Find vulnerabilities in Java with Ant

You can scan Java code in Ant repositories using the SCA agent command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis, see Java packaging.

Scan your code

You can scan any code repository to which you have access and that meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-java-ant

After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Maven code. Some scan directives are specific to Ant projects.

Before you begin:

The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. To test that the agent can build the project before scanning, run:

ant build

To complete this task:

At the command line, run the scan command pointed to the directory of the Ant repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument at the command line.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.

Fix example direct vulnerability

When your configuration file specifically references a library, or you add the library to your project as a JAR file, Veracode SCA refers to the library as a direct dependency.

These example steps provide a fix for an Unauthorized Modification of Nodes vulnerability in Apache Kafka, version 0.9.0.1 in the example-java-ant repository.

To complete this task:

  1. Delete the kafka_2.11-0.9.0.1.jar file in the libsrc/ directory. The libsrc/ directory is the location where you store the JAR files for your project.
  2. From the issue details page, click the link to the appropriate version of the Apache Kafka library in Maven Central.
  3. Within that page, select the download link for the Apache Kafka JAR file.
  4. Download the JAR file to the libsrc/ directory.
  5. Validate the fix.
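
As an added example (not part of the Veracode documentation), the following POSIX shell functions support step 5: they inventory the JARs in an Ant project's libsrc/ directory as artifact/version pairs and report whether the vulnerable kafka_2.11-0.9.0.1.jar named above is still present, before you re-run srcclr scan. The function names and the libsrc/ path are assumptions.

```shell
#!/bin/sh
# Added example, not Veracode's code: check an Ant project's libsrc/ directory
# for the vulnerable Apache Kafka JAR named on this page (kafka_2.11-0.9.0.1.jar).

# Split a JAR filename such as kafka_2.11-0.9.0.1.jar into "artifact version".
# The version is everything after the last '-' that is followed by a digit
# (qualifiers such as 1.2-SNAPSHOT are kept with the version).
jar_coordinates() {
    base=$(basename "$1" .jar)
    version=$(printf '%s' "$base" | sed -n 's/.*-\([0-9][0-9A-Za-z.-]*\)$/\1/p')
    if [ -z "$version" ]; then
        printf '%s unknown\n' "$base"
    else
        artifact=${base%-"$version"}
        printf '%s %s\n' "$artifact" "$version"
    fi
}

# Print one "artifact version" line per JAR found in the given directory.
libsrc_inventory() {
    for jar in "$1"/*.jar; do
        [ -e "$jar" ] || continue
        jar_coordinates "$jar"
    done
}

# Return 0 when no JAR in the directory matches the artifact/version pair,
# 1 when the vulnerable JAR is still present (the fix is not complete).
check_fixed() {
    dir=$1; bad_artifact=$2; bad_version=$3
    libsrc_inventory "$dir" | while read -r artifact version; do
        if [ "$artifact" = "$bad_artifact" ] && [ "$version" = "$bad_version" ]; then
            echo "still present in $dir: $artifact $version"
            exit 1
        fi
    done
}

# Usage: sh check_libsrc.sh path/to/project/libsrc
if [ -n "${1:-}" ]; then
    check_fixed "$1" kafka_2.11 0.9.0.1
fi
```

A zero exit status only confirms that the specific JAR is gone from libsrc/; the authoritative result is the next srcclr scan of the repository.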