Scan for Eclipse

Veracode Scan for Eclipse is a plugin for the Eclipse IDE that integrates Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Veracode Fix into your Software Development Lifecycle (SDLC).

From within your IDE:

• To detect flaws in your code, run Static Analysis scans.
• To detect vulnerabilities in open-source libraries and the risk level of open-source licenses, run SCA agent-based scans.
• To remediate flaws by applying suggested fixes, use Veracode Fix.
• To resolve findings manually, use the provided remediation guidance.

When you scan your project, the plugin automatically:

• Packages your project code into an artifact, such as ZIP or JAR.
• Uploads the artifact to Veracode for analysis.
• Downloads the results and displays them in your IDE.

Scan results are only available in your IDE. You cannot access the results in the Veracode Platform.

Supported versions

Veracode has tested the following versions of Eclipse, but the plugin might work with other versions.

• 2024-06
• 2024-03
• 2023-12

Supported languages and frameworks

Veracode has tested specific versions of the following languages and frameworks, but the plugin might work with other versions.

• For Static Analysis scans, see Pipeline Scan supported languages.
• For SCA scans, see Agent-based scan language support matrix.
• For Fix, see the supported languages.
• For auto-packaging, see supported languages.

About application packaging

Before Veracode can run a Static Analysis on your project, the code must be packaged into a supported artifact, such as ZIP or JAR. When you start a scan, the plugin uses an auto-packager to automatically package your project. Then, the plugin uploads the artifact to Veracode for scanning.

If the auto-packager is not able to package your application, or you prefer to create the artifact yourself, you can use the Veracode packaging guidance to package your application manually. The default location for manually packaged artifacts is <project root>/.verascan. At the root of your project, create the .verascan folder and add your artifact to this folder. When you start a scan, the plugin first looks for an artifact in the default location. To store your artifact in a different location, where the plugin looks next, configure the Artifact Glob setting.

Important

A packaged artifact must not exceed the total file size limit of 200 MB.

Prerequisites

Before you can install and use Veracode Scan for Eclipse, you must have:

• A supported version of Eclipse and a source project of a supported language or framework. Monorepos are not supported.

• Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as SRCCLR_NO_GIT=1.

• Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization. The plugin uses these addresses to authenticate with Veracode, upload your code for scanning, and download the results. To update your allowlist, you might need to contact your IT team.

• To generate suggested code fixes and apply them to flaws, you must have a Veracode Fix license, a supported code language, and your account must have the Submitter user role.

• To use auto-packaging, you must have:

  • All required build tools, such as compilers and supported package managers, for the language of your project, installed on your local system.
  • All required build tools available on the default command line prompt, which typically uses PATH. If you open a different project that uses different tools, or different versions of the same tools, before you can scan, you must ensure these tools are available on the default command prompt.

• To see the prerequisites for a scan type, select from the following:

  SAST

  To run Static Analysis scans and view flaws, you must have:

  • An active Static Analysis license.
  • One of the following Veracode accounts:
    • A human user account with the Security Lead, Creator, or Submitter user role.
    • An API service account with the Upload and Scan API or Upload API - Submit Only API role.
  • Ensured your application builds successfully. If your project files change between scans, rebuild your project and ensure it builds successfully.
  • Enabled one-way communication on port 443.

  SCA

  To run SCA scans and view vulnerabilities, you must have:

  • An active Veracode SCA license.
  • To be notified when SCA licenses are unavailable, ensure you have a current SSL certificate chain and make the path to the certificate known to the installed SCA agent. If an SCA license is unavailable, the SCA agent uses the certificate to show an error message in your IDE.
  • A human user account with the Security Lead, Workspace Administrator, Workspace Editor, or Submitter role. API service accounts are not supported.
  • The SCA workspace My Workspace with an available project slot. The plugin can only use My Workspace.
  • Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as SRCCLR_NO_GIT=1.
  • Installed a supported package manager.
  • If your open-source libraries are stored in an internal repository that rejects traffic from your proxy, contact Veracode Technical Support.

