### Initiate Scan with All Top-Level Modules (HTTPie) Source: https://docs.veracode.com/r/r_beginscan Use this example to start a scan that includes all top-level modules. Ensure you replace `` with your actual application ID. ```http http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/beginscan.do" "app_id==" "scan_all_top_level_modules==true" ``` -------------------------------- ### Initiate Scan with Specific Modules (HTTPie) Source: https://docs.veracode.com/r/r_beginscan Use this example to start a scan with a specific set of modules. Replace `` and `` with your actual IDs. Modules are specified as a comma-separated list. ```http http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/beginscan.do" "app_id==" "modules==," ``` -------------------------------- ### Wrapper Usage Examples Source: https://docs.veracode.com/r/r_wrapper_parameters Examples of how to execute wrapper commands for Java and C#. ```APIDOC ## Java Wrapper Example ### Command java -jar vosp-api-wrapper-java{version}.jar -action getapplist -vid -vkey -phost proxyhost.com -pport 8080 -puser -ppassword ## C# Wrapper Example ### Command VeracodeC#API.exe -action getapplist -vid -vkey -phost proxyhost.com -pport 8080 -puser -ppassword ``` -------------------------------- ### Get Veracode CLI Version Source: https://docs.veracode.com/r/veracode_version Run this command to display the current version of the Veracode CLI installed on your system. No setup is required beyond having the CLI installed. ```bash ./veracode version [flags] ``` -------------------------------- ### Example output for configuration Source: https://docs.veracode.com/r/veracode_configure Displays the output when credentials are saved to the local configuration file. ```text Configuring credentials for the Veracode CLI ... API ID [Your Veracode API ID] API Secret Key [Your Veracode API Secret Key] Validated API credentials successfully. Wrote configuration to /$HOME/.veracode/veracode.yml ``` -------------------------------- ### beginprescan.do XML Response Example Source: https://docs.veracode.com/r/r_beginprescan Example of the buildinfo XML document returned by the beginprescan.do call. This can be validated against the buildinfo.xsd schema. ```xml ``` -------------------------------- ### Get Application Details by GUID Source: https://docs.veracode.com/r/r_applications_info Use this request to retrieve details for a specific application profile using its unique GUID. Ensure you have the correct application GUID. ```bash http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v1/applications/{applicationGuid}" ``` -------------------------------- ### Clone Veracode SCA Example JavaScript Bower Repository Source: https://docs.veracode.com/r/Find_vulnerabilities_in_Bower Clone the example repository to perform a test scan. Ensure you have Git installed and access to the repository. ```bash git clone https://github.com/veracode/example-javascript-bower ``` -------------------------------- ### Clone Example Java Maven Repository Source: https://docs.veracode.com/r/Find_vulnerabilities_in_Java_or_Kotlin_with_Maven Clone a public Veracode SCA repository to run an example scan. This is a starting point for testing the SCA agent with Maven projects. ```bash git clone https://github.com/veracode/example-java-maven ``` -------------------------------- ### Get Static Analysis Flaw Details from Sandbox Source: https://docs.veracode.com/r/c_findings_v2_examples Retrieve data paths for a static analysis finding from a sandbox scan. Requires application GUID, issue ID, and sandbox GUID. ```http http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings/{issue_id}/static_flaw_info?context={sandbox_guid}” ``` -------------------------------- ### Add GitLab Repositories Example Source: https://docs.veracode.com/r/veracode_repository_add This example demonstrates the interactive process of adding GitLab repositories. After running the command, you will be prompted to select GitLab, enter the URL, and provide an access token. The CLI then generates an Excel configuration file. ```bash ./veracode repository add ``` -------------------------------- ### GET /appsec/v1/applications/{applicationGuid} Source: https://docs.veracode.com/r/r_applications_info Retrieves the details of a specific application profile using its unique application GUID. ```APIDOC ## GET /appsec/v1/applications/{applicationGuid} ### Description Returns the details of a specific application profile based on the provided application