
Find vulnerabilities in C/C++

You can find vulnerabilities in your C/C++ applications. You can scan C/C++ repositories using the command-line interface or the CI integrations.

Veracode SCA agent-based scanning supports native Linux C/C++ libraries for projects compiled with the Make build tool, using the CLI agent on Linux or in your repositories.

Agent-based scans can identify additional C/C++ libraries if they appear in supported package managers. See the list of native Linux C/C++ libraries and vulnerabilities that Veracode SCA monitors.

You can scan any code repository to which you have access and that meets the requirements below. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-cpp-makefile

Before you begin:

Scanning a repository that uses C/C++ libraries requires you to assemble the project dependencies within the environment in which you scan the project. Your environment must:

Additionally, your project must include a makefile that has:

  • One of these filenames: GNUmakefile, makefile, or Makefile. Veracode SCA searches for these filenames in the listed order and treats the first one it finds as the project makefile.

  • One of these strings: gcc, g++, clang, CMAKE, or CMake.

  • A clean target. Veracode SCA uses the clean target to collect findings. To configure a custom clean target to scan, add this argument to your project as an environment variable:

    SRCCLR_MAKE_CLEAN_TARGET='{custom_clean_target_name}'
  • A first target. Veracode SCA uses the first target to build the project and to rebuild the project after it collects findings. To configure a custom first target for scanning, add this argument to your project as an environment variable:

    SRCCLR_MAKE_BUILD_TARGET='{custom_build_target_name}'

To complete this task:

At the command line, run the scan command, pointing it at the directory of the C/C++ repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument at the command line.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.