Skip to main content Skip to search

Powered by Zoomin Software. For more details please contactZoomin

Veracode Vulnerability Integration

Watch

Save as PDF

Share this page

Feedback

Print

Table of contents

Security Operations

HomeYokohama Security ManagementSecurity OperationsAttack surface management applicationsApplication Vulnerability ResponseIntegrating Application Vulnerability Response with other applicationsVeracode Vulnerability Integration

Table of Contents

Veracode Vulnerability Integration

Release version:
Yokohama
Xanadu
Washington DC
Vancouver
UpdatedJan 30, 2025
5 minutes to read

Yokohama
Application Vulnerability Response

The Vulnerability Response Integration with Veracode application uses data imported from the Veracode product to help you determine the impact and priority of flaws in your code.

Veracode Vulnerability Integration

The Veracode product collects Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and manual scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities enriching the data in your instance.

Starting with v19.0 of Vulnerability Response, you can import Software Composition Analysis (SCA) vulnerabilities and Software Bill of Materials (SBOM) vulnerability data to help you identify weaknesses in your software applications. For more information, see Exploring Software Bill of Materials.

A shared API ingests DAST, SAST, SCA data and manual penetration testing results.

There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.

Every day, scheduled jobs invoke the integrations automatically in the order they are listed. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.

Get more details from Veracode

Starting with v4.2, select Get More Details on application vulnerable items (AVITs) that have Veracode as the Source on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table or from the list views in the Vulnerability Response Workspaces to view the following Veracode data.

HTTP Source request and Source response details for Dynamic Application Security Testing (DAST) scans are displayed on the HTTP Request/Response related list.
Solution recommendations from Veracode are displayed on the Findings related list.
HTTP Source request, Source response, and recommendations are displayed on the Details tab In the Vulnerability Response Vulnerability Response workspaces.
The Description column is supported on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table.

Available versions


Release version	Release Notes
Veracode v4.3 Veracode v4.2 Veracode v4.1	Application Vulnerability Response release notes For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes

User group and roles

The Veracode Vulnerability Integration is installed by a system administrator [admin] and configured by a member of the App-Sec Manager group. See Application Vulnerability Response user groups and roles for more information.

Veracode Vulnerability Integration

To view the Veracode vulnerability integrations, navigate to All > Veracode Vulnerability Integration > Integrations.

The following integrations are included in the base system.

Search:

Table 1. Veracode Vulnerability Integration
Integration	Description
Beginning with v4.1: Veracode Link projects Integration	This integration is activated by default. Retrieves all associated projects for each application from Veracode. Applications can have multiple projects in the Veracode application. Imported data from this integration is displayed on the following records: Last SCA Scan Date, App Creation Date, and App Update Date are listed on records in Discovered Applications. On Application Vulnerability Scan Summary records and application vulnerable items (AVITs), the Source SDLC status (Software Development Life Cycle) is displayed. Source exploitability is displayed on application vulnerable item (AVI) records.
Veracode Application List Integration (JSON)	This integration is inactive by default. Retrieves Veracode application scanner data (vulnerabilities, metadata) and enriches your application data. Retrieves scan records from Veracode via a JSON-based API.
Veracode Application List Integration (XML)	This integration is inactive by default. The XML-based version of this integration has been deactivated (deprecated). Retrieves Veracode application scanner data (vulnerabilities, metadata) and enriches your application data. This integration is set to run daily at 00:00:00. Note: A JSON-based API from Veracode is used to retrieve the list of applications. This API imports the ‘last policy compliance check date’ for these applications, signifying when these applications were last scanned by Veracode.
Veracode Software Bill of Materials (SBOM) Integration	Version 4.3 of the Veracode Vulnerability Integration includes the following enhancements with Veracode SBOM files: If you have installed SBOM Response, you have the option to include vulnerabilities found by Veracode for the SBOM files you upload. Veracode is mapped to the Source field for records in the Bill of Materials [sn_sbom_doc] table for the Veracode SBOM files. This integration is activated by default. Beginning with v4.2, imports Software Bill of Materials files in CycloneDX and SPDX formats generated by Veracode and queues them for parsing in your instance. You must have the Software Bill of Materials applications installed to import this data and view it.
Veracode Scan Summary Integration (JSON)	This integration is inactive by default. Retrieves scan records from Veracode via a JSON-based API. This integration replaces the XML-based API integration. It is chained and follows the Veracode Application List Integration when activated.
Veracode Scan Summary (XML)	This integration is inactive by default. The XML-based version of this integration has been deactivated (deprecated). Retrieves scan records from Veracode. This integration is chained and follows the Veracode Application List Integration when activated. Note: Automatically follows the Veracode Application List integration when it is activated. With the ‘Last policy compliance check date’ for the applications from Veracode, this integration retrieves data only for the applications that were scanned after the ‘delta_start_time’ of this integration.
Veracode Application Vulnerable Item JSON Integration	Starting with v4.2, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integrations. This integration is inactive by default. Retrieves scan results with more vulnerability data than the XML-based integration from Veracode. It inserts AVIs and enriches your third-party vulnerability data.
Veracode Application Vulnerable Item Integration (XML)	Starting with v4.2, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integrations. This integration is inactive by default. Retrieves scan results from Veracode, inserts Application Vulnerable Items (AVITs) and enriches your third-party vulnerability data. By default, if the scanner record is in the Closed state, AVITs are not created. Existing AVITs are still updated. This integration is chained and follows the Veracode Scan Summary integration when activated. The XML-based API is deprecated for the Veracode Scan Summary JSON integration. Note: Automatically follows the Veracode Scan Summary integration. With the ‘Last policy compliance check date’ for the applications from Veracode, this integration retrieves data only for the applications that were scanned after the ‘delta_start_time’ of this integration.
Veracode Categories Integration	This integration is inactive by default. Retrieves enhanced Categories data from Veracode.
Veracode CWE Integration	This integration is activated by default. Retrieves Veracode - specific Common Weakness Enumeration (CWE) data for threat information and remediation recommendations. These data are populated and updated on Application Vulnerability Entry records. This CWE integration operates independently from the scheduled job for the CWE Comprehensive 2000 Integration you activate for the Vulnerability Response application. Your data is not duplicated if you have the Veracode CWE Integration and the CWE Comprehensive 2000 Integration activated.
Veracode DevOps Integration	This integration is inactive by default. The integration is viewable on the Application Vulnerability Integrations list in Application Vulnerability Response. If you have a DevOps Change Velocity license, this feature is structured so that DevOps users do not need a SecOps license to view summary details for third-party vulnerability scans. There is no impact or change to Application Vulnerability Response.

For integration run statuses see, View the Veracode Application Vulnerability Integration import run status.

To view data in third-party vulnerabilities, see View vulnerability libraries.

On this page

Veracode Vulnerability Integration
Get more details from Veracode
Available versions
User group and roles
Veracode Vulnerability Integration

Was this topic helpful?

Previous

Invicti Vulnerability Integration state mapping

Next

Preparing for the Veracode Vulnerability Integration

Previous

Invicti Vulnerability Integration state mapping

Next

Preparing for the Veracode Vulnerability Integration

Log in to get a better experience