Analytics

Veracode Analytics provides the insight you need to demonstrate progress and success to stakeholders through pre-built dashboards and data visualizations, such as charts, graphs, and counts.

Use the explores to navigate and configure visualizations of your analytics data. Then, add your visualizations to existing or new dashboards, which you use to display your data and share it with your organization.

Veracode Analytics and the Veracode Platform

Veracode Analytics displays data in the Veracode Platform using Google Looker.

The analytics data in both the Veracode Platform and Veracode Analytics are correct. The underlying data model in the Veracode Platform is different from the underlying data model in Veracode Analytics, but they are equivalent. Veracode Analytics performs joins, which combine one or more tables in a relational database, on data as fast as possible to load visualizations and large amounts of data quickly. Veracode Analytics uses a modified star schema model to load data, which requires only a single join to produce any piece of data, instead of the relational data model in the Veracode Platform, which requires many joins to generate a report.

Veracode has also refined the data model in Veracode Analytics to match how users interact with data. For example, in the Veracode Platform, findings with the Open, New, and Reopened statuses are all peer statuses, indicating that Veracode does not list a new finding as Open. All three statuses indicate that the finding has the potential to be exploited and you should remediate it. In Veracode Analytics, the Open and Closed statuses are parent statuses.

Note: Veracode Analytics does not use real-time data. It receives refreshed data every four hours. This refresh rate means that sometimes changes in the Veracode Platform are not reflected in Veracode Analytics until the next time the data refreshes.

See our guidelines on optimizing analytics performance.

What data can I see in Veracode Analytics?

Veracode Analytics includes data from:

Veracode Analytics does not currently include data from:

How can I use Veracode Analytics?

You can access and use Veracode Analytics in the Veracode Platform and using the Veracode APIs. You can only access data for application profiles to which you have access.

Ensure you meet the prerequisites.

Using the Veracode Platform

To use Veracode Analytics in the Veracode Platform, see the following sections:

Using the APIs

Access analytics data using the Veracode APIs.

REST APIs

XML APIs

Prerequisites

Access to analytics data is based on your user roles and team memberships. If you have a team-limited role, such as Reviewer, you can only view applications from the teams of which you're a member.

To access Veracode Analytics data, your user account must have one of the following roles:

  • All teams: Security Lead or Executive
  • User teams only: Security Insights

To manage dashboards and visualizations, your user account must have the Analytics Creator role.

Use dashboards

Use dashboards to display and share visualizations of your analytics data. You can download data from any chart, graph, or visualization in CSV, XLS, PNG, JSON, HTML, or MD format.

Access dashboards

Dashboards display visualizations of your analytics data. You can see all the Veracode dashboards; however, Veracode only provides data for products that your organization has purchased.

  1. Sign in to the Veracode Platform.
  2. Select Analytics > Veracode Dashboards. The pre-built dashboards appear. To select dashboards shared with your organization, select My Organization's Dashboards. To select dashboards only available to you, select My Personal Dashboards.
  3. Select a dashboard, such as Policy Compliance Overview. The dashboard opens, and your analytics data displays in the visualizations in the dashboard.
  4. Optionally, to download the dashboard as PDF or CSV files, select the ellipsis in the top-right corner of the dashboard, and then select Download. To download data from a visualization in the dashboard, hover over the visualization, select the ellipsis menu, and then select Download data.

Filter dashboard data

When viewing a dashboard, you can modify the filters to change the data displayed in the visualizations.

To complete this task:

  1. In the Veracode Platform, select Analytics > Veracode Dashboards.

  2. Select a dashboard. For example, Policy Compliance Overview.

  3. The filters applied to the dashboard appear at the top. If you don't see the filters, select Show filters from the top-right corner of the dashboard.

  4. To change a filter, select it. For example, on the Policy Compliance Overview dashboard, if you want to change the time period from the past year to the past 90 days, select Application Published Date and change the time period from is in the past 12 months to is in the past 90 days.

    Absolute date filters allow you to use specific date values to generate query results. For example, assume the current date is September 10, 2021. You want to query the publication dates of policy scans before the current date. Use the filters is before absolute 2021-09-10. The results include all previous data up to September 9, 2021.

    Relative date filters allow you to filter using rolling date values relative to the current date. If you use a relative filter, the results reflect the data before the beginning of the specified period. For example, assume the current date is September 10, 2021. You want to query the publication dates of policy scans in the past two years. Use the filters is before relative 2 years ago. The results include all data in 2019 and 2020 and exclude all data beginning on January 1, 2021.

  5. To run the query with your modifications, select Run.

  6. If you want to download this information to view later, go to the gear icon in the top-right corner, and select Download as PDF or Download as CSV.

