Reports
Access and download reports of scan results and findings for your applications.
Use and distribution of these reports is governed by the agreement between Veracode and its customer. In particular, these reports and the results in the report cannot be used publicly in connection with Veracode without written permission.
Access reports
You can access reports in the Veracode Platform, using the APIs, and within Veracode integrations.
Using the Veracode Platform
In the Veracode Platform, go to the Results page for a scanned application. You can view the Veracode and PCI Compliance reports to gain insights into your application security program activity and a better understanding of the business risk of vulnerabilities in your application.
Using the APIs
Access reports using the REST or XML APIs:
- XML APIs
- REST APIs
Using the integrations
After running a scan using a Veracode integration that accesses the Veracode Platform, such as integrations that support Veracode Upload and Scan or Veracode DAST, you can access the results in the Veracode Platform interface and download reports.
For scan types that don't access the Veracode Platform, such as integrations that use Pipeline Scan for Static Analysis scans, you typically access the scan results and reports within the integration interface, such as a website or application, or using the Veracode APIs.
Download the Customizable Report
The Customizable Report summarizes the security flaws identified during the latest policy scan, how the application fared against the associated policy controls, and the Veracode recommendations for fixing the findings. It contains the same information as the Detailed Veracode Report that you can download from the Results page, but as a PDF that you can trim to only the sections you need.
This report is the only Veracode report that includes Veracode Software Composition Analysis (SCA) data.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Find an application with scan results and select Results.
- Select Download > Customizable Report.
- Under Report Selections, select which sections you want to include in the report. All sections are selected by default. If you clear a checkbox for a section with subsections, it also clears the checkboxes for the subsections.
- Select Download. Your customized report is downloaded to your browser.
The report includes the following sections.
Executive Summary
The Executive Summary section is a high-level description of your findings and policy status. It provides scan details such as the number of findings, the policy rules, the most frequently found CWEs, and the Security Quality Score. If you include Veracode Software Composition Analysis findings, it also provides a summary of SCA findings and third-party component license risk.
Action Items
The Action Items section of the Veracode scan results report provides guidance on the steps required to bring the application to a state where it passes its assigned security policy. These steps may include fixing or mitigating flaws or performing additional scans. The section also includes best practice recommendations to improve the security quality of the application.
Policy Control
The Policy Control section lists the names and descriptions of the assigned security policy and details how the application complies with the following policy rules:
- Veracode Level rule and any custom rules, including blocklist rules
- Scan requirements
- Remediation levels
Policy Evaluation
The Policy Evaluation is a summary of your policy compliance. It provides the description and status of your policy, as well as the rules, scan requirements, and Security Quality Score for the latest scan.
Static Scan Details
The Static Scan Details section describes the scope of the scan, listing the application modules included in and excluded from the scan.
Changes from Last Scan
The Changes from Last Scan section describes changes in scope from the prior scan, listing all modules that changed since the previous scan.
Findings and Recommendations
The Findings and Recommendations section provides a list of findings by severity, in addition to descriptions and remediation advice for the findings. Each finding is associated with the corresponding CWE ID. You can use the CWE ID to assign relevant Security Labs courses that explain how to resolve these findings. You can also view a list of Software Composition Analysis (SCA) findings by component with license risk details.
Approved, Proposed, and Rejected Mitigations
The Approved Mitigations, Proposed Mitigations, and Rejected Mitigations sections provide the mitigation history for findings in each mitigation status. They also provide the exploitability and location of each mitigated finding. For Veracode SCA, the report lists mitigations for vulnerabilities and for licenses separately.
Download the Detailed Veracode Report
You can generate a report of your application security findings to share vulnerability statistics of applications and websites with your stakeholders.
Before you begin:
You have the Executive, Reviewer, or Security Lead role.
The Detailed Veracode Report provides insights into your application security program activity and a better understanding of the business risk of vulnerabilities in your application. The Detailed Veracode Report contains the same information available in the Customizable Report, but without the ability to choose which sections to include in the report.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Find an application with scan results and select Results.
- Select Download.
- Select Detailed Veracode Report (PDF) and select Download. The report downloads to your computer for you to review and share with your stakeholders.
Download the Summary Veracode Report
You can download a Summary Report to share summary information about the security quality of your application without sharing the details of the discovered findings.
The Summary Report includes the application rating and security quality score. It also provides a summary of the number and types of findings that Veracode discovered during scanning. You can share this information with anyone without exposing the details of potentially exploitable findings.
The Summary Report provides a general summary of the overall security of the application while the Detailed Report provides a detailed list of findings, their location, and remediation guidance.
You can also get a Summary Report with the Summary Report REST API.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Find an application with scan results and select Results.
- Select Download > Summary Report.
- Select Download to download the report.
Download the Veracode PCI Report
This report provides guidance on how to fix the discovered flaws to achieve Payment Card Industry (PCI) compliance and how the application fared against the PCI policy.
Some applications may be subject to Payment Card Industry (PCI) criteria such as PCI-DSS and PA-DSS. Veracode provides the ability to evaluate any application against the PCI standards via the PCI report.
Veracode provides guidance for fixing security flaws to achieve compliance with PCI DSS version 4.0, sections 6.2, 6.4.1, and 11.4.1, and compliance with PCI SSF. Veracode implements the guidance provided in these sections in the PCI 4.0 standard, which recommends evaluating applications against the OWASP Top 10, CWE Top 25, CERT Secure Coding, and other standards, and which expressly requires that an application be free of High or Very High-severity flaws. You can view the details of how an application is evaluated against these standards in the Policy section of the PCI Report.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Select View in the Results column of the Applications list to open the results page for your application.
- Select PCI Compliance Report at the top of the page. The Veracode Platform opens the PCI Report view.
- To download a PDF copy of the report, select the download icon at the top-right of the page.
- Select Veracode PCI 4.0 Report (PDF) from the Download Report window and, if necessary, select the scan type to include in the report.
- Select Download.
Download the application activity report
You can download a report and an activity log from the Veracode Platform that provides detailed activity for an application.
The activity report provides the full history of scan events and policy events for the application, while the activity log shown in the Veracode Platform displays only events from the past 90 days.
To complete this task:
- In the Veracode Platform, select Scans & Analysis and select a scan type.
- Select an application.
- If you want to limit the report to scan activity, select Scans from the left navigation menu.
- To display the activity, in the Activity Log section, select the expand arrow.
- Select Generate CSV.
- After the CSV generates, select Download CSV. The scan activity report downloads to your computer.
Download the Detailed XML Report
Veracode exports, in XML format, detailed information about an application, including some application profile data, information about scans performed, Software Composition Analysis (SCA) data if available, and a list of open and fixed flaws. You can download this information from the Results page. The format for the download is the same as that provided by the Results API.
The XML export contains some data that is provided for automated consumption of flaw results, including remediation status and date first found.
The Detailed Results XML file for an application that contains more than one scan can contain information about both new and fixed flaws. The report states the line where each flaw is located, the number of lines of code (LOC) in a module, and also maps the flaws to the CWE, OWASP, and CERT industry standard lists of vulnerabilities.
Flaws that have been fixed can be filtered out by using the XML attribute remediation_status:
<flaw ... remediation_status="fixed" ... >
Flaws might not show as fixed if there were large changes in the upload or if another scan, which might have run in a development sandbox, already detected a flaw as fixed. If a flaw no longer appears in the scan results, you can consider it closed.
The date_first_occurrence attribute of the flaw contains the date on which the first report referencing this flaw was published. You can use this date to compute statistics about flaw aging.
The cia_impact attribute contains the Veracode assessment of the confidentiality, integrity, and availability impact of the flaw if it is exploited. Veracode uses this information, the impact metrics of CVSS version 2, to compute the severity of the flaw. The value is three letters: the first is confidentiality, the second integrity, and the third availability. Possible values for each letter are c for Complete, p for Partial, or n for None.
The policy_compliance_status attribute contains the Veracode policy evaluation for sandbox scan results. Each finding for a sandbox scan includes the policy impact under the BLANK attribute, which lets you inspect the sandbox findings that affect policy. A sandbox scan evaluates only the findings for policy implications; it does not take into account activity-based policy rules, such as required scan types and scan frequency, and sandbox scans do not count towards the scan frequency rule.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Find an application with scan results and select Results.
- Select Download > Detailed XML Report.
- Select Download. The report is downloaded to your browser. Veracode provides the report as a ZIP file that contains the XML document and the associated XSD XML schema for using the XML information in another application.
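The attributes described above (remediation_status, date_first_occurrence, cia_impact) are what a script consumes when it filters fixed flaws out of the Detailed XML Report and computes flaw-aging statistics. The following Python is an added example, not Veracode's own code or schema: only the <flaw> element and those three attributes come from the page; the enclosing element names, the xmlns, the other attributes and the sample data are constructed assumptions for illustration, and the parser deliberately matches on the local element name so it works whether or not the export carries a namespace.

```python
"""Parse a Veracode-style Detailed XML Report, drop fixed flaws, compute
flaw aging and decode cia_impact. Standard library only."""
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Constructed sample. Only <flaw>, remediation_status, date_first_occurrence
# and cia_impact are documented on the page; everything else (element
# nesting, xmlns, issueid, sourcefile, line, ...) is an assumption.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<detailedreport xmlns="https://www.veracode.com/schema/reports/export/1.0"
                app_name="demo-app">
  <severity level="5">
    <category categoryname="SQL Injection">
      <cwe cweid="89">
        <staticflaws>
          <flaw issueid="101" cweid="89" severity="5" remediation_status="Open"
                date_first_occurrence="2024-01-10 09:00:00 UTC" cia_impact="ppp"
                sourcefile="UserDao.java" line="42"/>
          <flaw issueid="102" cweid="89" severity="5" remediation_status="Fixed"
                date_first_occurrence="2023-11-02 14:30:00 UTC" cia_impact="ppp"
                sourcefile="OrderDao.java" line="17"/>
        </staticflaws>
      </cwe>
    </category>
  </severity>
  <severity level="3">
    <category categoryname="Information Leakage">
      <cwe cweid="209">
        <staticflaws>
          <flaw issueid="103" cweid="209" severity="3" remediation_status="New"
                date_first_occurrence="2024-03-01" cia_impact="pnn"
                sourcefile="ErrorPage.java" line="8"/>
        </staticflaws>
      </cwe>
    </category>
  </severity>
</detailedreport>
"""

CIA_VALUES = {"c": "Complete", "p": "Partial", "n": "None"}


def parse_flaws(xml_text):
    """Return the attributes of every <flaw> element as a dict."""
    root = ET.fromstring(xml_text)
    # Compare the local name only, so "{ns}flaw" and "flaw" both match.
    return [dict(el.attrib) for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "flaw"]


def is_fixed(flaw):
    """remediation_status="fixed" marks a closed flaw. The page shows the value
    in lowercase; compare case-insensitively in case an export capitalises it."""
    return flaw.get("remediation_status", "").strip().lower() == "fixed"


def open_flaws(flaws):
    return [f for f in flaws if not is_fixed(f)]


def first_seen(flaw):
    """Parse date_first_occurrence. Accepts a timestamp with a zone name and a
    bare ISO date; anything else is rejected rather than silently guessed."""
    raw = flaw["date_first_occurrence"].strip()
    for fmt in ("%Y-%m-%d %H:%M:%S %Z", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date_first_occurrence: {raw!r}")


def flaw_age_days(flaw, as_of):
    """Days since the flaw was first reported, as of the given date."""
    return (as_of - first_seen(flaw)).days


def decode_cia(cia):
    """Expand a three-letter cia_impact such as "ppp" into named C/I/A impacts."""
    cia = cia.strip().lower()
    if len(cia) != 3 or any(ch not in CIA_VALUES for ch in cia):
        raise ValueError(f"malformed cia_impact: {cia!r}")
    return dict(zip(("confidentiality", "integrity", "availability"),
                    (CIA_VALUES[ch] for ch in cia)))


def aging_summary(xml_text, as_of_iso):
    """Open/fixed counts, age of the oldest open flaw, and open flaws older
    than 90 days (a common remediation-SLA threshold), as of an ISO date."""
    as_of = date.fromisoformat(as_of_iso)
    flaws = parse_flaws(xml_text)
    opened = open_flaws(flaws)
    ages = {f["issueid"]: flaw_age_days(f, as_of) for f in opened}
    return {
        "open": len(opened),
        "fixed": len(flaws) - len(opened),
        "oldest_open_days": max(ages.values(), default=0),
        "over_90_days": sorted(i for i, a in ages.items() if a > 90),
    }


if __name__ == "__main__":
    print(aging_summary(SAMPLE_XML, "2024-05-01"))
    for f in open_flaws(parse_flaws(SAMPLE_XML)):
        print(f["issueid"], f["cweid"], decode_cia(f["cia_impact"]))
```

To run it against a real export, replace SAMPLE_XML with the contents of the XML document from the downloaded ZIP; the XSD shipped alongside it is the authority on element names if the structure differs from the constructed sample.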
Download the Assessment Summary Report
For Static Analysis scans, the Assessment Summary Report shows how many modules were included, how many call sites were in the modules, and how many of those call sites are vulnerable.
The summary lists statistics on the number of call sites scanned for each flaw category. You can use this information to gain confidence in the completeness of the results for high-quality applications where the majority of High and Very High-severity flaws are already remediated. A call site is the area in the code that Veracode scans for dangerous flaws to determine which call sites are vulnerable to various flaw categories. There may be more call sites for each subcategory than there are unique call sites because Veracode analyzes each call site for the CWEs in every subcategory.
To complete this task:
- In the Veracode Platform, go to the Results:Latest page for the application.
- In the left navigation menu, select View Report.
- On the Executive Summary tab, scroll down and select Assessment Summary. The assessment summary opens in a new window.
The statistics are divided by CWE category, indicating what type of vulnerabilities you have.
Share reports with vendors
Vendors who want to share scan results can generate reports for enterprise organizations. To enable the sharing of Veracode reports, contact Veracode Technical Support.
As a vendor, as soon as scan results are available, you can send a copy of the results to an organization of your choice.
- In the Veracode Platform, from the left navigation menu of the application page, select Results.
- To share the results of the latest scans of each scan type, select Share in the top right to open the Share this Report window. If Share is disabled, contact Veracode Technical Support to establish the relationship between you and the enterprise organization.
- Select the enterprise organization with whom you want to share the report. This dropdown list is based on vendor relationships you have with other organizations. To add more organizations to this list, contact Veracode Technical Support.
- Select the policy against which you want to calculate the results of the report. The policy details appear, showing you the description, rules, and scan requirement of the policy.
- Select Save and Continue.
The generated report is listed in the Shared Reports page, which you access from the left navigation menu. At a glance you can see which reports you generated and when. The color of the shield icon in the Generated For column indicates whether the policy compliance is a pass (green), conditional pass (orange), or fail (red).
When you are ready to send the generated report to the selected organization, select Share Now. You receive a prompt to confirm that you are ready to share.
Sharing sends only the Summary Report and, if you subscribe to Veracode Software Composition Analysis (SCA) for examining the components that comprise an application, the SCA Report. The Detailed Report is for your information only and is never shared.
To access shared reports for any application, select the application name on the Applications page or the report name on the Shared Reports page. Only the vendor who owns the application and the security lead, executive, and reviewer members of the enterprise team can access a vendor's shared reports.
To unshare a report you have already shared with an organization, select Undo to revoke the shared action. When prompted to confirm your choice, select Yes.
The report is no longer available to view or download by the enterprise recipient.