Integrating with Bugzilla

Ticketing Systems

Veracode offers a plugin for the Bugzilla defect tracking system that enables you to import the application flaws Veracode discovers into Bugzilla.

You can download a sample integration script that automatically publishes data from the Veracode Results API to Bugzilla using Bugzilla's built-in XML import capability.

Note: This integration was created based on standard Bugzilla configuration settings for priority, severity, and other values. You can update the logic of how Veracode data is mapped to Bugzilla data to accommodate any customizations that you have made to these fields by editing the XSLT file included in the integration package, veracode_bugzilla.xsl.

Configuring Bugzilla

To allow the integration script to work, a Bugzilla user with Administrator permissions must configure Bugzilla to use its XML import capability as follows:
  1. Enable bug moving: In Bugzilla, navigate to Administration > Settings and select Bug Moving on the left side, then set Move-enabled to On.
  2. Define a default product and component: In the Bug Moving screen, enter the name of a valid product and component to use if the values provided in the import feed are not valid.

Customizing the Import Business Logic

The business logic to map Veracode fields to Bugzilla fields is contained in the veracode_bugzilla.xslt file. The file contains three parameters at the top that you must customize with information from your local Bugzilla implementation: urlbase, maintainer, and exporter. To perform the necessary customizations:
  1. Open veracode_bugzilla.xslt in a text editor or XML editor.
  2. Find the line that begins <xsl:param name="urlbase" and change the value in quotation marks to the urlbase of your Bugzilla instance. This value should match the urlbase that appears on the Administration > Settings page in Bugzilla.
  3. Find the line that begins <xsl:param name="maintainer" and change the value in quotation marks to the email address of the person responsible for maintaining the Bugzilla account.
  4. Find the line that begins <xsl:param name="exporter" and change the value in quotation marks to the email address of a valid Bugzilla user in your local implementation. This value should match the user that appears on the Administration > Settings page in Bugzilla.

If you have changed the default Severity and Priority field values, you should update these in the XSLT file as well. Veracode assigns these values based on the severity of the flaw. You can search for @severity and make the changes in the XSLT wherever that field is referenced.

Finally, the XSLT file suppresses importing fixed flaws but populates new, open, and reopened flaws. If you use the XSLT file on multiple builds of the same application, you should suppress open flaws as well. Suppressing open flaws can be done by editing the two <xsl:choose> sections in the file.

Configuring the Results API Credentials

To use the integration in real time, you must have valid Veracode API credentials. After you have defined this login, update the script importresults.pl with the username and password for the API user. These values are set on the following lines:


my $user='username';
my $passwd='password';
        

You can update other variables in the script. See the README file in the zip file for more information.

Testing the Integration

After you have made the changes, deploy the Perl code and the XSLT file to your Bugzilla server and start the integration with the following command:

perl importresults.pl

The importresults.pl script connects to the Veracode Results API, downloads all available results, parses them to the Bugzilla format, and then imports them using the Bugzilla importxml.pl library.