Troubleshooting Build and Release Management System Integrations


This section helps you remedy common problems and make better use of Veracode build and release management system integrations.

Each entry below gives the build and release management system, the issue, and the solution.
Veracode Jenkins Plugin
Issue: I receive one of these messages:
  • An app_id could not be located for application profile
  • Access denied
Solution:
  • Check the Veracode user role for the logged-in account to verify that you have a role with permissions to create an application profile, such as Upload API for API service accounts or Creator for user accounts.
  • Confirm that the Veracode application profile for the specified application name is visible to the specific teams who have access to this application and its scan results.
Veracode Jenkins Plugin
Issue: This message appears in the console output: The policy status 'Did Not Pass' is not passing. Unable to continue.
Solution: This message indicates that you selected the Wait for scan to complete checkbox in your job configuration and the scan failed to pass your policy. If you want builds for scans that fail policy to complete, you must deselect that checkbox.
Veracode Jenkins Plugin
Issue: The test connection action fails. There is no success message.
Solution:
  • Verify that your Jenkins server has internet connectivity.
  • Check connectivity outside of the Jenkins plugin environment: download and run the Veracode Java API wrapper on the same machine that Jenkins runs on.
  • Verify the proxy settings to see if a proxy is required.
  • If a proxy is not required, you can test for an external internet connection with a cURL command, for example, by calling getapplist.do.
  • Veracode APIs and integrations require access to analysiscenter.veracode.com and api.veracode.com. Contact your IT team to ensure these domains are on the allowlist for your organization and that there is one-way communication on port 443 to api.veracode.com. Refer to the complete list of domains and IP addresses to add to your allowlist.
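The connectivity checks above can be scripted so that a failure points at the layer that broke (DNS, firewall, proxy, or TLS inspection). This is an added example, not Veracode tooling; the function names are illustrative, and the optional proxy URL passed to `probe_all` is whatever your organization uses.

```shell
#!/usr/bin/env bash
# Added example, not Veracode tooling. Run it on the Jenkins host as the
# account Jenkins runs under, so routes and proxy settings match the plugin's.

HOSTS="analysiscenter.veracode.com api.veracode.com"  # domains named above

# Translate a curl exit code into the network layer that failed.
explain_curl_exit() {
  case "$1" in
    0)  echo "reachable" ;;
    5)  echo "proxy-dns: proxy host name does not resolve" ;;
    6)  echo "dns: target host name does not resolve" ;;
    7)  echo "tcp: connection refused or blocked (port 443 or the proxy)" ;;
    28) echo "timeout: traffic is probably dropped by a firewall" ;;
    35) echo "tls: handshake failed, check for TLS interception" ;;
    60) echo "tls: certificate not trusted, proxy CA may be missing" ;;
    *)  echo "other: curl exit code $1" ;;
  esac
}

# Probe one host over HTTPS; $2 is an optional proxy URL.
# Any HTTP response, even 401 or 404, proves the path to port 443 works.
probe_host() {
  local host="$1" proxy="${2:-}" rc=0
  if [ -n "$proxy" ]; then
    curl -sS -o /dev/null --connect-timeout 10 --max-time 30 \
      --proxy "$proxy" "https://$host/" || rc=$?
  else
    curl -sS -o /dev/null --connect-timeout 10 --max-time 30 \
      "https://$host/" || rc=$?
  fi
  echo "$host: $(explain_curl_exit "$rc")"
  return "$rc"
}

# Probe every required host; return non-zero if any of them is unreachable.
probe_all() {
  local failed=0 h
  for h in $HOSTS; do
    probe_host "$h" "${1:-}" || failed=1
  done
  return "$failed"
}
```

Call `probe_all` with no argument for a direct connection, or with the proxy URL as its only argument.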
Veracode Jenkins Plugin
Issue: This message appears in the console output: Unknown vid and vid key.
Solution: See step 23.
Veracode Jenkins Plugin or Java API wrapper
Issue: This message appears: Requested array size exceeds VM limit.
Solution: This error indicates you are attempting to upload an archive that is too large for the current limit (in GB). Check the content and size of the files or archives you are uploading to verify you are using the correct files.
Veracode Jenkins Plugin or Java API wrapper
Issue: This message appears:

  [16.01.11 14:28:39] java/net/HttpURLConnection.setFixedLengthStreamingMode(J)V
  Build step Upload and Scan with Veracode marked build as failure
  Finished: FAILURE

Solution: This message indicates that the Java version you are using is earlier than Java 7. The Veracode Jenkins Plugin and the Veracode Java API wrapper require Java 7 or later.
Veracode Azure DevOps Extension
Issue: The Veracode Release Summary report is not displaying in the TFS on-premise extension.
Solution: If you rename the build step task Upload and Scan, the extension cannot find and execute the task, and no Veracode Summary Report is created.
Veracode Azure DevOps Extension
Issue: I am receiving upload errors for my Azure DevOps builds.
Solution: To resolve the upload errors, you have these options:

  • Before uploading to Veracode, add the folder containing the files you want to scan to a ZIP archive. The ZIP archive suppresses errors due to unsupported file types.
  • After prescan, resolve any fatal errors:
    1. Review the prescan results to identify the modules that have fatal errors.
    2. Resolve the errors.
    Optionally, if you do not want to resolve the errors, you can: If you have not added or deleted any modules since the last analysis that contained the fatal errors, the next automated analysis uses the same selected modules.
  • Ensure your binaries are in the default location, or modify the default location system variable $(build.artifactstagingdirectory) if you require your files to be in a different location. For example, if your files have a different pathname and are in a bin folder, you can modify your system variable to look like this: $(build.sourcesdirectory)/<pathname>/bin.

Microsoft provides pipeline build steps for creating a folder with only the files that Veracode requires for scanning. See the Copy Files task and Delete Files task in the pipeline documentation on the Azure documentation website.

Veracode Azure DevOps Extension
Issue: I selected the Veracode Scan Summary tab in Azure DevOps to view scan results and see the message Veracode is taking longer than expected to load.
Solution: Clear your browser cache, then select the Veracode Scan Summary tab again.
Pipeline Scan
Issue: I received an error code message.
Solution: Try these resolutions for each error code:
  • 401: Unauthenticated. The API credentials may be expired. If they are not expired, verify that the API credential ID and key you use in the pipeline match the generated credentials. They cannot contain extra spaces.
  • 403: Unauthorized. Check that the user accounts have Security Lead, Creator, and Submitter roles. Check that API user account credentials have Upload and Scan API or Upload API - Submit Only roles.
  • 429: Throttled. The API credentials were submitted for more than six scans in the last minute. Try again after a short delay.
  • -50x: Server side problems. This can be a problem with AWS or with Veracode services. Check the Veracode service status dashboards for details. For example, if the Identity Service is not working, then Pipeline Scan also does not work.
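Two of these errors can be caught in the pipeline before a scan is submitted: stray whitespace in a credential (401) and exceeding six scans per minute (429). The following is an added example, not Veracode tooling; the function names and the timestamp file are assumptions, and it assumes all submissions for one credential go through a single runner that shares that file.

```shell
#!/usr/bin/env bash
# Added example, not Veracode tooling: client-side guards for 401 and 429.
LIMIT=6      # scans allowed per window, from the 429 description above
WINDOW=60    # window length in seconds

# 401 guard: succeed only if the value is non-empty and free of whitespace,
# including a trailing newline picked up from a secrets file.
cred_is_clean() {
  [ -n "$1" ] && [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$1" ]
}

# 429 guard: print how many seconds to wait before the next submission.
# $1 = current epoch seconds, $2 = file with one submission time per line.
throttle_wait() {
  local now="$1" log="$2" cutoff recent oldest
  cutoff=$((now - WINDOW))
  [ -f "$log" ] || { echo 0; return 0; }
  # Keep only submissions still inside the window, oldest first.
  recent=$(awk -v c="$cutoff" '$1 > c' "$log" | sort -n)
  if [ "$(printf '%s\n' "$recent" | grep -c .)" -lt "$LIMIT" ]; then
    echo 0
  else
    # Wait until the oldest of the last LIMIT submissions leaves the window.
    oldest=$(printf '%s\n' "$recent" | tail -n "$LIMIT" | head -n 1)
    echo $((oldest + WINDOW - now))
  fi
}

# Record a submission made at epoch second $1 in log file $2.
throttle_record() {
  echo "$1" >> "$2"
}
```

In a job, sleep for `throttle_wait "$(date +%s)" "$file"` seconds, call `throttle_record`, then start the scan.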
Pipeline Scan
Issue: I need to open a support case with Veracode Technical Support.
Solution: Provide this information to Veracode Technical Support:
  • Pipeline Scan version
  • Java version
  • Platform application name and the URL of the application
  • Build logs
  • Debug logs
Veracode Software Composition Analysis
Issue: I need to open a support case with Veracode Technical Support.
Solution: Provide this information to Veracode Technical Support:
  • The package manager and version you are using.
  • The agent CLI, CI, and plugins you use for scanning, and their versions.
  • The environment variables, flags, and directives you use for scanning.
  • Your debug logs, which you can get with any of these commands:
    • In your terminal: srcclr scan --debug
    • In a CI: curl -sSL https://download.sourceclear.com/ci.sh | DEBUG=1 bash
    • In a CI: export DEBUG=1; curl -sSL https://download.sourceclear.com/ci.sh | bash
  • The project you are scanning with the correct directory structure.
  • The command you use to start the scan, and answers to these questions:
    • Was your scan only a SRCCLR scan, or did you use other environment variables?
    • Did you use a CI script to perform the scan?