Integrating with Maven

Build Systems

You can use Veracode APIs to integrate Veracode with your Maven build server. The integration seamlessly adds static scanning into the existing build processes that you use in your Software Development Life Cycle (SDLC).

To integrate with a Maven build server, you use the API suite provided in the Veracode Java API wrapper. The Java wrapper takes input from the command line, external tools, or existing build server integration workflows and returns a response from the Veracode Platform. You install the wrapper on the build server and it initiates communication between the build server and the Veracode Platform.

Prerequisites

Before integrating Veracode with your Maven build server, you must already have completed the following:
  • Created an application profile for each of the applications in your builds.
  • Configured the API user, ensuring you provide the IP address from which you are communicating with the Veracode Platform.
  • Downloaded the Veracode Java API wrapper.
The installation of the API wrapper does not modify the pre-existing project’s pom.xml and other build files, but does assume the existing build files have target tasks called clean and build.

Configuration

To integrate Veracode with your Maven build server:
  1. Set your Maven environment variables:
    1. Set the environment variable MAVEN_HOME to your Maven installation directory.
    2. Add ${MAVEN_HOME}/bin (Unix) or %MAVEN_HOME%\bin (Windows) to your PATH.
    3. Verify these variables with echo %[environment variable name]% (Windows) or echo $[environment variable name] (Unix).
  2. Create a Java project with a Maven build script (pom.xml) that cleans, compiles, and packages the Java source code.
  3. In the pom.xml Maven build script, add a plugin section alongside your other plugins in the build section. This plugin runs the Veracode API wrapper with the arguments and values set in a properties file. In addition, you can log the results and save them to a log file. This plugin runs in the Maven package phase by default.

Scanning

To submit Maven builds for static scanning:
  1. Create a Java project with a Maven build script (pom.xml) that cleans, compiles, and packages the Java source code.
  2. Modify the pom.xml file as follows. The pom.xml file configures your project according to your build lifecycle phases and also configures the upload of the application to Veracode; you set the upload parameters by replacing the placeholders in the arg line with the actual values. All steps are logged in a file called veracode.log that is created automatically.
    • Add the following sample plugin section to your pom.xml file, specifying the path to the VeracodeJavaAPI.jar file in the jar attribute of the java tag inside the target section.
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-antrun-plugin</artifactId>
        <version>1.7</version>
        <executions>
          <execution>
            <phase>package</phase>
            <configuration>
              <target name="UploadAndScan" description="Turns on debug symbols, logging. Cleans, builds, uploads binaries. Starts scan">
                <!-- Load the argument values from veracode.properties as veracode.* properties -->
                <property file="veracode.properties" prefix="veracode"/>
                <!-- Create a timestamp value to use for the build id -->
                <tstamp>
                  <format property="current.time" pattern="yyyyMMdd-kmmssS"/>
                </tstamp>
                <!-- Log all output to a veracode_<timestamp>.log file -->
                <record name="veracode_${current.time}.log" loglevel="verbose" append="false"/>
                <!-- Call the Veracode wrapper to upload and scan -->
                <java jar="VeracodeJavaAPI.jar" fork="true">
                  <arg line=" -action ${veracode.action} -vid ${veracode.vid} -vkey ${veracode.vkey} -criticality ${veracode.criticality}
                              -createprofile ${veracode.createprofile} -version ${current.time} -appname ${veracode.appname} -filepath ${veracode.filepath}"/>
                </java>
              </target>
            </configuration>
            <goals>
              <goal>run</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      
    • Create a sample properties file to set the values for the arguments in the sample Maven script above.
      # "action" holds the Veracode API command to run. Run "java -jar VeracodeJavaAPI.jar -help" for the full list of commands.
      action=UploadAndScan
      
      # The "createprofile" variable specifies whether a new application
      # profile should be created if none exists with the name given in
      # "appname". If createprofile=true and the application profile already
      # exists, the binaries are uploaded to the existing profile.
      # Value Data Type -> Boolean (true or false)
      createprofile=true
      
      # The business criticality can be set to one of "VeryHigh" (default), "High", "Medium", "Low",
      # or "VeryLow". Enclose the value in quotes if it includes spaces.
      # Value Data Type -> String
      criticality="VeryHigh"
      
      # The name of the application profile in the Veracode Platform that the
      # binaries are uploaded to. It is case-sensitive and must match an existing
      # application profile name if createprofile=false.
      # Value Data Type -> String
      appname="??"
      
      # Path to the final packaged binary (.JAR, .WAR, .ZIP, etc.). Optionally, a
      # top-level folder can be specified and the script uploads all binaries in
      # that folder if not packaged. Escape backslashes using \\ and enclose the value
      # in quotes if it includes spaces.
      # Multiple files can be assigned to filepath, separated by spaces.
      # Value Data Type -> String(s)
      filepath="C:\\...\\...\\" "C:\\..\\"
      
      # The ID of the first and the second API (-api1 and -api2)
      # base64username is the Veracode Platform username encoded in Base64
      # base64password is the Veracode Platform password encoded in Base64
      # Value Data Type -> String
      base64username="??"
      base64password="??"
      
      # API credentials: vid is the API ID and vkey is the API key (passed as -vid and -vkey)
      vid="??"
      vkey="??"
      
      # Optional proxy host, port, and proxy credentials for the upload script to use.
      phost="??"
      pport="??"
      puser="??"
      ppass="??"
      
All steps are logged in a file called veracode.log that is created automatically and is located in the path where the project is saved.
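The plugin and properties file above put the API key in a file that lives next to the pom.xml and is easily committed with it. The following variant of the same plugin section is an added example, not code from Veracode's documentation or from the API wrapper's own samples: it keeps the non-secret settings in veracode.properties but reads the API ID and key from the environment variables VERACODE_API_ID and VERACODE_API_KEY (assumed names; set them from your CI system's secret store), fails the target before anything is uploaded if either variable is missing, and sets failonerror so that a rejected upload or a scan that fails to start fails the build instead of passing silently. The record task is kept at loglevel info: at the debug level Ant writes every property value it sets and the forked command line into the log, which would copy the key into veracode_<timestamp>.log. Remove the vid and vkey lines from veracode.properties when using this form.

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-antrun-plugin</artifactId>
  <version>1.7</version>
  <executions>
    <execution>
      <id>veracode-upload-and-scan</id>
      <phase>package</phase>
      <goals>
        <goal>run</goal>
      </goals>
      <configuration>
        <target>
          <!-- Non-secret settings (action, appname, criticality, filepath, ...) still
               come from the committed veracode.properties file -->
          <property file="veracode.properties" prefix="veracode"/>
          <!-- Expose environment variables as env.* Ant properties. The CI job sets
               VERACODE_API_ID and VERACODE_API_KEY (assumed names) from its secret store -->
          <property environment="env"/>
          <!-- Fail early, before any upload, if a credential is not present -->
          <fail unless="env.VERACODE_API_ID" message="VERACODE_API_ID is not set"/>
          <fail unless="env.VERACODE_API_KEY" message="VERACODE_API_KEY is not set"/>
          <!-- Timestamp used as the build id -->
          <tstamp>
            <format property="current.time" pattern="yyyyMMdd-kmmssS"/>
          </tstamp>
          <!-- info level: enough to see upload and scan progress without Ant's
               debug output, which would echo property values and the command line -->
          <record name="veracode_${current.time}.log" loglevel="info" append="false"/>
          <!-- failonerror="true": a non-zero exit from the wrapper fails the build -->
          <java jar="VeracodeJavaAPI.jar" fork="true" failonerror="true">
            <arg line="-action ${veracode.action} -vid ${env.VERACODE_API_ID} -vkey ${env.VERACODE_API_KEY}
                       -criticality ${veracode.criticality} -createprofile ${veracode.createprofile}
                       -version ${current.time} -appname ${veracode.appname} -filepath ${veracode.filepath}"/>
          </java>
        </target>
      </configuration>
    </execution>
  </executions>
</plugin>
```

With the credentials supplied by the build agent, veracode.properties contains only build metadata and can be committed and reviewed like the rest of the project. The log file should still be treated as build output that may carry sensitive details (application names, paths, scan status), so keep it out of the repository and out of publicly readable build artifacts.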