cookie from a dynamic scan by including the cookie name. - The
mitigationType
must becomment
,fp
,appdesign
,osenv
, ornetenv
.
The credentials file should be set up as follows:
veracode_api_key_id = ID HERE
veracode_api_key_secret = SECRET HERE
The executable is available in the release section of the repository: https://github.com/brian1917/vcodeAutoMitigate/releases
github.com/brian1917/vcodeapi (https://godoc.org/github.com/brian1917/vcodeapi)