
Scan code in the Veracode Platform

Use Veracode Upload and Scan to perform Static Analysis scans of your application source code and review the results. You can configure the scans to run against security policies, and create policy scans that ensure your applications comply with your organization's security requirements.

To quickly run your first Static Analysis in the Veracode Platform using a demo application, see the Static Analysis quickstart.

By default, the scans also run a Software Composition Analysis (SCA) to test the security of your open source libraries. To access the SCA scan results, you must have an SCA license and your Veracode account must have the required user roles.

If you want to scan during testing, outside your production environment, you can scan in a development sandbox.

You can also perform Static Analysis scans with the Veracode APIs or use the Veracode integrations to add static scanning to your IDEs, build systems, SCM tools, and ticketing systems. The Pipeline Scan provides another method of adding Static Analysis to your development pipelines.

Prerequisites

Before you begin, ensure you meet the requirements for Upload and Scan.

Scanning workflow

This page covers two workflows in the Veracode Platform: requesting a Static Analysis scan, and reviewing the scan results.

Request a Static Analysis scan

You can request a static scan from the Applications page in the Veracode Platform.

To complete this task:

  1. In the Veracode Platform, from the My Portfolio dropdown, select Applications.
  2. Select the application name in the Applications list.
  3. Select Start a Static Scan from the Start a Scan dropdown. The Static Scan Configuration page opens for you to provide scan information.
  4. You can change the name of the scan and configure optional metadata about the scan on the Static Scan Configuration page. Additionally, you can configure the Auto-Scan setting.

By default, the Auto-Scan option is on. When the setting is on, Veracode automatically moves directly to the full scan after the prescan completes successfully, using the recommended modules selection. This action allows the Veracode Platform to accelerate your scan process.

To turn Auto-Scan off so that you can select modules manually and start scans yourself, change the Auto-Scan after Prescan option on the Static Scan Configuration page, or while the prescan is running.

Upload a packaged application

When uploading applications to the Veracode Platform for scanning, follow the packaging requirements.

Before you begin:

Ensure your uploaded files meet the limit requirements.

If you have any problems uploading files, contact Veracode Technical Support.

Include any non-standard or third-party libraries needed to resolve references. Do not upload cross-platform files or applets, which we do not scan. We recommend that you create a separate application profile for each version of the application on the Veracode Platform and scan each profile separately.

To complete this task:

  1. On the Upload Files page, select Select Files.
  2. Browse to the directory containing the compiled files or binaries, including their dependencies.
  3. Select Upload.
  4. Repeat this process until you have selected all the required files. To upload a collection of files, upload a ZIP, TAR, or TAR.GZ archive. You can also drag and drop one or more files to the Upload Files page.
  5. After uploading your files, select Next at the bottom of the page. We automatically perform a prescan verification of your application. If you selected Auto-Scan, the scan starts immediately after prescan verification. Otherwise, you can select the modules to submit for scanning.

You can review the estimated completion time for your application on the prescan results page.

On the prescan results page before submission, the estimated completion time dynamically updates as modules are selected.

Export prescan results

You can save the list of prescan findings as a text file to share prescan information.

To complete this task:

  1. Select the Export Module List link at the bottom of the page.
  2. Use the Save As menu item in the browser to save the file to your local system.
  3. To return to the list of modules, select the Back button in the browser.

Detect permissions for mobile apps

You can submit your application for Mobile Behavioral Analysis in the Veracode Platform. The results provide details about the permissions granted to the application. You use this information to decide if the permissions are appropriate for your application.

To complete this task:

  1. Package your application according to the packaging guidance.
  2. Sign in to the Veracode Platform.
  3. Select Start a Scan > Static Analysis.
  4. Upload your application.
  5. After the prescan is complete, select the Advanced Mode tab.
  6. For Apple Platform applications, you do not have to modify your module selection to include Mobile Behavioral Analysis.
  7. To download the findings in XML or CSV format, select Download.

Select modules to scan

You can scan modules that Veracode selects by default or change the selection using the Advanced Mode.

After prescan verification is complete, the Review Modules page displays information about the scannable modules within the application. Veracode performs a default module selection based on the structure of the application identified during prescan verification. If you have scanned this application previously, Veracode remembers the modules you selected in previous scans and automatically applies that selection to subsequent scan configurations for this application.

To complete this task:

  1. From the File Selection dropdown menu, select Previous Selection to use the file selection used in the previous scan, or select Veracode Default if you want to use the Veracode recommended module selection.

  2. In most cases, Veracode recommends using the default module selection. However, if you want to change your selection, select the Advanced Mode tab, which shows a list of all the modules uploaded and their statuses.

    Each module has one of these status values:

    • Validated: Veracode checked the module and the module is ready to be scanned.
    • Non-blocking issue: Veracode checked the module. The module has one or more issues that can impair the quality of results but do not prevent the scan from proceeding. The status column displays a summary of the issue.
    • Blocking error (highlighted in red): Veracode checked the module and identified one or more issues that prevent it from being scanned. The status column displays a summary of the issue.

    You can filter the list of modules to show only the modules in error status, shown in red or yellow.

  3. To view details about blocking errors or non-blocking issues, select the status text. The status messages provide detailed information about the error or issue as well as the guidance for resolving specific error messages.

Review the module selection

If you have scanned an application before, you can view the differences between the files you uploaded last time, and the files you uploaded this time. This view allows you to verify you are reviewing the same files as the previous upload. For the most consistent results, we recommend scanning the same files between scans.

From the Application Overview page, select Review Modules in the left navigation menu. The differences are displayed in a table called File Upload Information.

See View changes between file uploads for more information.

View changes between file uploads

For the most consistent results, Veracode recommends that you scan the same files between scans. If you have scanned an application previously, you can view the differences between the files you uploaded in the most recent scan and the files you uploaded in the prior scan.

From the Advanced Mode > Modules tab, you can view information about the differences in uploads. In the File Upload Information table, you can view module changes from the current and previous upload.

The color indicators on the left of the modules specify the type of change that occurred in the module since the last time you uploaded your application.

  • Yellow: there was a modification in the module.
  • Blue: indicates that there is a new module.
  • Gray: indicates that no change occurred in the module.
Note: You can also view module upload changes between two subsequent sandbox scans. However, if you promote the sandbox to a policy scan, you cannot view the changes between the sandbox and policy scan.

Re-upload modules in error status

You can change uploaded files or upload additional files.

To complete this task:

  1. Select Update/Remove Files.
  2. Select the files to add.
  3. Select Upload.

Next steps:

Run a new prescan. See Rescan applications after initial scan.

Start the scan

After requesting a Veracode Static Analysis scan and uploading your application, you can start the scan.

To complete this task:

  1. Go to the Review Modules page.
  2. Select Start Scan.

You can review the estimated completion time on the static scan overview page.

Rescan applications after initial scan

After completing a scan, if you want to change which modules to include in your scan, you can quickly review and amend the module selection, and then rescan without having to re-upload the modules.

Before you begin:

  • No more than 45 days can pass since the initial scan.
  • The selected modules for the rescan are not the same selected modules from the initial scan.

To complete this task:

  1. Go to the results of the specific scan that you want to rescan.
  2. In the dropdown action menu, select Rescan.
  3. On the Review Modules page, select or clear the modules you want to add or remove.
  4. Select Start Rescan.

Delete a scan request

You can delete scans while they are in progress.

To complete this task:

  1. Go to the In Progress Scans page and select the static scan you want to delete.
  2. Select Delete Request.
  3. When prompted, confirm that you want to delete the scan.

Monitor scans

You can return to the Veracode Platform at any time to check your scans, review detailed information about the status of a scan, or delete a scan request.

View scan status on the All Applications page

The Scan Status column shows the status of all the scans.

You can use the Status dropdown menu in the Advanced Filters window to filter applications by these status values:

Pending Approval of New Vendor

Awaiting the third-party vendor's approval of this application, which enables Veracode to build an application profile and scan the binaries.

Pending Vendor's Acceptance

Awaiting the third-party vendor of this application to accept the requested application profile and scan request.

Before Submission

The application is ready for the submission of the scan request.

Analysis in Progress

The scan is in progress.

Vendor Reviewing Results

The third-party vendor of this application is reviewing the scan results.

Results Ready

The scan results are published for viewing. A user with the appropriate role can view the results.

View scan status on the application overview page

You can view detailed information about the security policy and status of an application that Veracode is currently scanning.

The application overview page displays information about the security policy and status for in-progress static scans for the selected application. It also displays a progress bar and the estimated completion date. After a scan has completed, you can select an action to perform other tasks, such as View Report or Triage Flaws.

View scan status on the In Progress Scans page

You can select the In Progress view to obtain the status of all applications that Veracode is currently scanning.

To complete this task:

  1. To see the in-progress scans for the application, in the left navigation, select In Progress.
  2. To go to the detail page, select a scan name.

About the scan status messages

You can review the Veracode Static Analysis messages to determine the status of scans.

Scan status values appear in the following locations:

  • The Recent Applications list on the Applications page
  • The In Progress section of the left navigation menu
  • The individual application overview page

If an application has no status, then you have not requested a scan.

Module Selection Required

The prescan completed. The Select Modules page shows the modules. After you make the appropriate entry-point selections, submit the scan for analysis. For future scan requests, you can enable Auto-Scan to skip this step.

If the Select Modules page shows an error message or no modules exist, an error occurred during prescan. Try one of these actions:

  • Select Retry Verification on the Select Modules page.
  • Adjust the submission to include only components supported for analysis and that meet the packaging requirements.
  • Contact Veracode Technical Support for further assistance.

Request Incomplete

Your request does not include some information. You must complete one or more steps in the scan request process before you can submit the request. These steps might involve uploading files, selecting modules, or obtaining vendor acceptance of a third-party scan request.

  1. Go to the Application Overview to review and edit your static analysis request.
  2. Run your scan again.

Results Ready or Complete

The scan completed successfully and the results are now available. On the Applications page, select View in the Results column, or select Results in the left navigation menu.

Scan in Progress

You can monitor the scan progress in the Application Overview or wait for an email notification after the scan completes.

Validating Upload

Veracode is currently validating the scan submission and preparing it for analysis. Wait until you receive an email notifying you that the prescan results are available. To check the prescan progress, go to the In Progress section of the left navigation menu and click the scan name.

Vendor Confirmation

The vendor must confirm the scan request before Veracode can start scanning.

Vendor Reviewing

The vendor is performing a requested scan and reviewing results.

Viewing detailed scan activity

You can view the activity log to see details of the activities that occurred during the scan. This information includes the event type, username, and timestamp.

You can view the activity log for an application from the application page or the Scans page. You can view the activity log for a sandbox on the sandbox page. The activity log displays the scan activity for 90 days. To view older activity, download the activity report.

A delay can sometimes occur between when you perform an action and when the activity log refreshes. If your action is not visible in the log, do not repeat the UI action or API call. Wait a few minutes, then refresh the browser.

Download the application activity report

You can download a report from the Veracode Platform that provides detailed activity for an application.

Veracode provides an activity report, which you can download, and an activity log, which appears in the Veracode Platform user interface. The activity report provides the full history of scan events and policy events for the application. The activity log in the user interface displays events from only the past 90 days.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis and select a scan type.
  2. Select an application.
  3. If you want to limit the report to scan activity, select Scans from the left navigation menu.
  4. To display the activity, in the Activity Log section, select the expand arrow.
  5. Select Generate CSV.
  6. After the CSV generates, select Download CSV. The scan activity report downloads to your computer.
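The downloaded activity report is a CSV of events with an event type, a username and a timestamp, which makes it a useful audit trail for who requested, submitted or deleted scans. The following script is an added example, not part of the Veracode documentation or a Veracode tool: it parses a constructed sample report, counts events per user, flags scan deletions for review, and filters to the 90-day window the in-platform activity log shows, so you can see what the report contains that the log no longer does. The column headers, event names and sample rows are assumptions made for this example; map them to the headers in your own export.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of an activity report. Column names and event type
# strings are assumptions for this example, not Veracode's actual schema.
SAMPLE_CSV = """event_type,username,timestamp
Scan Request Created,alice,2024-01-10T09:15:00Z
Files Uploaded,alice,2024-01-10T09:20:00Z
Prescan Completed,system,2024-01-10T09:35:00Z
Scan Submitted,alice,2024-01-10T09:40:00Z
Scan Completed,system,2024-01-10T14:02:00Z
Policy Status: Did Not Pass,system,2024-01-10T14:02:05Z
Scan Deleted,bob,2024-03-22T16:45:00Z
Scan Request Created,bob,2024-04-01T08:00:00Z
"""

# Event types an auditor would want to review individually, because they
# remove evidence (a deleted scan cannot be restored).
PRIVILEGED_EVENTS = {"Scan Deleted"}

# Retention window of the in-platform activity log, as documented above.
LOG_WINDOW_DAYS = 90


def parse_report(text):
    """Parse report CSV text into a list of dicts with a timezone-aware timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["timestamp"] = ts.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def events_per_user(rows):
    """Count how many events each username generated."""
    return Counter(r["username"] for r in rows)


def privileged_events(rows):
    """Return the events that should be reviewed individually."""
    return [r for r in rows if r["event_type"] in PRIVILEGED_EVENTS]


def within_log_window(rows, now, days=LOG_WINDOW_DAYS):
    """Return only the events the UI activity log would still show."""
    cutoff = now - timedelta(days=days)
    return [r for r in rows if r["timestamp"] >= cutoff]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    print("events per user:", dict(events_per_user(rows)))
    for ev in privileged_events(rows):
        print("review:", ev["username"], ev["event_type"], ev["timestamp"].isoformat())
    now = datetime(2024, 4, 15, tzinfo=timezone.utc)
    visible = within_log_window(rows, now)
    print(f"{len(visible)} of {len(rows)} events are still visible in the UI log")
```

Run it against your real export by replacing SAMPLE_CSV with the file contents; the comparison between the full report and the 90-day window is the reason to download the report rather than rely on the log for audits.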

Review the static scan details

The static scan overview page provides at-a-glance information for the latest static scan. To view this page, from the Veracode Platform, go to Scans & Analysis > Static Analysis, then select an application from the All Applications page. The static scan overview page contains this information and functionality:

Scan name

Select Edit at any time to change the name of the scan.

Scan status and progress

These fields provide you with all the status information you need from submission to completion:

  • Scan Status
  • Progress Meter
  • Submitted Date
  • Current Status

The Scan Status field identifies which stage the scan is in or if the scan request is incomplete. The Current Status field provides the estimated date of completion.

Common actions

Action buttons appear on this page if it is possible for you to perform actions on this scan, such as editing or deleting the scan request, depending on the user roles you have. In addition, you can edit the lifecycle stage of the application by selecting the pencil icon if that metadata has changed since you configured the scan.

Activity log

This log shows all actions performed in the request and submission process for this current static scan. It also shows when an application passes or fails policy.

Delete a completed policy scan

You can use the Veracode Platform to delete a Static Analysis policy scan that completes successfully.

For scans that are in progress or failed, see Delete a scan request.

Before you begin:

You must have the Delete Scans, Creator, or Security Lead role to be able to delete a scan.

Note: Deleting a policy scan is permanent. You cannot restore a deleted scan.

To complete this task:

  1. From the Veracode Platform, select Scans & Analysis > Static Analysis.
  2. Select the application name in the Applications list.
  3. To see the completed scans for the application, in the left navigation, select Completed.
  4. To go to the detail page, select a scan name.
  5. Select the menu icon and select Delete Scan.
  6. When prompted, confirm that you want to delete the scan.

Review scan results

The Triage Flaws task allows you to review static flaws (findings) in the context of your local copy of the source code for the application.

To access static results, from the Application Overview page of the application, select Triage Flaws under the application name. Then, select Static under the application name, if it is not already selected.

To begin reviewing a portion of your results while the remainder of your application is scanned, select the View Partial Results link from the Application Overview page. See Viewing accelerated results for static scans for more information.

The table at the bottom of the Triage Flaws page shows the flaw ID, severity, exploitability, CWE, location, source, number of data paths, status, and mitigation status. You can select the triangle next to a flaw ID to view details about the flaw, including remediation guidance, flaw descriptions, links to software security resources, and links to recommended Veracode eLearning courses and tutorials.

The CWE ID & Name column maps the discovered flaw to the Common Weakness Enumeration (CWE) standard. If this flaw is stopping the application from passing policy compliance, the red shield icon indicates that a fix is required to meet the policy requirements.

Select a specific finding to load your local copy of the source code into the Source Code view at the top of the page.
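When the Triage Flaws table holds hundreds of findings, it helps to decide the review order before opening each one: findings that block policy come first, then severity, then how likely exploitation is, then how many data paths must be fixed. The script below is an added example, not part of the Veracode documentation or a Veracode tool. It works on a constructed export whose columns mirror the fields the page lists for the table (flaw ID, severity, exploitability, CWE, location, source, number of data paths, status, mitigation status, plus a policy-affecting flag for the red shield). The header names, the 0 to 5 severity scale, the exploitability labels and the sample rows are assumptions for this example; adjust them to match your own export.

```python
import csv
import io

# Constructed sample export of the Triage Flaws table. Header names, the
# exploitability labels and every row are assumptions for this example.
SAMPLE_FINDINGS = """flaw_id,severity,exploitability,cwe,location,source,data_paths,status,mitigation_status,policy_affecting
101,5,Likely,89,app/db.py:42,query(),3,New,None,yes
102,3,Unlikely,79,web/views.py:118,render(),1,Open,Proposed,no
103,4,Likely,22,io/files.py:77,read_file(),2,New,None,yes
104,1,Very Unlikely,209,util/log.py:9,log(),1,Reopened,Accepted,no
105,4,Neutral,78,tools/run.py:31,exec_cmd(),5,New,None,yes
"""

# Assumed ordering of exploitability labels, most likely first.
EXPLOITABILITY_RANK = {
    "Very Likely": 2, "Likely": 1, "Neutral": 0, "Unlikely": -1, "Very Unlikely": -2,
}


def load_findings(text):
    """Parse the export and convert numeric columns so they sort correctly."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        row["flaw_id"] = int(row["flaw_id"])
        row["severity"] = int(row["severity"])
        row["cwe"] = int(row["cwe"])
        row["data_paths"] = int(row["data_paths"])
        row["policy_affecting"] = row["policy_affecting"].strip().lower() == "yes"
        findings.append(row)
    return findings


def triage_key(f):
    """Sort key: policy blockers first, then severity, exploitability, data paths."""
    return (
        f["policy_affecting"],
        f["severity"],
        EXPLOITABILITY_RANK.get(f["exploitability"], 0),
        f["data_paths"],
    )


def triage_order(findings):
    """Return flaw IDs in the order a reviewer should open them."""
    return [f["flaw_id"] for f in sorted(findings, key=triage_key, reverse=True)]


def policy_blockers(findings):
    """Findings that stop the application from passing policy and carry no accepted mitigation."""
    return [
        f for f in findings
        if f["policy_affecting"] and f["mitigation_status"] != "Accepted"
    ]


def data_paths_to_fix(findings):
    """Total number of exploitable data paths among the policy blockers."""
    return sum(f["data_paths"] for f in policy_blockers(findings))


def by_cwe(findings):
    """Group flaw IDs by CWE so one remediation pattern can cover several findings."""
    groups = {}
    for f in findings:
        groups.setdefault(f["cwe"], []).append(f["flaw_id"])
    return groups


if __name__ == "__main__":
    findings = load_findings(SAMPLE_FINDINGS)
    print("review order:", triage_order(findings))
    print("policy blockers:", [f["flaw_id"] for f in policy_blockers(findings)])
    print("data paths to fix:", data_paths_to_fix(findings))
    print("by CWE:", by_cwe(findings))
```

Each data path that reaches the sink must be fixed for the flaw to be remediated, which is why the script totals data paths rather than counting flaws when estimating remediation work.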

View data path information for flaws

You can view all paths through the code that lead to the sink, the exploitable point where a flaw is expressed, from a link on the Triage Flaws page.

To complete this task:

  1. From the application overview, select Triage Flaws.
  2. Select the link in the Data Paths column.
  3. The Data Path tab opens, where you can view each path that leads to the sink.
  4. To view details about a specific data path, select a path from the left panel. Details are displayed for each path, including the steps taken to exploit the flaw, filename or class, function name, and line number or relative location of the flaw by percentage.
  5. Fix each exploitable data path to remediate the flaw.

Use the source code view

The Source Code view allows you to load source code from your local system, or a network-accessible directory, into Triage Flaws so that you can view information about the flaw in the context of your original source.

The Veracode Platform does not have access to the source code for the application, and the source code is not uploaded to the Veracode Platform when you view it in the Source Code view.

Before you begin:

You must use an HTML5-supported browser.

To complete this task:

  1. From the Triage Flaws page, select the Source Code Viewer radio button at the top-right of the page, if it is not already selected.
  2. Select a flaw.
  3. If you have not previously loaded source code for this application, locate the source code on your hard disk when prompted. For reference, the Veracode Platform shows the fully qualified path of the source code that you used to build the application. The Veracode Platform loads the source code and scrolls the file to the line of code containing the flaw. If you selected the wrong source file, you can select Load Different File to change it.
  4. Hover over the annotation in the left-hand column to view a detailed description of the flaw and a remediation recommendation. You can also scroll through the code to view other flaws in the same source file, or use the Go to Line field to jump to a particular line.

View flaws found in non-debug code

The Veracode Platform allows you to view flaws found in code without debug symbols. Since source file and line number information is unavailable for these flaws, Veracode provides other location information.

In the Flaws tab of the Triage Flaws page, the Source column contains the function prototype containing the flaw and the approximate location in the function body, by percentage, where the flaw occurs.

Selecting one of the flaws allows you to open a source file for reference. Veracode prompts you with the name of the class path containing the flaw.