Accessing Veracode reports
From the Results page, you can view the Veracode and PCI Compliance reports to gain insights into your application security program activity and a better understanding of the business risk of vulnerabilities in your application. In addition, you can download reports, bookmark reports, share results, and schedule a consultation.
Select Veracode Report or PCI Compliance Report to open these reports. The Veracode Report summarizes the security flaws identified during this scan, how the application fared against the associated policy controls, and outlines the Veracode recommendations. The Veracode Report contains the same information as the Detailed Report that you can download from the Results page.
The PCI Compliance Report provides guidance on how to fix the discovered flaws to achieve Payment Card Industry (PCI) compliance and how the application fared against the PCI policy.
The Customizable Report is the only Veracode report that includes Veracode Software Composition Analysis data.
From the Results page you can use the buttons to:
Download Reports
Select this button to drop down the menu of reports you can download. You can download any of these report types:
- Customizable Report
- Detailed Veracode Report
- Summary Veracode Report
- Veracode PCI 3.2 Report
- Detailed XML Report
You can bookmark this results page, enabling you to come back to it later.
If you have a vendor-enterprise relationship with other organizations, you can share scan results using this button.
If you want to receive assistance in interpreting your scan results, select this button to request a consultation call with Veracode.
Summarized results
The Summarized Results section of the Results page in the Veracode Platform provides an excellent overview of all the flaws by severity and status, as well as a summary of the top risks and how your metrics data is trending.
At a glance, you can see the number and types of flaws the application currently contains.
The Open Flaw Severities section shows open flaws characterized by potential impact to confidentiality, integrity, and availability of the application as defined in the CVSS.
For a description of the different severity levels, see Veracode finding severities.
The Remediation Status section shows the number of flaws found in an application, characterized by remediation status.
The Trend Data section shows the history of the scans and their scores over time. You can hover over data points on the chart to view the name, date, and score of each scan.
Reviewing the assessment summary
The assessment summary report shows how many modules were included in the Static Analysis, how many call sites were in the modules, and how many of those call sites are vulnerable.
The summary lists the statistics on the number of call sites scanned for each flaw category. You can use this information to gain confidence in the completeness of the results in high-quality applications where the majority of high and very-high flaws are already remediated. A call site is a location in the code that Veracode inspects for dangerous behavior in order to determine whether it is vulnerable to the various flaw categories. Because Veracode evaluates each call site against the CWEs in every subcategory, the number of call sites reported per subcategory can exceed the number of unique call sites.
To complete this task:
- In the Veracode Platform, go to the Results: Latest page of the application.
- In the left navigation menu, select View Report.
- In the Executive Summary section, select Assessment Summary.
The assessment summary opens in a new window.
The statistics are divided by CWE category, indicating what type of vulnerabilities you have.
Understanding the Customizable Report
The Customizable Report summarizes the security findings identified during the most recent policy scan, the application policy status, and recommendations to fix the findings.
You can download the Customizable Report from the Results page. It contains these sections:
Executive Summary
The Executive Summary section is a high-level description of your findings and policy status. It provides scan details such as the number of findings, the policy rules, the most frequently found CWEs, and the Security Quality Score. If you include Veracode Software Composition Analysis findings, it also provides a summary of SCA findings and third-party component license risk.
Policy Evaluation
The Policy Evaluation is a summary of your policy compliance. It provides the description and status of your policy, as well as the rules, scan requirements, and Security Quality Score for the latest scan.
Static Scan Details
The Static Scan Details section describes the scope of the scan, listing the application modules included in and excluded from the scan.
Changes from Last Scan
The Changes from Last Scan section describes changes in scope from the prior scan, listing all modules that changed since the previous scan.
Findings and Recommendations
The Findings and Recommendations section provides a list of findings by severity, in addition to descriptions and remediation advice for the findings. You can also view a list of Software Composition Analysis (SCA) findings by component with license risk details.
Approved, Proposed, and Rejected Mitigations
The Approved Mitigations, Proposed Mitigations, and Rejected Mitigations sections provide the mitigation history for findings in a specific mitigation status. It also provides the exploitability and location of each mitigated finding. For Veracode SCA, the report lists mitigations for vulnerabilities and licenses separately.
Veracode's Methodology
The Veracode's Methodology section provides a detailed explanation of several components of Veracode results, such as application security policies, the Veracode rating system, and manual assessments.
Download a Customizable Report
You can customize the PDF document of the application security findings in your latest policy scan to include only the contents that you need.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Find an application with scan results and select Results.
- Select Download > Customizable Report.
- Under Report Selections, select which sections you want to include in the report. All sections are selected by default. If you clear a checkbox for a section with subsections, it also clears the checkboxes for the subsections.
- Select Download. Your customized report is downloaded to your browser.
Download a Summary Report
You can download a Summary Report to share summary information about the security quality of your application without sharing the details of the discovered findings.
The Summary Report includes the application rating and security quality score. It also provides a summary of the number and types of findings that Veracode discovered during scanning. You can share this information with anyone without exposing the details of potentially exploitable findings.
The Summary Report provides a general summary of the overall security of the application while the Detailed Report provides a detailed list of findings, their location, and remediation guidance.
You can also get a Summary Report with the Summary Report REST API.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Find an application with scan results and select Results.
- Select Download > Summary Report.
- Select Download to download the report.
Download the Detailed Veracode Report
You can generate a report of your application security findings to share vulnerability statistics of applications and websites with your stakeholders.
Before you begin:
You have the Executive, Reviewer, or Security Lead role.
