Skip to main content

Review SCA vulnerabilities in VS Code

You can review the discovered vulnerabilities for all open-source libraries in your project to see detailed information about the impacted libraries, the vulnerability risk level, and guidance for fixing each vulnerability.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In VS Code, on the Activity bar, select Veracode SCA Scan vs-code-side-bar.png.

  2. In the VULNERABILITIES view, expand Did Not Pass Policy or Pass Policy. You see a list of libraries that passed or did not pass the built-in policy.

  3. Optionally, click the filter icon filter_icon.png to hide or show vulnerabilities based on their severity or how your project uses a vulnerable library.

    The libraries with the most and highest-risk vulnerabilities are at the top of the list. The icon next to the library name indicates how your project uses the library.

    IconDescription
    veracode-usage-direct.svgThe library is a direct dependency that your project uses directly. Your project configuration file, such as package.json in an NPM project or pom.xml in a Maven project, has a reference to this library. To fix a vulnerability in a direct dependency, update the library version in the project configuration file and rebuild the project.
    veracode-usage-transitive.svgThe library is a transitive dependency that your project uses indirectly through another dependency. For example, if your project configuration file has a reference to a direct library and that library has a dependency on a library not referenced in the configuration file, your project indirectly depends on that other library. If the transitive library has a vulnerability, your project is vulnerable. To fix a vulnerability in a transitive library, add a new direct reference in your project configuration file to a safe version of the library. To check if the new dependency causes any errors, such as breaking the build or showing unexpected results, rebuild and test the project.

  4. Expand a library to view the detected vulnerabilities. Vulnerabilities that did not pass the built-in policy show a Warning icon vscode_warning_icon.png. Vulnerabilities that passed the built-in policy show a checkmark icon vscode_checkmark_icon.png.

  5. To view information about the library, select View library details. The Library Details window shows the latest version available, the known safe version, whether it has vulnerable methods, and a link for additional information in the Veracode Vulnerability Database. For a transitive dependency, it also shows the name of the parent dependency.

  6. To view information about a vulnerability, select it. The Vulnerability Details window shows the CVSS score, the affected libraries in your project, a link for additional information in the Veracode Vulnerability Database, and the recommended fix.

  7. After fixing a vulnerability, select Rescan vscode-sca-rescan-icon.png in the SCAN OVERVIEW view to confirm that the affected library no longer has that vulnerability.

    For example, if a library in an NPM project has a vulnerability, and you update the library in the package.json file to a safe version, select Rescan to confirm that the vulnerability no longer appears in the VULNERABILITIES view.