SCA Agent-based Scan
Veracode Software Composition Analysis (SCA) Agent-based Scan analyzes your open-source components, including libraries and licenses, early and frequently in your software development lifecycle (SDLC). It uses SCA agents, or scanners, to scan your repos, find vulnerabilities, and assess license risk.
You can scan repositories, such as cloned projects stored on your desktop, or public repositories, from a command-line interface. You can also integrate SCA agents, to add SCA scanning to your continuous integration (CI) and source code management (SCM) tools, and create ticketing issues for vulnerabilities.
Alternatively, run SCA scans using SCA Upload and Scan. This scanning method uses Upload and Scan to upload a packaged artifact of your application code to the Veracode Platform and perform both Static Analysis and SCA scans, in a single operation. To review the Static Analysis results, you must have a Static Analysis license.
To set up an SCA agent and run a scan using the SCA CLI, see the quickstart.
Scanning workflow
With Veracode SCA agent-based scans, you can start scanning your projects to find vulnerabilities. When you scan a project, you can generate a report that tells you about libraries and vulnerabilities in your projects.
- Access SCA Agent-based Scan in the Veracode Platform.
- Set up and activate an agent, either locally using a CLI, or integrated with your repos.
- Scan your code or any example repository.
- Review the scan results in the CLI output, or go to the report URL in the output to view the results in the Veracode Platform.
How can I use SCA Agent-based Scan?
Select from the following products or integrations to set up and start scans.
Products
- Veracode Repository Scanning
- SCA agent command-line interface
- REST API - this API only supports reviewing SCA agent-based scan results.
Integrations
Requirements
To set up and use SCA Agent-based Scan, your environment must meet the following requirements.
- One of the following operating systems:
- macOS on Intel or Apple silicon. For Apple silicon, you must have Rosetta 2 installed
- Windows 7 or later with PowerShell 3 or later
- 64-bit version of one of these Linux distributions:
- Alpine 3.11 or later
- Debian 9 or later
- Ubuntu 18.04 or later
- Fedora 19 or later
- RHEL/CentOS 7 or later
- Outbound connections to the Veracode SCA URLs.
- Your client supports TLS 1.2 or later and one of the following ciphers:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- Git 1.9.3 or later
- If you are not using a Git-based repository, you need to set up the appropriate environment variables.
- Java 17 or higher for scanning with the command-line interface. The SCA agent is able to scan code written for Java 8 or above.
- If your Veracode account is in the United States Federal region, your environment must meet the following additional requirements in order to avoid conflicts with the third-party plugin from Bouncy Castle that the SCA agent uses to enforce FIPS-compliant connections (BCFIPS). Failure to adhere to these requirements may result in handshake errors between the SCA agent and the Veracode Platform:
- To ensure BCFIPS has access to sufficient entropy to generate high-quality keys, we recommend verifying that the execution environment has a hardware random number generator (RNG) activated. If not, your operating system’s kernel, in both hosts and containers, must have sufficient entropy allocated. See this example of increasing system entropy on RHEL CentOS 6 and 7.
- Do not run the SCA agent behind a proxy server.
- Contact your IT administrator to ensure that you have added the outbound connections to the Veracode SCA URLs to the allowlists in the systems that utilize Deep Pack Inspection (DPI), such as DPI firewalls, DPI data loss prevention systems, intrusion detection systems, and intrusion prevention systems. If not, these systems may interfere with BCFIPS.
Scanning a repository that uses Java and one of its build or package managers requires the ability to build the code within the environment in which you scan the project.
Supported languages
The following table identifies the functionality available to each language and package manager supported by SCA agents.
- A quick scan does not build the project or a dependency graph. To generate a list of libraries and versions in the project, a quick scan uses the
--quickdirective to read the project's manifest files or package lock files. Alternatively, for some languages, a quick scan compares the hashes of JAR files or DLL files in the project with hashes in the Veracode database. - A full scan builds the project and a dependency graph, so you can see which libraries are direct or transitive and can prioritize accordingly. Without the
-–quickdirective, a full scan is the default scan for the SCA agent. - A vulnerable method scan is not a separate scan but a standard part of a full scan, provided vulnerable methods are supported for the project's language and package manager. During the build, the agent determines whether a project’s first-party code calls any vulnerable methods in the third-party code.
| Language | Package manager | Quick scan (Level 1) | Full scan (Level 2) | Vulnerable methods scan (Level 3) |
|---|---|---|---|---|
| C#/.NET | DLL | X | X | X |
| C#/.NET | NuGet | X | X | X |
| C/C++ | Make | X | ||
| Go | Dep | X | X | |
| Go | Glide | X | X | |
| Go | go get | X | ||
| Go | Go modules | X | X | X |
| Go | GoDep | X | X | |
| Go | GoVendor | X | X | |
| Go | Trash | X | X | |
| Java | Ant | X | X | |
| Java | Gradle | X | X | |
| Java | Jars | X | X | X |
| Java | Maven | X | X | |
| JavaScript | Bower | X | X | |
| JavaScript | NPM | X | X | X |
| JavaScript | Yarn | X | X | X |
| Kotlin | Gradle | X | X | |
| Kotlin | Jars | X | X | X |
| Kotlin | Maven | X | X | |
| Objective-C | CocoaPods | X | X | |
| PHP | Composer | X | X | |
| Python | pip | X | X | |
| Python | Pipenv | X | X | X |
| Python | Poetry | X | X | |
| Ruby | Bundler | X | X | X |
| Scala | Jars | X | X | X |
| Scala | SBT | X | ||
| Swift | CocoaPods | X | X | |
| TypeScript | Bower | X | X | |
| TypeScript | NPM | X | X | X |
| TypeScript | Yarn | X | X | X |
Access SCA Agent-based Scan
Veracode Platform
If you have a Veracode Software Composition Analysis subscription, you can access SCA Agent-based Scan in the Veracode Platform using your existing username, teams, and roles.
