Manage SCA issues
Issues are the essential components of SCA Agent-based Scan. You use issues to track and take action on vulnerabilities, out-of-date libraries, and software licensing concerns for open-source libraries in a specific software project. You can also import issues into ticketing systems.
Issues are unique to a specific project as well as the library and corresponding version. If you scan multiple tags or branches in the same project, the results might contain duplicate issues. See How branches and tags affect issues.
If a library is updated to a different version that also includes the same vulnerability, Veracode SCA creates a new issue that references the new version. The new issue automatically replaces the old issue because the older version is no longer in use.
View issues
Because issues uniquely relate to a specific library and version, the details for an issue make it much easier to fix.
You can also view issue details using the SCA Agent REST API.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select the workspace for which you want to view issues.
- If you want to view issues for an individual project, select Projects, then select a project.
- In the list of issues, select the Issue ID link of the issue for which you want to see details.
The details of the issue appear. They can include library fix information for vulnerabilities, license details for license violations, and update information for out-of-date libraries.
Issues are assigned a severity level that helps you prioritize your actions for remediation. The severity level of vulnerabilities ranges from 1 to 10. You can also filter and customize the view to prioritize the most critical issues. If a scan identifies a malicious library in your code, it assigns a severity level of 10, signaling that the library poses a significant threat to your codebase.
Ignore issues
SCA Agent-based Scan provides accurate, up-to-date vulnerability information, but not all issues apply to your code. For this reason, Veracode SCA allows you to suppress issues if you want to prevent them from causing your build pipeline to fail.
Ignoring issues only impacts your pipeline if you configure your SCA rules to generate an error instead of a warning, and you need to make exceptions that allow you to bypass the error. Ignoring an issue is not the same as closing an issue.
If you ignore an issue, the issue remains ignored in future scans of the project, even if the issue severity changes or a subsequent scan finds a vulnerable method.
For projects linked to application profiles, ignoring an issue has no impact on the status of any mitigation actions for the application. A reviewer still needs to review proposed mitigations in the Veracode Platform or with the Veracode APIs.
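The following is an added example, not Veracode code, that models the ignore semantics described above so you can reason about what a pipeline gate would see: a "forever" ignore persists, a temporary ignore lasts until 11:59 PM UTC on the chosen date, and ignores only change the build outcome when the rule is configured to error rather than warn. The issue IDs, library names and the rule-mode and threshold fields are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timezone
from typing import Optional

@dataclass
class Issue:
    issue_id: str
    library: str
    version: str
    severity: float                       # 1-10; a malicious library is reported as 10
    ignored_forever: bool = False
    ignored_until: Optional[date] = None  # temporary ignore, expires 11:59 PM UTC that day

def ignore_expiry_utc(until: date) -> datetime:
    """Temporary ignores last until 11:59 PM UTC on the selected date."""
    return datetime.combine(until, time(23, 59), tzinfo=timezone.utc)

def is_ignored(issue: Issue, now: datetime) -> bool:
    """Ignore state is independent of severity, so severity is not consulted here."""
    if issue.ignored_forever:
        return True
    if issue.ignored_until is not None:
        return now <= ignore_expiry_utc(issue.ignored_until)
    return False

def evaluate_gate(issues, rule_mode: str, min_severity: float, now: datetime) -> dict:
    """rule_mode 'error' fails the build on any non-ignored issue at or above
    min_severity; 'warning' only reports. Both fields are assumptions of this model."""
    blocking = [i for i in issues if not is_ignored(i, now) and i.severity >= min_severity]
    return {
        "fail": rule_mode == "error" and bool(blocking),
        "blocking": [i.issue_id for i in blocking],
        "ignored": [i.issue_id for i in issues if is_ignored(i, now)],
    }

# Constructed sample issues (not real scan output).
SAMPLE_ISSUES = [
    Issue("ISS-1", "example-utils", "4.17.20", 7.5),
    Issue("ISS-2", "example-typosquat", "1.0.0", 10.0),          # malicious library
    Issue("ISS-3", "example-logger", "2.14.1", 9.8, ignored_until=date(2024, 6, 30)),
    Issue("ISS-4", "example-legacy", "0.9.0", 3.1, ignored_forever=True),
]

if __name__ == "__main__":
    before = datetime(2024, 6, 30, 23, 30, tzinfo=timezone.utc)
    after = datetime(2024, 7, 1, 0, 0, tzinfo=timezone.utc)
    print(evaluate_gate(SAMPLE_ISSUES, "error", 7.0, before))   # ISS-3 still ignored
    print(evaluate_gate(SAMPLE_ISSUES, "error", 7.0, after))    # ISS-3 now blocks
    print(evaluate_gate(SAMPLE_ISSUES, "warning", 7.0, after))  # reported, no failure
```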
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- If you want to view issues for an individual project, select Projects, then select a project.
- Select the checkbox next to the issues you want to ignore.
- Select Actions > Ignore.
- Select Ignore Forever or Ignore Temporarily.
- If you select Ignore Temporarily, select a date. Veracode will ignore the issue until 11:59 PM UTC on the selected date.
- Enter a comment explaining why you are ignoring the issues.
- Select Confirm ignore issue.
- Select Finish.
Results:
Anyone who has access to the workspace can view the comment.
Unignore issues
If you mistakenly ignored an issue or decide that an issue should now be tracked, you can unignore it.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- If you want to view issues for an individual project, select Projects, then select a project.
- To view the list of ignored issues, change the Active issues filter to Ignored.
- Select the ignored issues.
- Select Actions > Unignore.
- Enter a comment explaining why you are unignoring the issues.
- Select Confirm unignore issue.
- Select Finish.
Results:
Anyone who has access to the workspace can view the comment.
Add comments to issues
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- If you want to view issues for an individual project, select Projects, then select a project.
- Select the issue ID.
- Select the Comment action in the top-right corner of the issue detail view.
- Enter your comment in the text box.
- Select Finish.
Results:
The comments now appear in the issue history list.
View comments on issues
A red dot next to the Comment action on the Issue page indicates that there are comments on an issue.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- If you want to view issues for an individual project, select Projects, then select a project.
- Select the issue ID.
- Select the Show History action in the top-right corner of the issue detail view.