
Plugin Information

View veracode-scanner on the plugin site for more information.

The current version of this plugin may not be safe to use. Please review the following warnings before use:


This plugin provides a post build action for submitting files for scanning to veracode.


*Warning* - This plugin depends on Java 7, so the Jenkins instance you install it into must be running on Java 1.7 or later to function properly.

*Warning* - This plugin is not officially supported by Veracode. If you are experiencing issues or have questions, please comment here or report an issue on GitHub.

To set up a job that submits artifacts to Veracode for a static scan, first provide the credentials and default values under Manage Jenkins -> Configure System:

Then, for each job that should initiate a scan, add the "Submit Artifacts For Veracode Scan" post-build action to that job's configuration:

Provide a comma-delimited list of the files you want to scan and the name of the application in Veracode, and override any default scan values as needed:

18 Comments

  1. Could you please provide screenshots on how to pass the files or use the plugin.

    1. Sorry about the lack of documentation.  I've added some screenshots.  Let me know if you have any questions.

      1. Getting an error while trying to view help.

        1. Version 1.4 should be able to load the field help.

          1. Thanks Mike. It got fixed.

  2. Veracode Scanner Plugin - doesn't seem to work when running on a Slave - it doesn't find the file:

    Caused by: java.io.FileNotFoundException: /home/jenkins/workspace/GS_xx_dev-veracode/xx/xx-distribution/target/xx-distribution-2.0.8-SNAPSHOT-veracode.tar.gz (No such file or directory)

    On the system:

    jenkins@mvqsgsatg300d target$ ls -lah /home/jenkins/workspace/GS_xx_dev-veracode/xx/xx-distribution/target/xx-distribution-2.0.8-SNAPSHOT-veracode.tar.gz
    -rw-r--r-- 1 jenkins jenkins 83M Oct 8 10:43 /home/jenkins/workspace/GS_xx_dev-veracode/xx/xx-distribution/target/xx-distribution-2.0.8-SNAPSHOT-veracode.tar.gz

    (Project name replaced with xx)

    Finds file when running on the Jenkins Master

    1. Thanks for bringing this to my attention.  Currently the Veracode api that I'm using does not support referencing files in a slave environment.  I'll see if they can update the api so that the files can be referenced to work in this environment.  

  3. I've finally gotten my Jenkins project set up to the point that the Veracode plugin is attempting to upload the file.  However, Veracode doesn't show that a file was uploaded.  I used the ant-style pattern of **/project.ear (with my project name, of course), and the Veracode plugin output in the console looks like this:

    Uploading Files to Veracode: []
    Veracode User: lvance@<domain>.com
    Veracode Scan Succeeded.  Email will be sent once results are ready.
    Finished: SUCCESS

    Is there supposed to be something inside the square brackets?

    1. Yes, the files that were found to upload should be included within the square brackets.  The pattern uses the ant style patterns to locate files, so I'm surprised that your pattern is not working for you.  Have you tried to specify exactly the location of your project.ear file within your Jenkins workspace?  I would try that if the wildcards are not working for some reason.

      1. Since it took a while to get a reply here, I switched to the official Veracode plugin, but I was having the same problem.  I talked to their support guys on the phone, and they suspected there was a path issue.  I found a couple of problems that I had to address that I'll list here for your plugin users so hopefully they won't have to do the time consuming searches that I did.

        Problem 1: ear file not found using ant pattern matching.

        Solution: For some reason our application build script set the deploy directory outside of the workspace base directory (path was set to ${basedir}/../deploy/ui/file.ear).  I had to create an alternate debug build target that set these variables to keep the ear file within the workspace/basedir.

        Problem 2: Once the ant script could find the ear file, it uploaded it but the Veracode scan didn't find anything to scan, so we received a code quality of 100%, and I knew this was incorrect.  When I built the project in JDeveloper, it created an ear file that was approximately 17MB, and the ant script created an ear file that was approximately 9.5MB. 

        Solution: The ant build was missing all of the .class files inside the viewcontroller.  There is a setting that is added into the build targets occasionally named "nocompile" and it's set to true.  This option has to be removed so that it will create all of the .class files.  It cannot be set to "false" according to the forum posts that I found.  Once I removed it, the ear file size returned to normal.

        I hope this information is helpful to users of this plugin.

        1. Thanks for following up with your problems and found solutions.  You are an internet hero!  
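A pre-upload check built around the two problems described above, added here as an example (Python rather than the plugin's Java; it is not the plugin's or Veracode's code): it resolves a comma-delimited ant-style pattern list against workspace-relative paths, and refuses to hand over an archive that contains no .class files. The archive layout, entry names and the `read` callback are constructed for the example.

```python
import io
import re
import zipfile

def ant_to_regex(pattern: str):
    """Translate an ant-style pattern (**/, *, ?) into a regex over POSIX relative paths."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")  # zero or more directories
            i += 3
        else:
            out.append("[^/]*" if pattern[i] == "*" else "[^/]" if pattern[i] == "?" else re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def match_artifacts(workspace_files, patterns: str) -> list:
    """Select upload candidates from a walk of the workspace (paths relative to its root).
    A build that writes to ${basedir}/../deploy/ puts the ear outside that walk: result []."""
    regexes = [ant_to_regex(p.strip()) for p in patterns.split(",") if p.strip()]
    return sorted(f for f in workspace_files if any(rx.match(f) for rx in regexes))

def count_classes(archive: bytes) -> int:
    """Count .class entries in a jar/war/ear, descending into nested jars and wars."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        nested = (zf.read(n) for n in zf.namelist() if n.endswith((".jar", ".war")))
        return (sum(n.endswith(".class") for n in zf.namelist())
                + sum(count_classes(inner) for inner in nested))

def preflight(workspace_files, patterns: str, read) -> list:
    """(path, class count) per matched artifact; fail fast on an empty match or on an archive
    without bytecode (the 9.5 MB 'nocompile' ear) instead of uploading it for a hollow 100% score."""
    found = match_artifacts(workspace_files, patterns)
    if not found:
        raise ValueError("nothing matched %r; is the build writing outside the workspace?" % patterns)
    report = [(f, count_classes(read(f))) for f in found]
    if any(n == 0 for _, n in report):
        raise ValueError("artifact without .class files: %r" % report)
    return report

def build_ear(with_classes: bool) -> bytes:
    """Constructed sample ear wrapping one war; with_classes=False mimics a 'nocompile' build."""
    war, ear = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        if with_classes:
            w.writestr("WEB-INF/classes/view/Bean.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(ear, "w") as e:
        e.writestr("ui.war", war.getvalue())
    return ear.getvalue()
```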

  4. Getting the error below when trying to upload the code. I guess this might be due to a proxy. But I'm able to log in to the veracode site and manually upload.

    Could you please let me know if there are any URLs that should be added as exceptions.

    Connection timed out: connect
    java.net.ConnectException: Connection timed out: connect
    FATAL: java.net.ConnectException: Connection timed out: connect
    org.jenkinsci.plugins.veracodescanner.exception.VeracodeScannerException: java.net.ConnectException: Connection timed out: connect
    at org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.getAppId(VeracodeNotifier.java:230)
    at org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.performScan(VeracodeNotifier.java:143)
    at org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.perform(VeracodeNotifier.java:87)
    at hudson.tasks.BuildStepMonitor$3.perform(BuildStepMonitor.java:36)
    at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:804)
    at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:776)
    at hudson.model.Build$BuildExecution.cleanUp(Build.java:192)
    at hudson.model.Run.execute(Run.java:1638)
    at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
    at hudson.model.ResourceController.execute(ResourceController.java:88)
    at hudson.model.Executor.run(Executor.java:247)
    Caused by: java.net.ConnectException: Connection timed out: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
    at sun.security.ssl.BaseSSLSocketImpl.connect(Unknown Source)
    at sun.net.NetworkClient.doConnect(Unknown Source)
    at sun.net.www.http.HttpClient.openServer(Unknown Source)
    at sun.net.www.http.HttpClient.openServer(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.<init>(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.New(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
    at com.veracode.util.http.ClientHttpRequest.connect(ClientHttpRequest.java:99)
    at com.veracode.util.http.ClientHttpRequest.write(ClientHttpRequest.java:110)
    at com.veracode.util.http.ClientHttpRequest.boundary(ClientHttpRequest.java:148)
    at com.veracode.util.http.ClientHttpRequest.doPost(ClientHttpRequest.java:445)
    at com.veracode.util.http.ClientHttpRequest.post(ClientHttpRequest.java:480)
    at com.veracode.util.http.ClientHttpRequest.post(ClientHttpRequest.java:585)
    at com.veracode.util.http.WebClient.consumeResponse(WebClient.java:140)
    at com.veracode.util.http.WebClient.downloadString(WebClient.java:28)
    at com.veracode.apiwrapper.wrappers.UploadAPIWrapper.getAppList(UploadAPIWrapper.java:539)
    at org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.getAppId(VeracodeNotifier.java:214)
    ... 10 more

    1. The Veracode plug-in is contacting REST APIs on the following host:

      https://analysiscenter.veracode.com/

      Can you add that URL to the exception list?  For example, the URL being called when trying to get the app id for your app is https://analysiscenter.veracode.com/api/4.0/getapplist.do.  

  5. Hi All

    Where is the link to the official Veracode Plugin?

    In a previous comment by Laura Vance she has mentioned this.

    Thanks

    Sean

    1. Howdy Sean,

      Last I checked the official Veracode plugin was hosted here: https://analysiscenter.veracode.com/auth/helpCenter/api/c_installing_Jenkins.html

      There is a link on that help page to download the hpi file. 

      Thanks,

      Mike

  6. Thanks Mike, I will try it out!

    Thanks

    Sean

  7. How may I upload to a sandbox? Is that supported? As per the documentation here: https://analysiscenter.veracode.com/auth/helpCenter/api/c_configuring_Jenkins.html the user is able to provide a sandbox name.