Review SCA vulnerabilities in VS Code
You can review the discovered vulnerabilities for all open-source libraries in your project to see detailed information about the impacted libraries, the vulnerability risk level, and guidance for fixing each vulnerability.
Before you begin:
Ensure you have scanned your project.
To complete this task:
In VS Code, on the Activity bar, select Veracode SCA Scan.
In the VULNERABILITIES view, expand Did Not Pass Policy or Pass Policy. You see a list of libraries that passed or did not pass the built-in policy.
Optionally, click the filter icon to hide or show vulnerabilities based on their severity or on how your project uses a vulnerable library.
The libraries with the most and highest-risk vulnerabilities are at the top of the list. The icon next to the library name indicates how your project uses the library.
Icon: Direct dependency. The library is a direct dependency that your project uses directly. Your project configuration file, such as package.json in an NPM project or pom.xml in a Maven project, has a reference to this library. To fix a vulnerability in a direct dependency, update the library version in the project configuration file and rebuild the project.
Icon: Transitive dependency. The library is a transitive dependency that your project uses indirectly through another dependency. For example, if your project configuration file has a reference to a direct library, and that library depends on a library not referenced in the configuration file, your project indirectly depends on that other library. If the transitive library has a vulnerability, your project is vulnerable. To fix a vulnerability in a transitive library, add a new direct reference in your project configuration file to a safe version of the library. To check if the new dependency causes any errors, such as breaking the build or showing unexpected results, rebuild and test the project. Also confirm that the vulnerable version is no longer installed: depending on the package manager, the parent can still resolve to the older version (npm, for example, keeps a nested copy when the parent's version range excludes the safe version), in which case the transitive vulnerability remains.
Expand a library to view the detected vulnerabilities. Vulnerabilities that did not pass the built-in policy show a Warning icon. Vulnerabilities that passed the built-in policy show a checkmark icon.
To view information about the library, select View library details. The Library Details window shows the latest version available, the known safe version, whether it has vulnerable methods, and a link for additional information in the Veracode Vulnerability Database. For a transitive dependency, it also shows the name of the parent dependency.
To view information about a vulnerability, select it. The Vulnerability Details window shows the CVSS score, the affected libraries in your project, a link for additional information in the Veracode Vulnerability Database, and the recommended fix.
After fixing a vulnerability, select Rescan in the SCAN OVERVIEW view to confirm that the affected library no longer has that vulnerability.
For example, if a library in an NPM project has a vulnerability, and you update the library in the package.json file to a safe version, select Rescan to confirm that the vulnerability no longer appears in the VULNERABILITIES view.