The Detailed Veracode Report provides insights into your application security program activity and a better understanding of the business risk of vulnerabilities in your application. The Detailed Veracode Report contains the same information available in the Customizable Report, but without the ability to choose which sections to include in the report.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Find an application with scan results and select Results.
- Select Download.
- Select Detailed Veracode Report (PDF) and select Download. The report downloads to your computer for you to review and share with your stakeholders.
Download the PCI Report
Some applications may be subject to Payment Card Industry (PCI) criteria such as PCI-DSS and PA-DSS. Veracode provides the ability to evaluate any application against the PCI standards via the PCI report.
Veracode provides support for testing applications under the scope of PCI-DSS Version 3.2.1, sections 6.1, 6.3.2, 6.5, 6.6, and 11.3.2 and PCI PA-DSS Version 3.2, sections 5.1.4, 5.2, 7.1.1, 7.1.2, and 7.1.3. Veracode implements the guidance provided in these sections in the PCI 3.2.1 standard, which recommends evaluating applications against the OWASP Top 10, CWE Top 25, CERT Secure Coding, and other standards, and which expressly requires that an application be free of High or Very High-severity flaws. You can view the details of how an application is evaluated against these standards in the Policy section of the PCI Report.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Select View in the Results column of the Applications list to open the results page for your application.
- Select PCI Compliance Report at the top of the page. The Veracode Platform opens the PCI Report view.
- To download a PDF copy of the report, select the download icon at the top-right of the page.
- Select Veracode PCI 3.2.1 Report (PDF) from the Download Report window and, if necessary, select the scan type to include in the report.
- Select Download.
Sharing reports from the Veracode Platform
Vendors who want to share scan results can generate reports for enterprise organizations. To enable the sharing of Veracode reports, contact Veracode Technical Support.
As a vendor, as soon as scan results are available, you can send a copy of the results to an organization of your choice.
- In the Veracode Platform, from the left navigation menu of the application page, select Results.
- To share the results of the latest scans of each scan type, select Share in the top right to open the Share this Report window. If this icon is disabled, contact Veracode Technical Support to establish the relationship between you and the enterprise organization.
- Select the enterprise organization with whom you want to share the report. This dropdown list is based on vendor relationships you have with other organizations. To add more organizations to this list, contact Veracode Technical Support.
- Select the policy against which you want to calculate the results of the report. The policy details appear, showing you the description, rules, and scan requirement of the policy.
- Select Save and Continue.
The generated report is listed in the Shared Reports page, which you access from the left navigation menu. At a glance you can see which reports you generated and when. The color of the shield icon in the Generated For column indicates whether the policy compliance is a pass (green), conditional pass (orange), or fail (red).
When you are ready to send the generated report to the selected organization, select Share Now. You receive a prompt to confirm that you are ready to share.
Only the Summary Report is shared, together with the SCA Report if you have subscribed to the Software Composition Analysis (SCA) feature that Veracode offers for examining the components that comprise a software application. The Detailed Report is for your information only and is not shared.
To access shared reports for any application, select the application name on the Applications page or the report name on the Shared Reports page. Only the vendor who owns the application and the security lead, executive, and reviewer members of the enterprise team can access a vendor's shared reports.
To unshare a report you have already shared with an organization, select Undo to revoke the shared action. When prompted to confirm your choice, select Yes.
The report is no longer available to view or download by the enterprise recipient.
Download an XML report
Veracode exports, in XML format, detailed information about an application, including some application profile data, information about scans performed, Software Composition Analysis (SCA) data if available, and a list of open and fixed flaws. You can download this information from the Results page. The format for the download is the same as that provided by the Results API.
To complete this task:
- In the Veracode Platform, select My Portfolio > Applications.
- Find an application with scan results and select Results.
- Select Download > XML Report.
- Select Download. The report is downloaded to your browser. Veracode provides the report as a ZIP file that contains the XML document and the associated XSD XML schema for using the XML information in another application.
About the XML report
The XML export contains some data that is provided for automated consumption of flaw results, including remediation status and date first found.
The Detailed Results XML file for an application that contains more than one scan can contain information about both new and fixed flaws. The report states the line where each flaw is located, the number of lines of code (LOC) in a module, and also maps the flaws to the CWE, OWASP, and CERT industry standard lists of vulnerabilities.
Flaws that have been fixed can be filtered out by using the XML attribute remediation_status:
<flaw ... remediation_status="fixed" ... >
Flaws may not show as fixed if there were large changes in the upload or if another scan, which might have run in a development sandbox, already detected a flaw as fixed. If a flaw no longer appears in the scan results, you can consider it closed.
The date_first_occurrence attribute of the flaw contains the date on which the first report referencing this flaw was published. You can use this date to compute statistics about flaw aging.
The cia_impact attribute contains information about the Veracode assessment of the confidentiality, integrity, and availability impact of the flaw if it is exploited. Veracode uses this information, part of the CVSS standard, to compute the severity for the flaw. The value is presented as three letters, where the first letter is the confidentiality, the second is integrity, and the third is availability. Possible values for each letter are c for Complete, p for Partial, or n for None.
The policy_compliance_status attribute contains information about the Veracode policy evaluation for sandbox scan results. Each finding for a sandbox scan includes the policy impact under the BLANK attribute, which allows you to inspect the sandbox findings that impact policy. A sandbox scan does not take into account the activity-based policy rules, such as scan types and scan frequency. Sandbox scans do not count towards the rule of scan frequency. In a sandbox, only the findings are assessed for policy implications.