Copies mitigations from one Veracode profile to another if it's the same flaw, based on the following flaw attributes:
- Static: `cweid`, `type`, `sourcefile`, and `line` (see the note on line-number drift below)
- Static (no debug information): `cweid`, `type`, `procedure` and `relative_location`
- Dynamic: `cweid`, `path` and `vulnerable_parameter`
The script will copy all accepted mitigations for the flaw. The script will skip a flaw in the copy_to build if it already has an accepted mitigation.
Note: This script requires Python 3!
Clone this repository:
git clone https://github.com/tjarrettveracode/veracode-mitigation-copier
Install dependencies:
cd veracode-mitigation-copier
pip install -r requirements.txt
(Optional) Save Veracode API credentials in ~/.veracode/credentials
[default]
veracode_api_key_id = <YOUR_API_KEY_ID>
veracode_api_key_secret = <YOUR_API_KEY_SECRET>
If you have saved credentials as above you can run:
python MitigationCopier.py (arguments)
Otherwise you will need to set environment variables:
export VERACODE_API_KEY_ID=<YOUR_API_KEY_ID>
export VERACODE_API_KEY_SECRET=<YOUR_API_KEY_SECRET>
python MitigationCopier.py (arguments)
Arguments supported include:
- `-f`, `--fromapp` - Application GUID that you want to copy mitigations from.
- `-fn`, `--fromappname` (optional) - Application Name that you want to copy mitigations from. Overrides `--fromapp`.
- `-fsn`, `--fromsandboxname` (optional) - Sandbox Name to copy from.
- `-fs`, `--fromsandbox` (optional) - Sandbox GUID that you want to copy mitigations from. Ignored if `--prompt` is set.
- `-t`, `--toapp` - Application GUID that you want to copy mitigations to.
- `-tn`, `--toappnames` (optional) - Comma-delimited list of Application Names to copy mitigations to. Overrides `--toapp`.
- `-ts`, `--tosandbox` (optional) - Sandbox GUID that you want to copy mitigations to. Ignored if `--prompt` is set.
- `-tsn`, `--tosandboxnames` (optional) - Comma-delimited list of Sandbox Names to copy to; must be in the same order as `--toappnames`.
- `-st`, `--scan_types` (optional) - Comma-delimited list of scan types for which to copy mitigations (default: SAST, DAST).
- `-sit`, `--sca_import_type` (optional) - Comma-delimited list of types of SCA issues to import (default: licenses, vulnerabilities).
- `-p`, `--prompt` - Specify to prompt for the applications to copy from and to.
- `-d`, `--dry_run` (optional) - Specify to log the mitigations that would be copied rather than actually mitigating the findings.
- `-l`, `--legacy_ids` (optional) - Specify to use legacy Veracode application IDs rather than application GUIDs.
- `-po`, `--propose-only` (optional) - If specified, only propose mitigations; do not approve the copied mitigations.
- `-i`, `--id_list` (optional) - If specified, only copy mitigations from the `fromapp` for the flaw IDs in `id_list`.
- `-si`, `--skip_id_list` (optional) - Skip mitigations for the flaws in the `skip_id_list` (replaces `--id_list`).
- `-vid`, `--veracode_api_key_id` - VERACODE_API_KEY_ID to use (if combined with `--to_veracode_api_key_id` and `--to_veracode_api_key_secret`, allows for moving mitigations between different instances of the platform).
- `-vkey`, `--veracode_api_key_secret` - VERACODE_API_KEY_SECRET to use (if combined with `--to_veracode_api_key_id` and `--to_veracode_api_key_secret`, allows for moving mitigations between different instances of the platform).
- `-tid`, `--to_veracode_api_key_id` - VERACODE_API_KEY_ID to use for TO apps/sandboxes (allows for moving mitigations between different instances of the platform).
- `-tkey`, `--to_veracode_api_key_secret` - VERACODE_API_KEY_SECRET to use for TO apps/sandboxes (allows for moving mitigations between different instances of the platform).
- `-io`, `--include_original_user` - Set to include the original submitter/approver in the copied mitigation comments.
- `-in`, `--include_profile_name` - Set to include the original application profile name instead of its GUID in the copied mitigation comments.
The script creates a MitigationCopier.log file. All actions are logged.
python MitigationCopier.py -fn "Origin App Name" -tn "Target App 1, Target App 2, Target App 3"
python MitigationCopier.py --prompt
python MitigationCopier.py --fromapp abcdefgh-1234-abcd-1234-123456789012 --toapp 12345678-abcd-1234-abcd-abcdefghijkl
python MitigationCopier.py --fromapp abcdefgh-1234-abcd-1234-123456789012 --toapp 12345678-abcd-1234-abcd-abcdefghijkl --id_list 1 2 3
python MitigationCopier.py --fromapp abcdefgh-1234-abcd-1234-123456789012 --toapp 12345678-abcd-1234-abcd-abcdefghijkl --skip_id_list 1 2 3
You must provide the application GUID values for both application profiles. You can look these up by calling the Veracode Applications API (or use the --prompt argument and copy the GUIDs from the console output).
python MitigationCopier.py --fromapp 1234567 --toapp 7654321 --legacy_ids
With `--legacy_ids` you must provide the legacy Veracode application ID values for both application profiles. These IDs are available from the Veracode XML APIs.
python MitigationCopier.py --prompt --dry_run
- For static findings, when matching by line number, we automatically look within a range of line numbers around the original finding line number to allow for drift. This is controlled by the constant `LINE_NUMBER_SLOP` declared at the top of the file.
- For static findings when source file information is not available, we try to use procedure and relative location. This is less predictable, so it is recommended that you perform a dry run when copying mitigations from non-debug code. Unlike when source file information is available, we do not use "sloppy matching" in this case: we have observed that mitigations in non-debug code are most common when a binary dependency is being reused across teams, and thus locations are less likely to change.
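The matching rules from the top of this README and the two notes above, worked through as an added Python example. This is illustrative code written for this page, not the project's `MitigationCopier.py`: the finding dicts, their field names, the `scan_type` values, the `mitigation_status` values and the slop value of 3 are all constructed assumptions. The real script reads findings from the Veracode Findings API and uses its own `LINE_NUMBER_SLOP` constant.

```python
"""Illustration of the copier's 'same flaw' rules (added example, not project code).

Finding records are constructed dicts using the attribute names from the README;
the real script works on Veracode Findings API objects, which are shaped differently.
"""
from typing import List, Optional, Tuple

# Assumed value; the real constant is LINE_NUMBER_SLOP at the top of MitigationCopier.py.
LINE_NUMBER_SLOP = 3


def match_key(finding: dict) -> Optional[Tuple]:
    """Attributes that identify a flaw, per scan type.

    Static with debug info:    cweid, type, sourcefile (line is compared with slop in same_flaw)
    Static without debug info: cweid, type, procedure, relative_location (exact match)
    Dynamic:                   cweid, path, vulnerable_parameter
    """
    f = finding
    if f["scan_type"] == "DYNAMIC":
        return ("dast", f["cweid"], f["path"], f["vulnerable_parameter"])
    if f["scan_type"] == "STATIC":
        if f.get("sourcefile"):
            return ("sast", f["cweid"], f["type"], f["sourcefile"])
        return ("sast-nodebug", f["cweid"], f["type"], f["procedure"], f["relative_location"])
    return None  # SCA and anything else is outside this illustration


def same_flaw(src: dict, dst: dict, slop: int = LINE_NUMBER_SLOP) -> bool:
    """True if dst is 'the same flaw' as src under the README's rules."""
    ks, kd = match_key(src), match_key(dst)
    if ks is None or ks != kd:
        return False
    if ks[0] == "sast":
        # "Sloppy" line matching only applies when source-file information exists.
        return abs(src["line"] - dst["line"]) <= slop
    return True  # no slop for non-debug static or dynamic findings


def plan_copies(from_findings: List[dict], to_findings: List[dict],
                slop: int = LINE_NUMBER_SLOP) -> List[Tuple[int, int]]:
    """Return (from_id, to_id) pairs whose mitigations would be copied.

    Only accepted mitigations are copied, and a 'to' flaw that already has an
    accepted mitigation is skipped, as the README states.
    """
    plan = []
    for dst in to_findings:
        if dst.get("mitigation_status") == "ACCEPTED":
            continue
        for src in from_findings:
            if src.get("mitigation_status") == "ACCEPTED" and same_flaw(src, dst, slop):
                plan.append((src["id"], dst["id"]))
                break
    return plan


# Constructed sample findings (not real scan output).
FROM_FINDINGS = [
    {"id": 1, "scan_type": "STATIC", "cweid": 89, "type": "taint", "sourcefile": "app/db.py",
     "line": 120, "mitigation_status": "ACCEPTED"},
    {"id": 2, "scan_type": "STATIC", "cweid": 79, "type": "taint", "sourcefile": None,
     "procedure": "Render", "relative_location": 44, "mitigation_status": "ACCEPTED"},
    {"id": 3, "scan_type": "DYNAMIC", "cweid": 79, "path": "/search",
     "vulnerable_parameter": "q", "mitigation_status": "ACCEPTED"},
    {"id": 4, "scan_type": "STATIC", "cweid": 22, "type": "taint", "sourcefile": "app/files.py",
     "line": 10, "mitigation_status": "NONE"},
]
TO_FINDINGS = [
    {"id": 10, "scan_type": "STATIC", "cweid": 89, "type": "taint", "sourcefile": "app/db.py",
     "line": 122, "mitigation_status": "NONE"},          # drifted 2 lines: within slop, copied
    {"id": 11, "scan_type": "STATIC", "cweid": 89, "type": "taint", "sourcefile": "app/db.py",
     "line": 140, "mitigation_status": "NONE"},          # drifted 20 lines: not the same flaw
    {"id": 12, "scan_type": "STATIC", "cweid": 79, "type": "taint", "sourcefile": None,
     "procedure": "Render", "relative_location": 45, "mitigation_status": "NONE"},  # no slop: skipped
    {"id": 13, "scan_type": "DYNAMIC", "cweid": 79, "path": "/search",
     "vulnerable_parameter": "q", "mitigation_status": "NONE"},      # copied
    {"id": 14, "scan_type": "DYNAMIC", "cweid": 79, "path": "/search",
     "vulnerable_parameter": "q", "mitigation_status": "ACCEPTED"},  # already mitigated: skipped
    {"id": 15, "scan_type": "STATIC", "cweid": 22, "type": "taint", "sourcefile": "app/files.py",
     "line": 10, "mitigation_status": "NONE"},           # source has no accepted mitigation
]

if __name__ == "__main__":
    for from_id, to_id in plan_copies(FROM_FINDINGS, TO_FINDINGS):
        print(f"would copy mitigation from finding {from_id} to finding {to_id}")
```

Running the sample yields two planned copies (1 to 10 and 3 to 13); the other four target findings are left alone for the reasons in the inline comments. Finding 12 is the non-debug case the note warns about: a one-unit change in `relative_location` is enough to break the match, which is why a `--dry_run` is worth doing first for non-debug code.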
- The API credentials used are picked with the following priority:
  - For data on the "to" side:
    1. The `-tid`/`--to_veracode_api_key_id` and `-tkey`/`--to_veracode_api_key_secret` parameters
    2. The `VERACODE_API_KEY_ID` and `VERACODE_API_KEY_SECRET` environment variables
    3. The credentials file
  - For data on the "from" side:
    1. The `-vid`/`--veracode_api_key_id` and `-vkey`/`--veracode_api_key_secret` parameters
    2. The `VERACODE_API_KEY_ID` and `VERACODE_API_KEY_SECRET` environment variables
    3. The credentials file
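The credential lookup order above, together with the `~/.veracode/credentials` file format shown in the setup steps, as an added Python example. This is not the project's own code: every input is passed in explicitly (`args` stands in for the parsed command line, `env` for `os.environ`, `credentials_text` for the file contents) so it runs offline, and the rule that a side-specific flag pair only counts when both the id and the secret were supplied is an assumption made here, not something the README states.

```python
"""Credential lookup order from the README (added example, not project code).

Inputs are passed in explicitly so the function is testable offline:
`args` mimics the parsed command line, `env` mimics os.environ, and
`credentials_text` is the text of ~/.veracode/credentials.
"""
import configparser
from typing import Mapping, Optional, Tuple

Creds = Tuple[str, str, str]  # (key_id, key_secret, source the pair came from)


def _pair(mapping: Mapping[str, Optional[str]], id_key: str,
          secret_key: str) -> Optional[Tuple[str, str]]:
    """Return (id, secret) only when both halves are present and non-empty."""
    kid, ksec = mapping.get(id_key), mapping.get(secret_key)
    return (kid, ksec) if kid and ksec else None


def _from_credentials_file(text: Optional[str],
                           profile: str = "default") -> Optional[Tuple[str, str]]:
    """Parse the INI-style credentials file shown in the README ([default] section)."""
    if not text:
        return None
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section(profile):
        return None
    return _pair(cp[profile], "veracode_api_key_id", "veracode_api_key_secret")


def resolve_credentials(side: str, args: Mapping[str, Optional[str]],
                        env: Mapping[str, str],
                        credentials_text: Optional[str] = None) -> Creds:
    """Pick credentials for the 'from' or 'to' side: CLI flags, then env vars, then file.

    Assumption made in this example: a side-specific flag pair only counts when
    both the id and the secret were given; a lone id falls through to the next source.
    """
    if side == "to":
        cli = _pair(args, "to_veracode_api_key_id", "to_veracode_api_key_secret")
    elif side == "from":
        cli = _pair(args, "veracode_api_key_id", "veracode_api_key_secret")
    else:
        raise ValueError(f"side must be 'from' or 'to', got {side!r}")
    if cli:
        return (*cli, "cli")
    from_env = _pair(env, "VERACODE_API_KEY_ID", "VERACODE_API_KEY_SECRET")
    if from_env:
        return (*from_env, "env")
    from_file = _from_credentials_file(credentials_text)
    if from_file:
        return (*from_file, "file")
    raise RuntimeError(f"no Veracode API credentials found for the {side!r} side")


# Constructed sample file contents (placeholder values, not real keys).
SAMPLE_CREDENTIALS_FILE = """[default]
veracode_api_key_id = file-id
veracode_api_key_secret = file-secret
"""

if __name__ == "__main__":
    # Cross-instance copy: -vid/-vkey for the source platform, -tid/-tkey for the target.
    cli_args = {"veracode_api_key_id": "from-id", "veracode_api_key_secret": "from-secret",
                "to_veracode_api_key_id": "to-id", "to_veracode_api_key_secret": "to-secret"}
    for side in ("from", "to"):
        key_id, _, source = resolve_credentials(side, cli_args, {}, SAMPLE_CREDENTIALS_FILE)
        print(f"{side}: key id {key_id} (from {source})")
```

Whichever source wins, the secret ends up in process memory and, for the CLI flags, in your shell history and the process list, so the credentials file or environment variables are the better choice on a shared host; keep `~/.veracode/credentials` readable only by your own user.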