Integrating with Bugzilla

Ticketing Systems

Veracode offers an integration for the Bugzilla defect tracking system. You can use the integration to import findings that Veracode has detected in your application from the Veracode Platform to Bugzilla. You can then manage the findings as defects in Bugzilla.

You can download a sample integration script that automatically publishes data from the Veracode Results API to Bugzilla using Bugzilla's built-in XML import capability.

This integration is based on standard Bugzilla configuration settings for priority, severity, and other values. If you have customized any of these fields, you can edit the provided XSLT file veracode_bugzilla.xslt to update the logic for mapping fields between the Veracode Platform and Bugzilla. The XSLT file is included in the integration package.

Configure Bugzilla

To allow the integration script to work, a Bugzilla user with Administrator permissions must configure Bugzilla to use its XML import capability as follows:
  1. Enable bug moving: in Bugzilla, navigate to Administration > Settings and select Bug Moving on the left side, then set Move-enabled to On.
  2. Define a default product and component: in the Bug Moving screen, enter the name of a valid product and component to use if the values provided in the import feed are not valid.

Customize the Import Business Logic

The business logic to map Veracode fields to Bugzilla fields is contained in the veracode_bugzilla.xslt file. The file contains three parameters at the top that you must customize with information from your local Bugzilla implementation: urlbase, maintainer, and exporter. To perform the necessary customizations:
  1. Open veracode_bugzilla.xslt in a text editor or XML editor.
  2. Find the line that begins <xsl:param name="urlbase" and change the value in quotation marks to the urlbase of your Bugzilla instance. Ensure the value matches the urlbase that appears on the Administration > Settings page in Bugzilla.
  3. Find the line that begins <xsl:param name="maintainer" and change the value in quotation marks to the email address of the person responsible for maintaining the Bugzilla account.
  4. Find the line that begins <xsl:param name="exporter" and change the value in quotation marks to the email address of a valid Bugzilla user in your local implementation. Ensure the value matches the user that appears on the Administration > Settings page in Bugzilla.

If you have changed the default Severity and Priority field values, update these in the XSLT file as well. Veracode assigns these values based on the severity of the finding. You can search for @severity and make the changes in the XSLT wherever that field is referenced.

Finally, the XSLT file suppresses importing fixed findings, but imports new, open, and reopened findings. If you use the XSLT file on multiple builds of the same application, you can suppress open findings as well, so that findings already imported from an earlier build are not created again as duplicate bugs. To suppress open findings, edit the two <xsl:choose> sections in the file.
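The mapping and status filter described above, written out in Python as an added example so the logic can be read and tested directly. This is not the veracode_bugzilla.xslt shipped in the integration package; it reimplements the same idea (urlbase, maintainer and exporter on the <bugzilla> root, a severity-to-priority mapping, and a remediation-status filter that drops fixed findings) with the standard library. The Veracode input is a constructed sample modelled on the detailed-report XML, and the attribute names, the remediation-status strings and the severity/priority table are assumptions to check against your own feed and Bugzilla settings.

```python
"""Map Veracode findings to Bugzilla's XML import format.

Added example, not Veracode's veracode_bugzilla.xslt: the mapping and
status filter rewritten in Python. Attribute names, status strings and
the severity table are assumptions modelled on the detailed-report XML.
"""
import xml.etree.ElementTree as ET

# Constructed sample feed: three flaws, one of which is already fixed.
SAMPLE_VERACODE_XML = """<?xml version="1.0"?>
<detailedreport app_name="ExampleApp" build_id="1001">
  <flaw issueid="1" severity="5" categoryname="SQL Injection"
        remediation_status="New" sourcefile="Login.java" line="42"
        description="Untrusted input reaches a SQL statement."/>
  <flaw issueid="2" severity="3" categoryname="Cross-Site Scripting"
        remediation_status="Open" sourcefile="Search.jsp" line="17"
        description="Request parameter echoed without encoding."/>
  <flaw issueid="3" severity="4" categoryname="Path Traversal"
        remediation_status="Fixed" sourcefile="Files.java" line="88"
        description="User-controlled path used in file open."/>
</detailedreport>
"""

# Assumed mapping from Veracode severity (0-5) to stock Bugzilla
# bug_severity and priority values; adjust if your Bugzilla is customized.
SEVERITY_MAP = {
    "5": ("blocker", "P1"),
    "4": ("critical", "P2"),
    "3": ("major", "P3"),
    "2": ("normal", "P4"),
    "1": ("minor", "P5"),
    "0": ("trivial", "P5"),
}

# Remediation states that are imported; "Fixed" is deliberately absent.
# The exact status strings are an assumption; verify them in your feed.
IMPORT_STATUSES = frozenset({"New", "Open", "Reopened"})

# Variant for rescans of the same application: open findings were already
# imported from an earlier build, so only new and reopened ones are taken.
RESCAN_STATUSES = frozenset({"New", "Reopened"})


def map_severity(veracode_severity):
    """Return (bug_severity, priority) for a Veracode severity string."""
    return SEVERITY_MAP.get(veracode_severity, ("normal", "P3"))


def select_flaws(root, statuses=IMPORT_STATUSES):
    """Yield <flaw> elements whose remediation_status is in statuses."""
    for flaw in root.iter("flaw"):
        if flaw.get("remediation_status") in statuses:
            yield flaw


def to_bugzilla_xml(veracode_xml, urlbase, maintainer, exporter,
                    product, component, statuses=IMPORT_STATUSES):
    """Build a <bugzilla> import document and return it as a string."""
    root = ET.fromstring(veracode_xml)
    # The three parameters the page tells you to customize in the XSLT.
    bz = ET.Element("bugzilla", urlbase=urlbase, maintainer=maintainer,
                    exporter=exporter)
    for flaw in select_flaws(root, statuses):
        bug_severity, priority = map_severity(flaw.get("severity"))
        bug = ET.SubElement(bz, "bug")
        fields = {
            "short_desc": "Veracode %s: %s (%s:%s)" % (
                root.get("app_name"), flaw.get("categoryname"),
                flaw.get("sourcefile"), flaw.get("line")),
            "product": product,        # falls back to the Bug Moving default
            "component": component,    # if Bugzilla rejects the value
            "bug_severity": bug_severity,
            "priority": priority,
            "bug_status": "NEW",
            "reporter": exporter,
        }
        for name, text in fields.items():
            ET.SubElement(bug, name).text = text
        desc = ET.SubElement(bug, "long_desc")
        ET.SubElement(desc, "who").text = exporter
        ET.SubElement(desc, "thetext").text = "%s\nVeracode issue %s, severity %s" % (
            flaw.get("description"), flaw.get("issueid"), flaw.get("severity"))
    return ET.tostring(bz, encoding="unicode")


def bug_summaries(bugzilla_xml):
    """Return the short_desc of every <bug> in an import document."""
    return [b.findtext("short_desc") for b in ET.fromstring(bugzilla_xml).findall("bug")]


if __name__ == "__main__":
    print(to_bugzilla_xml(SAMPLE_VERACODE_XML, "https://bugzilla.example/",
                          "admin@example.com", "importer@example.com",
                          "ExampleApp", "Web"))
```

Passing RESCAN_STATUSES as the statuses argument is the Python equivalent of editing the two <xsl:choose> sections to suppress open findings on later builds of the same application.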

Add Veracode API Credentials

To use the integration in real time, you must have valid Veracode API credentials. After generating Veracode API credentials, update these lines in the script importresults.pl with the API ID and API key for the API service account:

my $user='username';   # Veracode API ID
my $passwd='password'; # Veracode API key

You can update other variables in the script. See the README file in the ZIP file for more information.

Test the Integration

After you have made the changes, deploy the Perl code and the XSLT file to your Bugzilla server. Then, run the following command to start the integration:

perl importresults.pl

The importresults.pl script connects to the Veracode Results API, downloads all available results, converts them to the Bugzilla XML import format using the XSLT file, and then imports them using the Bugzilla importxml.pl script.