About C/C++ SCA Agent-Based Scanning

Veracode Software Composition Analysis

You can find vulnerabilities in your C/C++ applications using Veracode Software Composition Analysis agent-based scanning. You can run a scan on C/C++ repositories using the agent-based scanning command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis, see Packaging C/C++ Applications on Linux and Solaris or Packaging C/C++ Applications on Windows.

Veracode SCA agent-based scanning support for native Linux C/C++ libraries is limited to scans of projects compiled with the Make build tool that you complete with the Linux CLI agent or a CI integration. If you use Windows or MacOS, you must have Docker installed to enable container scanning.

Agent-based scans can identify additional C/C++ libraries if they appear in supported package managers. See the list of native Linux C/C++ libraries and vulnerabilities that Veracode SCA monitors.

General Requirements

Scanning a repository that uses C/C++ libraries requires you to assemble the project dependencies within the environment in which you scan the project. Your environment must:

  • Meet the requirements for using the Veracode SCA agent
  • Have SO files present in the C/C++ repository
  • If using Windows or MacOS, have Docker installed.

Makefile Requirements

Your project must include a makefile that has:
  • One of these filenames: GNUmakefile, makefile, or Makefile. Veracode SCA searches for these filenames, in this listed order, and identifies the first one it finds to be the project makefile.
  • One of these strings: gcc, g++, clang, CMAKE, or CMake.
  • A clean target. Veracode SCA uses the clean target to collect findings. To configure a custom clean target for agent-based scanning, add this argument to your project as an environment variable:
    SRCCLR_MAKE_CLEAN_TARGET='<custom_clean_target_name>'
  • A first target. Veracode SCA uses the first target to build the project and to rebuild the project after it collects findings. To configure a custom first target for agent-based scanning, add this argument to your project as an environment variable:
    SRCCLR_MAKE_BUILD_TARGET='<custom_build_target_name>'

You also have the option to save the output of the makefile to your Veracode SCA agent, instead of rebuilding the project. To save the output file to the agent, add this argument to your project as an environment variable:

SRCCLR_MAKE_OUTPUT_FILE='<custom_output_filepath>'

Running a Scan

You can use agent-based scanning to scan any code repository to which you have access and fulfills the above requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/srcclr/example-cpp-makefile
Note: You can also use the --url argument with the CLI agent to scan code repositories hosted in Git.

After you clone the code to your desktop, point the Veracode SCA CLI agent to the directory of the repository and scan:

srcclr scan path/to/<project_folder>

To view more verbose output during the scan process, you can add the --loud argument:

srcclr scan path/to/<project_folder> --loud

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Viewing Scan Results

After completing a scan, the bottom of the output in your terminal includes a URL for the Veracode Platform where you can view the scan results in more detail:

Licenses
    Unique Library Licenses              3
    Libraries Using GPL                  0
    Libraries With No License            1
    
    Full Report Details                  https://sca.analysiscenter.veracode.com/teams/abzs0qx/scans/22679557
Veracode SCA displays the scan results in the following categories:
Issues
Includes out-of-date libraries, license violations, and vulnerabilities associated with a specific version of a library within a repository.
Vulnerabilities
Represents the set of unique vulnerabilities across a project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability only appears once in this list.
Libraries
Includes each open source library Veracode SCA has identified within a code project.
Licenses
Displays the software license information associated with each open-source library in use.

Fixing Vulnerability Issues

After viewing the scan results, you can access the instructions for fixing vulnerability issues in the SCA Vulnerability Database.

Fixing a Direct Vulnerability

When your configuration file references a library, Veracode SCA considers the library a direct dependency. You can identify the vulnerabilities in direct dependencies from the Vulnerability issues list on the Issues page of your workspace. From this list, click the issue ID for details about the vulnerability, including instructions for fixing it. Usually, the best way to fix a vulnerability in a direct dependency is to update the version in use to the version that Veracode SCA recommends. Some libraries include vulnerabilities that are not yet fixed. Therefore, the agent-based scan cannot always provide reliable update versions. In these cases, Veracode recommends you either create a pull request to the unfixed library or use a different library in your code.

Validating a Fixed Vulnerability

Before committing your code changes, you can run an agent-based scan with the --allow-dirty flag to validate a fix you made to your repository. This flag ignores uncommitted changes in your code:

srcclr scan /path/to/<project_folder> --allow-dirty

When you verify that the vulnerability no longer appears in the scan output, you have fixed the vulnerability and you can commit your code.