Examples of date filters and the results

The following examples assume the current date is Friday, September 10, 2021.

| Filter | Description | Example |
| --- | --- | --- |
| Past 1 week | Includes all days starting with today, and going to the Sunday of the current week. | 5 Sep 2021 – 10 Sep 2021 |
| Past 1 complete week | Includes all days in the previous complete week. | 29 Aug 2021 – 04 Sep 2021 |
| Past 7 days | Includes all days starting with today, and going 7 days back. | 03 Sep 2021 – 10 Sep 2021 |
| Past 365 days | Include all days in the past year through today. | 10 Sep 2020 – 10 Sep 2021 |
| Past 1 month | Include all days starting with the first day of the current month through today. | 01 Sep 2021 – 10 Sep 2021 |
| Past 1 complete month | Include all days in the previous complete month. | 01 Aug 2021 – 31 Aug 2021 |
| Past 1 year (relative) | Include all days in the year before January 1 of the current year. | 01 Jan 2020 – 31 Dec 2020 |

Share dashboards

To share a link to a dashboard, select the share icon in the bottom-right corner of each dashboard. You have the option to copy the link to your clipboard or to send the link by email, which opens your email client.

Download dashboards

You can download an open dashboard in CSV, XLS, PNG, JSON, HTML, or MD format.

To download an open dashboard, in the Veracode Platform, select the ellipsis in the top-right corner of the Veracode Analytics page, and then select Download Data. If you want to download data from an entire dashboard, you can download a PDF file. You can also download a collection of CSV files that represent the data in each dashboard module.

Customize dashboards

If you want to view data differently than the pre-built dashboards, you can modify existing dashboards and visualizations to suit your own needs. You can also share and download dashboards.

Pre-built dashboards

The following pre-built dashboards are available in the Veracode Platform. You can customize the visualizations configured in each dashboard.

Policy Compliance Overview

Overview of the policy compliance of your application. You can view your policy compliance over time, the applications that are passing policy, and the teams or business units that have applications passing policy.

Scan Activity

Data on scan activity, including which types of scans occur, who submits scans, and how many applications have been scanned multiple times.

Sandbox Scan Activity

Data on sandbox utilization. You can view which teams and business units have completed sandbox scans, which provide the ability to scan applications and measure the results against the policy rules without affecting the policy compliance of the entire application.

Scan Times

Details on scan completion time. You can view scan times by language or scan type.

Findings Details

Details on the most-prevalent findings in your applications over time. You can view the most-seen Common Weakness Enumeration (CWE) categories, as well as the most-frequent open, closed, and reopened CWEs.

Findings Status and History

Data on your findings to help you view the security state of your application and how effectively your business units and teams resolve findings. You can view the age of open flaws, the severity of your findings, and the time to resolve findings.

Resolution and Mitigation Details

Insights into how your findings are closed or mitigated. You can determine if users are taking mitigation actions to temporarily address findings, or if findings are resolved through scans.

Security Consultation

Data on security consultation utilization and how consultations improve the density of your flaws. Consultation calls answer specific questions you have about your scan results, help you understand the significance of the flaws, and provide guidance on remediation and mitigation. The security consultation dashboard reports on consultations that you scheduled through the Veracode Platform, but not any you scheduled by emailing Veracode Technical Support.

Fix Usage

Data on how your organization has used Veracode Fix. You can view data on users, including the CLI and IDE users, and on which CWEs you have addressed.

Veracode Fix-able Findings

Overview of how Veracode Fix may impact the security posture of your organization, both overall and on a per-language basis. The following languages are currently supported in the Veracode Fix dashboard: C#, Java, and JavaScript. This dashboard will be updated as Veracode Fix continues to support additional languages and CWEs.

Note: Veracode Static Analysis does not differentiate between .NET languages in the Latest Language Scanned field. Veracode determines that a finding is written in C# by viewing the filename extension and aggregating it with information returned by the scanner.

Security Program Overview

Data to help you track and understand how your AppSec program is trending, based on your target goals. This dashboard shows current and historical trends for policy compliance, and assists you in understanding policy compliance behavior.

SCA Findings

Data on your SCA components and vulnerabilities to help you understand the open-source vulnerabilities within your application portfolio. You can also view component usage and license risk information.

Greenlight Usage

Data on Greenlight scan usage by users and by language, as well as findings results.

Peer Benchmarking

Comparison of your application security program with that of your peers and all Veracode customers. You can identify where your program is leading or where it could improve.

Customize visualizations

You can customize the visualizations, such as charts, in a dashboard, to change how the data is displayed. You can modify many visual elements including colors, labels, and chart types.

