SCA Upload and Scan

Use Veracode SCA Upload and Scan in the Veracode Platform to perform a Veracode Software Composition Analysis (SCA) of your open-source components as part of a Veracode Upload and Scan. Upload and Scan analyzes both your first-party source code, using Static Analysis, and your open-source components, using SCA, in a single operation. To run policy scans that assess your application's compliance with your organization's security policy, apply security policies to your scans.

You can access the SCA scan results after the prescan verification of your application is complete, whether you uploaded the application for Static Analysis or SCA scanning using Upload and Scan. If you only have an SCA license, you can only access the SCA results.

Alternatively, to scan your code early and frequently in your Software Development Lifecycle (SDLC), we recommend using Veracode SCA agent-based scanning. Agent-based scans provide additional features, such as dependency mapping, vulnerable methods, and automated pull requests.

Prerequisites

Before you can use SCA Upload and Scan, you must have:

  • An active Veracode SCA license.
  • A Veracode account with the Executive, Security Lead, or Administrator role.
  • An artifact of the application you want to scan. The artifact must meet the packaging requirements, and the files in the artifact must not exceed the upload limits.

Supported languages

SCA Upload and Scan supports the following languages and package managers.

| Language | Supported versions | Package manager artifacts |
| --- | --- | --- |
| Java | JDK and OpenJDK 1.3–1.9, 10–17 | JAR files |
| Scala | See Scala packaging | JAR files |
| Kotlin | See Kotlin packaging | JAR, APK, AAB files. For Android support, see Android packaging. |
| Go | See Go packaging | Glide: glide.lock; GoVendor: vendor/vendor.json; GoDep: godeps/godeps.lock; Trash: trash.lock; Go modules: go.sum; Dep: gopkg.lock. Note: all files or folders must be at the root of your ZIP archive. |
| Python | 2.x, 3.x | Pipenv: pipfile.lock; Poetry: pyproject.toml and poetry.lock |
| JavaScript, TypeScript | NPM 2.10.0 and later | NPM: package.json and package-lock.json, or package.json and npm-shrinkwrap.json; Yarn: package.json and yarn.lock; Bower: bower_components directory |
| Objective-C | See Apple Platforms packaging | CocoaPods: podfile.lock |
| Swift | See Apple Platforms packaging | CocoaPods: podfile.lock |
| Ruby | Bundler 1.1.0 and later | Bundler: gemfile.lock |
| PHP | 5.3.2 and later, Composer 1.0.0 and later | Composer: composer.lock |
| C#/.NET | See .NET packaging | NuGet: {.NET_project_name}.deps.json (preferred), project.assets.json, or DLL files |

SCA Upload and Scan workflow

The following workflow explains the tasks for requesting an SCA Upload and Scan through the Static Analysis Upload and Scan workflow.

Access SCA Upload and Scan

If you have performed an Upload and Scan of your application, both Static Analysis and SCA scan results are available when you access the SCA pages in the Veracode Platform. To learn more, see review scan results.

Veracode Platform

In the Veracode Platform, from the top menu, select Scans & Analysis > Software Composition Analysis. Then, select the Upload and Scan tab, which is selected by default.

To access SCA Upload and Scan for a specific application, locate and select an application profile. Then, on the application page, select Software Composition Analysis from the left menu.

APIs

Request a scan

To request an SCA Upload and Scan in the Veracode Platform, use one of the following methods.

Using Static Analysis Upload and Scan

The simplest method to start an SCA scan is to request a Static Analysis scan and configure SCA scanning options.

From the SCA page

Alternatively, request a scan from the main SCA page in the Veracode Platform.

  1. Select Scans & Analysis > Software Composition Analysis.
  2. From the top-right corner of the page, select Start Scan.
  3. Under Upload and Scan, select Start Scan.
  4. Create or select an application profile to use for the scan.
  5. On the application page, select Start a Scan to request a Static Analysis scan and configure SCA scanning options.

Using the API wrappers

uploadandscan.do: automate SCA Upload and Scan requests with the API wrappers.

Scan statuses

The Veracode Platform displays the following scan statuses.

  • Scan Initialized: you have submitted the scan, but it has not started yet.
  • Scan In Progress: the scan is in progress.
  • Scan Failed: the scan encountered an error. Verify that you packaged your application correctly and select Try Again to resubmit the scan without restarting the Static Analysis scan. If the failure persists, contact Veracode Technical Support.

Review the scan results

After scanning your applications, review the vulnerabilities and information about the scanned open-source components.

Detailed composition information is organized as follows:

You might want to review your application portfolio to determine which applications are passing or failing policy.

You can also access the SCA findings with the Findings REST API.

Review scanned applications

The Applications tab provides a portfolio view of the vulnerability status of your applications and whether the applications are meeting the associated policies. The list of applications indicates who submitted the scan and the level of severity for each of the vulnerabilities found.

A color-coded shield icon in the Policy Control column of the Applications tab indicates the policy status of the application and whether it is meeting the requirements of its assigned policy. The colors green, orange, and red indicate passing, conditional pass, and failing. The number of components within the application that are in violation of this policy is also listed. To view the details of the associated policy and its rules, select the blue ? icon.

To include agent-based scan findings in the policy for your application, you can link your project to an application.

Use the filter function to find applications by CVE ID, application name, blocklist presence, component name, severity, or any combination of these filters. If you switch tabs after filtering data, the filter sorts the content in the new tab unless you clear the filter. If you are an enterprise customer, you see the name of the software vendor before the application name for third-party applications.

Review third-party components

The Third-Party Components tab lists all the third-party components in your applications, and provides version, usage, license risk, and known vulnerability information.

The list of components shows the filename and an at-a-glance view of the severity of each vulnerability that Veracode found in each component. The Count column shows you how many times a component is used across all of your applications. The License column details the first license Veracode found for the component, and a risk rating Veracode assigned for the license.

Use the filter to find components by CVE ID, number of affected applications, blocklist presence, component name, severity, or any combination of these filters. If you sort by number of known vulnerabilities by severity, the components in the grid are sorted by total severity. If you switch tabs after filtering data, the filter sorts the content in the new tab unless you clear the filter. The Blocklist switch is only visible to users with the Security Lead role.

note

If you scanned a JavaScript application that uses both Bower and NPM package managers, and a component exists in both the bower_components and node_modules folders, Veracode SCA displays both of the components individually.

Component details

Select a component filename to view the following information about the component.

  • Other Versions: a list of all known versions of this component, an indication of whether that component is currently in your application portfolio, and the known vulnerabilities in that component.
  • Vulnerabilities: the list of vulnerabilities in this component as well as its severity, CVE ID, CWE ID, and description.
  • Dependent Applications: lists any applications that contain this component, the policy associated with that application, and a color-coded shield icon that indicates if the application is in compliance with its policy.

Review component license risk

SCA discovers details about the licenses associated with the open-source components in your application. You can use this information to further investigate your license obligations. Before using third-party, open-source components, we recommend reviewing the license and associated risk to understand the implications of using the component in your application.

The Third-Party Components tab displays all licenses found for a component. If a component has multiple licenses, select the Show More link to view all licenses. In addition to the results that Veracode provides, you should also perform your own investigation, because the contents in a file could be subject to different or additional licenses.

Select the link in the License column of a third-party component to go to the Open Source Initiative website for details about the license. You can also filter your third-party component data by risk rating. Use the filter function on the Third-Party Components tab to list applications by CVE ID, component, application name, or any combination of these filters.

To prevent an application from passing policy when a scan detects any license with the specified risk rating, add a license rule to your policy.

For additional component details, such as vulnerable methods and dependency graphs, use SCA agent-based scanning.

Review vulnerabilities and malicious libraries

The Vulnerabilities tab lists all the vulnerabilities in your portfolio by CVE and severity rating, including malicious libraries in your code, helping you determine whether a library poses a significant threat.

This tab provides detailed information about all known vulnerabilities in your portfolio. It sorts vulnerabilities by severity and lists the associated Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) IDs. It also includes a severity count and a description for each entry. The description field provides links to the affected applications and components.

Use the filter function to list applications by CVE ID, application name, component, or any combination of these filters. If you switch tabs after filtering data, the filter sorts the content in the new tab unless you clear the filter. Select the CVE or CWE ID link in the table to view additional information in the National Vulnerability Database (NVD) or MITRE CWE list, respectively.

For additional component details, such as vulnerable methods and dependency graphs, use SCA agent-based scanning.

Vulnerability data sources

The Veracode Platform may list two different data sources in the Vulnerability column: a CVE ID indicates that the vulnerability came from the NVD, and an SRCCLR ID indicates that the vulnerability came from the SCA Vulnerability Database.

Vulnerability updates

The Veracode Platform makes daily updates to the vulnerabilities list to reflect any changes in the National Vulnerability Database or the Veracode SCA Vulnerability Database, so that you have the latest information on third-party component vulnerabilities in your applications. In turn, SCA results and related dashboards, such as Governance, Risk, and Compliance (GRC) systems, are updated to reflect any new vulnerabilities. You do not need to rescan your applications to reflect the latest vulnerability changes. Veracode recommends that you review your SCA policy compliance after every vulnerability update.

Veracode also sends an email to users when a newly identified or upgraded vulnerability affects your policy.

To receive SCA email notifications, navigate to Your Account Settings, enter your email address, and select I wish to receive email notifications when a newly identified vulnerability or change in severity causes my application to violate policy.

note

The link to the Veracode Platform provided in the email notification is only accessible to users with the Security Lead role.

Filter results by CVSS versions

To see how different versions of the Common Vulnerability Scoring System (CVSS) affect the severity of the detected licenses and vulnerabilities, on the Third-Party Components or Vulnerabilities tabs, select a CVSS version from the Display dropdown menu. By default, the selected CVSS version is the one associated with your organization.

You can apply version 3 of the CVSS to your policies. The severity ratings are based on CVSS version 3.

If your organization is still using CVSS v2, you must contact Veracode Technical Support to switch to CVSS v3. The CVSS version can determine whether a vulnerability causes an application to fail policy.

After updating the scoring system, Veracode determines policy evaluations for all future scans of your applications based on the new CVSS version.

Assess the scan results against your security policy

Review which of your components are passing, or not passing, the security requirements defined by the SCA policy rules in your security policy.

Include SCA findings in your security policy

Restrict an application from using vulnerable third-party components by adding requirements to your security policy. You can also enforce that the application must not exceed maximum CVSS scores or license risk and must meet grace period requirements to pass policy.

If you add an SCA policy rule to a policy already assigned to applications, the Veracode Platform recalculates their policy compliance status. This change can cause applications that have not been rescanned to change from a passing status to a failing status.

Before you begin:

To complete this task:

  1. To add SCA findings in your policy, create a custom policy or edit an existing custom policy.

  2. In the Rules section, add one or more of the following SCA rules.

    • Component Blocklist Enforcement: automatically prevent an application from passing policy if a scan detects blocklisted components. To see which components are blocklisted, select View Blocklist.
    • Component Licenses: automatically prevent an application from passing policy if a scan detects any license that doesn't meet the defined requirements.
    • Vulnerability CVSS Score: automatically prevent an application from passing policy if a scan detects any vulnerability with the specified CVSS score or higher.
  3. Set the grace periods to apply to SCA rules.

  4. Finish creating or editing the policy.
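The rules above, together with the CVSS version selection, grace periods, approved mitigations and the CVE/SRCCLR data sources described earlier, can be modelled to see how they combine. The following is an added illustrative example, not Veracode's own evaluation logic or code; the components, identifiers and scores are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Constructed model of how the SCA policy rules above combine (blocklist, license
# risk, CVSS threshold under the selected CVSS version, grace period, approved
# mitigations). Illustrative only, not Veracode's own evaluation logic.
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Vulnerability:
    vuln_id: str                      # CVE ID (NVD) or SRCCLR ID (SCA Vulnerability Database)
    cvss_v2: float
    cvss_v3: float
    first_seen: date                  # first detection; the grace period runs from here
    mitigation: Optional[str] = None  # e.g. "Accept the Risk (proposed)" until approved

@dataclass
class Component:
    filename: str
    license_risk: str                 # "low", "medium" or "high"
    blocklisted: bool
    vulns: list

@dataclass
class Policy:
    blocklist_enforcement: bool
    max_license_risk: str             # highest license risk that still passes
    cvss_threshold: float             # a score at or above this violates the rule
    cvss_version: int                 # 2 or 3, as selected for the organization
    grace_period_days: int

def data_source(vuln_id: str) -> str:
    return "NVD" if vuln_id.upper().startswith("CVE-") else "SCA Vulnerability Database"

def mitigation_accepted(mitigation: Optional[str]) -> bool:
    # A proposed mitigation still counts against policy until a Mitigation Approver approves it.
    return mitigation is not None and "(proposed)" not in mitigation

def component_violations(c: Component, p: Policy, today: date) -> list:
    """One message per policy violation in a single component."""
    out = []
    if p.blocklist_enforcement and c.blocklisted:
        out.append(f"{c.filename}: blocklisted component")
    if RISK_ORDER[c.license_risk] > RISK_ORDER[p.max_license_risk]:
        out.append(f"{c.filename}: license risk {c.license_risk} exceeds {p.max_license_risk}")
    for v in c.vulns:
        if mitigation_accepted(v.mitigation):
            continue                  # approved mitigation: excluded from the policy status
        score = v.cvss_v3 if p.cvss_version == 3 else v.cvss_v2
        if score < p.cvss_threshold or (today - v.first_seen).days <= p.grace_period_days:
            continue                  # below the threshold, or still inside the grace period
        out.append(f"{c.filename}: {v.vuln_id} [{data_source(v.vuln_id)}] CVSSv{p.cvss_version} {score}")
    return out

def policy_status(components: list, p: Policy, today: date):
    """Return ("passing" | "failing", violations) for a whole application."""
    violations = [m for c in components for m in component_violations(c, p, today)]
    return ("failing" if violations else "passing"), violations

# Constructed sample application; the identifiers are placeholders, not real findings.
TODAY = date(2024, 6, 1)
SAMPLE_APP = [
    Component("lib-parser-1.2.jar", "low", False, [
        Vulnerability("CVE-0000-00001", cvss_v2=6.8, cvss_v3=9.8, first_seen=date(2024, 1, 1))]),
    Component("lib-http-3.0.jar", "medium", False, [
        Vulnerability("SRCCLR-SID-00000", cvss_v2=7.5, cvss_v3=8.1, first_seen=date(2024, 5, 25)),
        Vulnerability("CVE-0000-00002", 9.0, 9.1, date(2023, 1, 1), mitigation="Accept the Risk")]),
]
POLICY_V3 = Policy(True, "medium", 7.0, 3, 30)   # CVSSv3, fail at 7.0 or higher, 30-day grace
```

Running `policy_status(SAMPLE_APP, POLICY_V3, TODAY)` fails the application on the first CVE alone: the second finding is still inside its grace period and the third has an approved mitigation. The same application passes under an otherwise identical CVSSv2 policy because the first finding scores 6.8 there, which is the effect the CVSS version section describes.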

Remediate vulnerabilities

The following guidelines can help you lower your application risk.

  • Download the latest or least-vulnerable version of the component. The latest version of the component is not always the least vulnerable.
  • Replace the vulnerable component with a different component with similar functionality.
  • Use environmental controls to suppress application risk. If you are using the vulnerable portion of the component, try a workaround.
  • Mitigate the functionality of the vulnerability or license in the component.
  • Build your own secure component.

Mitigate findings

Use mitigation actions to temporarily address vulnerabilities you won't resolve.

After you identify a finding as mitigated, users in your organization with the Mitigation Approver role can accept or reject the mitigations. Accepting the mitigated findings removes them from the determination of the policy status.

note

Mitigating SCA findings in development sandboxes is not supported.

The SCA mitigation workflow involves:

  1. Review vulnerabilities and propose mitigations.
  2. Review licenses and propose mitigations.
  3. Accept or reject mitigations.
  4. Review mitigated findings.

You should not consider mitigations as long-term fixes for application security findings. Environmental changes or new attack techniques can render ineffective many mitigating factors, including network and operating system mitigations. Veracode recommends that you use mitigations as part of a long-term plan to remediate the flaws in the code.

Mitigate vulnerabilities

You can take mitigation actions to temporarily address the vulnerabilities found in the latest Veracode Software Composition Analysis (SCA) scan of your application.

To complete this task:

  1. Go to Scans & Analysis > Software Composition Analysis to view which of your applications are violating your policy.

  2. After you select an application, from Third-Party Components, select a component filename to investigate the vulnerabilities found in the component. The Component Profile opens, where you can view additional information about the component, including other versions of the component, component vulnerabilities, and applications that depend on the component.

  3. After you address the vulnerability, you must specify the reason or method you took to address it. From Application > Vulnerabilities, search by CVE ID, Severity, or Component Filename, and select one or more vulnerabilities to flag as mitigated.

  4. From the Action menu, select one of the following action types:

    • Mitigate by Environment to state that an environmental control provided by the operating system hosting the application addressed the vulnerability.
    • Mitigate by Design to state that custom business logic within the body of the application, which might not be fully identifiable by an automated process, addressed the vulnerability.
    • Potential False Positive to state that Veracode has incorrectly identified a vulnerability.
    • Accept the Risk to state that your business has evaluated the potential risk and effort required to address the vulnerability and is willing to accept the associated risk.
    • Comment to communicate information about the vulnerability to your team without applying mitigations. If you use TSRV (Technique, Specifics, Remaining Risk, and Verification) format for mitigation proposals, Veracode prompts you to enter details about the mitigation.

    The mitigation type is displayed in the Mitigation column after you apply an action. All mitigations are displayed with a (proposed) notation after the mitigation type until the mitigation is approved by a member of your team with the Mitigation Approver role.

  5. To view the mitigation history of a component, select the Component Filename, and go to History on the Component Profile.

Component mitigation information by severity is also available from Application > Software Composition Analysis > Third-Party Components. Hover over vulnerabilities with an asterisk to view a tooltip with mitigation information.

Next steps:

A Mitigation Approver can approve or reject your proposed mitigations.

Mitigate license risk

Use mitigation actions to temporarily address license risks.

Before you begin:

You must have the Reviewer or Security Lead role.

To complete this task:

  1. In the Veracode Platform, go to Scans & Analysis > Software Composition Analysis.

  2. Select an application from the Applications list.

  3. Select Licenses.

  4. Select the licenses on which you want to perform a mitigation action.

  5. Select one of these actions from the Mitigation Actions dropdown:

    • Mitigate as Approved by Legal: the legal team of your organization has determined this license to be acceptable.
    • Mitigate as Commercially Licensed: the library has a dual license, both open-source and commercial, and this application contains the commercial version.
    • Mitigate as Experimental: your development team is experimenting with the functionality of the library and will not violate license terms by using it in production.
    • Mitigate as Internal Use: the license terms permit internal use of the library.
    • Accept the Risk: your business is willing to accept the risk associated with this license.
    • Comment: communicate information about the license to your team without applying mitigations.
  6. Select Apply.

  7. Enter a comment with details about the mitigation.

  8. Select Continue. The mitigation type and status appear in the Mitigation column of the Licenses table and in the History tab of the component profile.

Next steps:

A user with the Mitigation Approver role must approve any proposed mitigations to apply them.

Approve or reject mitigations

Approve or reject mitigations that your team proposed on the findings.

Before you begin:

You must have the Mitigation Approver role.

To complete this task:

  1. In the [application profile](../02_getting_started/09_platform_basics/10_manage_app_portfolio/README.md), select Mitigations from the left pane.

  2. Select Mitigated Component Licenses or Mitigated Component Vulnerabilities.

  3. Under Proposed, select one or more vulnerabilities or licenses on which you want to take action.

  4. Select one of these actions:

    • Approve to accept the proposed mitigation.
    • Reject to reject the proposed mitigation.
    • Comment to enter additional information about the proposed mitigation. You must enter a comment when you approve or reject mitigations.
  5. Select Continue.

Next steps:

To view the mitigation history of a component, select History on the Component Profile.

You can also view component mitigation information by severity from Third-Party Components. Hover over findings with an asterisk to view a tooltip with mitigation information.

Export scan results

Export and download the SCA scan results in CSV format. The exported file contains details about all components across all applications in your portfolio.

note

In the report, you might see duplicate vulnerabilities if the same component is found in multiple locations within an application.

The Customizable Report contains Veracode SCA findings for individual applications in PDF format.

The SCA Results report only includes results of scans performed using the upload and scan method. You can export additional data from Veracode SCA findings through Veracode Analytics.

Before you begin:

You must have the Security Lead or Administrator role to access the SCA Results report on the Export Data page.

To complete this task:

  1. From Scans & Analysis > Veracode Software Composition Analysis, select Data Exports.
  2. In the Software Composition Analysis (SCA) Results Export row, select Generate Data Export to refresh the report with up-to-date data. The report may take a few minutes to generate. When the report finishes generating, the Last Generated column updates to the current date and time.
  3. When the up-to-date report is available, select Download Data Export. The report downloads to your browser as an Excel file.