To complete this task:
- Sign in to the Veracode Platform.
- Go to Scans & Analysis > Software Composition Analysis.
- Select the Agent-Based Scan tab.
- To set up SCA agents and start scanning, select Start Scan.
SCA agent CLI
If you are using the command line, access SCA Agent-based Scan using the commands.
What agent-based scanning does
SCA Agent-based Scan provides a way to check the open-source libraries used in your code repositories for vulnerabilities. By using the native build and package managers that manage your open-source libraries, agent-based scanning accurately identifies vulnerabilities in open-source code and provides fix information. Veracode SCA agent-based scanning doesn't scan for vulnerabilities in custom code.
How agent-based scanning does it
Developers can use agent-based scanning on their desktop or with their continuous integration server. The Veracode SCA agent scans the application by building it with its native build or package manager and creating a call graph of the entire application. This call graph shows line-by-line details of code affected by a vulnerability, including all direct and transitive dependencies. Because the agent-based scans use the native build system for a repository to handle dependency resolution, the build system resolves the dependency graph in cases of circular dependencies.
When the agent finds a vulnerability, Veracode SCA:
- Determines whether the application uses the vulnerable part of the component
- Identifies the vulnerable methods used in the library
- Supplies full stack traces back to the developer about which line of code is calling the vulnerable method
To learn more about what we collect from your environment during the scanning process, see evidence collection.
What agent-based scanning knows
When an agent-based scan identifies the direct and transitive open-source libraries in your code, it provides substantial information including, but not limited to:
- Vulnerability write-ups
- Vulnerability exploit code
- Fixed library versions
- Outdated libraries in use
- Indication of whether the vulnerable part of the library is being used, and where it is being used in your code
Veracode SCA provides the above information about the vulnerabilities in the Veracode Vulnerability Database, in addition to discovering vulnerabilities in a variety of ways. If you want to know more about the vulnerability discovery methods, read about the science behind it.
Research process
Veracode SCA Agent-based Scan uses multiple methods to identify open-source libraries, based on accuracy and availability for each language and package manager. These methods include build coordinates, SHA-2 file hashes, proprietary byte-code hashes, and filenames. For each identified library, Veracode SCA reports the vulnerabilities based on its vulnerability database. Veracode builds the database using machine learning and natural language processing over a variety of public sources that contain information about open-source libraries. These sources include NVD, GitHub commits, GitHub issues, Jira boards, Bugzilla, mailing lists, vendor advisory lists, and other security-relevant websites and discussion boards. Due to this unique approach, Veracode SCA can identify vulnerabilities that the NVD has not yet reported in addition to the reported vulnerabilities. Veracode goes through every item flagged by the machine learning model, reviews the code where the potential vulnerability was discovered, and confirms if it is a vulnerability. Veracode SCA then adds a CVSS score, descriptions of the vulnerability, and remediation advice to the database.
Transitive and direct components
A direct component is a dependency directly referenced in the configuration file that the repository build or package manager supports, such as pom.xml for Maven or package.json for NPM. A transitive component is a dependency not directly specified in the configuration file, but required by another component that the repository uses.
Vulnerable methods
Veracode SCA Agent-based Scan collects the list of vulnerable methods that the agent finds during the creation of call chains from your code, which determine the usage of library APIs in your repository. Veracode doesn't collect the call chains. You can use the --no-upload option in your scans to prevent SCA agents from sending the vulnerable method list.
Evidence collection
Because the scanning process consists of building the code to be scanned, generating a dependency graph from the built code, and identifying libraries used with the dependency graph, SCA Agent-based Scan requires the source code of the repository you want to scan in order to function properly. Libraries are identified by sending information to Veracode to match against the Veracode database. This section provides details on what information is sent from your environment to Veracode.
What Veracode does not send
We never send your source code off of your environment. We also never send call chains built for vulnerable method calculation from your environment, but instead matches them on your environment.
Git information
Veracode SCA requires that any repository being scanned contains Git metadata in a .git folder because SCA agent uses this information to identify the repository, and track commit, branch, and tag information. The Git metadata is sent to Veracode to evaluate and identify this information.
Language type
Before beginning a scan, agent-based scans identify the build and package managers used in your repository. Veracode SCA finds the configuration files for a given build or package manager in the root of the project, or in a location where a configuration file might be typically found. For example, a pom.xml in the root of a project indicates a Maven repository. This information is sent to Veracode to distinguish coordinates among the various build and package managers.
Library identification
To identify the open-source libraries that your code uses, Veracode SCA uses a set of coordinates from the dependency graph generated during the build process in combination with the language type. The coordinates for each language are:
- Maven/Gradle/Scala: groupId, artifactId, version
- NPM/Bower/Yarn: library name, version
- Ruby Gems: library name, version
- Python: library name, version
- PHP: library name, version
- Go: library name, commit hash/version
- .NET: library name, version
- Objective-C: library name, version
By sending these coordinates along with the language type, Veracode SCA is able to uniquely identify the libraries used in your project.