Using Third-Party Components Data with Veracode SCA

Veracode Software Composition Analysis

The Third-Party Components tab lists all the third-party components in your applications, and provides version, usage, license risk, and known vulnerability information.

The list of components shows the filename and an at-a-glance view of the severity of each vulnerability that Veracode found in each component. The Count column shows you how many times a component is used across all of your applications. The License column details the first license Veracode found for the component, and a risk rating Veracode assigned for the license.

Use the filter to find components by CVE ID, number of affected applications, blocklist presence, component name, severity, or any combination of these. If you sort by the number of known vulnerabilities, the components in the grid are ordered by the total severity of their vulnerabilities rather than by the count alone. A filter you apply remains in effect when you switch tabs until you clear it. The Blocklist switch is visible only to users with the Security Lead role.

Note: If you scanned a JavaScript application that uses both Bower and npm package managers, and a component exists in both the bower_components and node_modules folders, Veracode SCA displays both of the components individually.

Component Details

Click a component filename to view detailed information for that component. The details in the popup include:
  • Other Versions: A list of all known versions of this component, an indication of whether that component is currently in your application portfolio, and the known vulnerabilities in that component.
  • Vulnerabilities: The list of vulnerabilities in this component, with the severity, CVE ID, CWE ID, and description of each.
  • Dependent Applications: This tab lists any applications that contain this component, the policy associated with that application, and a color-coded shield icon that indicates if the application is in compliance with its policy.

Click the component link to get more details.

Additional component details, such as vulnerable methods and dependency graphs, are available through agent-based scanning.

Adding Components to a Blocklist

When reviewing the components that comprise a software application, you can add any component that contains an unacceptable vulnerability to the blocklist. You must have the Security Lead role to add components to the blocklist.

To add components to a blocklist:
  1. Go to Scans & Analysis > Software Composition Analysis.
  2. Find the component that you want to blocklist, and in the Blocklist column, move the switch from OFF to ON.
  3. Optionally, in the Blocklisted Component window, you can enter the remediation advice you want to provide for fixing the vulnerability.
  4. Click Save.
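The note above about a component that appears under both bower_components and node_modules, and the blocklist with its remediation advice, can be modelled locally. The following Python script is an added example, not Veracode code and not the SCA blocklist itself: it inventories a constructed JavaScript project tree (listing a package once per package-manager folder, as the tab does), reports packages present under both managers, and checks every component against a constructed blocklist whose entries carry remediation advice. Component names, versions, and advice are placeholders; the manifest layout it reads (.bower.json or bower.json under bower_components, package.json under node_modules, with scoped packages under @scope folders) is the standard layout of those package managers.

```python
"""Inventory JavaScript third-party components and check them against a blocklist.

Added example, not Veracode code. The project tree, component names, versions,
and blocklist below are constructed for illustration only.
"""
import json
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    source: str  # "bower_components" or "node_modules"


def _read_manifest(directory, candidates):
    """Return the first JSON manifest found in directory, or None."""
    for filename in candidates:
        path = os.path.join(directory, filename)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                return json.load(fh)
    return None


def _package_dirs(node_dir):
    """Yield top-level package directories, descending into @scope folders."""
    for entry in sorted(os.listdir(node_dir)):
        path = os.path.join(node_dir, entry)
        if entry.startswith(".") or not os.path.isdir(path):
            continue
        if entry.startswith("@"):
            for sub in sorted(os.listdir(path)):
                yield os.path.join(path, sub)
        else:
            yield path


def inventory(project_root):
    """List components under bower_components and node_modules.

    A package installed by both managers yields two entries, one per folder,
    which mirrors how the Third-Party Components tab displays it.
    """
    found = []
    bower_dir = os.path.join(project_root, "bower_components")
    if os.path.isdir(bower_dir):
        for entry in sorted(os.listdir(bower_dir)):
            # bower install writes .bower.json; fall back to the package's own bower.json
            manifest = _read_manifest(os.path.join(bower_dir, entry), (".bower.json", "bower.json"))
            if manifest and "name" in manifest:
                found.append(Component(manifest["name"], str(manifest.get("version", "unknown")), "bower_components"))
    node_dir = os.path.join(project_root, "node_modules")
    if os.path.isdir(node_dir):
        for pkg_dir in _package_dirs(node_dir):
            manifest = _read_manifest(pkg_dir, ("package.json",))
            if manifest and "name" in manifest:
                found.append(Component(manifest["name"], str(manifest.get("version", "unknown")), "node_modules"))
    return found


def duplicated_across_managers(components):
    """Names that appear under more than one package-manager folder."""
    sources = {}
    for c in components:
        sources.setdefault(c.name, set()).add(c.source)
    return sorted(name for name, s in sources.items() if len(s) > 1)


def blocklist_hits(components, blocklist):
    """Pair each component with the remediation advice of every matching blocklist entry.

    An entry whose version is None blocks every version of that component.
    """
    hits = []
    for c in components:
        for entry in blocklist:
            if entry["name"] == c.name and entry["version"] in (None, c.version):
                hits.append((c, entry["remediation"]))
    return hits


# Constructed blocklist; names and advice are placeholders, not real findings.
SAMPLE_BLOCKLIST = [
    {"name": "legacy-parser", "version": "1.2.0",
     "remediation": "Upgrade legacy-parser to the current release and re-scan."},
    {"name": "acme-widgets", "version": None,
     "remediation": "Remove acme-widgets; no version of it is approved."},
]


def build_sample_project(root):
    """Write a constructed project tree with one component under both managers."""
    manifests = {
        "bower_components/legacy-parser/.bower.json": {"name": "legacy-parser", "version": "1.2.0"},
        "bower_components/acme-widgets/.bower.json": {"name": "acme-widgets", "version": "0.9.0"},
        "node_modules/legacy-parser/package.json": {"name": "legacy-parser", "version": "2.0.1"},
        "node_modules/@acme/core/package.json": {"name": "@acme/core", "version": "3.1.0"},
    }
    for rel, content in manifests.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(content, fh)
    return root


def run_demo():
    """Build the sample tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        comps = inventory(build_sample_project(tmp))
        return {
            "components": [(c.name, c.version, c.source) for c in comps],
            "duplicates": duplicated_across_managers(comps),
            "blocked": [(c.name, c.version, c.source, advice)
                        for c, advice in blocklist_hits(comps, SAMPLE_BLOCKLIST)],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running the script lists four components (legacy-parser twice, once per folder), reports legacy-parser as present under both managers, and flags the two blocklisted components with their remediation advice. Only the top level of node_modules is walked, so nested dependencies would need a recursive walk; version matching is exact, which is the conservative choice for a gate.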

Set Blocklist toggle to ON or OFF.

You can change the remediation advice for any component at any time by clicking Edit at the end of the remediation advice line, and changing the text in the Blocklisted Component window.
Enter the remediation advice in the window.

Use the filter function to list applications by CVE ID, component, application name, or any combination of these filters.