Manage projects
A project is a local or remote repo that contains the application source code and dependencies you can scan with SCA Agent-based Scan. Projects are stored in a workspace and a workspace can contain multiple projects. To access the scan results from a central location, link the projects to the related application profiles.
Watch a project
On the Project Details page in the Veracode Platform, there is an option to watch a project.
If you have set a default branch, the Veracode Platform updates your issues automatically when the Veracode security research team releases a new vulnerability that affects you. If you are watching a project, the Veracode Platform emails a notification when a change affects that project.
View project history
SCA Agent-based Scan provides a history of scan results for your projects that allows you to review how your issues have changed since you created the project.
Veracode retains SCA agent-based scan data for 13 months. To view older data, go to Veracode Analytics.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Projects.
- Select a project.
- Select the Show History link. Veracode SCA displays a window showing the history of scans performed for the project.
- Select a scan to see the details for that scan.
Link projects to application profiles
You can link the projects to application profiles to enable a unified view of your results for all Veracode scans and include agent-based scan results in your application policy evaluations.
Linking a project to an application sends the inventory of that project to the application profile, allowing the application profile to reflect all libraries, licenses, and vulnerabilities found through agent-based scans.
If you have renamed third-party library files, an agent-based scan and an upload scan of the same application might report the same library as two separate findings.
You can link multiple projects to an application. If you want to link one project to multiple applications, you need to scan that project under multiple workspaces, then link each instance of that project to a different application.
To include agent-based results in the policy evaluation for your application, you must perform at least one upload scan of the application before linking an SCA project to the application.
You cannot link scan results from a container project to an application profile.
Before you begin:
You must have the Security Lead, Workspace Administrator, or Workspace Editor role to link projects to applications.
To complete this task:
- Go to Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Projects.
- Select the project you want to link to an application.
- Select Settings > Link to Application.
- Select an application from the dropdown.
- Select Save.
The application now appears in the Linked Application column of the Project List table. The project is now included in the Linked Projects column of the Applications list on the Upload and Scan tab.
Results:
After you link a project to an application, Veracode includes the findings from agent-based scans of that project in your application results and Veracode reports, displaying them exactly like the findings from scans of uploaded applications. To extract findings from linked projects using an API, we recommend using the Findings REST API.
Link projects using the API
To perform this task with an API, use the linkAppProject and unlinkAppProject endpoints of the SCA REST API.
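The page recommends the Findings REST API for pulling findings from linked projects. The following is an added example (not Veracode's code and not taken from this page) that walks every page of SCA findings for one linked application and keeps the open policy violations. It assumes the commercial-region host `api.veracode.com`, the `requests` and `veracode-api-signing` packages for HMAC authentication, and the Findings API field names (`_embedded.findings`, `finding_details.component_filename`, `finding_details.cve`, `finding_status.status`, `violates_policy`, `_links.next.href`) as I know them; the sample pages are constructed and carry placeholder identifiers.

```python
from typing import Any, Dict, Iterable, Iterator, List

# Assumption: commercial-region base URL; other regions use a different host.
API_BASE = "https://api.veracode.com"


def sca_findings_url(app_guid: str, page_size: int = 500) -> str:
    """Findings REST API resource for one application, restricted to SCA results."""
    return f"{API_BASE}/appsec/v2/applications/{app_guid}/findings?scan_type=SCA&size={page_size}"


def iter_pages(url: str) -> Iterator[Dict[str, Any]]:
    """Follow the HAL _links.next.href chain until there is no next page.

    Needs the requests and veracode-api-signing packages and the
    VERACODE_API_KEY_ID / VERACODE_API_KEY_SECRET credentials in the environment
    (or ~/.veracode/credentials). Imported lazily so the pure functions below
    work without those packages installed.
    """
    import requests
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC

    auth = RequestsAuthPluginVeracodeHMAC()
    while url:
        resp = requests.get(url, auth=auth, timeout=60)
        resp.raise_for_status()
        page = resp.json()
        yield page
        url = ((page.get("_links") or {}).get("next") or {}).get("href")


def flatten_sca_findings(pages: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One flat row per SCA finding. Field names are an assumption about the
    Findings REST API response shape; verify them against your own output."""
    rows: List[Dict[str, Any]] = []
    for page in pages:
        for f in (page.get("_embedded") or {}).get("findings") or []:
            d = f.get("finding_details") or {}
            cve = d.get("cve") or {}
            rows.append({
                "issue_id": f.get("issue_id"),
                "component": d.get("component_filename"),
                "version": d.get("version"),
                "cve": cve.get("name"),
                "cvss": cve.get("cvss"),
                "severity": d.get("severity"),
                "status": (f.get("finding_status") or {}).get("status"),
                "violates_policy": bool(f.get("violates_policy")),
            })
    return rows


def open_policy_violations(rows: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """The subset that blocks the application's policy: still open and flagged as a violation."""
    return [r for r in rows if r["violates_policy"] and r["status"] != "CLOSED"]


# Constructed two-page sample in the response shape assumed above (placeholder ids, no real data).
SAMPLE_PAGES: List[Dict[str, Any]] = [
    {"_embedded": {"findings": [
        {"issue_id": 1, "scan_type": "SCA", "violates_policy": True,
         "finding_status": {"status": "OPEN"},
         "finding_details": {"component_filename": "example-lib-1.0.0.jar", "version": "1.0.0",
                             "severity": 4, "cve": {"name": "CVE-XXXX-NNNNN", "cvss": 7.5}}},
        {"issue_id": 2, "scan_type": "SCA", "violates_policy": True,
         "finding_status": {"status": "CLOSED"},
         "finding_details": {"component_filename": "example-lib-1.0.0.jar", "version": "1.0.0",
                             "severity": 3, "cve": {"name": "CVE-XXXX-NNNNM", "cvss": 5.0}}},
    ]}, "_links": {"next": {"href": "<next page>"}}},
    {"_embedded": {"findings": [
        {"issue_id": 3, "scan_type": "SCA", "violates_policy": False,
         "finding_status": {"status": "OPEN"},
         "finding_details": {"component_filename": "other-lib-2.3.1.jar", "version": "2.3.1",
                             "severity": 2, "cve": {"name": None, "cvss": 3.1}}},
    ]}, "_links": {}},
]

if __name__ == "__main__":
    import sys
    guid = sys.argv[1] if len(sys.argv) > 1 else None
    pages = iter_pages(sca_findings_url(guid)) if guid else SAMPLE_PAGES
    for row in open_policy_violations(flatten_sca_findings(pages)):
        print(row)
```

Run it with an application GUID as the first argument to query the platform, or with no arguments to exercise the flattening logic against the constructed sample. Because linked-project findings only reach the application after an upload scan has been performed (see above), an empty result for a freshly linked project usually means that precondition was not met rather than that the project is clean.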
About tags and branches
SCA Agent-based Scan is designed to be used with Git-based systems. Within these systems, there are commits, branches, and tags. This section describes how these three items affect issues and how you can manage them.
How SCA agents identify branches and tags
SCA Agent-based Scan chooses a tag, branch, or commit hash when importing results to the Veracode Platform. It runs the git describe --all command against the scanned repository to determine which reference the checked-out commit corresponds to.
The order of selection is:
- Tag
- Branch
- Previous tag
- Previous branch
- Commit hash
If you scan a tag on a branch, Veracode SCA considers it a tag.
How branches and tags affect issues
Veracode SCA has a unique list of issues for each branch or tag scanned, which means that if you have scanned multiple branches, you might see the same issue multiple times in the issues list. This feature allows you to see the state of a specific branch or tag rather than having only one set of results for everything.
View a specific branch or tag
When viewing a project in the Veracode Platform, you can choose to see issues from a single branch or tag. To do this, select Change next to the selected branch. In the Switch Branch or Tag window, you can see which branches you have scanned.
Default branches
The default branch for your projects determines which data to display in the results. It also specifies the branch in which to automatically create issues for newly released vulnerabilities.
The results only display issues, vulnerabilities, libraries, and licenses from the default branch. All list views show only items from the default branch, and all counts across your organization include only findings from the default branch, unless you switch to a different branch.
When Veracode releases or updates a vulnerability that impacts any of your projects, it automatically creates a new issue or updates an existing issue in the default branch.
Change the default branch
You can set a specific branch as the default branch for your project or use the most recently scanned branch or tag.
For new projects, the default branch for agent-based scans is set to Use Last Scanned, so that it always updates to the most recently scanned branch or tag. You can change the default to a specific branch, such as the main branch, in your project settings.
Before you begin:
You must have the Security Lead, Workspace Administrator, or Workspace Editor role.
To complete this task:
- In the Veracode Platform, go to Scans & Analysis > Software Composition Analysis > Agent-Based Scan.
- Select a workspace.
- Select Projects from the left menu, then select a project from the Project List table.
- Select Settings.
- Select a branch from the dropdown menu.
- Select Save.
Change the branch name
The branch or tag name recorded for a scan comes from the repository checkout at the time the agent runs (see How SCA agents identify branches and tags). To have results appear under a different branch name, check out that branch and scan it again:
git clone url
git checkout branch_name
srcclr scan .
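Because the recorded name comes from git describe --all, the same commit can land under a tag, a branch, a "previous" tag or branch, or a bare hash depending on how the working copy was checked out (a CI runner on a detached HEAD is the usual surprise). The following added example, which is not Veracode's code and not from this page, shows how the precedence listed above falls out of the describe output: an exact match prints tags/NAME or heads/NAME (tags win, which is why a tag on a branch counts as a tag), a commit past a ref prints NAME-DISTANCE-gABBREV, and no usable ref at all leaves only the commit hash. How the agent itself parses remote-tracking names such as remotes/origin/main is an assumption here; the sample outputs are constructed.

```python
import re
import subprocess
from typing import Any, Dict, Optional

# `git describe --all` prints "<kind>/<name>" when HEAD sits exactly on a ref, or
# "<kind>/<name>-<distance>-g<abbrev>" when HEAD is <distance> commits past it.
# Exact tag matches are preferred over branches, so a tag on a branch is reported as a tag.
_DESCRIBE = re.compile(
    r"^(?P<kind>tags|heads|remotes)/(?P<name>.+?)(?:-(?P<dist>\d+)-g(?P<abbrev>[0-9a-f]+))?$"
)


def classify_describe(output: Optional[str], head_hash: str) -> Dict[str, Any]:
    """Map describe output to the precedence on this page: tag, branch,
    previous tag, previous branch, commit hash.

    A None or empty output means describe found no ref at all (for example a
    shallow clone with no tags and no local branches), so only the hash remains.
    Assumption: remote-tracking refs are treated as branches with the
    "remotes/" prefix removed (giving names like "origin/main").
    """
    m = _DESCRIBE.match(output.strip()) if output else None
    if m is None:
        return {"kind": "commit", "name": head_hash[:12], "distance": None, "commit": head_hash}
    distance = int(m.group("dist") or 0)
    base = "tag" if m.group("kind") == "tags" else "branch"
    kind = base if distance == 0 else f"previous {base}"
    return {"kind": kind, "name": m.group("name"), "distance": distance, "commit": head_hash}


def _git(path: str, *args: str) -> Optional[str]:
    """Run one git command in `path`; None when it fails (e.g. describe with no refs)."""
    proc = subprocess.run(["git", "-C", path, *args], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def describe_checkout(path: str) -> Dict[str, Any]:
    """Classify a real working copy the way the agent would (requires git on PATH)."""
    head = _git(path, "rev-parse", "HEAD") or ""
    return classify_describe(_git(path, "describe", "--all"), head)


if __name__ == "__main__":
    # Constructed sample outputs, one per precedence level, against the page's example hash.
    head = "2bedd63b8e3019121c89108bfccb2421b08e28e9"
    for sample in ("tags/v1.2.0", "heads/main", "tags/v1.2.0-3-g2bedd63",
                   "heads/main-2-g2bedd63", "remotes/origin/main", None):
        print(f"{sample!r:32} -> {classify_describe(sample, head)}")
```

Run describe_checkout(".") in your pipeline before srcclr scan and fail the job if the kind is not the one you expect; a "previous branch" or "commit" result usually means the runner checked out a detached commit, and an explicit git checkout of the branch fixes the name under which the results are filed.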
Configure notifications
Notify teams about new vulnerabilities in watched projects or configure webhooks to receive notifications for project events.
Get notifications for watched projects
Teams assigned to a workspace that contains a watched project can get notified about new vulnerabilities in the project.
Before you begin:
You must have the Security Lead, Workspace Administrator, or Workspace Editor role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select Agent-Based Scan Settings.
- Select Email me about issues created or changed due to new vulnerability releases in any of my projects that I am watching.
Get notifications for project events
Create webhooks that send events about your projects. When an event triggers, Veracode sends an HTTP POST request with a JSON payload to your configured URL. Your receiving system must be able to accept these payloads.
Webhook event triggers
These events can trigger notifications:
| Event | Description |
|---|---|
| Scan | Veracode successfully scans the project. |
| Vulnerability issues discovered in project library after a scan | The Veracode research team releases a new vulnerability that affects your project. |
| Vulnerability issues changed in project library after a scan | The Veracode research team updates a vulnerability that affects your project. |
Add a webhook to a project
You can configure the payload URL and trigger events of the webhook notifications for your SCA projects.
Before you begin:
You must have the Security Lead, Workspace Administrator, or Workspace Editor role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Projects.
- Select a project.
- Select Settings.
- Select Notifications.
- Select Actions > Create.
- Enter your payload URL. The payload URL must be accessible from the internet and accept HTTP HEAD requests.
- Select the trigger events for which you want to receive notifications.
- Select Create.
Webhook payload examples
Each trigger event generates a particular type of payload with the relevant information. These examples show the content that Veracode sends for each event.
Scan success
{
"event": "SCAN_SUCCESS",
"organization": {
"id": 310,
"name": "Veracode",
"planType": "ENTERPRISE"
},
"workspace": {
"id": 4788,
"name": "Webhooks"
},
"user": {
"id": 2910,
"name": "John Smith"
},
"scan": {
"id": 1099430,
"commit": "2bedd63b8e3019121c89108bfccb2421b08e28e9",
"branch": "New_demo_branch",
"tag": null,
"reportLink": "<LINK TO REPORT>",
"vulnIssuesCount": 31,
"outofDateIssuesCount": 9,
"licenseIssuesCount": 0
},
"project": {
"id": 20757,
"name": "example-javascript"
}
}
Vulnerability issues discovered
{
"event": "VULN_ISSUES_DISCOVERED_AFTER_SCAN",
"organization": {
"id": 310,
"name": "Veracode",
"planType": "ENTERPRISE"
},
"workspace": {
"id": 4788,
"name": "Webhooks"
},
"user": null,
"issues": [
{
"id": 111967,
"status": "NEW",
"issueUrl": "<LINK TO ISSUE>",
"vuln": {
"id": 16462,
"title": "Title of vulnerability",
"cvssScore": 4.3,
"cvss3Score": 5.9,
"cve": null,
"cveStatus": "NA",
"stage": "RELEASED",
"disclosureDate": null,
"hasExploits": false,
"vulnerabilityTypes": [],
"overview": null
}
}
],
"project": {
"id": 20757,
"name": "example-javascript"
}
}
Vulnerability issues changed
{
"event": "VULN_ISSUES_CHANGED_AFTER_SCAN",
"organization": {
"id": 310,
"name": "Veracode",
"planType": "ENTERPRISE"
},
"workspace": {
"id": 4788,
"name": "Webhooks"
},
"user": null,
"issues": [
{
"id": 111967,
"status": "RESOLVED",
"issueUrl": "<LINK TO ISSUE>",
"vuln": {
"id": 16462,
"title": "Title of vulnerability",
"cvssScore": 7.8,
"cvss3Score": 5.9,
"cve": null,
"cveStatus": "NA",
"stage": "RELEASED",
"disclosureDate": null,
"hasExploits": false,
"vulnerabilityTypes": [],
"overview": null
}
}
],
"project": {
"id": 20757,
"name": "example-javascript"
}
}
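The procedure above says the payload URL must accept HEAD requests, and the three payload examples show what the POST body looks like. The following is an added example of a minimal receiver (not Veracode's code and not from this page) that answers HEAD, validates the body against the three documented event names, reduces it to a triage summary, and rejects anything else with 400. The payloads shown above carry no signature or shared secret, so the receiver treats the body as an untrusted trigger: it records the issue and project ids and flags what looks urgent, and confirms the issue through the platform or the API before acting on it is left to the consumer. The sample payload is constructed from the "Vulnerability issues discovered" example with a placeholder issueUrl; the attention threshold (CVSS v3 of 7.0 or a known exploit) is this example's choice.

```python
import json
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Dict, List

# The three event names shown in the payload examples above.
KNOWN_EVENTS = {"SCAN_SUCCESS", "VULN_ISSUES_DISCOVERED_AFTER_SCAN", "VULN_ISSUES_CHANGED_AFTER_SCAN"}

# Constructed sample, shaped like the "Vulnerability issues discovered" payload; placeholder URL.
SAMPLE_DISCOVERED: Dict[str, Any] = {
    "event": "VULN_ISSUES_DISCOVERED_AFTER_SCAN",
    "organization": {"id": 310, "name": "Veracode", "planType": "ENTERPRISE"},
    "workspace": {"id": 4788, "name": "Webhooks"},
    "user": None,
    "issues": [{
        "id": 111967, "status": "NEW", "issueUrl": "https://example.invalid/issues/111967",
        "vuln": {"id": 16462, "title": "Title of vulnerability", "cvssScore": 4.3,
                 "cvss3Score": 5.9, "cve": None, "cveStatus": "NA", "stage": "RELEASED",
                 "disclosureDate": None, "hasExploits": False, "vulnerabilityTypes": [],
                 "overview": None},
    }],
    "project": {"id": 20757, "name": "example-javascript"},
}


def summarize_event(payload: Any) -> Dict[str, Any]:
    """Validate the payload shape and reduce it to what a triage queue needs.
    Raises ValueError for anything that is not one of the three documented events."""
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    event = payload.get("event")
    if event not in KNOWN_EVENTS:
        raise ValueError(f"unknown event {event!r}")
    project = payload.get("project") or {}
    summary: Dict[str, Any] = {
        "event": event,
        "project_id": project.get("id"),
        "project": project.get("name"),
        "workspace": (payload.get("workspace") or {}).get("name"),
    }
    if event == "SCAN_SUCCESS":
        scan = payload.get("scan") or {}
        # Only one of tag/branch is populated; prefer the tag, matching the platform's precedence.
        summary["ref"] = scan.get("tag") or scan.get("branch") or scan.get("commit")
        summary["commit"] = scan.get("commit")
        summary["counts"] = {k: scan.get(k, 0) for k in
                             ("vulnIssuesCount", "outofDateIssuesCount", "licenseIssuesCount")}
        return summary
    issues: List[Dict[str, Any]] = []
    for issue in payload.get("issues") or []:
        vuln = issue.get("vuln") or {}
        issues.append({
            "id": issue.get("id"),
            "status": issue.get("status"),
            "vuln_id": vuln.get("id"),
            "title": vuln.get("title"),
            "cve": vuln.get("cve"),
            "cvss3": vuln.get("cvss3Score"),
            "has_exploits": bool(vuln.get("hasExploits")),
            "url": issue.get("issueUrl"),
        })
    summary["issues"] = issues
    # Worth paging someone for: not resolved and either high CVSS v3 or with a known exploit.
    # The page shows only NEW and RESOLVED statuses; anything other than RESOLVED is treated as open.
    summary["needs_attention"] = [
        i["id"] for i in issues
        if i["status"] != "RESOLVED" and ((i["cvss3"] or 0) >= 7.0 or i["has_exploits"])
    ]
    return summary


class WebhookHandler(BaseHTTPRequestHandler):
    """Accepts HEAD (URL validation) and POST (event delivery); other methods get 501 by default."""

    received: List[Dict[str, Any]] = []  # demo sink; replace with a real queue
    MAX_BODY = 1_000_000

    def do_HEAD(self) -> None:
        self.send_response(200)
        self.end_headers()

    def do_POST(self) -> None:
        try:
            length = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            length = 0
        if length <= 0 or length > self.MAX_BODY:
            self.send_error(400, "missing or oversized body")
            return
        try:  # json.JSONDecodeError is a ValueError, so one clause covers bad JSON and bad shape
            summary = summarize_event(json.loads(self.rfile.read(length)))
        except (ValueError, UnicodeDecodeError) as exc:
            self.send_error(400, str(exc))
            return
        self.received.append(summary)
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt: str, *args: Any) -> None:
        logging.info("%s " + fmt, self.client_address[0], *args)


def serve(port: int = 8080) -> None:
    """Run the receiver; in production put it behind TLS and restrict who can reach it."""
    HTTPServer(("0.0.0.0", port), WebhookHandler).serve_forever()
```

A quick local check is to run serve() and post SAMPLE_DISCOVERED to it with curl; the 204 tells you the shape validation passed, and WebhookHandler.received holds the summary. Because nothing in the payload proves it came from Veracode, do not let a webhook alone open tickets with the vulnerability text as fact; use the ids to look the issue up and let that lookup drive the action.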
Delete a project
You can delete projects from your workspaces.
Deleting a project permanently deletes all scan data for that project.
Before you begin:
You must have the Security Lead or Workspace Administrator role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Projects.
- Select a project.
- Select Settings.
- Select Other.
- Select Delete Project.
- Select Confirm. An alert window appears confirming that the project was deleted.