GUID. ### Method GET ### Endpoint https://api.veracode.com/appsec/v1/applications/{applicationGuid} ### Parameters #### Path Parameters - **applicationGuid** (string) - Required - The unique identifier for the application. ``` -------------------------------- ### Combine certificate and key files Source: https://docs.veracode.com/r/configure-trusted-certificates Prepare the certificate bundle by copying the private key and appending the signed certificate. ```bash cp privkey.pem /etc/ssl/privkey.key cp privkey.pem /etc/ssl/new.pem cat new.crt >> /etc/ssl/new.pem ``` -------------------------------- ### Checkout source code for scanning Source: https://docs.veracode.com/r/Integrate_SCA_agents Initial steps to prepare the local environment by checking out the repository and navigating to the project directory. ```bash $ svn checkout https://svn.code.sf.net/p/properties-mvn/svn/ properties-mvn $ cd properties-mvn ``` -------------------------------- ### Get Findings Violating Policy Source: https://docs.veracode.com/r/c_findings_v2_examples Retrieve findings that do not comply with the defined security policy. Requires the application GUID. ```http http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?violates_policy=TRUE" ``` -------------------------------- ### Get Findings by CWE ID Source: https://docs.veracode.com/r/c_findings_v2_examples Retrieve all findings for a specific CWE ID within an application. Requires the application GUID. ```http http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?cwe=80" ``` -------------------------------- ### Execute getapplist with C# Wrapper Source: https://docs.veracode.com/r/r_wrapper_parameters Example command to retrieve the application portfolio using the C# wrapper with proxy settings. ```bash VeracodeC#API.exe -action getapplist -vid -vkey -phost proxyhost.com -pport 8080 -puser -ppassword ``` -------------------------------- ### Application Profile API Response Source: https://docs.veracode.com/r/REST_APIs_Quickstart Example JSON response returned by the Applications API, containing the application GUID and scan status. ```json { "id": 1571531, "oid": 72529, "last_completed_scan_date": "2022-10-31T13:41:35.000Z", "guid": "a99686b7-b54a-4fc4-abf5-cac0315fc041", "created": "2022-10-31T13:13:49.000Z", "modified": "2022-10-31T13:41:35.000Z", "app_profile_url": "HomeAppProfile:72529:1571531", "scans": [ { "scan_type": "STATIC", "status": "PUBLISHED", "modified_date": "2022-10-31T13:41:35.000Z", "scan_url": "StaticOverview:72529:1571531:21801526:21772979:21788629", "internal_status": "resultsready", "links": [], "fallback_type": null, "full_type": null } ], "last_policy_compliance_check_date": "2022-10-31T13:43:13.000Z", "profile": { "name": "Verademo", "tags": null, "business_unit": { "id": 76248, "name": "Not Specified", "guid": "677a8473-a5f9-4a00-9275-072005a7f488" }, "business_owners": [], "archer_app_name": null, "policies": [ { "guid": "1300d04a-05fb-4f85-ba88-9bd664443725", "name": "Veracode Recommended Very Low", "is_default": true, "policy_compliance_status": "PASSED" } ], "teams": [ { "team_id": 136485, "team_name": "Demo Team", "guid": "3b6ee442-8ac3-46c7-9a53-fb003322508f" } ], "custom_fields": null, "description": null, "settings": { "nextday_consultation_allowed": false, "static_scan_xpa_or_dpa": true, "dynamic_scan_approval_not_required": false, "sca_enabled": false }, "business_criticality": "VERY_LOW" }, "results_url": "ViewReportsResultSummary:72529:1571531:21801526", "_links": { "self": { "href": "https://api.veracode.com/appsec/v1/applications/a99686b7-b54a-4fc4-abf5-cac0315fc041" }, "sandboxes": { "href": "https://api.veracode.com/appsec/v1/applications/a99686b7-b54a-4fc4-abf5-cac0315fc041/sandboxes{?page,size}", "templated": true }, "policy": { "href": "https://api.veracode.com/appsec/v1/policies/1300d04a-05fb-4f85-ba88-9bd664443725" } } } ``` -------------------------------- ### Execute getapplist with Java Wrapper Source: https://docs.veracode.com/r/r_wrapper_parameters Example command to retrieve the application portfolio using the Java wrapper with proxy settings. ```bash java -jar vosp-api-wrapper-java{version}.jar -action getapplist -vid -vkey -phost proxyhost.com -pport 8080 -puser -ppassword ``` -------------------------------- ### Get eLearning courses with Java Source: https://docs.veracode.com/r/r_available_courses Example implementation using the Veracode HMAC authentication library to authorize a request to the courses endpoint. ```java import