Create an API credentials file

Before you can use the plugin, you must generate API credentials in the Veracode Platform and store them in a local credentials file. The plugin uses the API credentials to authenticate with Veracode.

Install the plugin

Install the plugin from the Eclipse Marketplace website or from Veracode.

note

You can only install the plugin on one machine. If you install the plugin on multiple machines, it might fail to authenticate with Veracode.

Install from the Eclipse Marketplace

Before you begin:

Ensure you meet the prerequisites.

To complete this task:

1. Go to the Eclipse Marketplace website.
2. Search for veracode.
3. Locate and install Veracode Scan.
4. Accept the terms of the license agreement, then select Finish.
5. If you are prompted to trust any artifacts, select Select All, then select Trust Selected.
6. Restart Eclipse and complete the setup.

Install from Veracode

If you are not able to access the Eclipse Marketplace website, you can download and install the plugin from Veracode from within Eclipse.

Before you begin:

Ensure you meet the prerequisites.

To complete this task:

1. In Eclipse, select Help > Install New Software.
2. For Work with, enter https://downloads.veracode.com/veracodescan/eclipse-plugin.
3. Select Add.
4. In the Add Repository window, enter a name for the repository. Then, select Add.
5. Select Veracode Scan for Eclipse, then select Next.
6. Accept the terms of the license agreement, then select Finish.
7. If you are prompted to trust any artifacts, select Select All, then select Trust Selected.
8. Restart Eclipse and complete the setup.

Complete post-installation setup

After you install the plugin, you need to access the Veracode perspective, ensure the plugin can authenticate with Veracode, and install a local agent.

Before you begin:

• Ensure you meet the prerequisites.
• You must have an API credentials file.

To complete this task:

1. To open the Veracode perspective, select Window > Perspective > Open Perspective > Other....

2. In the Open Perspective window, select Veracode, then select Open.

3. Select the Veracode Scan view.

   

4. Select Scan Project . The first time you start a scan, the Getting Started window opens. The plugin automatically detects your API credentials file and attempts to authenticate with Veracode.

5. Under Authenticate with Veracode, review the Status.

   • If authentication is successful, the Status shows Authenticated. Continue to Step 6.

   • If authentication failed, the Status shows Not Authenticated. Complete one or both of the following, then select Test Authentication.

     a. Ensure your API credentials file is configured correctly and the file is in the required location.

     b. Ensure your API credentials are valid. If your credentials are invalid or expired, generate new credentials and replace the invalid credentials in your credentials file with your new credentials.

     c. If you need to authenticate through a proxy server, add your proxy credentials.

6. To install a local agent, under Install Local Agent, select Install Agent. The plugin uses this agent to communicate with Veracode. This agent is specific to the plugin and does not affect any other local Veracode agents.

7. Select Close. The Getting Started window will not open on subsequent scans. The setup is complete.

Configure the plugin

Optionally, turn on recursive scanning, configure a custom location for packaged artifacts, or add your proxy credentials to authenticate with Veracode through a proxy server.

To complete this task:

1. In the Veracode perspective, select the Veracode Scan view.

2. To open Veracode Scan Settings, from the dropdown menu , select Settings.

3. Configure the following options:

   • Recursive Scan: to have each scan run recursively on all folders in your project, select Enable SCA recursive scan. This option is selected by default.
   • Artifact Glob: enter a glob pattern that defines the path and filename for a packaged artifact that you created manually or placed in a custom location. The path must be relative to your project root directory.
   • HTTP Proxy URL: to authenticate with Veracode through a proxy, enter the URL for your proxy server, then add your proxy credentials. Alternatively, you can add the URL as an environment variable or in the Eclipse Preferences. This setting overrides the URL defined in an environment variable or Eclipse.
   • SRCCLR_SSL_CERT_FILE: enter the path to your SSL certificate file. To obtain this path, contact your IT team. This option is required if you set the HTTP Proxy URL option.

