Find and resolve vulnerabilities
To find and resolve vulnerabilities in your repositories, use SCA Agent-based Scan to scan your repositories and get recommendations for resolving vulnerabilities. You can run scans using the command-line interface or the repo integrations.
Resolve direct vulnerabilities
When your configuration file references a library, Veracode SCA considers the library a direct dependency. You can identify the vulnerabilities in direct dependencies from the Vulnerability issues list on the Issues page of your workspace. From this list, click the issue ID for details about the vulnerability, including instructions for fixing it.
Usually, the best way to fix a vulnerability in a direct dependency is to update the version in use to the version that Veracode SCA recommends. Some libraries include vulnerabilities that are not yet fixed. Therefore, the agent-based scan cannot always provide reliable update versions. In these cases, we recommend either creating a pull request to the vulnerable library or using a different library in your code.
Resolve transitive vulnerabilities
Direct dependencies often depend on other libraries, known as transitive dependencies. Vulnerabilities in transitive dependencies are common because, without Veracode SCA, developers often do not realize that the library they are adding to their project depends on a vulnerable library. Fixing vulnerabilities in transitive dependencies can be difficult because the direct dependency may require a specific version rather than a version range. You can find details on these issues by viewing your issues and leaving the Direct Libraries checkbox cleared. Transitive vulnerabilities are indicated in the Library column by the smaller arrow next to the library name. Selecting the issue number to view the issue details also shows the type of library, either direct or transitive.
Resolve vulnerability issues
When reviewing the scan results, view the issue details and follow the fix instructions provided in the Veracode Platform.
Resolve vulnerable methods
Within the issues across a given project, you can filter your list to display only vulnerabilities where a vulnerable method is in use by clicking the Vulnerable methods checkbox above your issues list. If a vulnerable method is in use, as indicated by the warning icon, it means that the specific piece of code which causes a given library to be vulnerable is being used by the code project it is found in. This is a crucial distinction from other vulnerabilities where you might not be using the vulnerable part of the code. In those cases, the vulnerability is more a matter of code hygiene where you would want to prevent developers from using this library in the future.
Within the issue details for a vulnerability where a vulnerable method is in use, Veracode SCA provides the full call path for every instance of a given vulnerable method. This helps you evaluate the importance of the vulnerability based on its usage within your project and change your own code rather than fixing the vulnerability by updating the library.
.NET
You can find vulnerabilities in your .NET repositories. You can scan .NET repositories using the SCA agent command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and SCA Upload and Scan, see Packaging .NET Applications.
You can scan any code repository that you have access to and that meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-dotnet
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your .NET code. Some scan directives are specific to .NET projects.
Before you begin:
Scanning a repository that uses .NET and one of its build or package managers requires the ability to assemble the project dependencies within the environment in which you scan the project. This includes these requirements:
- Meet the requirements for the Veracode SCA agent.
- Have access to the .NET repository.
- Have .NET, NuGet CLI, or MSBuild installed.
- Have CSPROJ, FSPROJ , or VBPROJ files present in the repository.
- Use the PackageReference format to declare NuGet dependencies in PROJ files.
- If project.assets.json files do not exist in the project directory tree, you must be able to run the nuget restore {path}, dotnet restore {path}, or msbuild /restore:true {path} command, where {path} is an absolute or relative path to an SLN or a PROJ file, from the project root.
For .NET Framework repositories that rely on the packages.config format to declare NuGet dependencies, consider converting the project to use the supported PackageReference format for best compatibility. For more information, see Migrate from packages.config to PackageReference.
To complete this task:
Run the scan command with the Veracode SCA CLI agent pointed to the directory of the .NET repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Java
You can find vulnerabilities in your Java applications. You can run a scan on Maven, Gradle, and Ant repositories using the SCA agent command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and SCA Upload and Scan, see Java packaging.
Run an agent-based scan for Maven
You can scan any code repository that you have access to and that meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-java-maven
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Maven code. Some scan directives are specific to Maven projects.
Before you begin:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Maven repository.
- Include the pom.xml file in the directory where you perform scans.
- Use Maven 3.1 or later with the executable installed in the local path.
- In your ~/.m2/settings.xml file, ensure that you properly set up any Nexus servers or authentications to successfully compile code.
- Be able to run the mvn dependency:tree command from the root of the project where you perform scans.
- If access to maven.apache.org is restricted, set the SRCCLR_MAVEN_DEP_TREE_COLLECTOR environment variable to true.
The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:
mvn compile -Dcheckstyle.skip=true -e -DskipTests \
-DskipITs -Dmaven.test.skip=true --fail-fast --nsu -Denforcer.skip=true
To complete this task:
At the command line, run the scan command pointed to the directory of the Maven repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Scan the dependency tree for Maven
The Veracode SCA agent can scan the output of the Maven dependency:tree command. For dependency tree scanning, the agent requires you to specify the --stdin=maven input option.
You must compile the project before scanning to enable vulnerable method analysis.
Dependency tree scanning disables scanning for all other package managers.
You can scan the dependency tree for Maven using either of these methods:
- Redirect the output of the Maven dependency:tree command directly to the Veracode SCA agent. For example:
  mvn dependency:tree | srcclr scan --stdin=maven
- Redirect the output of the dependency:tree command into a file and point the Veracode SCA agent to the file using the dependency_tree_file scan directive. For example, in Linux bash:
  mvn dependency:tree > tree.txt
  SRCCLR_DEPENDENCY_TREE_FILE=tree.txt srcclr scan --stdin=maven
If you want to specify the scope of dependencies included in the scan, we recommend setting the scope scan directive in the agent instead of setting the scope property of the mvn command. The scan directive allows more precise scope selection.
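The following Python script, added here as an example and not part of the Veracode agent or the example-java-maven repository, parses the text that mvn dependency:tree prints, separates direct from transitive dependencies by their nesting depth, and reports which direct dependency pulls in a vulnerable transitive library together with the pom.xml override that the Maven fix examples on this page use. The dependency tree and the advisory data are constructed from the two Maven fix examples; the com.example artifacts are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample of `mvn dependency:tree` output (not the example-java-maven tree;
# the com.example artifacts are hypothetical and only supply a path to orientdb-core).
SAMPLE_TREE = "\n".join([
    "[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ example-app ---",
    "[INFO] com.example:example-app:jar:1.0.0",
    "[INFO] +- org.apache.kafka:kafka_2.11:jar:0.9.0.1:compile",
    "[INFO] |  +- org.scala-lang:scala-library:jar:2.11.7:compile",
    r"[INFO] |  \- com.yammer.metrics:metrics-core:jar:2.2.0:compile",
    "[INFO] +- com.example:storage-adapter:jar:1.4.0:compile",
    r"[INFO] |  \- com.orientechnologies:orientdb-core:jar:2.1.9:compile",
    r"[INFO] |     \- com.orientechnologies:orientdb-tools:jar:2.1.9:compile",
    r"[INFO] \- junit:junit:jar:4.12:test",
    "[INFO] ------------------------------------------------------------------------",
])

# Advisory data constructed from the two Maven fix examples on this page.
ADVISORIES = {
    ("org.apache.kafka", "kafka_2.11"): {"title": "Unauthorized Modification of Nodes",
                                         "vulnerable": {"0.9.0.1"}, "fixed": "0.10.2.1"},
    ("com.orientechnologies", "orientdb-core"): {"title": "Timing Attack Via Comparison Function",
                                                 "vulnerable": {"2.1.9"}, "fixed": "2.1.11"},
}


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int                                 # 1 = direct dependency, >1 = transitive
    path: list = field(default_factory=list)   # ancestors as g:a:v, direct dependency first

    @property
    def gav(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_coord(coord: str):
    """Split groupId:artifactId:type[:classifier]:version[:scope] into (g, a, version, scope)."""
    parts = coord.split(":")
    if len(parts) < 4:
        return None
    version, scope = (parts[3], "") if len(parts) == 4 else (parts[-2], parts[-1])
    return parts[0], parts[1], version, scope


def parse_dependency_tree(text: str) -> list:
    """Turn dependency:tree text into Dep records carrying depth and ancestor path."""
    deps, stack = [], []
    for raw in text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        # Each nesting level is three columns wide; a node starts with "+- " or "\- ".
        hits = [i for i in (line.find("+- "), line.find("\\- ")) if i != -1]
        if not hits:
            stack.clear()          # root artifact, plugin banner or separator line
            continue
        pos = min(hits)
        coord = parse_coord(line[pos + 3:].strip())
        if coord is None:
            continue
        depth = pos // 3 + 1
        del stack[depth - 1:]      # keep only the ancestors of this node
        dep = Dep(*coord, depth=depth, path=[d.gav for d in stack])
        deps.append(dep)
        stack.append(dep)
    return deps


def find_vulnerable(deps: list, advisories: dict, scopes=None) -> list:
    """Match dependencies against the advisories and state the pom.xml fix for each hit."""
    findings = []
    for dep in deps:
        adv = advisories.get((dep.group, dep.artifact))
        if adv is None or dep.version not in adv["vulnerable"]:
            continue
        if scopes is not None and dep.scope not in scopes:   # mirrors the scope directive
            continue
        if dep.depth == 1:
            kind, fix = "direct", f"update {dep.artifact} to {adv['fixed']} in pom.xml"
        else:
            # Maven keeps the nearest declaration, so a direct declaration of the fixed
            # version overrides the copy that path[0] pulls in transitively.
            kind = "transitive"
            fix = (f"declare {dep.group}:{dep.artifact}:{adv['fixed']} as a direct dependency "
                   f"in pom.xml to override the version pulled in by {dep.path[0]}")
        findings.append({"library": dep.gav, "title": adv["title"], "kind": kind,
                         "introduced_by": dep.path[0] if dep.path else None, "fix": fix})
    return findings


def pom_override_snippet(group: str, artifact: str, version: str) -> str:
    """The <dependency> block to add to pom.xml, as in the fix examples above."""
    return (f"<dependency>\n  <groupId>{group}</groupId>\n  <artifactId>{artifact}</artifactId>\n"
            f"  <version>{version}</version>\n</dependency>")
```

Feed it real output with `mvn dependency:tree > tree.txt` and `parse_dependency_tree(open("tree.txt").read())`; the scopes argument lets you restrict findings the way the scope scan directive does.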
Fix example direct vulnerability for Maven
When your pom.xml configuration file specifically references a library, or you add the library to your project as a JAR file, Veracode SCA refers to the library as a direct dependency.
These example steps provide a fix for an Unauthorized Modification of Nodes vulnerability in Apache Kafka, version 0.9.0.1 in the example-java-maven repository.
To complete this task:
- Edit the pom.xml file in the root of the project to match this example:
  <dependency>
    <groupId>org.apache.kafka</groupId>
    <artifactId>kafka_2.11</artifactId>
    <version>0.10.2.1</version>
  </dependency>
Fix example transitive vulnerability for Maven
To fix a transitive library for Maven, override the transitive dependency by adding the appropriately versioned dependency as a direct library.
These steps provide a fix for a Timing Attack Via Comparison Function vulnerability in OrientDB Core, version 2.1.9 in the example-java-maven repository.
To complete this task:
- Add this text to the pom.xml file in the root of the project:
  <dependency>
    <groupId>com.orientechnologies</groupId>
    <artifactId>orientdb-core</artifactId>
    <version>2.1.11</version>
  </dependency>
Run an agent-based scan for Gradle
You can scan any code repository that you have access to and that meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-java-gradle
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Gradle code. Some scan directives are specific to Gradle projects.
Before you begin:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Gradle repository.
- Use Gradle version 8 or earlier.
- Have the Gradle executable installed in your path or include the gradlew wrapper file in the project repository.
- Include the build.gradle file in the directory where you perform the scan.
- In ~/.gradle/gradle.properties, ensure you properly set up any Nexus servers or authentications to successfully compile code.
- Be able to run the gradle dependencies command from the root of the project where you perform the scan.
- If access to maven.apache.org is restricted, set the SRCCLR_GRADLE_DEP_TREE_COLLECTOR environment variable to true.
The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:
./gradlew projects classes
To complete this task:
At the command line, run the scan command pointed to the directory of the Gradle repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Scan the dependency tree for Gradle
The Veracode SCA agent can scan the output of the Gradle dependencies task. For dependency tree scanning, the agent requires you to specify the --stdin=gradle input option.
You must compile the project before scanning to enable vulnerable method analysis.
Dependency tree scanning disables scanning for all other package managers.
You can scan the dependency tree for Gradle using either of these methods:
- Redirect the output of the Gradle dependencies task directly to the Veracode SCA agent. For example, in Linux bash:
  ./gradlew dependencies | srcclr scan --stdin=gradle
- Redirect the output of the Gradle dependencies task into a file and point the Veracode SCA agent to the file using the dependency_tree_file scan directive. For example, in Linux bash:
  ./gradlew dependencies > tree.txt
  SRCCLR_DEPENDENCY_TREE_FILE=tree.txt srcclr scan --stdin=gradle
For multi-project Gradle builds, you might need to prefix the dependencies task with a subproject name and a colon in the gradle or gradlew command. For example: my-subproject:dependencies.
If you want to specify the scope of dependencies included in the scan, you can use the --configuration option with the dependencies task for gradle or gradlew. The scope scan directive for the agent does not support dependency tree scanning for Gradle.
Fix example direct vulnerability for Gradle
When your build.gradle configuration file specifically references a library, or you add the library to your project as a JAR file, Veracode SCA refers to the library as a direct dependency.
These example steps provide a fix for an Unauthorized Modification of Nodes vulnerability in Apache Kafka, version 0.9.0.1 in the example-java-gradle repository.
To complete this task:
- Edit the build.gradle file in the root of the project, and edit the dependencies scope to match this example:
  compile 'org.apache.kafka:kafka_2.11:0.10.2.1'
Fix example transitive vulnerability for Gradle
To fix a transitive library for Gradle, override the transitive dependency by adding the appropriately versioned dependency as a direct library.
These steps provide a fix for a Timing Attack Via Comparison Function vulnerability in OrientDB Core, version 2.1.9 in the example-java-gradle repository.
To complete this task:
- Edit the build.gradle file in the root of the project, and add this text in the dependencies scope:
  compile ('com.orientechnologies:orientdb-core:2.1.11') {
      force = true
  }
Fix example vulnerable method for Gradle
Veracode SCA supports vulnerable method analysis for the Gradle, Maven, and Ant package managers.
These example steps provide a fix for an Information Disclosure vulnerable method in the jBCrypt library in the example-java-gradle repository.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select your workspace.
- Select Projects.
- Select the srcclr/example-java-gradle project.
- Select Information Disclosure Of Password Hashes Through Crypt_raw in the Vulnerabilities table. The Vulnerable Methods section shows that the crypt_raw method is the vulnerable part of the library.
- To address the identified vulnerable method, do one of these tasks:
  - Change your code to perform in the same manner without relying on this particular method.
  - Follow the provided instructions to update the library to a safe version.
Run an agent-based scan for Ant
You can scan any code repository that you have access to and that meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-java-ant
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Ant code. Some scan directives are specific to Ant projects.
Before you begin:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Ant repository.
- Use Ant version 1.9.0 or later.
- Have build targets in the Ant build file that compile projects with the javac tag.
The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:
ant build
To complete this task:
At the command line, run the scan command pointed to the directory of the Ant repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Fix example direct vulnerability for Ant
When your configuration file specifically references a library, or you add the library to your project as a JAR file, Veracode SCA refers to the library as a direct dependency.
These example steps provide a fix for an Unauthorized Modification of Nodes vulnerability in Apache Kafka, version 0.9.0.1 in the example-java-ant repository.
To complete this task:
- Delete the kafka_2.11-0.9.0.1.jar file in the libsrc/ directory. The libsrc/ directory is the location where you store the JAR files for your project.
- From the issue details page, click the link to the appropriate version of the Apache Kafka library in Maven Central.
- Within that page, select the download link for the Apache Kafka JAR file.
- Download the JAR file to the libsrc/ directory.
- Validate the fix.
JavaScript
You can find vulnerabilities in your JavaScript applications. You can run a scan on NPM, Yarn and Bower repositories using the command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and SCA Upload and Scan, see Packaging JavaScript and TypeScript applications.
Run an agent-based scan for NPM
You can scan any code repository that you have access to and that meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-javascript
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your NPM code. Some scan directives are specific to NPM projects or, like scope, require NPM-specific configurations.
Before you begin:
- Meet the requirements for the Veracode SCA agent.
- Have access to the NPM repository.
- Have NPM 2.10.0 or later installed on the local path.
- In the repository to scan, include the package.json, package-lock.json, or npm-shrinkwrap.json file with the lockfile format set to version 3 or lower.
- If neither npm-shrinkwrap.json nor package-lock.json exists, be able to run the npm ls command from the root of the project where you perform scans.
The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:
npm install --only=production
npm ls --only=production --json
To complete this task:
At the command line, run the scan command pointed to the directory of the NPM repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Fix example direct vulnerability for NPM
When your configuration file specifically references a library, Veracode SCA refers to the library as a direct dependency.
These example steps provide a fix for a Cross-site Scripting (XSS) Using Non-standard Encodings vulnerability in Express, version 4.1.1 in the example-javascript repository.
To complete this task:
- Run this command to edit the package.json file in the root of the project:
  npm install [email protected] --save
Fix example transitive vulnerability for NPM
Because NPM projects allow for multiple versions of the same library, you cannot override a vulnerable library by adding the appropriate version directly to the configuration file.
These steps provide a fix for a Timing Attack Via Signature Validation vulnerability in cookie-signature, version 1.0.3 in the example-javascript repository. In this example, the recommended version of cookie-signature is 1.0.4.
Before you begin:
You must have already run a Veracode SCA agent-based scan or run the npm install command to install dependencies. These actions result in a node_modules folder and a package-lock.json appearing in your project.
To complete this task:
- Add this resolutions section to your package.json file:
  "resolutions": {
    "cookie-signature": "1.0.4"
  }
  If a resolutions section already exists, add "cookie-signature": "1.0.4" to it.
- Add this scripts section to your package.json file:
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  }
  If a scripts section already exists, add "preinstall": "npx npm-force-resolutions" to it. This change makes the npm install command force the version resolution of the cookie-signature library to 1.0.4, according to the resolutions section, using the NPM Force Resolutions package.
- Delete the node_modules folder.
- Run the npm install command to download the updated dependency and ensure the updated version works with your project.
Next steps:
If you encounter problems using the NPM force-resolutions package, you can use this alternative method.
Fix example transitive vulnerability for NPM without force resolutions
If you encounter problems using the NPM force-resolutions package, you can use this alternative method to fix transitive vulnerabilities in NPM projects.
Before you begin:
- Run a Veracode SCA agent-based scan or run the npm install command to install dependencies. These actions result in a node_modules folder and a package-lock.json appearing in your project.
- Use NPM version 3.10.4 or later.
To complete this task:
- Run the npm shrinkwrap command in the same directory as your package.json file. This command generates an npm-shrinkwrap.json file with all the dependencies currently in use.
- Find the cookie-signature library with the version specified in the issue details viewed previously. In this example, version 1.0.3 is vulnerable and the recommended version is 1.0.4.
- Edit the npm-shrinkwrap.json file to update the cookie-signature library:
  "cookie-signature": {
    "version": "1.0.4",
    "from": "[email protected]",
    "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.4.tgz"
  }
- Delete the node_modules folder.
- Run the npm install command to download the updated dependency and ensure the updated version works with your project.
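Editing npm-shrinkwrap.json by hand covers one nested copy of cookie-signature. The Python script below, added here as an example and not part of the Veracode documentation or the example-javascript repository, applies the same edit to every nested copy of a package at a vulnerable version in a lockfileVersion 1 tree and also to the flat packages map that lockfileVersion 2 adds. The sample shrinkwrap and its integrity value are constructed.

```python
import copy
import json

# Constructed npm-shrinkwrap.json fragment in lockfileVersion 1 layout (nested
# "dependencies"). It is not taken from the example-javascript repository: the nested
# cookie-signature 1.0.3 under express is the transitive copy the page describes, and
# the "integrity" field is included only to show why it must not be left stale.
SAMPLE_SHRINKWRAP = {
    "name": "example-javascript", "version": "1.0.0", "lockfileVersion": 1,
    "dependencies": {
        "express": {
            "version": "4.1.1",
            "from": "express@4.1.1",
            "resolved": "https://registry.npmjs.org/express/-/express-4.1.1.tgz",
            "dependencies": {
                "cookie-signature": {
                    "version": "1.0.3",
                    "from": "cookie-signature@1.0.3",
                    "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.3.tgz",
                    "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-HASH",
                }
            },
        },
        # A second, already safe copy at top level: npm permits several versions at once.
        "cookie-signature": {
            "version": "1.0.4",
            "from": "cookie-signature@1.0.4",
            "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.4.tgz",
        },
    },
}


def registry_tarball(name: str, version: str) -> str:
    """Tarball URL in the form the shrinkwrap example above uses (handles @scope/pkg)."""
    return f"https://registry.npmjs.org/{name}/-/{name.rsplit('/', 1)[-1]}-{version}.tgz"


def pin_transitive(lockfile: dict, name: str, vulnerable: set, fixed: str) -> list:
    """Rewrite every copy of `name` at a vulnerable version to `fixed`, in place.

    Returns the install paths that changed, e.g. "express > cookie-signature".
    """
    patched = []

    def repin(entry: dict, where: str) -> None:
        entry["version"] = fixed
        entry["from"] = f"{name}@{fixed}"
        entry["resolved"] = registry_tarball(name, fixed)
        # The integrity hash belongs to the old tarball; leaving it makes npm install
        # fail with EINTEGRITY, so drop it and let npm recompute it on install.
        entry.pop("integrity", None)
        patched.append(where)

    def walk(deps: dict, chain: list) -> None:   # lockfileVersion 1: nested tree
        for dep_name, entry in deps.items():
            here = chain + [dep_name]
            if dep_name == name and entry.get("version") in vulnerable:
                repin(entry, " > ".join(here))
            walk(entry.get("dependencies", {}), here)

    walk(lockfile.get("dependencies", {}), [])
    # lockfileVersion 2 also carries a flat "packages" map keyed by install path.
    for path, entry in lockfile.get("packages", {}).items():
        if path.endswith("node_modules/" + name) and entry.get("version") in vulnerable:
            repin(entry, path)
    return patched


def pin_in_file(filename: str, name: str, vulnerable: set, fixed: str) -> list:
    """Apply pin_transitive to an npm-shrinkwrap.json or package-lock.json on disk."""
    with open(filename, encoding="utf-8") as fh:
        lockfile = json.load(fh)
    patched = pin_transitive(lockfile, name, vulnerable, fixed)
    if patched:
        with open(filename, "w", encoding="utf-8") as fh:
            json.dump(lockfile, fh, indent=2)
            fh.write("\n")
    return patched


def demo() -> dict:
    """Run the page's cookie-signature 1.0.3 -> 1.0.4 fix on a copy of the sample."""
    lockfile = copy.deepcopy(SAMPLE_SHRINKWRAP)
    patched = pin_transitive(lockfile, "cookie-signature", {"1.0.3"}, "1.0.4")
    return {"patched": patched, "lockfile": lockfile}
```

After running pin_in_file("npm-shrinkwrap.json", "cookie-signature", {"1.0.3"}, "1.0.4"), delete node_modules and run npm install as in the steps above, then rescan to confirm the transitive copy is gone.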
Fix example vulnerable method for NPM
Veracode SCA supports vulnerable method analysis for NPM packages using the NPM and Yarn package managers. It does not support vulnerable method analysis with Bower.
These example steps provide a fix for a Regular Expression Denial Of Service (ReDoS) vulnerable method in the marked library in the example-javascript-vulnerable-methods repository.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select your workspace.
- Select Projects.
- Select the srcclr/example-javascript-vulnerable-methods project.
- Select Regular Expression Denial Of Service (ReDoS) in the Vulnerabilities table. The Vulnerable Methods section shows that the marked.InlineLexer method is the vulnerable part of the library.
- To address the identified vulnerable method, do one of these tasks:
  - Change your code to perform in the same manner without relying on this particular method.
  - Follow the provided instructions to update the library to a safe version.
Run an agent-based scan for Yarn
You can scan Yarn projects but not Yarn workspaces. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-javascript-yarn
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Yarn code. The scope directive requires Yarn-specific configurations.
Before you begin:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Yarn repository.
- Have NPM 2.10.0 or later installed on the local path.
- Include the yarn.lock file in the repository to scan.
- Include the package.json file in the repository to scan, in the same directory as the yarn.lock file.
- Have Yarn installed through NPM and located on the local path.
The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:
node -e "var fs = require('fs'); \
var parse = require('../lib/lockfile/parse.js').default; \
var contents = fs.readFileSync('/path/to/example-javascript-yarn/yarn.lock', 'utf8'); \
console.log(JSON.stringify(parse(contents)));"
To complete this task:
At the command line, run the scan command pointed to the directory of the Yarn repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Fix example direct vulnerability for Yarn
When your configuration file specifically references a library, Veracode SCA refers to the library as a direct dependency.
These example steps provide a fix for a Cross-site Scripting (XSS) Using Non-standard Encodings vulnerability in Express, version 4.1.1 in the example-javascript-yarn project.
To complete this task:
- Run these commands to edit the Yarn file in the root of the project:
  yarn upgrade [email protected]
  yarn install --flat
Fix example transitive vulnerability for Yarn 1.0 or later
Because Yarn projects allow for multiple versions of the same library, you cannot override a vulnerable library by adding the appropriate version directly to the configuration file.
These steps provide a fix for a Timing Attack Via Signature Validation vulnerability in cookie-signature, version 1.0.3 in the example-javascript-yarn repository.
To complete this task:
- Add this resolutions section to your package.json file:
  "resolutions": {
    "cookie-signature": "1.0.4"
  }
  If a resolutions section already exists, add "cookie-signature": "1.0.4" to it.
- Run the yarn install command.
Next steps:
After completing these steps, build, test, and rescan your project to ensure the fix succeeded.
Fix example transitive vulnerability for Yarn earlier than 1.0
Because Yarn projects allow for multiple versions of the same library, you cannot override a vulnerable library by adding the appropriate version directly to the configuration file.
These steps provide a fix for a Timing Attack Via Signature Validation vulnerability in cookie-signature, version 1.0.3 in the example-javascript-yarn repository.
To complete this task:
- Run this command to install cookie-signature library 1.0.4:
  yarn add [email protected]
- Run this command and, when prompted, choose the latest version:
  yarn install --flat
Next steps:
After completing these steps, build, test, and rescan your project to ensure the fix succeeded.
Bower
You can scan any code repository that you have access to and that meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-javascript-bower
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Bower code. Some scan directives are specific to Bower projects.
Before you begin:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Bower repository.
- Have Bower installed on the path.
- Include the bower.json file in the repository to scan.
- Be able to run bower install and bower list from the root of the project where you perform scans. For both commands, use the --allow-root flag when the user is the superuser (root) by setting the allow_root scan directive or the SRCCLR_ALLOW_ROOT environment variable to true.
The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:
bower install
bower list --json
To complete this task:
At the command line, run the scan command pointed to the directory of the Bower repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Fix example direct vulnerability
When your configuration file specifically references a library, Veracode SCA refers to the library as a direct dependency.
These example steps provide a fix for a Cross-site Scripting (XSS) Through link-to Title Attribute vulnerability in Ember, version 1.2.0 in example-javascript-bower repository.
To complete this task:
- Add this line to the bower.json file in the root of the project:
  "ember": "1.2.2"
- Run this command to install Ember version 1.2.2:
  bower update ember
Fix example transitive vulnerability
To fix a transitive library for Bower, override the transitive dependency by specifying how to resolve the dependency.
These steps provide a fix for a Cross-site Scripting (XSS) vulnerability in jQuery, version 1.10.2 in the example-javascript-bower repository.
To complete this task:
- Add the appropriate version of jQuery to the bower.json file with a defined resolutions section:
"dependencies": {
  ...
  "jquery": "1.12.0",
  ...
},
"resolutions": {
  ...
  "jquery": "1.12.0",
  ...
}
- Run this command to download the updated jQuery library:
bower update jquery
Next steps:
After completing these steps, build, test, and rescan your project to ensure the fix succeeded.
Go
You can find vulnerabilities in your Go applications. You can scan Glide, go get, Go modules, Godep, Govendor, and Trash repositories using the command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and SCA Upload and Scan, see Packaging Go applications.
You can scan any code repository to which you have access and meet the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
- Glide: git clone https://github.com/veracode/example-go-glide
- Go Get: git clone https://github.com/veracode/example-go-goget
- Go Modules: git clone https://github.com/veracode/example-go-modules
- Godep: git clone https://github.com/veracode/example-go-godep
- Govendor: git clone https://github.com/veracode/example-go-govendor
- Trash: git clone https://github.com/veracode/example-go-trash
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Go code. Some scan directives are specific to Go projects.
Before you begin:
Scanning a repository that uses Go and one of its build or package managers requires the ability to assemble the project dependencies within the environment in which you scan the project. This includes these requirements:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Go repository.
- Use Go version 1.5 or later.
- Ensure that the project can build in the environment where the agent performs scans.
- Ensure that the GOROOT and GOPATH environment variables are set to the correct directories, and that the bin subdirectory of GOROOT is included in the PATH environment variable. For example, if GOROOT is set to /usr/local/go, you should include /usr/local/go/bin in your PATH. See the Go documentation for more information on configuring Go projects.
- If you use Godep, Govendor, Glide, or Trash, ensure the package manager is installed.
- For these tools, meet the specified requirement:
  - Glide: include the Glide.lock file
  - Go get: use Go version 1.5–1.15
  - Godep: include the Godeps/Godeps.json file
  - Golangdep: include the Gopkg.lock file
  - Govendor: include the vendor/vendor.json file
  - Trash: include the vendor.conf file
  - Go modules:
    - Run this command: go list -deps -json all
    - Run this command to add any missing modules required for the build: go mod tidy
    - To avoid downloading required packages during scanning, which can decrease scan speeds, run this command to download the packages prior to scanning: go mod vendor
    - Use the GOFLAGS environment variable to pass any arguments required for the build. For example: GOFLAGS='-buildvcs=false'
If you set FORCE_GO_INSTALL to true as a scan directive or environment variable or use the --url argument, the Veracode SCA agent runs specific commands to identify the dependencies and their versions in your project. You can run these commands before scanning to test that the agent can build the project:
- Glide: glide install
- Go get: go get -d ./...
- Godep: godep restore
- Govendor: govendor sync
- Trash: trash
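As an added example that is not part of the Veracode documentation, this POSIX shell pre-flight check mirrors the Go requirements above: it identifies the dependency tool from the marker file each tool must have and verifies that GOROOT and GOPATH are set and that GOROOT/bin is on the PATH. It deliberately does not invoke go; the sample repository and environment values are constructed.

```shell
#!/bin/sh
# Added example, not Veracode's code: a pre-flight check that mirrors the Go
# requirements listed above. It reports which dependency tool a repository uses,
# judged by the marker file each tool must have, and verifies the GOROOT/GOPATH/
# PATH layout. Assumes a POSIX shell; it deliberately does not invoke go.

# go_dependency_tool DIR -> prints glide, godep, golangdep, govendor, trash or
# modules according to the first marker file found, or goget if there is none.
go_dependency_tool() {
    dir=$1
    if   [ -f "$dir/glide.lock" ] || [ -f "$dir/Glide.lock" ]; then echo glide
    elif [ -f "$dir/Godeps/Godeps.json" ];                     then echo godep
    elif [ -f "$dir/Gopkg.lock" ];                             then echo golangdep
    elif [ -f "$dir/vendor/vendor.json" ];                     then echo govendor
    elif [ -f "$dir/vendor.conf" ];                            then echo trash
    elif [ -f "$dir/go.mod" ];                                 then echo modules
    else echo goget
    fi
}

# path_contains PATHVALUE DIR -> 0 if DIR is one of the colon-separated entries
path_contains() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# go_env_ok GOROOT GOPATH PATHVALUE -> 0 when both variables are set and
# GOROOT/bin is on the PATH; otherwise prints each unmet requirement and returns 1
go_env_ok() {
    rc=0
    [ -n "$1" ] || { echo "GOROOT is not set"; rc=1; }
    [ -n "$2" ] || { echo "GOPATH is not set"; rc=1; }
    if [ -n "$1" ] && ! path_contains "$3" "$1/bin"; then
        echo "$1/bin (GOROOT/bin) is not in PATH"; rc=1
    fi
    return $rc
}

# go_preflight DIR -> prints the tool and the environment findings for DIR,
# using the real GOROOT, GOPATH and PATH of the current shell
go_preflight() {
    echo "dependency tool: $(go_dependency_tool "$1")"
    go_env_ok "${GOROOT:-}" "${GOPATH:-}" "$PATH"
}

# Constructed demo: a temporary repository with a go.mod, checked against the
# example layout from the requirements above (GOROOT=/usr/local/go).
demo=$(mktemp -d)
touch "$demo/go.mod"
echo "dependency tool: $(go_dependency_tool "$demo")"
go_env_ok /usr/local/go /home/dev/go "/usr/local/bin:/usr/local/go/bin:/usr/bin" \
    && echo "Go environment OK"
rm -r "$demo"
```

Run go_preflight on a checkout to see the same checks against the environment the agent will actually scan in.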
To complete this task:
At the command line, run the scan command pointed to the directory of the Go repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Fix example vulnerable method
These example steps provide a fix for a Denial of Service (DoS) attack vulnerable method in golang.org/x/text, which is included in the example-go-modules repository.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select your workspace.
- Select Projects.
- Select the veracode/example-go-modules project.
- From Issues, search for CVE-2021-38561 and select the issue number.
- Go to Vulnerable Methods, which shows that the Parse method is the vulnerable part of the library.
- To address the identified vulnerable method, do one of these tasks:
  - Change your code to perform in the same manner without relying on this particular method.
  - Follow the provided instructions to update the library to a safe version.
PHP
You can find vulnerabilities in your PHP applications. You can scan Composer repositories using the command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and SCA Upload and Scan, see Packaging PHP applications.
You can scan any code repository to which you have access and meet the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-php-composer
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your PHP code. Some scan directives are specific to PHP projects.
Before you begin:
Scanning a repository that uses PHP and one of its build or package managers requires the ability to assemble the project's dependencies within the environment in which you scan the project. This includes these requirements:
- Meet the requirements for the Veracode SCA agent.
- Have access to the PHP repository.
- Have PHP 5.3.2 or later installed.
- Have Composer 1.0.0 or later installed.
- Have composer.json or composer.lock files present in the repository.
- Be able to run the composer install or php composer.phar install command from the root of the project where you perform scans.
The Veracode SCA agent runs specific commands to identify the dependencies and their versions in your project. You can run these commands before scanning to test that the agent can build the project:
composer install
composer show --tree
To complete this task:
At the command line, run the scan command pointed to the directory of the PHP repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Python
You can find vulnerabilities in your Python applications. You can scan Python repositories using the command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and SCA Upload and Scan, see Packaging Python applications.
You can scan any code repository to which you have access and meet the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-python
git clone https://github.com/veracode/example-python-pipenv
git clone https://github.com/veracode/example-python3-poetry
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Python code. Some scan directives are specific to Python projects.
Before you begin:
Scanning a repository that uses PyPI for package management requires the ability to assemble your libraries within the environment in which you scan the project. This includes these requirements:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Python repository.
- Your code repository uses Python 2.x or 3.x.
- Have Python 2.x or 3.x installed in your path.
- For pip:
  - Install pip version 10.0.0 or later.
  - Include one of these files in the repository: setup.py, requirements.txt, requirements-dev.txt, or dev-requirements.txt.
- For pipenv:
  - Install pipenv in your path.
  - Include one of these files in the repository: Pipfile or Pipfile.lock.
- For Poetry: include both pyproject.toml and poetry.lock in the repository.
- Be able to perform one of these installation tasks:
  - pip: from the project root, run pip install -r <requirements-file>, where <requirements-file> is requirements.txt, requirements-dev.txt, or dev-requirements.txt.
  - pip: run the python setup.py install command.
  - pipenv: be able to run pipenv sync if the Pipfile.lock file is available, or pipenv install if the file is unavailable.
  - Poetry: N/A
- Exclude optional dependencies from your requirements files or lock files to avoid false negative results.
To complete this task:
At the command line, run the scan command pointed to the directory of the Python repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Fix example direct vulnerability
When a library is specifically referenced in your setup.py, requirements.txt, requirements-dev.txt, or dev-requirements.txt, Veracode SCA refers to the library as a direct dependency.
These example steps provide a fix for a Denial of Service (DoS) Memory Consumption vulnerability in feedparser, version 5.1.1 in the example-python repository.
To complete this task:
- Edit the requirements.txt file in the root of the project to match the following:
feedparser== 5.1.2
Fix example transitive vulnerability
To fix a transitive library for Python, override the transitive dependency by adding the appropriately versioned dependency as a direct library to your configuration file, which can be a requirements.txt or setup.py file.
These steps provide a fix for a Cross-Site Scripting (XSS) vulnerability in html5lib, version .9999999 in the transitive_vulns branch of the example-python repository.
To complete this task:
- Edit the requirements.txt file in the root of the project and add the recommended version of the library:
html5lib== 0.99999999
Important: Updating some transitive libraries will fail because a specific version is required for usage. In cases such as these, you will need to update the directly specified library to a version which allows for the safe version to be used.
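As an added example that is not part of the Veracode documentation, this POSIX shell function applies both fixes above to a requirements.txt: it replaces the version spec when the library is already a direct dependency (feedparser) and appends a pinned line when the library is only transitive (html5lib), so the pin overrides the transitive version. The sample requirements file is constructed inline.

```shell
#!/bin/sh
# Added example, not Veracode's code: pin a library in requirements.txt to the
# version Veracode SCA recommends. If the library is already a direct dependency
# its version spec is replaced; if it is only transitive, a pinned line is
# appended so it becomes a direct dependency that overrides the transitive one.
# Names compare case-insensitively with "-" and "_" treated alike, as pip does.

# pin_requirement FILE NAME VERSION
pin_requirement() {
    file=$1
    awk -v want="$2" -v ver="$3" '
        function norm(s) { s = tolower(s); gsub(/_/, "-", s); return s }
        {
            line = $0
            sub(/#.*/, "", line)                       # drop trailing comment
            if (match(line, /^[A-Za-z0-9._-]+/)) {     # leading package name
                pkg = substr(line, RSTART, RLENGTH)
                if (norm(pkg) == norm(want)) {
                    print pkg "==" ver                 # replace the whole spec
                    found = 1
                    next
                }
            }
            print $0                                   # everything else as-is
        }
        END { if (!found) print want "==" ver }        # transitive: add as direct
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# pinned_version FILE NAME -> prints the "==" version pinned for NAME, or nothing
pinned_version() {
    awk -v want="$2" '
        function norm(s) { s = tolower(s); gsub(/_/, "-", s); return s }
        {
            line = $0
            sub(/#.*/, "", line)
            if (match(line, /^[A-Za-z0-9._-]+[ \t]*==[ \t]*/)) {
                pkg = line; sub(/[ \t]*==.*/, "", pkg)
                if (norm(pkg) == norm(want)) {
                    v = substr(line, RLENGTH + 1); sub(/[ \t]+$/, "", v)
                    print v; exit
                }
            }
        }' "$1"
}

# Constructed sample: a requirements.txt like the example-python one, with the
# vulnerable feedparser pin and an unrelated line that must be left untouched.
demo=$(mktemp -d)
printf 'feedparser== 5.1.1\nrequests>=2.0  # http client\n' > "$demo/requirements.txt"
pin_requirement "$demo/requirements.txt" feedparser 5.1.2      # direct fix
pin_requirement "$demo/requirements.txt" html5lib 0.99999999   # transitive override
cat "$demo/requirements.txt"
rm -r "$demo"
```

After pinning, rebuild, test, and rescan, because a transitive pin can conflict with the direct library that requires the old version, which is the case the Important note above describes.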
Fix example vulnerable method
These example steps provide a fix for a BERserk attack vulnerable method in rsa, which is included in the example-python repository.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select your workspace.
- Select Projects.
- Select the srcclr/example-python project.
- Select BERserk Attack Vulnerability in the rsa library in the Vulnerabilities table. The Vulnerable Methods section shows that the verify method is the vulnerable part of the library.
- To address the identified vulnerable method, do one of these tasks:
  - Change your code to perform in the same manner without relying on this particular method.
  - Follow the provided instructions to update the library to a safe version.
Ruby
You can scan any code repository to which you have access and meet the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-ruby
After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Ruby code. Some scan directives are specific to Ruby projects.
You can find vulnerabilities in your Ruby applications. You can scan Ruby Gem repositories using the command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and SCA Upload and Scan, see Packaging Ruby on Rails applications.
Before you begin:
Scanning a repository that uses Ruby and one of its build or package managers requires the ability to build the code within the environment in which you scan the project. This includes these requirements:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Ruby repository.
- Have Ruby installed on your local path. To scan vulnerable methods, you must have Ruby 2.x or later.
- Include a Gemfile in the repository that you plan to scan.
- If Gemfile.lock does not exist in the project root where you perform scans, you must be able to run the bundle install command from this project root.
- Have Bundler 1.1.0 or later installed on the local path.
The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:
bundle install --path vendor/bundle
To complete this task:
At the command line, run the scan command pointed to the directory of the Ruby repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Fix example direct vulnerability
These example steps provide a fix for a Cross-site Request Forgery (CSRF) vulnerability in administrate, version 0.1.4 in the example-ruby repository.
To complete this task:
- Edit the Gemfile in the root of the project to match the following:
gem 'administrate', '0.1.5'
- Run this command from your terminal within the project:
bundle update administrate
Fix example transitive vulnerability
To fix a transitive library for Ruby, override the transitive dependency by adding the appropriately versioned dependency as a direct library to your Gemfile.
These steps provide a fix for a Session Fixation vulnerability in rest-client, version 1.7.3 in the test-ruby-gem repository.
To complete this task:
- Edit the Gemfile in the root of the project and add the recommended version of the gem:
gem 'rest-client', '1.8.0.rc1'
- Run this command from your terminal within the project:
bundle update rest-client
Fix example vulnerable method
These example steps provide a fix for a Reflected Cross-site Scripting (XSS) through Unvalidated Input in Error Messages vulnerable method in rack-ssl, which is included in the example-ruby repository.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select your workspace.
- Select Projects.
- Select the srcclr/example-ruby project.
- Select Reflected Cross-site Scripting (XSS) through Unvalidated Input in Error Messages in the Vulnerabilities table. The Vulnerable Methods section shows that the redirect_to_https method is the vulnerable part of the library.
- To address the identified vulnerable method, do one of these tasks:
  - Change your code to perform in the same manner without relying on this particular method.
  - Follow the provided instructions to update the library to a safe version.
Scala
You can find vulnerabilities in your Scala applications. You can scan Scala repositories using the command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and SCA Upload and Scan, see Packaging Scala applications.
You can scan any code repository to which you have access and meet the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-sbt
Before you begin:
Scanning a repository which utilizes Scala and SBT requires the ability to assemble the project dependencies within the environment in which you scan the project. This includes these requirements:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Scala repository.
- Include build.sbt in the project's root folder.
- Build the project with SBT version 0.13.16 or later. If you are overriding the version in the project build.properties file, ensure the version is set to 0.13.16 or later.
- For Coursier and SBT, be able to successfully run sbt clean compile from the root of the project where you perform scans.
To complete this task:
At the command line, run the scan command pointed to the directory of the Scala repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Kotlin
You can find vulnerabilities in your Kotlin repositories. You can scan Maven and Gradle repositories using the command-line interface or the CI integrations.
The requirements for running a scan and reviewing results for Kotlin repositories are the same as the requirements for Java repositories.
For packaging instructions for Upload and Scan, see Packaging Kotlin applications.
Objective-C
You can find vulnerabilities in your Objective-C applications. You can scan Objective-C repositories using the command-line interface or the CI integrations.
SCA Agent-based Scan supports scanning Objective-C repositories managed with CocoaPods. It does not support other package managers.
For packaging instructions for Veracode Static Analysis and Upload and Scan, see Packaging Apple Platform applications.
You can scan any code repository to which you have access and meet the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-objc-cocoapods
Before you begin:
Scanning a repository that uses Objective-C and the CocoaPods package manager requires you to assemble the project dependencies within the environment in which you scan the project. Your environment must:
- Meet the requirements for the Veracode SCA agent
- Have access to the Objective-C repository
- Have a podfile.lock file present in the Objective-C repository. If podfile.lock does not exist in the project root where you perform scans, you must be able to run the pod install command from the project root.
To complete this task:
At the command line, run the scan command pointed to the directory of the Objective-C repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Swift
You can find vulnerabilities in your Swift applications. You can scan Swift repositories using the command-line interface or the CI integrations.
SCA Agent-based Scan supports Swift repositories managed with CocoaPods. It does not support the Swift package manager.
For packaging instructions for Veracode Static Analysis and SCA Upload and Scan, see Packaging Apple Platform applications.
You can scan any code repository to which you have access and meet the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-swift-cocoapods
Before you begin:
Scanning a repository that uses Swift and the CocoaPods package manager requires you to assemble the project dependencies within the environment in which you scan the project. Your environment must:
- Meet the requirements for the Veracode SCA agent
- Have access to the Swift repository
- Have a podfile.lock file present in the Swift repository. If podfile.lock does not exist in the project root where you perform scans, you must be able to run the pod install command from the project root.
To complete this task:
At the command line, run the scan command pointed to the directory of the Swift repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
C/C++
You can find vulnerabilities in your C/C++ applications. You can scan C/C++ repositories using the command-line interface or the CI integrations.
SCA Agent-based Scan supports native Linux C/C++ libraries for projects compiled with the Make build tool using the CLI agent on Linux or in your repos.
Agent-based scans can identify additional C/C++ libraries if they appear in supported package managers. See the list of native Linux C/C++ libraries and vulnerabilities that Veracode SCA monitors.
You can scan any code repository to which you have access and meet the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-cpp-makefile
Before you begin:
Scanning a repository that uses C/C++ libraries requires you to assemble the project dependencies within the environment in which you scan the project. Your environment must:
- Meet the requirements for the Veracode SCA agent
- Have SO files present in the C/C++ repository
- If using Windows or MacOS, have Docker installed
Additionally, your project must include a makefile that has:
- One of these filenames: GNUmakefile, makefile, or Makefile. Veracode SCA searches for these filenames, in this listed order, and identifies the first one it finds to be the project makefile.
- One of these strings: gcc, g++, clang, CMAKE, or CMake.
- A clean target. Veracode SCA uses the clean target to collect findings. To configure a custom clean target to scan, add this argument to your project as an environment variable:
SRCCLR_MAKE_CLEAN_TARGET='{custom_clean_target_name}'
- A first target. Veracode SCA uses the first target to build the project and to rebuild the project after it collects findings. To configure a custom first target for scanning, add this argument to your project as an environment variable:
SRCCLR_MAKE_BUILD_TARGET='{custom_build_target_name}'
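As an added example that is not part of the Veracode documentation, this POSIX shell script checks a C/C++ repository against the four makefile requirements above before the agent is pointed at it: the makefile name and search order, the compiler string, the clean target (or the SRCCLR_MAKE_CLEAN_TARGET override) and the first target (or the SRCCLR_MAKE_BUILD_TARGET override). The sample makefile is constructed inline.

```shell
#!/bin/sh
# Added example, not Veracode's code: pre-flight checks for the makefile
# requirements listed above, so a C/C++ repository can be validated before the
# agent scans it. Honours the SRCCLR_MAKE_CLEAN_TARGET and
# SRCCLR_MAKE_BUILD_TARGET overrides. Assumes a POSIX shell with awk and grep.

# find_project_makefile DIR -> prints the makefile the agent would pick, trying
# GNUmakefile, makefile, Makefile in that order; returns 1 if none exists.
find_project_makefile() {
    for name in GNUmakefile makefile Makefile; do
        if [ -f "$1/$name" ]; then echo "$name"; return 0; fi
    done
    return 1
}

# makefile_has_compiler FILE -> 0 if it contains gcc, g++, clang, CMAKE or CMake
makefile_has_compiler() {
    grep -q -E 'gcc|g\+\+|clang|CMAKE|CMake' "$1"
}

# makefile_has_target FILE TARGET -> 0 if a rule "TARGET:" is defined
makefile_has_target() {
    grep -q -E "^$2[[:space:]]*:([^=]|$)" "$1"
}

# makefile_first_target FILE -> prints the first rule target, which make (and
# therefore the agent) builds by default; special targets such as .PHONY are skipped
makefile_first_target() {
    awk '
        /^[ \t]*#/ { next }                        # comment line
        /^[^ \t:=#][^:=]*:([^=]|$)/ {              # "target: deps", not "VAR := x"
            t = $0; sub(/:.*/, "", t); sub(/[ \t]+$/, "", t)
            if (t !~ /^\./) { print t; exit }
        }' "$1"
}

# check_makefile DIR -> prints findings; returns 0 only when every requirement holds
check_makefile() {
    dir=$1; rc=0
    mk=$(find_project_makefile "$dir") \
        || { echo "no GNUmakefile, makefile or Makefile in $dir"; return 1; }
    echo "project makefile: $mk"
    mf="$dir/$mk"
    makefile_has_compiler "$mf" \
        || { echo "missing: a gcc, g++, clang, CMAKE or CMake reference"; rc=1; }
    clean=${SRCCLR_MAKE_CLEAN_TARGET:-clean}
    makefile_has_target "$mf" "$clean" || { echo "missing: '$clean' target"; rc=1; }
    if [ -n "${SRCCLR_MAKE_BUILD_TARGET:-}" ]; then
        makefile_has_target "$mf" "$SRCCLR_MAKE_BUILD_TARGET" \
            || { echo "missing: '$SRCCLR_MAKE_BUILD_TARGET' target"; rc=1; }
    else
        first=$(makefile_first_target "$mf")
        if [ -n "$first" ]; then echo "first target (used to build): $first"
        else echo "missing: a first target"; rc=1; fi
    fi
    return $rc
}

# Constructed sample makefile that satisfies all four requirements.
demo=$(mktemp -d)
printf 'CC = gcc\nCFLAGS := -O2\n.PHONY: all clean\nall: hello\nhello: hello.c\n\t$(CC) $(CFLAGS) -o hello hello.c\nclean:\n\trm -f hello\n' > "$demo/Makefile"
check_makefile "$demo"
rm -r "$demo"
```
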
To complete this task:
At the command line, run the scan command pointed to the directory of the C/C++ repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.
Validate resolved findings
After resolving vulnerabilities and license risk, but before committing your code changes, you can run an agent-based scan with the --allow-dirty flag to ensure the findings are resolved. This flag ignores uncommitted changes in your code. For example:
srcclr scan /path/to/<project_folder> --allow-dirty