Veracode offers a plugin for the Bugzilla defect tracking system that enables you to import the application flaws Veracode discovers into Bugzilla.
- Enable bug moving: In Bugzilla, navigate to Bug Moving on the left side, then set Move-enabled to On. and select
- Define a default product and component: In the Bug Moving screen, enter the name of a valid product and component to use if the values provided in the import feed are not valid.
Customizing the Import Business Logic
- Open veracode_bugzilla.xslt in a text editor or XML editor.
- Find the line that begins <xsl:param name="urlbase" and change the value in quotation marks to the urlbase of your Bugzilla instance. This value should match the urlbase that appears on the page in Bugzilla.
- Find the line that begins <xsl:param name="maintainer" and change the value in quotation marks to the email address of the person responsible for maintaining the Bugzilla account.
- Find the line that begins <xsl:param name="exporter" and change the value in quotation marks to the email address of a valid Bugzilla user in your local implementation. This value should match the user that appears on the page in Bugzilla.
If you have changed the default Severity and Priority field values, you should update these in the XSLT file as well. Veracode assigns these values based on the severity of the flaw. You can search for @severity and make the changes in the XSLT wherever that field is referenced.
Finally, the XSLT file suppresses the import of fixed flaws but imports new, open, and reopened flaws. If you use the XSLT file on multiple builds of the same application, you should suppress open flaws as well. To suppress open flaws, edit the two <xsl:choose> sections in the file.
Configuring the Results API Credentials
To use the integration in real time, you must have valid Veracode API credentials. After you have defined this login, update the script importresults.pl with the username and password for the API user. These values are set on the following lines:
    my $user='username';
    my $passwd='password';
You can update other variables in the script. See the README file in the zip file for more information.
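Before deploying, the edits described in the two sections above can be checked mechanically. The following is an added example, not part of the Veracode plugin: it confirms that the three XSLT parameters and the two credential variables no longer hold empty or placeholder values, and that the script holding the API password is not accessible to group or other users. Assumptions: the function names `read_params`, `preflight` and `demo` are hypothetical, each `xsl:param` is assumed to carry its value as a quoted literal in a `select` attribute or as element text, and the sample file contents are constructed.

```python
import re, stat, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

XSL = "{http://www.w3.org/1999/XSL/Transform}"

def read_params(xslt_path):
    # Assumption: each value is a quoted literal in select="'...'" or element text.
    params = {}
    for p in ET.parse(xslt_path).getroot().findall(XSL + "param"):
        raw = p.get("select") or p.text or ""
        params[p.get("name")] = raw.strip().strip("'\"")
    return params

def preflight(xslt_path, script_path):
    """Return the problems to fix before deploying to the Bugzilla server."""
    problems, params = [], read_params(xslt_path)
    if not re.match(r"https?://\S+$", params.get("urlbase", "")):
        problems.append("urlbase is not set to a URL")
    for name in ("maintainer", "exporter"):
        if "@" not in params.get(name, ""):
            problems.append(f"{name} is not set to an email address")
    source = Path(script_path).read_text(encoding="utf-8")
    # 'username' and 'password' are the placeholders shown in the script lines.
    for var, placeholder in (("user", "username"), ("passwd", "password")):
        m = re.search(rf"my\s+\${var}\s*=\s*'([^']*)'", source)
        if m is None or m.group(1) in ("", placeholder):
            problems.append(f"${var} is unset or still a placeholder")
    # The script embeds API credentials: group and other should have no access.
    if stat.S_IMODE(Path(script_path).stat().st_mode) & 0o077:
        problems.append("script is accessible to group or other users")
    return problems

def demo(mode=0o644):
    """Run preflight on constructed sample files (not Veracode's own)."""
    values = (("urlbase", "https://bugzilla.example.test/"),
              ("maintainer", "admin@example.test"), ("exporter", ""))
    xslt = ('<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
            + "".join(f'<xsl:param name="{n}" select="\'{v}\'"/>' for n, v in values)
            + "</xsl:stylesheet>")
    perl = "my $user='username';\nmy $passwd='constructed-secret';\n"
    with tempfile.TemporaryDirectory() as d:
        x, s = Path(d, "sample.xslt"), Path(d, "sample.pl")
        x.write_text(xslt, encoding="utf-8")
        s.write_text(perl, encoding="utf-8")
        s.chmod(mode)
        return preflight(x, s)

if __name__ == "__main__":
    print("\n".join("FIX: " + p for p in demo()))
```

On a real server, call `preflight` with the paths to your edited veracode_bugzilla.xslt and importresults.pl; an empty list means every check passed.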
Testing the Integration
After you have made the changes, deploy the Perl code and the XSLT file to your Bugzilla server and start the integration with the following command:
The importresults.pl script connects to the Veracode Results API, downloads all available results, parses them to the Bugzilla format, and then imports them using the Bugzilla importxml.pl library.