
About Veracode Fix

Veracode Fix is an intelligent remediation solution that helps your development teams reduce the time and effort they spend securing their applications. Developers can use Fix to get AI-generated code patches, review the suggested patches, and directly apply them to flaws in their application source, without writing any code.

How Veracode Fix helps developers

Veracode data shows that organizations are not keeping up with their security debt. Developers lack the training, experience, and tools to find and fix security findings in their code. A 2022 report by Techstrong Research showed that 73% of developers are expected to write secure code, but lack the adequate tools and knowledge.

The amount of time it takes for developers to remediate even half of their open findings in a given codebase continues to grow. Typically, developers must update codebases that have several security findings, and they are responsible for the overall security of any applications they build with these codebases. Their organization might also hold them accountable for addressing the security debt of their applications. Developers must spend time, and work through the frustration, finding, researching, and fixing security findings that they might not have created, in code they might not have written.

Veracode Fix provides contextual suggestions for each finding. Developers can review and apply each suggested fix to their code, reducing the time spent researching and fixing flaws across all codebases.

How Veracode Fix works

Veracode Fix analyzes application source files alongside findings from a Static Analysis performed with Veracode Pipeline Scan. It processes the results—including CWE IDs, flaw severities, and flaw locations—to generate secure code patches. These patches replace vulnerable code with fixes generated using remediation data from Veracode.

Fix uses a machine learning (ML) model to generate secure patches for complex codebases. When you request a fix, it applies a retrieval-augmented generation (RAG) technique to find a secure patch from Veracode remediation data.

To determine the best suggested fixes, Fix analyzes key factors such as the CWE ID, the programming language, the risky function (or "sink"), and the surrounding code context. Each suggested code patch demonstrates secure coding practices for addressing a specific flaw in a specific location. Veracode routinely refines these patches using Static Analysis flaw data and real-world vulnerabilities to ensure accuracy and security.

Each time you run Fix, it does the following:

  1. Uploads a copy of your source files and Static Analysis results file, results.json, from a Pipeline Scan to the Veracode Intelligent Remediation Engine.
  2. Uses the ML model to compare the code in your source files against secure code samples from Veracode.
  3. Returns a list of flaws you can fix. Each flaw includes the Common Weakness Enumeration (CWE) ID, a brief description of the flaw, and the line of code where the flaw exists. If you use Fix in the Veracode CLI, the flaws appear as a numbered list of issues.
  4. Matches a patch from the secure code samples provided by Veracode to your code and suggests up to five fixes for the selected flaw. If no relevant fixes exist, Fix returns "No fixes found".
  5. Applies the selected fix by rewriting the affected code.
  6. Discards the uploaded results.json file, ensuring that it is no longer accessible to Veracode.

After applying a fix for a routine injection flaw, such as CRLF injection, cross-site scripting (XSS), or SQL injection, Veracode recommends testing your code before committing it. For other flaw categories, additional steps might be required. For example, if Veracode recommends updating a hashing algorithm to a more secure version, such as migrating from MD5 to SHA, you must update all instances of hashed data. If the hashed data is part of an interface, update its definition and ensure all parties using it also update their implementations.
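As a worked illustration of the caveat above (added here; not code from the Veracode documentation): once a fix replaces MD5 with SHA-256, data that was hashed before the fix no longer verifies, so stored hashes must be migrated and the tag format shared with other parties must change with them. The record layout, the "algorithm$hexdigest" tag format and the sample records are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample data (not from the page): records whose integrity tags were
# computed with MD5 before a CWE-327 fix switched the code to SHA-256. The
# "algorithm$hexdigest" tag layout is an assumption made for this example.
LEGACY_RECORDS = {
    "order-1001": {"payload": b"qty=2;sku=ABC", "tag": "md5$" + hashlib.md5(b"qty=2;sku=ABC").hexdigest()},
    "order-1002": {"payload": b"qty=7;sku=XYZ", "tag": "md5$" + hashlib.md5(b"qty=7;sku=XYZ").hexdigest()},
}


def make_tag(payload: bytes, algorithm: str = "sha256") -> str:
    """Compute a versioned integrity tag; naming the algorithm in the tag is the
    interface change that lets every consumer tell old and new tags apart."""
    return f"{algorithm}${hashlib.new(algorithm, payload).hexdigest()}"


def verify(payload: bytes, stored_tag: str, allowed=("sha256",)) -> bool:
    """Post-fix verifier: only algorithms in `allowed` are accepted, so a legacy
    MD5 tag fails instead of silently keeping the weak algorithm alive."""
    algorithm, _, digest = stored_tag.partition("$")
    if algorithm not in allowed:
        return False
    expected = hashlib.new(algorithm, payload).hexdigest()
    return hmac.compare_digest(expected, digest)


def stale_record_ids(records: dict) -> list:
    """IDs of records that no longer verify under the post-fix policy."""
    return [rid for rid, rec in records.items() if not verify(rec["payload"], rec["tag"])]


def migrate_tags(records: dict) -> int:
    """Re-tag every legacy record with SHA-256 while the source payload is still
    available; returns the number of records rewritten."""
    migrated = 0
    for rec in records.values():
        if rec["tag"].startswith("md5$"):
            rec["tag"] = make_tag(rec["payload"], "sha256")
            migrated += 1
    return migrated


if __name__ == "__main__":
    print("stale before migration:", stale_record_ids(LEGACY_RECORDS))
    print("migrated:", migrate_tags(LEGACY_RECORDS))
    print("stale after migration:", stale_record_ids(LEGACY_RECORDS))
```

Running the block shows both records stale immediately after the fix and none stale once the tags are rewritten; if the payload is no longer available, the only remaining path is to have the producing party regenerate the data.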

Rebuild and scan after fixing flaws

To confirm that flaws are fixed, Veracode recommends that you always:

  • Rebuild your application to verify that it compiles successfully. The applied fix might introduce code that causes build errors.
  • Run a Static Analysis scan to generate new results and confirm whether the flaw is still present.
  • Re-run Fix on the application.

You can apply multiple suggested fixes without rebuilding or rescanning between each fix. However, if a fix causes the build to fail, troubleshooting might be easier with fewer code changes applied at once.

Resolve build errors after fixing flaws

Fix attempts to verify that all suggested fixes compile successfully, but some fixes might be incompatible with your application or build environment. For potential causes of build errors, see Build errors after fixing flaws.

For example, a fix might use an import statement that adds a new library, so that the applied fix can use a supported cleansing function. This change requires an update to your package manager file, such as pom.xml, but Fix does not update this file. This change might cause your application build to fail. To fix the build, you can review your code to see if the applied fix added an import statement and, if it did, add the library to your package manager file.

If your application fails to build after applying a fix, continue with your regular development processes, such as unit testing, to diagnose and resolve errors. Because Fix makes targeted changes only in the flawed code, developers typically do not need to intervene. However, in some cases, Fix might add code—such as an import statement—that requires modifying code outside the affected file.

Even if an applied fix breaks a build, the flaw is still fixed. Developers might need to spend additional time modifying their code to reach a successful build, but they still spend far less time than they would learning about the flaw and fixing it manually without Fix.

Build errors after fixing flaws

After applying suggested fixes or manually fixing flaws, the changed code might contain one or more of the following issues and cause build errors.

  • Incorrect code syntax, such as missing semicolons or incorrect punctuation
  • Incompatible or outdated library or framework versions, such as dependencies that do not support the new code
  • Missing or improperly installed dependencies

If your application built and ran successfully before a fix but fails afterward, review the error with a software developer in your organization. If you suspect the applied fixes introduced issues beyond those listed here, contact Veracode Technical Support.

Build errors for manually packaged applications

If you fix flaws in a manually packaged application—without using the auto-packager—and encounter build errors, follow these steps to troubleshoot:

  1. Package the application into an artifact, such as a ZIP or WAR file. If using Maven, run mvn package. For packaging instructions, see Package your code.
  2. Copy the artifact file to the location where the scanner expects it. If using a Veracode Scan IDE plugin, add the artifact to .verascan.
  3. Scan the artifact.
  4. Review the results and apply suggested fixes or manually fix flaws.
  5. Repackage the application.
  6. Replace the previous artifact with the updated one in the expected location.
  7. Scan the new artifact.
  8. Confirm the flaws are fixed (for example, they no longer appear in the results).

Supported integrations

Veracode Fix is integrated with the following products:

Applying fixes to flaws

Apply suggested fixes as a single fix or apply multiple fixes as a batch. You apply suggested fixes differently with the CLI and the GitHub action.

Apply fixes with the CLI

To fix flaws with the CLI, you can generate fixes in single fix or batch fix mode.

Single fix

In single fix mode, Veracode Fix generates multiple fix options for each security flaw in a selected file, and you choose the most appropriate option for each flaw. To generate fixes for a single file, set the --type flag to file.

Batch fix

In batch fix mode, Veracode Fix consolidates the suggested fixes for all security flaws in a directory and selects the first fix for each flaw in your batch of files. You apply all necessary fixes at once, which streamlines the process. To generate fixes for the flaws in multiple files in a directory, set the --type flag to directory.

Apply fixes with the GitHub action

To fix flaws in a GitHub repository with a pull request, configure the action with single fix or batch fix.

Account requirements

To use Fix, you must have one of the following accounts:

  • User account with the Submitter user role.
  • API account with the Submitter API role.

Supported languages

Supported CWEs

Veracode Fix suggests fixes for the following CWEs in each supported language. For a complete list of CWEs supported by each Veracode scan type, see Veracode and the CWE.

C#

CWE ID | CWE name | Single fix / batch fix support
73 | External Control of File Name or Path | X
80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X / X
89 | Improper Neutralization of Special Elements used in an SQL Command | X / X
117 | Improper Output Neutralization for Logs | X / X
209 | Information Exposure Through an Error Message | X / X
316 | Cleartext Storage of Sensitive Information in Memory | X / X
327 | Use of a Broken or Risky Cryptographic Algorithm | X
331 | Insufficient Entropy | X / X
352 | Cross-Site Request Forgery (CSRF) | X / X
404 | Improper Resource Shutdown or Release | X / X
601 | URL Redirection to Untrusted Site ('Open Redirect') | X
611 | Improper Restriction of XML External Entity Reference | X / X

Go

CWE ID | CWE name | Single fix / batch fix support
73 | External Control of File Name or Path | X / X
78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X / X
117 | Improper Output Neutralization for Logs | X / X

Java

CWE ID | CWE name | Single fix / batch fix support
80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X / X
89 | Improper Neutralization of Special Elements used in an SQL Command | X / X
113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X / X
117 | Improper Output Neutralization for Logs | X / X
159 | Improper Handling of Invalid Use of Special Elements | X / X
209 | Generation of Error Message Containing Sensitive Information | X / X
327 | Use of a Broken or Risky Cryptographic Algorithm | X
331 | Insufficient Entropy | X / X
404 | Improper Resource Shutdown or Release | X / X
502 | Deserialization of Untrusted Data | X
597 | Use of Wrong Operator in String Comparison | X / X
601 | URL Redirection to Untrusted Site ('Open Redirect') | X
611 | Improper Restriction of XML External Entity Reference | X / X

JavaScript and TypeScript

CWE ID | CWE name | Single fix / batch fix support
73 | External Control of File Name or Path | X
78 | Improper Neutralization of Special Elements used in an OS Command | X
80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X / X
89 | Improper Neutralization of Special Elements used in an SQL Command | X / X
113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X / X
117 | Improper Output Neutralization for Logs | X / X
209 | Generation of Error Message Containing Sensitive Information | X / X
311 | Missing Encryption of Sensitive Data | X
312 | Cleartext Storage of Sensitive Information | X
327 | Use of a Broken or Risky Cryptographic Algorithm | X
352 | Cross-Site Request Forgery (CSRF) | X / X
601 | URL Redirection to Untrusted Site ('Open Redirect') | X / X
611 | Improper Restriction of XML External Entity Reference | X / X
614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X / X

Kotlin

CWE ID | CWE name | Single fix / batch fix support
80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X / X
89 | Improper Neutralization of Special Elements used in an SQL Command | X / X
113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X / X
117 | Improper Output Neutralization for Logs | X / X
331 | Insufficient Entropy | X / X
404 | Improper Resource Shutdown or Release | X / X

PHP

CWE ID | CWE name | Single fix / batch fix support
73 | External Control of File Name or Path | X
80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X / X
89 | Improper Neutralization of Special Elements used in an SQL Command | X / X
117 | Improper Output Neutralization for Logs | X / X

Python

CWE ID | CWE name | Single fix / batch fix support
73 | External Control of File Name or Path | X
78 | Improper Neutralization of Special Elements used in an OS Command | X / X
80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X / X
89 | Improper Neutralization of Special Elements used in an SQL Command | X / X
295 | Improper Certificate Validation | X / X
327 | Use of a Broken or Risky Cryptographic Algorithm | X
331 | Insufficient Entropy | X / X
601 | URL Redirection to Untrusted Site ('Open Redirect') | X
757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | X / X

Ruby

CWE ID | CWE name | Single fix / batch fix support
73 | External Control of File Name or Path | X / X
80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X / X
89 | Improper Neutralization of Special Elements used in an SQL Command | X / X
117 | Improper Output Neutralization for Logs | X / X
601 | URL Redirection to Untrusted Site ('Open Redirect') | X / X

Scala

CWE ID | CWE name | Single fix / batch fix support
78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X / X
80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (HTML Injection) | X / X
117 | Improper Output Neutralization for Logs | X / X
611 | Improper Restriction of XML External Entity Reference | X / X

Technical support

If you need help, contact Veracode Technical Support or visit the Community.