Using the Results page
Access the findings for a scanned application from its application profile in the Veracode Platform.
The scan results from Veracode integrations are typically available within the integration. The results for several integrations, such as IDEs, SCMs, and APIs, that connect to the Veracode Platform are available in the Veracode Platform interface.
If you need help or guidance with reviewing findings from Veracode's expert security professionals, schedule a consultation.
Access the Results page
In the Veracode Platform, the Results page provides a single point of reference for the results of all completed scans (SAST, SCA, DAST, MPT) of an application.
You can also access security policy evaluations, a results summary, and reports (Veracode and PCI compliance) that provide details about your scans and findings; download and bookmark reports; and schedule a consultation with Veracode Technical Support.
To complete this task:
- Sign in to the Veracode Platform.
- Select My Portfolio > Applications.
- On the All Applications page, locate an application with results ready.
- In the Results column, select View. The Results page opens with details about the flaws found by SAST and DAST scans. To access vulnerabilities from SCA scans, from the left menu, select Software Composition Analysis to open the SCA Results page.
- For a Static Analysis Upload and Scan, if the scan is in progress, select the View Partial Results link (if available) to review a portion of your results while the remainder of your application is scanned.
Reporting options
At the top of the Results page, select from the following options to access reports of the selected results, share the results with your teams, and get remediation guidance from Veracode Technical Support.
- Veracode Report: opens the Veracode Report that summarizes the security flaws found by Static Analysis or Dynamic Analysis scans of your application. It explains how the application fared against the assigned security policy, and outlines Veracode recommendations for resolving the flaws. This report contains the same information as the Detailed Report.
- PCI Compliance Report: the PCI Compliance Report provides guidance on how to fix the discovered flaws to achieve PCI compliance and how the application performed against the PCI policy.
- Download: opens a dropdown menu of the reports you can download as a PDF or XML file.
- Bookmark: bookmark the displayed Results page. Bookmarked reports capture a snapshot of findings and policy compliance at a specific point in time. Enter a name for the bookmark and select Save. To access bookmarked reports, select Bookmarked Reports from the left menu.
- Share: if you have a vendor-enterprise relationship with other organizations, select this option to share the results with your vendors.
- Schedule a Consultation: schedule a consultation with Veracode security experts to get help with reviewing your results and resolving findings.
Left menu items
Select from the following links in the left menu. The list of links varies depending on the types of scans (SAST, DAST, SCA, MPT) run on the application.
- View Report - opens the Customizable Report. This report provides detailed information about the application's compliance with the assigned security policies.
- Software Composition Analysis - opens the SCA Results page where you can review SCA scan results, including detected third-party components and license risk, and review and mitigate vulnerabilities.
- Triage Flaws - for Static Analysis using Upload and Scan and Dynamic Analysis scans, opens the Triage Flaws page. This page displays a detailed list of static and dynamic flaws and provides options for managing and mitigating flaws with your teams.
- Mobile Behavioral Analysis - for Static Analysis using Upload and Scan, opens a report with details about detected permissions for mobile access. To view this report, Mobile Behavioral Analysis must be turned on for the scan.
- Flaw Sources - opens the Flaw Sources page that lists the injection points in your code where findings originate.
- Scan details - opens a report with details about the latest selected scan. For example, if you ran Static Analysis and Dynamic Analysis scans, you see the links Static Scan and Dynamic Analysis Scan. For a dynamic scan report, under Scan Submission Details, select the application name to view the Dynamic Analysis Coverage Report.
Flaw Sources
This page identifies the main sources of untrusted data in an application and locates all the flaws that share a flaw source.
Being able to identify multiple flaws that you can fix with a single code change significantly reduces the time developers spend on finding and fixing or mitigating vulnerabilities in software code. If a source is secured by design, developers can report all the flaws stemming from the safe source with a single mitigation action.
To access the flaw sources report in the Veracode Platform after a static scan has completed, in the left navigation pane of the application page, select Results > Flaw Sources.
The flaw sources reports provide this information:
- The function that contains the flaw
- The location in the source file of that function
- The severities of the downstream flaws
- The CWE with which each flaw is associated
Policy Evaluation
The Policy Evaluation section of the Results page provides an overview of how the application fared against its assigned security policy.
The policy evaluation shows whether the application was assessed against constraints, including rules, required scans, and a remediation grace period. The Veracode Level the application achieves is based on the security score it receives from completed scans.
To view more details about the scan results on the overview pages, select the scan names in the Static, Dynamic, and Manual columns.
Summarized Results
The Summarized Results section of the Results page provides an overview of all SAST and DAST flaws by severity and status, including a summary of the top risks and how the scan metrics data is trending. You can see the number and types of flaws the application currently contains.
Open Flaw Severities
This section of the Results page shows open flaws characterized by potential impact to confidentiality, integrity, and availability of the application as defined in the CVSS.
| Severity | CVSS rating (SCA and MPT only) | Description |
|---|---|---|
| 5 - Very High | 8.1-10 | These lines of code have a very serious weakness and are an easy target for an attacker. Fix this finding immediately to avoid potential attacks. |
| 4 - High | 6.1-8 | These lines of code have a serious weakness and are an easy target for an attacker. Fix this finding immediately to avoid potential attacks. |
| 3 - Medium | 4.1-6 | These lines of code have a moderate weakness and might be an easy target for an attacker. Fix this finding after fixing all Very High and High findings. |
| 2 - Low | 2.1-4 | These lines of code have a low weakness. Consider fixing this finding after fixing all Very High, High, and Medium findings. |
| 1 - Very Low | 0.1-2 | These lines of code have a very low weakness. The finding might indicate other problems in the code, but you do not need to mitigate it. |
| 0 - Informational | 0 | These lines of code have an issue with no impact on the security of the application, but the finding might indicate other problems in the code. You can safely ignore this issue. |
Remediation Status
This section of the Results page shows the number of SAST and DAST flaws found in an application and their status, as described in the following table. You can use this data to compare the number of new or open flaws for an application to the number of mitigated or remediated (fixed) flaws.
| Status | Scan type | Description |
|---|---|---|
| New | Policy | The number of flaws that Veracode did not find in any previous policy scan. |
| New | Sandbox | The number of flaws that Veracode did not find in any previous scan. |
| Open | Policy | The number of flaws Veracode found in a previous policy scan. |
| Open | Sandbox | The number of flaws Veracode found in a previous scan, not necessarily within this sandbox. |
| Reopened | Policy or Sandbox | The number of flaws Veracode found in a previous scan within the sandbox or policy scan, not found in a subsequent scan within the sandbox or policy scan, but found again in the current scan. |
| Fixed | Policy or Sandbox | The number of flaws Veracode found in a previous scan within the policy or sandbox scan, but did not find again in the current scan. |
| Mitigated | Policy or Sandbox | The number of flaws that someone approved as mitigated by OS environment, mitigated by network environment, and mitigated by design. |
| Potential False Positive | Policy or Sandbox | The number of flaws that someone approved as a potential false positive. |
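The status definitions in the table above are a comparison of the current scan's findings against the scan history, plus approvals that override the computed status. The following added example (not Veracode's code or API; the flaw identifiers, the `classify_flaws` and `summarize` helpers, and the constructed scan history are assumptions for illustration) applies those definitions to a sequence of scans so you can check how a flaw becomes New, Open, Reopened, Fixed, Mitigated, or Potential False Positive:

```python
from collections import Counter

# Constructed sample: each scan is the set of flaw identifiers it reported
# (for example "CWE-89@OrderDao.java:42"), oldest scan first, current scan last.
SCAN_HISTORY = [
    {"A", "B", "C"},        # first scan
    {"A", "C", "D"},        # B disappeared, D appeared
    {"A", "B", "D", "E"},   # current scan: B is back, C is gone, E is new
]

# Constructed sample: approvals that someone recorded for flaws in the current scan.
# These statuses come from review decisions, not from the scan diff.
APPROVALS = {
    "D": "Mitigated",
}


def classify_flaws(scan_history, approvals=None):
    """Assign a Remediation Status to every flaw seen in the scan history.

    Hypothetical helper following the table definitions:
      New       - in the current scan, never found in any previous scan
      Open      - in the current scan and in the previous scan
      Reopened  - found before, absent from the previous scan, found again now
      Fixed     - found in a previous scan, not found in the current scan
      Mitigated / Potential False Positive - approved as such (overrides the above
                  for flaws still present in the current scan)
    """
    approvals = approvals or {}
    if not scan_history:
        return {}
    current = scan_history[-1]
    previous = scan_history[:-1]
    ever_seen = set().union(*previous) if previous else set()
    last = previous[-1] if previous else set()

    statuses = {}
    for flaw in current:
        if flaw in approvals:
            statuses[flaw] = approvals[flaw]
        elif flaw not in ever_seen:
            statuses[flaw] = "New"
        elif flaw in last:
            statuses[flaw] = "Open"
        else:
            statuses[flaw] = "Reopened"
    # Anything found before but absent now counts as Fixed.
    for flaw in ever_seen - current:
        statuses[flaw] = "Fixed"
    return statuses


def summarize(statuses):
    """Count flaws per status, as the Remediation Status section does."""
    return dict(Counter(statuses.values()))


if __name__ == "__main__":
    result = classify_flaws(SCAN_HISTORY, APPROVALS)
    for flaw, status in sorted(result.items()):
        print(f"{flaw}: {status}")
    print(summarize(result))
```

Passing a history of policy scans models the Policy rows of the table; passing the combined sandbox and policy history models the Sandbox rows, where Open means the flaw was found in a previous scan that was not necessarily in the same sandbox.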
Top Risks
This section of the Results page lists the top flaws, by CWE name, and the number of each flaw found in the application.
Trend Data
This section of the Results page shows scan history and scan scores for the application over time. To view the name, date, and score of each scan, hover over data points on the chart.