Skip to content

Add Load Results Functionality and Restructure Codebase

Latest
Marketplace
Latest
Marketplace

Choose a tag to compare

View all tags
@julz0815 julz0815 released this 23 Jan 19:30
· 2 commits to main since this release
v0.0.6
581406d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

πŸŽ‰ New Features

Dual Functionality Support

This release introduces a major enhancement that extends the action to support two distinct operation modes:

  1. Start Scan Mode (action_type: start-scan) - The original functionality to kick off Veracode DAST scans
  2. Load Results Mode (action_type: load-results) - NEW: Automatically download DAST findings and create/update GitHub issues

Load Results Functionality

The new load-results mode provides comprehensive issue management for DAST findings:

  • Automatic Issue Creation: Creates GitHub issues for new DAST findings
  • Issue Lifecycle Management:
    • Automatically opens/closes issues based on finding status (OPEN/CLOSED)
    • Handles resolution status (APPROVED/REJECTED)
    • Closes issues when findings are no longer present in scan results
  • Annotation Support:
    • Converts Veracode annotations (APPROVED, REJECTED, NETENV, etc.) to GitHub issue comments
    • Prevents duplicate comments with intelligent duplicate detection
    • Automatically closes/reopens issues based on annotation actions
  • Smart Duplicate Detection: Uses [VID:issue_id] format to identify and update existing issues

Enhanced Labeling System

  • Severity Labels: Updated to match veracode-flaws-to-issues format:
    • VeracodeFlaw: Very High (severity 5)
    • VeracodeFlaw: High (severity 4)
    • VeracodeFlaw: Medium (severity 3)
    • VeracodeFlaw: Low (severity 2)
    • VeracodeFlaw: Very Low (severity 1)
    • VeracodeFlaw: Informational (severity 0)
  • CWE Labels: Automatically creates CWE-{id} labels for each vulnerability type
  • DAST Label: Adds veracode-dast label to all DAST findings

πŸ“ New Parameters

  • action_type (required): Choose between start-scan or load-results
  • profile_name (required for load-results): Veracode Application Profile Name to fetch findings from

πŸ”§ Code Improvements

  • Restructured Codebase:
    • Moved scan functionality to src/scan/ folder
    • Created new src/results/ folder for results processing
    • Maintained shared api/, namespaces/, and services/ folders
  • Enhanced Authentication: Fixed HMAC authentication for all API calls
  • Better Error Handling: Improved error messages and debugging information
  • URL Encoding: Properly handles profile names with special characters and spaces

πŸ“š Documentation

  • Updated README: Comprehensive documentation for both action types
  • Usage Examples: Added examples for both start-scan and load-results modes
  • Feature Documentation: Detailed explanation of issue lifecycle and annotation handling

πŸ› Bug Fixes

  • Fixed authentication issues with Veracode API calls
  • Fixed URL encoding for profile names with spaces
  • Improved error handling for API responses

⚠️ Breaking Changes

  • action_type parameter is now required: All workflows must specify either start-scan or load-results
  • Conditional parameters:
    • dast_config_file_name is now only required for start-scan
    • profile_name is now required for load-results
  • Label format changed: Severity labels now use VeracodeFlaw: {Severity} format instead of severity-{level}

πŸ”„ Migration Guide

To migrate from v1.x to v2.0:

  1. For existing start-scan workflows, add action_type: start-scan:

    - uses: veracode/veracode-dast-action@v2
  with:
    action_type: start-scan
    # ... rest of your existing parameters

  2. For new load-results workflows, use:

    - uses: veracode/veracode-dast-action@v2
  with:
    action_type: load-results
    profile_name: YourApplicationName
    # ... rest of parameters

  3. Update label filters if you're filtering by severity labels - the format has changed

Assets 2
Loading