Manage SCA issues and findings

After scanning your repos with SCA Agent-based Scan, you can review the scan results in the Veracode Platform or from the CLI. The scan results are organized into the following categories.

  • Issues: includes out-of-date libraries, license violations, and vulnerabilities associated with a specific version of a library within a repository.
  • Vulnerabilities: the set of unique vulnerabilities across a project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability only appears once in this list.
  • Libraries: includes each open source library Veracode SCA has identified within a code project.
  • Licenses: displays the software license information associated with each open-source library in use.

After viewing the scan results, you can resolve the vulnerabilities using the instructions in the Veracode Platform or the CLI and validate the fixes.

To learn more about the vulnerabilities in your code, you can navigate between vulnerabilities, open-source libraries, and licenses in your project. To mitigate vulnerabilities you won't resolve, see Mitigate vulnerabilities.

You can select an issue to view reliable and actionable insights, including vulnerable methods, recommended fixes, and dependency graphs.

If your project is linked to an application profile, you can access and review findings, but not issues, from both SCA agent scans and SCA Upload and Scan on the SCA Results page in the Veracode Platform.

View vulnerabilities

Vulnerabilities represent the set of security concerns across a project or workspace. Viewing vulnerability details shows information across all versions of a specific vulnerability, such as the libraries in which the agent-based scan has found it.

Unlike issues of type Vulnerability, Veracode SCA counts each vulnerability only once within the context of a workspace, even if the same library and corresponding vulnerabilities exist across multiple projects. Also, you cannot ignore vulnerabilities, which means the number of vulnerabilities could be greater than the number of issues of type Vulnerability.

Veracode uses multiple data sources for vulnerabilities: Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD), and Veracode vulnerabilities (SRCCLR) from the Veracode Vulnerability Database.

To find vulnerabilities outside the NVD, Veracode researchers curate and validate public database entries and track developer lists, code commits and releases, discussion forums, underground bulletin boards, and social chatter. The technology uses machine learning, extracting patterns from known vulnerabilities and applying new techniques and theories. SCA Agent-based Scan uses clone verification to validate that versions are patched as intended.
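The counting rules above (issues are per project and library version and can be ignored; vulnerabilities are deduplicated by ID and cannot be ignored) are why the two numbers can disagree. The following added example, not Veracode code, reconciles the two counts over a constructed list of issues and classifies each ID by data source the way the Vulnerability column does; the field names and all IDs are placeholders, not real CVE or SRCCLR entries.

```python
from collections import namedtuple

# Constructed sample of issues of type Vulnerability in one workspace, one issue per
# (project, library, version, vulnerability). Field names and IDs are assumptions
# for this illustration; the CVE and SRCCLR values are placeholders, not real entries.
Issue = namedtuple("Issue", "project library version vuln_id ignored")

SAMPLE_ISSUES = [
    Issue("api-service",  "lodash",   "4.17.15", "CVE-0000-0001",          False),
    Issue("web-frontend", "lodash",   "4.17.15", "CVE-0000-0001",          False),  # same vuln, other project
    Issue("api-service",  "lodash",   "4.17.15", "CVE-0000-0002",          True),   # ignored during review
    Issue("api-service",  "minimist", "1.2.0",   "SRCCLR-SID-PLACEHOLDER", False),
    Issue("batch-jobs",   "minimist", "0.0.8",   "SRCCLR-SID-PLACEHOLDER", False),  # same vuln, other version
]

def _in_scope(issue, project):
    return project is None or issue.project == project

def count_issues(issues, project=None):
    """Issues are counted per project and library version; ignored issues drop out."""
    return sum(1 for i in issues if _in_scope(i, project) and not i.ignored)

def unique_vulnerabilities(issues, project=None):
    """Vulnerabilities are deduplicated by ID across the scope and cannot be ignored."""
    return {i.vuln_id for i in issues if _in_scope(i, project)}

def source_of(vuln_id):
    """Classify an ID as the Vulnerability column does: CVE from the NVD, SRCCLR from Veracode."""
    if vuln_id.startswith("CVE-"):
        return "NVD"
    if vuln_id.startswith("SRCCLR-"):
        return "Veracode Vulnerability Database"
    return "unknown"

def reconcile(issues, project=None):
    """Return both counts side by side so a reviewer can explain a mismatch."""
    vulns = unique_vulnerabilities(issues, project)
    return {
        "issues": count_issues(issues, project),
        "vulnerabilities": len(vulns),
        "by_source": {src: sorted(v for v in vulns if source_of(v) == src)
                      for src in {source_of(v) for v in vulns}},
    }

if __name__ == "__main__":
    print("workspace:", reconcile(SAMPLE_ISSUES))
    print("api-service:", reconcile(SAMPLE_ISSUES, "api-service"))
```

For the api-service project the sample yields 2 issues but 3 vulnerabilities, because the ignored issue still counts as a vulnerability.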

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. If you want to view vulnerabilities for an individual project, select Projects. Then, select a project.
  5. Select Vulnerabilities.
  6. In the Vulnerability List table, locate a vulnerability.
  7. To view detailed information about a vulnerability in the Veracode Vulnerability Database, select the link in the Vulnerability column. The Vulnerability column might list two different data sources for vulnerabilities: a CVE ID indicates that the vulnerability came from the NVD and a SRCCLR ID indicates that the vulnerability came from the Veracode Vulnerability Database.
  8. To view detailed information about a library in the Veracode Vulnerability Database, select the link in the Library or Version columns.
  9. To see which projects have a vulnerability, expand the arrow in the Projects column.

View libraries

View details about the libraries in a workspace, including vulnerable version ranges for the library, other libraries that might be subject to particular vulnerabilities, and resources for finding more information.

When scanning a project, Veracode SCA identifies (matches) each library that it recognizes. This identification allows the agent-based scan to determine and display the licenses, vulnerabilities, and custom rules associated with the library. If an SCA scan can't identify a library, the library is unmatched.

You can also perform this task with the SCA REST API.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Libraries. The Library List table opens.
  5. To view detailed information about a library in the Veracode Vulnerability Database, select the library name link in the Library column.

View unmatched libraries

Unmatched libraries are libraries found in your project that the SCA scan engine doesn't recognize. Veracode SCA might not recognize libraries if they are internal, modified, or not available from the sources that the scan tracks. Unmatched libraries do not include licenses, vulnerabilities, or custom rules.

To complete this task:

From the Library List table of your workspace or project, open the Library List dropdown menu and select Unmatched Libraries.

Review license risk

Before using third-party, open-source components, we recommend reviewing the license and associated risk to understand the implications of using the component in your application.

Licenses consist of the software license information associated with each open-source library. Veracode SCA maintains license information by staying up-to-date with several open-source library repositories. This information can help you avoid issues relating to copyleft licenses or keep track of the licenses in use across a set of libraries.

Important

Review the Veracode legal disclaimer before acting upon the license information listed in the SCA results for your application.

The License List table for each workspace and project provides details of all the licenses identified in your agent-based scans, including the library in which the analysis found the license and the license risk rating.

When you verify that the vulnerability no longer appears in the scan output, you have fixed the vulnerability, and you can commit your code.

Export scan results

You can export the results of your agent-based scans as a CSV file. You can filter the results by scan date and by issue type.

See the example exports.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select a workspace from the workspace list.

  4. From the Scan Date dropdown menu, select the timeframe of scans to include in the results.

    Note

    If you select All dates or More than 7 days ago, you cannot export the results.

  5. From the Issues List dropdown menu, select the issue type to include in the results.

  6. Select the download icon, then select Export to CSV. Your browser downloads the CSV file containing the details of the requested issues.