You configure the Veracode Flaw Importer task to import flaws as part of a build pipeline in Azure DevOps or Team Foundation Server (TFS).
Before you begin
- Ensure the following projects are in the same Azure DevOps organization or TFS team project collection:
  - The project to which the running release or build job belongs, where the Flaw Importer task is running.
  - The project to which you want to import the flaws.
- You have installed the Veracode Azure DevOps Extension. See Download and Install the Veracode Azure DevOps Extension.
About this task
To configure a Veracode Flaw Importer task in an Azure DevOps or TFS build pipeline:
- In your Azure DevOps or TFS project, select the Build tab and navigate to your build definition.
- Click Add build step... The Veracode Flaw Importer window opens.
Enter the following information:
- Connection details: choose to connect to Veracode using an endpoint or your Veracode credentials.
If you are connecting using an endpoint, you can use an existing endpoint name or create a new endpoint. Veracode recommends you use an endpoint with your Veracode API ID and secret key. However, for backward compatibility, continue to use credentials to maintain previous configurations that use the username and password combination.
- Flaw Source: enter the application name and sandbox name, if applicable, for which you want to import flaws from the Veracode Platform.
Work Item Settings:
- Import: select the type of flaws you want to import:
  - All flaws from all scans, including closed flaws
  - All unmitigated flaws from all scans, including closed flaws
  - All flaws that affect policy, including all open flaws from all scans that affect policy
  - All unmitigated flaws that affect policy, including open flaws from all scans that affect policy
- Work Item Type: select a work item type for imported flaws. This setting applies to all flaws imported from the Veracode Platform.
  Note: The Scrum process template does not support the Issue work item type.
- Area: enter the path to the area where you want to group the work items. You can enter up to five levels in the path. To enter the area paths, use the format <project name>\<area 1>\<area 2>. The value in <project name> is the name of the project in the Build Pipeline or Release Pipeline task for which you want to import flaws.
- Add CWE as a Tag checkbox: add a tag with the CWE number to all the work items generated from the current build.
- Add Custom Tag: enter a custom tag name to add user-defined tags to all work items generated from current build.
- Add Found in Build checkbox: add a tag to the work item showing the build number of the build that contains the flaw.
- Flaw Import Limit: enter the maximum number of flaws to import at one time. The default is 1000.
Advanced Scan Settings:
- Proxy Settings: if you use a proxy to access the Veracode Platform, enter the proxy settings. For example:
    -phost abc.com -pport 5252 -puser proxyuser -ppassword proxypassword
  Note: Do not enclose the values for proxy parameters in single or double quotations.
- Team Foundation Server Password: do not change this value from the default of $(password).
- If you are using TFS, click the Variables tab. If using Azure DevOps, go directly to step 8.
- If you are using TFS 2017 or higher, set the enabletfs variable to true.
If you are using TFS 2015, configure the following variables:
- enablestfs: enter true.
- isTfs2015: enter true.
- username: enter your Windows username.
- password: enter your Windows password.
- domain: enter the Windows domain.
If you are using customized process templates, configure the following predefined variables on the Variables tab in your build or release configuration:
- enableCustomProcessTemplate: enter true to enable.
- customWorkItemType: enter the work item type:
- Test Case
- customPTActiveStatus: enter the state for in progress or active work.
- customPTNewStatus: enter the state for new or proposed work.
- customPTResolvedStatus: enter the state for resolved work.
- customPTDesignStatus: enter the state for work in design or test.
- customPTCloseStatus: enter the state for completed work.
You configure these variables for the work item type (WIT) for which you are creating work items in your build or release configuration. The variables ensure that flaws import correctly if the status of a work item changes. See the Azure DevOps documentation for information on the work item states.
For example, you might have a Bug work item with the following state changes.
In your build or release configuration, you configure these variables in the customized process template for the Bug work item.
- Click Save & queue to save your configurations and add the build to your queue.
What to do next
You can use a variable to prevent a password from appearing in a console log. See Hide a Proxy Password.
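
The following check is an added example, not part of the Veracode extension or its documentation. It lints a Proxy Settings value before it is saved in the task, flagging quoted values (which the note above rules out) and a literal -ppassword that would otherwise end up in the configuration and the console log. The variable name $(proxyPassword) and the sample strings are assumptions constructed for illustration.

```python
import re

# Flags that appear in the Proxy Settings example on this page.
PROXY_FLAGS = ("-phost", "-pport", "-puser", "-ppassword")
# Azure DevOps macro syntax for a pipeline variable, e.g. $(proxyPassword).
VARIABLE_REF = re.compile(r"^\$\([A-Za-z_][\w.]*\)$")

# Constructed sample inputs. The first is the example string from this page.
PAGE_EXAMPLE = "-phost abc.com -pport 5252 -puser proxyuser -ppassword proxypassword"
HARDENED = "-phost abc.com -pport 5252 -puser proxyuser -ppassword $(proxyPassword)"
QUOTED = '-phost "abc.com" -pport 5252 -puser proxyuser -ppassword $(proxyPassword)'


def lint_proxy_settings(value):
    """Return a list of findings for a Proxy Settings field value."""
    findings, seen = [], {}
    tokens = value.split()
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag not in PROXY_FLAGS:
            findings.append(f"unexpected token {flag!r}")
            i += 1
        elif i + 1 >= len(tokens) or tokens[i + 1] in PROXY_FLAGS:
            findings.append(f"{flag} has no value")
            i += 1
        else:
            if flag in seen:
                findings.append(f"{flag} is given more than once")
            seen[flag] = tokens[i + 1]
            i += 2

    for flag, val in seen.items():
        if "'" in val or '"' in val:
            findings.append(f"{flag} value is quoted; enter bare values")

    port = seen.get("-pport")
    if port is not None and not (
        re.fullmatch(r"[0-9]{1,5}", port) and 0 < int(port) < 65536
    ):
        findings.append("-pport is not a valid TCP port")

    password = seen.get("-ppassword")
    if password is not None and not VARIABLE_REF.match(password):
        findings.append("-ppassword is a literal; reference a variable instead")
    return findings
```

An empty list means the value passed every check; the page's own example string returns the single literal-password finding.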