
Applying fixes to flaws

You can apply the fixes that Veracode Fix suggests one at a time (single fix) or several at once (batch fix). The procedure differs depending on whether you use the Veracode CLI or the GitHub Action.

Apply fixes with the CLI

With the CLI, you can generate fixes in single-fix or batch-fix mode.

Single fix

In single-fix mode, Veracode Fix generates several candidate fixes for each security flaw in a selected file, and you choose which candidate to apply for each flaw. To generate fixes for a single file, set the --type flag to file.

Batch fix

In batch-fix mode, Veracode Fix consolidates the suggested fixes for all security flaws in a directory and applies the first suggested fix for each flaw, so you apply every fix in one step. This is faster, but because you do not choose among candidates for each flaw, review the resulting changes before you commit them. To generate fixes for flaws in multiple files in a directory, set the --type flag to directory.

Apply fixes with the GitHub action

To fix flaws in a GitHub repository through a pull request, configure the action for either single fix or batch fix.

Rebuild and scan after fixing flaws

To confirm that flaws are fixed, Veracode recommends that you always:

  • Rebuild your application to verify that it compiles successfully. The applied fix might introduce code that causes build errors.
  • Run a Static Analysis scan to generate new results and confirm whether the flaw is still present.
  • Re-run Fix on the application to generate fixes for any flaws that remain.

You can apply multiple suggested fixes without rebuilding or rescanning between each one. However, if a fix causes the build to fail, the cause is easier to isolate when fewer changes have been applied at a time.

note

Some CWEs might continue to appear in Static Analysis results after a rescan. These might be false positives. If this happens, confirm that the finding is not exploitable in context and then mitigate it in the Veracode Platform.

Resolve build errors after fixing flaws

Fix tries to verify that all suggested changes compile successfully, but some might be incompatible with your application or build environment. For potential causes of build errors, see Build errors after fixing flaws.

For example, a fix might add an import statement for a new library so that the fixed code can call a supported cleansing function. That library must also be declared in your package manager file, such as pom.xml, but Fix does not update this file, so the build fails. To resolve the failure, check whether the applied fix added an import statement and, if it did, add the corresponding library to your package manager file.
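As an added example, not part of Veracode Fix or its documentation, the following POSIX shell script automates the review described above: it lists the import statements that a fix introduced into a Java file and flags any whose package no <groupId> in pom.xml covers. The Java sources and pom.xml it writes are constructed for the demonstration. The rule that a Maven groupId is a dot-separated prefix of the packages it ships is an assumption that holds for most artifacts but not all, so treat a reported import as something to review rather than as proof that the build will fail.

```shell
#!/bin/sh
# Added example, not Veracode's code: report imports added by a fix that have
# no matching <groupId> in pom.xml. Assumption: a groupId is normally a prefix
# of the Java packages it ships (org.owasp.encoder -> org.owasp.encoder.Encode).

# Print the fully qualified names imported by a Java file, one per line, sorted.
extract_imports() {
    sed -n 's/^[[:space:]]*import[[:space:]]\{1,\}\(static[[:space:]]\{1,\}\)\{0,1\}\([A-Za-z_][A-Za-z0-9_.*]*\)[[:space:]]*;.*/\2/p' "$1" | sort -u
}

# Print the imports present in the fixed file ($2) but absent from the original ($1).
added_imports() {
    before=$(extract_imports "$1")
    extract_imports "$2" | while IFS= read -r imp; do
        printf '%s\n' "$before" | grep -qxF -- "$imp" || printf '%s\n' "$imp"
    done
}

# Succeed if some <groupId> in the pom ($1) is a dot-separated prefix of the import ($2).
groupid_covers() {
    for gid in $(sed -n 's|.*<groupId>\([^<]*\)</groupId>.*|\1|p' "$1"); do
        case "$2" in "$gid"|"$gid".*) return 0 ;; esac
    done
    return 1
}

# Print added imports that neither the JDK (java.*) nor a declared groupId accounts for.
missing_dependencies() {   # usage: missing_dependencies before.java after.java pom.xml
    added_imports "$1" "$2" | while IFS= read -r imp; do
        case "$imp" in java.*) continue ;; esac
        groupid_covers "$3" "$imp" || printf '%s\n' "$imp"
    done
}

# Constructed sample project: the original source, the same file after a fix that
# HTML-encodes untrusted output with OWASP Java Encoder, and a pom.xml that does
# not yet declare the encoder dependency.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/Before.java" <<'EOF'
package com.example.web;

import java.io.IOException;
import javax.servlet.http.HttpServletResponse;

public class Greeter {
    public void greet(HttpServletResponse resp, String name) throws IOException {
        resp.getWriter().println("<p>Hello, " + name + "</p>");
    }
}
EOF
cat > "$DEMO_DIR/After.java" <<'EOF'
package com.example.web;

import java.io.IOException;
import java.util.Objects;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;

public class Greeter {
    public void greet(HttpServletResponse resp, String name) throws IOException {
        resp.getWriter().println("<p>Hello, " + Encode.forHtml(Objects.toString(name, "")) + "</p>");
    }
}
EOF
cat > "$DEMO_DIR/pom.xml" <<'EOF'
<project>
  <groupId>com.example</groupId>
  <artifactId>greeter</artifactId>
  <dependencies>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>4.0.1</version>
    </dependency>
  </dependencies>
</project>
EOF

missing=$(missing_dependencies "$DEMO_DIR/Before.java" "$DEMO_DIR/After.java" "$DEMO_DIR/pom.xml")
if [ -n "$missing" ]; then
    printf 'Fix added imports with no matching dependency in pom.xml:\n%s\n' "$missing"
else
    echo "All imports added by the fix are covered by pom.xml."
fi
```

In the sample, the fix adds two imports: java.util.Objects ships with the JDK and is skipped, while org.owasp.encoder.Encode matches no declared groupId and is reported, which is the cue to add the encoder artifact to pom.xml before rebuilding. Run the same three functions against a real before/after pair from version control to review a batch of fixes in one pass.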

If your application fails to build after you apply a fix, use your regular development processes, such as unit testing, to diagnose and resolve the errors. Because Fix changes only the flawed code, the build usually succeeds without further intervention. In some cases, however, Fix adds code (such as an import statement) that requires changes outside the affected file.

Even if an applied fix breaks the build, the change that removes the flaw is still in place; confirm it with a rescan once the build succeeds. Developers might need to spend additional time adjusting their code to reach a successful build, but this is still far less time than learning about the flaw and fixing it manually without Fix.

Build errors after fixing flaws

After you apply suggested fixes or fix flaws manually, the changed code might contain one or more of the following issues, any of which can cause build errors:

  • Incorrect code syntax, such as missing semicolons or incorrect punctuation
  • Incompatible or outdated library or framework versions, such as dependencies that do not support the new code
  • Missing or improperly installed dependencies

If your application built and ran successfully before a fix but fails afterward, review the error with a software developer in your organization. If you suspect the applied fixes introduced issues beyond those listed here, contact Veracode Technical Support.

Build errors for manually packaged applications

If you fix flaws in a manually packaged application—without using the autopackager—and encounter build errors, follow these steps to troubleshoot:

  1. Package the application into an artifact, such as a ZIP or WAR file. If using Maven, run mvn package. For packaging instructions, see Package your code.
  2. Copy the artifact file to the location where the scanner expects it. If using a Veracode Scan IDE plugin, add the artifact to .verascan.
  3. Scan the artifact.
  4. Review the results and apply suggested fixes or manually fix flaws.
  5. Repackage the application.
  6. Replace the previous artifact with the updated one in the expected location.
  7. Scan the new artifact.
  8. Confirm the flaws are fixed (for example, they no longer appear in the results).

Technical support

If you need help, contact Veracode Technical Support or visit the Community.