
Review Vulnerabilities in VS Code

You can review the discovered vulnerabilities for all open-source libraries in your project to see detailed information about the impacted libraries, the vulnerability risk level, and guidance for fixing each vulnerability.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In VS Code, on the Activity bar, select the Veracode SCA Scan icon.

  2. In the VULNERABILITIES view, scroll through the list of library names to see the number of vulnerabilities, by risk level, that the scan detected.

    The libraries with the most and highest-risk vulnerabilities are at the top of the list. The icon next to the library name indicates how your project uses the library.

    Direct dependency icon (red if the library has one or more Critical or High vulnerabilities)
    The library is a direct dependency: your project configuration file, such as package.json in an NPM project or pom.xml in a Maven project, references it explicitly. To fix a vulnerability in a direct dependency, update the library version in the project configuration file and rebuild the project.

    Transitive dependency icon (red if the library has one or more Critical or High vulnerabilities)
    The library is a transitive dependency that your project uses indirectly through another dependency. For example, if your project configuration file references a direct library, and that library depends on a library that the configuration file does not reference, your project indirectly depends on that other library. If the transitive library has a vulnerability, your project is vulnerable. To fix a vulnerability in a transitive library, add a new direct reference to a safe version of the library in your project configuration file, then rebuild and test the project to check that the new dependency does not cause errors, such as breaking the build or producing unexpected results. Package managers resolve the resulting version conflict differently: Maven lets the version declared in pom.xml win over the transitive one (nearest definition wins), whereas npm replaces the transitive copy only if the intermediate library's version range accepts the safe version; otherwise npm installs the safe version alongside a nested copy of the vulnerable one, and an npm "overrides" entry is needed to force the version.
  3. Optionally, click the filter icon to hide or show vulnerabilities by their severity.

  4. Expand a library to view the detected vulnerabilities.

    Vulnerabilities that violate the built-in policy show a warning icon. Vulnerabilities that do not violate the built-in policy show a checkmark icon.

  5. Click View library details to open the Library Details tab.

    This tab provides information about the selected library, such as the latest version available, the known safe version, whether it has vulnerable methods, and a link for additional information about it in the Veracode Vulnerability Database.

  6. Click a vulnerability to open the Vulnerability Details tab.

    This tab provides information about the selected vulnerability, such as its CVSS score, the libraries in your project that it affects, a link for additional information about it in the Veracode Vulnerability Database, and the recommended fix.

  7. After fixing a vulnerability, click Rescan in the SCAN OVERVIEW view to confirm that the affected library no longer has that vulnerability.

    For example, if a library in an NPM project has a vulnerability, and you update the library in the package.json file to a safe version, click Rescan to confirm that the vulnerability no longer appears for that library.
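The direct-versus-transitive distinction from step 2, and the question of whether adding a direct reference actually displaces a vulnerable transitive copy in npm, as an added example that is not part of Veracode's documentation or of the extension: a Node.js script that reads a constructed lockfile (package names "acme-http", "acme-qs" and "acme-util", their versions and the safe versions passed to planFix are all hypothetical), classifies each installed library by walking the tree from the root manifest, and plans the fix the page describes for each case. The semver range check covers only the operators in the constructed data, and the tree is assumed to be fully hoisted; both simplifications are marked in the comments.

```javascript
// Added example, not Veracode's code: classify an npm project's libraries as
// direct or transitive from its lockfile and plan the fix described above.
// Everything below (package names, versions, the lockfile) is constructed.

// Constructed lockfile in npm's lockfileVersion 3 shape. The tree is fully
// hoisted (no nested node_modules), so packages resolve by name. The root
// package "" lists the direct dependencies from package.json.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "acme-http": "^2.3.0", "acme-util": "^1.4.0" } },
    "node_modules/acme-http": {
      version: "2.3.1",
      dependencies: { "acme-qs": "~3.1.0", "acme-util": "^1.2.0" },
    },
    "node_modules/acme-qs": { version: "3.1.4", dependencies: { "acme-util": ">=1.0.0" } },
    "node_modules/acme-util": { version: "1.4.2" },
  },
};

function parseVersion(v) {
  return v.split(".").map(Number);
}

// Compare two [major, minor, patch] triples; negative, zero or positive.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal range check for the operators used in the constructed lockfile:
// exact, ^ (same major; 0.x caret rules simplified), ~ (same major.minor), >=.
// Real projects should use the semver package for the full grammar.
function satisfies(version, range) {
  if (range === "*") return true;
  const m = range.match(/^(\^|~|>=)?(\d+\.\d+\.\d+)$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const v = parseVersion(version);
  const base = parseVersion(m[2]);
  switch (m[1]) {
    case ">=": return compare(v, base) >= 0;
    case "~": return v[0] === base[0] && v[1] === base[1] && compare(v, base) >= 0;
    case "^": return v[0] === base[0] && compare(v, base) >= 0;
    default: return compare(v, base) === 0;
  }
}

// Installed package name for a lockfile path ("node_modules/acme-qs" -> "acme-qs").
function nameOf(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Map name -> { version, dependencies } for every installed package.
function indexPackages(lock) {
  const pkgs = {};
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    pkgs[nameOf(path)] = { version: entry.version, dependencies: entry.dependencies || {} };
  }
  return pkgs;
}

// Breadth-first walk from the root: a library named in the root manifest is
// direct, anything else reached through it is transitive. `via` records the
// shortest chain, which is what you would show a reviewer to justify the fix.
function classifyDependencies(lock) {
  const pkgs = indexPackages(lock);
  const rootDeps = lock.packages[""].dependencies;
  const result = {};
  const queue = Object.keys(rootDeps).map((name) => [name, [name]]);
  while (queue.length) {
    const [name, chain] = queue.shift();
    if (result[name] || !pkgs[name]) continue;
    result[name] = {
      kind: name in rootDeps ? "direct" : "transitive",
      version: pkgs[name].version,
      via: chain,
    };
    for (const dep of Object.keys(pkgs[name].dependencies)) queue.push([dep, [...chain, dep]]);
  }
  return result;
}

// Plan the fix for one vulnerable library. For a transitive library, adding a
// direct reference only replaces the vulnerable copy if every dependent's
// range admits the safe version; otherwise npm keeps a nested vulnerable copy
// and an "overrides" entry (or an upgrade of the dependent) is needed.
function planFix(lock, name, safeVersion) {
  const info = classifyDependencies(lock)[name];
  if (!info) return { action: "not-installed" };
  const edit = `"${name}": "^${safeVersion}"`;
  if (info.kind === "direct") return { action: "update-direct", edit };
  const blockers = Object.entries(indexPackages(lock))
    .filter(([, p]) => name in p.dependencies && !satisfies(safeVersion, p.dependencies[name]))
    .map(([parent, p]) => `${parent} requires ${name}@${p.dependencies[name]}`);
  return { action: "add-direct", edit, via: info.via.join(" -> "), resolves: blockers.length === 0, blockers };
}

console.log(classifyDependencies(LOCKFILE));
console.log(planFix(LOCKFILE, "acme-qs", "3.2.0")); // resolves: false, blocked by acme-http's ~3.1.0
console.log(planFix(LOCKFILE, "acme-qs", "3.1.7")); // resolves: true
```

Run it with node. When planFix reports resolves: false, a plain direct reference leaves the nested vulnerable copy in place and the rescan in step 7 will not show the vulnerability as fixed; pin the version with an npm "overrides" entry (npm 8.3 and later) or upgrade the intermediate library, then rebuild and rescan. Maven projects do not need this step, because the version declared directly in pom.xml takes precedence over the transitive one.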