Add proxy credentials

If your organization requires you to authenticate with Veracode through a proxy server, add your proxy credentials to the plugin. The plugin only supports Basic authentication.

To complete this task:

1. In the Veracode perspective, select the Veracode Scan view.

2. To open Veracode Scan Settings, from the dropdown menu , select Settings.

3. For HTTP Proxy URL, enter the URL for your proxy server. If you do not know the proxy server URL or your proxy username and password, contact your IT administrator.

   Alternatively, add the proxy server URL to an environment variable or Eclipse Preferences. The HTTP Proxy URL option in the plugin overrides the URL in an environment variable or Eclipse.

   Environment variable

   Windows

   Create the following environment variable:

   • For Variable name, enter https_proxy or veracode_https_proxy.
   • For Variable value, enter the URL for your proxy server.

   macOS or Linux

   At a command prompt, run:

   export HTTPS_PROXY=<URL of your HTTPS proxy server>

   Eclipse Preferences

   1. In Eclipse, select Window > Preferences > Network Connections. The Preferences dialog opens.
   2. For Active Provider, select Manual.
   3. In the Proxy entries table, select HTTP or HTTPS. Then, select *Edit.
   4. In the Edit Proxy Entry dialog, enter your proxy server information.
   5. Select OK and then select Apply and Close.

4. In the Veracode Scan Details window, enter your proxy username and password. The Veracode Scan Details window only opens if you have a proxy username and password.

5. For SRCCLR_SSL_CERT_FILE, enter the path to your SSL certificate file. For example, a PEM file. To obtain this path, contact your IT team.

6. Select Add Credentials. The plugin authenticates with Veracode.

Scan your project

To analyze the security risk of your code, scan your project. Because each scan uses the data paths in your project files to detect flaws in lines of code, it does not scan your code as you type. To detect flaws in new or changed lines of code, you must rescan your project.

A Veracode account is limited to six scans per 60 seconds and each scan is limited to a maximum scan time of 60 minutes.

Before you begin:

Ensure you meet the prerequisites.

To complete this task:

1. Open a supported project. You can only scan one project at a time.
2. In the Veracode perspective, select the Veracode Scan view.
3. Select Scan Project . If you have more than one project open, the Select Project window opens.
4. Select a project, then select OK.
5. Wait for the scans to complete, which can take several minutes or longer. When the scans are complete, the results appear in the following views: Scan Overview and Flaws In My Code.

Review the scan overview

After you scan your project, in the Veracode perspective, in the Veracode Scan view, the Scan Overview provides the following information about the scan and the results:

• The completion time and duration of the scans.
• The total number of flaws from the Static Analysis scan. To view the flaws categorized by severity, expand Flaws.
• The total number of vulnerabilities from the SCA scan. To view the vulnerabilities categorized by severity, expand Vulnerabilities.

Working with flaws

To review, fix, or ignore discovered flaws, use the Flaws In My Code pane.

Review flaws

Learn about the discovered flaws, their severity, and get remediation guidance that can help you fix them.

Before you begin:

Ensure you have scanned your project.

To complete this task:

1. In the Veracode perspective, select the Veracode Scan view.
2. Under Flaws In My Code, review the list of flaws. Each flaw shows the Common Weakness Enumeration (CWE) ID and name, sorted by severity. The flaws with the highest severity are at the top of the list. If there are suggested fixes from Veracode Fix, a green banner shows the total number of available fixes and all flaws to which you can apply fixes show a blue dot .
3. Optionally, to only show flaws with specific severities or flaws with available fixes, select the filter to filter the flaws. Then, select one or more severities or Has fix.
4. To view a flaw within a source file, select a flaw. The source file opens in a tab and the line of code where the flaw exists is underlined in red. An icon to the left of the line of code shows the flaw severity. If the line of code contains multiple flaws, the icon shows the highest severity of all flaws.
5. To view a detailed description of a flaw and the remediation actions you can take to fix it, under Flaws In My Code, expand a flaw, then select View Flaw Details . The Veracode Scan Details view opens.
6. Alternatively, to open the Veracode Scan Details view from a flaw in a source code file, hover over a line of code with a red underline. Then, select Fix this flaw on a CWE.
7. To review ignored flaws, under Flaws In My Code, scroll down to the bottom of the view and expand Ignored Findings.

Filter flaws

To control which flaws are listed in the Flaws In My Code pane, you can filter them by severity or by available fixes from Veracode Fix.

Before you begin:

Ensure you have scanned your project.

1. In the Veracode perspective, select the Veracode Scan view.

2. Under Flaws In My Code, select the filter .

3. From the dropdown menu, select from the following filters:

   • Severity filters: hide or show flaws based on their severity.
   • Fix filter: to only show flaws with suggested fixes that you can apply or flaws that have fixes applied , select Has fix.

   The list of flaws updates automatically and the selected filters show a checkmark . To indicate that the flaws are filtered, the filter icon shows a yellow plus sign .

4. To remove filters, select one or more filters that show a checkmark.

Fix flaws

To fix discovered flaws, you can apply suggested fixes from Veracode Fix or follow the remediation guidance available in your IDE. If the scan results do not include the path to a flaw, Veracode Fix does not provide suggested fixes for that flaw.

Before you begin:

Ensure you have scanned your project.

To complete this task:

1. In the Veracode perspective, select the Veracode Scan view.

2. Under Flaws In My Code, expand a flaw you want to fix.

3. Optionally, to hide or show flaws based on their severity, filter the flaws.

4. To open the Veracode Scan Details view, select View Flaw Details .

5. To open the source file that contains the flaw, select the flaw. In the source file, the line of code where the flaw exists is underlined in red. A line of code can contain multiple flaws.

6. In the Veracode Scan Details view, select from the following tabs. You only see the Veracode Fix tab if Fix supports the CWE ID for the selected flaw.

   • Veracode Fix: to apply the top suggested fix for this flaw, select Apply Fix. The bar to the left shows a red line for the code that contains the flaw, and a green line for the suggested code fix that will replace the code that contains the flaw. To apply other suggested fixes, select Fix Option, select a fix, then select Apply Fix. After you apply a suggested fix, a notification message opens with details about the applied fix. In the Flaws In My Code pane, the severity and fix icons change to gray . If you fix a flaw manually, the severity icon does not change to gray.
   • Remediation Guidance: to fix this flaw manually, follow the remediation guidance. To see the path that the scanner followed to locate this flaw: under Data Paths, expand a path. Then, select the Step link for the source file and code line number you want to view.

7. Alternatively, to open the Veracode Scan Details view from a flaw in the source file, hover over a line of code with a red underline. Then, in the window that opens, select one of the following links:

   • If there are suggested code fixes for the selected flaw, select Fix this flaw and apply a fix on the Veracode Fix tab.
   • If you are not using Veracode Fix, or there are no suggested fixes for the selected flaw, select More details and follow the instructions on the Remediation Guidance tab.

8. To confirm that a flaw is fixed, rescan your project and check that the flaw is no longer listed under Flaws In My Code.

Ignore flaws

To temporarily remove flaws from the scan results, you can ignore them. For example, you might want to ignore flaws that continually appear or are of low importance, such as Informational.

Before you begin:

Ensure you have scanned your project.

To complete this task:

1. In the Veracode perspective, select the Veracode Scan view.
2. Under Flaws In My Code, select a flaw. The source file that contains the flaw opens in a tab and the line of code where the flaw exists is underlined in red.
3. Hover over a line of code with a red underline. A window opens with details about the CWEs for the flaws in the line of code.
4. To ignore the flaw, select Ignore this finding for its CWE. If the line of code contains multiple flaws, you see a link with the CWE for each flaw. The flaw moves to the Ignored Flaws section at the bottom of Flaws In My Code and is no longer visible in the source file.
5. To unignore a flaw, under Flaws In My Code, expand Ignored Flaws. Then, expand a flaw and select Unignore Flaw. The flaw moves out of the Ignored Flaws section and is visible in the source file.

