About Veracode Fix
Veracode Fix is an intelligent remediation solution that helps your development teams reduce the time and effort they spend securing their applications. Developers can use Fix to get AI-generated code patches, review the suggested patches, and directly apply them to flaws in their application source, without writing any code.
How Veracode Fix helps developers
Veracode data shows that organizations are not keeping up with their security debt. Developers lack the training, experience, and tools to find and fix security findings in their code. A 2022 report by Techstrong Research showed that 73% of developers are expected to write secure code, but lack the adequate tools and knowledge.
The amount of time it takes for developers to remediate only half of their open findings in a given codebase continues to grow. Typically, developers must update codebases that have several security findings, and they are responsible for the overall security of any applications they build with these codebases. Their organization might also hold them accountable for addressing the security debt of their applications. Developers must spend time and work through the frustration of finding, researching, and fixing, security findings that they might not have created, in code they might not have written.
Veracode Fix provides contextual suggestions for each finding. Developers can review and apply each suggested fix to their code, reducing the time spent researching and fixing flaws across all codebases.
How Veracode Fix works
Veracode Fix analyzes application source files alongside findings from a Static Analysis performed with Veracode Pipeline Scan. It processes the results—including CWE IDs, flaw severities, and flaw locations—to generate secure code patches. These patches replace vulnerable code with fixes generated using remediation data from Veracode.
Fix uses a machine learning (ML) model to generate secure patches for complex codebases. When you request a fix, it applies a retrieval-augmented generation (RAG) technique to find a secure patch from Veracode remediation data.
To determine the best suggested fixes, Fix analyzes key factors such as the CWE ID, the programming language, the risky function (or "sink"), and the surrounding code context. Each suggested code patch demonstrates secure coding practices for addressing a specific flaw in a specific location. Veracode routinely refines these patches using Static Analysis flaw data and real-world vulnerabilities to ensure accuracy and security.
Each time you run Fix, it does the following:
- Uploads a copy of your source files and Static Analysis results file,
results.json, from a Pipeline Scan to the Veracode Intelligent Remediation Engine. - Uses the ML model to compare the code in your source files against secure code samples from Veracode.
- Returns a list of flaws you can fix. Each flaw includes the Common Weakness Enumeration (CWE) ID, a brief description of the flaw, and the line of code where the flaw exists. If you use Fix in the Veracode CLI, the flaws appear as a numbered list of issues.
- Matches a patch from the secure code samples provided by Veracode to your code and suggests up to five fixes for the selected flaw. If no relevant fixes exist, Fix returns
No fixes found. - Applies the selected fix by rewriting the affected code.
- Discards the uploaded
results.jsonfile, ensuring that it is no longer accessible to Veracode.
After applying a fix for a routine injection flaw, such as CRLF injection, cross-site scripting (XSS), or SQL injection, Veracode recommends testing your code before committing it. For other flaw categories, additional steps might be required. For example, if Veracode recommends updating a hashing algorithm to a more secure version, such as migrating from MD5 to SHA, you must update all instances of hashed data. If the hashed data is part of an interface, update its definition and ensure all parties using it also update their implementations.
Rebuild and scan after fixing flaws
To confirm that flaws are fixed, Veracode recommends that you always:
- Rebuild your application to verify that it compiles successfully. The applied fix might introduce code that causes build errors.
- Run a Static Analysis scan to generate new results and confirm whether the flaw is still present.
- Re-run Fix on the application.
You can apply multiple suggested fixes without rebuilding or rescanning between each fix. However, if a fix causes the build to fail, troubleshooting might be easier with fewer code changes applied at once.
Resolve build errors after fixing flaws
Fix attempts to verify that all suggested fixes compile successfully, but some fixes might be incompatible with your application or build environment. For potential causes of build errors, see Build errors after fixing flaws.
For example, a fix might use an import statement that adds a new library, so that the applied fix can use a supported cleansing function. This change requires an update to your package manager file, such as pom.xml, but Fix does not update this file. This change might cause your application build to fail. To fix the build, you can review your code to see if the applied fix added an import statement and, if it did, add the library to your package manager file.
If your application fails to build after applying a fix, continue with your regular development processes, such as unit testing, to diagnose and resolve errors. Because Fix makes targeted changes only in the flawed code, developers typically do not need to intervene. However, in some cases, Fix might add code—such as an import statement—that requires modifying code outside the affected file.
Even if an applied fix breaks a build, the flaw is still fixed. Developers might need to spend additional time modifying their code to reach a successful build, but they still spend much less time learning about a flaw and attempting to fix it manually, without Fix.
Build errors after fixing flaws
After applying suggested fixes or manually fixing flaws, the changed code might contain one or more of the following issues and cause build errors.
- Incorrect code syntax, such as missing semicolons or incorrect punctuation
- Incompatible or outdated library or framework versions, such as dependencies that do not support the new code
- Missing or improperly installed dependencies
If your application built and ran successfully before a fix but fails afterward, review the error with a software developer in your organization. If you suspect the applied fixes introduced issues beyond those listed here, contact Veracode Technical Support.
Build errors for manually packaged applications
If you fix flaws in a manually packaged application—without using the auto-packager—and encounter build errors, follow these steps to troubleshoot:
- Package the application into an artifact, such as a ZIP or WAR file. If using Maven, run
mvn package. For packaging instructions, see Package your code. - Copy the artifact file to the location where the scanner expects it. If using a Veracode Scan IDE plugin, add the artifact to
.verascan. - Scan the artifact.
- Review the results and apply suggested fixes or manually fix flaws.
- Repackage the application.
- Replace the previous artifact with the updated one in the expected location.
- Scan the new artifact.
- Confirm the flaws are fixed (for example, they no longer appear in the results).
Supported integrations
Veracode Fix is integrated with the following products:
- Veracode CLI to automate flaw remediation. See the quickstart.
- To use Veracode Fix in your IDE, see the supported IDEs in Use Veracode in your IDE.
- To use Veracode Fix in your GitHub repos, see Veracode Fix GitHub action.
Applying fixes to flaws
Apply suggested fixes as a single fix or apply multiple fixes as a batch. You apply suggested fixes differently with the CLI and the GitHub action.
Apply fixes with the CLI
To fix flaws in your CLI, you can generate fixes with single fix or batch fix.
Single fix
To apply a single fix, Veracode Fix generates multiple fix options for each security flaw in a selected file. You can choose the most appropriate fix from the available options for each flaw. To generate fixes in a single file, set the --type flag to file.
Batch fix
To apply multiple fixes as a batch, Veracode Fix consolidates all suggested fixes for all security flaws in a directory and selects the first fix for the flaws in your batch of files. You apply all necessary fixes at once, which streamlines the process. To generate fixes for the flaws in multiple files in a directory, set the --type flag to directory.
Apply fixes with the GitHub action
To fix flaws in a GitHub repository with a pull request, configure the action with single fix or batch fix.
Account requirements
To use Fix, you must have one of the following accounts:
Supported languages
Supported CWEs
Veracode Fix suggests fixes for the following CWEs in each supported language. For a complete list of CWEs supported by each Veracode scan type, see Veracode and the CWE.
C#
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 209 | Information Exposure Through an Error Message | X | X |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 331 | Insufficient Entropy | X | X |
| 352 | Cross-Site Request Forgery (CSRF) | X | X |
| 404 | Improper Resource Shutdown or Release | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
Go
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | X |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
Java
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 159 | Improper Handling of Invalid Use of Special Elements | X | X |
| 209 | Generation of Error Message Containing Sensitive Information | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 331 | Insufficient Entropy | X | X |
| 404 | Improper Resource Shutdown or Release | X | X |
| 502 | Deserialization of Untrusted Data | X | |
| 597 | Use of Wrong Operator in String Comparison | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
JavaScript and TypeScript
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 78 | Improper Neutralization of Special Elements used in an OS Command | X | |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 209 | Generation of Error Message Containing Sensitive Information | X | X |
| 311 | Missing Encryption of Sensitive Data | X | |
| 312 | Cleartext Storage of Sensitive Information | X | |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 352 | Cross-Site Request Forgery (CSRF) | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X |
Kotlin
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 331 | Insufficient Entropy | X | X |
| 404 | Improper Resource Shutdown or Release | X | X |
PHP
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
Python
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | |
| 78 | Improper Neutralization of Special Elements used in an OS Command | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 295 | Improper Certificate Validation | X | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | |
| 331 | Insufficient Entropy | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | |
| 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | X | X |
Ruby
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 73 | External Control of File Name or Path | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page | X | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X |
Scala
| CWE ID | CWE name | Single fix support | Batch fix support |
|---|---|---|---|
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (HTML Injection) | X | X |
| 117 | Improper Output Neutralization for Logs | X | X |
| 611 | Improper Restriction of XML External Entity Reference | X | X |
Technical support
If you need help, contact Veracode Technical Support or visit the Community.