Veracode Batch Fix

.github/workflows/ado-workitems.yml

@@ -0,0 +1,25 @@
+on:
+  workflow_dispatch:
+
+jobs:
+  import-policy-flaws:
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: import flaws as issues
+        uses: julz0815/ado-workitems-action@api_and_close
+        with:
+          ado-token: ${{ secrets.ADO_PAT }}
+          ado-org: jtotzek
+          ado-project: MeijerTest
+          work-item-type: Bug
+          area-path: "MeijerTest"
+          iteration-path: "MeijerTest"
+          open-state: New
+          close-state: Closed
+          repopen-state: New
+          veracode-api-id: ${{ secrets.VID }}
+          veracode-api-key: ${{ secrets.VKEY }}
+          veracode-app-profile: "test-action"
+          scan-type: "Static Analysis and SCA"
+          import-type: "All Unmitigated Flaws Violating Policy"

.github/workflows/backgroundnotifier.yml

@@ -0,0 +1,68 @@
+on:
+#  pull_request:
+#    branches: [main]
+  workflow_dispatch:
+
+
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-java@v3
+      with:
+        distribution: 'zulu'
+        java-version: 8
+    - name: Cache Maven packages
+      uses: actions/cache@v3
+      with:
+        path: ~/.m2
+        key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+    - name: Build with Maven
+      run: mvn clean package
+
+    - uses: actions/upload-artifact@v4
+      with:
+        name: verademo.war
+        path: target/verademo.war
+
+  pipeline_scan:
+      needs: build
+      runs-on: ubuntu-latest
+      name: pipeline scan
+      steps:
+        - name: Background timer notifier
+          run: |
+              (
+                i=0
+                while true; do
+                  i=$((i+1))
+                  curl -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+                    -H "Accept: application/vnd.github.v3+json" \
+                    https://api.github.com/repos/${{ github.repository }}/issues/1/comments \
+                    -d "{\"body\":\"⏱️ Job running for $((i * 1)) minutes...\"}"
+                  sleep 60
+                done
+              ) &
+        - name: checkout repo
+          uses: actions/checkout@v3
+
+        - name: get archive
+          uses: actions/download-artifact@v4
+          with:
+            name: verademo.war
+        - name: pipeline-scan action step
+          id: pipelien-scan
+          uses: veracode/[email protected]
+          with:
+            vid: ${{ secrets.VID }}
+            vkey: ${{ secrets.VKEY }}
+            #file: "auth.js.zip"
+            file: "verademo.war" 
+            request_policy: "VeraDemo Policy"
+            #store_baseline_file: true
+            #store_baseline_file_branch: "feature-123"
+            #create_baseline_from: "standard"
+            debug: 1
+            fail_build: false

.github/workflows/containerscan.yml

@@ -13,10 +13,10 @@ jobs:
       steps:
         - name: checkout
           uses: actions/checkout@v2
-
+          
         - name: container-scan action step
           id: container-scan
-          uses: veracode/container_iac_secrets_scanning@v1.0.1
+          uses: veracode/container_iac_secrets_scanning@addPolicySupport
           with:
             vid: ${{ secrets.VID }}
             vkey: ${{ secrets.VKEY }}
@@ -26,3 +26,4 @@ jobs:
             format: "json"
             debug: true
             fail_build: true
+            policy: "Container/IaC/Secrets"

.github/workflows/dast.yml

@@ -0,0 +1,17 @@
+on:
+  workflow_dispatch:
+
+name: Veracode DAST
+
+jobs:
+    Submit-DAST-Scan:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Submit Veracode DAST Scan
+              uses: veracode/veracode-dast-action@resultsToIssues
+              with:
+                vid: ${{ secrets.VID }}
+                vkey: ${{ secrets.VKEY }}
+                action_type: load-results
+                profile_name: "Verademo API"
+                token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/importflaws.yml

