Manage analysis results
Access and manage results from Veracode Dynamic Analysis in the Veracode Platform or using the REST API.
To perform these tasks, ensure you meet the prerequisites.
Review results
You can view the results for a Dynamic Analysis on the Triage Flaws page in the Veracode Platform.
Before you begin:
To view the results of a Dynamic Analysis, you must have the Creator, Reviewer, or Security Lead role, unless the results are linked to an application that you have permission to view.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Dynamic Analysis.
- Locate the row for the Dynamic Analysis for which you want to view the results.
- From the Actions menu at the end of the row, select View Analysis Results. The results open on the Triage Flaws page, which provides a detailed list of all vulnerabilities.
- On the Triage Flaws page, review the details for each vulnerability, including the URL, vulnerability path, and CWE information. If the results are linked to an application profile, you must perform any mitigations or approvals on the Triage Flaws page, or the application profile does not reflect those changes.
For a list of supported CWEs, see Veracode and the CWE.
Review prescan results for an API scan
In the Veracode Platform, you can review the results of a prescan or full scan of your scanned API specifications or Postman Collections. The results indicate whether Veracode successfully reached and, if required, authenticated with the target server for each API endpoint or request included in the analysis.
If you ran a full Dynamic Analysis of your API specification, instead of a prescan, you can download the Dynamic Analysis Coverage Report.
Before you begin:
- You have a Veracode account with the Creator, Submitter, or Security Lead role. Any member of the team associated with the Dynamic Analysis is able to view the analysis and its results.
- You have created an API specification scan and run a prescan.
- The scan status must be Completed - Results Available.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans and Analysis > Dynamic Analysis.
- In the All Dynamic Analyses table, select the analysis name.
- Under API Specifications List, locate your specification.
- To view detailed information about a scan, in the Actions column, select either View Prescan Details or View Scan Details. On the scan details page, you can review the scan status and any scan configuration errors. For a prescan, you might need to correct these errors before you can run a full scan. The page also provides the authentication and connection information that each request uses to access your target API server.
- In the Request and Response section, review the endpoints or requests included in the scan. To ensure optimal performance, a prescan only includes the first 100 endpoints or requests from each specification or Postman Collection. Requests in error are highlighted red with an error code in the Response column. The prescan uses the traffic defined in the specification to:
  - Test the connectivity to the API server, particularly if the server is behind a firewall and you have configured an Internal Scanning Management (ISM) gateway and endpoint.
  - Verify the authentication method for accessing the server. For example, a 401 in the Response column might indicate an authentication problem for that request.
- Optionally, to view configuration information about the scanned API specification or Postman Collection, at the top of the page, select PRESCAN CONFIGURATION or SCAN CONFIGURATION. You can download the specification in its original format or, for OpenAPI 3.1, 3.0, and 2.0, download the converted HAR file.
Review scan details
Review scan results and configuration information for scanned web application URLs in the Veracode Platform.
Before you begin:
You must have the Creator, Reviewer, or Security Lead role to be able to view the results of a Dynamic Analysis, unless the results are linked to an application that you have permission to view.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Dynamic Analysis.
- Select the link of a Dynamic Analysis in the list on the All Dynamic Analysis Scans page. The top of the page summarizes the status and schedule of the Dynamic Analysis.
- Select the Dynamic Analysis Results tab. In the URL Configurations List or API Specification List table, review the scan status, date, and duration. The number of vulnerabilities found in each URL or endpoint is listed by severity.
- Select a link in the URL or Server column.
- Review the Scan Details tab for more detailed scan information. To review the scan configuration, select the Scan Configuration tab.
View the Dynamic Analysis Coverage Report
A Coverage Report for a Dynamic Analysis provides a simplified view of attack and non-attack traffic for the target site. Dynamic Analysis generates the Coverage Report after a URL scan for a web application or API is complete and results are available.
You can access the Dynamic Analysis Coverage Report from the Veracode Platform. The report provides details about the attack and non-attack traffic that Dynamic Analysis detected during scanning.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Dynamic Analysis. The Dynamic Analysis page opens, showing all Dynamic Analysis scans and their status.
- Select the name of a Dynamic Analysis for a web application or API. The results page for the analysis opens.
- In the URLs List or API Specifications List table, select a URL or API specification. The Details page opens.
- Select the Coverage Report tab to view the Coverage Report.
- To download the report, select Download Report and select Unique URLs Found CSV or Scan Activity Log CSV.
The Coverage Report includes the following sections.
Coverage Report sections
The Coverage Report provides the following information about your analysis.
Scan Times and Duration
Identifies the scan status, start and end times for the scan, and duration of the scan.
Coverage Summary
Provides a summary of the URLs found, including:
- Total Unique URLs Found
- Audited URLs
- Ignored URLs
- Blocked URLs
- Total Scan Activity: identifies the number of entries in the Scan Activity Log table. This number reflects the amount of work the scan engine performed, including both crawl and audit activity. Total Scan Activity compares results between scans of the same site. You can use it to identify changes to:
- The content of the site
- The quality of network connectivity
Unique URLs Found
Contains unique URL information. Dynamic Analysis removes any duplicate URLs from this data table, which has these columns:
- URL: each unique URL that Dynamic Analysis crawled
- Count: how many times Dynamic Analysis encountered that specific URL
- Type: the category of content that Dynamic Analysis audited
  - Resource: static files such as images or CSS that the scan engine ignores
  - Websocket: bidirectional, real-time requests made over WebSocket
  - Network: low-level exchanges sent by the scan engine, including those sent as part of security tests
  - Browser: unique browser location that the scan engine discovered and passed through redundancy checks
  - Event Source: unidirectional, real-time events sent to a browser over an event source channel
- Scope: whether the URL is within the scope of the scan
  - Audit: in scope of the scan
  - Block: on the URL blocklist
  - Ignore: outside the scope of the scan
Scan Activity Log
Contains all coverage information an analysis collected, consisting of the unique URL information and these additional columns:
- Timestamp: time at which the scan engine sent a request to the URL
- Method: HTTP request method the scan engine used for the request to the application
- Response: HTTP response status code the application returned for the request
- Duration: length of time the scan engine interacted with the URL
Filters are available for most of the column headers in the Coverage Report to enable you to customize the report. You can access the report from the Actions menu in the URLs List table.
You can also access the report from the URL Actions menu on the URL Configuration Scan Summary page. If a Coverage Report is not available when you select the menu option, it is because the analysis stopped without completing or it predates this feature.
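The Coverage Summary figures above (unique, audited, ignored, and blocked URLs, total scan activity) can be rebuilt from a downloaded Scan Activity Log CSV, and the Response column can be checked for the 401 authentication pattern mentioned for prescans. The following Python is an added example, not Veracode's code; the CSV is constructed here, and it assumes the export's header names match the column names described above.

```python
import csv
import io
from collections import Counter

# Constructed sample of a downloaded Scan Activity Log CSV. Header names follow
# the column names described above; the exact header text of a real export and
# the millisecond Duration unit are assumptions.
SAMPLE_ACTIVITY_LOG = """Timestamp,URL,Count,Type,Scope,Method,Response,Duration
2024-01-01T10:00:00Z,https://app.example.com/,1,Browser,Audit,GET,200,120
2024-01-01T10:00:01Z,https://app.example.com/login,1,Browser,Audit,POST,200,250
2024-01-01T10:00:02Z,https://app.example.com/api/users,1,Network,Audit,GET,401,80
2024-01-01T10:00:03Z,https://app.example.com/api/users,2,Network,Audit,GET,401,75
2024-01-01T10:00:04Z,https://cdn.example.com/site.css,1,Resource,Ignore,GET,200,30
2024-01-01T10:00:05Z,https://app.example.com/logout,1,Browser,Block,GET,0,0
2024-01-01T10:00:06Z,https://app.example.com/admin,1,Browser,Audit,GET,500,900
"""


def summarize_activity_log(csv_text):
    """Rebuild the Coverage Summary figures from the activity log and flag
    unique URLs that only ever answered 401/403 (likely an authentication
    problem, as with a 401 in a prescan) or that returned any 5xx."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    scope_by_url = {}
    responses_by_url = {}
    for row in rows:
        url = row["URL"]
        scope_by_url[url] = row["Scope"]
        responses_by_url.setdefault(url, set()).add(int(row["Response"] or 0))

    # Each URL is counted once, matching the de-duplicated Unique URLs Found table.
    scope_counts = Counter(scope_by_url.values())
    auth_problems = sorted(
        u for u, codes in responses_by_url.items() if codes <= {401, 403}
    )
    server_errors = sorted(
        u for u, codes in responses_by_url.items() if any(c >= 500 for c in codes)
    )
    return {
        "total_unique_urls": len(scope_by_url),
        "audited": scope_counts.get("Audit", 0),
        "ignored": scope_counts.get("Ignore", 0),
        "blocked": scope_counts.get("Block", 0),
        "total_scan_activity": len(rows),  # one row per request the engine sent
        "auth_problem_urls": auth_problems,
        "server_error_urls": server_errors,
    }


if __name__ == "__main__":
    print(summarize_activity_log(SAMPLE_ACTIVITY_LOG))
```

Audited endpoints that only ever returned 401 were reached but not tested with a valid session, so they are the first place to look when a scan reports fewer vulnerabilities than expected.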
Link results to application profiles
The Dynamic Analysis application linking feature allows you to link scan results to an application profile. By linking the results, you can evaluate them against policy and aggregate the results from multiple scan types, such as Static Analysis and Dynamic Analysis, in a single report for the same application.
You can link results manually or automatically. You can also use the REST API.
By default, Dynamic Analysis does not automatically create application profiles during the linking process. To create application profiles, configure auto-linking.
Benefits
Linking results to an application profile provides the following benefits.
- View the results of all types of scans aggregated in a single report.
- Access reports in the Veracode Platform to identify crawled and attacked links.
- Save results from each subsequent scan without overwriting the results of the previous scan.
- Use the Veracode Platform to review the application policy evaluation.
- Download a PDF of the results.
Prerequisites
- Linking to a scan requires an existing application profile in the Veracode Platform.
- Application linking succeeds only if a Dynamic Analysis request in an application profile is complete. Verify the status of any Dynamic Analysis requests within the profile. If you have permission, delete an incomplete request before attempting to link the application. Incomplete statuses include:
  - Prescan Complete
  - Scan in Progress
  - Prescan Failed
- You cannot link an application profile that contains an in-progress Dynamic Analysis. You must delete the in-progress Dynamic Analysis and unlink the application profile. You can then link another application profile.
- You can link one URL to one application profile. This manual step requires you to map each URL to an existing application profile.
Manually link results
You can link the results from a Dynamic Analysis to an application profile in the Veracode Platform or with the REST API.
Do not use any actions under the application profile menu for Dynamic Analysis scans linked to an application.
Before you begin:
You must have the Administrator, Security Lead, Creator, or Submitter role to be able to manually link results.
To complete this task:
- In the Veracode Platform, select the Dynamic Analysis Results tab of the analysis summary page, and select Actions > Link to Application. The Link to Application window opens.
- Select the application you want to link to from the list. You cannot select an application that is already linked to a URL configuration.
- Select Save.
Results:
The linked application appears in the Additional Information section on the Scan Details page.
Linked Dynamic Analysis results are now available from the application overview. Select Completed in the left navigation menu of the Veracode Platform to see your completed Dynamic Analysis scans. You can review the results in the Coverage Report for the Dynamic Analysis.
Unlink results
You can unlink results when you no longer want to associate them with a specific application profile or when you want to link them to a different application. You can perform this in the Veracode Platform or with the REST API.
After unlinking results from an application profile, all future scan results are no longer associated with that application. The results from previous scans remain available, and you can link them to the same or a different application profile.
Before you begin:
You must have the Administrator, Security Lead, Creator, or Submitter role.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Dynamic Analysis.
- In the All Dynamic Analyses table, select the name of the analysis from which to unlink an application profile.
- In the URLs List table or the API Specifications List table, next to a URL or API specification, select Actions > Unlink from Application.
- In the Unlink from Application window, select Unlink.
- To unlink additional URLs or API specifications, repeat steps 3 and 4.
Automatically link results
The Dynamic Analysis auto-linking feature automatically links URL scans from Dynamic Analyses to applications that already exist in the Veracode Platform. The matching process searches for URLs previously associated with the existing application that match the target URL in the Dynamic Analysis.
Auto-publishing results of concurrent scans improves Dynamic Analysis scans. When Veracode links Dynamic Analysis scans to an application profile, Veracode matches flaw results that do not require any additional verification on a subsequent scan. This practice reduces the publishing time of results while maintaining a low false-positive rate.
We recommend configuring recurring schedules to ensure that the results automatically link to the application profiles for future scans.
If you configure a recurring schedule but do not link the results to the application profiles, the next time the scan runs using that schedule, the new results overwrite the previous results.
Before you begin:
You must have the Administrator or Security Lead role to enable the auto-linking feature for your organization. After enabling auto-linking, any users in your organization who have the appropriate permissions can view linked results.
To complete this task:
- Select the gear icon in the top-right of the Veracode Platform and select Dynamic Analysis Auto-Linking. The Dynamic Analysis Auto-Linking Options page opens.
- Select an auto-linking option:
  - Do not auto-link: do not auto-link any URL scan results or create any new applications.
  - Auto-link but do not create applications: search existing applications for previously associated URLs that match the target URL and auto-link future URL scan results to the application.
  - Auto-link and create applications: search existing applications for previously associated URLs that match the target URL and auto-link future scan results to the application. For each target URL that does not match any URLs in an existing application, create a new application based on the information you enter in the New Application Name, Business Criticality, Policy, and Visibility Settings fields.
  The selected option applies to all future analyses and results that are not yet published. You can only link one target URL to an application at a time. If you have multiple Dynamic Analysis scans that have the same target URL, you can link them to the same application. If you have previously linked a target URL to multiple applications, the auto-linking feature selects the most recently published scan to link to in the future. You can also manually unlink results.
- Select Save.
The linked application appears in the Additional Information section on the Scan Details page. Linked Dynamic Analysis results are now available from the application overview. Select Completed in the left navigation menu of the Veracode Platform to see your completed Dynamic Analysis scans. You can review the results in the Coverage Report for the Dynamic Analysis.