Issues Overview

Veracode Software Composition Analysis

Issues are the essential components of Veracode Software Composition Analysis agent-based scanning. They allow you to track and take action on vulnerabilities, out-of-date libraries, and software licensing concerns for open-source libraries in a specific software project.

Each issue is unique to the combination of a specific project, a library, and that library's version. For example, the screenshot below corresponds to an issue within the srcclr/test-java-maven project for version 3.2.0.RELEASE of the spring-security-web library:

If the library is updated to a different version that is also affected by the same vulnerability, Veracode SCA creates a new issue that references the new version. The new issue automatically replaces the old one because the older version is no longer in use. For example, in the screenshot below, the Issue ID differs from the one in the screenshot above because version 3.2.1.RELEASE of spring-security-web is now in use:

View Issue Details

Because each issue relates to exactly one library and version, the details of an issue point directly at what needs to be fixed.

You can also perform this task with the SCA Agent REST API.

To view the details of an issue:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Click the Agent-Based Scan tab.
  3. Select the workspace for which you want to view issues.
  4. If you want to view issues for an individual project, click Projects and select a project.
  5. In the list of issues, select the Issue ID link of the issue for which you want to see details.

    You are presented with the details of the issue, which can include fix information for vulnerable libraries, license details for license violations, and update information for out-of-date libraries.

Perform Action on Issues

Issues can be tracked in your issue tracking systems, such as GitHub Issues or Jira. If you determine that an issue is irrelevant or unimportant, you can ignore it so that subsequent scans do not display it, even though the library still exists in your repository.

To take action on an issue:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Click the Agent-Based Scan tab.
  3. Select a workspace.
  4. If you want to view issues for an individual project, click Projects and select a project.

    You see a list of issues, which you can filter by specifying an issue type, severity, issue status, or various other attributes using the checkboxes at the top of the issue list.

  5. To take action, select the checkbox next to the issue and click the green Actions button.
  6. You can now either ignore the issue, which prevents it from appearing in subsequent scans, or select an issue tracker that you have integrated with Veracode SCA to send the issue data to it.

What Are Vulnerabilities?

Vulnerabilities represent the set of security concerns across a project or workspace. Unlike issues of type Vulnerability, which are created per project, Veracode SCA counts each vulnerability only once within a workspace, even if the same library and its vulnerabilities exist in multiple projects. Also, you cannot ignore vulnerabilities, so the number of vulnerabilities can be greater than the number of issues of type Vulnerability.
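The counting rules described here and in the issue-replacement example above are easy to get wrong when reconciling exported data. The following is an added illustration, not Veracode code: it models issues as the page describes them (one per project, library and version; superseded when the version in use changes; ignorable) and derives the workspace vulnerability set from them. The field names, the IN_USE map and the VULN-* keys are constructed placeholders, not the SCA Agent REST API schema or real vulnerability identifiers.

```python
from dataclasses import dataclass

# Constructed sample records modelled on the page's description of agent-based
# scan results; field names are placeholders, not the SCA Agent REST API schema.
@dataclass(frozen=True)
class Issue:
    issue_id: int
    project: str
    library: str
    version: str
    issue_type: str     # "vulnerability", "outdated_library" or "license"
    vuln_id: str = ""   # placeholder key, set only for issue_type == "vulnerability"
    ignored: bool = False

# Version of each library currently in use per project (constructed).
IN_USE = {
    ("test-java-maven", "spring-security-web"): "3.2.1.RELEASE",
    ("other-service", "spring-security-web"): "3.2.0.RELEASE",
    ("other-service", "commons-io"): "2.6",
}

ISSUES = [
    Issue(101, "test-java-maven", "spring-security-web", "3.2.0.RELEASE", "vulnerability", "VULN-A"),
    Issue(102, "test-java-maven", "spring-security-web", "3.2.1.RELEASE", "vulnerability", "VULN-A"),
    Issue(103, "test-java-maven", "spring-security-web", "3.2.1.RELEASE", "vulnerability", "VULN-B"),
    Issue(104, "other-service", "spring-security-web", "3.2.0.RELEASE", "vulnerability", "VULN-A", ignored=True),
    Issue(105, "other-service", "spring-security-web", "3.2.0.RELEASE", "vulnerability", "VULN-C", ignored=True),
    Issue(106, "other-service", "commons-io", "2.6", "outdated_library"),
]

def active_issues(issues, in_use):
    """Issues whose library version is still in use. An issue for a superseded
    version (101 above) has been replaced by the one for the newer version (102)."""
    return [i for i in issues if in_use.get((i.project, i.library)) == i.version]

def open_vulnerability_issues(issues, in_use, project=None):
    """Issues of type Vulnerability that are active and not ignored. They are
    per project, so the same flaw in two projects yields two issues."""
    return [i for i in active_issues(issues, in_use)
            if i.issue_type == "vulnerability" and not i.ignored
            and (project is None or i.project == project)]

def workspace_vulnerabilities(issues, in_use):
    """Distinct vulnerabilities across the workspace: each counted once even
    when found in several projects, and ignoring an issue does not remove it."""
    return {i.vuln_id for i in active_issues(issues, in_use)
            if i.issue_type == "vulnerability"}
```

With this data the workspace shows three vulnerabilities but only two open issues of type Vulnerability, because VULN-A is counted once despite two projects, and the ignored issues in other-service still contribute their vulnerabilities.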

View Vulnerability Details

Viewing vulnerability details lets you see information about a specific vulnerability across all library versions in which the agent-based scan has found it.

To view vulnerability details:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Click the Agent-Based Scan tab.
  3. Select a workspace.
  4. If you want to view vulnerabilities for an individual project, click Projects and select a project.
  5. Select the Vulnerabilities tab.
  6. In the list of vulnerabilities, select the Vulnerability link for the vulnerability you want to examine:

    Clicking this link takes you to the Veracode Vulnerability Database where you can view the vulnerability details in the left navigation menu.