@@ -6,27 +6,75 @@ on:
 #      - feature-123
 
 jobs:
-  get-policy-flaws:
-    runs-on: ubuntu-latest
-    container: 
-      image: veracode/api-signing:latest
-    steps:
-      - name: get policy flaws
-        run: |
-          cd /tmp
-          export VERACODE_API_KEY_ID=${{ secrets.VID }}
-          export VERACODE_API_KEY_SECRET=${{ secrets.VKEY }}
-          guid=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v1/applications?name=test-action" | jq -r '._embedded.applications[0].guid') 
-          echo GUID: ${guid}
-          total_flaws=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True" | jq -r '.page.total_elements')
-          echo TOTAL_FLAWS: ${total_flaws}
-          http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True&size=${total_flaws}" > policy_flaws.json
+#  build:
+#    runs-on: ubuntu-latest
+#    steps:
+#    - uses: actions/checkout@v3
+#    - uses: actions/setup-java@v3
+#      with:
+#        distribution: 'zulu'
+#        java-version: 8
+##    - name: Cache Maven packages
+##      uses: actions/cache@v3
+##      with:
+##        path: ~/.m2
+##        key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+#    - name: Build with Maven
+#      run: mvn clean package
 
-      - name: save results file
-        uses: actions/upload-artifact@v3
-        with:
-          name: policy-flaws
-          path: /tmp/policy_flaws.json
+#    - uses: actions/upload-artifact@v4
+#      with:
+#        name: verademo.war
+#        path: target/verademo.war
+
+#  pipeline_scan:
+#      needs: build
+#      runs-on: ubuntu-latest
+#      name: pipeline scan
+#      steps:
+#        - name: checkout repo
+#          uses: actions/checkout@v3
+
+#        - name: get archive
+#          uses: actions/download-artifact@v4
+#          with:
+#            name: verademo.war
+#        - name: pipeline-scan action step
+#          id: pipelien-scan
+#          uses: veracode/Veracode-pipeline-scan-action@esd-true
+#          with:
+#            vid: ${{ secrets.VID }}
+#            vkey: ${{ secrets.VKEY }}
+#            file: "verademo.war" 
+#            request_policy: "VeraDemo Policy"
+#            debug: 1
+#            fail_build: true
+
+
+
+#  get-policy-flaws:
+#    runs-on: ubuntu-latest
+#    continue-on-error: true
+#    container: 
+#      image: veracode/api-signing:latest
+#    steps:
+#      - name: get policy flaws
+#        run: |
+#          cd /tmp
+#          export VERACODE_API_KEY_ID=${{ secrets.VID }}
+#          export VERACODE_API_KEY_SECRET=${{ secrets.VKEY }}
+#          guid=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v1/applications?name=test-app1" | jq -r '._embedded.applications[0].guid') 
+#          echo GUID: ${guid}
+#          total_flaws=$(http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True&include_annot=TRUE" | jq -r '.page.total_elements')
+#          echo TOTAL_FLAWS: ${total_flaws}
+#          http --auth-type veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/${guid}/findings?scan_type=STATIC&violates_policy=True&size=${total_flaws}&include_annot=TRUE" > policy_flaws.json
+
+#      - name: save results file
+#        uses: actions/upload-artifact@v4
+#        with:
+#          name: policy-flaws
+#          path: /tmp/policy_flaws.json
+
 
 #  results_to_security_tab:
 #    needs: get-policy-flaws
@@ -51,19 +99,37 @@ jobs:
 #          source_base_path_2: "WEB-INF:src/main/webapp/WEB-INF"
 
   import-policy-flaws:
-    needs: get-policy-flaws
+#    needs: get-policy-flaws
     runs-on: ubuntu-latest
+#    if: always()
     steps:
-      - name: get flaw file
-        uses: actions/download-artifact@v3
-        with:
-          name: policy-flaws
-          path: /tmp
+#      - uses: actions/checkout@v3
+#      - name: get flaw file
+#        uses: actions/download-artifact@v4
+#        with:
+#          name: policy-flaws
+#          path: /tmp
+
+      #- name: Show folder
+      #  run: |
+      #    ls -laR /tmp
 