java.net.URI; import org.apache.http.HttpEntity; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.impl.client.HttpClients; import org.apache.http.util.EntityUtils; import org.json.JSONObject; import com.veracode.security.apisigning.ClientCryptoLib; public class GetCoursesClient { // An API Id for authentication private final static String API_KEY = "API_KEY_GOES_HERE"; // The secret key corresponding to the API Id private final static String API_SECRET = "API_SECRET_GOES_HERE"; public static void main(String[] args) throws Exception { URI uri = URI.create("https://api.veracode.com/elearning/v1/courses"); String authHeader = ClientCryptoLib.calculateAuthorizationHeader(ClientCryptoLib.VERACODE_HMAC_SHA_256, API_KEY, API_SECRET, uri.getHost(), uri.getPath(), HttpGet.METHOD_NAME); HttpGet request = new HttpGet(uri); request.addHeader("Authorization", authHeader); CloseableHttpResponse response = HttpClients.createDefault().execute(request); HttpEntity entity = response.getEntity(); JSONObject json = new JSONObject(EntityUtils.toString(entity, "UTF-8")); System.out.println(json.toString(4)); } } ``` -------------------------------- ### Java Example for getapplist.do Source: https://docs.veracode.com/r/r_getapplist Example of how to execute the getapplist.do action using the Veracode Java API wrapper. Replace placeholders with your actual credentials and version number. ```java java -jar vosp-api-wrappers-java-.jar -vid -vkey -action getapplist ``` -------------------------------- ### Get New Findings from Latest Scan Source: https://docs.veracode.com/r/c_findings_v2_examples Retrieve only the new findings introduced in the most recent scan of an application. Requires the application GUID. ```http http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?new=true" ``` -------------------------------- ### Display Help Source: https://docs.veracode.com/r/SCA_agent_commands Show a summary of available commands. ```bash $ srcclr --help ``` -------------------------------- ### Get eLearning report cards with Java Source: https://docs.veracode.com/r/r_elearning_progress_API Example demonstrating how to authenticate and request report cards using the Veracode HMAC signing library. ```java import java.net.URI; import org.apache.http.HttpEntity; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.impl.client.HttpClients; import org.apache.http.util.EntityUtils; import org.json.JSONObject; import com.veracode.security.apisigning.ClientCryptoLib; public class GetReportCardsClient { // An API Id for authentication private final static String API_KEY = "API_KEY_GOES_HERE"; // The secret key corresponding to the API Id private final static String API_SECRET = "API_SECRET_GOES_HERE"; public static void main(String[] args) throws Exception { URI uri = URI.create( "https://api.veracode.com/elearning/v1/reportcards?course_id=CRLF&user_id=jsmith"); String authHeader = ClientCryptoLib.calculateAuthorizationHeader(ClientCryptoLib.VERACODE_HMAC_SHA_256, API_KEY, API_SECRET, uri.getHost(), uri.getPath().concat("?"+uri.getQuery()), HttpGet.METHOD_NAME); HttpGet request = new HttpGet(uri); request.addHeader("Authorization", authHeader); CloseableHttpResponse response = HttpClients.createDefault().execute(request); HttpEntity entity = response.getEntity(); JSONObject json = new JSONObject(EntityUtils.toString(entity, "UTF-8")); System.out.println(json.toString(4)); } } ``` -------------------------------- ### Get sandboxes for an application profile Source: https://docs.veracode.com/r/r_applications_sandboxes Use this request to retrieve all sandboxes linked to a specific application GUID. Requires the Veracode HMAC authentication type. ```http http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v1/applications/{applicationGuid}/sandboxes" ``` -------------------------------- ### HTTPie Example for getapplist.do Source: https://docs.veracode.com/r/r_getapplist Example using HTTPie to call the getapplist.do API with user info included. Ensure you use the correct authentication method for your region. ```bash http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/getapplist.do" "include_user_info==true" ``` -------------------------------- ### Get Static Analysis Flaw Details Source: https://docs.veracode.com/r/c_findings_v2_examples Retrieve data paths for a specific static analysis finding. Requires application GUID and finding ID. ```http http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings/{finding_id}/static_flaw_info" ``` -------------------------------- ### Clone