Copies mitigations from one Veracode profile to another if it's the same flaw based on the following flaw attributes:
- Static:
cweid
,type
,sourcefile
, andline
(see Note 1 below) - Static (no debug information):
cweid
,type
,procedure
andrelative_location
- Dynamic:
cweid
,path
andvulnerable_parameter
The script will copy all proposed and accepted mitigations for the flaw. The script will skip a flaw in the copy_to
build if it already has an accepted mitigation.
Note: This script requires Python 3!
Clone this repository:
git clone https://github.com/tjarrettveracode/veracode-mitigation-copier
Install dependencies:
cd veracode-mitigation-copier
pip install -r requirements.txt
(Optional) Save Veracode API credentials in ~/.veracode/credentials
[default]
veracode_api_key_id = <YOUR_API_KEY_ID>
veracode_api_key_secret = <YOUR_API_KEY_SECRET>
If you have saved credentials as above you can run:
python MitigationCopier.py (arguments)
Otherwise you will need to set environment variables:
export VERACODE_API_KEY_ID=<YOUR_API_KEY_ID>
export VERACODE_API_KEY_SECRET=<YOUR_API_KEY_SECRET>
python MitigationCopier.py (arguments)
Arguments supported include:
-f
,--fromapp
- Application GUID that you want to copy mitigations from.-fs
,--fromsandbox
(optional) - Sandbox GUID that you want to copy mitigations from. Ignored if--prompt
is set.-t
,--toapp
- Application GUID that you want to copy mitigations to.-ts
,--tosandbox
(optional) - Sandbox GUID that you want to copy mitigations to. Ignored if--prompt
is set.-p
,--prompt
- Specify to prompt for the applications to copy from and to.-d
,--dry_run
(optional) - Specify to log potential copied mitigations rather than actually mitigating the findings.-l
,--legacy_ids
(optional) - Specify to use legacy Veracode application IDs rather than application GUIDs.-po
,--propose-only
(optional) - If specified, only propose mitigations; do not approve the copied mitigations.-i
,--id_list
(optional) - If specified, only copy mitigations from thefromapp
for the flaw IDs inid_list
.
The script creates a MitigationCopier.log
file. All actions are logged.
python MitigationCopier.py --prompt
python MitigationCopier.py --fromapp abcdefgh-1234-abcd-1234-123456789012 --toapp 12345678-abcd-1234-abcd-abcdefghijkl
python MitigationCopier.py --fromapp abcdefgh-1234-abcd-1234-123456789012 --toapp 12345678-abcd-1234-abcd-abcdefghijkl --id_list 1 2 3
You must provide the application GUID values for both application profiles. You can look these up by calling the Veracode Applications API (or use the --prompt
argument and copy the GUIDs from the console output).
python MitigationCopier.py --fromapp 1234567 --toapp 7654321
You must provide the legacy Veracode application ID values for both application profiles. These IDs are available from the Veracode XML APIs.
python MitigationCopier.py --prompt --dry_run
- For static findings, when matching by line number, we automatically look within a range of line numbers around the original finding line number to allow for drift. This is controlled by the constant
LINE_NUMBER_SLOP
declared at the top of the file. - For static findings when source file information is not available, we try to use procedure and relative location. This is less predictable so it is recommended that you perform a dry run when copying mitigations from non-debug code. Unlike when source file information is available, we do not use "sloppy matching" in this case -- we have observed that mitigations in non-debug code are most common when a binary dependency is being reused across teams and thus locations are less likely to change.