About .NET SCA Agent-Based Scanning

Veracode Software Composition Analysis

You can find vulnerabilities in your .NET repositories using Veracode Software Composition Analysis agent-based scanning. You can run a scan on .NET repositories using the agent-based scanning command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis and Veracode SCA upload scans, see Packaging .NET Applications.

Requirements

Scanning a repository that uses .NET and one of its build or package managers requires the ability to assemble the project dependencies within the environment in which you scan the project. This includes the following requirements based on the various package managers:

.NET Requirements

  • Meet the requirements for the Veracode SCA agent.
  • Have .NET, NuGet CLI, or MSBuild installed.
  • Have CSPROJ, FSPROJ, or VBPROJ files present in the repository.
  • Use the PackageReference format to declare NuGet dependencies in PROJ files.
  • If project.assets.json files do not exist in the project directory tree, you must be able to run the nuget restore <path>, dotnet restore <path>, or msbuild /restore:true <path> command, where <path> is an absolute or relative path to an SLN or a PROJ file, from the project root.

Running a Scan

You can use Veracode SCA agent-based scanning to scan any code repository to which you have access and that fulfills the above requirements. To demonstrate how to run a scan, you can clone one of the Veracode SCA public repositories:

git clone https://github.com/srcclr/example-dotnet

Note: You can also scan code repositories hosted on Git by using the --url argument with the CLI agent (see the documentation for usage), but for the purposes of this guide it is assumed you have the code stored locally.

Once the code has been cloned to your desktop, point the Veracode SCA CLI agent at the directory of the repository and scan:

# Replace "example-dotnet" with your project folder name
srcclr scan path/to/example-dotnet

To view more verbose output during the scan process, you can add the --loud argument:

srcclr scan path/to/example-dotnet --loud

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. The command used varies depending on the build or package manager. When the agent evaluates the open-source libraries in use, a summary of the scan results is produced that includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Configuring Scans

By adding a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your .NET code. These scan directives are specific to .NET projects:

skip_dotnet_restore
Boolean value that skips the restore step for NuGet packages in MSBuild during the scan.
use_dotnet_exec
String value that specifies the .NET toolchain for the Veracode SCA agent to use.
custom_dotnet_exec
String value that specifies the full path to a custom .NET CLI executable.
custom_msbuild_exec
String value that specifies the full path to a custom MSBuild CLI executable.
custom_nuget_exec
String value that specifies the full path to a custom NuGet CLI executable.
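To tie the requirements listed earlier to the scan directives above, here is an added pre-flight script (example code, not Veracode's and not part of the srcclr agent). It checks that every CSPROJ, FSPROJ or VBPROJ file uses the PackageReference format, checks whether each project already has obj/project.assets.json beside it, runs dotnet restore only when an assets file is missing, and writes a srcclr.yml whose skip_dotnet_restore value reflects what it found. The repository-root argument and the DOTNET_EXEC environment variable are conventions of this example, not of the agent.

```shell
#!/bin/sh
# Added example, not part of the Veracode SCA agent: pre-flight checks for the
# .NET requirements, followed by a generated srcclr.yml.
# Assumptions: $1 is the repository root; DOTNET_EXEC (a name chosen for this
# example) optionally holds the full path of a custom dotnet executable.

# List every CSPROJ/FSPROJ/VBPROJ file under the given root.
list_projects() {
    find "$1" -type f \( -name '*.csproj' -o -name '*.fsproj' -o -name '*.vbproj' \)
}

# Succeed when the project file declares NuGet dependencies with the
# PackageReference format (the legacy packages.config style is not supported).
uses_package_reference() {
    grep -q '<PackageReference' "$1"
}

# Succeed when at least one project file exists and all of them use
# PackageReference; report each offending file on stderr.
check_requirements() {
    root=$1
    if [ -z "$(list_projects "$root")" ]; then
        echo "no CSPROJ, FSPROJ or VBPROJ files under $root" >&2
        return 1
    fi
    # The while loop runs in a subshell, so its exit status is the pipeline's.
    list_projects "$root" | while IFS= read -r proj; do
        if ! uses_package_reference "$proj"; then
            echo "$proj does not use the PackageReference format" >&2
            exit 1
        fi
    done
}

# Succeed when every project already has obj/project.assets.json beside it,
# i.e. when the agent can skip the NuGet restore step.
all_assets_present() {
    list_projects "$1" | while IFS= read -r proj; do
        [ -f "$(dirname "$proj")/obj/project.assets.json" ] || exit 1
    done
}

# Run "dotnet restore <path>" per project only when an assets file is missing.
restore_if_needed() {
    all_assets_present "$1" && return 0
    command -v dotnet >/dev/null 2>&1 || { echo "dotnet is not installed" >&2; return 1; }
    list_projects "$1" | while IFS= read -r proj; do
        dotnet restore "$proj" || exit 1
    done
}

# Write srcclr.yml in the root: skip the restore when the assets files are
# already there, and point the agent at a custom dotnet if one was given.
write_srcclr_yml() {
    root=$1
    out="$root/srcclr.yml"
    if all_assets_present "$root"; then
        echo "skip_dotnet_restore: true" > "$out"
    else
        echo "skip_dotnet_restore: false" > "$out"
    fi
    [ -n "$DOTNET_EXEC" ] && echo "custom_dotnet_exec: $DOTNET_EXEC" >> "$out"
    echo "$out"
}

# Usage: sh preflight.sh /path/to/example-dotnet
if [ -n "$1" ]; then
    check_requirements "$1" && write_srcclr_yml "$1"
fi
```

Setting skip_dotnet_restore to true only when every assets file is present is the point of the script: a restore during the scan needs network access to the NuGet feeds, so a CI job that has already restored (or that commits restored output) avoids a second, possibly differently resolved, dependency graph.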

Viewing Scan Results

After completing a scan, the bottom of the output in your terminal includes a link to the Veracode Platform to view the scan results in more detail:

Licenses
Unique Library Licenses              3
Libraries Using GPL                  0
Libraries With No License            1

Full Report Details                  https://sca.analysiscenter.veracode.com/teams/abzs0qx/scans/22679557

Navigating to this link allows you to view the results of your scan in its entirety.

The scan results are broken down into the following categories:

  • Issues - This category includes out-of-date libraries, license violations, and vulnerabilities uniquely associated with a specific version of a library within a specific repository.
  • Vulnerabilities - This list represents the set of unique vulnerabilities across a specific project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability appears only once in this list.
  • Libraries - Each open-source library that Veracode SCA has identified within a code project.
  • Licenses - The software license information associated with each open-source library in use.

You can find more details on these categories in the Issues, Vulnerabilities, Libraries, and Licenses overview.

Fixing Vulnerability Issues

After viewing the scan results, you can access the clear instructions for fixing vulnerability issues that Veracode SCA provides through the web interface.

Fixing a Direct Vulnerability

When a library is specifically referenced in your configuration file, Veracode SCA refers to the library as a direct dependency. Fixing a vulnerability in a direct dependency using agent-based scanning is simple. Using the open-source project mentioned in Running a Scan, navigate to the project scan results within the Veracode Platform and filter the issues down to vulnerabilities found in direct libraries only.

After filtering the scan results, you can drill into an issue to find out how to fix it by clicking the issue ID next to the vulnerability name. Clicking the ID brings you to the issue details page, where you will find information on fixing the vulnerability. In general, the best way to fix a vulnerability in a direct dependency is to update the version in use to the version recommended by Veracode SCA. The agent-based scan recommends a version that is not associated with the vulnerability you are subject to, and also not with any other vulnerabilities that switching to a different version might introduce. To keep the update from having a significant impact on your code, the recommended version is the one closest to your current version that is not associated with other vulnerabilities.

Note: Some libraries include vulnerabilities that have not yet been fixed, so Veracode SCA cannot provide a version to update to. In these cases, Veracode recommends that you either create a pull request to the unfixed library or use a different library in your code.

Validating a Fixed Vulnerability

You can validate a fix before committing it by running an agent-based scan with the --allow-dirty option, which lets the agent proceed despite uncommitted changes in your working tree:

srcclr scan /path/to/example-dotnet --allow-dirty

When you verify that the vulnerability no longer appears in the scan output, you have fixed the vulnerability and you can proceed to commit your code.
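The two steps described above, updating a direct dependency to the recommended version and rescanning the uncommitted change with --allow-dirty, as an added shell example (not Veracode's code). It edits the Version attribute of a PackageReference in a project file with sed, which assumes the common one-line `<PackageReference Include="..." Version="..." />` form; the package names, versions and file names in the usage line are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of Veracode SCA: bump a direct dependency in a
# project file to the version the scan recommends, then rescan before committing.
# Assumes the one-line form <PackageReference Include="Pkg" Version="x.y.z" />;
# a Version child element or central package management is not handled here.

# Escape the dots in a package name so they match literally in a sed pattern.
escape_pkg() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the version currently pinned for a package in the given project file.
get_package_version() {
    proj=$1
    pkg=$(escape_pkg "$2")
    sed -n "s|.*<PackageReference Include=\"$pkg\" Version=\"\([^\"]*\)\".*|\1|p" "$proj"
}

# Rewrite the pinned version in place (via a temp file, which works with both
# GNU and BSD sed). Fails if the package is not referenced in that file.
bump_package_version() {
    proj=$1
    name=$2
    pkg=$(escape_pkg "$name")
    ver=$3
    [ -n "$(get_package_version "$proj" "$name")" ] || { echo "$name is not referenced in $proj" >&2; return 1; }
    sed "s|<PackageReference Include=\"$pkg\" Version=\"[^\"]*\"|<PackageReference Include=\"$name\" Version=\"$ver\"|" \
        "$proj" > "$proj.tmp" && mv "$proj.tmp" "$proj"
}

# Rescan the working tree without committing, as described under
# Validating a Fixed Vulnerability.
rescan_uncommitted() {
    command -v srcclr >/dev/null 2>&1 || { echo "srcclr agent is not installed" >&2; return 1; }
    srcclr scan "$1" --allow-dirty
}

# Usage: sh fix.sh /path/to/example-dotnet App/App.csproj Example.Package 1.2.3
if [ $# -eq 4 ]; then
    bump_package_version "$1/$2" "$3" "$4" && rescan_uncommitted "$1"
fi
```

In a checkout where the .NET SDK is available, `dotnet add <project> package <name> --version <version>` performs the same edit and refreshes obj/project.assets.json in one step; the sed-based function above is there so the procedure can be read and tried without the SDK. Either way, the rescan with --allow-dirty is what confirms the issue is gone before the change is committed.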