diniscruz / veracode-api Goto Github PK

At the moment it is quite aggressive which has some security benefits but makes it a really bad user experience.

That said, this forces me to have the password saved in the browser (since I don't want to type it dozens of times every working session)

Not only the timeout period is very small (see #9), at least after logging in again, the UI should take the user to the last screen (not to the main UI which is usually 4 to 5 clicks away from the last working location)

At the moment it seems that the only solution is to use the [email protected] email which is not very effecient and does not caputure the questions and answers.

For example using GitHub Issues (like what I'm doing here) would allow the search of issues and for veracode users to learn from each other.

This would work for non company/scan specific issues (or for cases when the issue's target can be annonymized)

not this

or 1 (ok) or 0 (not ok)

At the moment the veracode API returns the current list of applications after the delete is successful, which is the same as calling veracode-app-list

If the app doesn't exist of we don't have access to that app, we get <?xml version="1.0" encoding="UTF-8"?> <error>Access denied.</error>

Related to #13

At the moment most (if not all) links on the veracode UI are javascript:void(0); this means that there isn't an easy way to open multiple tabs from one of the pages.

A common (desired) workflow is to open the 'Sandbox page' and be able to open each of the projects in a separate tab.

At the moment the only workflow that I have is to open the Sandbox page in each tab, and click on the desired project (one at the time). This is hard with multiple projects since it is easy to miss a project

A work around for this would be to use a context menu (see #2) or to set the link with the actual value (instead of using javascript:void(0); )

This should put data in the same repo that will hold the scans results

Used to track:

• scans done
• scans status (this could be used on a script that checks for all scans for any pending actions, like download)
• pre-scan errors

related to #13

Unless I'm missing something obvious, when I go to the view:

I am not able to see the Call Stack details which are shown in the IntelliJ plugin

This really reduces the usability of that web interface, since key to understand the real impact of an issue is the path into that issue

At the moment it is returning an XML salad

related to #13

see prob with 2nd answer

which is caused by not recognising this answer

For example I'm opening an issue which I would like to point to a search result and an article (see pics below)

At the moment the only link that looks available is the https://analysiscenter.veracode.com/auth/index.jsp?subsystem=helpcenter

Note: one workaround is to open the article in a separate tab and copy that link (for example https://analysiscenter.veracode.com/auth/helpCenter/policy/policy_veracodelevel.html )

like this one

This is made worse by the aggressive timeout (see #9) and lack of redirect to last known location (#10)

before

after (with mouse overing the 'settings' icon

it looks like something is there, but no options are shown

Check if there is already an api in veracode REST for this, if not parsing the files from #19 might do the trick

tracked by #13

Given the complexity of the UI, it would help if there was a context menu available via the right-mouse button

At the moment the status says 'Pre Scan Success'

but in reality it is stuck with an 'Unscannable module' error

This would improve security

given access to veracode engine via UI or API
when a scan is started
and the scan UI page is openned
then there should be an easy way to refresh the content of the UI

Namely the Activity Log

• add alias veracode-apps #15
• find ID for a particular project - done: veracode-app-id ,
• Automatically create application when it is not there (to remove need to provide ID)
• Delete an application - done: veracode-delete-app or veracode-app-delete #14
• Add ability to scan a file (jar or war) - done: veracode-scan-file
• Get scan status
• List of app's builds - done: veracode-app-builds
• Method to provide list of active scans #20
• Check if there is a report for scan
• Download report (pdf and xml)
• Put downloaded report in repo, commit changes and push to repo
• current scan status
• test download report on Jenkins job (running at a regular interval)
• Add ability to scan a folder
• Add logging function #19
• Detect missing dependencies (after analysis)

Looking at https://analysiscenter.veracode.com/auth/helpCenter/policy/policy_veracodelevel.html is it not that clear if the scanning rules (and techniques) are dependent on the chosen veracode level.

Namely will there be any difference in the results if I chose

vs

We should get a nice table with the important values: build_id , file_id, file_name

This is what we currently get

<?xml version="1.0" encoding="UTF-8"?>

<filelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns="https://analysiscenter.veracode.com/schema/2.0/filelist" 
  xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/filelist https://analysiscenter.veracode.com/resource/2.0/filelist.xsd" 
  filelist_version="1.1" account_id="xxx" app_id="xxx" build_id="xxx">
     <file file_id="5718780000" file_name="xxx-xxx.zip" file_status="Uploaded"/>
</filelist>