Veracode SCA Glossary of Terms

Veracode Software Composition Analysis

This section provides some of the basic concepts and terminology associated with Veracode Software Composition Analysis.

Agent
For agent-based scanning, an agent is a command-line tool that interfaces with the artifacts or repositories to be scanned and with the Veracode service. Agents associate the results of their scans with a project within a particular workspace. You can configure agents at the organization or workspace level.
Application Profile
Application profiles serve as an organizing container for scan results from different scan types. Veracode automatically adds Veracode SCA upload scan results to an application profile. To add agent-based scan results to an application profile, you must link an SCA project to an application profile.
Project
For agent-based scanning, projects typically correspond directly to a repository in a source control system. When executing a scan with the Veracode SCA agent, the agent automatically creates the project based on the repository being scanned. The project itself is associated with a workspace based on the agent used when performing the scan.
Veracode Vulnerability Database
The Veracode Vulnerability Database contains all of the public CVEs and vulnerability content that is exclusively available through Veracode. You can use the Veracode Vulnerability Database as a tool to determine if a library is safe prior to adding it to your code. It also provides important details about a library, such as the license in use and insight into specific vulnerabilities.
Workspace
Workspaces serve as the organizing container for your agent-based scanning projects. Some common groupings include creating workspaces by product, by scrum team, or by geographic region.