Mapper configuration
a mapper is a configuration mechanism used to map data fromsecurity and development tools into so that scan results, vulnerability data, andrelated information can be accurately processed and ingested mappers define how tool specific data is interpreted, including required configuration fields, supported formats, andoptional parameters that customize integrations and vulnerability data processing this guide contains the available mapper supported phases, supported secure tool subcategories, and the required configuration details for each type it also describes optional fields and additional parameters that can be used to customize integrations and vulnerability data processing use this information to ensure accurate tool mapping andsuccessful ingestion of scan results supports mappers for the following phases supports the mappers for the following phases secure build deploy test these selections are made from a dropdown menu in the tool category field develop category of tools as supports most of the leading tools in this category out of the box develop doesnot support mappers through the service user interface, but can accommodate them through the use of private apis to add a develop wrapper, please contact your kyndryl representative secure the secure category requires the specification of a tool subcategory that is associated with the type of activity being performed the following tool subcategories are supported dependency check static scan image scan license scan the required procedure varies with each subcategory subsequents sections provide the required procedure dependency check the user is required to populate the technical service name field additionally, the user must select the appropriate time field format from the dropdown menu, which aligns with the format supported by their vulnerabilities response completing the additional option field contains is not required but supports two options provider href this field is for the user to enter the url of the provider technical service override this field allows the user to override the technical service name if it is already present, when set to true if the user wants to use a different name for the technical service, they can enter it here if set to false , it won't allow to post duplicates that have the same technical service names these fields provide additional information about the scan and can be useful for tracking and managing dependency check scans in the dependency check run body, the user can copy and paste the complete test runs response this allows the system to process the entire set of vulnerability data at once static scan the user is required to populate the technical service name field additionally, the user must select the appropriate time field format from the dropdown menu, which aligns with the format supported by their vulnerabilities response completing the additional option field contains is not required but it supports two options provider href this field is for the user to enter the url of the provider technical service override this field allows the user to override the technical service name if it is already present, when set to true if the user wants to use a different name for the technical service, they can enter it here if set to false , it won't allow to post duplicates that have the same technical service names these fields provide additional information about the scan and can be useful for tracking and managing dependency check scans in the static scan run body, the user can copy and paste the complete test runs response this allows the system to process the entire set of vulnerability data at once image scan the user is required to populate the image name and technical service name fields additionally, the user must select the appropriate time field format from the dropdown menu, which aligns with the format supported by their vulnerabilities response completing the additional option info field is not requrired, but it supports four options release name this field is for the user to enter the name of the release that is being scanned provider href this field is for the user to enter the href (url) of the provider technical service override this field allows the user to override the technical service name if it is already present, when set to true if the user wants to use a different name for the technical service, they can enter it here if set to false , it won't allow to post duplicates that have the same technical service names scanned time this field is for the user to enter the time when the scan was performed these fields provide additional information about the scan and can be useful for tracking and managing vulnerabilities in the imagescan run body, the user can copy and paste the complete vulnerabilities response this allows the system to process the entire set of vulnerability data at once license scan for the 'tool sub category' is license scan the user is required to populate the technical service name field additionally, the user must select the appropriate time field format from the dropdown menu, which aligns with the format supported by their vulnerabilities response completing the additional option info field is not required, but it supports three options provider href this field is for the user to enter url of the provider technical service override this field allows the user to override the technical service name if it is already present, when set to true if the user wants to use a different name for the technical service, they can enter it here if set to false , it won't allow to post duplicates that have the same technical service names scanned time this field is for the user to enter the time when the scan was performed if the status from the tool is not provided or does not match any of the known statuses, it will be mapped to "unknown" on the di dashboard these fields provide additional information about the scan and can be useful for tracking and managing license scans in the license scan run body, the user can copy and paste the complete test runs response this allows the system to process the entire set of vulnerability data at once build the user is required to populate the technical service name field additionally, the user must select the appropriate time field format from the dropdown menu, which aligns with the format supported by their build data completing the additional option info is not required but it supports two options provider href this field is for the user to enter the href (url) of the provider technical service override this field allows the user to override the technical service name if it is already present, when set to true if the user wants to use a different name for the technical service, they can enter it here if set to false , it won't allow to post duplicates that have the same technical service names these fields provide additional information about the scan and can be useful for tracking and managing build runs in the build run body, the user can copy and paste the complete build runs response this allows the system to process the entire set of vulnerability data at once deploy the user is required to populate the technical service name field additionally, the user must select the appropriate time field format from the dropdown menu, which aligns with the format supported by their deployment data completing the additional option info , but it supports seven options provider this field is for the user to enter the name of the provider, which can be a comma separated list if there are multiple providers provider href this field is for the user to enter the href (url) of the provider