Veracode Fix
Veracode Fix is an intelligent remediation solution that helps your development teams reduce the time and effort they spend securing their applications. Developers can use Fix to get AI-generated code patches, review the suggested patches, and directly apply them to flaws in their application source, without writing any code.
Veracode Fix remediates findings reported by Pipeline Scan only. It does not act on findings from Upload and Scan.
How Veracode Fix helps developers
Veracode data shows that organizations are not keeping up with their security debt. Developers lack the training, experience, and tools to find and fix security findings in their code. A 2022 report by Techstrong Research showed that 73% of developers are expected to write secure code, but lack the adequate tools and knowledge.
The time it takes developers to remediate even half of the open findings in a given codebase continues to grow. Developers typically maintain codebases with several security findings, and they are responsible for the overall security of any application they build on those codebases. Their organization might also hold them accountable for paying down the security debt of their applications. As a result, developers spend time finding, researching, and fixing security findings they might not have introduced, in code they might not have written.
Veracode Fix provides contextual suggestions for each finding. Developers can review and apply each suggested fix to their code, reducing the time spent researching and fixing flaws across all codebases.
How Veracode Fix works
Veracode Fix analyzes application source files alongside findings from a Static Analysis performed with Veracode Pipeline Scan. It processes the results—including CWE IDs, flaw severities, and flaw locations—to generate secure code patches. These patches replace vulnerable code with fixes generated using remediation data from Veracode.
Fix uses a machine learning (ML) model to generate secure patches for complex codebases. When you request a fix, it applies a retrieval-augmented generation (RAG) technique to find a secure patch from Veracode remediation data.
To determine the best suggested fixes, Fix analyzes key factors such as the CWE ID, the programming language, the risky function (or "sink"), and the surrounding code context. Each suggested code patch demonstrates secure coding practices for addressing a specific flaw in a specific location. Veracode routinely refines these patches using Static Analysis flaw data and real-world vulnerabilities to ensure accuracy and security.
Each time you run Fix, it does the following:
- Uploads a copy of your source files and the Static Analysis results file, results.json, from a Pipeline Scan to the Veracode Intelligent Remediation Engine.
- Uses the ML model to compare the code in your source files against secure code samples from Veracode.
- Returns a list of flaws you can fix. Each flaw includes the Common Weakness Enumeration (CWE) ID, a brief description of the flaw, and the line of code where the flaw exists. If you use Fix in the Veracode CLI, the flaws appear as a numbered list of issues.
- Matches a patch from the secure code samples provided by Veracode to your code and suggests up to five fixes for the selected flaw. If no relevant fixes exist, Fix returns No fixes found.
- Applies the selected fix by rewriting the affected code.
- Discards the uploaded results.json file, ensuring that it is no longer accessible to Veracode.
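The workflow above starts from the Pipeline Scan results.json. Before running Fix it is useful to know which of the reported findings Fix can act on, and which will need manual work. The following is an added example, not Veracode's code: it reads a results file, groups findings by CWE, and checks each against the single-fix and batch-fix support transcribed from the Java table on this page. The results.json field names it relies on (a top-level findings array with cwe_id, severity, and files.source_file.file and .line) are an assumption about the Pipeline Scan output layout, and the embedded results document is constructed sample data.

```python
"""Triage a Pipeline Scan results.json against the CWEs Veracode Fix supports.

Added example, not Veracode's code. The field names used here (findings,
cwe_id, severity, files.source_file.file / .line) are assumed to match the
Pipeline Scan results.json layout; verify them against a real results file.
"""
import json
from collections import defaultdict

# (single fix, batch fix) support per CWE, transcribed from the Java table on
# this page. Extend with the other language tables as needed.
FIX_SUPPORT = {
    "java": {
        80: (True, True), 89: (True, True), 113: (True, True), 117: (True, True),
        159: (True, True), 209: (True, True), 327: (True, False), 331: (True, True),
        404: (True, True), 502: (True, False), 597: (True, True), 601: (True, False),
        611: (True, True),
    },
}

# Constructed sample in the assumed shape of a Pipeline Scan results.json.
SAMPLE_RESULTS = json.dumps({
    "scan_status": "SUCCESS",
    "findings": [
        {"issue_id": 1001, "cwe_id": "89", "severity": 4,
         "issue_type": "SQL Injection",
         "files": {"source_file": {"file": "src/main/java/app/UserDao.java", "line": 42}}},
        {"issue_id": 1002, "cwe_id": "327", "severity": 3,
         "issue_type": "Use of a Broken or Risky Cryptographic Algorithm",
         "files": {"source_file": {"file": "src/main/java/app/Hasher.java", "line": 17}}},
        {"issue_id": 1003, "cwe_id": "78", "severity": 5,
         "issue_type": "OS Command Injection",
         "files": {"source_file": {"file": "src/main/java/app/Runner.java", "line": 9}}},
        {"issue_id": 1004, "cwe_id": "89", "severity": 4,
         "issue_type": "SQL Injection",
         "files": {"source_file": {"file": "src/main/java/app/OrderDao.java", "line": 88}}},
    ],
})


def load_findings(results_json: str) -> list:
    """Parse results.json text and keep only the fields the triage needs."""
    data = json.loads(results_json)
    findings = []
    for f in data.get("findings", []):
        src = f.get("files", {}).get("source_file", {})
        findings.append({
            "issue_id": f.get("issue_id"),
            "cwe": int(f["cwe_id"]),
            "severity": int(f.get("severity", 0)),
            "file": src.get("file", "?"),
            "line": int(src.get("line", 0)),
        })
    return findings


def triage(findings: list, language: str) -> dict:
    """Bucket findings as batch-fixable, single-fixable, or unsupported by Fix.

    Findings are ordered by severity (highest first), then file and line, so
    the most urgent work surfaces first in each bucket.
    """
    support = FIX_SUPPORT[language]
    buckets = {"batch": [], "single": [], "unsupported": []}
    for f in sorted(findings, key=lambda x: (-x["severity"], x["file"], x["line"])):
        single, batch = support.get(f["cwe"], (False, False))
        if batch:
            buckets["batch"].append(f)
        elif single:
            buckets["single"].append(f)
        else:
            buckets["unsupported"].append(f)
    return buckets


def batch_groups(findings: list) -> dict:
    """Group batch-fixable findings by CWE: one batch run per CWE."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["cwe"]].append(f["issue_id"])
    return dict(groups)


if __name__ == "__main__":
    buckets = triage(load_findings(SAMPLE_RESULTS), "java")
    for name, items in buckets.items():
        print(name, [(f["cwe"], f["file"], f["line"]) for f in items])
    print("batch groups by CWE:", batch_groups(buckets["batch"]))
```

In the sample, the two CWE-89 findings land in the batch bucket, the CWE-327 finding is single-fix only, and the CWE-78 finding is reported as unsupported because the Java table on this page does not list it; that last bucket is the list to hand to a developer for manual remediation.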
After applying a fix for a routine injection flaw, such as CRLF injection, cross-site scripting (XSS), or SQL injection, Veracode recommends testing your code before committing it. Other flaw categories can require follow-up work beyond the patched lines. For example, if Veracode recommends replacing a weak hashing algorithm with a stronger one, such as migrating from MD5 to a SHA-2 hash like SHA-256, you must update every place that stores or compares the hashed data, because digests produced with the old algorithm no longer verify under the new one. If the hashed data is part of an interface, update its definition and ensure all parties using it also update their implementations.
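The hash-migration caveat above is easy to underestimate: swapping the algorithm at the one flagged line leaves every existing digest unverifiable. The following is an added example, not Veracode's code or a Fix-generated patch, showing one way to carry the change through. It assumes a record format of the form `<algorithm>$<hex digest>` (an assumption made for this example) so that legacy MD5 records can still be verified, are upgraded to SHA-256 as soon as the original data is seen again, and are reported rather than silently kept when no source data is available to recompute them.

```python
"""Migrating stored digests from MD5 to SHA-256 without breaking verification.

Added example, not Veracode's code. The record format "<alg>$<hexdigest>" is
an assumption for this example; the point is that a digest stored with the old
algorithm can only be recomputed from the original input, so every store,
compare and interface that carries the digest has to change together.
"""
import hashlib
import hmac

LEGACY_ALG = "md5"
CURRENT_ALG = "sha256"


def compute(alg: str, data: bytes) -> str:
    """Tagged digest so a record carries the algorithm it was made with."""
    return f"{alg}${hashlib.new(alg, data).hexdigest()}"


def store(data: bytes) -> str:
    """All new writes use the current algorithm."""
    return compute(CURRENT_ALG, data)


def verify_and_upgrade(stored: str, data: bytes) -> tuple:
    """Verify data against a stored record, upgrading legacy records on match.

    Returns (matches, record_to_store). When a legacy record matches, the
    returned record is already re-hashed with SHA-256 so the caller can
    overwrite the old one; otherwise the original record is handed back.
    """
    alg, _, _ = stored.partition("$")
    if alg not in (LEGACY_ALG, CURRENT_ALG):
        raise ValueError(f"unknown algorithm tag {alg!r}")
    expected = compute(alg, data)
    ok = hmac.compare_digest(expected, stored)  # constant-time comparison
    if ok and alg == LEGACY_ALG:
        return True, store(data)
    return ok, stored


def naive_swap_matches(stored_md5_hex: str, data: bytes) -> bool:
    """The failure mode: change only the algorithm and old digests never match."""
    return hashlib.sha256(data).hexdigest() == stored_md5_hex


def migrate_records(records: dict, sources: dict) -> tuple:
    """Bulk migration of a {key: record} table.

    Legacy records are recomputed from `sources` (key -> original bytes) when
    available. Records that cannot be recomputed are kept unchanged and their
    keys returned in `stuck`, so nobody assumes the migration is complete.
    """
    migrated, stuck = {}, []
    for key, rec in records.items():
        alg, _, _ = rec.partition("$")
        if alg == CURRENT_ALG:
            migrated[key] = rec
        elif key in sources:
            migrated[key] = store(sources[key])
        else:
            migrated[key] = rec
            stuck.append(key)
    return migrated, stuck


if __name__ == "__main__":
    payload = b"constructed sample payload"       # constructed input
    legacy = compute(LEGACY_ALG, payload)          # what the old code stored
    ok, upgraded = verify_and_upgrade(legacy, payload)
    print("legacy record verifies:", ok, "-> stored as", upgraded[:14] + "...")
    print("naive swap still matches old digest:",
          naive_swap_matches(legacy.split("$")[1], payload))
    table, stuck = migrate_records({"a": legacy, "b": legacy}, {"a": payload})
    print("records needing manual attention:", stuck)
```

The same pattern applies to any interface that exchanges the digest: the tag lets both sides accept either form during the transition, and the `stuck` list is the set of records the patch alone cannot fix.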
Account requirements
To use Fix, you must have one of the following accounts:
Supported integrations
Veracode Fix is integrated with the following products:
- Veracode CLI, to automate flaw remediation. See the quickstart.
- Supported IDEs, to apply fixes while you edit. See the supported IDEs.
- GitHub repositories, through the Veracode Fix GitHub action.
Supported languages
Supported CWEs
Veracode Fix suggests fixes for the following CWEs in each supported language. For a complete list of CWEs supported by each Veracode scan type, see Veracode and the CWE.
C#
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 209 | Information Exposure Through an Error Message | X | X |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 331 | Insufficient Entropy | X | X |
| 352 | Cross-Site Request Forgery (CSRF) | X | X |
| 404 | Improper Resource Shutdown or Release | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
COBOL
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | |
| 209 | Information Exposure Through an Error Message | X | |
| 248 | Uncaught Exception | X | |
| 252 | Unchecked Return Value | X | |
| 489 | Leftover Debug Code | X | |
Go
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | X |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
Java
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 159 | Improper Handling of Invalid Use of Special Elements | X | X |
| 209 | Generation of Error Message Containing Sensitive Information | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 331 | Insufficient Entropy | X | X |
| 404 | Improper Resource Shutdown or Release | X | X |
| 502 | Deserialization of Untrusted Data | X | |
| 597 | Use of Wrong Operator in String Comparison | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
JavaScript and TypeScript
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 78 | Improper Neutralization of Special Elements used in an OS Command | X | |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 209 | Generation of Error Message Containing Sensitive Information | X | X |
| 311 | Missing Encryption of Sensitive Data | X | |
| 312 | Cleartext Storage of Sensitive Information | X | |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 352 | Cross-Site Request Forgery (CSRF) | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X |
Kotlin
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 331 | Insufficient Entropy | X | X |
| 404 | Improper Resource Shutdown or Release | X | X |
PHP
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
Python
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 78 | Improper Neutralization of Special Elements used in an OS Command | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 295 | Improper Certificate Validation | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 331 | Insufficient Entropy | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | |
| 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | X | X |
Ruby
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X |
Scala
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (HTML Injection) | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 611 | Improper Restriction of XML External Entity Reference | X | X |