Veracode offers a plugin for the HP ALM Synchronizer that imports into HP ALM all the flaws that Veracode finds in a Veracode Static Analysis scan or Veracode Dynamic Analysis scan. Micro Focus ALM is the name of the product previously known as HP ALM.
About Veracode HPE ALM Synchronizer
The Veracode HPE ALM Synchronizer plugin creates links between the HPE ALM endpoint and the Veracode endpoint, and then imports the flaws into HPE ALM as defects.
- Use HPE ALM 12.5x and have projects available into which to synchronize the flaws that Veracode finds.
- Run the synchronizer server on a separate instance of Windows.
- Install the HPE ALM desktop client from the HPE ALM server URL at http://<server ip>/qcbin/.
- Create or have a user with HPE ALM administrator permissions assigned to the project to perform the synchronization with Veracode.
Installing the Veracode HPE ALM Synchronizer
- Download and extract the necessary files from https://tools.veracode.com/integrations/HPE-ALM/bin/VeracodeHPE-ALMSynchronizer.zip.
- Execute run.bat.
The Veracode HPE ALM Synchronizer plugin is now installed. When you log in to the HPE ALM Synchronizer client and create a link, Veracode is now an option when setting the Endpoint 2 field.
Upgrading the Veracode HPE ALM Synchronizer
- Stop the HPE ALM Synchronizer server.
- If you are upgrading from Veracode HPE ALM Synchronizer version 1.3 or earlier, navigate to
<homedirectory>\HPE ALM Synchronizer\jave\lib\endorsed and delete the
- Install the latest version of the plugin.
- Start the HPE ALM Synchronizer server.
Connecting the Veracode HPE ALM Synchronizer
- Open the HPE ALM synchronizer client.
- In the Connect to Synchronizer Server window enter:
- The name of your HPE ALM server
- The port of your HPE ALM server
- Your HTTPS preference, if applicable
- The username and password credentials for connecting to the server.
- Click Connect.
Linking to the HPE ALM Synchronizer
You must create a direct link from the HPE ALM Synchronizer to Veracode to be able to synchronize with the HPE ALM server.
- In the General Properties window, enter a name and description for the link.
- In the Endpoint 1 type field, the type is always HPE-ALM.
- From the Endpoint 2 type dropdown menu, select Veracode.
- Click Next.
- In the HPE ALM Connection window:
- Enter the URL of your HPE ALM server
- Enter the name and password credentials for accessing the server
- Select the domain and project to which you want this link to apply
- Click OK.
- In the Veracode Endpoint window, enter:
- Your Veracode username and password credentials
- The name of the Veracode application you want to synchronize with HPE ALM
- The number that represents the development lifecycle stage this application is in:
- 0 = Not specified
- 1 = In Development (Pre-Alpha): All the flaws that match and affect this lifecycle stage will be imported
- 2 = Internal or Alpha testing: All the flaws that match and affect this lifecycle stage will be imported
- 3 = External or Beta testing: All the flaws that match and affect this lifecycle stage will be imported
- 4 = Deployed (In production and actively developed): All the flaws that match and affect this lifecycle stage will be imported
- 5 = Maintenance (only bug fixes): All the flaws that match and affect this lifecycle stage will be imported
- 6 = Cannot disclose: All the flaws that match and affect this lifecycle stage will be imported
- Click Next.
- In the Entity Type window, from the dropdown menus for the two endpoints, select Defect for HPE-ALM and Flaw for Veracode.
- Select Finish.
The new link appears in the summary list of links.
The next step is to configure the link you just created. When you successfully create a link, you are prompted to configure the link. Click Yes to go to the link configuration page.
Configuring Links to HPE ALM Server
After you create a link between Veracode and the HPE ALM server, you must configure it to enable synchronizations. From the summary list of links, select a link to go to the detailed information for that link.
The General tab provides all the overview information of the links you have created. You can check the status of links, verify the endpoints, and get the history logs for past synchronizations and integrity checks.
The Connectivity tab provides details of both the HPE ALM endpoint 1 and the Veracode endpoint 2. You can see if there are issues with the connectivity before you perform an integrity check or synchronization.
- In the Scheduling tab, select Enable scheduling.
- Select Run full synchronization task, and select how often to synchronize or at what specific time.
- All Flaws
- Only flaws that violate policy
- Only unmitigated flaws
Create a corresponding record in the other endpoint: Creates the relevant entry record when the synchronizer identifies a new flaw discovered and reported by Veracode.
Update its corresponding record in the other endpoint: Updates the relevant record when the synchronizer identifies any changes from the last synchronization.
Delete its corresponding record in the other endpoint: Deletes the relevant records when the synchronizer does not retrieve previously created records. This deletion only occurs during Full Synchronization.
The Field Mapping configuration is crucial to ensuring that you correctly map HPE ALM fields to Veracode fields so that each synchronization is successful.
- Red: These are required fields that you must map to HPE ALM. If you do not map these fields, your synchronization fails.
- Yellow: Veracode recommends that you map these fields, but nothing fails if you do not.
- Blue: These fields are completely optional.
You can map HPE ALM fields to Veracode fields by using the default field mapping XML file provided by Veracode in the VeracodeHPE-ALMSynchronizer.zip file. Click Import and navigate to the zip file and select DEFAULT_FIELD_MAPPING.xml.
- Select the HPE ALM field on the left and then select the corresponding Veracode field on the right.
- Click Map Selected Fields. The field then appears in the Mapped Fields.
- Click Refresh Schemas to see which fields are left to map.
- Repeat the mapping steps until you have mapped all the HPE ALM fields to a corresponding Veracode field, ensuring that fields with a red flag are definitely mapped. It is also important that the arrow in the Direction column of the Mapped Fields table is going from left to right (→).
To delete a mapping, select it in the Mapped Fields table and click the red X. To import a field mapping XML file, click the Import icon. To export the list of mapped fields, click the Export icon.
Performing a Synchronization
After you have created endpoint links and mapped the HPE ALM fields to Veracode fields, you are ready to perform a synchronization. Veracode recommends that you only perform a full synchronization.
Before performing a synchronization, you should run an integrity check to validate the link configuration and verify that all the connections, rules, filters, and mappings are valid. To perform an integrity check, select the link you want to verify in the summary list of links, and select.
Perform a Full Synchronization
- In the summary list of links, select the link you want to use for the full synchronization.
- Select .
To verify that the synchronization was successful, log in to HPE ALM, go to your project, and review the records.