       - name: import flaws as issues
-        uses: veracode/veracode-flaws-to-issues@FixEmptyResults
+        uses: veracode/veracode-flaws-to-issues@ADO_workitems
         with:
+          dts_type: ADO
+          ADO_PAT: ${{ secrets.ADO_PAT }}
+          ADO_ORG: jtotzek
+          ADO_PROJECT: MeijerTest
+          ADO_WORK_ITEM_TYPE: Bug
+          ADO_OPEN_STATE: New
+          ADO_CLOSE_STATE: Closed
+          ADO_REOPEN_STATE: New
           scan-results-json: '/tmp/policy_flaws.json'
-#          debug: true
-          source_base_path_1: "com/:src/main/java/com/"
-          source_base_path_2: "WEB-INF:src/main/webapp/WEB-INF"
+          veracode-api-id: ${{ secrets.VID }}
+          veracode-api-key: ${{ secrets.VKEY }}
+          profile-name: "julian-veracode/python-test-repo"
+          #sandbox-name: "Feature123"
+          include-sca: true
+          autoCloseFindings: true
+          debug: true

.github/workflows/pipelinescan.yaml

@@ -22,7 +22,7 @@ jobs:
     - name: Build with Maven
       run: mvn clean package
 
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@v4
       with:
         name: verademo.war
         path: target/verademo.war
@@ -36,12 +36,12 @@ jobs:
           uses: actions/checkout@v3
 
         - name: get archive
-          uses: actions/download-artifact@v3
+          uses: actions/download-artifact@v4
           with:
             name: verademo.war
         - name: pipeline-scan action step
           id: pipelien-scan
-          uses: veracode/[email protected].12
+          uses: veracode/[email protected].18
           with:
             vid: ${{ secrets.VID }}
             vkey: ${{ secrets.VKEY }}
@@ -54,41 +54,42 @@ jobs:
             debug: 1
             fail_build: false
 
-  results_to_sarif:
-    needs: pipeline_scan
-    runs-on: ubuntu-latest
-    name: import pipeline results to sarif
-    steps:
-      - name: get flaw file
-        uses: actions/download-artifact@v2
-        with:
-          name: Veracode Pipeline-Scan Results
-      - name: Convert pipeline scan output to SARIF format
-        id: convert
-        uses: Veracode/veracode-pipeline-scan-results-to-sarif@support-saf-scanners
-        #uses: Veracode/[email protected]
-        with:
-          pipeline-results-json: results.json
-          output-results-sarif: veracode-results.sarif
+#  results_to_sarif:
+#    needs: pipeline_scan
+#    runs-on: ubuntu-latest
+#    name: import pipeline results to sarif
+#    steps:
+#      - name: get flaw file
+#        uses: actions/download-artifact@v2
+#        with:
+#          name: Veracode Pipeline-Scan Results
+#      - name: Convert pipeline scan output to SARIF format
+#        id: convert
+#        uses: Veracode/veracode-pipeline-scan-results-to-sarif@support-saf-scanners
+#        #uses: Veracode/[email protected]
+#        with:
+#          pipeline-results-json: results.json
+#          output-results-sarif: veracode-results.sari
 
-      - name: upload sarif file to repository
-        uses: github/codeql-action/upload-sarif@v2
-        with: # Path to SARIF file relative to the root of the repository
-          sarif_file: veracode-results.sarif
+#      - name: upload sarif file to repository
+#        uses: github/codeql-action/upload-sarif@v2
+#        with: # Path to SARIF file relative to the root of the repository
+#          sarif_file: veracode-results.sarif
 
 # This step will import flaws from the step above
   import-pipeline-flaws:
     needs: pipeline_scan
     runs-on: ubuntu-latest
     steps:
       - name: get flaw file
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
-          name: Veracode Pipeline-Scan Results
+          #name: Veracode Pipeline-Scan Results - 
           path: /tmp
 
       - name: import flaws as issues
-        uses: veracode/veracode-flaws-to-issues@v2.1.18
+        uses: veracode/veracode-flaws-to-issues@closeIssues
         with:
-          scan-results-json: '/tmp/filtered_results.json'
+          scan-results-json: '/tmp/Veracode Pipeline-Scan Results - /filtered_results.json'
+          debug: true