
Veracode Demo Labs


IntelliJ

Begin by ensuring the project builds.

Pull up the terminal using ALT+F12 or, from the main menu, select View | Tool Windows | Terminal.

Type in “cd app” then “mvn clean install”. This will create verademo.war in the target folder.

Submit Scan with Greenlight

See more about Greenlight here: https://docs.veracode.com/r/c_master_greenlight

Right click on the main folder and click Veracode Greenlight to submit a scan.

Review the results and organize them by Severity.

Submit SAST/SCA sandbox scan

In the platform, create an application profile and a sandbox.

From IntelliJ, click Veracode - Upload and Scan.

Cancel out of the first screen so you can properly set the application profile and sandbox.

Add the verademo.war file to the upload.

Submit the scan.

Remediate | re-scan | no new flaws

While we wait a few minutes for that to complete, let's fix a SQLi issue and resubmit the scan. In UserController.java, comment out the two bad code sections and uncomment the two good code sections.

Locate the SQLi on line 170.

After the edit, each section should look like the screenshot.
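The lab does not reproduce the two code sections, so the following is an added illustration (not VeraDemo's own code) of the kind of change the "bad" and "good" sections make: a user-supplied value concatenated into the query text, which a SAST scan flags as SQL injection (CWE-89), beside the same lookup issued through a PreparedStatement. The table and column names, the method names and the `Connection` parameter are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical example for this lab page; not code from the VeraDemo project.
// The "users" table and "username" column are assumed for illustration.
public class SqliFixExample {

    // BAD: the username is spliced into the SQL text. A single quote in the
    // value terminates the string literal and the remainder is parsed as SQL,
    // so the caller controls the query structure. This is the pattern a SAST
    // scanner reports as SQL injection.
    public static boolean userExistsVulnerable(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT username FROM users WHERE username = '" + username + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next();
        }
    }

    // GOOD: the query text is fixed and the value is bound as a parameter, so
    // the driver sends it as data and never interprets it as SQL. After this
    // change the scanner no longer reports the flaw on this path.
    public static boolean userExistsSafe(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT username FROM users WHERE username = ?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, username);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

Both methods take an open `Connection`; in the lab the equivalent of `userExistsVulnerable` is what gets commented out and the equivalent of `userExistsSafe` is what gets uncommented, which is why the Greenlight re-scan in the next step comes back clean.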

Save the file and submit a Greenlight scan.

The issue is now gone.

Open the Terminal to recompile the project using “mvn clean install”.

Submit another sandbox scan (Scan 2).

Download the results from Scan 1.

The SQLi is present.

Download the results from Scan 2.

The flaw is gone.

The reporting shows 3 issues fixed. Two other issues were resolved while fixing the SQLi.

Next steps would be:
