Using the SCA Results page
Access Software Composition Analysis (SCA) scan results, from both SCA Upload and Scan and SCA Agent-based Scan, for a specific application in the Veracode Platform, or for all scanned applications at once.
The results provide details about the scanned components, detected vulnerabilities, license risk, and whether the results violate the assigned security policy.
You can also retrieve the same SCA results programmatically with the Findings REST API.
Access the SCA Results page
In the Veracode Platform, the SCA Results page provides a single point of reference for the findings from all completed SCA scans of an application.
Before you begin:
To access results from SCA Agent-based Scan, the SCA project must be linked to the application profile for the scanned application.
To complete this task:
- Sign in to the Veracode Platform.
- Select My Portfolio > Applications.
- On the All Applications page, locate an application with results ready.
- In the Results column, select View. The Results page opens.
- From the left menu, select Software Composition Analysis. The SCA Results page opens.
The SCA Results page displays results from both SCA Upload and Scan and SCA Agent-based Scan to provide a unified view of all open-source risk for a specific application.
The SCA Results page displays components, vulnerabilities, and licenses from SCA Agent-based Scan, but not issues. You can view and mitigate issues on the Issues List page for a selected workspace.
To access SCA results for all scanned applications, use the main Software Composition Analysis page.
Select from the following tabs.
Third-Party Components
The Third-Party Components tab lists all the third-party components in your applications, and provides version, usage, license risk, and known vulnerability information.
To determine which scan type (SCA Upload and Scan, SCA Agent-based Scan, or both) found the component, select the numeral in the Occurrences column to open the Occurrence Details window. In the Source column, upload_scan indicates SCA Upload and Scan, and a repository name indicates SCA Agent-based Scan.
The list of components shows the filename and an at-a-glance view of the severity of each vulnerability that Veracode found in each component. The Count column shows you how many times a component is used across all of your applications. The License column details the first license the scan found for the component, and a risk rating Veracode assigned for the license.
If you scanned a JavaScript application that uses both Bower and NPM package managers, and a component exists in both the bower_components and node_modules folders, Veracode SCA displays both of the components individually.
Select a component filename to view the following information about the component.
- Other Versions: a list of all known versions of this component, an indication of whether that component is currently in your application portfolio, and the known vulnerabilities in that component.
- Vulnerabilities: the list of vulnerabilities in this component, each with its severity, CVE ID, CWE ID, and description.
- Dependent Applications: lists any applications that contain this component, the policy associated with that application, and a color-coded shield icon that indicates if the application is in compliance with its policy.
Licenses
The Licenses tab lists the licenses that the SCA scan associated with the open-source components in the selected application. You can use this information to further investigate your license obligations.
To see all licenses found for a component, select the Third-Party Components tab. If a component has multiple licenses, select the Show More link to view all licenses. In addition to the results that Veracode provides, you should also perform your own investigation, because the contents in a file could be subject to different or additional licenses.
To propose a mitigation for a license finding you will not resolve, add comments, or manage proposed mitigations, select from the Mitigation Actions menu.
Select the link in the License column of a third-party component to go to the Open Source Initiative website for details about the license. You can also filter your third-party component data by risk rating. Use the filter function on the Third-Party Components tab to filter by CVE ID, component, application name, or any combination of these filters.
To prevent an application from passing policy when a scan detects any license with the specified risk rating, add a license rule to your policy.
| License risk rating | Risk details |
|---|---|
| Low | Low-risk licenses are typically permissive licenses that require you to preserve the copyright and license notices, but allow distribution under different terms without disclosing source code. |
| Medium | Medium-risk licenses are typically weak copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component and any modifications to it available under the same terms. |
| High | High-risk licenses are typically strong copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component, any modifications, and the larger work that incorporates it available under the same terms. |
| Non-OSS | Non-OSS indicates that this file could be subject to commercial license terms. If so, refer to your applicable license agreement with that vendor for additional information. |
| Unrecognized | Unrecognized indicates that no license was found for the component. This does not mean that there is no risk associated with the license; investigate the component before relying on it. |
Vulnerabilities
The Vulnerabilities tab lists all the vulnerabilities and malicious libraries for the selected application. It sorts vulnerabilities by severity rating and lists the associated Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) IDs. It also includes a severity rating and a description for each entry.
The Vulnerability column might list two different data sources for vulnerabilities: a CVE ID indicates that the vulnerability came from the NVD and a SRCCLR ID indicates that the vulnerability came from the Veracode Vulnerability Database.
To mitigate vulnerabilities you won't resolve, add comments, or manage proposed mitigations, select from the Actions menu.
The Veracode Platform updates this list of vulnerabilities daily to reflect changes in the National Vulnerability Database or the Veracode Vulnerability Database, so that it shows the latest information on third-party component vulnerabilities in your applications. In turn, SCA results and related systems, such as Governance, Risk and Compliance (GRC) dashboards, are updated to reflect any new vulnerabilities. You do not need to rescan your applications to pick up the latest vulnerability changes. Veracode recommends that you review your SCA policy compliance after every vulnerability update, because a newly published or rescored vulnerability can move an application from passing to failing without any change to its code.
Veracode also sends an email to users when a newly identified or upgraded vulnerability affects your policy. To receive SCA email notifications, navigate to Your Account Settings, enter your email address, and select I wish to receive email notifications when a newly identified vulnerability or change in severity causes my application to violate policy.
The link to the Veracode Platform provided in the email notification is only accessible to users with the Security Lead role.
Linked Projects
For SCA Agent-based Scan results, the Linked Projects tab lists the linked SCA agent projects.
Access SCA results for all applications
To review all applications scanned using SCA Upload and Scan or SCA Agent-based Scan, go to the main Software Composition Analysis page in the Veracode Platform.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans & Analysis > Software Composition Analysis.
- Select one of the following tabs:
  - Upload and Scan: lists the scanned applications, analyzed components, and detected vulnerabilities from the last SCA Upload and Scan. The Applications tab lists the scanned applications. In the Policy Control column, a color-coded shield icon indicates the application's policy assessment status, together with the number of components within the application that violate this policy. To view the details of the associated policy and its rules, select the blue ? icon. Select the name of an application profile to open the SCA Results page.
  - Agent-Based Scan: lists the available workspaces, with a count of the detected issues for vulnerabilities, libraries, and licenses from the last SCA Agent-based Scan performed on the applications in each workspace. To see all scan results in a workspace, and access the actions you can perform on them, select the name of the workspace.
Filter SCA Upload and Scan results
In the Veracode Platform, on the Software Composition Analysis page, you can filter the results on the Upload and Scan tab.
Use the filter function to find applications by CVE ID, application name, blocklist presence, component name, severity, or any combination of these filters. If you switch tabs after filtering data, the filter remains applied to the content of the new tab until you clear it. If you are an enterprise customer, you see the name of the software vendor before the application name for third-party applications.
To see how different versions of the Common Vulnerability Scoring System (CVSS) affect the severity of the detected vulnerabilities, on the Third-Party Components or Vulnerabilities tabs, select a CVSS version from the Display dropdown menu. By default, the selected CVSS version is the one configured for your organization.
You can apply version 3 of the CVSS to your policies; severity ratings are then based on CVSS version 3 scores.
If your organization is still using CVSS v2, you must contact Veracode Technical Support to switch to CVSS v3. Because v2 and v3 can place the same vulnerability in different severity bands, the CVSS version can determine whether a vulnerability causes an application to fail policy.
After updating the scoring system, Veracode determines policy evaluations for all future scans of your applications based on the new CVSS version.
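The following is an added example, not Veracode code and not the Findings REST API's response format. It shows, on constructed data, how the rules described on this page interact: a license rule that fails policy on specified risk ratings, the CVE/SRCCLR prefix that identifies a vulnerability's data source, and a severity rule whose outcome depends on whether CVSS v2 or v3 scoring is in effect. The `Policy` class, the `evaluate` function, the flattened field names (`component_filename`, `licenses`, `vulnerabilities`, `cvss2_score`, `cvss3_score`) and the sample components and IDs are all this example's own assumptions; the qualitative bands come from the CVSS v2 and v3 specifications. Veracode's actual policy rule model may differ.

```python
"""Added example: evaluate constructed SCA findings against a license rule and a
CVSS-version-dependent severity rule, entirely offline."""
from dataclasses import dataclass

# Qualitative severity bands from the CVSS specifications, as (floor, label).
# v3.x: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0
# v2:   Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0
CVSS3_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "None"))
CVSS2_BANDS = ((7.0, "High"), (4.0, "Medium"), (0.0, "Low"))


def severity_label(score: float, cvss_version: int) -> str:
    """Map a numeric base score to the qualitative rating for the given CVSS version."""
    bands = CVSS3_BANDS if cvss_version == 3 else CVSS2_BANDS
    for floor, label in bands:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def vuln_source(vuln_id: str) -> str:
    """Identify the data source from the ID prefix, as the Vulnerability column does."""
    if vuln_id.startswith("CVE-"):
        return "NVD"
    if vuln_id.startswith("SRCCLR-"):
        return "Veracode Vulnerability Database"
    return "unknown"


@dataclass(frozen=True)
class Policy:
    """Assumed simplified policy: an org-wide CVSS version plus two rule sets."""
    cvss_version: int                # 2 or 3
    fail_severities: frozenset       # qualitative ratings that fail the policy
    fail_license_ratings: frozenset  # license risk ratings that fail the policy


def evaluate(findings, policy: Policy):
    """Return (passes, violations). Each violation is
    (component, rule kind, identifier, detail)."""
    violations = []
    for f in findings:
        comp = f["component_filename"]
        for lic in f.get("licenses", []):
            if lic["risk_rating"] in policy.fail_license_ratings:
                violations.append((comp, "license", lic["license_id"], lic["risk_rating"]))
        for v in f.get("vulnerabilities", []):
            # The org's CVSS version selects which score feeds the severity rule.
            score = v["cvss3_score"] if policy.cvss_version == 3 else v["cvss2_score"]
            label = severity_label(score, policy.cvss_version)
            if label in policy.fail_severities:
                detail = f"{label} ({vuln_source(v['id'])})"
                violations.append((comp, "vulnerability", v["id"], detail))
    return (not violations, violations)


# Constructed sample findings: placeholder components, IDs and scores, not real ones.
SAMPLE_FINDINGS = [
    {"component_filename": "example-parser-1.2.0.jar",
     "licenses": [{"license_id": "apache-2.0", "risk_rating": "Low"}],
     # Scored Medium under v2 but Critical under v3: the case this page warns about.
     "vulnerabilities": [{"id": "CVE-0000-0001", "cvss2_score": 6.8, "cvss3_score": 9.8}]},
    {"component_filename": "example-crypto-0.4.1.jar",
     "licenses": [{"license_id": "gpl-3.0", "risk_rating": "High"}],
     "vulnerabilities": []},
    {"component_filename": "example-util-3.0.0.jar",
     "licenses": [{"license_id": None, "risk_rating": "Unrecognized"}],
     "vulnerabilities": [{"id": "SRCCLR-SID-0001", "cvss2_score": 4.3, "cvss3_score": 5.3}]},
]

SEVERITY_RULE = frozenset({"High", "Critical"})
LICENSE_RULE = frozenset({"High", "Non-OSS"})
POLICY_V2 = Policy(2, SEVERITY_RULE, LICENSE_RULE)
POLICY_V3 = Policy(3, SEVERITY_RULE, LICENSE_RULE)


if __name__ == "__main__":
    for pol in (POLICY_V2, POLICY_V3):
        ok, viol = evaluate(SAMPLE_FINDINGS, pol)
        print(f"CVSS v{pol.cvss_version}: {'PASS' if ok else 'FAIL'}")
        for item in viol:
            print("  ", item)
```

With only the severity rule applied, the constructed findings pass under CVSS v2 (6.8 is Medium) and fail under v3 (9.8 is Critical), which is why switching scoring systems can change policy outcomes without any rescan. The Unrecognized license is not flagged by `LICENSE_RULE` as written; add `"Unrecognized"` to the set if, as this page advises, you do not want an absent license to count as no risk.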