Veracode HP ALM Synchronizer


Veracode offers a plugin for the HP ALM Synchronizer that imports into HP ALM all the flaws that Veracode finds in a Veracode Static Analysis scan or Veracode Dynamic Analysis scan. Micro Focus ALM is the name of the product previously known as HP ALM.

About Veracode HPE ALM Synchronizer

The Veracode HPE ALM Synchronizer plugin creates links between the HPE ALM endpoint and the Veracode endpoint and then imports the flaws into HPE ALM as defects.

Prerequisites

Before you can use the Veracode HPE ALM Synchronizer plugin, you must:
  • Use HPE ALM 12.5x and have projects available into which to synchronize the flaws that Veracode finds.
  • Run the synchronizer server on a separate instance of Windows.
  • Install the HPE ALM desktop client from the HPE ALM server URL at http://<server ip>/qcbin/.
  • Create or have a user with HPE ALM administrator permissions assigned to the project to perform the synchronization with Veracode.

Installing the Veracode HPE ALM Synchronizer

The Veracode HPE ALM Synchronizer is a plugin for the HPE ALM Synchronizer tool. To enable this Veracode plugin:
  1. Download and extract the necessary files from https://tools.veracode.com/integrations/HPE-ALM/bin/VeracodeHPE-ALMSynchronizer.zip.
  2. Execute run.bat.

The Veracode HPE ALM Synchronizer plugin is now installed. When you log into the HPE ALM Synchronizer client and create a link, Veracode is an option when setting the Endpoint 2 field.

Upgrading the Veracode HPE ALM Synchronizer

To upgrade your Veracode HPE ALM Synchronizer to the latest version:
  1. Stop the HPE ALM Synchronizer server.
  2. If you are upgrading from Veracode HPE ALM Synchronizer version 1.3 or earlier, navigate to <homedirectory>\HPE ALM Synchronizer\jave\lib\endorsed and delete the following files:
    • serializer-2.7.1.jar
    • xalan-2.7.1.jar
    • xercesImpl-2.9.0.jar
    • xml-apis-1.3.04.jar
  3. Install the latest version of the plugin.
  4. Start the HPE ALM Synchronizer server.

Connecting the Veracode HPE ALM Synchronizer

To connect the Veracode HPE ALM Synchronizer plugin to your HPE ALM Synchronizer server:
  1. Open the HPE ALM synchronizer client.
  2. In the Connect to Synchronizer Server window enter:
    • The name of your HPE ALM server
    • The port of your HPE ALM server
    • Your HTTPS preference, if applicable
    • The username and password credentials for connecting to the server.
  3. Click Connect.


Linking to the HPE ALM Synchronizer

You must create a direct link from the HPE ALM Synchronizer to Veracode to be able to synchronize with the HPE ALM server.

To create a link:
  1. Click Link > Create...
  2. In the General Properties window, enter a name and description for the link.
  3. In the Endpoint 1 type field, the type is always HPE-ALM.
  4. From the Endpoint 2 type dropdown menu, select Veracode.
  5. Click Next.

  6. In the HPE ALM Connection window:
    • Enter the URL of your HPE ALM server
    • Enter the name and password credentials for accessing the server
    • Select the domain and project to which you want this link to apply

  7. Click OK.
  8. In the Veracode Endpoint window, enter:
    • Your Veracode username and password credentials
    • The name of the Veracode application you want to synchronize with HPE ALM
    • The number that represents the development lifecycle stage this application is in:
      • 0 = Not specified
      • 1 = In Development (Pre-Alpha): All the flaws that match and affect this lifecycle stage will be imported
      • 2 = Internal or Alpha testing: All the flaws that match and affect this lifecycle stage will be imported
      • 3 = External or Beta testing: All the flaws that match and affect this lifecycle stage will be imported
      • 4 = Deployed (In production and actively developed): All the flaws that match and affect this lifecycle stage will be imported
      • 5 = Maintenance (only bug fixes): All the flaws that match and affect this lifecycle stage will be imported
      • 6 = Cannot disclose: All the flaws that match and affect this lifecycle stage will be imported
  9. Click Next.

  10. In the Entity Type window, from the dropdown menus for the two endpoints, select Defect for HPE-ALM and Flaw for Veracode.
  11. Select Finish.