To complete this task:

  1. In the Veracode Platform, select Analytics > Veracode Dashboards.

  2. Select a dashboard.

  3. In the dashboard, hover over a visualization, such as a chart, you want to customize.

  4. Select the ellipsis in the top-right corner of the visualization, and then select Explore from here. The Explore page opens where you can modify the chart as needed.

  5. To modify the query used in the visualization:

    a. Use the dropdown menus to change the dashboard query. For example, if you want to change the time period in the dashboard from the past year to the past 90 days, you can use the Application Published Date filter to change the time period from is in the past 12 months to is in the past 90 days.

    b. Select Run in the top-right corner.

  6. To modify the chart type to a different kind of information display, under Visualization select the chart icon you want to use. The menu icon provides additional chart types.

  7. To edit the legend, colors, X and Y axis labels, or font size, select Edit in the top-right corner of the visualization section.

  8. Optionally, save and share your visualizations.

Save and share visualizations

You can save modified visualizations to new or existing dashboards, save them as Look files to view later, or share them with other users.

To complete this task:

  1. In the Veracode Platform, select Analytics > Veracode Dashboards.

  2. Select a dashboard.

  3. In the dashboard, hover over a visualization, such as a chart.

  4. Select the ellipsis in the top-right corner of the visualization, and then select Explore from here.

  5. Modify the visualization and select Run.

  6. To download this information in TXT, XLSX, CSV, JSON, HTML, MD, or PNG format, select the gear icon and select Download.

  7. To save the visualization to view later, select the gear icon at the top of the page, and select Save as a Look. Your saved visualizations are available from the four square icon, under the personal tab.

  8. To save the visualization to a dashboard in your own personal space:

    a. Select the gear icon at the top of the page, and select Save > As a new dashboard.

    b. Enter a title for your dashboard.

    c. Select the personal tab.

    d. Select Save to Dashboard.

    Your saved dashboard is available from Analytics > My Personal Dashboards.

  9. To save the visualization to a shared space that is available to your organization:

    a. Select the gear icon at the top of the page, and select Save > As a new dashboard.

    b. Enter a title for your visualization.

    c. Select the Group tab.

    d. Select New Dashboard.

    e. Enter a name for your dashboard.

    f. Select OK.

    g. Select Save to Dashboard.

    Your saved dashboard is available from Analytics > My Organization's Dashboards.

    To share a link to the dashboard, select the share icon in the bottom-right corner of each dashboard. You have the option to copy the link to your clipboard or to send the link by email, which opens your email client.

Data refresh times

Veracode Analytics receives refreshed data from the Veracode Platform every four hours. Veracode Analytics does not use real-time data.

The data refresh process takes about two hours in the United States Commercial Region and one hour in the European Region. When the process finishes, it immediately restarts and gathers data from when the prior process was running. Data is, at most, four hours old in the Commercial Region and two hours old in the European Region.

For the United States Federal region, the data refreshes on the following schedule.

| Platform data refresh times | Analytics update times |
| --- | --- |
| 12:00 AM ET | 1:00 AM - 3:59 AM ET |
| 4:00 AM ET | 5:00 - 7:59 AM ET |
| 8:00 AM ET | 9:00 - 11:59 AM ET |
| 12:00 PM ET | 1:00 - 3:59 PM ET |
| 4:00 PM ET | 5:00 - 7:59 PM ET |
| 8:00 PM ET | 9:00 - 11:59 PM ET |

Optimize analytics performance

Veracode Analytics uses the Looker platform for data analytics, dashboards and visualizations. Dashboards might take a long time to load when their SQL queries take longer to run. In addition, some components can consume significant memory, leading to performance issues.

To optimize the performance of Veracode Analytics, follow these best practices for creating and using dashboards:

  • Avoid displaying too much data in a single dashboard element. This reduces memory usage and improves performance.
  • Limit the number of elements in a dashboard. This reduces the number of queries run when the dashboard loads.
  • If a dashboard uses only filters, disable Run on load.
  • Use required filters wherever possible.
  • Remember that post-query processing features, such as merged results, custom fields, and table calculations, consume memory.
  • Because pivoted dimensions increase processing load, filter at the dashboard or Look level to allow the user to select the dimension values that they are most interested in comparing.
  • Aim to have fewer columns and rows to improve browser performance. The default row limit for tiles is 500. You can increase it to 5000 rows. We recommend limiting the amount of data you view at any one time to ensure that the data you're using is actionable. Apply filters, such as Application, Team, or Business Unit, to narrow the data to within 5000 rows.
  • Use filters at the dashboard or Look level to reduce the number of results displayed in each element.

To quickly create a report for any set of data, use the Reporting API.

The following resources provide best practices for building and optimizing Looker dashboards: