Veracode uses multiple data sources for vulnerabilities: Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD), and Veracode vulnerabilities (SRCCLR) from the Veracode Vulnerability Database.
To find vulnerabilities outside of the NVD, the researchers at Veracode curate and validate public database entries and track developer lists, code commits and releases, discussion forums, underground bulletin boards, and social chatter. The technology uses machine learning, extracting patterns from known vulnerabilities and applying new techniques and theories. Veracode Software Composition Analysis agent-based scanning uses clone verification to validate versions are patched as intended.
Vulnerability Data Sources
The Veracode Platform may list two different data sources in the Vulnerability column for vulnerabilities: a CVE ID indicates that the vulnerability came from the NVD and a SRCCLR ID indicates that the vulnerability came from the SCA Vulnerability Database.