This is the main issue with the user API and the Team API, no matter how I try, the current operations are both locked to partial and incremental = True, so you can only add things and never remove them.

Sloppy match is resulting in flaws over matching (too many flaws in target matching to a single flaw in source). There's not an easy way to fix this in the logic so the best path will be to make sloppy match an optional parameter and disable by default.

See tjarrettveracode/veracode-mitigation-copier#19

The URL for the API should be similar to upload scan with different type:

https://api.Veracode.com/sca/sbom/v1/targets/{projectUuid}/cyclonedx?type=agent

Note that the ProjectUUID must be gotten from a call to the workspaces/<guid>/projects endpoint.

A few of the APIs perform searches with queries in the URL. We should url-encode the search parameters for these. Specifically:

• get_app_by_name
• get_user_by_name
• get_workspace_by_name

see https://docs.veracode.com/r/c_identity_gen_creds​

​

please add support for the 'api/4.0/detailedreportpdf.do' api

We validate file paths in Findings()._format_file_path but don't handle the case where this data isn't available.

Need to add an optional argument to the create method for Users to support MFA requirements.

The uploadfile.do call uploads a file to an existing build or creates a build.

Add the ability to delete a build based on the app id or sandbox id mapping the functionality from the deletebuild.do action from the API wrapper

That would be a really useful function, to automate a lot of tagging of resources in the veracode platform.
The current update only has these fields

    def update(self,guid: UUID,app_name:str ,business_criticality, business_unit: UUID=None, teams=[]):
        return self._create_or_update("UPDATE",app_name,business_criticality,business_unit,teams,guid)

Tried updating a user's roles using Users().update() but kept getting a 500. I think it was because the function doesn't parse out the list of roles in the same way that Users().create() does.

I was able to successfully use the function when I passed json.dumps(roles) to it, where roles was something like:
{'roles': [{'role_name': 'extseclead'}, {'role_name': 'extcreator'}]}

I'd love to see this re-written as Users.update_roles() instead, with a more generic Users.update() kept around to be able to change multiple attributes at once.

It's in the README, but the function isn't reachable.
update_app(guid, app_name, business_criticality, business_unit(opt), teams(opt))

I think it's missing for now, https://app.swaggerhub.com/apis/Veracode/veracode-sca_agent_api_specification/3.0#/workspaces/getTeamsUsingGET_1

I'm building my "state-machine" to be able to define in a single JSON structure the Veracode user/teams/workspace/sast app management.

The JSON will look like:

{
  "TEAM_NAME":{
    "sast_applications": ["sast_app_name", ....],
    "sca_workspaces": ["sca_ws_name", ....],
    "users": ["email", ....],
  }
}

I need to be able to create/delete teams in the workspace, that's missing currently. I'll make a PR it should be simple enough.

Customer reports:

I need to use proxy to connect to Veracode servers and Veracode Pipeline Mitigation does not allow for that. It uses Python requests module under the hood which allows to use http_proxy and https_proxy env variables. However, proxies are explicitly defined in:

https://github.com/tjarrettveracode/veracode-api-py/blob/master/veracode_api_py/apihelper.py

session.send(prepared_request, proxies=self.proxies)

and because of that fact env variables are not taken into account.

The Applications REST API supports defining business owner and email, but these are not currently supported in create_app or update_app.

For cases where Veracode finds multiple flaws with the same CWE on the same line, the flaw description can be used to achieve a more precise match.

This should be added as an optional argument to the flaw match code so that it isn't used for every match.

The SBOM object is not exposed in the package and can't be imported.

The api().get_issue() call is incorrect and needs to be fixed.

Should add debug logging that includes the following:

• URL and method being executed
• x-conversation-id of response

I think this comes down to the incremental vs partial choice in the api
I managed to add new teams to a users, it was really easy because I just had to give the new team's id and it was added on the existing... but I knew this would probably be a problem if I wanted to remove that after.

Rename master to main.

The library used to host all functions in a single API layer. It's since been refactored into separate objects, but the documentation doesn't reflect this refactoring.

Update the docs to reflect both the calls on the api object and the actual functional objects - Applications, SCA, etc.

Partial stack trace:

  File "/usr/local/lib/python3.9/site-packages/veracode_api_py/api.py", line 141, in add_annotation
    return Findings().add_annotation(app,issue_list,comment,action,sandbox)
  File "/usr/local/lib/python3.9/site-packages/veracode_api_py/findings.py", line 51, in add_annotation
    return APIHelper()._rest_request(uri,"POST",body=payload,params=params)
UnboundLocalError: local variable 'params' referenced before assignment

I ran the following code (with value API token in the right place)

from veracode_api_py import VeracodeAPI
veracode_api = VeracodeAPI()
print(veracode_api.get_app_list())

It works but gives me XML. I was expecting a Python wrapper to give back a list. I'm not having a go at anyone, just want to understand if I'm driving this wrong before I start writing code to parse my responses.

this may be me, or a really weird issue.
after referencing the library
import veracode_api_py
I try to run the method like so:

    api = veracode_api_py.VeracodeAPI()
    api.upload_file(app_id, file_name)

at runtime, I get the following error:

File "blah.py"
    api.upload_file(app_id, file_name)
AttributeError: 'VeracodeAPI' object has no attribute 'upload_file'

super weird, because I run other xml api's like this too, and they work.

