Resolve vulnerabilities using pull requests

SCA Agent-based Scan supports automatically generating pull requests for GitHub and GitLab repositories to resolve vulnerabilities identified in SCA agent scans.

Using information from the update advisor, the automatic pull requests modify package dependency files and update the libraries to the next closest safe version.

If the recommended safe version is a major version, and you do not want to update your application, we recommend ignoring the pull request.

Supported projects

The following table lists which GitHub and GitLab projects support automatic pull requests.

Package manager   Language      Files modified in pull request
Maven             Java          pom.xml
Gradle            Java          build.gradle
Pip               Python        requirements.txt
Pipenv            Python        Pipfile and Pipfile.lock
Bundler           Ruby          Gemfile and Gemfile.lock
NPM               JavaScript    package.json and either npm-shrinkwrap.json or package-lock.json
Bower             JavaScript    bower.json
CocoaPods         Objective-C   Podfile and Podfile.lock
Composer          PHP           composer.json

For NPM projects: if neither npm-shrinkwrap.json nor package-lock.json is present in the project, the agent-based scan generates a package-lock.json file.

Enable pull requests for GitHub

To use automatic pull requests with SCA Agent-based Scan, you need permission to create pull requests in GitHub.

To complete this task:

  1. Go to https://github.com/settings/tokens.

  2. If prompted, enter your GitHub credentials and log in.

  3. On the New personal access token page, select Generate new token.

  4. Enter a token description. For example: Allow Veracode Agent-Based Scan to generate pull requests

  5. Select repo.

  6. Select Generate token.

  7. After the token generates, select the copy-to-clipboard icon to copy the token, and save it to a safe location.

    Important

    After you leave the page, you cannot access this token again.

  8. Add your token using one of these methods:

    • Add this code to the agent.yml file installed in your ~/.srcclr folder:

      scmType: GITHUB
      scmToken: <token copied in earlier step>
    • Set the token as an environment variable in a command script. For example, add this code in Linux bash:

      export SRCCLR_SCM_TYPE="GITHUB"
      export SRCCLR_SCM_TOKEN="<token copied in earlier step>"
  9. If you are using an installation of GitHub other than GitHub.com, add your project URL using one of these methods:

    • Add the project URL to the agent.yml file installed in your ~/.srcclr folder. For example:

      scmUrl: https://github.acme.io
    • Set the project URL as an environment variable in a command script. For example, add this code in Linux bash:

      export SRCCLR_SCM_URL="https://github.acme.io"

Enable pull requests for GitLab

To use automatic pull requests with SCA Agent-based Scan, you need permission to create merge requests in GitLab.

To complete this task:

  1. Go to GitLab.com.

  2. If prompted, enter your GitLab credentials to log in.

  3. On the Personal Access Tokens page, enter a token name.

  4. Select the api checkbox.

  5. Select Create personal access token.

  6. After generating the token, copy it to your clipboard and save it to a safe location.

    Important

    After you leave the page, you cannot access this token again.

  7. If your GitLab instance requires SSH, follow GitLab's instructions to add an SSH key to your account.

  8. Add your token using one of these methods:

    • Add this code to the agent.yml file installed in your ~/.srcclr folder:

      scmType: GITLAB
      scmToken: {token copied in earlier step}
    • Set the token as an environment variable in your CI/CD settings or in a command script. For example, add this code in Linux bash:

      export SRCCLR_SCM_TYPE="GITLAB"
      export SRCCLR_SCM_TOKEN="{token copied in earlier step}"
  9. If you are using an installation of GitLab other than GitLab.com, add your project URL using one of these methods:

    • Add the project URL to the agent.yml file installed in your ~/.srcclr folder:

      scmUrl: https://gitlab.acme.io
    • Set the project URL as an environment variable in your CI/CD settings.

    • Set the project URL as an environment variable in a command script. For example, add this code in Linux bash:

      export SRCCLR_SCM_URL=https://gitlab.acme.io

Configure SCA agents

You configure the parameters of automatic pull requests in your SCA agent.

To complete this task:

Set the relevant scan directives in your shell or automation script to configure the parameters that determine when to generate the pull requests. You can set the directives in two ways:

  • As environment variables in your CI/CD settings, using the directive names in uppercase with the SRCCLR_ prefix. For example:

    export SRCCLR_PR_ON=methods
    export SRCCLR_NO_BREAKING_UPDATES=true
    export SRCCLR_IGNORE_CLOSED_PRS=false
    export SRCCLR_SCM_URL=https://gitlab.acme.io
    EXTRA_ARGS='--update-advisor --pull-request'
  • As directives in the srcclr.yml file of your SCA project. For example:

    pr_on: methods
    no_breaking_updates: true
    ignore_closed_prs: false
Important

If you set a directive both as an environment variable and in srcclr.yml, the environment variable overrides the srcclr.yml directive.

After you complete the configuration, your Veracode SCA agent can generate pull requests when the scan results meet the specified parameters. You can review and approve the pull request in your GitHub or GitLab project.
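The following POSIX shell function is an added example, not part of the Veracode agent or its documentation. It resolves a scan directive the way the two configuration methods above combine: the SRCCLR_<DIRECTIVE> environment variable wins over the matching srcclr.yml line, and a warning is printed when the two disagree. The function names are this example's own, and the one-key-per-line YAML parsing is a deliberate simplification rather than the agent's parser.

```shell
#!/bin/sh
# Added example: resolve the effective value of a scan directive.
# SRCCLR_<DIRECTIVE> in the environment overrides "<directive>: value" in
# srcclr.yml. The YAML handling is simplified to one "key: value" per line.
effective_directive() {
    name=$1
    yml=${2:-srcclr.yml}
    var="SRCCLR_$(printf '%s' "$name" | tr 'a-z' 'A-Z')"
    # Indirect expansion; $var contains only [A-Z0-9_], so eval is safe here.
    eval "env_val=\${$var-}"
    file_val=
    if [ -f "$yml" ]; then
        file_val=$(sed -n "s/^[[:space:]]*$name:[[:space:]]*//p" "$yml" | head -n 1)
    fi
    if [ -n "$env_val" ]; then
        # Environment wins; flag a conflicting srcclr.yml value so it is noticed.
        if [ -n "$file_val" ] && [ "$env_val" != "$file_val" ]; then
            printf 'warning: %s=%s overrides %s: %s in %s\n' \
                "$var" "$env_val" "$name" "$file_val" "$yml" >&2
        fi
        printf '%s\n' "$env_val"
        return 0
    fi
    [ -n "$file_val" ] || return 1
    printf '%s\n' "$file_val"
}

# Print the effective value of the three pull request directives from the page.
show_pr_directives() {
    for d in pr_on no_breaking_updates ignore_closed_prs; do
        printf '%s=%s\n' "$d" "$(effective_directive "$d" "$1" || printf unset)"
    done
}
```

Run `show_pr_directives path/to/srcclr.yml` in the same shell session that exports your SRCCLR_ variables to see exactly what the scan will use.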

Next steps:

For a more effective integration with your CI pipeline, we recommend customizing the automatic pull request behavior in your pipeline job, as in the following GitLab CI example:

  sourceclear:
    stage: security
    variables:
      SRCCLR_API_TOKEN: ${SRCCLR_API_TOKEN}
    script:
      - |
        if [[ $CI_BUILD_REF_NAME = master ]]; then

          # Set up ssh-agent so the agent can push the pull request branch
          which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
          eval $(ssh-agent -s)
          echo "$SSH_PRIVATE_KEY" | base64 --decode | ssh-add - > /dev/null
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          # Inside the CI container, this disables SSH host key verification for all hosts
          [[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
          git config --global user.email "[email protected]"
          git config --global user.name "user"

          # We want the PR to target the master branch
          git checkout -b master

          # GitLab doesn't set a remote either
          git remote set-url origin "[email protected]:$CI_PROJECT_PATH.git"

          EXTRA_ARGS='--update-advisor --pull-request'

          export SRCCLR_SCM_TOKEN="$GITLAB_TOKEN"
          export SRCCLR_SCM_TYPE=GITLAB
          export SRCCLR_SCM_URL='https://git.mycompany.com'
        fi
      - VERBOSE=true curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -s -- scan $EXTRA_ARGS

Troubleshooting

If the SCA agent is not able to generate an automatic pull request, it displays this message: No pull request was generated.

If you see this message when you expect the agent to generate a pull request, such as when the project uses vulnerable dependencies, verify that your project uses the supported build files.

If your project uses yarn.lock files, which Veracode SCA does not support, we recommend trying one or both of the following troubleshooting steps:

  • Remove yarn.lock while retaining package.json, and run the srcclr scan command again with the --allow-dirty option.
  • Run the srcclr scan --scan-collectors 'npm' command to perform an npm install and generate a pull request.

After merging the pull request, run the yarn install command to update the yarn.lock based on the changes in package.json.
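As an added pre-flight check (example code, not part of the Veracode agent or its documentation), the following POSIX shell function reports which files from the Supported projects table the agent would modify in a project directory, flags the unsupported yarn.lock case described above, and notes when an npm lockfile will be generated. The function name and its return codes are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for automatic pull request support.
# Return codes (this example's convention): 0 = supported files found,
# 1 = no supported dependency files, 2 = yarn.lock present (unsupported).
sca_pr_preflight() {
    dir=${1:-.}
    found=0
    # manifest to look for | package manager | files the pull request modifies
    for row in \
        'pom.xml|Maven|pom.xml' \
        'build.gradle|Gradle|build.gradle' \
        'requirements.txt|Pip|requirements.txt' \
        'Pipfile|Pipenv|Pipfile and Pipfile.lock' \
        'Gemfile|Bundler|Gemfile and Gemfile.lock' \
        'package.json|NPM|package.json and npm-shrinkwrap.json or package-lock.json' \
        'bower.json|Bower|bower.json' \
        'Podfile|CocoaPods|Podfile and Podfile.lock' \
        'composer.json|Composer|composer.json'
    do
        manifest=${row%%|*}
        rest=${row#*|}
        pm=${rest%%|*}
        files=${rest#*|}
        [ -f "$dir/$manifest" ] || continue
        found=1
        printf 'OK    %-10s modifies: %s\n' "$pm" "$files"
    done
    if [ -f "$dir/package.json" ]; then
        # yarn.lock is not supported; point at the two troubleshooting options.
        if [ -f "$dir/yarn.lock" ]; then
            printf 'WARN  yarn.lock is not supported; remove it (keep package.json) and\n'
            printf '      rescan with --allow-dirty, or run scan --scan-collectors npm\n'
            return 2
        fi
        # Without a lockfile the agent-based scan generates package-lock.json.
        if [ ! -f "$dir/npm-shrinkwrap.json" ] && [ ! -f "$dir/package-lock.json" ]; then
            printf 'NOTE  no npm lockfile; the scan will generate package-lock.json\n'
        fi
    fi
    if [ "$found" -eq 0 ]; then
        printf 'FAIL  no supported dependency files; expect "No pull request was generated"\n'
        return 1
    fi
    return 0
}
```

Run `sca_pr_preflight /path/to/project` before enabling `--pull-request` in a pipeline; a non-zero result explains the "No pull request was generated" message before the scan does.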