Prescan web applications and APIs
You can prescan all URLs or API servers in a Dynamic Analysis to verify that we can reach and, if necessary, authenticate with each target web application URL or API endpoint.
Prescanning saves time by alerting you to any issues that Veracode finds with the configuration before the Dynamic Analysis runs.
To complete this task:
- Go to the Schedule page of the Dynamic Analysis workflow and select the Prescan Only option. The prescan starts immediately after submission. When the prescan completes, you receive an email notification of the results. The Dynamic Analysis still starts regardless of the results of the prescan.
- If the prescan fails, check your connections and authentication configuration settings, and run prescan again.
- If you need assistance from Veracode with any of the issues found during prescan, select Contact Support in the bottom-left of the Review and Submit window.
Results:
The prescan results are available on the Dynamic Analysis summary page. You can view the details of the prescan at any time by going to the URL row and either clicking the URL or selecting View Prescan Details in the Actions column.
Additional troubleshooting information is available in the Verification Screenshots section, which provides screenshot images that the Veracode scan engine takes at predetermined points. You can use these images to gain insight into what the scan engine discovers during a Dynamic Analysis. For example, the Authentication: Logged In screenshot can verify that the page on which the scan engine lands after executing the login script matches expectations. The Connection: Target URL screenshot can determine that a login script failed because a page redirects to different content for requests that originate from outside the corporate intranet.
Verification Screenshots
| Screenshot type | Description |
|---|---|
| Connection: Target URL | The web page state seen by the Veracode scan engine at the end of connection verification, at the start of a scan or prescan. |
| Authentication: Consecutive Login Failure | Shown after the Veracode scan engine is unable to log in to a target application after 50 consecutive attempts. |
| Authentication: Logged In | Shown after the Veracode scan engine executes a user-provided Selenium login script. If the best practice of including a verification command in the Selenium script is not followed, the screenshot might show an early snapshot of the page, which might not show what the site really looks like when logged in. |
| Authentication: Logged Out | Shown after the Veracode scan engine executes a user-provided Selenium logout script. Logout scripts are optional, and this screenshot is omitted if one is not specified. |
| Authentication Failure | Shown if the Veracode scan engine encounters an error while verifying authentication using a user-specified login or logout script. |
Prescan Notes
Displays one or more scan notes based on the following severities.
- Information: non-actionable issues encountered by the scan engine.
- Warning: issues that could impact coverage of the scan. For example, a login script that does not contain commands to verify its successful execution could possibly fail in future scans.
- Error: exceptions that have resulted in early scan termination, such as the repeated inability to execute Selenium scripts due to a site changing during a scheduled scan.
Prescan errors
Prescan errors comprise two types: connection errors and authentication errors. You can review any prescan errors for a Dynamic Analysis in the Veracode Platform. All prescan errors relate to connection, auto-login, basic authentication, or login script issues.
The Prescan Details window provides information for fixing a specific error. To open the Prescan Details window, on the Dynamic Analysis summary page, in the row of the URL scan you want to review, select Actions > View Prescan Details.
Connection errors
These tables provide corrective actions for prescan connection and authentication errors. After troubleshooting the problem you are experiencing, verify the Dynamic Analysis configuration and run prescan again. If a failure persists, contact Veracode Technical Support.
| Error message | Definition and corrective actions |
|---|---|
| Unresolvable hostname | Veracode was not able to resolve the hostname. Verify the hostname and try again. |
| Unreachable port | Veracode was not able to reach the destination port. Verify the port and try again. |
| Connection error | Veracode was not able to connect to the target URL. Verify the URL and its connectivity, and try again. |
| Server error | There is an error on the target server. Verify the server is connected and available, and try again. |
| No target found | Veracode did not find the target URL at the site. Verify you have entered the correct URL and try again. |
| Empty response received | Veracode received an empty response from the target URL. Verify the web server is correctly configured and try again. |
| Blocklisted URL | This URL is on the blocklist and will not be analyzed. Enter a new URL. |
| No response from server | Veracode received no response from the host server of the target URL. Verify the URL and its connectivity, and try again. |
| Non-allowlisted URL | This URL is not on the allowlist and will not be analyzed. Enter a new URL. |
| Excessive redirect | This URL has an infinite or excessively long redirection loop and will not be analyzed. Enter a new URL. |
| Timeout error | This URL returned an HTTP protocol-level timeout error indicating there is a problem with network congestion or connection throttling by a proxy server. Verify your network infrastructure and connectivity, and try again. |
| Malformed URL | This URL does not adhere to the URI syntax. Re-enter the URL with the correct syntax. |
| Non-allowlisted URL redirection | The request to the target URL results in a redirection. Verify the URL and try again. |
| Blocklisted URL redirection | The request to the target URL redirects to a URL that is on the blocklist and will not be analyzed. Enter a new URL. |
For connection errors, review:
- In the Connection section, the Authentication Verification, Login Successes, and Login Failures fields for the specific reason why you have an authentication issue
- Request and Response section for any `4xx`-`5xx` response codes
- Prescan Notes for any warning notes
If Veracode cannot connect to the target URL, verify:
- URL is spelled correctly and uses the correct protocol.
- URL is live and available.
- `34.195.146.191` is on your allowlist.
- If there is heavy traffic causing the connection to fail.
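A local pre-flight check for the URL, allowlist, blocklist and redirect errors in the table above, added here as an example (not Veracode code). It takes the target URL and the `Location` headers it returned, in order, and reports which of the page's error messages would apply. Assumptions: the names `preflight` and `_host`, exact host matching, blocklist checked before allowlist, and a limit of 10 redirects.

```python
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10  # assumption: the page gives no threshold for "excessive"

def _host(url):
    """Lowercase hostname of an http(s) URL, or None if it does not parse."""
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()

def preflight(target, locations, allowlist, blocklist):
    """Classify a target URL plus the Location headers it returned, in order.

    Assumptions: exact host matching, blocklist checked before allowlist.
    Returns one of the page's connection error messages, or "OK".
    """
    host = _host(target)
    if host is None:
        return "Malformed URL"
    if host in blocklist:
        return "Blocklisted URL"
    if host not in allowlist:
        return "Non-allowlisted URL"
    seen, current = {target}, target
    for hop, location in enumerate(locations, start=1):
        try:
            current = urljoin(current, location)  # Location may be relative
        except ValueError:
            return "Non-allowlisted URL redirection"  # unparseable, so not allowed
        if hop > MAX_REDIRECTS or current in seen:
            return "Excessive redirect"
        seen.add(current)
        host = _host(current)
        if host in blocklist:
            return "Blocklisted URL redirection"
        if host not in allowlist:
            return "Non-allowlisted URL redirection"
    return "OK"

# Constructed sample: allowed app host, blocked third-party host.
ALLOW, BLOCK = {"app.example.com"}, {"ads.example.org"}
```

Collect the `Location` chain from a machine outside the corporate network, since the page notes that content can differ for requests that originate from outside the intranet.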
Authentication errors
| Error message | Definition and corrective actions |
|---|---|
| Missing credentials | You have not provided any browser-based credentials. Enter the credentials and try again. |
| Invalid credentials | The browser-based credentials you provided are invalid. Verify the credentials and try again. |
| Selenium script failure | The Selenium login script you provided has failed. Record a new script and try again. |
| Browser failure | The browser was unresponsive while executing the login script. Record a new script and try again. |
| Verification text failure | The verification text failed. Verify that the verification text is present on the page after login. |
| Auto-login failure | Auto-login failed. Verify your credentials and try again. |
| Verification text failure | The verification text failed. Edit the login script to provide the verification text that is only present after successful login. |
| Authentication alert | No browser authentication was encountered. Verify the type of authentication necessary for the website and try again. |
| Logout pattern failure | No logout patterns were detected. Verify the logout pattern, ensure that at least one resource that requires authentication is accessible from the target URL. Then, try again. |
| Logout pattern failure | Too many logout patterns were detected. Verify the logout pattern and the authentication credentials, and try again. |
| Logout pattern failure | Veracode could not detect any logout patterns. Contact Veracode Technical Support if this error persists. |
| Logout pattern failure | Veracode detected numerous logout patterns. Verify the logout pattern and authentication credentials, and try again. |
| Blocklisted URL | The login verification is blocklisted. Change the URL or remove it from the blocklist. |
| URL error | Requests to the login verification URL resulted in a network error. Correct the URL and ensure your web server is online. |
| Non-allowlisted URL | The login verification URL is not an allowed host. Change the URL and ensure it is not on the blocklist. |
| Redirection error | Requests to the login verification URL resulted in numerous HTTP redirects. Correct the URL or change the redirects. |
| Unsuccessful response | Requests to the login verification URL resulted in an unsuccessful HTTP response. Correct the URL and ensure your web server is online. |
| Malformed URL | The login verification URL does not adhere to URL syntax. Correct the URL and try again. |
| Non-allowlisted URL | The login verification URL redirects to a URL that is not an allowed host. Correct the URL and try again. |
| Blocklisted URL | The login verification URL redirects to a URL that is on the blocklist. Correct the URL or change the redirects, and try again. |
For authentication errors, review:
- The Authentication Verification, Login Successes, and Login Failures fields for the specific reason why you have an authentication issue
- The Verification Screenshots section for any authentication failure
- The Prescan Notes for any warning notes
If you have provided a login script, you can select a verification screenshot of the associated login errors.
If authentication has failed, verify:
- You are using the correct username, password, and domain (if applicable). The Login Successes and Login Failures fields indicate if auto-login is working.
- Any login script, verification URL, and verification text you provided is still valid. The Authentication Verification field indicates at which point in your script an error occurred, saving you troubleshooting time.
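A lint for the verification-command practice that the Authentication: Logged In screenshot description and the Warning note refer to, added here as an example (not Veracode code). It assumes the login script is a Selenium IDE `.side` JSON project and that `assert*`, `verify*`, `waitForElement*` and `waitForText` commands count as verification; `lint_login_script` and the sample selectors are hypothetical.

```python
import json

# Assumption: Selenium IDE commands with these prefixes count as verification;
# the page does not list which commands the scan engine recognises.
VERIFY_PREFIXES = ("assert", "verify", "waitForElement", "waitForText")
ACTIONS = {"click", "type", "sendKeys", "submit"}

def lint_login_script(side_json):
    """Return (test name, problem) for each test that does not verify login."""
    warnings = []
    for test in json.loads(side_json).get("tests", []):
        names = [c.get("command", "") for c in test.get("commands", [])]
        # Selenium IDE marks a disabled command by prefixing it with "//".
        names = [n for n in names if not n.startswith("//")]
        last_action = max((i for i, n in enumerate(names) if n in ACTIONS),
                          default=-1)
        checks = [i for i, n in enumerate(names) if n.startswith(VERIFY_PREFIXES)]
        if not checks:
            warnings.append((test.get("name"), "no verification command"))
        elif checks[-1] < last_action:
            warnings.append((test.get("name"),
                             "verification runs before the last login action"))
    return warnings

def _cmd(command, target="", value=""):
    return {"command": command, "target": target, "value": value}

# Constructed sample project (hypothetical selectors, text and host).
SAMPLE = json.dumps({"name": "login", "url": "https://app.example.com", "tests": [
    {"name": "verified", "commands": [
        _cmd("open", "/login"),
        _cmd("type", "id=user", "scanner"),
        _cmd("click", "css=button[type=submit]"),
        _cmd("assertText", "id=greeting", "Welcome")]},
    {"name": "unverified", "commands": [
        _cmd("open", "/login"),
        _cmd("type", "id=user", "scanner"),
        _cmd("click", "css=button[type=submit]")]},
    {"name": "early-check", "commands": [
        _cmd("assertTitle", "Sign in"),
        _cmd("click", "css=button[type=submit]"),
        _cmd("//assertText", "id=greeting", "Welcome")]},  # disabled check
]})
```

A script that passes this lint still needs verification text that appears only after a successful login, as the Verification text failure row states.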