For an application, the SBOM API endpoint allows for parameter "linked=true". This causes the generated SBOM to include components from any linked projects. However, the default value is false and there's no way to set the parameter. Therefore it's not possible for data from a linked project to show up in the generated SBOM for an application.

A customer tried to use https://github.com/veracode/veracode-python-hmac-example and got 401s when trying to use it with EU region.
The link in the sidebar is broken.

Do we still need https://github.com/veracode/veracode-python-hmac-example ? Could we maybe just remove it?

//cc @nbarhamvc

I'd like to be able to specify a branch in get_project_issues(), currently it calls APIHelper()._rest_paged_request(uri,"GET","issues",{}) with an empty {} for params

Seeing some confusion between integer app IDs and GUIDs among users of the library. Should look into properly validating when one vs the other is expected.

In issue #22 we added argument typing to eliminate ID/UUID confusion for SCA methods. Should roll this out for other UUIDs and argument types in the library.

The Identity API requires explicitly specifying that a newly created user is active. Fix this in Users().create.

I did not get grace_period_expires_date field from the get_findings() call on the static scan, it looked different from the the API shown in the swaggerhub https://app.swaggerhub.com/apis/Veracode/veracode-findings_api_specification/2.0#/Finding

scan_findings = vapi().get_findings(app_guid, 'STATIC')

And it seemed only that grace_period_expires_date was missed from the call response.

Please add support for the '/api/5.0/beginprescan.do'

All UUID type arguments should be distinct from int type arguments so that at least at time of writing it is clear when there are mismatches.

https://realpython.com/python-f-strings/

We use the Python Requests module and urllib3.util.retry to implement retry in the event of a short list of HTTP error codes. Need to ensure that the auth header gets regenerated with each retry. While we're at it, we should ensure that we're honoring the retry-after value in the response headers to deal gracefully with rate limiting.

A recent release added a new optional parameter, include_metrics, to the SCA GetWorkspaces (aka Workspaces().get_all()) API call. Need to update the methods that call this API to accept the new parameter.

create, update, delete, full list of policies

Details here: https://app.swaggerhub.com/apis/Veracode/veracode-sca_agent_api_specification/3.0#/registry/getComponentActivityUsingGET

Warning: CodeQL Action v1 will be deprecated on December 7th, 2022. Please upgrade to v2. For more information, see https://github.blog/changelog/2022-04-27-code-scanning-deprecation-of-codeql-action-v1/

An error is thrown when calling create_user(). Additionally, the default method treats user_name as optional, but it is required by the API.

SCA().get_issue() tries to call an endpoint as follows:

self.sca_base_url + '/issues/{}'.format(issue_id)

But the correct syntax for issues is just

'/v3/issues/{}'.format(issue_id)

Veracode released the ability to mitigate SCA vulnerability and license risk findings via API. Add support for these methods via the Python wrapper.

https://app.swaggerhub.com/apis/Veracode/veracode-identity_api/1.0#/team/getTeamUsingGET

This is to get the list of members in a team, which is required if we want to easily add/remove people from teams.

Currently:

Adding a user to a team

            VeracodeAPI().update_user(
                user["user_id"],
                {
                    "teams": [
                        {
                            "team_id": team_to_add_id,
                            "team_legacy_id": team_to_add_legacy_id,
                        }
                    ]
                },
            )

Remove a user from a team

You can't, that's because the above API is incremental only so you can only add new things to the user, not remove things.

The alternative we figured was to:

1. fetch the team members
2. remove the user you don't want
3. update the team with that new list
4. done

But there is no current API that fetches these details per team.

Hi @tjarrettveracode !

I'm having a bug currently with the SourceClear API, and the only fix would be to set the pagination size to a bigger one.
Its on the get_projects() function, but it got me thinking, looking at the apihelper.py, the _rest_paged_request() function could maybe inject a page size param, with a setting in the client constructor ?

I'll make a PR to show what I'm thinking about, it would really help

There are two new parameters for SBOM creation for both CycloneDX and SPDX:

• vulnerability (T/F) - include or suppress vulnerability information
• dependency (T/F) - include or suppress dependency information

We should add both as optional arguments for the SBOM methods.