Review Vulnerabilities in VS Code
You can review the discovered vulnerabilities for all open-source libraries in your project to see detailed information about the impacted libraries, the vulnerability risk level, and guidance for fixing each vulnerability.
Before you begin:
Ensure you have scanned your project.
To complete this task:
In VS Code, on the Activity bar, select Veracode SCA Scan.
In the VULNERABILITIES view, scroll through the list of library names to see the number of vulnerabilities, by risk level, that the scan detected.
The libraries with the most and highest-risk vulnerabilities are at the top of the list. The icon next to the library name indicates how your project uses the library.
Icon | Description
Direct dependency icon | The library is a direct dependency that your project uses directly. Your project configuration file, such as package.json in an NPM project or pom.xml in a Maven project, has a reference to this library. To fix a vulnerability in a direct dependency, update the library version in the project configuration file and rebuild the project. If the library has one or more Critical or High vulnerabilities, the icon is red.
Transitive dependency icon | The library is a transitive dependency that your project uses indirectly through another dependency. For example, if your project configuration file has a reference to a direct library, and that library depends on a library not referenced in the configuration file, your project indirectly depends on that other library. If the transitive library has a vulnerability, your project is vulnerable. To fix a vulnerability in a transitive library, add a new direct reference in your project configuration file to a safe version of the library. To check whether the new dependency causes any errors, such as breaking the build or producing unexpected results, rebuild and test the project. If the library has one or more Critical or High vulnerabilities, the icon is red.
Optionally, click the filter icon to hide or show vulnerabilities by their severity.
Expand a library to view the detected vulnerabilities.
Vulnerabilities that violate the built-in policy show a Warning icon. Vulnerabilities that do not violate the built-in policy show a checkmark icon.
Click View library details to open the Library Details tab.
This tab provides information about the selected library, such as the latest version available, the known safe version, whether it has vulnerable methods, and a link for additional information about it in the Veracode Vulnerability Database.
Click a vulnerability to open the Vulnerability Details tab.
This tab provides information about the selected vulnerability, such as its CVSS score, the libraries in your project that it affects, a link for additional information about it in the Veracode Vulnerability Database, and the recommended fix.
After fixing a vulnerability, click Rescan in the SCAN OVERVIEW view to confirm that the affected library no longer has that vulnerability.
For example, if a library in an NPM project has a vulnerability, and you update the library in the package.json file to a safe version, click Rescan to confirm that the vulnerability no longer appears for that library.
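The direct-versus-transitive distinction behind the library icons, and the two fixes described above, worked through in a small Node.js script. This is an added example, not code from the Veracode extension; the lockfile content and package names are constructed, and it assumes the flat (hoisted) "packages" layout of an npm package-lock.json so that every installed package sits at node_modules/<name>.

```javascript
// Added example (not part of the Veracode extension): classify installed npm
// packages as direct or transitive, as the VULNERABILITIES view icons do, and
// derive the fix the page recommends for each kind.
// Constructed lockfile with fictitious package names; assumes a hoisted
// package-lock.json v3 "packages" layout (root entry "" lists package.json deps).
const lock = {
  packages: {
    "": { dependencies: { "web-framework": "^4.0.0", "app-logger": "^1.2.0" } },
    "node_modules/web-framework": { version: "4.0.1", dependencies: { "body-reader": "^2.0.0" } },
    "node_modules/body-reader": { version: "2.3.0", dependencies: { "byte-parser": "^1.0.0" } },
    "node_modules/byte-parser": { version: "1.0.4" },
    "node_modules/app-logger": { version: "1.2.0" },
  },
};

// Names in the root entry are exactly what package.json references directly.
function directDependencies(lock) {
  return Object.keys(lock.packages[""].dependencies || {});
}

// Every chain direct -> ... -> target, depth-first; a chain guard stops cycles.
function dependencyPaths(lock, target) {
  const paths = [];
  const walk = (name, chain) => {
    if (chain.includes(name)) return;
    const next = [...chain, name];
    if (name === target) { paths.push(next); return; }
    const entry = lock.packages[`node_modules/${name}`];
    for (const dep of Object.keys((entry && entry.dependencies) || {})) walk(dep, next);
  };
  for (const dep of directDependencies(lock)) walk(dep, []);
  return paths;
}

function classify(lock, name) {
  if (directDependencies(lock).includes(name)) return "direct";
  return dependencyPaths(lock, name).length > 0 ? "transitive" : "not installed";
}

// Recommended action, following the page: bump the version of a direct
// dependency; add a direct reference to a safe version of a transitive one.
function fixAdvice(lock, name, safeVersion) {
  const kind = classify(lock, name);
  if (kind === "direct")
    return { kind, action: `update "${name}" to ${safeVersion} in package.json and rebuild` };
  if (kind === "transitive")
    return { kind, action: `add "${name}": "${safeVersion}" to package.json, then rebuild and test`,
             via: dependencyPaths(lock, name).map((p) => p.join(" > ")) };
  return { kind, action: "no action: library is not in the lockfile" };
}

console.log(fixAdvice(lock, "byte-parser", "1.0.5"));
```

The `via` chains show which direct dependency pulls the vulnerable library in, which is what you would confirm against the Library Details tab before adding the direct reference.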