Bugzilla
Veracode provides an integration for the Bugzilla defect tracking system. You can use the integration to import findings from Veracode into Bugzilla. You can then manage the findings as defects in Bugzilla. This integration is based on standard Bugzilla configuration settings for priority, severity, and other values.
Download the script
You can download a sample script to integrate Veracode with Bugzilla.
To complete this task:
- Download this sample integration script. This script automatically publishes data from the Veracode Results API to Bugzilla using the built-in XML import capability in Bugzilla.
- If you have customized any fields, you can edit the provided veracode_bugzilla.xsl file to update the logic for mapping fields between Veracode and Bugzilla. The integration package includes the XSL file.
Configure the integration
You can configure the Veracode for Bugzilla integration to import findings that Veracode detects in your application.
Before you begin:
You must have Bugzilla administrator permissions.
To complete this task:
- In Bugzilla, select Administration > Settings.
- Select Bug Moving on the left.
- Set Move-enabled to On.
- In the Bug Moving window, define a default product and component.
- If the import feed provides invalid values, enter the name of a valid product and component to use.
Map Veracode fields to Bugzilla fields
You can customize Bugzilla import business logic with information from your local Bugzilla implementation.
The veracode_bugzilla.xslt file contains business logic to map custom fields in the Veracode Platform to Bugzilla fields. The file contains three parameters at the top that you must customize with information from your local Bugzilla implementation: urlbase, maintainer, and exporter. The XSLT file suppresses importing fixed findings, but populates new, open, and reopened findings. If you use the XSLT file on multiple builds of the same application, you can also suppress open findings.
To complete this task:
- Open veracode_bugzilla.xslt in a text editor or XML editor.
- Find the line that begins <xsl:param name="urlbase" and change the value in quotation marks to the urlbase of your Bugzilla instance. Ensure the value matches the urlbase that appears on the Administration > Settings page in Bugzilla.
- Find the line that begins <xsl:param name="maintainer" and change the value in quotation marks to the email address of the person responsible for maintaining the Bugzilla account.
- Find the line that begins <xsl:param name="exporter" and change the value in quotation marks to the email address of a valid Bugzilla user in your local implementation. Ensure the value matches the user that appears on the Administration > Settings page in Bugzilla.
- If you have changed the default values for the Severity and Priority fields, search the XSLT file for @severity and update any references to that field with your values. Veracode assigns these values based on the severity of the finding.
- To suppress open findings, you can edit the two <xsl:choose> sections in the file.
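The mapping described above, written out as an added Python example rather than the XSLT that ships with the integration: it applies the three parameters (urlbase, maintainer, exporter), drops Fixed findings, optionally drops Open findings for repeat imports of the same application, and maps the Veracode severity to Bugzilla's default bug_severity and priority values. The detailed-report element and attribute names (detailedreport, flaw, severity, remediation_status, issueid, categoryname, cweid, sourcefile, line, description), the Bugzilla import element names (bugzilla, bug, product, component, short_desc, bug_severity, priority, reporter, long_desc, who, thetext), the sample report and the example.com addresses are all this example's assumptions, not values from the page; check the element names against your own Results API output and against the importxml.pl in your Bugzilla version before relying on them.

```python
import xml.etree.ElementTree as ET

# Constructed sample report. The element and attribute names are this example's
# assumption about the Veracode detailed-report XML; verify them against your
# own Results API output.
SAMPLE_REPORT = """<detailedreport app_name="ExampleApp" build_id="1001">
  <severity level="5">
    <category categoryname="SQL Injection">
      <cwe cweid="89" cwename="Improper Neutralization of Special Elements used in an SQL Command">
        <staticflaws>
          <flaw issueid="17" severity="5" categoryname="SQL Injection" cweid="89"
                remediation_status="New" sourcefile="UserDao.java" line="42"
                description="User-controlled data reaches an SQL query unneutralized."/>
          <flaw issueid="18" severity="5" categoryname="SQL Injection" cweid="89"
                remediation_status="Fixed" sourcefile="OrderDao.java" line="88"
                description="Query now uses bound parameters."/>
        </staticflaws>
      </cwe>
    </category>
  </severity>
  <severity level="3">
    <category categoryname="Information Leakage">
      <cwe cweid="209" cwename="Information Exposure Through an Error Message">
        <staticflaws>
          <flaw issueid="31" severity="3" categoryname="Information Leakage" cweid="209"
                remediation_status="Open" sourcefile="ErrorPage.java" line="12"
                description="Stack trace is returned to the client."/>
          <flaw issueid="32" severity="2" categoryname="Information Leakage" cweid="209"
                remediation_status="Reopened" sourcefile="Debug.java" line="7"
                description="Debug endpoint re-enabled in this build."/>
        </staticflaws>
      </cwe>
    </category>
  </severity>
</detailedreport>
"""

# Equivalent of the three <xsl:param> values at the top of veracode_bugzilla.xslt;
# the values here are placeholders for your own Bugzilla instance.
PARAMS = {
    "urlbase": "https://bugzilla.example.com/",
    "maintainer": "bugzilla-admin@example.com",
    "exporter": "veracode-import@example.com",
}

# Veracode flaw severity (5 = Very High ... 0 = Informational) to Bugzilla's
# default bug_severity and priority values. Change these if you changed those
# fields in Bugzilla, just as the page tells you to do for @severity in the XSLT.
SEVERITY_MAP = {
    "5": ("blocker", "P1"), "4": ("critical", "P2"), "3": ("major", "P3"),
    "2": ("normal", "P4"), "1": ("minor", "P5"), "0": ("trivial", "P5"),
}


def select_flaws(report_xml, suppress_open=False):
    """Return the flaw elements that should become Bugzilla bugs.

    Fixed findings are always dropped, as the shipped XSLT does. Open findings
    are dropped too when suppress_open is set: on repeated imports of the same
    application they were already filed from an earlier build.
    """
    root = ET.fromstring(report_xml)
    chosen = []
    for flaw in root.iter("flaw"):
        status = flaw.get("remediation_status", "")
        if status == "Fixed":
            continue
        if suppress_open and status == "Open":
            continue
        chosen.append(flaw)
    return chosen


def build_bugzilla_import(report_xml, product, component, params=PARAMS, suppress_open=False):
    """Build an importxml.pl-style <bugzilla> document as an Element tree.

    product and component are the defaults you configured under Bug Moving;
    they are written into every bug so importxml.pl can file it.
    """
    root = ET.fromstring(report_xml)
    app, build = root.get("app_name", "unknown"), root.get("build_id", "")
    bz = ET.Element("bugzilla", urlbase=params["urlbase"],
                    maintainer=params["maintainer"], exporter=params["exporter"])
    for flaw in select_flaws(report_xml, suppress_open):
        sev, pri = SEVERITY_MAP.get(flaw.get("severity"), ("normal", "P3"))
        bug = ET.SubElement(bz, "bug")
        fields = {
            "product": product,
            "component": component,
            "short_desc": (f"[Veracode {app} #{flaw.get('issueid')}] {flaw.get('categoryname')} "
                           f"in {flaw.get('sourcefile')}:{flaw.get('line')}"),
            "bug_severity": sev,
            "priority": pri,
            "reporter": params["exporter"],
        }
        for tag, text in fields.items():
            ET.SubElement(bug, tag).text = text
        comment = ET.SubElement(bug, "long_desc")
        ET.SubElement(comment, "who").text = params["exporter"]
        ET.SubElement(comment, "thetext").text = (
            f"CWE-{flaw.get('cweid')}, Veracode status {flaw.get('remediation_status')}, "
            f"build {build}.\n{flaw.get('description')}")
    return bz


def to_xml(tree):
    """Serialize the document for handing to importxml.pl (file or stdin)."""
    return ET.tostring(tree, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(build_bugzilla_import(SAMPLE_REPORT, "ExampleApp", "Backend")))
```

Running the module prints the import document for the sample: three bugs (the New, Open and Reopened flaws) and none for the Fixed one; passing suppress_open=True leaves only the New and Reopened flaws, which is the behaviour the two <xsl:choose> sections control in the shipped XSLT.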
Test the integration
You can test Veracode for Bugzilla to ensure it can authenticate with Veracode and import findings.
Before you begin:
- You must have valid Veracode API credentials to access Veracode.
- When configuring authentication for an integration, Veracode strongly recommends that you use an API service account.
To complete this task:
- Edit the script importresults.pl.
- Locate these lines and replace username with your API ID and password with your API key:
my $user='username';
my $passwd='password';
- You can update other variables in the script. See the README file in the ZIP file for more information.
- Run this command to start the integration:
perl importresults.pl
The importresults.pl script connects to the Results API, downloads all available results, parses them to the Bugzilla format, and then imports them using the Bugzilla importxml.pl library.