the example repository Source: https://docs.veracode.com/r/Find_vulnerabilities_in_JavaScript_with_NPM Use this command to download the public Veracode SCA example repository for testing. ```bash git clone https://github.com/veracode/example-javascript ``` -------------------------------- ### Get Dynamic Analysis Vulnerability Details Source: https://docs.veracode.com/r/c_findings_v2_examples Retrieve detailed information for a specific dynamic analysis finding. Requires application GUID and issue ID. ```http http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings/{issue_id}/dynamic_flaw_info" ``` -------------------------------- ### HTTPie Example for beginprescan.do Source: https://docs.veracode.com/r/r_beginprescan Example using HTTPie to call the beginprescan.do API. Ensure you replace with your actual application ID. ```bash http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/beginprescan.do" "app_id==" "auto_scan==false" ``` -------------------------------- ### Define application directory structure Source: https://docs.veracode.com/r/compilation_go Example layout for a Go application archive including the configuration file and vendor dependencies. ```text app.zip |__ app/ |-- veracode.json [configuration file, see above] |__ cmd/ |__ app1 |-- main.go |__ vendor/ [first- and third-party dependencies go in this folder] |__ golang.org/ |__ gopkg.in/ |__ github.com/ |__ my_company/ [marked as 'first-party' and included in analysis] |__ firstpartypkg1/ |__ firstpartypkg2/ |__ 3rdparty [marked as 'third-party' and not included in analysis] ``` -------------------------------- ### HMAC Signing Example in Java Source: https://docs.veracode.com/r/c_enabling_hmac This Java code demonstrates how to implement HMAC signing for Veracode API requests. Ensure the Java authentication library is installed. ```java import java.io.IOException; import java.net.URI; import java.net.http.HttpClient; import java.net.http.HttpRequest; import java.net.http.HttpResponse; import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; public class HmacExample { private static final String HMAC_SHA256 = "HmacSHA256"; public static void main(String[] args) { // Replace with your actual API ID, API Key, and target URL String apiId = "YOUR_API_ID"; String apiKey = "YOUR_API_KEY"; String targetUrl = "https://your.veracode.api.url/resource"; String httpMethod = "GET"; // or "POST", "PUT", etc. String requestBody = ""; // Empty for GET requests, or your payload for POST/PUT try { String nonce = generateNonce(); String timestamp = String.valueOf(System.currentTimeMillis() / 1000); String message = httpMethod.toUpperCase() + ":" + targetUrl.toLowerCase() + ":" + apiId + ":" + nonce + ":" + timestamp; if (!requestBody.isEmpty()) { message += ":" + sha256(requestBody); } String hmacSignature = calculateHmac(message, apiKey); HttpClient client = HttpClient.newHttpClient(); HttpRequest request = HttpRequest.newBuilder() .uri(URI.create(targetUrl)) .header("x-api-id", apiId) .header("x-hmac-nonce", nonce) .header("x-hmac-timestamp", timestamp) .header("Authorization", "VERACODE-HMAC-SHA256 ``` ```java signature="+hmacSignature") .method(httpMethod, HttpRequest.BodyPublishers.ofString(requestBody)) .build(); HttpResponse response = client.send(request, HttpResponse.BodyHandlers.ofString()); System.out.println("Status Code: " + response.statusCode()); System.out.println("Response Body: " + response.body()); } catch (NoSuchAlgorithmException | InvalidKeyException | IOException | InterruptedException e) { e.printStackTrace(); } } private static String generateNonce() { // In a real application, use a cryptographically secure random number generator return String.valueOf(System.nanoTime()); } private static String sha256(String input) throws NoSuchAlgorithmException { java.security.MessageDigest digest = java.security.MessageDigest.getInstance("SHA-256"); byte[] hash = digest.digest(input.getBytes(StandardCharsets.UTF_8)); StringBuilder hexString = new StringBuilder(); for (byte b : hash) { String hex = Integer.toHexString(0xff & b); if (hex.length() == 1) hexString.append('0'); hexString.append(hex); } return hexString.toString(); } private static String calculateHmac(String data, String key) throws NoSuchAlgorithmException, InvalidKeyException { SecretKeySpec secretKeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), HMAC_SHA256); Mac mac = Mac.getInstance(HMAC_SHA256); mac.init(secretKeySpec); byte[] hmacBytes = mac.doFinal(data.getBytes(StandardCharsets.UTF_8)); StringBuilder hexHmac = new StringBuilder(); for (byte b : hmacBytes) { String hex = Integer.toHexString(0xff & b); if (hex.length() == 1) hexHmac.append('0'); hexHmac.append(hex); } return hexHmac.toString(); } } ``` -------------------------------- ### Get Findings for a Sandbox Source: https://docs.veracode.com/r/c_findings_v2_examples Retrieve findings associated with a specific non-policy sandbox. If no sandbox GUID is provided, the API returns the latest policy scan findings. ```http http --auth-type=veracode_hmac GET "https://api.veracode.com/appsec/v2/applications/{application_guid}/findings?context={sandbox_guid}" ``` -------------------------------- ### List Configuration Source: https://docs.veracode.com/r/SCA_agent_commands Display the entire configuration from the agent.yml file. ```bash $ srcclr config --list ``` -------------------------------- ### HTTPie Example for getvendorlist.do Source: https://docs.veracode.com/r/r_getvendorlist An example using the HTTPie command-line tool to authenticate and call the getvendorlist.do API. This demonstrates how to make the request with HMAC authentication. ```bash http --auth-type=veracode_hmac "https://analysiscenter.veracode.com/api/5.0/getvendorlist.do" ``` -------------------------------- ### HMAC Signing Example in Python Source: https://docs.veracode.com/r/c_enabling_hmac This Python code snippet shows how to generate an HMAC signature for Veracode API requests. Ensure the Python authentication library is installed. ```python import hashlib import hmac import time import requests # Replace with your actual API ID, API Key, and target URL api_id = "YOUR_API_ID" api_key = "YOUR_API_KEY" target_url = "https://your.veracode.api.url/resource" http_method = "GET" # or "POST", "PUT", etc. request_body = "" # Empty for GET requests, or your payload for POST/PUT nonce = str(int(time.time() * 1000)) timestamp = str(int(time.time())) # Calculate SHA256 hash of the request body if it exists body_hash = "" if request_body: body_hash = hashlib.sha256(request_body.encode('utf-8')).hexdigest() # Construct the message string message = f"{http_method.upper()}:{target_url.lower()}:{api_id}:{nonce}:{timestamp}" if body_hash: message += f":{body_hash}" # Calculate the HMAC-SHA256 signature hmac_signature = hmac.new(api_key.encode('utf-8'), message.encode('utf-8'), hashlib.sha256).hexdigest() # Prepare headers for the request headers = { "x-api-id": api_id, "x-hmac-nonce": nonce, "x-hmac-timestamp": timestamp, "Authorization": f"VERACODE-HMAC-SHA256 signature={hmac_signature}" } # Make the API request try: response = requests.request(http_method, target_url, headers=headers, data=request_body) response.raise_for_status() # Raise an exception for bad status codes print(f"Status Code: {response.status_code}") print(f"Response Body: {response.text}") except requests.exceptions.RequestException as e: print(f"An error occurred: {e}") ``` -------------------------------- ### PUT /appsec/v1/applications/{guid} Source: https://docs.veracode.com/r/r_applications_update Updates an existing application profile. Note that all properties are required; it is recommended to perform a GET request first to retrieve the current state before updating. ```APIDOC ## PUT /appsec/v1/applications/{guid} ### Description Updates an application profile. All properties are required for this operation. ### Method PUT ### Endpoint https://api.veracode.com/appsec/v1/applications/{guid} ### Parameters #### Path Parameters - **guid** (string) - Required - The unique identifier of the application profile. #### Request Body - **profile** (object) - Required - The application profile object containing all required fields including name, tags, business_unit, business_owners, policies, teams, custom_fields, and business_criticality. ### Request Example { "profile": { "name": "Applications REST API 9.5", "tags": "demo, restapi", "business_unit": { "guid": "{business_unit_guid}" }, "business_owners": [ { "email": "user@example.com", "name": "string" } ], "archer_app_name": null, "policies": [ { "guid": "{policy_guid}", "is_default": true } ], "teams": [ { "guid": "{team_guid}" } ], "custom_fields": [ { "name": "my_custom_field", "value": "my_custom_value" } ], "description": null, "business_criticality": "HIGH" } } ``` -------------------------------- ### Example build list XML response Source: https://docs.veracode.com/r/c_TUTOR_mitigate Sample XML structure returned by the getbuildlist.do API call. ```xml ```