technical service override this field allows the user to override the technical service name if it is already present, when set to true if the user wants to use a different name for the technical service, they can enter it here if set to false , it won't allow to post duplicates that have the same technical service names isproduction this field is for the user to specify whether the environment is a production environment ( true ) or not ( false ) environment name this field is for the user to enter the name of the environment, which can be a comma separated list if there are multiple environments release name this field is for the user to enter the name of the release incident host url this field is for the user to enter the url of the host where the incident occurred these fields provide additional information about the deployment and can be useful for tracking and managing deployment data in the deployment run body, the user can copy and paste the complete deployment runs response this allows the system to process the entire set of vulnerability data at once test the user is required to populate the techincal service name field additionally, the user must select the appropriate time field format from the dropdown menu, which aligns with the format supported by their deployment data completing the additional option info is not required but it supports two options provider href this field is for the user to enter the href (url) of the provider technical service override this field allows the user to override the technical service name if it is already present, when set to true if the user wants to use a different name for the technical service, they can enter it here if set to false , it won't allow to post duplicates that have the same technical service names these fields provide additional information about the scan and can be useful for tracking and managing test cases in the test run body, the user can copy and paste the complete test runs response this allows the system to process the entire set of vulnerability data at once develop no uisupport is available for devlop mappers users can directly select the tool sub category and map the endpoint response body values to the keys provided in the develop run body this means that the user must manually ensure that the values in the endpoint response match the keys described in the develop run body the tool subcategory dropdown presents three selections issues pull request commit issues the following keys are supported assignees an array of usernames who are assigned to the issue category the category of the issue (e g , "bug", "issue", etc ) created at the date and time when the issue was created created by the username of the person who created the issue description a brief description of the issue endpoint hostname the hostname of the endpoint where the issue is located fixed releases an array of release versions where the issue has been fixed found releases an array of release versions where the issue was found issue engine the engine used to track the issue issue type the type of the issue (e g , "story", "task", etc ) labels an array of labels associated with the issue priority the priority of the issue (e g , "high", "medium", "low") provider engine the engine of the provider provider href the href (url) of the provider provider id the id of the provider provider url key the url key of the provider scmhost url the url of the source code management host severity the severity of the issue state the current state of the issue (e g , "open", "closed") technical service the name of the technical service technical service override a boolean value indicating whether the technical service name can be overridden technical service tag an object containing additional properties related to the technical service title the title of the issue updated at the date and time when the issue was last updated ensure that the values in issues response match the keys described above each key value pair in response should correspond to a field in the issue if a key in your response does not match any of the keys listed above, map it to an appropriate key for example, if your response has a key named issue creator , you should map it to the created by key in the list above this means that the value of issue creator in your response becomes the value for created by in the final data that you post here pull request the following keys are supported created at the date and time when the pull request was created created by the username of the person who created the pull request description a brief description of the pull request endpoint hostname the hostname of the endpoint where the pull request is located endpoint technical service id the id of the technical service at the endpoint ischerrypick a boolean value indicating whether the pull request is a cherry pick merge commit sha the sha of the merge commit for the pull request merged at the date and time when the pull request was merged pr engine the engine used to track the pull request provider href the href (url) of the provider provider id the id of the provider pull number the number of the pull request release name the name of the release that the pull request is associated with state the current state of the pull request (e g , "open", "closed") technical service the name of the technical service technical service override a boolean value indicating whether the technical service name can be overridden technical service tag an object containing additional properties related to the technical service title the title of the pull request updated at the date and time when the pull request was last updated ensure that the values in the pull request response match the keys described above each key value pair in the response should correspond to a field in the pull request if a key in your response does not match any of the keys listed above, map it to an appropriate key for example, if your response has a key named pr creator , you should map it to the created by key in the list above this means that the value of pr creator in your response becomes the value for created by in the final data that you post here commit the following keys are supported comments the comments associated with the commit commit url the url of the commit created at the date and time when the commit was created created by the username of the person who created the commit endpoint hostname the hostname of the endpoint where the commit is located endpoint technical service id the id of the technical service at the endpoint parent ids an array of ids for the parent commits provider engine the engine used to track the commit provider href the href (url) of the provider provider id the id of the provider release names an array of names of the releases that the commit is associated with scm engine the engine used for source code management sha the sha of the commit technical service the name of the technical service technical service override a boolean value indicating whether the technical service name can be overridden technical service tag an object containing additional properties related to the technical service ensure that the values in the commit response match the keys described above each key value pair in the response should correspond to a field in the commit if a key in your response does not match any of the keys listed above, map it to an appropriate key for example, if your response has a key named commit creator , you should map it to the created by key in the list above this means that the value of commit creator in your response becomes the value for created by in the final data that you post here