Configuration - SecureDevOps/veracode2rally GitHub Wiki
Before running Veracode2Rally, it must be configured to map a Veracode application to its corresponding Rally project, store credentials and designate any desired custom fields. Configuration information is saved to veracode2rally_config.xml in the resources folder.
The recommended method to configure Veracode2Rally is run the included configuration utility veracode2rallyConfig.jar. This application must use the Oracle version of Java, not OpenJDK. Launch the application by entering:
java -jar veracocde2rallyConfig.jar
to view the main screen.
Open the blank veracode2rally_config.xml file in the resources folder by clicking FILE, then OPEN and save back to that location by clicking FILE, then SAVE when configuration is complete. Each tab represents a needed configuration for Veracode2Rally.
#Project Mapping Tab#
The purpose of the Project Mapping tab is to map what application in Veracode corresponds to what project in Rally. Project mapping records are created with a 1:1 relationship. Each application in Veracode corresponds to a project in Rally. A single record or many project mapping records can be created. Each Veracode2Rally synchronization will cycle through all project mapping records created. Click New to create a new Project mapping record.
Veracode App Name - Optional The "Application Name" as listed in Veracode.
Veracode App ID - Required To find the appid of your application, navigate to the main profile page for that application in Veracode. The appid is the second number in the URL between the second and third colon.
The Veracode appid for the example above is: 123456
Rally Project Name - Optional The project name as listed in Rally. This field is not required.
Rally Project ID - Required To find the Rally ID for the project, navigate to the Rally dashboard for that project.The project ID is the first number listed in the URL.
The Rally Project ID for the example above is: 12345678901
Import - Required Pick one of the four choices of what flaws are to be exported out of Veracode and into Rally.
- All flaws
- Flaws affecting policy
- All unmitigated flaws
- Unmitigated flaws affecting policy
#Veracode Credentials Tab#
Veracode credentials are stored in veracode2rally_config.xml. A Username/Password combination, API ID/Key combination or both can be stored. For Veracode accounts that use Single sign-on (SSO), an API ID/Key should be used.
When using a human account, enter the Veracode Username/Veracode Password and select Username/Password in the "Login with" dropdown.
For an API account, enter the Veracode API ID/Veracode API Key and select API ID/Key in the "Login with" dropdown.
Credentials for both Username/Password and API ID/Key can be entered but only the credential selected by the "Login with" dropdown will be used during synchronization.
Encrypt Password and Key
Checking this box stores the Veracode Password and API Key in encrypted form when writing to veracode2rally_config.xml. If you wish to use this feature, it is recommended that you change the default password located in credentials.java and veracode2rallyConfig.java.
#Rally Credentials Tab#
Rally credentials are stored in veracode2rally_config.xml. A Username/Password combination, API Key or both can be stored. For Rally accounts that use Single sign-on (SSO), an API Key should be used. Users can acquire a Rally API Key by navigating to:
https://rally1.rallydev.com/login/
and click API KEYS
When using a regular user account, enter the Rally Username and Password and select Username/Password in the "Login with" dropdown.
For an API account, enter the Rally API Key and select API Key in the "Login with" dropdown. Only the Rally API Key is needed when using this option.
Credentials for both Username/Password and API Key can be entered but only the credential selected by the "Login with" dropdown will be used during synchronization.
Encrypt Password and Key
Checking this box stores the Rally Password and API Key in encrypted form when writing to veracode2rally_config.xml. If you wish to use this feature, it is recommended that you change the default password located in credentials.java and veracode2rallyConfig.java.
#Rally Custom Fields Tab#
Veracode2Rally can use custom fields in Rally. This enables developers to propose mitigations in Rally and synchronize them with Veracode. To see more about this, please view the demo video at:
THIS FEATURE IS OPTIONAL. None of the entries on this tab are required. If you do not want to use the propose mitigation from Rally feature, leave these boxes blank.
Below are sample specifications to be given to a Rally administrator to create these custom fields. What specifically to name the field is optional, but be aware that custom fields in Rally when called through the API require that a "c_" be placed in front of the field name as demonstrated in the example above.
Mitigation Action - Optional Maps to the Mitigation Action dropdown in Veracode In Rally, Add Custom Field Name: Action DisplayName: Action Type: Drop Down List Visible This Project: Yes Values:
- Add Comment
Mitigation Comment - Optional Maps to the Comment text box located next to the Mitigation Action dropdown in Veracode In Rally, Add Custom Field Name: Comment DisplayName: Comment Type: Text Visible This Project: Yes
Mitigation History - Optional Represents a history of all mitigation actions and comments stored in Veracode In Rally, Add Custom Field Name: MitigationHistory DisplayName: MitigationHistory Type: Text Visible This Project: Yes
Unique ID - Optional Veracode2Rally creates a unique ID for each flaw and by default stores it in the Rally Description field. Users who want to store this identifier in a separate field for reporting purposes should create a Rally custom field using the specifications below and indicate the name of that field in this box. Add Custom Field Name: VeracodeID DisplayName: VeracodeID Type: String Visible This Project: Yes