Veracode SCA Upload and Scan
Use Veracode SCA Upload and Scan in the Veracode Platform to perform a Veracode Software Composition Analysis (SCA) of your open-source components. Upload and Scan analyzes both your first-party source code, using Static Analysis, and your open-source components, using SCA, in a single operation. To run policy scans that assess your application's compliance with your organization's security policy, assign security policies to your application profiles.
You can access the SCA scan results after the prescan verification of your application is complete, whether you uploaded the application for Static Analysis or SCA scanning using Upload and Scan. If you only have an SCA license, you can only access the SCA results.
Alternatively, to scan your code early and frequently in your Software Development Lifecycle (SDLC), we recommend using Veracode SCA Agent-based Scan. Agent-based scans provide additional features, such as dependency mapping, vulnerable method detection, and using automated pull requests to resolve vulnerabilities.
Prerequisites
Before you can use SCA Upload and Scan, you must have:
- An active Veracode SCA license.
- A Veracode account with the Executive, Security Lead, or Administrator role.
- An artifact of the application you want to scan. The artifact must meet the packaging requirements, and the files in the artifact must not exceed the upload limits.
Supported languages
SCA Upload and Scan supports the following languages and package managers.
| Language | Supported versions | Package manager artifacts |
|---|---|---|
| Java | JDK and OpenJDK 1.3–1.9, 10–23 | JAR files |
| Scala | See Scala packaging | JAR files |
| Kotlin | See Kotlin packaging | JAR, APK, AAB files. For Android support, see Android packaging. |
| Go | See Go packaging | Glide: glide.lock; GoVendor: vendor/vendor.json; GoDep: godeps/godeps.lock; Trash: trash.lock; Go modules: go.sum; Dep: gopkg.lock. Note: All files or folders must be at the root of your ZIP archive. |
| Python | 2.x, 3.x | Pipenv: Pipfile.lock; Poetry: pyproject.toml and poetry.lock |
| JavaScript, TypeScript | NPM 2.10.0 and later | NPM: package.json and package-lock.json, or package.json and npm-shrinkwrap.json; Yarn: package.json and yarn.lock; Bower: bower_components directory |
| Objective-C | See Apple Platforms packaging | CocoaPods: podfile.lock |
| Swift | See Apple Platforms packaging | CocoaPods: podfile.lock |
| Ruby | Bundler 1.1.0 and later | Bundler: gemfile.lock |
| PHP | 5.3.2 and later, Composer 1.0.0 and later | Composer: composer.lock |
| C#/.NET | See .NET packaging | NuGet: {.NET_project_name}.deps.json (preferred), project.assets.json, or DLL files |
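As an added pre-upload check (example code, not Veracode's own), the following Python script encodes the lock-file rules from the table above and inspects a ZIP artifact for manifests at the archive root, reporting known manifests that sit only in subfolders and would therefore not be read by the scan. The archive contents are constructed sample data; the Java, Scala, Kotlin and .NET rows use build outputs rather than lock files and are left out of the check.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Lock/manifest files that SCA Upload and Scan reads from the ROOT of the ZIP,
# taken from the supported-languages table. Every file in an alternative must be
# present together (package.json alone is not enough). Java/Scala/Kotlin/.NET are
# scanned from JAR/APK/AAB/DLL/deps.json build outputs and are not checked here.
ARTIFACT_RULES: Dict[str, List[List[str]]] = {
    "Go": [["glide.lock"], ["vendor/vendor.json"], ["godeps/godeps.lock"],
           ["trash.lock"], ["go.sum"], ["gopkg.lock"]],
    "Python": [["pipfile.lock"], ["pyproject.toml", "poetry.lock"]],
    "JavaScript/TypeScript": [["package.json", "package-lock.json"],
                              ["package.json", "npm-shrinkwrap.json"],
                              ["package.json", "yarn.lock"]],
    "Objective-C/Swift": [["podfile.lock"]],
    "Ruby": [["gemfile.lock"]],
    "PHP": [["composer.lock"]],
}

def _entries(zip_bytes: bytes) -> Dict[str, str]:
    """Map lower-cased archive path -> original path for every file entry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n.lower(): n for n in zf.namelist() if not n.endswith("/")}

def detect_sca_artifacts(zip_bytes: bytes) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (matched, misplaced): matched maps language -> manifests found at the
    root; misplaced lists known manifests that exist only below the root."""
    entries = _entries(zip_bytes)
    matched: Dict[str, List[str]] = {}
    for lang, alternatives in ARTIFACT_RULES.items():
        for required in alternatives:
            if all(f in entries for f in required):
                matched.setdefault(lang, []).extend(entries[f] for f in required)
    known = {f for alts in ARTIFACT_RULES.values() for alt in alts for f in alt}
    not_at_root = {f for f in known if f not in entries}
    # A manifest nested under a subfolder is ignored by the scan, so its
    # components (and their vulnerabilities) would never be reported.
    misplaced = sorted(entries[p] for p in entries for f in not_at_root
                       if p.endswith("/" + f.rsplit("/", 1)[-1]))
    return matched, misplaced

def build_sample_zip() -> bytes:
    """Constructed sample (not a real project): npm + Go modules at the root, a
    Pipfile.lock buried in src/, and a dependency's own nested package.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in ("package.json", "package-lock.json", "go.sum",
                     "src/Pipfile.lock", "node_modules/left-pad/package.json"):
            zf.writestr(path, "{}")
    return buf.getvalue()
```

Run `detect_sca_artifacts(build_sample_zip())` to see the npm and Go manifests accepted and `src/Pipfile.lock` flagged for moving to the root; the nested `package.json` under `node_modules` is not flagged because the root copy satisfies the rule.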
SCA Upload and Scan workflow
The following workflow lists the tasks for requesting an SCA Upload and Scan through the Static Analysis Upload and Scan workflow.
- Package your application code into an artifact. You can package your application manually, using the packaging guidance for the supported language in which the application is written, or automate packaging using the autopackager.
- Access SCA Upload and Scan.
- Request a scan.
- Upload your packaged artifact to the Veracode Platform.
- Review the prescan results.
- Select the modules to scan.
- Start the scan.
- Review the scan results.
Access SCA Upload and Scan
If you have performed an Upload and Scan of your application, both Static Analysis and SCA scan results are available when you access the SCA pages in the Veracode Platform. To learn more, see review scan results.
Veracode Platform
In the Veracode Platform, from the top menu, select Scans & Analysis > Software Composition Analysis. Then, select the Upload and Scan tab, which is selected by default.
To access SCA Upload and Scan for a specific application, locate and select an application profile. Then, on the application page, select Software Composition Analysis from the left menu.
APIs
- Findings REST API: retrieve and review findings from SCA Upload and Scan.
- SCA Annotations REST API: annotate findings from SCA Upload and Scan, including adding comments and proposing, accepting, and rejecting mitigations.
Request a scan
To request an SCA Upload and Scan in the Veracode Platform, use one of the following methods.
Using Static Analysis Upload and Scan
The simplest method to start an SCA scan is to request a Static Analysis scan and configure SCA scanning options.
From the SCA page
Alternatively, request a scan from the main SCA page in the Veracode Platform.
- Select Scans & Analysis > Software Composition Analysis.
- From the top-right corner of the page, select Start Scan.
- Under Upload and Scan, select Start Scan.
- Create or select an application profile to use for the scan.
- On the application page, select Start a Scan to request a Static Analysis scan and configure SCA scanning options.
Using the API wrappers
uploadandscan.do: automate the SCA Upload and Scan request with the API wrappers.
Scan statuses
The Veracode Platform displays the following scan statuses.
- Scan Initialized: you have submitted the scan, but it has not started yet.
- Scan In Progress: the scan is in progress.
- Scan Failed: the scan encountered an error. Verify that you packaged your application correctly and select Try Again to resubmit the scan without restarting the Static Analysis scan. If the failure persists, contact Veracode Technical Support.
Review the scan results
After scanning an application, access the results in the Veracode Platform to review the detected components, vulnerabilities, and license risks and, optionally, to mitigate vulnerabilities.
Add components to a blocklist
You can create a list of third-party software components that are known to contain unacceptable security vulnerabilities. Components on the blocklist are third-party software code that the organization prohibits.
When a scan finds blocklisted components in applications, the scan results report a scan policy violation. You can label the policy violations as mitigated, or replace the component to resolve the vulnerability.
Before you begin:
- You must have the Security Lead role.
- Ensure the security policy assigned to the application includes the Component Blocklist Enforcement rule.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- On the Upload and Scan tab, select Third-Party Components.
- For each component you want to blocklist, in the Blocklist column, set the switch to ON. The Blocklisted Component window opens.
- Optionally, enter any remediation advice that might help resolve the vulnerability. To update the remediation advice for a component, under the component filename, select Edit next to the advice text line.
- Select Save.
Export scan results
Export and download the SCA scan results in CSV format. The exported file contains details about all components across all applications in your portfolio.
In the report, you might see duplicate vulnerabilities if the same component is found in multiple locations within an application.
The Customizable Report contains Veracode SCA findings for individual applications in PDF format.
The SCA Results report only includes results of scans performed using the upload and scan method. You can export additional data from Veracode SCA findings through Veracode Analytics.
Before you begin:
You must have the Security Lead or Administrator role to access the SCA Results report on the Export Data page.
To complete this task:
- From Scans & Analysis > Veracode Software Composition Analysis, select Data Exports.
- In the Software Composition Analysis (SCA) Results Export row, select Generate Data Export to refresh the report with up-to-date data. The report may take a few minutes to generate. When the report finishes generating, the Last Generated column updates to the current date and time.
- When the up-to-date report is available, select Download Data Export. The report downloads to your browser as an Excel file.