Sample Summary Output from Pipeline Scans

Veracode provides the following sample output from CI builds that run Pipeline Scan. Each example shows the command as it is invoked in the job, followed by the summary that the scan prints to the console, so you can see how the default output changes when you add issue details, severity or CWE filters, a baseline file, or GitLab integration options.

Default Settings

This example shows the output using the default settings.

    java \
    -jar pipeline-scan-java.jar \
    --file "myapp.jar" \
    --veracode_api_id "${VERACODE_API_ID}" \
    --veracode_api_key "${VERACODE_API_KEY}"

====================
Analysis Successful!
====================

===================
Analyzed 2 modules.
===================
Module1.war
Module2.war

======================
Analyzed 11 issues!
======================
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): flawedpackage/Flawed.java:50
--------------------------------
Found 1 issues of High severity.
--------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): flawedpackage/Flawed.java:43
----------------------------------
Found 7 issues of Medium severity.
----------------------------------
CWE-326: Inadequate Encryption Strength: flawedpackage/GreenLightKeySizeHMAC.java:38
CWE-259: Use of Hard-coded Password: flawedpackage/Flawed.java:23
CWE-259: Use of Hard-coded Password: flawedpackage/Flawed.java:54
CWE-331: Insufficient Entropy: flawedpackage/Flawed.java:59
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: flawedpackage/Flawed.java:60
CWE-327: Use of a Broken or Risky Cryptographic Algorithm: flawedpackage/Flawed.java:61
CWE-326: Inadequate Encryption Strength: flawedpackage/Flawed.java:68
-------------------------------
Found 2 issues of Low severity.
-------------------------------
CWE-597: Use of Wrong Operator in String Comparison: flawedpackage/OneFlaw.java:5
CWE-404: Improper Resource Shutdown or Release: flawedpackage/Flawed.java:37

=========================
FAILURE: Found 11 issues!
=========================


   

Issue Details Expanded

This example shows the expanded information that the results include when you specify --issue_details true: a description of each finding, remediation guidance, and a reference link to the CWE entry.

    java \
    -jar pipeline-scan-java.jar \
    --file "myapp.jar" \
    --veracode_api_id "${VERACODE_API_ID}" \
    --veracode_api_key "${VERACODE_API_KEY}" \
    --project_name "${CI_PROJECT_PATH}" \
    --project_url "${CI_PROJECT_URL}" \
    --issue_details true

    ====================
    Analysis Successful!
    ====================
    
    ===================
    Analyzed 2 modules.
    ===================
    Module1.war
    Module2.war
    
    =====================
    Found 1 total issues!
    =====================
    ----------------------------------------------
    Found 1 issues of Low severity.
    ----------------------------------------------
    CWE-597: Use of Wrong Operator in String Comparison: flawedpackage/OneFlaw.java:5
    Details: Using '==' to compare two strings for equality actually compares the object references rather than their values.  
    It is unlikely that this reflects the intended application logic.
    Use the equals() method to compare strings, not the '==' operator.
    References: CWE: http://cwe.mitre.org/data/definitions/597.html
    ===========================================
    FAILURE: Found 1 issues!
    ===========================================
   

Severity Filters Selected

This example shows the results if you specify --fail_on_severity "Very High, High". Findings below the selected severities are skipped, so the scan succeeds even though one Low issue was found.

Note: GitLab sometimes removes the quotes when it expands a variable, which exposes any spaces in the value to the shell. The shell then splits the value at the spaces, and the scanner does not receive the whole parameter. Because Pipeline Scan accepts filter values with or without spaces, remove all spaces from the value if you pass the filter arguments in a variable (for example, write "Very High,High" as VeryHigh,High). Otherwise the command may fail.
    java \
    -jar pipeline-scan-java.jar \
    --file "myapp.jar" \
    --veracode_api_id "${VERACODE_API_ID}" \
    --veracode_api_key "${VERACODE_API_KEY}" \
    --binary_file "build/libs/pipeline-scan-java-thin.jar" \
    --project_name "${CI_PROJECT_PATH}" \
    --project_url "${CI_PROJECT_URL}" \
    --project_ref "${CI_COMMIT_REF_NAME}_self-test" \
    --fail_on_severity "Very High, High"
    
    ====================
    Analysis Successful!
    ====================
    
    ===================
    Analyzed 2 modules.
    ===================
    Module1.war
    Module2.war
    
    =====================
    Found 1 total issues!
    =====================
    ----------------------------------
    Skipping 1 issues of Low Severity.
    ----------------------------------
    ===================================
    SUCCESS: All issues passed filters!
    ===================================
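The quoting problem described in the note above, reproduced as an added example (this is not Veracode's code and not taken from this page). fake_scan_severity_arg is a hypothetical stand-in for pipeline-scan-java.jar that only reports the single argument it received after --fail_on_severity; run_unquoted passes the filter the way a job sees it once GitLab has stripped the quotes, and run_quoted passes it quoted. The spaceless spelling VeryHigh,High is the form the note's advice produces.

```shell
#!/bin/sh
# Added example; not Veracode's code. It reproduces the failure mode in the
# note above: a filter value with spaces, passed through a CI variable whose
# quotes GitLab has removed, is word-split by the shell, so the scanner only
# receives the first word. All names below are chosen for this example.

# Hypothetical stand-in for pipeline-scan-java.jar: prints the single argument
# that followed --fail_on_severity, exactly as the process received it in argv.
fake_scan_severity_arg() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --fail_on_severity) shift; printf '%s\n' "$1"; return 0 ;;
            *) shift ;;
        esac
    done
    return 1   # flag not present
}

# What the job runs once the quotes around the variable are gone: the
# expansion is unquoted, so the shell splits it at every space.
run_unquoted() {
    # shellcheck disable=SC2086  (unquoted on purpose, to reproduce the problem)
    fake_scan_severity_arg --file myapp.jar --fail_on_severity $1
}

# Fix 1: quote the expansion in the job script, so spaces survive.
run_quoted() {
    fake_scan_severity_arg --file myapp.jar --fail_on_severity "$1"
}

run_unquoted "Very High, High"   # -> Very            ("High," and "High" become stray arguments)
run_unquoted "VeryHigh,High"     # -> VeryHigh,High   (fix 2: no spaces, as the note advises)
run_quoted   "Very High, High"   # -> Very High, High
```

The stray arguments left over after splitting are what makes the real command fail: the scanner sees "Very" as the severity list and "High," and "High" as unrecognized parameters.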
   

CWE Filters Selected

This example shows the results if you specify --fail_on_cwe. Here the filter is set to CWEs 89 and 331 with --fail_on_cwe="89, 331". The summary then groups the findings by CWE instead of by severity, and only findings on the list count toward the failure: five issues were analyzed, and the two that match the filter fail the build.

    java \
    -jar pipeline-scan-java.jar \
    --file "myapp.jar" \
    --veracode_api_id "${VERACODE_API_ID}" \
    --veracode_api_key "${VERACODE_API_KEY}" \
    --project_name "${CI_PROJECT_PATH}" \
    --project_url "${CI_PROJECT_URL}" \
    --project_ref "${CI_COMMIT_REF_NAME}_self-test" \
    --fail_on_cwe="89, 331"
    
    ====================
    Analysis Successful!
    ====================
    
    ===================
    Analyzed 2 modules.
    ===================
    Module1.war
    Module2.war
    
    ==================
    Analyzed 5 issues.
    ==================
    --------------------------
    Found 1 issues of CWE 331.
    --------------------------
    CWE-331: Insufficient Entropy: flawedPackage/Flawed.java:49
    -------------------------
    Found 1 issues of CWE 89.
    -------------------------
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): flawedPackage/Flawed.java:33
    
    ========================
    FAILURE: Found 2 issues!
    ======================== 
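The default-settings summary and the CWE-filtered summary above share one line format for findings ("CWE-NNN: <name>: <file>:<line>" under a "Found N issues of ..." header). The following is an added example, not Veracode's code and not from this page, that parses that format so a CI job can apply its own gate on the console output, for instance on a CWE list, mirroring what --fail_on_cwe does. The function names and the sample summary (a constructed subset of the default-settings output above) are assumptions of this example.

```shell
#!/bin/sh
# Added example; not Veracode's code and not taken from this page's samples.
# It parses the plain-text summary Pipeline Scan prints (the format shown in
# the examples above) so a CI job can apply its own gate, for instance on a
# CWE list, the way --fail_on_cwe does. Function names are chosen here.

# Constructed sample: a subset of the default-settings summary above.
sample_summary() {
    cat <<'EOF'
====================
Analysis Successful!
====================
-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): flawedpackage/Flawed.java:50
--------------------------------
Found 1 issues of High severity.
--------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): flawedpackage/Flawed.java:43
----------------------------------
Found 2 issues of Medium severity.
----------------------------------
CWE-259: Use of Hard-coded Password: flawedpackage/Flawed.java:23
CWE-331: Insufficient Entropy: flawedpackage/Flawed.java:59
-------------------------------
Found 1 issues of Low severity.
-------------------------------
CWE-597: Use of Wrong Operator in String Comparison: flawedpackage/OneFlaw.java:5
=========================
FAILURE: Found 5 issues!
=========================
EOF
}

# Summary on stdin -> one tab-separated record per finding:
# severity, CWE id, source file, line.
parse_issues() {
    awk '
        BEGIN { sev = "unknown" }   # CWE-filtered summaries carry no severity header
        # "Found N issues of <Severity> severity." names the severity of the
        # CWE lines that follow it (the severity may be two words).
        /^ *Found [0-9]+ issues of .* severity\.$/ {
            sub(/^ *Found [0-9]+ issues of /, ""); sub(/ severity\.$/, "")
            sev = $0; next
        }
        # "CWE-NNN: <name>: <file>:<line>". The name may contain colons, so the
        # file and line are taken from the last two colon-separated fields; a
        # line whose last field is not a number (e.g. a wrapped finding) is skipped.
        /^ *CWE-[0-9]+: / {
            n = split($0, f, ":")
            line = f[n]; sub(/ *$/, "", line)
            if (line !~ /^[0-9]+$/) next
            cwe = f[1]; sub(/^ *CWE-/, "", cwe)
            file = f[n-1]; sub(/^ +/, "", file)
            printf "%s\t%s\t%s\t%s\n", sev, cwe, file, line
        }'
}

# Number of findings at the given severity ("Very High", "High", ...).
count_severity() {
    parse_issues | awk -F'\t' -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Local equivalent of --fail_on_cwe: $1 is a comma-separated CWE list, spaces
# tolerated. Prints each matching finding and returns 1 if there was any match,
# 0 otherwise, so it can be the last command of a CI stage.
fail_on_cwe() {
    wanted=$(printf '%s' "$1" | tr -d ' ')
    parse_issues | awk -F'\t' -v list="$wanted" '
        BEGIN { n = split(list, ids, ","); for (i = 1; i <= n; i++) want[ids[i]] = 1 }
        ($2 in want) { hits++; printf "CWE-%s at %s:%s\n", $2, $3, $4 }
        END { exit (hits > 0 ? 1 : 0) }'
}

# Usage: the same gate the CWE-filter example above applies.
sample_summary | fail_on_cwe "89, 331" || echo "FAILURE: CWE filter matched"
```

Taking the file and line from the end of the record rather than from a fixed position is deliberate: the issue name is free text and can itself contain a colon, as the mock entry in the baseline example further down shows.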
   

Baseline Filters Selected

This example shows the results if you specify --baseline [baseline_file_path]. Findings that are already present in the baseline file are not reported again: the summary lists only the new findings and shows both the total and the new count, so the build fails only on flaws introduced since the baseline.

    java \
    -jar pipeline-scan-java.jar \
    --file "myapp.jar" \
    --veracode_api_id "${VERACODE_API_ID}" \
    --veracode_api_key "${VERACODE_API_KEY}" \
    --project_name "${CI_PROJECT_PATH}" \
    --project_url "${CI_PROJECT_URL}" \
    --project_ref "${CI_COMMIT_REF_NAME}_self-test" \
    --baseline [baseline_file_path]
    
    ====================
    Analysis Successful!
    ====================
    
    ===================
    Analyzed 2 modules.
    ===================
    Module1.war
    Module2.war
    
    ==================
    Analyzed 3 issues.
    ==================
    ----------------------------------
    Found 2 issues of Medium severity.
    ----------------------------------
    CWE-470: Use of Externally-Controlled Input to Select Classes or Code 
    ('Unsafe Reflection'): org/apache/sqoop/test/hive/MetastoreServerRunnerFactory.java:50
    CWE-470: Mock Issue 2 ('Mock Issue: Suser'): org/apache/sqoop/test/hive/MetastoreServerRunnerFactory.java:50
    ****************************************************************
    Total flaws found: 3, New flaws found: 2 as compared to baseline
    ****************************************************************
    
    ========================
    FAILURE: Found 2 issues!   
   

Duplicate Issues Not Uploaded to GitLab

When you create GitLab issues from the scan results, if the Pipeline Scan finds issues that are duplicates of issues previously uploaded to GitLab, Veracode ignores those issues, and sends only the new issues to GitLab.

In this example, the -gig and -gvg options (GitLab issue generation and GitLab vulnerability report generation) are enabled. The Pipeline Scan found seven issues, four of which are duplicates of issues already in GitLab, so Veracode sends only the three new issues to GitLab.

    java \
    -jar pipeline-scan-java.jar \
    --file "myapp.jar" \
    --veracode_api_id "${VERACODE_API_ID}" \
    --veracode_api_key "${VERACODE_API_KEY}" \
    --project_name "${CI_PROJECT_PATH}" \
    --project_url "${CI_PROJECT_URL}" \
    --project_ref "${CI_COMMIT_REF_NAME}_self-test" \
    --baseline [baseline_file_path] \
    -gig true \
    -gvg true

Scan Summary:
PIPELINE_SCAN_VERSION: null
DEV-STAGE: DEVELOPMENT
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 15021 bytes
====================
Analysis Successful.
====================
===================
Analyzed 1 modules.
===================
myapp.jar
==================
Analyzed 7 issues.
==================
----------------------------------
Found 7 issues of Medium severity.
----------------------------------
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'): org/apache/sqoop/test/hive/MetastoreServerRunnerFactory.java:50
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'): org/apache/sqoop/test/hive/HiveServerRunnerFactory.java:50
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'): org/apache/sqoop/test/hadoop/HadoopRunnerFactory.java:35
CWE-117: Improper Output Neutralization for Logs: org/apache/sqoop/test/hadoop/HadoopRealClusterRunner.java:50
CWE-73: External Control of File Name or Path: org/apache/sqoop/test/hadoop/HadoopRealClusterRunner.java:52
CWE-117: Improper Output Neutralization for Logs: org/apache/sqoop/test/hadoop/HadoopMiniClusterRunner.java:64
CWE-117: Improper Output Neutralization for Logs: org/apache/sqoop/test/hadoop/HadoopMiniClusterRunner.java:67
========================
FAILURE: Found 7 issues!
========================
[14 oct 2020 17:06:23,0792] PIPELINE-SCAN INFO: Uploading 7 issues to GitLab 
[14 oct 2020 17:06:25,0553] PIPELINE-SCAN INFO: Found 4 duplicates.