You can use customized process templates to automatically import flaws and vulnerabilities as work items into Azure DevOps. In an Azure DevOps project, when you customize one or more objects in a process template, that template changes to a customized process template.
If you want to add custom fields to the generated work items, you must configure the predefined variables in this section before specifying the custom fields in the Veracode Flaw Importer.
Your customized process template can include names of work item types that the default process template does not support. For example, you can customize the default Scrum process template to include an Issue work item type.
To complete this task:
In your Azure project, configure these predefined variables on the Variables tab in your build or release configuration:note
The names of these predefined variables must match the variable names in your customized process templates.
customWorkItemType: enter one of these work item types:
customPTActiveStatus: enter the state for in progress or active work.
customPTNewStatus: enter the state for new or proposed work.
customPTResolvedStatus: enter the state for resolved work.
customPTDesignStatus: enter the state for work in design or test.
customPTCloseStatus: enter the state for completed work.
You configure these variables for the work item type (WIT) of which you are creating work items in your build or release configuration. The variables ensure that flaws import correctly if the status of a work item changes. See the Azure DevOps documentation for information on the work item states.
For example, on the States tab, you might have a Bug work item with these state changes:
- For Proposed:
- For In Progress:
- For Resolved:
- For Completed:
In your build or release configuration, on the Variables tab, you configure these pipeline variables in the customized process template for the Bug work item:
Optionally, to add debugging to your pipeline, add a new variable and enter these values in the New variable window:
Select Save & queue to save your configurations and add the build to your queue.
After the flaw import task has completed successfully, the work items related to flaws in a given application appear in Azure DevOps. In Azure DevOps, you can search on the Work or Queries pages, for example, to find the work items you created.
You can use a variable to prevent a password from appearing in a console log.