
Scan code in the Veracode Platform

Use Upload and Scan to perform Static Analysis scans of your application source code and Software Composition Analysis (SCA) scans of your open source components. You can configure the scans to run against security policies, and create policy scans that ensure your applications comply with your organization's security requirements. To access the SCA scan results, you must have an SCA license and your Veracode account must have the required user roles.

If you want to scan during testing, outside your production environment, you can scan in a development sandbox.

You can also perform Static Analysis scans with the Veracode APIs or use the Veracode integrations to add static scanning to your IDEs, build systems, SCM tools, and ticketing systems. The Pipeline Scan provides another method of adding Static Analysis to your development pipelines.

Prerequisites

Before you begin, ensure you meet the requirements for Upload and Scan.

Quickstart

To quickly run your first Static Analysis in the Veracode Platform using a demo application, see the quickstart.

Scanning workflow

The scanning workflow has two parts: requesting a Static Analysis scan in the Veracode Platform, and reviewing the scan results. The sections below walk through each step in order.

Request a scan

You can request a Static Analysis scan, which also performs an SCA scan during the prescan verification, from the Applications page in the Veracode Platform.

To complete this task:

  1. In the Veracode Platform, from the My Portfolio dropdown, select Applications.
  2. Select the application name in the Applications list.
  3. Select Start a Static Scan from the Start a Scan dropdown. The Static Scan Configuration page opens for you to provide scan information.
  4. You can change the name of the scan and configure optional metadata about the scan on the Static Scan Configuration page. Additionally, you can configure the Auto-Scan setting.

By default, the Auto-Scan option is on. When the setting is on, Veracode automatically moves directly to the full scan after the prescan completes successfully, using the recommended modules selection. This action allows the Veracode Platform to accelerate your scan process.

To turn Auto-Scan off so that you can manually select modules and start scans, change the Auto-Scan after Prescan option on the Static Scan Configuration page, or while the prescan is running.

Upload a packaged application

When uploading applications to the Veracode Platform for scanning, follow the packaging requirements.

Before you begin:

Ensure your uploaded files meet the limit requirements.

If you have any problems uploading files, contact Veracode Technical Support.

Include any non-standard or third-party libraries needed to resolve references. Do not upload cross-platform files or applets, which Veracode does not scan. We recommend that you create a separate application profile for each version of the application on the Veracode Platform and scan each profile separately.

To complete this task:

  1. On the Upload Files page, select Select Files.
  2. Browse to the directory containing the compiled files or binaries, including their dependencies.
  3. Select Upload.
  4. Repeat this process until you have selected all required files. To upload a collection of files, upload a ZIP, TAR, or TAR.GZ archive. You can also drag and drop one or more files to the Upload Files page.
  5. After uploading your files, select Next at the bottom of the page. We automatically perform a prescan verification of your application, and you can review the prescan results. If you selected Auto-Scan, the scan starts immediately after prescan verification.

Review the prescan results

When prescan verification is complete, the prescan results page displays the estimated scan completion time. The estimated completion time dynamically updates as you select modules. The SCA scan results are also available.

On the Application page, the Status column shows the following messages.

Prescan Error: prescan identified one or more problems that prevent Veracode from proceeding with the scan.

Prescan Warning: prescan identified one or more problems that might degrade the quality of the scan results, but do not prevent Veracode from proceeding with the scan.

Prescan Validated: prescan did not identify any problems and Veracode can proceed with the scan.

To learn more about these messages, see Prescan status messages.

Export prescan results

Optionally, you can save the list of prescan findings as a text file to share prescan information.

To complete this task:

  1. Select the Export Module List link at the bottom of the page.
  2. Use the Save As menu item in the browser to save the file to your local system.
  3. To return to the list of modules, select the Back button in the browser.

Detect permissions for mobile apps

You can submit your application for Mobile Behavioral Analysis in the Veracode Platform. The results provide details about the permissions granted to the application. You use this information to decide if the permissions are appropriate for your application.

To complete this task:

  1. Package your application according to the packaging guidance.
  2. Sign in to the Veracode Platform.
  3. Select Start a Scan > Static Analysis.
  4. Upload your application.
  5. After the prescan is complete, select the Advanced Mode tab.
  6. For Apple Platform applications, you do not have to modify your module selection to include Mobile Behavioral Analysis.
  7. To download the findings in XML or CSV format, select Download.

Select modules to scan

You can scan modules that Veracode selects by default or change the selection using the Advanced Mode.

After prescan verification is complete, the Review Modules page displays information about the scannable modules within the application. Veracode performs a default module selection based on the structure of the application identified during prescan verification. If you have scanned this application previously, Veracode remembers the modules you selected in previous scans and automatically populates the configuration of subsequent scans of this application with that selection.

To complete this task:

  1. From the File Selection dropdown menu, select Previous Selection to use the file selection used in the previous scan, or select Veracode Default if you want to use the Veracode recommended module selection.

  2. In most cases, Veracode recommends using the default module selection. However, if you want to change your selection, select the Advanced Mode tab, which shows a list of all the modules uploaded and their statuses.

    Each module has one of these status values:

    • Validated: Veracode checked the module and the module is ready to be scanned.
    • Non-blocking issue: Veracode checked the module. The module has one or more issues that can impair the quality of results but do not prevent the scan from proceeding. The status column displays a summary of the issue.
    • Blocking error, shown in red highlight: Veracode has checked the module and has identified one or more issues that prevent it from being scanned. The status column displays a summary of the issue.

    You can filter the list of modules to show only the modules in error status, shown in red or yellow.

  3. To view details about blocking errors or non-blocking issues, select the status text. The status messages provide detailed information about the error or issue as well as the guidance for resolving specific error messages.

Review the module selection

If you have scanned an application previously, you can view the differences between the files you uploaded last time, and the files you uploaded this time. This view allows you to verify you are reviewing the same files as the previous upload. For the most consistent results, we recommend scanning the same files between scans.

From the Application Overview page, select Review Modules in the left navigation menu. The differences are displayed in a table called File Upload Information.

See View changes between file uploads for more information.

View changes between file uploads

For the most consistent results, Veracode recommends that you scan the same files between scans. If you have scanned an application previously, you can view the differences between the files you uploaded in the most recent scan and the files you uploaded in the prior scan.

From the Advanced Mode > Modules tab, you can view information about the differences in uploads. In the File Upload Information table, you can view module changes from the current and previous upload.

The color indicators on the left of the modules specify the type of change that occurred in the module since the last time you uploaded your application.

  • Yellow: there was a modification in the module.
  • Blue: indicates that there is a new module.
  • Gray: indicates that no change occurred in the module.

Note: You can also view module upload changes between two subsequent sandbox scans. However, if you promote the sandbox to a policy scan, you cannot view the changes between the sandbox and policy scan.
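The three color indicators above are a per-module comparison of the previous and current uploads. The script below is an added illustration of that comparison (it is not Veracode's code and does not call the Veracode Platform); it fingerprints each module with SHA-256, labels every module in the current upload as modified, new, or unchanged, and, as an addition the page's table does not show, also lists modules that were in the previous upload but are missing now. The two manifests are constructed sample data.

```python
"""Classify module changes between two uploads the way the File Upload
Information table does. Added example; manifests below are constructed."""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample manifests: module name -> bytes of the uploaded file.
# In practice you would read the real artifacts from your build output.
PREVIOUS_UPLOAD: Dict[str, bytes] = {
    "app-core.jar": b"core build 41",
    "app-web.war": b"web build 41",
    "lib/commons-io.jar": b"commons-io 2.11",
    "lib/old-util.jar": b"old-util 1.0",  # dropped from the current build
}
CURRENT_UPLOAD: Dict[str, bytes] = {
    "app-core.jar": b"core build 42",     # rebuilt: contents changed
    "app-web.war": b"web build 41",       # byte-identical to last upload
    "lib/commons-io.jar": b"commons-io 2.11",
    "app-batch.jar": b"batch build 42",   # not present in the last upload
}

# Colors as described on the page for the File Upload Information table.
COLOR_BY_CHANGE = {"modified": "Yellow", "new": "Blue", "unchanged": "Gray"}


def fingerprint(data: bytes) -> str:
    """SHA-256 of the module contents; equal digests mean no change."""
    return hashlib.sha256(data).hexdigest()


def classify_modules(previous: Dict[str, bytes],
                     current: Dict[str, bytes]) -> Dict[str, str]:
    """Return {module: 'modified' | 'new' | 'unchanged'} for every module
    in the current upload, compared against the previous upload."""
    prev_hashes = {name: fingerprint(blob) for name, blob in previous.items()}
    result: Dict[str, str] = {}
    for name, blob in current.items():
        if name not in prev_hashes:
            result[name] = "new"
        elif prev_hashes[name] != fingerprint(blob):
            result[name] = "modified"
        else:
            result[name] = "unchanged"
    return result


def missing_modules(previous: Dict[str, bytes],
                    current: Dict[str, bytes]) -> List[str]:
    """Modules present last time but absent now. Assumption: the page's table
    only lists current modules, so these are reported separately."""
    return sorted(set(previous) - set(current))


def upload_report(previous: Dict[str, bytes],
                  current: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Rows of (color, module, change) sorted by module name."""
    changes = classify_modules(previous, current)
    return [(COLOR_BY_CHANGE[change], name, change)
            for name, change in sorted(changes.items())]


if __name__ == "__main__":
    for color, name, change in upload_report(PREVIOUS_UPLOAD, CURRENT_UPLOAD):
        print(f"{color:7} {name:22} {change}")
    for name in missing_modules(PREVIOUS_UPLOAD, CURRENT_UPLOAD):
        print(f"missing {name:22} not in current upload")
```

Any Yellow or Blue row, and any missing module, is a change you should be able to explain (a rebuild, a new component, a dropped dependency) before starting the scan, since the page's guidance is that consistent results come from scanning the same files between scans.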

Re-upload modules in error status

You can change uploaded files or upload additional files.

To complete this task:

  1. Select Update/Remove Files.
  2. Select the files to add.
  3. Select Upload.

Next steps:

Run a new prescan. See Rescan applications after initial scan.

Start the scan

After requesting a scan and uploading your application, you can start the scan.

To complete this task:

  1. Go to the Review Modules page.
  2. Select Start Scan.

You can review the estimated completion time on the static scan overview page.

Rescan applications after initial scan

After completing a scan, if you want to change which modules to include in your scan, you can quickly review and amend the module selection, and then rescan without having to re-upload the modules.

Before you begin:

  • No more than 45 days can have passed since the initial scan.
  • The module selection for the rescan must differ from the module selection of the initial scan.

To complete this task:

  1. Go to the results of the specific scan that you want to rescan.
  2. In the dropdown action menu, select Rescan.
  3. On the Review Modules page, select or clear the modules you want to add or remove.
  4. Select Start Rescan.

Delete a scan request

You can delete scans while they are in progress.

To complete this task:

  1. Go to the In Progress Scans page and select the static scan you want to delete.
  2. Select Delete Request.
  3. When prompted, confirm that you want to delete the scan.

Monitor scans

You can return to the Veracode Platform at any time to check your scans, review detailed information about the status of a scan, or delete a scan request.

View scan status on the All Applications page

The Scan Status column shows the status of all the scans.

You can use the Status dropdown menu in the Advanced Filters window to filter applications by these status values:

Pending Approval of New Vendor

Awaiting the third-party vendor's approval of this application, which enables Veracode to build an application profile and scan the binaries.

Pending Vendor's Acceptance

Awaiting the third-party vendor of this application to accept the requested application profile and scan request.

Before Submission

The application is ready for the submission of the scan request.

Analysis in Progress

The scan is in progress.

Vendor Reviewing Results

The third-party vendor of this application is reviewing the scan results.

Results Ready

The scan results are published for viewing. A user with the appropriate role can view the results.

View scan status on the application overview page

You can view detailed information about the security policy assigned to the application and the scan status.

The application overview page displays information about the security policy and status for in-progress static scans for the selected application. It also displays a progress bar and the estimated completion date. After a scan has completed, you can select an action to perform other tasks, such as View Report or Triage Flaws.

View scan status on the In Progress Scans page

You can select the In Progress view to obtain the status of all applications being scanned.

To complete this task:

  1. To see the in-progress scans for the application, in the left navigation, select In Progress.
  2. To go to the detail page, select a scan name.

About the scan status messages

You can review the Veracode Static Analysis messages to determine the status of scans.

Scan status values appear in the following locations.

  • In the Recent Applications list on the Applications page
  • In the In Progress section of the left navigation menu
  • On the individual application overview page

If an application has no status, then you have not requested a scan.

Module Selection Required

The prescan completed. The Select Modules page shows the modules. After you make the appropriate entry-point selections, submit the scan for analysis. For future scan requests, you can enable Auto-Scan to skip this step.

If the Select Modules page shows an error message or no modules exist, an error occurred during prescan. Try one of these actions:

  • Select Retry Verification on the Select Modules page.
  • Adjust the submission to include only components supported for analysis and that meet the packaging requirements.
  • Contact Veracode Technical Support for further assistance.

Request Incomplete

Your request is missing required information. You must complete one or more steps in the scan request process before you can submit the request. These steps might involve uploading files, selecting modules, or obtaining vendor acceptance of a third-party scan request.

  1. Go to the Application Overview to review and edit your static analysis request.
  2. Run your scan again.

Results Ready or Complete

The scan completed successfully and the results are now available. On the Applications page, select View in the Results column, or select Results in the left navigation menu.

Scan in Progress

You can monitor the scan progress in the Application Overview or wait for an email notification after the scan completes.

Validating Upload

Veracode is currently validating the scan submission and preparing it for analysis. Wait until you receive an email notifying you that the prescan results are available. To check the prescan progress, go to the In Progress section of the left navigation menu and select the scan name.

Vendor Confirmation

The vendor must confirm the scan request before Veracode can start scanning.

Vendor Reviewing

The vendor is performing a requested scan and reviewing results.

Viewing detailed scan activity

You can view the activity log to see details of the activities that occurred during the scan. This information includes the event type, username, and timestamp.

You can view the activity log for an application from the application page or the Scans page. You can view the activity log for a sandbox on the sandbox page. The activity log displays the scan activity for 90 days. To view older activity, download the activity report.

A delay can sometimes occur between when you perform an action and when it appears in the activity log. If your action is not visible in the log, do not repeat the UI action or API call. Wait a few minutes, then refresh the browser.
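The activity log is the audit trail for who requested, started and deleted scans and when policy evaluations changed. The script below is an added example, not Veracode's code: it parses a constructed activity log whose line format (timestamp, event type, username separated by `|`) is an assumption, splits entries into the 90-day window the page says the log displays versus older entries that would only be in the downloaded activity report, and summarizes scan-affecting actions per user.

```python
"""Parse a scan activity log and apply the 90-day display window.
Added example with constructed data; the line format is assumed."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample log: "timestamp | event type | username" per line.
SAMPLE_LOG = """\
2024-01-10T09:15:00Z | Scan Request Created | alice@example.com
2024-01-10T09:20:31Z | Files Uploaded | alice@example.com
2024-01-10T09:41:02Z | Prescan Complete | system
2024-01-10T09:42:10Z | Scan Started | alice@example.com

2024-01-11T03:05:44Z | Scan Complete | system
2024-01-11T03:05:45Z | Policy Evaluation: Did Not Pass | system
2024-04-20T16:30:00Z | Scan Request Deleted | bob@example.com
"""

# Events that change the state of a scan request; worth tracking per user.
SCAN_ACTIONS = ("Scan Request Created", "Scan Started", "Scan Request Deleted")

Entry = Dict[str, object]


def parse_activity_log(text: str) -> List[Entry]:
    """Turn log lines into entries with a timezone-aware UTC timestamp.
    Blank lines are skipped; any other malformed line raises ValueError."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"unexpected activity log line: {line!r}")
        ts, event, user = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append({"timestamp": when, "event": event, "user": user})
    return entries


def split_by_retention(entries: List[Entry], now: datetime,
                       days: int = 90) -> Tuple[List[Entry], List[Entry]]:
    """(visible, archived): entries inside the display window vs. older ones
    that you would need the downloaded activity report to see."""
    cutoff = now - timedelta(days=days)
    visible = [e for e in entries if e["timestamp"] >= cutoff]
    archived = [e for e in entries if e["timestamp"] < cutoff]
    return visible, archived


def scan_actions_by_user(entries: List[Entry]) -> Dict[str, int]:
    """Count scan-affecting actions per username (audit summary)."""
    return dict(Counter(e["user"] for e in entries if e["event"] in SCAN_ACTIONS))


def policy_events(entries: List[Entry]) -> List[str]:
    """Policy pass/fail events, which the page says the log also records."""
    return [e["event"] for e in entries if e["event"].startswith("Policy Evaluation")]


if __name__ == "__main__":
    log = parse_activity_log(SAMPLE_LOG)
    today = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed "now"
    visible, archived = split_by_retention(log, today)
    print(f"{len(visible)} entries in the 90-day window, {len(archived)} older")
    print("scan actions per user:", scan_actions_by_user(log))
    print("policy events:", policy_events(log))
```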

Review the static scan details

The static scan overview page provides at-a-glance information for the latest static scan.

To open the static scan overview page, in the Veracode Platform, go to Scans & Analysis > Static Analysis. Then, select an application from the All Applications page to view the following information and options.

Scan name

Select Edit at any time to change the name of the scan.

Scan status and progress

These fields provide you with all the status information you need from submission to completion:

  • Scan Status
  • Progress Meter
  • Submitted Date
  • Current Status

The Scan Status field identifies which stage the scan is in or if the scan request is incomplete. The Current Status field provides the estimated date of completion.

Common actions

Action buttons, such as Edit or Delete for the scan request, appear on this page when your user roles allow you to perform those actions on this scan. In addition, you can edit the lifecycle stage of the application by selecting the pencil icon if this metadata has changed since you configured the scan.

Activity log

This log shows all actions performed in the request and submission process for this current static scan. It also shows when an application passes or fails policy.

Delete a completed policy scan

You can use the Veracode Platform to delete a Static Analysis policy scan that completes successfully.

For scans that are in progress or failed, see Delete a scan request.

Before you begin:

You must have the Delete Scans, Creator, or Security Lead role to be able to delete a scan.

Note: Deleting a policy scan is permanent. You cannot restore a deleted scan.

To complete this task:

  1. From the Veracode Platform, select Scans & Analysis > Static Analysis.
  2. Select the application name in the Applications list.
  3. To see the completed scans for the application, in the left navigation, select Completed.
  4. To go to the detail page, select a scan name.
  5. Select the menu icon and select Delete Scan.
  6. When prompted, confirm that you want to delete the scan.

Review scan results

The scan results list the findings (flaws) found in your application code and provide detailed information about each finding with remediation guidance for resolving it.

Partial scan results are available during scanning. To review the complete results, wait for the scan to complete.

Before you begin:

You must have successfully scanned an application, using either the Veracode Platform or an integration that accesses the Veracode Platform, and the scan results must be available in the Veracode Platform.

To complete this task:

  1. Select Scans & Analysis > Static Analysis.
  2. In the Applications list, locate an application with results ready.
  3. To see the latest results on the application overview page, in the Results column, select Results. The Results page provides details about the scan results, such as the security policy evaluation and a summary of all findings.
  4. If the scan is in progress, select the View Partial Results link to review a portion of your results while the remainder of your application is scanned.
  5. To view the sources for flaws, from the left menu, select Flaw sources.
  6. To review results with your team and get more insight into each finding, select Triage Flaws to open the Triage Flaws page. Then, select Static under the application name, if it is not already selected. The table at the bottom of the Triage Flaws page shows the flaw ID, severity, exploitability, CWE, location, source, number of data paths, status, and mitigation status. You can select the triangle next to a flaw ID to view details about the flaw, including remediation guidance, flaw descriptions, links to software security resources, and links to recommended Veracode eLearning courses and tutorials. The CWE ID & Name column maps the discovered flaw to the Common Weakness Enumeration (CWE) standard. If this flaw is stopping the application from passing policy compliance, the red shield icon indicates that a fix is required to meet the policy requirements.

Flaw sources

This report identifies main sources of untrusted data in an application and locates all the flaws that share a flaw source.

Identifying multiple flaws that you can fix with a single code change significantly reduces the time developers spend finding and fixing or mitigating vulnerabilities in software code. If a source is secured by design, developers can mitigate all the flaws stemming from that safe source with a single mitigation action.

To access the flaw sources report in the Veracode Platform after a static scan has completed, in the left navigation pane of the application page, select Results > Flaw Sources.

The flaw sources reports provide this information:

  • The function that contains the flaw
  • The location in the source file of that function
  • The severities of the downstream flaws
  • The CWE with which each flaw is associated
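The flaw sources report and the Triage Flaws table above are two views of the same findings: one row per flaw, and one row per source of untrusted data with the flaws that flow from it. The script below is an added example (not Veracode's code, and it does not read Veracode's export format) that performs that grouping over a constructed set of findings: it rolls the per-flaw rows (flaw ID, severity, CWE, location, policy impact) up by source function, so that the source whose fix or mitigation clears the most policy-affecting flaws comes first. Function names and the `Finding` fields are assumptions chosen to mirror the columns the page lists.

```python
"""Group static findings by the source of untrusted data, as the flaw sources
report does. Added example; all findings below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Severity names as used in the Triage Flaws table, ranked for sorting.
SEVERITY_RANK = {"Very High": 5, "High": 4, "Medium": 3, "Low": 2,
                 "Very Low": 1, "Informational": 0}


@dataclass(frozen=True)
class Finding:
    flaw_id: int
    cwe: int                 # CWE ID the flaw maps to
    severity: str
    location: str            # file:line where the flaw is reported
    source_function: str     # function where untrusted data enters
    source_location: str     # file:line of that function
    affects_policy: bool     # red shield: blocks policy compliance


# Constructed sample findings for a fictional Java web application.
FINDINGS: List[Finding] = [
    Finding(101, 89, "Very High", "OrderDao.java:77", "OrderController.getOrder",
            "OrderController.java:41", True),
    Finding(102, 79, "Medium", "OrderView.java:120", "OrderController.getOrder",
            "OrderController.java:41", False),
    Finding(103, 89, "Very High", "ReportDao.java:55", "OrderController.getOrder",
            "OrderController.java:41", True),
    Finding(104, 78, "High", "Exporter.java:210", "ExportController.export",
            "ExportController.java:33", True),
    Finding(105, 117, "Low", "AuditLogger.java:88", "ExportController.export",
            "ExportController.java:33", False),
    Finding(106, 601, "Medium", "LoginServlet.java:64", "LoginServlet.doPost",
            "LoginServlet.java:30", False),
]


@dataclass
class SourceSummary:
    """One row of the flaw sources report: a source and its downstream flaws."""
    source_function: str
    source_location: str
    flaw_ids: List[int] = field(default_factory=list)
    cwes: Set[int] = field(default_factory=set)
    highest_severity: str = "Informational"
    policy_affecting: int = 0

    @property
    def flaw_count(self) -> int:
        return len(self.flaw_ids)


def group_by_source(findings: List[Finding]) -> Dict[str, SourceSummary]:
    """Roll per-flaw rows up into one summary per source function."""
    summaries: Dict[str, SourceSummary] = {}
    for f in findings:
        s = summaries.setdefault(
            f.source_function, SourceSummary(f.source_function, f.source_location))
        s.flaw_ids.append(f.flaw_id)
        s.cwes.add(f.cwe)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[s.highest_severity]:
            s.highest_severity = f.severity
        if f.affects_policy:
            s.policy_affecting += 1
    return summaries


def rank_sources(findings: List[Finding]) -> List[SourceSummary]:
    """Sources ordered by policy impact, then flaw count, then severity, so the
    single fix with the biggest payoff is listed first."""
    return sorted(group_by_source(findings).values(),
                  key=lambda s: (s.policy_affecting, s.flaw_count,
                                 SEVERITY_RANK[s.highest_severity]),
                  reverse=True)


if __name__ == "__main__":
    for s in rank_sources(FINDINGS):
        print(f"{s.source_function} ({s.source_location}): {s.flaw_count} flaws, "
              f"{s.policy_affecting} policy-affecting, max {s.highest_severity}, "
              f"CWEs {sorted(s.cwes)}, flaw IDs {s.flaw_ids}")
```

In the constructed data, securing the single entry point `OrderController.getOrder` (for example by validating or parameterizing what it receives) accounts for three downstream flaws, two of which block policy, which is exactly the prioritization the report is meant to make visible.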

View partial scan results

The Veracode Platform publishes static scan results incrementally, by top-level module, so that you can begin reviewing your results while the remainder of your application is scanned.

Top-level modules are the binaries identified during prescan verification that have entry points for external data. If the flaws are found in code shared across top-level modules, Veracode recommends that you wait for the entire application to scan to view results in the context of the entire application.

To complete this task:

  1. From the Applications page in the Veracode Platform, select the View Partial Results link, when available. The Triage Flaws page opens, where you can review any available results.

    Veracode also sends email stating that partial results are available when the first module with results is published. You must have one of these roles to receive this email: Internal Reviewer, External Reviewer, Executive, Security Lead, Archer Reports, or Results API.

  2. To view which modules have finished scanning:

    a. At the top of the Triage Flaws page, select the % of modules scanned link. A popup opens, where you can view the number of modules that have already scanned and the number of modules in the queue for the current scan.
    b. To view information about a specific module, search by module name, then select Go.

  3. To view a set of results published at a certain time:

    a. From the Search drop-down, select Publish Time.
    b. For Publish Times, select the range of time you want to view.
    c. Select Go.