Manage workspaces
Use workspaces to separate and manage project scan data for SCA Agent-based Scan. Each workspace can include multiple SCA agents that perform scans on your code projects and display the results in the workspace to which they belong. You can store scan data in different workspaces and control user access to that data based on the workspaces to which a user belongs.
In the Veracode Platform, on the Workspace Portfolio page, you can search for a library, vulnerability, or license and drill down into the workspaces and projects that include the items in your search. If you select a workspace name, you see the issues associated with the workspace, including details such as the median resolution time and a breakdown of the issues by severity.
You can create workspaces and use them to collaborate with team members. You can also use the automatically created My Workspace to perform quick scans and review scan data on your own.
You can extract information about your workspaces using the SCA REST API.
About My Workspace
All users have access to a personal workspace for local scanning called My Workspace, but we don't recommend using it for anything but temporary experimentation. The Veracode Scan IDE plugins and extensions only use My Workspace.
The Veracode Scan IDE plugins and extensions temporarily create projects in My Workspace, but since My Workspace can only store up to three projects, scans in your IDE will fail if you have already reached this limit. Therefore, we recommend deleting all projects from My Workspace before using these plugins.
Your user account does not require specific roles or team membership to create projects or start scans in My Workspace. The workspace automatically appears in your workspace list. With My Workspace, you can create agents, add custom rules, and manage and review scan data for projects just as you do with other workspaces.
To simplify the My Workspace experience, we implement several restrictions. You cannot:
- Apply organization rules.
- Link projects to applications.
- Add teams.
- Delete the workspace.
- Create more than three projects. If My Workspace contains three projects, you must delete one before you can scan another.
If you need access to more than three projects, reach out to the administrator of your Veracode account to request access to other workspaces.
Create a workspace
Workspaces help you organize your project data for scanning. Use workspaces to organize scan results by application or business unit. Workspaces are similar to teams. Scan results are available at the project level, and projects are available at the workspace level. You can also customize your workspace to suit your needs.
My Workspace, which is available for all users, provides limited functionality for experimenting with agent-based scans.
You can also create workspaces with the SCA REST API.
Before you begin:
You have the Security Lead or Creator role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select Actions > Create Workspace.
- Enter a name for the workspace.
- If you want to add teams to the workspace, select More Options and select one or more teams.
- Select Create.
Delete a workspace
Deleting workspaces permanently deletes the agents and any data associated with that workspace.
You can also perform this task with the SCA REST API.
Before you begin:
You must have the Security Lead, Creator, or Workspace Administrator role to delete workspaces.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Settings from the Manage Workspace dropdown.
- Select Delete Workspace.
- Select Yes, Delete to permanently delete the workspace.
Locate the workspace slug
You use the workspace slug to apply an SCA agent to a workspace using a scan directive or environment variable.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select the desired workspace from the workspace list.
- Copy the eight-character value shown in the URL.
You can also obtain a workspace slug by sending a request to the getWorkspaces API and retrieving the value from the site_id field in the payload.
Manage workspace access
For organizations with many users, it can be difficult to manage direct assignments. Teams can alleviate this manual work by providing a container for users who require the same level of access to the same workspaces. Add the teams to the right workspaces with the desired role, and all users in the team automatically inherit those permissions. When one person changes teams, remove the user from the old team and assign the user to the new team.
You perform all user management tasks in the Veracode Platform.
For team management tasks that are not specific to SCA workspaces, see Manage teams.
Users
Within each organization are individual users. These users are not added into any workspaces by default. You must add them to a workspace before they can get results in Veracode SCA agent-based scans.
Administrators
Creators of an organization are Administrators by default and are members of every workspace within the organization. Administrators can add users to a workspace and manage the organization.
Add teams to a workspace
Add teams to a Veracode SCA workspace to grant members of those teams access to the projects in that workspace. By default, scan results for an SCA workspace are only visible to members of that workspace. Teams added to a workspace can view projects, scan results, libraries, issues, and vulnerabilities for that workspace.
Adding teams to My Workspace is not supported.
You can also perform this task with the SCA REST API.
Before you begin:
You must have the Security Lead, Creator, or Workspace Administrator role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Under Manage Workspace, select Teams.
- Select Actions > Add Teams.
- Select one or more teams to add.
- Select Save.
Remove teams from a workspace
Remove teams from a workspace to prevent the members of those teams from accessing a workspace.
Before you begin:
You must have the Security Lead, Creator, or Workspace Administrator role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Teams.
- Select the team to remove.
- Select Actions > Remove Teams.
- Select Save.
Assign security policies to workspaces
If you want projects to be evaluated against a security policy other than the default policy, you can assign policies at the workspace level.
Before you begin:
You must have the Security Lead, Workspace Administrator, or Workspace Editor role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Policy Assignment.
- Select a policy. The available options include the built-in policy and any custom policies that contain rules applicable to agent-based scans.
- Select Save.
Use the latest CVSS version in SCA policy rules
If your organization has activated the Unified Policy feature, which replaces agent rules, all agent-based scans use Common Vulnerability Scoring System (CVSS) version 3 to evaluate your vulnerabilities.
You can use CVSS version 3 in your policy rules to evaluate your vulnerabilities against the latest version of the standard.
Before you begin:
You must have the Security Lead, Workspace Administrator, or Workspace Editor role to edit the CVSS version for a workspace rule. You must have the Security Lead role to edit the CVSS version for an organization rule.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Custom Rules.
- Select Edit.
- Choose a rule control you want to modify or select Add control to create a new control.
- For Level, choose if you want violations of this control to result in an error or a warning. Errors result in a build failure. Warnings result in log entries to the continuous integration systems, but they do not cause a build failure.
- Expand the control row to display all condition options.
- From the Severity dropdown menu, select the CVSS score you want to use for this control.
- If you want to generate issues based on the CVSS severity, select Create Issue.
- Select Save.
Configure workspace rules
If your organization has activated the Unified Policy feature, which replaces agent rules, you can create a custom policy that uses agent-based scan rules, and assign it to a workspace or set it as the default policy for all workspaces. For example, you can copy the Veracode Recommended SCA Very High policy and edit it into a custom SCA policy.
Custom rules help you manage your software delivery workflow. Rules are sets of controls to which your codebase must adhere. Default rules are hard-coded and applied to all workspaces.
Custom rules expose the controls that the rules engine uses. They allow you to edit these controls per workspace and decide what actions to take when projects violate controls, ensuring that no software ships unless it meets your security requirements.
When projects violate a control, you can choose to create an issue to track a problem, break the build, or both. Set your own severity for different kinds of control violations. SCA agents use this severity for issues and as the exit code when a build breaks. You cannot create custom rules for a workspace if your organization enforces organization rules.
At scan time, the scanner identifies open-source libraries in your code and any transitive library dependencies, generates a dependency graph and a call graph, and then sends the results of the scan to the Veracode Platform. Veracode checks the scan results against each control in the rule. If a control fails, the specified action for that control is triggered, and the highest severity of the violated controls returns as the exit code.
Organization rules
If your organization has activated the Unified Policy feature, which replaces agent rules, set the default policy for workspaces.
Organization rules allow you to apply the same set of controls to all of your workspaces. If your organization enforces organization rules, you cannot set custom rules at the workspace level. If your organization has configured organization rules but does not enforce them, you can select the organization rules when configuring the rules for a workspace.
Default rules
If your organization has activated the Unified Policy feature, which replaces agent rules, the default policy for workspaces is the Veracode Recommended SCA Very High policy. You can change the default policy in your policy settings.
If you do not customize the workspace rules, Veracode SCA applies the default rules.
Using the Veracode default rules, issues get created when:
- A vulnerability exists in either direct or transitive libraries.
- A direct library is out of date.
- A direct library contains a high-risk license.
Additional controls that you can use with custom rules include:
- A library has multiple licenses.
- A library has no license.
The issue severities are set as follows:
- Vulnerability issues, direct or transitive: the CVSS score of the vulnerability
- Outdated library issues, direct: 3.0
Rule controls
There is one rule for each workspace. Every project in a workspace inherits the workspace rules. Each rule consists of one or more controls. A control checks if the project meets specific parameters.
Each control has the following structure:
- Properties
  - Control Name
  - Severity
  - Level
- Conditions
  - Matcher
  - Descriptor
  - Parameters for vulnerability descriptors
    - Severity: check for a vulnerability of high, medium, or low risk. The level of risk that a vulnerability has is determined by its CVSS score. Veracode SCA supports vulnerability severities based on either CVSS v2 or CVSS v3 scores.
    - Vulnerable Method
    - Override Control Severity with CVSS Score
  - Parameters for license descriptor
    - Kind: check for specific licenses by name or select a risk rating.
    - Including: if you select License by name, select the licenses to include in the rule.
    - Excluding: if you select a risk rating, select the licenses to exclude from the rule.
- Action
  - Create Issue
Properties
The properties of a control are basic fields that identify a control and its severity.
- Control Name: a string that helps you quickly identify the control.
- Severity: a number from 0.1 (lowest) to 10.0 (highest) that lets you determine how serious a control violation is considered in this rule. If you choose to create an issue when a control is violated, the severity of the failed control defines the severity of the issue. Severities appear on lists of issues to make them easier to rank.
- Severity is different from a vulnerability risk (CVSS) score. However, if you wish to use the CVSS score as the severity for vulnerability issues, you can set that option. See Descriptor.
- Level: there are two levels.
  - Error: A level of error means that a non-zero exit code will be returned, which can be used (for example, by CI build scripts) to break a build. The exact value of the exit code depends on the severity of all controls which were violated. See the note below for more details.
  - Warning: A level of warning will return an exit code of 0, which can be used to allow the build to continue.
  - To determine the exit code for a scan, enter echo $? in the CLI after the scan concludes. If 0 is returned, no controls of level error were violated. If a number greater than 0 is returned, a control of level error was violated, and the number reflects the highest-severity control that was violated, rounded to the nearest integer.
Conditions
A control condition is a rule to enforce, such as library should not contain high-risk vulnerabilities.
A condition contains the following parts:
Resource
The resource is the entity being inspected for certain conditions. SCA agents inspect libraries with four dependency relationships.
- Any: a library which is either referenced in your configuration file or used by a direct dependency. Encompasses all your libraries.
- Direct: a library which is specifically referenced in your configuration file.
- Transitive: other libraries which are used by the direct dependencies.
- Both: a library which is both referenced in your configuration file and used by a direct dependency.
Matcher
The matcher is a comparison operator that defines how the resource is inspected. The values are should not contain and should be.
Descriptor
The descriptor and its parameters define the checks performed against the resource. The current descriptors available are vulnerability, license, and library.
SCA Agent-based Scan can check that:
- A library should not contain vulnerabilities with certain parameters. This check uses the should not contain matcher.
- A library should not contain licenses with certain parameters. This check uses the should not contain matcher.
- A library should be the latest version. This check uses the should be matcher.
- Parameters for vulnerability descriptor
- Severity: check for a vulnerability of high, medium, or low risk.
- Vulnerable Method: check for vulnerabilities where vulnerable methods were or were not found.
- Override Control Severity with CVSS Score: for vulnerability issues only, set the severity of the violated control to the CVSS score of that vulnerability instead of manually assigning a severity. See Properties of the control.
- Parameters for license descriptor
- Kind: check for specific licenses by name or check for licenses with a selected risk rating. You can exclude specific licenses by name from the risk rating parameter.
Actions
The action for a control defines what happens automatically when the condition evaluates to false.
If you select Create Issue, Veracode creates an issue when the condition is false and the control is violated at scan time.
Creating an issue from a rule does not automatically create issues in third-party applications. However, if you have an SCA agent integration to Jira or GitHub, you can manually create a Jira or GitHub issue from an SCA issue in the Veracode Platform.
Add, remove, and arrange controls
When a rule is in edit mode, you can add new controls, remove controls, and move controls up and down in the Veracode Platform.
To add a new control, select the Add Control button below the last control row.
To remove a control, select the trash can icon at the far right.
To move controls up and down, use the up and down arrows next to the trash can icon.
The order of controls in a rule does not affect which issues will be created, whether a build is broken or not, or the order in which controls are evaluated. You order the controls to visually group them in an order that is meaningful to you. However, if you create two nearly identical controls that only differ by a property, such as a different severity rating, the control furthest down the list takes precedence.
View rules
Before you begin:
You must have the Security Lead, Workspace Administrator, or Workspace Editor role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Either select a workspace to view workspace rules or select Agent-Based Scan Settings to view organization rules.
- Select Rules.
Create custom rules
Creating custom rules lets you define unique security requirements for your workspace.
Before you begin:
You must have the Security Lead, Workspace Administrator, or Workspace Editor role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Either select a workspace to view workspace rules or select Agent-Based Scan Settings to view organization rules.
- Select Rules.
- Select Custom Rules. A copy of the default rules appears.
- To open edit mode, select Edit.
- Make your adjustments, then select Save.
To define a control, see rule controls and Add, remove, and arrange controls.
Edit custom rules
You can edit custom rules if you want to change the security requirements for your workspace.
Before you begin:
You must have the Security Lead, Workspace Administrator, or Workspace Editor role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Either select a workspace to view workspace rules or select Agent-Based Scan Settings to view organization rules.
- Select Rules. The currently applied custom rules appear.
- Select Edit. The controls change from view-only mode to edit mode. The details of each control are collapsed by default.
- Make your adjustments, then select Save. The custom rules are active for any future scans in the workspace.
To define a control, see rule controls and Add, remove, and arrange controls.
Reset custom rules
You might want to update your custom rules by starting over from the default rules and making new customizations. Complete the following steps to discard any customizations, reset all controls to the default rules, and apply the changes immediately.
Before you begin:
You must have the Security Lead, Workspace Administrator, or Workspace Editor role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- To view workspace rules, select a workspace. To view organization rules, select Agent-Based Scan Settings.
- Select Rules. The currently applied custom rules appear.
- Select Edit.
- Select Veracode Defaults.
- Select Reset rules.
Custom rule examples
This section provides some examples of custom rules you can apply to a workspace.
High-risk vulnerabilities with vulnerable methods
There should be no CVSS v2 high-risk vulnerabilities where vulnerable methods are found. If there are, assign a severity of 10, break the build, and create a Veracode SCA issue.

Medium-risk vulnerabilities without vulnerable methods
There should be no CVSS v3 medium-risk vulnerabilities where vulnerable methods are not found. If there are, use the CVSS score of the vulnerabilities as the control severity, do not break the build, but do create a Veracode SCA issue.

Allow low-risk vulnerabilities without vulnerable methods
If you do not want to track low-risk vulnerabilities where no vulnerable methods are found, you can delete any controls where Descriptor = vulnerability, Severity = low risk, and Vulnerable Method = no. The SCA scan will not create SCA issues for this kind of vulnerability.
Alternatively, you can clear the Create Issue checkbox in a control where Descriptor = vulnerability, Severity = low risk, and Vulnerable Method = no. You might prefer this method if you may want to create Veracode SCA issues for this control in the future.
High-risk licenses with exceptions
If your condition rejects libraries that contain high-risk licenses, you can select one or more specific high-risk licenses to allow. In this example, you allow one exception for Open Software License 1.0.

Out-of-date libraries
Ensure all direct libraries are up-to-date. For any out-of-date libraries, do not break the build, but do create a Veracode SCA issue with severity = 1.
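To make the rule-control model above (properties, conditions, actions, exit code and the last-control-wins precedence) and these custom rule examples concrete, here is a small evaluator written for this page; it is not Veracode's code or the agent's actual logic. The CVSS risk-band thresholds, the resource chosen for each example control, the severity of the license control and the sample libraries are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the rule evaluation this page describes; not Veracode's code.
# Assumed CVSS risk bands (v2-style): high >= 7.0, medium >= 4.0, otherwise low.
def risk_band(cvss):
    return "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"
@dataclass
class Library:                # constructed scan record, not real agent output
    name: str
    relation: str             # direct / transitive / both (the dependency relationship)
    outdated: bool = False
    licenses: list = field(default_factory=list)   # (license name, risk rating)
    vulns: list = field(default_factory=list)      # (CVSS score, vulnerable method found)
@dataclass
class Control:
    name: str
    severity: float           # 0.1 (lowest) to 10.0 (highest)
    level: str                # "error" breaks the build, "warning" does not
    create_issue: bool        # the control's action
    resource: str             # any / direct / transitive / both
    descriptor: str           # vulnerability / license / library
    params: dict = field(default_factory=dict)
def violations(control, lib):
    """Severity of each violation of `control` found in `lib` (empty list if none)."""
    p = control.params
    if control.descriptor == "vulnerability":     # matcher: should not contain
        return [cvss if p.get("override_with_cvss") else control.severity
                for cvss, found in lib.vulns
                if risk_band(cvss) == p["severity"]
                and (p.get("vulnerable_method") is None or found == p["vulnerable_method"])]
    if control.descriptor == "license":           # matcher: should not contain
        return [control.severity for name, risk in lib.licenses
                if risk == p["risk"] and name not in p.get("excluding", ())]
    return [control.severity] if lib.outdated else []   # library: should be latest
def evaluate(controls, libraries):
    """Return (exit code, issues); each issue is (control name, library, severity)."""
    # Near-identical controls: the one furthest down the list takes precedence.
    effective = {(c.resource, c.descriptor, tuple(sorted(c.params.items()))): c
                 for c in controls}.values()
    issues, worst = [], 0.0
    for c in effective:
        for lib in (l for l in libraries if c.resource in ("any", l.relation) or l.relation == "both"):
            for sev in violations(c, lib):
                if c.create_issue:
                    issues.append((c.name, lib.name, sev))
                if c.level == "error":
                    worst = max(worst, sev)   # warnings never change the exit code
    return int(worst + 0.5), issues   # highest error-level severity, rounded
# The page's custom rule examples as controls; resource and license severity are assumed.
RULE = [
    Control("High-risk vulns with vulnerable methods", 10.0, "error", True, "any",
            "vulnerability", {"severity": "high", "vulnerable_method": True}),
    Control("Medium-risk vulns without vulnerable methods", 5.0, "warning", True, "any", "vulnerability",
            {"severity": "medium", "vulnerable_method": False, "override_with_cvss": True}),
    Control("High-risk licenses with exceptions", 8.0, "error", True, "any", "license",
            {"risk": "high", "excluding": ("Open Software License 1.0",)}),
    Control("Out-of-date libraries", 1.0, "warning", True, "direct", "library"),
]
SAMPLE = [  # constructed libraries, not real scan data
    Library("lib-a", "direct", vulns=[(9.1, True)]),
    Library("lib-b", "transitive", vulns=[(5.3, False)]),
    Library("lib-c", "direct", licenses=[("Open Software License 1.0", "high")]),
    Library("lib-d", "direct", outdated=True),
]
```

Running evaluate(RULE, SAMPLE) yields exit code 10 (the error-level control on lib-a) and three issues, while the excluded Open Software License 1.0 on lib-c produces none.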
