Review analysis results
Access scan details and results from Veracode Dynamic Analysis in the Veracode Platform or using the REST API. To more easily access the results from an application profile, and include them in reports, link the results to an application profile.
To perform these tasks, ensure you meet the prerequisites.
View historical details for an analysis
You can view detailed information about all occurrences of a Dynamic Analysis, including scan results, in the Veracode Platform.
You can use the historical information to understand when the analysis and its scans occurred, how often they ran, the analysis duration, the schedule, if any, its current status, and whether it completed successfully. The past occurrences are read-only because they provide a historical record for the selected analysis. You can only change the most recent occurrence of an analysis.
You can also get the historical information with the REST API.
Before you begin:
You must have the Creator, Reviewer, or Security Lead role. Any member of the team associated with the Dynamic Analysis is able to view the analysis and its results.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Dynamic Analysis. The All Dynamic Analyses page opens.
- Locate the row for the Dynamic Analysis for which you want to view historical information.
- To open the Analysis History window, from Actions at the end of the row, select View Analysis History.
The Analysis History window shows a list of past occurrences for the selected analysis with the following information:
- Analysis Occurrence ID: unique ID for a specific analysis.
- Analysis Status: current status of the analysis.
- Actual Start and Actual End: timestamp when the analysis started and finished, whether manually or on a schedule.
- Scheduled Start and Scheduled End: for a scheduled analysis, the timestamp when it is scheduled to start and finish. These times indicate when the analysis is scheduled to run compared to the times when it actually started and ended.
- Optionally, from the Filter by dropdown menu, you can select to show only analyses with a specific status or to include or exclude prescans. Then, select Apply to filter the list.
- In the Analysis Occurrence ID column, select a link to close the Analysis History window and open a read-only page with more detailed information about the selected occurrence. From the Analysis Actions dropdown menu, you can select Configure Most Recent Analysis to go to the Edit page for the most recent occurrence of the selected analysis. Any changes to the analysis configuration only apply to future analyses.
- To view the historical scan results for the selected analysis, in the URLs List or API Specifications to Scan table, select a URL or specification. The Scan Details page opens with read-only information about the selected scan occurrence. From the Scan Actions dropdown menu, you can select Configure to edit the scan configuration. Any changes to the scan configuration only apply to future scans.
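The history columns above (occurrence ID, status, actual and scheduled start and end) are enough to answer the questions the section lists: how long each run took, how often runs happen, whether a scheduled run started late or overran its window, and which runs did not complete. The following is an added example, not Veracode's code or API; the record field names and the sample history are constructed assumptions, so map whatever you export from the Platform or the REST API onto that shape.

```python
"""Summarize Dynamic Analysis occurrence history (added example, not Veracode code)."""
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed sample history, newest first. Field names are an assumption
# modelled on the Analysis History columns; timestamps are ISO 8601 UTC.
SAMPLE_HISTORY = [
    {"analysis_occurrence_id": "occ-1004", "status": "Completed",
     "actual_start": "2024-03-08T02:05:00Z", "actual_end": "2024-03-08T05:41:00Z",
     "scheduled_start": "2024-03-08T02:00:00Z", "scheduled_end": "2024-03-08T06:00:00Z"},
    {"analysis_occurrence_id": "occ-1003", "status": "Stopped",
     "actual_start": "2024-03-01T02:01:00Z", "actual_end": "2024-03-01T02:20:00Z",
     "scheduled_start": "2024-03-01T02:00:00Z", "scheduled_end": "2024-03-01T06:00:00Z"},
    {"analysis_occurrence_id": "occ-1002", "status": "Completed",
     "actual_start": "2024-02-23T07:30:00Z", "actual_end": "2024-02-23T11:10:00Z",
     "scheduled_start": "2024-02-23T02:00:00Z", "scheduled_end": "2024-02-23T06:00:00Z"},
    {"analysis_occurrence_id": "occ-1001", "status": "Completed",  # manual run, no schedule
     "actual_start": "2024-02-16T02:00:00Z", "actual_end": "2024-02-16T05:30:00Z",
     "scheduled_start": None, "scheduled_end": None},
]

def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 'Z' timestamp; None (unscheduled) stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize_occurrence(rec: dict) -> dict:
    """Duration, completion, and schedule drift for one occurrence."""
    start, end = _ts(rec["actual_start"]), _ts(rec["actual_end"])
    sched_start, sched_end = _ts(rec["scheduled_start"]), _ts(rec["scheduled_end"])
    out = {"id": rec["analysis_occurrence_id"],
           "completed": rec["status"] == "Completed",
           "duration_min": int((end - start).total_seconds() // 60),
           "scheduled": sched_start is not None,
           "start_delay_min": None, "overran_window": False}
    if sched_start is not None:
        out["start_delay_min"] = int((start - sched_start).total_seconds() // 60)
        out["overran_window"] = end > sched_end  # finished after the scheduled end
    return out

def summarize_history(history: list, late_after_min: int = 30) -> dict:
    """Per-run rows plus cadence, failed runs, and runs that started late."""
    rows = [summarize_occurrence(r) for r in history]
    starts = sorted(_ts(r["actual_start"]) for r in history)
    gaps = [(b - a).days for a, b in zip(starts, starts[1:])]
    return {"occurrences": rows,
            "median_cadence_days": median(gaps) if gaps else None,
            "failed_ids": [r["id"] for r in rows if not r["completed"]],
            "late_ids": [r["id"] for r in rows
                         if r["scheduled"] and r["start_delay_min"] > late_after_min]}
```

A run that started hours late or overran its scheduled window is worth checking against the ISM gateway and target availability before trusting its coverage.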
Review findings
You can view the results and mitigate findings for a Dynamic Analysis on the Triage Flaws page in the Veracode Platform.
Typically, findings from Dynamic Analysis are called vulnerabilities, but they appear on the Triage Flaws page as flaws.
Before you begin:
You must have the Creator, Reviewer, or Security Lead role, unless the results are linked to an application that you have permission to view.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Dynamic Analysis.
- Locate the row for the Dynamic Analysis for which you want to view the results.
- From the Actions menu at the end of the row, select View Analysis Results. The results open on the Triage Flaws page, which provides a detailed list of all vulnerabilities.
- On the Triage Flaws page, review the details for each vulnerability, including the URL, vulnerability path, and CWE information. If the results are linked to an application profile, you must perform any mitigations or approvals on the Triage Flaws page; otherwise, the application profile does not reflect those changes.
For a list of supported CWEs, see CWEs detected as flaws.
Review prescan results for an API scan
In the Veracode Platform, you can review the results of a prescan or scan of your API specifications or Postman Collections. The results indicate whether Veracode successfully reached and, if required, authenticated with the target server for each API endpoint or request included in the analysis.
If you ran a full Dynamic Analysis of your API specification, instead of a prescan, you can download the Dynamic Analysis Coverage Report.
Before you begin:
- You have a Veracode account with the Creator, Submitter, or Security Lead role. Any member of the team associated with the Dynamic Analysis is able to view the analysis and its results.
- You have created an API specification scan and run a prescan.
- The scan status must be Completed - Results Available.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans and Analysis > Dynamic Analysis.
- In the All Dynamic Analyses table, select the analysis name.
- Under API Specifications List, locate your specification.
- To view detailed information about a scan, in the Actions column, select either View Prescan Details or View Scan Details. On the scan details page, you can review the scan status and any scan configuration errors. For a prescan, you might need to correct these errors before you can run a scan. The page also shows the authentication and connection information that each request uses to access your target API server.
- In the Request and Response section, review the endpoints or requests included in the scan. To ensure optimal performance, a prescan only includes the first 100 endpoints or requests from each specification or Postman Collection. Requests in error are highlighted in red with an error code in the Response column. The prescan uses the traffic defined in the specification to:
- Test the connectivity to the API server, particularly if the server is behind a firewall, and you have configured an Internal Scanning Management (ISM) gateway and endpoint.
- Verify the authentication method for accessing the server. For example, a 401 in the Response column might indicate an authentication problem for that request.
- Optionally, to view configuration information about the scanned API specification or Postman Collection, at the top of the page, select PRESCAN CONFIGURATION or SCAN CONFIGURATION. You can download the specification in its original format or, for OpenAPI 3.1, 3.0, and 2.0, download the converted HAR file.
Review scan details
Review scan results and configuration information for scanned web application URLs in the Veracode Platform.
Before you begin:
You must have the Creator, Reviewer, or Security Lead role to be able to view the results of a Dynamic Analysis, unless the results are linked to an application that you have permission to view.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Dynamic Analysis.
- Select the link for a Dynamic Analysis in the list on the All Dynamic Analysis Scans page. The top of the page summarizes the status and schedule of the Dynamic Analysis.
- Select the Dynamic Analysis Results tab. In the URL Configurations List or API Specification List table, review the scan status, date, and duration. The number of vulnerabilities found in each URL or endpoint is listed by severity.
- Select a link in the URL or Server column.
- Review the Scan Details tab for more detailed scan information. To review the scan configuration, select the Scan Configuration tab.