
Custom rules for agent-based scanning

note

If your organization has activated the Unified Policy feature, which replaces agent rules, you can create a custom policy that uses agent-based scan rules, and assign it to a workspace or set it as the default policy for all workspaces. For example, you can copy the Veracode Recommended SCA Very High policy and edit it to create a new SCA policy.

Custom rules help you take greater control of your software delivery workflow.

Rules are sets of controls to which your codebase must adhere. Veracode Software Composition Analysis (SCA) agent-based scanning includes default rules, which are hard-coded and applied to all workspaces.

The custom rules feature in agent-based scanning exposes the controls that the rules engine uses. It allows you to edit these controls per workspace and decide what actions to take when projects violate controls, ensuring that no software ships unless it meets your security requirements.

When projects violate a control, you can choose to create an issue to track a problem, break the build, or both. Set your own severity for different kinds of control violations. Veracode uses this severity for agent-based scanning issues and as the exit code when a build breaks. You cannot create custom rules for a workspace if your organization enforces organization rules.

At scan time, the scanner identifies open-source libraries in your code and any transitive library dependencies, generates a dependency graph and a call graph, and then sends the results of the scan to the Veracode Platform. Veracode checks the scan results against each control in the rule. If a control fails, the specified action for that control is triggered, and the highest severity of the violated controls returns as the exit code.

Structure of the controls

There is one rule for each Veracode Software Composition Analysis (SCA) agent-based scanning workspace. Every project in a workspace inherits the workspace rules.

Each rule consists of one or more controls. A control checks if the project meets specific parameters.

Each control has this structure:

  • Properties
    • Control Name
    • Severity
    • Level
  • Condition
    • Matcher
    • Descriptor
      • Parameters for vulnerability descriptors
        • Severity
          • Check for a vulnerability of high, medium, or low risk. The risk level of a vulnerability is determined by its CVSS score. Veracode SCA supports vulnerability severities based on either CVSS v2 or CVSS v3 scores.
        • Vulnerable Method
        • Override Control Severity with CVSS Score
      • Parameters for license descriptor
        • Kind
          • Check for specific licenses by name or select a risk rating.
        • Including
          • If you select License by name, select the licenses to include in the rule.
        • Excluding
          • If you select a risk rating, select the licenses to exclude from the rule.
  • Action
    • Create Issue

Properties of the controls

The properties of a control are basic fields that identify a control and its severity.

  • Control Name: a string that helps you quickly identify the control.
  • Severity: a number from 0.1 (lowest) to 10.0 (highest) that lets you determine how serious a control violation is considered in this rule. If you choose to create an issue when a control is violated, the severity of the failed control defines the severity of the issue. Severities appear on lists of issues to make them easier to rank.
    • Severity is different from a vulnerability risk (CVSS) score. However, if you wish to use the CVSS score as the severity for vulnerability issues, you can set that option. See Descriptor.
  • Level: there are two levels
    • Error: A level of error means that a non-zero exit code is returned, which can be used (for example, by CI build scripts) to break a build. The exact value of the exit code depends on the severities of all controls that were violated. See the note below for details.
    • Warning: A level of warning returns an exit code of 0, which allows the build to continue.
    • To determine the exit code for a scan, run echo $? in the shell immediately after the scan command concludes. If 0 is returned, no control of level error was violated. If a number greater than 0 is returned, a control of level error was violated, and the number is the severity of the highest-severity violated control, rounded to the nearest integer.

Conditions of the controls

A control condition is a rule to enforce, such as library should not contain high-risk vulnerabilities.

A condition is made up of three parts:

  • Resource: the entity which is being inspected for certain conditions. Currently, Veracode SCA agent-based scanning can inspect libraries with four dependency relationships:
    • Any: a library which is either referenced in your configuration file or used by a direct dependency. Encompasses all your libraries.
    • Direct: a library which is specifically referenced in your configuration file.
    • Transitive: other libraries which are used by the direct dependencies.
    • Both: a library which is both referenced in your configuration file and used by a direct dependency.
  • Matcher: a comparison operator that defines how the resource is inspected. The values are should not contain and should be.
  • Descriptor: the descriptor and its parameters define the checks performed against the resource. The current descriptors available are vulnerability, license, and library.
    • Veracode SCA agent-based scanning can check that:
      • A library should not contain vulnerabilities with certain parameters. This check uses the should not contain matcher.
      • A library should not contain licenses with certain parameters. This check uses the should not contain matcher.
      • A library should be the latest version. This check uses the should be matcher.
    • Parameters for vulnerability descriptor
      • Severity: check for a vulnerability of high, medium, or low risk.
      • Vulnerable Method: check for vulnerabilities where vulnerable methods were or were not found.
      • Override Control Severity with CVSS Score: for vulnerability issues only, set the severity of the violated control to the CVSS score of that vulnerability instead of manually assigning a severity. See Properties of the control.
    • Parameters for license descriptor
      • Kind: check for specific licenses by name or check for licenses with a selected risk rating. You can exclude specific licenses by name from the risk rating parameter.

Actions of the controls

The action for a control defines what happens automatically when the condition evaluates to false.

If you select Create Issue, Veracode creates an issue when the condition is false and the control is violated at scan time.

note

Creating an issue from a rule does not automatically create issues in third-party applications. However, if you have an integration to Jira or GitHub set up for agent-based scanning, you can manually create a Jira or GitHub issue from a Veracode SCA issue in the Veracode Platform.

Create custom rules

Creating custom rules lets you define unique security requirements for your workspace.

Before you begin:

You must have the Security Lead, Workspace Administrator, or Workspace Editor role.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select the Agent-Based Scan tab.

  3. Either select a workspace to view workspace rules or select Agent-Based Scan Settings to view organization rules.

  4. Select Rules.

  5. Select the Custom Rules tab. A copy of the default rules appears.

  6. To open edit mode, select Edit.

  7. Make your adjustments, then select Save.

To define a control, see Structure of the controls and Add, remove, and rearrange controls.

Edit custom rules

You can edit custom rules if you want to change the security requirements for your workspace.

Before you begin:

You must have the Security Lead, Workspace Administrator, or Workspace Editor role.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select the Agent-Based Scan tab.

  3. Either select a workspace to view workspace rules or select Agent-Based Scan Settings to view organization rules.

  4. Select Rules. The currently applied custom rules appear.

  5. Select Edit. The controls change from view-only mode to edit mode. The details of each control are collapsed by default.

  6. Make your adjustments, then select Save. The custom rules are active for any future scans in the workspace.

To define a control, see Structure of the controls and Add, remove, and rearrange controls.

Add, remove, and rearrange controls

When a rule is in edit mode, you can add new controls, remove controls, and move controls up and down.

To add a new control, select the Add Control button below the last control row.

To remove a control, select the trash can icon at the far right.

To move controls up and down, use the up and down arrows next to the trash can icon.

The order of controls in a rule does not affect which issues are created, whether a build is broken, or the order in which controls are evaluated. Order the controls to visually group them in a way that is meaningful to you. The one exception: if you create two nearly identical controls that differ only by a property, such as a different severity rating, the control furthest down the list takes precedence.

Reset custom rules

You might want to update your custom rules by starting over from the default rules and making new customizations. Complete the following steps to discard any customizations, reset all controls to the default rules, and apply the changes immediately.

Before you begin:

You must have the Security Lead, Workspace Administrator, or Workspace Editor role.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select the Agent-Based Scan tab.
  3. To view workspace rules, select a workspace. To view organization rules, select Agent-Based Scan Settings.
  4. Select Rules. The currently applied custom rules appear.
  5. Select Edit.
  6. Select Veracode Defaults.
  7. Select Reset rules.

View rules

Before you begin:

You must have the Security Lead, Workspace Administrator, or Workspace Editor role.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select the Agent-Based Scan tab.
  3. Either select a workspace to view workspace rules or select Agent-Based Scan Settings to view organization rules.
  4. Select Rules.

Custom rule examples

This section provides some examples of custom rules you can apply to a workspace.

High-risk vulnerabilities with vulnerable methods

There should be no CVSS v2 high-risk vulnerabilities where vulnerable methods are found. If there are, assign a severity of 10, break the build, and create a Veracode SCA issue.

Medium-risk vulnerabilities without vulnerable methods

There should be no CVSS v3 medium-risk vulnerabilities where vulnerable methods are not found. If there are, use the CVSS score of the vulnerabilities as the control severity, do not break the build, but do create a Veracode SCA issue.

Allow low-risk vulnerabilities without vulnerable methods

If you do not want to track low-risk vulnerabilities where no vulnerable methods are found, you can delete any controls where Descriptor = vulnerability, Severity = low risk, and Vulnerable Method = no. The SCA scan will not create SCA issues for this kind of vulnerability.

Alternatively, you can clear the Create Issue checkbox in a control where Descriptor = vulnerability, Severity = low risk, and Vulnerable Method = no. You might prefer this method if you may want to create Veracode SCA issues for this control in the future.

High-risk licenses with exceptions

If your condition rejects libraries that contain high-risk licenses, you can select one or more specific high-risk licenses to allow. In this example, you allow one exception for Open Software License 1.0.

Out-of-date libraries

Ensure all direct libraries are up-to-date. For any out-of-date libraries, do not break the build, but do create a Veracode SCA issue with severity = 1.
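The following is an added example, not Veracode's code or a description of its rules engine. It is a small model of the control structure described in Structure of the controls and Conditions of the controls (resource, matcher, descriptor parameters, level, severity, action) together with the exit-code rule from Properties of the controls, and it encodes the five controls from this Custom rule examples section as data so you can see how each one fires. Everything not stated on the page is an assumption: the CVSS-to-risk bands (7.0 and above high, 4.0 and above medium), the levels and severities the examples do not specify, half-up rounding of the exit code, the field names, and the constructed libraries, vulnerability identifiers and license ratings.

```python
"""Toy model of a rule's controls evaluated against a scan result (added example,
not Veracode's code). CVSS bands, field names, half-up rounding and all sample
data are assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass
class Vuln:
    ref: str
    cvss: float
    vulnerable_method: bool   # True when a vulnerable method was found in the call graph


@dataclass
class License:
    name: str
    risk: str                 # "high" | "medium" | "low" (rating assumed for the example)


@dataclass
class Library:
    name: str
    version: str
    latest: str
    direct: bool              # referenced in the configuration file
    transitive: bool          # used by a direct dependency
    licenses: list = field(default_factory=list)
    vulns: list = field(default_factory=list)


@dataclass
class Control:
    name: str
    severity: float           # 0.1 (lowest) .. 10.0 (highest)
    level: str                # "error" can break the build, "warning" cannot
    resource: str             # "any" | "direct" | "transitive" | "both"
    descriptor: str           # "vulnerability" | "license" | "library"
    params: dict = field(default_factory=dict)
    create_issue: bool = True  # the Action


def risk_of(cvss):
    """Assumed CVSS-to-risk mapping: 7.0+ high, 4.0+ medium, otherwise low."""
    return "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"


def in_scope(lib, resource):
    """Resource selection: which dependency relationship the control inspects."""
    return {"any": lib.direct or lib.transitive, "direct": lib.direct,
            "transitive": lib.transitive, "both": lib.direct and lib.transitive}[resource]


def violations(ctl, lib):
    """Yield (detail, severity) for each way `lib` fails the control's condition."""
    p = ctl.params
    if ctl.descriptor == "vulnerability":          # matcher: should not contain
        for v in lib.vulns:
            if risk_of(v.cvss) != p["risk"]:
                continue
            if "vulnerable_method" in p and v.vulnerable_method != p["vulnerable_method"]:
                continue
            # "Override Control Severity with CVSS Score" replaces the fixed severity
            sev = v.cvss if p.get("override_with_cvss") else ctl.severity
            yield f"{lib.name}: {v.ref}", sev
    elif ctl.descriptor == "license":              # matcher: should not contain
        for lic in lib.licenses:
            if p["kind"] == "name":
                hit = lic.name in p["including"]
            else:                                  # kind "risk", with named exceptions
                hit = lic.risk == p["risk"] and lic.name not in p.get("excluding", ())
            if hit:
                yield f"{lib.name}: {lic.name}", ctl.severity
    elif ctl.descriptor == "library":              # matcher: should be (latest version)
        if lib.version != lib.latest:
            yield f"{lib.name}: {lib.version} < {lib.latest}", ctl.severity


def exit_code(error_severities):
    """Highest severity among violated error-level controls, rounded half-up; 0 when
    none. Caveat: a severity below 0.5 also rounds to 0 and so breaks nothing."""
    return int(max(error_severities) + 0.5) if error_severities else 0


def evaluate(controls, libraries):
    """Return (issues, exit_code). Control order does not change the result."""
    issues, error_sevs = [], []
    for ctl in controls:
        for lib in libraries:
            if not in_scope(lib, ctl.resource):
                continue
            for detail, sev in violations(ctl, lib):
                if ctl.create_issue:
                    issues.append((ctl.name, detail, sev))
                if ctl.level == "error":
                    error_sevs.append(sev)
    return issues, exit_code(error_sevs)


# The five controls from "Custom rule examples"; unstated levels/severities are assumed.
RULE = [
    Control("High-risk vulns, vulnerable method found", 10.0, "error", "any", "vulnerability",
            {"risk": "high", "vulnerable_method": True}),
    Control("Medium-risk vulns, no vulnerable method", 5.0, "warning", "any", "vulnerability",
            {"risk": "medium", "vulnerable_method": False, "override_with_cvss": True}),
    Control("Low-risk vulns, no vulnerable method", 1.0, "warning", "any", "vulnerability",
            {"risk": "low", "vulnerable_method": False}, create_issue=False),
    Control("High-risk licenses, OSL 1.0 allowed", 7.0, "error", "any", "license",
            {"kind": "risk", "risk": "high", "excluding": ["Open Software License 1.0"]}),
    Control("Out-of-date direct libraries", 1.0, "warning", "direct", "library"),
]

# Constructed scan result: names, versions, scores and license ratings are invented.
LIBRARIES = [
    Library("lib-alpha", "1.2.0", "1.3.0", direct=True, transitive=False,
            licenses=[License("MIT", "low")], vulns=[Vuln("VULN-1", 9.8, True)]),
    Library("lib-beta", "2.0.0", "2.0.0", direct=False, transitive=True,
            licenses=[License("Open Software License 1.0", "high")],
            vulns=[Vuln("VULN-2", 5.3, False)]),
    Library("lib-gamma", "0.9.0", "0.9.0", direct=False, transitive=True,
            licenses=[License("Hypothetical-Copyleft-1.0", "high")],
            vulns=[Vuln("VULN-3", 2.1, False)]),
]

if __name__ == "__main__":
    found, code = evaluate(RULE, LIBRARIES)
    for name, detail, sev in found:
        print(f"[{sev:>4}] {name}: {detail}")
    print("exit code:", code)   # 10: lib-alpha's high-risk vulnerability sets the exit code
```

Running the model produces four issues (the low-risk control fires on lib-gamma but creates no issue because Create Issue is cleared, and the Open Software License 1.0 exception keeps lib-beta's license out of the high-risk control) and an exit code of 10, since the only error-level violations carry severities 10.0 and 7.0. Replacing the fifth control with a warning-only rule yields exit code 0 even though it still creates an issue, which is the distinction between Level and Create Issue the page draws.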