Scan open source
Veracode Software Composition Analysis (SCA) helps you build an inventory of your third-party components to identify malicious libraries and vulnerabilities in your open-source libraries and commercial code. SCA scans compile a list of libraries in an application, then identify known vulnerabilities and malicious packages in each library. SCA determines the list of libraries, vulnerabilities, and malicious packages at the time of the scan. However, you can receive notifications about newly announced vulnerabilities and malicious packages that impact your applications without requiring a new scan.
With Veracode SCA integrated with your development tools and workflows, and by using our one-on-one remediation advice, your development teams can develop secure applications and assess the security of web, mobile, desktop, and back-end applications.
Open source scanning methods
Veracode SCA supports two methods of scanning that you can run at different points in the development lifecycle: agent-based scans and scans of uploaded applications. The scan results highlight vulnerabilities and malicious libraries included in your code, and help you take necessary actions to eliminate threats from your applications.
SCA Agent-based Scan
Use SCA Agent-based Scan to scan open source components in local or remote repositories using the Veracode Platform. You can scan repositories or locally cloned projects from a command line, integrate SCA Agent-based Scan into your continuous integration (CI) pipelines and source code management (SCM) repositories, and import findings into ticketing systems.
You can extract information about your SCA workspaces using the SCA REST API.
To set up an SCA agent and run a scan using the SCA CLI, see the quickstart.
See the supported languages.
Scan early and frequently in development pipelines
Agent-based scans execute from a command line, and you can incorporate them in any continuous integration pipeline to prevent developers from introducing new vulnerabilities. Depending on the CI tool, they can execute in parallel with other security testing methods for faster throughput.
Prioritize and fix findings
Some functionality for prioritizing and fixing findings is only available through agent-based scans. These features include vulnerable method detection, automated pull requests for upgrading libraries, and dependency graphs with transitive libraries and vulnerabilities.
Docker container scanning
You can use SCA Agent-based Scan to scan Docker containers or images. We recommend scanning your repositories before including them in a Docker image so that fixes to the underlying code are prioritized first.
SCA Upload and Scan
Use SCA Upload and Scan to upload a packaged artifact of your application code to the Veracode Platform for SCA scanning. If you have previously used Upload and Scan to perform a Static Analysis of an application, the SCA results for that application are available immediately after you activate your SCA license.
See the supported languages.
Get an overview of your open-source risk
You can upload and scan the artifact of your application, and review the scan results from both the Static Analysis and SCA scans, in the Veracode Platform user interface or by using the Veracode XML APIs. After you upload the artifact, the Veracode Platform scans your open-source components during prescan verification, and the scan results are available after prescan completes.
Assess compliance prior to release
Run policy scans to assess the scan results against security policies and use development sandboxes to scan during testing, outside production environments.
As you prepare to release an application, performing an SCA Upload and Scan allows you to use the robust mitigation, policy evaluation, analytics, and reporting features available in the Veracode Platform.
Open source risk detection
To detect risks in open source components, Veracode SCA uses the following resources.
- Vulnerabilities: the Veracode Vulnerability Database and the National Vulnerability Database
- Exploits: the EPSS, the CISA KEV, and the Exploit Database
- Libraries and licenses:
Vulnerability risk levels
To determine the risk level of the vulnerabilities in your libraries, Veracode SCA uses the Common Vulnerability Scoring System (CVSS) v3.0 rating assigned to the Common Vulnerabilities and Exposures (CVE) ID for a given vulnerability.
| Vulnerability risk level | CVSS score range | Description |
|---|---|---|
| Critical | 9.0-10.0 | A very serious weakness that is an easy target for an attacker to exploit. Fix this vulnerability immediately to avoid potential attacks. |
| High | 7.0-8.9 | A serious weakness that is an easy target for an attacker to exploit. Fix this vulnerability immediately to avoid potential attacks. |
| Medium | 4.0-6.9 | A moderate weakness that might be an easy target for an attacker to exploit. Fix this vulnerability after fixing all Critical and High vulnerabilities. |
| Low | 0.1-3.9 | A low weakness that an attacker might exploit. Consider fixing this vulnerability after fixing all Critical, High, and Medium vulnerabilities. |
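The table above fixes the remediation order by risk level, and the resources listed under "Open source risk detection" (EPSS and the CISA KEV) supply exploit intelligence that can break ties within a level. The following script is an added example, not Veracode's code or the SCA API's output format: it triages a constructed list of findings (placeholder CVE IDs, invented library names, an assumed field layout with `cvss`, `epss`, `kev`, `vulnerable_method_called` and `malicious` keys) into the order this page prescribes and then applies a simple release gate of the kind a policy scan enforces. The gate's rules (block on malicious packages, KEV entries, and Critical/High findings) are an assumption chosen for illustration, not a Veracode default policy.

```python
"""Triage constructed SCA findings by CVSS risk level, exploit intelligence, and a release gate.

Added example; the finding schema and the policy rules are assumptions, not the Veracode API.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample findings. CVE IDs are placeholders, library names are invented.
SAMPLE_FINDINGS: List[Dict] = [
    {"library": "example-json-parser", "version": "1.2.0", "cve": "CVE-XXXX-0001",
     "cvss": 9.8, "epss": 0.92, "kev": True, "vulnerable_method_called": True},
    {"library": "example-logging", "version": "2.14.0", "cve": "CVE-XXXX-0002",
     "cvss": 7.5, "epss": 0.05, "kev": False, "vulnerable_method_called": False},
    {"library": "example-xml-utils", "version": "0.9.1", "cve": "CVE-XXXX-0003",
     "cvss": 5.3, "epss": 0.40, "kev": False, "vulnerable_method_called": True},
    {"library": "example-template", "version": "3.0.2", "cve": "CVE-XXXX-0004",
     "cvss": 2.1, "epss": 0.01, "kev": False, "vulnerable_method_called": False},
    # A malicious package has no CVE or CVSS score; SCA reports it as a separate class of risk.
    {"library": "example-malicious-pkg", "version": "1.0.0", "cve": None,
     "cvss": None, "epss": None, "kev": False, "malicious": True},
]

# Lower rank sorts first. "Unknown" covers findings with no CVSS score.
RISK_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4, "Unknown": 4}


def risk_level(cvss: Optional[float]) -> str:
    """Map a CVSS v3.0 base score to the risk levels in the table above."""
    if cvss is None:
        return "Unknown"
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss >= 0.1:
        return "Low"
    return "None"


def finding_id(finding: Dict) -> str:
    """Stable identifier: the CVE ID, or library@version for malicious packages."""
    return finding["cve"] or f"malicious:{finding['library']}@{finding['version']}"


def priority_key(finding: Dict) -> Tuple[int, int, int, float]:
    """Sort key: malicious packages first, then risk level, KEV listing,
    whether the vulnerable method is actually called, and EPSS (descending)."""
    if finding.get("malicious"):
        return (-1, 0, 0, 0.0)  # no safe version exists; remove it before anything else
    level = risk_level(finding.get("cvss"))
    return (
        RISK_RANK[level],
        0 if finding.get("kev") else 1,
        0 if finding.get("vulnerable_method_called") else 1,
        -(finding.get("epss") or 0.0),
    )


def prioritize(findings: List[Dict]) -> List[Dict]:
    """Return findings in the order they should be fixed."""
    return sorted(findings, key=priority_key)


def evaluate_policy(findings: List[Dict],
                    block_levels: Tuple[str, ...] = ("Critical", "High")
                    ) -> Tuple[bool, List[Tuple[str, List[str]]]]:
    """Assumed release gate: fail on malicious packages, CISA KEV entries, or blocked risk levels.
    Returns (passed, violations) with violations in fix-priority order."""
    violations = []
    for finding in prioritize(findings):
        reasons = []
        if finding.get("malicious"):
            reasons.append("malicious package")
        if finding.get("kev"):
            reasons.append("listed in CISA KEV")
        level = risk_level(finding.get("cvss"))
        if level in block_levels:
            reasons.append(f"{level} risk (CVSS {finding['cvss']})")
        if reasons:
            violations.append((finding_id(finding), reasons))
    return (not violations, violations)


if __name__ == "__main__":
    for finding in prioritize(SAMPLE_FINDINGS):
        print(f"{finding_id(finding):40} {risk_level(finding.get('cvss'))}")
    passed, violations = evaluate_policy(SAMPLE_FINDINGS)
    print("policy:", "PASS" if passed else "FAIL")
    for fid, reasons in violations:
        print(f"  {fid}: {', '.join(reasons)}")
```

Running the script lists the malicious package first, then the four CVEs in Critical, High, Medium, Low order, and reports a failed gate with three violations. Dropping the High level from `block_levels` is the kind of policy adjustment a sandbox scan lets you try before it affects the application's compliance status.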
Supported languages
Veracode Software Composition Analysis (SCA) features are available for several programming languages, each of which has specific requirements for performing scans.
See the detailed list of supported tools and languages for SCA Agent-based Scan or SCA Upload and Scan.
SCA user roles
This table lists the roles you must have in the Veracode Platform to complete specific actions in Veracode Software Composition Analysis.
| Action | Mitigation Approver | Security Lead | Executive | Creator | Reviewer | Submitter | Workspace Administrator | Workspace Editor |
|---|---|---|---|---|---|---|---|---|
| View the SCA Portfolio Page | X | X | X | X | X | X | X | |
| Create and Delete Applications | X | X | ||||||
| Edit Applications | X | X | ||||||
| Add Teams to Applications | X | X | ||||||
| View All Applications | X | X | ||||||
| View Specific Applications | X | X | X | X | ||||
| Request SCA (Static) Scans | X | X | ||||||
| Propose Mitigations | X | X | ||||||
| Approve Mitigations | X | |||||||
| View the Workspace Portfolio Page | X | X | X | X | X | X | ||
| Create Workspaces | X | X | ||||||
| Delete Workspaces | X | X | X | |||||
| Edit Workspaces | X | X | X | |||||
| Add Teams to Workspaces | X | X | X | |||||
| View All Workspaces | X | X | ||||||
| View Specific Workspaces | X | X | X | X | X | |||
| Manage Projects | X | X | X | |||||
| Link Projects to Applications | X | X | X | |||||
| Manage Agent-Based Scan Rules | X | X | X | |||||
| Manage Integrations | X | |||||||
| Manage Agents | X | X | X | X | ||||
| Ignore and Unignore Issues | X | | | | | | | |
REST APIs
You can use the Veracode REST APIs to perform various tasks for SCA Agent-based Scan or SCA Upload and Scan.
For Veracode SCA Agent-based Scan, you can:
- Create workspaces, create agents, review findings, and more with the SCA REST API.
- Review findings with the Findings REST API.
For SCA Upload and Scan, you can:
- Review findings with the Findings REST API.
- Generate a software bill of materials (SBOM) with the SCA REST API.
Veracode SCA legal disclaimer
Veracode, Inc. (“Veracode”) does not provide legal advice. Please be aware that your use of the Veracode solution does not serve as a substitute for your compliance with any applicable laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, or executive order (collectively, “Laws”)) or any contractual obligations with any third parties. You are responsible for consulting an independent legal counsel regarding any such Laws or contractual obligations. Use of the Veracode solution does not serve as a substitute for your own assessment of business risks associated with the software licenses identified by Veracode.