Working with vulnerabilities

To review and fix the discovered vulnerabilities, see the list under Vulnerabilities In My Libraries.

Review and fix vulnerabilities

Under Vulnerabilities In My Libraries, review the list of all open-source libraries with one or more vulnerabilities.

Before you begin:

Ensure you have scanned your project.

To complete this task:

1. In the Veracode perspective, select the Veracode Scan view. Under Vulnerabilities in My Libraries, you see a list of all detected libraries with vulnerabilities. The libraries with the most and highest-risk vulnerabilities are at the top of the list.
2. Optionally, to only list libraries with vulnerabilities of specific severities, select the filter to filter the vulnerabilities.
3. To see the vulnerabilities for a library, expand a library.
4. To see additional information about the library you expanded, select View Library Details. The Veracode Scan Details window provides useful information about the library, such as its total vulnerability count with severities, the latest version available, the known safe version, and its usage.
5. To see additional information about a vulnerability and the remediation guidance you can use to fix it, select it. The Veracode Scan Details window shows the CVSS score, all libraries in your project with this vulnerability, a link to view it in the Veracode Vulnerability Database, and the recommended fix.
6. To fix the vulnerability, under The Fix, follow the remediation steps. For example, if a library in an NPM project has a vulnerability, you might need to upgrade, or downgrade, the library in the package.json file to a safe version.
7. To confirm that a vulnerability is fixed, rescan your project and check that the affected library, or the specific vulnerability you fixed, is no longer listed under Vulnerabilities In My Libraries.

Filter vulnerabilities

To control which vulnerabilities are listed under Vulnerabilities In My Libraries, you can filter them by severity.

Before you begin:

Ensure you have scanned your project.

To complete this task:

1. Under Vulnerabilities In My Libraries, select Filters .

2. From the dropdown menu, select one or more filters:

   • Severity: hide or show vulnerabilities based on their risk level.
   • Usage: hide or show vulnerabilities based on their usage.

   To indicate that the vulnerabilities are filtered, the filter icon shows a yellow plus sign .

Review open-source licenses

You can review a list of all open-source licenses, the libraries that use these licenses, and the license risk level. Your organization uses this information when deciding whether it needs to change a license to a safe version.

Before you begin:

Ensure you have scanned your project.

To complete this task:

1. In the Veracode perspective, select the Veracode Scan view.
2. To see the names, versions, and risk level of each license, scroll through the list of licenses under Library Licenses. The licenses with the highest risk level are at the top of the list.
3. To see the libraries that use a license, expand a license.

Clear all results

Remove all findings from all views and the plugin.

Before you begin:

Ensure you have scanned your project.

To complete this task:

Caution

You cannot undo this action or recover the cleared findings. To see results, rescan your project.

1. In the Veracode perspective, select the Veracode Scan view.
2. From the dropdown menu , select Clear All Results.

Troubleshooting

To generate a log file for a scan and the auto-packager, turn on debugging. You can use these logs to troubleshoot issues.

note

When turned on, the debug option does not persist. You must turn it on before each scan.

To complete this task:

1. In the Veracode perspective, select the Veracode Scan view.
2. From the dropdown menu , select Enable Debug. The Enable Debug menu item shows a checkmark .

The log files are stored on your local machine in .veracode/ide_agent/eclipse/. To remove these files, you must delete them manually.

To turn off debugging, select Enable Debug to remove the checkmark.

Get help or provide feedback

If you need help or want to report an issue, from the dropdown menu , select Help. Then, select a link to visit the Veracode Community or report an issue.

For additional help, contact Veracode Technical Support.