Skip to content
/ veracode-bulk-cve-suppression Public

Allows for bulk suppression of specific CVE across full application portfolio.

License

MIT license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

aszaryk/veracode-bulk-cve-suppression

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.gitignore
.gitignore
 
 
BulkCVESuppression.py
BulkCVESuppression.py
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

Bulk Approve or Reject Veracode CVE Findings

Allows for bulk suppression of specific CVE across full application portfolio. Script can also be used to reverse the bulk suppression of CVE findings.

Note: This script requires Python 3!

Expected Results

Script leverages the mitigation workflow in Veracode to propose, approve and reject CVE findings in order to prevent them from affecting policy. In order to preserve any previous actions taken with regard to mitigations, the script is meant to operate only on issues that have no previous mitigation actions in place.

APPROVALS:

Script will only approve (Suppress) CVE findings if:

  1. No existing proposed mitigation exists
  2. No existing approved mitigation exists

UNAPPROVALS:

Script will only reject (Unapprove) CVE findings that have been previously mitigated using this script. It matches the approval comment previously used to reject the mitigation. Otherwise, it will skip the finding.

Setup

Clone this repository:

git clone https://github.com/aszaryk/veracode-bulk-cve-suppression

Install dependencies:

cd veracode-bulk-cve-suppression
pip install -r requirements.txt

(Optional) Save Veracode API credentials in ~/.veracode/credentials

[default]
veracode_api_key_id = <YOUR_API_KEY_ID>
veracode_api_key_secret = <YOUR_API_KEY_SECRET>

Configuration

Within the script, set the following options to meet your needs:

------------- CONFIGURATION ---------------
cve_to_mitigate = 'CVE-xxxx-xxxx' *#CVE To suppress. For example: 'CVE-2018-1199'*
propose_action = 'BYDESIGN' *#REASON in Propose action. Acceptable Values are: ['BYENV', 'BYDESIGN', 'FP', 'ACCEPTRISK']*
propose_comment = 'Proposal comment to auto suppress CVE' *#COMMENT required to propose a mitigation*
approve_comment = 'Bulk suppression of CVE Approval' *#COMMENT required to accept a mitigation*
reject_comment = 'Bulk rejection of CVE Rejection comment' *#COMMENT required to reject a mitigation*
bulk_action = 'SUPPRESS' *# Use 'SUPPRESS' to auto-approve a mitigation OR 'EXPOSE' to reject a previously auto-approved mitigation*
------------- END CONFIGURATION -------------

Run

If you have saved credentials as above you can run:

python BulkCVESuppression.py

Otherwise you will need to set environment variables:

export VERACODE_API_KEY_ID=<YOUR_API_KEY_ID>
export VERACODE_API_KEY_SECRET=<YOUR_API_KEY_SECRET>
python BulkCVESuppression.py

Logging

The script creates a BulkCVESuppression.log file.

About

Allows for bulk suppression of specific CVE across full application portfolio.

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages