You can make requests to the Veracode service by sending an HMAC signature in the HTTP authorization header.
The mechanism is described in "Understanding API Access" (https://help.veracode.com/reader/lsoDk5r2cv~YrwLQSI7lfw/H0S3580tt9sPFz3IgSMvnA) with a Java program as an illustration. For an API wrapper in Go, see https://github.com/brian1917/vcodeHMAC.
For illustration, and for plain shell scripting on the command line, the Authorization header can be computed with openssl. Here's how:
```bash
# Input:
# - The URL you want to query, e.g. https://analysiscenter.veracode.com/api/5.0/getapplist.do
# - The HTTP method, e.g. GET
# - Your API credentials VERACODE_ID and VERACODE_KEY, which you can generate (and revoke) from the UI
# The values below no longer work (that would be too easy, right?) and are included to allow tracing the HMAC operations.
VERACODE_ID=684a28d91070e4ce68b2131e43c2d79b
VERACODE_KEY=38611f3f651c90091e0cd5389e8a836fa591829505ea0acf4b8f141a4b0b1779ed016fd1819ddd07f2bee100bf7ffec9f2b29ff719f9e818f3e40865719474e3
# 16 random bytes, hex-encoded (32 hex characters)
NONCE="$(head -c 16 /dev/random | xxd -p)"
# NONCE=43a096639916c4f3925a44200cc2eeeb
# Timestamp in milliseconds since the epoch (date prints nanoseconds, so divide by 1,000,000)
TS="$(($(date +%s%N)/1000000))"
# TS=1528471895699
URLPATH=/api/5.0/getapplist.do
METHOD=GET
# Step 1: HMAC-SHA256 of the raw nonce bytes, keyed with the API key (both given as hex)
encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$VERACODE_KEY" | cut -d ' ' -f 2)
# encryptedNonce=fdadd4b99d0e80e2ff62c8462e649df50b7d8454bc44184385ad2d249eb0d3a2
# Step 2: HMAC-SHA256 of the timestamp string, keyed with the result of step 1
encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$encryptedNonce" | cut -d ' ' -f 2)
# encryptedTimestamp=cf2289384942ad95b591c15053dc2e91c16ec555722c4886329e697337240c98
# Step 3: HMAC-SHA256 of the fixed version string, keyed with the result of step 2
signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$encryptedTimestamp" | cut -d ' ' -f 2)
# signingKey=72163d368a280f9b5fc467baa1c181c391378e88b5bee0906569142d7d9d9e2f
# Step 4: HMAC-SHA256 of the request description, keyed with the signing key
DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD"
signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$signingKey" | cut -d ' ' -f 2)
VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature"
# VERACODE_AUTH_HEADER=VERACODE-HMAC-SHA-256 id=684a28d91070e4ce68b2131e43c2d79b,ts=1528471895699,nonce=43a096...3c72e2
curl -X "$METHOD" -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH"
```
If things go right, the output will be some XML (edited):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<applist
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="https://analysiscenter.veracode.com/schema/2.0/applist"
    xsi:schemaLocation="https://analysiscenter.veracode.com/schema/2.0/applist https://analysiscenter.veracode.com/resource/2.0/applist.xsd"
    applist_version="1.2"
    account_id="11111">
  <app
      app_id="22222"
      app_name="Cyberdyne Systems"
      policy_updated_date="1997-08-29T02:14:00-04:00"/>
</applist>
```
- I'm on Windows here using Git Bash, YMMV with other shells.
- The funny `cut` after each openssl call removes the `(stdin)=` junk that gets emitted on my system:

  ```console
  $ echo -n 'Hello' | openssl dgst -sha1 -hmac 'World'
  (stdin)= 8d1a4c29af178df51b9282eaf6b8898b800e9ec5
  $ echo -n 'Hello' | openssl dgst -sha1 -hmac 'World' | cut -d ' ' -f 2
  8d1a4c29af178df51b9282eaf6b8898b800e9ec5
  ```
(08Jun2018)
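As an added example (not from the post above and not Veracode's own code), here is the same four-step HMAC chain in Python, building the header from a full URL so that the path and any query string travel together inside the `url=` field, plus a server-style verifier that recomputes the signature with the caller's key, compares in constant time and rejects stale timestamps. The credentials are constructed, and the `key_for_id` lookup and the ten-minute skew window are assumptions, not documented Veracode behaviour.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import urlsplit

# Constructed credentials for the demo: the ID is the revoked one from the post,
# the key is made up. Neither authenticates against the real service.
DEMO_ID = "684a28d91070e4ce68b2131e43c2d79b"
DEMO_KEY = "00" * 64  # 128 hex chars, same length as a real Veracode API key


def signing_data(api_id: str, method: str, url: str) -> str:
    """Canonical string signed in the last step; the query string stays inside the url field."""
    u = urlsplit(url)
    path = u.path + (f"?{u.query}" if u.query else "")
    return f"id={api_id}&host={u.netloc}&url={path}&method={method}"


def signature(api_key_hex: str, api_id: str, method: str, url: str,
              nonce_hex: str, ts_ms: int) -> str:
    """Four chained HMAC-SHA256 steps: key -> nonce -> timestamp -> version string -> data."""
    h = lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest()
    k1 = h(bytes.fromhex(api_key_hex), bytes.fromhex(nonce_hex))  # encryptedNonce
    k2 = h(k1, str(ts_ms).encode())                                # encryptedTimestamp
    k3 = h(k2, b"vcode_request_version_1")                         # signingKey
    return h(k3, signing_data(api_id, method, url).encode()).hex()


def auth_header(api_id, api_key_hex, method, url, nonce_hex=None, ts_ms=None) -> str:
    nonce_hex = nonce_hex or os.urandom(16).hex()  # 16 random bytes, as in the shell script
    ts_ms = int(time.time() * 1000) if ts_ms is None else ts_ms
    sig = signature(api_key_hex, api_id, method, url, nonce_hex, ts_ms)
    return f"VERACODE-HMAC-SHA-256 id={api_id},ts={ts_ms},nonce={nonce_hex},sig={sig}"


def verify_auth_header(header: str, method: str, url: str, key_for_id,
                       now_ms: int, max_skew_ms: int = 10 * 60 * 1000) -> bool:
    """Server-side check: recompute the signature with the caller's key, constant-time compare,
    reject stale timestamps. key_for_id maps an API id to its hex key (assumed lookup)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "VERACODE-HMAC-SHA-256":
        return False
    try:
        f = dict(kv.split("=", 1) for kv in rest.split(","))
        ts = int(f["ts"])
        expected = signature(key_for_id(f["id"]), f["id"], method, url, f["nonce"], ts)
    except (KeyError, ValueError):
        return False  # malformed header, unknown id, or non-hex nonce
    if abs(now_ms - ts) > max_skew_ms:
        return False
    return hmac.compare_digest(expected, f["sig"])
```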
Thank you for sharing this! I'm able to use it successfully for a URL path like /api/5.0/getbuildlist.do?app_id=XXXX for instance, but I consistently receive errors for any endpoints that have multiple querystring parameters, such as /api/5.0/getbuildlist.do?app_id=XXXX&sandbox_id=XXXX. I'm fairly confident that it's due to the DATA variable already using ampersand characters to delimit key-value pairs, causing the additional querystring parameters to no longer be interpreted as part of the URLPATH.
How would one go about using this script to call an endpoint that contained multiple querystring parameters?