Veracode Upload and Scan

Use Veracode Upload and Scan to get a complete security assessment of your application by testing the source code, open source libraries, and assessing the test results against security policies, in a single operation. Upload and Scan performs Static Analysis scans, to find flaws in source code, and Software Composition Analysis (SCA) scans, to identify vulnerable open-source libraries, malicious libraries, and licenses. You upload a packaged artifact of your application to the Veracode Platform, we prescan or scan your code, and generate scan results that list the discovered findings with remediation guidance for resolving them.

By default, Upload and Scan performs both Static Analysis and SCA scans, but you must have licenses for these products to access the results.

Alternatively, test your code faster with Veracode Pipeline Scan and resolve Pipeline Scan findings with Veracode Fix.

How does Upload and Scan work?

  • Uploads a packaged artifact of your application code to the Veracode Platform.
  • Performs a prescan verification of your code and identifies open source components.
  • Performs Static Analysis and Software Composition Analysis (SCA) scans, which can also run in a development sandbox, to detect security findings in source code and open source libraries.
  • Analyzes the results of your code against security policies to assess the application's compliance with your organization's security requirements.
  • Provides scan results that you can review in the Veracode Platform, download and review in your IDEs, or access using the APIs.

How can I use Upload and Scan?

You can use Upload and Scan in the following products:

  • Veracode Platform and services
  • Integrations

Supported languages

Prerequisites

To use Upload and Scan, you must have:

  • An active Veracode Static Analysis or SCA license.
  • For Static Analysis, you must have the Creator, Submitter, or Security Lead role.
  • For SCA, you must have the Executive, Security Lead, or Administrator role.
  • An artifact of the application you want to scan. The artifact must meet the packaging requirements, and the files in the artifact must not exceed the upload limits.

The products that support Upload and Scan also have prerequisites.

Limits for uploaded files

Upload and Scan has the following limits for the files uploaded in a packaged artifact.

Upload limit                                                                        Value
Largest individual file you can upload                                              2 GB
Total maximum size of all the uploaded files that we can analyze in a single scan   5 GB
Total number of files that we can analyze in a single scan                          50,000 files
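A pre-upload check against the three limits in the table above, added here as an example and not part of Veracode's tooling. It reads only the zip central directory of a packaged artifact (no extraction), so it is cheap to run in a build step before the upload; the limit values are taken from the table and the sample archive is constructed inline.

```python
import io
import zipfile

# Limits from the table above (bytes; 1 GB taken as 1024**3)
MAX_FILE_BYTES = 2 * 1024**3     # largest individual file: 2 GB
MAX_TOTAL_BYTES = 5 * 1024**3    # all files analyzed in one scan: 5 GB
MAX_FILE_COUNT = 50_000          # files analyzed in one scan


def check_artifact_limits(zip_bytes, max_file=MAX_FILE_BYTES,
                          max_total=MAX_TOTAL_BYTES, max_count=MAX_FILE_COUNT):
    """Return a list of limit violations for a zipped artifact (empty list = OK).

    Sizes come from the uncompressed size recorded in the central directory,
    which is what matters for analysis, not the compressed size on the wire.
    """
    problems = []
    total = 0
    count = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # directory entries are not analyzed files
            count += 1
            total += info.file_size
            if info.file_size > max_file:
                problems.append(
                    f"{info.filename}: {info.file_size} bytes exceeds "
                    f"per-file limit of {max_file} bytes")
    if total > max_total:
        problems.append(
            f"total uncompressed size {total} bytes exceeds {max_total} bytes")
    if count > max_count:
        problems.append(f"{count} files exceeds limit of {max_count} files")
    return problems


def build_sample_artifact(sizes):
    """Constructed sample artifact: {member name: uncompressed byte length}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, size in sizes.items():
            zf.writestr(name, b"\0" * size)
    return buf.getvalue()


if __name__ == "__main__":
    artifact = build_sample_artifact({"app.jar": 4096, "lib/util.jar": 2048})
    print(check_artifact_limits(artifact) or "artifact is within upload limits")
```

The limits are parameters so the same function can be exercised with scaled-down values in a unit test without building multi-gigabyte archives.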

Find flaws in mobile apps

Veracode Mobile Behavioral Analysis finds static flaws in mobile applications. Veracode Static Analysis examines the permissions that the submitted mobile application requests, which can provide valuable insights into the behavior of the application.

A common security risk with mobile applications is called over-permissioning. Over-permissioning occurs when mobile applications request permissions that are unnecessary for the application to function. These permissions might be requested accidentally by the developers, or requested by a third-party component included with the application.

A consolidated list of permissions that the application is requesting can help both developers and end users understand what the application is capable of doing, and the risk the permission may present. Developers and security leads should review the list of permissions that the application requests, and validate that these permissions meet their expectations.

To review a list of permissions requested by the application found during scanning, in the Veracode Platform, navigate to the completed scan and select Mobile Behavioral Analysis.

Note: Mobile Behavioral Analysis is available when analyzing native Android applications built as APK files, and Apple Platform applications packaged as xcarchive bundles. Mobile Behavioral Analysis is not available for mobile applications built using Titanium, PhoneGap, Cordova, or Xamarin.

You can review the permissions listed in the table and determine if the permission settings are appropriate for your application. Mobile Behavioral Analysis findings do not impact your policy score.

Estimated scan completion time

We compute the estimated completion time for prescans and Static Analysis scans of applications based on historical delivery times for applications of similar size and language.

Considerations for large applications

The amount of time that it takes to deliver results for a static scan depends on many factors, including the language or platform in which the application was written, the size of the application, and whether the application is being scanned on behalf of a third party.

Large applications may take additional time to process. The actual processing time can vary by language, platform, and unique behaviors of the submitted code. For example, applications submitted with missing dependencies, or with dependencies compiled without debug symbols, can take longer.

Veracode makes every effort to deliver results as soon as possible. Therefore, if applications complete analysis sooner than the estimated delivery window, Veracode publishes the results sooner.

Scans under investigation

If we encounter a technical issue during scanning, the Estimated Delivery field shows the Under Investigation status, indicating that Veracode is working to resolve the issue.

How we match filenames between scans

The Veracode Platform attempts to match uploaded application files that appear to be related to a source file, but might have different build or version numbers. By matching these files, the Veracode Platform can track flaws across different builds without falsely reporting any new flaws because the name of the container changes between scans.

The matching scheme examines only the last characters of the filename preceding the file extension. Consider these sample files:

  • myapp-123.dll
  • myapp-124.dll

Veracode recognizes these files as different versions of the same file because they contain the same base name, myapp. Only the trailing numbers 123 and 124 at the end of the filename are different.

These filenames do not match the previous filenames because the final part of each name contains alphabetic characters:

  • myapp-123-test.dll
  • myapp-124-test.dll

In some circumstances, this filename matching scheme may encounter problems. You might upload files that appear to match and Veracode does not match them. Consider an application that has multiple, similar files in the build, such as:

  • function-1.dll
  • function-2.dll
  • function-3.dll

In this scenario, flaw matching can encounter problems between scans when Veracode matches them as versions of the same file, but they aren't related. Depending on which file the Veracode Platform finds first, the module listing for the scan identifies code added or removed because these files contain different code.

To avoid ending a filename with numerals, we recommend appending alphabetic characters to the end of the filename.
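The matching rule described in this section, reproduced as an added example (an approximation written for this page, not Veracode's implementation): only trailing numerals immediately before the file extension are ignored, the remainder of the name and the extension must be identical. The helper also reports sibling files within one artifact that would collide under the rule (the function-1.dll case) and applies the recommendation above; the suffix "a" and all filenames are constructed for illustration.

```python
import re

# Approximation of the documented rule: everything except trailing numerals
# before the extension must match. Requiring the extension to match as well
# is an assumption made here.
_NAME_PATTERN = re.compile(r"^(?P<base>.*?)(?P<version>\d*)(?P<ext>\.[^.]+)?$")


def match_key(filename):
    """Part of the name that must be identical for two files to be treated as
    versions of the same file: base name plus extension, trailing digits dropped."""
    m = _NAME_PATTERN.match(filename)
    return m.group("base") + (m.group("ext") or "")


def same_file(a, b):
    """True if the rule would track a and b as versions of one file across scans."""
    return match_key(a) == match_key(b)


def find_ambiguous_names(filenames):
    """Group one build's filenames by match key and return groups with more than
    one member: unrelated files that the rule would treat as versions of each
    other, which is the scenario that breaks flaw matching between scans."""
    groups = {}
    for name in filenames:
        groups.setdefault(match_key(name), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def suggest_rename(filename, suffix="a"):
    """Apply the recommendation: if the name ends in numerals, append alphabetic
    characters so the numerals are no longer trailing. Suffix is a constructed
    choice; any alphabetic suffix serves."""
    m = _NAME_PATTERN.match(filename)
    if not m.group("version"):
        return filename  # nothing trailing to fix
    return f"{m.group('base')}{m.group('version')}{suffix}{m.group('ext') or ''}"


if __name__ == "__main__":
    build = ["function-1.dll", "function-2.dll", "function-3.dll", "myapp-123.dll"]
    for key, names in find_ambiguous_names(build).items():
        print(f"collide on '{key}':", names, "->", [suggest_rename(n) for n in names])
```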