About Veracode Fix
Veracode Fix is an intelligent remediation solution that helps your development teams reduce the time and effort they spend securing their applications. Developers can use Fix to get AI-generated code patches, review the suggested patches, and directly apply them to flaws in their application source, without writing any code.
How Veracode Fix helps developers
Veracode data shows that organizations are not keeping up with their security debt. Developers lack the training, experience, and tools to find and fix security findings in their code. A 2022 report by Techstrong Research showed that 73% of developers are expected to write secure code, but lack the adequate tools and knowledge.
The amount of time it takes for developers to remediate only half of their open findings in a given codebase continues to grow. Typically, developers must update codebases that have several security findings, and they are responsible for the overall security of any applications they build with these codebases. Their organization might also hold them accountable for addressing the security debt of their applications. Developers must spend time and work through the frustration of finding, researching, and fixing, security findings that they might not have created, in code they might not have written.
Veracode Fix provides contextual suggestions for each finding. Developers can quickly review and apply each suggested fix to their code, which can reduce the time they spend researching and fixing findings in all codebases.
How Veracode Fix works
Veracode Fix uses a combination of your application source files and the findings from a Static Analysis of your application. It identifies flaws in the source code and suggests fixes you can apply to the flaws. Fix uses a machine learning (ML) model that continually trains on thousands of samples of vulnerable code with suggested code patches. These patches come from real-world code that contains the appropriate fix for a security issue. Veracode continually curates these patches against its data set of Static Analysis flaws and against flaws in real-world code.
Each time you run Fix, it does the following:
- Uploads a copy of your source files and SAST results file to the Veracode Intelligent Remediation Engine.
- Uses the ML model to compare the code in your source files to its code samples.
- Returns a numbered list of issues, in your IDE or command prompt window, which are the flaws you can fix. Each issue shows the Common Weakness Enumeration (CWE) ID, a brief description of the flaw, and the line of code where the flaw exists.
- After you specify the issue you want to fix, Fix matches the patch in the code sample to your code and returns a list of between one and five suggested fixes. If no fixes are available, instead of suggesting fixes that might fix a flaw, Fix returns
No fixes found. - After you specify the fix you want to apply, Fix applies the patch by rewriting the code that contains the flaw.
- Discards the copy of your source file, so that it is no longer available to Veracode.
After you apply a fix for a routine injection flaw, such as CRLF injection, cross-site scripting (XSS), or SQL injection, Veracode recommends that you test your code before committing it. For other flaw categories, you might need to perform other tasks. For example, if Veracode recommends that you update a hashing algorithm to a version that is more cryptographically secure, such as moving from MD5 to SHA, you must update any instances of hashed data. If the hashed data is part of an interface, you must also update the definition for that interface, including all parties that use that definition.
Best practices
Consider the following best practices when you use Veracode Fix.
Rebuild and scan after you fix a flaw
To ensure a flaw is fixed, after each fix you apply, Veracode recommends that you always:
- Rebuild your application.
- Run a Static Analysis on the application to generate new scan results.
- Re-run Fix on the application.
You can apply multiple suggested fixes to your application without rebuilding and rescanning it between fixes. Although, if an applied fix causes the build to break, you might find it easier to troubleshoot the errors with fewer code changes from the applied fixes.
Resolve build errors after applying a fix
Fix attempts to verify that all suggested fixes are compilable, but you might apply a fix that is incompatible with your application.
For example, a fix might use an import statement that adds a new library, so that the applied fix can use a supported cleansing function. This change requires an update to your package manager file, such as pom.xml, but Fix does not update this file. This change might cause your application build to fail. To fix the build, you can review your code to see if the applied fix added an import statement and, if it did, add the library to your package manager file.
If your application fails to build after you apply a fix, continue with your regular development processes, such as unit testing, to understand what broke and to resolve the errors. Because Fix makes highly constrained changes to only the area of code where the flaw exists, developer usually do not need to intervene. There could be cases where Fix adds code, such as the import statement in the previous example, which would require a developer to modify code outside the file in which they are working.
Even if an applied fix breaks a build, the flaw is still fixed. Developers might need to spend additional time modifying their code to reach a successful build, but they still spend much less time learning about a flaw and attempting to fix it manually, without Fix.
If your application fails to build after applying a fix, and fixing the package manager file does not resolve the problem, please contact Veracode Technical Support.
Supported integrations
Veracode Fix is integrated with the following products:
- Veracode CLI to automate flaw remediation. See the quickstart.
- To use Veracode Fix in your IDE, see the supported IDEs in Use Veracode in your IDE.
- To use Veracode Fix in your GitHub repos, see Veracode Fix GitHub action.
Applying fixes to flaws
Apply suggested fixes as a single fix or apply multiple fixes as a batch. You apply suggested fixes differently with the CLI and the GitHub action.
Apply fixes with the CLI
To fix flaws in your CLI, you can generate fixes with single fix or batch fix.
Single fix
To apply a single fix, Veracode Fix generates multiple fix options for each security flaw in a selected file. You can choose the most appropriate fix from the available options for each flaw. To generate fixes in a single file, set the --type flag to file.
Batch fix
To apply multiple fixes as a batch, Veracode Fix consolidates all suggested fixes for all security flaws in a directory and selects the first fix for the flaws in your batch of files. You apply all necessary fixes at once, which streamlines the process. To generate fixes for the flaws in multiple files in a directory, set the --type flag to directory.
Apply fixes with the GitHub action
To fix flaws in a GitHub repository with a pull request, configure the action with single fix or batch fix.
Account requirements
To use Fix, you must have one of the following accounts:
Supported languages
Supported CWEs
Fix supports the following CWEs for each supported language. For the complete list of CWEs that each Veracode scan type supports, see Veracode and the CWE.
C#
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 209 | Information Exposure Through an Error Message | X | X |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 331 | Insufficient Entropy | X | X |
| 352 | Cross-Site Request Forgery (CSRF) | X | X |
| 404 | Improper Resource Shutdown or Release | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
Go
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | X |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
Java
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 159 | Improper Handling of Invalid Use of Special Elements | X | X |
| 209 | Generation of Error Message Containing Sensitive Information | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 331 | Insufficient Entropy | X | X |
| 404 | Improper Resource Shutdown or Release | X | X |
| 502 | Deserialization of Untrusted Data | X | |
| 597 | Use of Wrong Operator in String Comparison | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
JavaScript and TypeScript
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 78 | Improper Neutralization of Special Elements used in an OS Command | X | |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 209 | Generation of Error Message Containing Sensitive Information | X | X |
| 311 | Missing Encryption of Sensitive Data | X | |
| 312 | Cleartext Storage of Sensitive Information | X | |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 352 | Cross-Site Request Forgery (CSRF) | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X |
Kotlin
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 331 | Insufficient Entropy | X | X |
| 404 | Improper Resource Shutdown or Release | X | X |
PHP
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
Python
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 78 | Improper Neutralization of Special Elements used in an OS Command | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 295 | Improper Certificate Validation | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 331 | Insufficient Entropy | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | |
| 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | X | X |
Ruby
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X |
Scala
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (HTML Injection) | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
Technical support
If you need help, contact Veracode Technical Support or visit the Community.