Veracode offers an integration for the Bugzilla defect tracking system. You can use the integration to import findings that Veracode has detected in your application from the Veracode Platform to Bugzilla. You can then manage the findings as defects in Bugzilla.
This integration is based on standard Bugzilla configuration settings for priority, severity, and other values. If you have customized any fields, you can edit the provided XSL file veracode_bugzilla.xsl to update the logic for mapping fields between the Veracode Platform and Bugzilla. The XSL file is included in the integration package.
- Enable bug moving: in Bugzilla, navigate to Bug Moving on the left side, then set Move-enabled to On.
- Define a default product and component: in the Bug Moving screen, enter the name of a valid product and component to use if the values provided in the import feed are not valid.
Customize the Import Business Logic
- Open veracode_bugzilla.xslt in a text editor or XML editor.
- Find the line that begins <xsl:param name="urlbase" and change the value in quotation marks to the urlbase of your Bugzilla instance. Ensure the value matches the urlbase that appears on the page in Bugzilla.
- Find the line that begins <xsl:param name="maintainer" and change the value in quotation marks to the email address of the person responsible for maintaining the Bugzilla account.
- Find the line that begins <xsl:param name="exporter" and change the value in quotation marks to the email address of a valid Bugzilla user in your local implementation. Ensure the value matches the user that appears on the page in Bugzilla.
If you have changed the default Severity and Priority field values, update these in the XSLT file as well. Veracode assigns these values based on the severity of the finding. You can search for @severity and make the changes in the XSLT wherever that field is referenced.
Finally, the XSLT file suppresses importing fixed findings, but populates new, open, and reopened findings. If you use the XSLT file on multiple builds of the same application, you can suppress open findings as well. To suppress open findings, you can edit the two <xsl:choose> sections in the file.
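The following stylesheet is an added illustration of the three customization steps above (the urlbase, maintainer and exporter parameters, the @severity mapping, and the xsl:choose status filter). It is not the veracode_bugzilla.xslt shipped in the integration package. Beyond @severity, which the text names, the Veracode report element and attribute names used here (flaw, @issueid, @categoryname, @description, @sourcefile, @line, @remediation_status) and all hostnames and addresses are assumptions; the output follows Bugzilla's own bug-export XML, which importxml.pl reads.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative XSLT 1.0 stylesheet, not the shipped veracode_bugzilla.xslt.
     Assumed input: Veracode detailed report XML with <flaw> elements carrying
     @severity (5..0), @issueid, @categoryname, @description, @sourcefile,
     @line and @remediation_status (element/attribute names are assumptions).
     Output: Bugzilla bug-export XML as consumed by importxml.pl. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" indent="yes" encoding="UTF-8"/>

  <!-- Site-specific values: the three parameters the setup steps tell you to edit.
       The quoted strings below are placeholders, not real addresses. -->
  <xsl:param name="urlbase"    select="'https://bugzilla.example.com/'"/>
  <xsl:param name="maintainer" select="'bugzilla-admin@example.com'"/>
  <xsl:param name="exporter"   select="'veracode-import@example.com'"/>
  <!-- Product/component written into each bug; if these are not valid in the
       target Bugzilla, the Bug Moving defaults configured earlier take over. -->
  <xsl:param name="product"    select="'WebApp'"/>
  <xsl:param name="component"  select="'Security'"/>

  <xsl:template match="/">
    <bugzilla urlbase="{$urlbase}" maintainer="{$maintainer}" exporter="{$exporter}">
      <xsl:apply-templates select="//flaw"/>
    </bugzilla>
  </xsl:template>

  <!-- Status filter: fixed findings are dropped; new, open and reopened findings
       become bugs. To suppress open findings as well (repeat builds of the same
       application), delete the @remediation_status='Open' clause from the test. -->
  <xsl:template match="flaw">
    <xsl:choose>
      <xsl:when test="@remediation_status='New' or @remediation_status='Open' or @remediation_status='Re-Opened'">
        <bug>
          <bug_id><xsl:value-of select="@issueid"/></bug_id>
          <short_desc>
            <xsl:value-of select="concat('Veracode ', @issueid, ': ', @categoryname, ' in ', @sourcefile, ':', @line)"/>
          </short_desc>
          <product><xsl:value-of select="$product"/></product>
          <component><xsl:value-of select="$component"/></component>
          <bug_status>NEW</bug_status>
          <reporter><xsl:value-of select="$exporter"/></reporter>
          <!-- Severity mapping: Veracode 5 (Very High) down to 0 (Informational)
               onto Bugzilla's default bug_severity and priority values.
               Change these strings if your Bugzilla uses customized fields. -->
          <xsl:choose>
            <xsl:when test="@severity='5'">
              <bug_severity>blocker</bug_severity><priority>P1</priority>
            </xsl:when>
            <xsl:when test="@severity='4'">
              <bug_severity>critical</bug_severity><priority>P2</priority>
            </xsl:when>
            <xsl:when test="@severity='3'">
              <bug_severity>major</bug_severity><priority>P3</priority>
            </xsl:when>
            <xsl:when test="@severity='2'">
              <bug_severity>normal</bug_severity><priority>P4</priority>
            </xsl:when>
            <xsl:otherwise>
              <bug_severity>minor</bug_severity><priority>P5</priority>
            </xsl:otherwise>
          </xsl:choose>
          <long_desc>
            <who><xsl:value-of select="$exporter"/></who>
            <thetext><xsl:value-of select="@description"/></thetext>
          </long_desc>
        </bug>
      </xsl:when>
      <!-- Fixed findings (and any unrecognised status) produce no bug. -->
      <xsl:otherwise/>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```

The two xsl:choose blocks correspond to the two places the text refers to: the outer one decides which remediation statuses are imported at all, the inner one carries the @severity mapping that must be kept in step with any customized Severity and Priority values in Bugzilla. Because importxml.pl rejects values that do not exist in the target instance, verify the product, component, severity and priority strings against your Bugzilla before running the import against a full result set.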
Add Veracode API Credentials
To use the integration in real time, you must have valid Veracode API credentials. After generating Veracode API credentials, update these lines in the script importresults.pl with the API ID and API key for the API service account:
my $user='username'; my $passwd='password';
You can update other variables in the script. See the README file in the ZIP file for more information.
Test the Integration
After you have made the changes, deploy the Perl code and the XSLT file to your Bugzilla server. Then, run the following command to start the integration:
The importresults.pl script connects to the Veracode Results API, downloads all available results, transforms them into the Bugzilla import format using the XSLT file, and then imports them with the Bugzilla importxml.pl library.