Azure DevOps YAML Properties for Flaw Importer

Ticketing Systems

This table describes the properties and their values for adding the Veracode Flaw Importer task to an Azure DevOps or Team Foundation Server (TFS) build pipeline using YAML.

Property (Type): Description

ConnectionDetailsSelection (String, required): One of these methods for connecting to Veracode:
  • Endpoint to use an existing service connection that includes your Veracode API credentials. Include AnalysisService to specify a service connection name.
  • Credentials to enter your Veracode API credentials. Include apiId to enter your API ID and apiKey to enter your API key.

veracodeAppProfile (String, required): Name of the Veracode application profile. The name is case-sensitive.

AnalysisService (String): If you set ConnectionDetailsSelection to Endpoint, the name of the service connection for accessing Veracode. If a service connection does not exist, you can create a new service connection.

apiId (String): If you set ConnectionDetailsSelection to Credentials, your Veracode API ID.

apiKey (String): If you set ConnectionDetailsSelection to Credentials, your Veracode API key.

proxySettings (String): If using a proxy to access Veracode, your proxy settings. For example:

  -phost abc.com -pport 5252 -puser proxyuser -ppassword proxypassword

  Note: Do not enclose any of the values in single or double quotation marks.

tfspassword (String): If using TFS 2015 Update 2, your TFS password. If not using TFS, do not set this property.

sandboxName (String): For development sandbox scans, the name of the sandbox in which to run the scan. If the sandbox does not exist, include createSandBox to create it with the specified name.

importType (String): One of these flaw types to import:
  • All Flaws, including mitigated and remediated flaws, from all scans. During the import process, the extension changes the state of the work items for all mitigated and remediated flaws to resolved or closed. This option imports all flaws without any restrictions.
  • All Unmitigated Flaws from all scans.
  • All Flaws Violating Policy, including all open flaws from all scans that affect policy.
  • All Unmitigated Flaws Violating Policy, including open flaws from all scans that affect policy. This is the default.

  Note: The Flaw Importer task does not import vulnerabilities from Veracode Software Composition Analysis (SCA) scans as work items.

  When generating new work items for imported flaws, the extension also imports mitigation and annotation comments. If you add comments to a previously imported flaw that already has work items, the extension does not import the new comments into those work items during subsequent flaw imports.

workItemType (String): One of these work item types to apply to all imported flaws: Bug, Issue, Task, Epic, Feature, Test Case

  Note: The Scrum process template does not support the Issue work item type. Also, the Veracode Flaw Importer task can only import flaws to customized work item types that do not contain required fields. If your customized work item types contain required fields, you must select different work item types that do not contain required fields, or the flaws fail to import.

area (String): Path to the area where you want to group the work items. You can enter up to five levels in the path. To enter the area path, use the format <project_name>\<area_1>\<area_2>. For <project_name>, enter the name of the project in the Build Pipeline or Release Pipeline task for which you want to import flaws.

overwriteAreaPathInWorkItemsOnImport (Boolean): Set to true to replace the area path in new and existing work items with the value specified for area. If set to false, existing work items retain their current area path.

addCustomTag (String): Add a tag with a custom string to all work items for all imported flaws.

addCweAsATag (Boolean): Add a tag with the CWE ID of the discovered flaw to the corresponding work item. Set to true to add the tag. Set to false to not add the tag. Defaults to true; you only see this property in the YAML file if the value is false.

foundInBuild (Boolean): Add a tag with the build number of the build in which Veracode discovered the flaw to the corresponding work item. Set to true to add the tag. Set to false to not add the tag. Defaults to true; you only see this property in the YAML file if the value is false.

addScanNameAsATag (Boolean): Add a tag to each work item showing the name of the Veracode scan that found the imported flaw. Set to true to add the tag. Set to false to not add the tag. Defaults to true; you only see this property in the YAML file if the value is false.

flawImportLimit (Integer): Maximum number of flaws to import at the same time. Default is 1000.

customFields (String): Add custom fields from process templates to generated work items of imported flaws. Enter key-value pairs to specify each field name and value. Add each key-value pair, separated with a colon, on a new line. For example: field.name:value

  Note: Ensure these field names match the field names you define in Azure and that all values are valid for the given field type. If there are any mismatches or validation errors, you can only see them in the console after importing flaws.
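The following pipeline step is an added example, not from the original page or from Veracode, showing how the properties above fit together in a YAML build pipeline. The task identifier and version are placeholders because the page does not state them; the service connection name, application profile, sandbox, project, area path, tag and custom field values are constructed, and createSandBox is assumed to take a Boolean.

```yaml
# Added example, not from the original page. The value on the "task:" line is a
# placeholder: substitute the Flaw Importer task identifier and version as
# installed in your Azure DevOps organization.
steps:
  - task: <VERACODE_FLAW_IMPORTER_TASK_ID>@<VERSION>   # placeholder
    displayName: Import Veracode flaws as work items
    inputs:
      # Endpoint reuses a service connection that already holds the API
      # credentials, so apiId/apiKey never appear in the pipeline definition.
      # (With Credentials you would instead set apiId/apiKey from secret
      # pipeline variables, e.g. apiKey: $(VERACODE_API_KEY), never as literals.)
      ConnectionDetailsSelection: Endpoint
      AnalysisService: veracode-service-connection     # constructed name
      veracodeAppProfile: PaymentsAPI                   # case-sensitive; constructed
      sandboxName: ci-sandbox                           # constructed
      createSandBox: true                               # assumed Boolean; creates ci-sandbox if absent
      importType: All Unmitigated Flaws Violating Policy  # the default, written out explicitly
      workItemType: Bug                                 # Issue is unsupported under Scrum
      # <project_name>\<area_1>\<area_2>, at most five levels; constructed values
      area: PaymentsProject\Backend\Scanning
      overwriteAreaPathInWorkItemsOnImport: false       # keep existing items' area path
      addCustomTag: veracode-import                     # constructed tag
      # addCweAsATag, foundInBuild and addScanNameAsATag default to true and
      # only need to be written when they are set to false:
      addScanNameAsATag: false
      flawImportLimit: 500                              # lower than the 1000 default
      # One field.name:value pair per line; names must match the process template.
      customFields: |
        Custom.SecurityOwner:appsec-team
        Microsoft.VSTS.Common.Priority:2
```

Because field name or value mismatches in customFields are only reported in the console after the import runs, review the task log of the first run rather than assuming the work items were populated.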