Manage SCA projects

A project is a local or remote repo that contains the application source code and dependencies you can scan with SCA Agent-based Scan. Projects are stored in a workspace and a workspace can contain multiple projects. To access the scan results from a central location, link the projects to the related application profiles.

Watch a project

On the Project Details page in the Veracode Platform, there is an option to watch a project.

If you have set a default branch, the Veracode Platform updates your issues automatically when the Veracode security research team releases a new vulnerability that affects you. If you are watching a project, the Veracode Platform emails a notification when a change affects that project.

View project history

SCA Agent-based Scan provides a history of scan results for your projects that allows you to review how your issues have changed since you created the project.

Note

Veracode retains SCA agent-based scan data for 13 months. To view older data, go to Veracode Analytics.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Projects.
  5. Select a project.
  6. Select the Show History link. Veracode SCA displays a window showing the history of scans performed for the project.
  7. Select a scan to see the details for that scan.

You can link projects to application profiles to access the scan results from the SCA Results page in the Veracode Platform. The SCA Results page combines results from SCA Upload and Scan and SCA Agent-based Scan for the same application.

Linking a project to an application sends the inventory of that project to the application profile, allowing the application profile to reflect all libraries, licenses, and vulnerabilities found through agent-based scans.

You can link multiple projects to an application. If you want to link one project to multiple applications, you need to scan that project under multiple workspaces, then link each instance of that project to a different application.

Important
  • If you change the filenames of third-party libraries, the results might contain duplicate findings when you perform an agent-based scan and an SCA Upload and Scan of the same application.
  • You can't link projects to a sandbox scan.

Before you begin:

To complete this task:

  1. Go to Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Projects.
  5. Select the project you want to link to an application.
  6. Select Settings > Link to Application.
  7. Select an application profile from the dropdown. If you don't see the name of the application profile, you can try typing the name in the field at the top of the dropdown.
  8. Select Save.

The application now appears in the Linked Application column of the Project List table. The project is now included in the Linked Projects column of the Applications list on the Upload and Scan tab.

Results:

After you link a project to an application, Veracode includes the findings from agent-based scans of that project in your application results and Veracode reports, displaying them exactly like the findings from scans of uploaded applications. To extract findings from linked projects using an API, we recommend using the Findings REST API.

To perform this task with an API, use the linkAppProject and unlinkAppProject endpoints of the SCA REST API.

Delete a project

You can delete projects from your workspaces.

Before you begin:

You must have the Security Lead or Workspace Administrator role.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Projects.
  5. Select a project.
  6. Select Settings.
  7. Select Other.
  8. Select Delete Project.
  9. Select Confirm. An alert window appears to inform you when the project has been deleted.

Configure notifications

Notify teams about new vulnerabilities in watched projects or configure webhooks to receive notifications for project events.

Get notifications for watched projects

Teams assigned to a workspace that contains a watched project can get notified about new vulnerabilities in the project.

Before you begin:

You must have the Security Lead, Workspace Administrator, or Workspace Editor role.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select Agent-Based Scan Settings.
  4. Select Email me about issues created or changed due to new vulnerability releases in any of my projects that I am watching.

Get notifications for project events

Create webhooks that send events about your projects. When the event triggers, the SCA agent sends an HTTP POST request with a payload to your configured URL. Your receiving system must be able to accept custom payloads.

Webhook event triggers

The following events can trigger notifications.

  • Scan: Veracode successfully scans the project.
  • Vulnerability issues discovered in project library after a scan: the Veracode research team releases a new vulnerability that affects your project.
  • Vulnerability issues changed in project library after a scan: the Veracode research team updates a vulnerability that affects your project.

Add a webhook to a project

You can configure the payload URL and trigger events of the webhook notifications for your SCA projects.

Before you begin:

You must have the Security Lead, Workspace Administrator, or Workspace Editor role.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Projects.
  5. Select a project.
  6. Select Settings.
  7. Select Notifications.
  8. Select Actions > Create.
  9. Enter your payload URL. The payload URL must be accessible from the internet and accept HTTP HEAD requests.
  10. Select the trigger events for which you want to receive notifications.
  11. Select Create.

Webhook payload examples

Each trigger event generates a particular type of payload with the relevant information. These examples show the content that the SCA agent sends for each event.

Scan success
    {
      "event": "SCAN_SUCCESS",
      "organization": {
        "id": 310,
        "name": "Veracode",
        "planType": "ENTERPRISE"
      },
      "workspace": {
        "id": 4788,
        "name": "Webhooks"
      },
      "user": {
        "id": 2910,
        "name": "John Smith"
      },
      "scan": {
        "id": 1099430,
        "commit": "2bedd63b8e3019121c89108bfccb2421b08e28e9",
        "branch": "New_demo_branch",
        "tag": null,
        "reportLink": "<LINK TO REPORT>",
        "vulnIssuesCount": 31,
        "outofDateIssuesCount": 9,
        "licenseIssuesCount": 0
      },
      "project": {
        "id": 20757,
        "name": "example-javascript"
      }
    }
Vulnerability issues discovered
    {
      "event": "VULN_ISSUES_DISCOVERED_AFTER_SCAN",
      "organization": {
        "id": 310,
        "name": "Veracode",
        "planType": "ENTERPRISE"
      },
      "workspace": {
        "id": 4788,
        "name": "Webhooks"
      },
      "user": null,
      "issues": [
        {
          "id": 111967,
          "status": "NEW",
          "issueUrl": "<LINK TO ISSUE>",
          "vuln": {
            "id": 16462,
            "title": "Title of vulnerability",
            "cvssScore": 4.3,
            "cvss3Score": 5.9,
            "cve": null,
            "cveStatus": "NA",
            "stage": "RELEASED",
            "disclosureDate": null,
            "hasExploits": false,
            "vulnerabilityTypes": [],
            "overview": null
          }
        }
      ],
      "project": {
        "id": 20757,
        "name": "example-javascript"
      }
    }
Vulnerability issues changed
    {
      "event": "VULN_ISSUES_CHANGED_AFTER_SCAN",
      "organization": {
        "id": 310,
        "name": "Veracode",
        "planType": "ENTERPRISE"
      },
      "workspace": {
        "id": 4788,
        "name": "Webhooks"
      },
      "user": null,
      "issues": [
        {
          "id": 111967,
          "status": "RESOLVED",
          "issueUrl": "<LINK TO ISSUE>",
          "vuln": {
            "id": 16462,
            "title": "Title of vulnerability",
            "cvssScore": 7.8,
            "cvss3Score": 5.9,
            "cve": null,
            "cveStatus": "NA",
            "stage": "RELEASED",
            "disclosureDate": null,
            "hasExploits": false,
            "vulnerabilityTypes": [],
            "overview": null
          }
        }
      ],
      "project": {
        "id": 20757,
        "name": "example-javascript"
      }
    }
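As an added example (not code from the Veracode documentation or product), a minimal receiver for the webhook described under "Get notifications for project events" and for the three payloads shown above: it answers the HEAD probe that the setup steps require, reads the POST body, and reduces each event type to the fields a triage workflow acts on. The port, the summary shape and the constructed sample payload are assumptions; the page documents no payload signature, so who can reach the URL must be restricted elsewhere.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Event names exactly as they appear in the payload examples above.
ISSUE_EVENTS = {"VULN_ISSUES_DISCOVERED_AFTER_SCAN", "VULN_ISSUES_CHANGED_AFTER_SCAN"}

def summarize_event(payload):
    """Reduce a webhook payload to the fields a triage workflow acts on; unknown events raise."""
    event = payload.get("event")
    project = (payload.get("project") or {}).get("name")
    if event == "SCAN_SUCCESS":
        scan = payload["scan"]
        total = scan["vulnIssuesCount"] + scan["outofDateIssuesCount"] + scan["licenseIssuesCount"]
        return {"event": event, "project": project, "branch": scan.get("branch"),
                "commit": scan.get("commit"), "open_issues": total}
    if event in ISSUE_EVENTS:
        issues = []
        for issue in payload.get("issues", []):
            vuln = issue["vuln"]
            # Prefer the CVSS v3 score; the v2 score is the fallback when v3 is null.
            score = vuln["cvss3Score"] if vuln.get("cvss3Score") is not None else vuln.get("cvssScore")
            issues.append({"id": issue["id"], "status": issue["status"], "title": vuln["title"], "score": score,
                           "cve": vuln.get("cve"), "has_exploits": vuln.get("hasExploits", False)})
        return {"event": event, "project": project, "issues": issues}
    raise ValueError(f"unhandled event: {event!r}")

class WebhookHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):  # Veracode probes the payload URL with HEAD; a 200 with no body satisfies it
        self.send_response(200)
        self.end_headers()

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", 0))
            summary = summarize_event(json.loads(self.rfile.read(length)))
        except (ValueError, KeyError, TypeError):
            self.send_response(400)  # malformed or unknown payload: reject rather than act on it
            self.end_headers()
            return
        print(json.dumps(summary))  # hand-off point: ticketing, chat, SIEM
        self.send_response(204)
        self.end_headers()

# Constructed sample (assumption), trimmed from the "Vulnerability issues discovered" example above.
SAMPLE_DISCOVERED = {"event": "VULN_ISSUES_DISCOVERED_AFTER_SCAN",
    "project": {"id": 20757, "name": "example-javascript"},
    "issues": [{"id": 111967, "status": "NEW", "vuln": {"id": 16462, "title": "Title of vulnerability",
                "cvssScore": 4.3, "cvss3Score": 5.9, "cve": None, "hasExploits": False}}]}

if __name__ == "__main__":  # assumed local port; put a TLS-terminating proxy in front for real use
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```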