    The new link appears in the summary list of links.

    The next step is to configure the link you just created. When you successfully create a link, you are prompted to configure the link. Click Yes to go to the link configuration page.

Configuring Links to HPE ALM Server

After you create a link between Veracode and the HPE ALM server, you must configure it to enable synchronizations. From the summary list of links, select a link to go to the detailed information for that link.

General

The General tab provides all the overview information of the links you have created. You can check the status of links, verify the endpoints, and get the history logs for past synchronizations and integrity checks.



Connectivity

The Connectivity tab provides details of both the HPE ALM endpoint 1 and the Veracode endpoint 2. You can see if there are issues with the connectivity before you perform an integrity check or synchronization.



Scheduling

In the Scheduling tab you can schedule the automatic synchronization of a link. Veracode recommends that you always run a full synchronization. To configure a scheduled full synchronization:
  1. In the Scheduling tab, select Enable scheduling.
  2. Select Run full synchronization task, and select how often to synchronize or at what specific time.

Filters

To accelerate the synchronization and achieve more accurate flaw import results, you can apply filters to the synchronization. In the Filters tab, in the HPE-ALM section, select No Filter, and in the Veracode section, select Use filter (for creation events): and choose which of the following types of flaws you want to import:
  • All Flaws
  • Only flaws that violate policy
  • Only unmitigated flaws


Rules

In the Rules tab, you must set rules for the creation, updating, and deletion of flaw records when Veracode imports them to HPE ALM. For each of the create, update, and delete actions, on the HPE-ALM side, you can leave the default value of Do nothing. You cannot use the default values on the Veracode side of the page but must set the following rules:
  • Create a corresponding record in the other endpoint: Creates the relevant entry record when the synchronizer identifies a new flaw discovered and reported by Veracode.

  • Update its corresponding record in the other endpoint: Updates the relevant record when the synchronizer identifies any changes from the last synchronization.

  • Delete its corresponding record in the other endpoint: Deletes the relevant records when the synchronizer does not retrieve previously created records. This deletion only occurs during Full Synchronization.

Field Mapping

The Field Mapping configuration is crucial in ensuring you correctly map HPE ALM fields to Veracode fields so that each synchronization is successful.

In the Field Mapping tab, focus on the VERACODE Flaw Schema panel. The flag icons reflect the suggested action, based on the colors, and you can filter the list of fields by these colors:
  • Red: These are required fields that you must map to HPE ALM. If you do not map these fields, your synchronization fails.
  • Yellow: Veracode recommends that you map these fields, but nothing fails if you do not.
  • Blue: These fields are completely optional.

You can map HPE ALM fields to Veracode fields by using the default field mapping XML file provided by Veracode in the VeracodeHPE-ALMSynchronizer.zip file. Click Import and navigate to the zip file and select DEFAULT_FIELD_MAPPING.xml.

Alternatively, to manually map HPE ALM fields to Veracode:
  1. Select the HPE ALM field on the left and then select the corresponding Veracode field on the right.
  2. Click Map Selected Fields. The field then appears in the Mapped Fields table.
  3. Click Refresh Schemas to see which fields are left to map.
  4. Repeat the mapping steps until you have mapped all the HPE ALM fields to a corresponding Veracode field, ensuring that fields with a red flag are definitely mapped. It is also important that the arrow in the Direction column of the Mapped Fields table is going from left to right (→).

To delete a mapping, select it in the Mapped Fields table and click the red X. To import a field mapping XML file, click the Import icon. To export the list of mapped fields, click the Export icon.

Performing a Synchronization

After you have created endpoint links and mapped the HPE ALM fields to Veracode fields, you are ready to perform a synchronization. Veracode recommends that you only perform a full synchronization.

Prerequisites

Before performing a synchronization, you should run an integrity check to validate the link configuration and verify that all the connections, rules, filters, and mappings are valid. To perform an integrity check, select the link you want to verify in the summary list of links, and select Run Task > Integrity Check.

Perform a Full Synchronization

To perform a full synchronization:
  1. In the summary list of links, select the link you want to use for the full synchronization.
  2. Select Link > Enable.
  3. Select Run Task > Full Synchronization.


To verify that the synchronization was successful, log into HPE ALM, go to your project and review the records.