Skip to content

Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.

License

Notifications You must be signed in to change notification settings

brian1917/vcodeAutoMitigate

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Veracode Auto Mitigate

Description

Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.

Parameters

-config: path to JSON config file

Configuration File

A sample config file is below:

{
    "auth": {
      "credsFile": "/Users/bpitta/.veracode/credentials"
    },
    "scope": {
        "allApps": false,
        "appListTextFile": "applist.txt"
    },
    "mode":{
      "logOnly": true,
      "proposeOnly": false,
      "proposeAndAccept": false
    },
    "targetFlaws": {
      "cweList": "80, 79",
      "requireTextInDesc": true,
      "requiredText":"texToSearchFor",
      "static": true,
      "dynamic": true
    },
    "mitigationInfo":{
        "mitigationType": "netenv",
        "proposalComment": "Proposal text",
        "approvalComment": "Approval text"
    }
}

Configuration Notes:

  1. The appsListTextFile parameter should be used when allApps is set to false. It should be a text file with target app IDs on separate lines.
  2. The cweList parameter should be a comma separated list of CWEs to target for mitigation.
  3. The requiredTextInDesc parameter will search for text in the flaw description. The text to search for should be placed in the requiredText parameter. For example, you can use this to target flaws on a specific cookie from a dynamic scan by including the cookie name.
  4. The mitigationType must be comment, fp, appdesign, osenv, or netenv.

Credentials File

The credentials file should be set up as follows:

veracode_api_key_id = ID HERE
veracode_api_key_secret = SECRET HERE

Executables

The executable is available in the release section of the repository: https://github.com/brian1917/vcodeAutoMitigate/releases

Third-party Packages

github.com/brian1917/vcodeapi (https://godoc.org/github.com/brian1917/vcodeapi)

About

Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages