
Static Analysis quickstart

This quickstart steps you through a Veracode Static Analysis of a demo application using the Veracode Platform. The Veracode Platform is a web console for managing your entire application security program. Scanning a Veracode demo application helps you understand the core concepts of Static Analysis and shows how quickly you can get results.

To run your first Static Analysis, complete the following tasks:

  • Obtain a Veracode account with the required permissions.
  • Download a demo application for your first Static Analysis scan.
  • Sign in to the Veracode Platform.
  • Use the Veracode Platform to create an application profile, submit your first scan, and review the results.

Obtain a Veracode account

  • To access the Veracode Platform, you must have a Veracode human user account.
  • To configure scans, submit scans, and review scan results, your account must have the Creator, Submitter, and Reviewer roles.

Check with the Veracode Administrator for your organization to confirm that you have an account with the required roles and team membership. If you are a Veracode Administrator, your account likely has the required roles. If it does not, you can add roles to your account in the Veracode Platform.

Download a demo application

To complete this quickstart, download the pre-packaged demo application verademo.war and save it to your desktop. This demo application is compiled Java code in a WAR file that meets Veracode compilation and packaging requirements. It includes flaws that you can review in the scan results.
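verademo.war already satisfies these requirements, but for your own Java applications a quick local check before uploading saves a failed prescan round trip. The following Python script is an added example, not Veracode's tooling: it treats the WAR as the zip archive it is, confirms a WEB-INF/ layout that contains compiled code, and checks that the class files carry the attributes that javac writes only when compiled with debug information (javac -g), which Veracode's Java packaging guidance requires. The class-file test is a constant-pool substring heuristic, and the sample WAR the script builds for demonstration is constructed in memory, not verademo.war; prescan remains the authority on whether an upload is acceptable.

```python
"""Local pre-upload check for a Java WAR, mirroring what Veracode prescan looks
for: a servlet layout (WEB-INF/), compiled code, and classes built with debug
information (javac -g). Heuristic only; prescan remains the authority."""
import io
import sys
import zipfile
from dataclasses import dataclass, field

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


@dataclass
class WarReport:
    classes: int = 0
    jars: int = 0
    no_debug: list = field(default_factory=list)   # classes lacking -g attributes
    problems: list = field(default_factory=list)   # conditions likely to fail prescan

    @property
    def ok(self) -> bool:
        return not self.problems


def has_debug_info(class_bytes: bytes) -> bool:
    """javac stores attribute names as CONSTANT_Utf8 constant-pool entries, so a
    substring search distinguishes a full '-g' build (LocalVariableTable present)
    from the default '-g:source,lines' build or a '-g:none' build."""
    return b"LineNumberTable" in class_bytes and b"LocalVariableTable" in class_bytes


def check_war(war_bytes: bytes) -> WarReport:
    rep = WarReport()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        if not any(n.startswith("WEB-INF/") for n in names):
            rep.problems.append("no WEB-INF/ directory: not a servlet WAR")
        for name in names:
            if name.startswith("WEB-INF/classes/") and name.endswith(".class"):
                rep.classes += 1
                blob = war.read(name)
                if not blob.startswith(CLASS_MAGIC):
                    rep.problems.append(f"{name}: not a Java class file")
                elif not has_debug_info(blob):
                    rep.no_debug.append(name)
            elif name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                # Third-party jars are counted but not opened: their classes are
                # not expected to carry debug information.
                rep.jars += 1
    if rep.classes == 0 and rep.jars == 0:
        rep.problems.append("no compiled code under WEB-INF/classes or WEB-INF/lib")
    # A class with no method bodies can legitimately lack LocalVariableTable even
    # under -g, so only treat a WAR where every class lacks it as a hard problem.
    if rep.classes and len(rep.no_debug) == rep.classes:
        rep.problems.append("no class carries debug info; rebuild with 'javac -g'")
    return rep


def check_war_file(path: str) -> WarReport:
    with open(path, "rb") as f:
        return check_war(f.read())


def build_sample_war(debug: bool) -> bytes:
    """Constructed sample, not verademo.war: a minimal WAR whose single class is
    either a '-g' build (debug attributes present) or a '-g:none' build. The class
    bytes are a stand-in (magic + version + fake constant-pool strings)."""
    attrs = b"\x00\x04Code"
    if debug:
        attrs += b"\x00\x0fLineNumberTable\x00\x12LocalVariableTable"
    fake_class = CLASS_MAGIC + b"\x00\x00\x00\x34" + attrs
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as w:
        w.writestr("WEB-INF/web.xml", "<web-app/>")
        w.writestr("WEB-INF/classes/com/example/Hello.class", fake_class)
        w.writestr("WEB-INF/lib/dependency.jar", jar.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        rep = check_war_file(sys.argv[1])          # e.g. python check_war.py verademo.war
    else:
        rep = check_war(build_sample_war(debug=False))   # constructed failing sample
    print(f"classes={rep.classes} jars={rep.jars} ok={rep.ok}")
    for p in rep.problems:
        print("problem:", p)
    for n in rep.no_debug:
        print("no debug info:", n)
```

Run it with a path to check a real WAR; with no argument it checks the constructed sample that was built without debug information and reports the rebuild-with-javac -g problem. The debug check is deliberately aggregate: a single class without LocalVariableTable is listed as a warning, and only a WAR in which no class carries the attribute is reported as a problem.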

Sign in to the Veracode Platform

Sign in to the Veracode Platform domain for your region using one of the following methods. Each region has a unique URL. This quickstart uses the Commercial Region domain: https://analysiscenter.veracode.com/. Your account might be in a different domain, such as the European Region: https://analysiscenter.veracode.eu/.

  • If you have a new Veracode account, you received a welcome email that provides a link for activating your account in the Veracode Platform. If you did not receive the welcome email, contact your Veracode Administrator.
  • If you have an active Veracode account, you can sign in to the Veracode Platform using the domain for your region. If your organization uses a Single-Sign-On (SSO) portal such as Okta, you can also access the Veracode Platform with SSO.

Create your first application profile

Application profiles define the importance of the application to your organization, the security policy to apply during Static Analysis, who can view the results, and metadata you can use with Veracode integrations.

note

For this quickstart, you create a new application profile. When you use this application profile to run a scan, it consumes a Veracode license. Also, the scan results from verademo.war can affect the results of future scans. To restore the consumed license and to completely remove both verademo.war and the scan results from your account, contact Veracode Technical Support.

note

These are example values for this quickstart to ensure a successful scan. Veracode does not recommend using these values in production application profiles.

To complete this task:

  1. On the Platform Home page, select My Portfolio > Applications.

  2. On the All Applications page, select Add New Application.

  3. On the Add New Application page, enter values for the following required fields.

    • Application Name: enter a unique name for this application profile. For example, Verademo-{your-initials}.
    • Business Criticality: select Very Low. Business criticality specifies the importance of securing the application and the negative impact to your organization if an attacker compromises this application.
    • Policy: after you set Business Criticality to Very Low, this setting defaults to Veracode Recommended Very Low. A security policy determines whether the flaws that Veracode finds in your application meet specific security standards. In the scan results, flaws that do not comply with the selected policy are highlighted, and your application cannot pass policy until you fix all of them. For this quickstart, because the lowest policy setting is selected, you do not see highlighted flaws in the scan results for verademo.war.
    • Access: select Edit. Under Available Teams, select your team. You must be a member of the selected team to access this new application profile. If you do not see any teams, contact your Veracode Administrator. Select Add to add the team to Selected Teams, then select Save.
  4. Select Submit to create the application profile.

Submit your first scan request

You can now use the Veracode Platform to scan the application and run a Static Analysis using the selected security policy.

To complete this task:

  1. On the All Applications page, select the name of your new application profile.

  2. On the Application page, select Start a Scan > Start a Static Scan.

  3. Enter a unique name for the scan or accept the default, which is the current date followed by Static.

  4. Under Auto-Scan, set Auto-Scan after Prescan to Off.

    For Static Analysis, a prescan evaluates your uploaded application to ensure you compiled and packaged it correctly before scanning. It also identifies the top-level modules, or components, in your application, together with any third-party dependencies or supporting files that these modules call. Top-level modules are the components your organization created. If this option is set to On and your application passes prescan, Veracode automatically selects the top-level modules and starts the scan. With this option set to Off, scanning does not start automatically after prescan, and you can manually select the modules to include in or exclude from the scan.

    If your account is on the European Region or US Federal Region domain, on the Package Application step of the wizard, select Continue to skip the packaging step, as verademo.war is already packaged.

  5. Select Save and Continue.

  6. On the Upload Files page, select Select Files.

  7. Locate and select verademo.war. Then, select Open to upload the file.

  8. After the upload is complete, select Next.

  9. For this quickstart, on the Reviewing Modules page, wait for the prescan to complete. The spinning wheel under Validate Upload indicates when prescan is actively running. After prescan is complete, the spinning wheel stops and you receive an email stating that you can now start the policy scan.

  10. Review the Prescan Status column for any packaging errors for your application. Because verademo.war meets the Veracode compilation and packaging requirements, you should not see any prescan status errors.

  11. On the Select Modules to Scan page, select the Advanced Mode tab.

  12. On the Modules tab, select the Entry Point? checkbox to select all top-level modules in verademo.war. The top-level modules in your application are the entry points that Veracode uses to determine which components, including third-party dependencies, to scan.

  13. Select Start Scan. If your account is on the European Region or US Federal Region domain, on the Review and Submit step of the wizard, select Submit Scan.

  14. Wait for the scan to complete, as indicated by the Scan in Progress bar. You receive three emails: after you submit the scan, when partial scan results are available, and when the scan is complete. You can review the partial results while you wait for the complete scan results. If the Scan in Progress bar appears stuck, refresh your browser to see if it updates.

Review example scan results

After running a Static Analysis of the application, review the complete results to identify flaws. Access the results directly in the Veracode Platform or from a link in one of the scan results emails.

This task assumes you are on the Application page for the profile you created for verademo.war. If you are not, select My Portfolio > Applications, then select the profile name you chose, for example Verademo-{your-initials}.

To complete this task:

  1. In the left pane, select Triage Flaws to see a table of discovered flaws.

  2. Optionally, to hide the Source Code View window, in the top-right corner, set Show to None. Next to this option, you can also select Max to hide the navigation bar.

  3. In the ID column, select the right arrow next to a flaw ID to access detailed information and remediation guidance for that flaw.

Next steps