Use Customized Process Templates to Import Flaws and Vulnerabilities into Azure DevOps

Ticketing Systems

Publication
Ticketing Systems
Edition date
2023-02-03
Last publication
2023-02-03T16:59:22.540087

You can use customized process templates to automatically import flaws and vulnerabilities as work items into Azure DevOps or Team Foundation Server (TFS). In an Azure DevOps project, when you customize one or more objects in a process template, that template changes to a customized process template.

Note: To ensure that flaws import successfully, if you want to add custom fields to the generated work items, you must configure these predefined variables before specifying the custom fields in the Veracode Flaw Importer.

To complete this task:

  1. In your Azure project, configure these predefined variables on the Variables tab in your build or release configuration:

    Note: The names of these predefined variables must match the variable names in your customized process templates.

    • enableCustomProcessTemplate: enter true to enable.
    • customWorkItemType: enter one of these work item types:

      • Agile
      • Bug
      • Epic
      • Feature
      • Issue
      • Task
      • Test Case
    • customPTActiveStatus: enter the state for in progress or active work.

    • customPTNewStatus: enter the state for new or proposed work.
    • customPTResolvedStatus: enter the state for resolved work.
    • customPTDesignStatus: enter the state for work in design or test.
    • customPTCloseStatus: enter the state for completed work.

    You configure these variables for the work item type (WIT) of which you are creating work items in your build or release configuration. The variables ensure that flaws import correctly if the status of a work item changes. See the Azure DevOps documentation for information on the work item states.

    For example, on the States tab, you might have a Bug work item with these state changes:

    • For Proposed: Introducing
    • For In Progress: Working
    • For Resolved: Fixed
    • For Completed: Closed

    In your build or release configuration, on the Variables tab, you configure these pipeline variables in the customized process template for the Bug work item:

    • enableCustomProcessTemplate: enter true
    • customWorkItemType: enter Bug
    • customPTActiveStatus: enter Working
    • customPTNewStatus: enter Introducing
    • customPTResolvedStatus: enter Fixed
    • customPTCloseStatus: enter Closed
  2. Optionally, to add debugging to your pipeline, add a new variable and enter these values in the New variable window:

    • Name: system.debug
    • Value: true
  3. Click Save & queue to save your configurations and add the build to your queue.

Results:

After the flaw import task has completed successfully, the work items related to flaws in a given application appear in Azure DevOps or TFS. In Azure DevOps, you can search on the Work or Queries pages, for example, to find the work items you created.

Next steps:

You can use a variable to prevent a password from appearing in a console log.