Veracode Software Composition Analysis (SCA) helps you build an inventory of your third-party components, including open-source and commercial code, so that you can identify the vulnerabilities they carry.
The Veracode Platform analyzes both your own and third-party code in a single static scan, providing you visibility across your entire application portfolio. You can access SCA results after your static prescan is complete.
To use Veracode SCA upload scans, select Scans & Analysis > Software Composition Analysis at the top of the Veracode Platform. You must have the Executive, Security Lead, or Administrator role to view the data. You can also navigate to SCA from the left navigation menu to view SCA in the context of an application.
Depending on your role, you can:
View a list of vulnerabilities across the applications in your portfolio to see which applications are passing or failing your policy.
View which of your components are passing or failing the security requirements specified in the SCA policy rules, and the remediation practices you can use to lower your application security risk.
Detailed composition information is organized by these tabs:
Click Data Exports to export your Veracode SCA results as a CSV file. This report contains details about all components across all of the applications in your portfolio.
In the report, you may see duplicate vulnerabilities if the same component is found in multiple locations within an application.
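The following script is an added example, not Veracode code, showing how a practitioner might post-process such an export so that a component shipped in several places is counted once per application while every location is still listed for remediation. The column names (Application, Component, Version, Vulnerability, Severity, File Path) and the sample rows are constructed for this example and are an assumption about the export layout, not the real Veracode schema; the vulnerability IDs are placeholders.

```python
import csv
import io

# Constructed sample of an SCA CSV export. The column names are an assumption
# made for this example (not the real Veracode schema) and the vulnerability
# IDs are placeholders, not real CVEs.
SAMPLE_EXPORT = """Application,Component,Version,Vulnerability,Severity,File Path
Billing,log4j-core,2.14.1,CVE-EXAMPLE-0001,Very High,lib/log4j-core-2.14.1.jar
Billing,log4j-core,2.14.1,CVE-EXAMPLE-0001,Very High,vendor/legacy/log4j-core-2.14.1.jar
Billing,jackson-databind,2.9.8,CVE-EXAMPLE-0002,High,lib/jackson-databind-2.9.8.jar
Portal,log4j-core,2.14.1,CVE-EXAMPLE-0001,Very High,WEB-INF/lib/log4j-core-2.14.1.jar
"""

# Columns that together identify one distinct vulnerability in one application.
DEDUPE_KEY = ("Application", "Component", "Version", "Vulnerability")


def load_findings(csv_text):
    """Parse the export into a list of row dicts, one per reported location."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def dedupe_findings(rows, key_fields=DEDUPE_KEY):
    """Collapse rows that report the same vulnerability at different paths.

    Returns one record per distinct (application, component, version,
    vulnerability), keeping every file path so the remediation owner still
    knows each copy of the component that has to be upgraded.
    """
    merged = {}  # dict preserves insertion order, so output order is stable
    for row in rows:
        key = tuple(row[field] for field in key_fields)
        record = merged.get(key)
        if record is None:
            record = {field: row[field] for field in key_fields}
            record["Severity"] = row["Severity"]
            record["Locations"] = []
            merged[key] = record
        record["Locations"].append(row["File Path"])
    return list(merged.values())


def count_by_application(records):
    """Number of distinct vulnerabilities per application, for a portfolio roll-up."""
    counts = {}
    for record in records:
        app = record["Application"]
        counts[app] = counts.get(app, 0) + 1
    return counts


if __name__ == "__main__":
    unique = dedupe_findings(load_findings(SAMPLE_EXPORT))
    for rec in unique:
        print(f'{rec["Application"]}: {rec["Component"]} {rec["Version"]} '
              f'{rec["Vulnerability"]} ({rec["Severity"]}) '
              f'at {len(rec["Locations"])} location(s)')
    print(count_by_application(unique))
```

Deduplicating on the component version rather than on the file path keeps the vulnerability count honest for policy reporting, while the retained Locations list is what the team actually needs when upgrading, since a fix that misses the second copy of the library leaves the finding open.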
The Customizable Report contains Veracode SCA findings for individual applications in PDF format.
If you want to scan your code early and frequently in your software development lifecycle, Veracode recommends using Veracode SCA agent-based scanning. Agent-based scans provide additional features, such as dependency mapping, vulnerable methods, and automated pull requests.