Explore your data

Use explores to navigate your Veracode Analytics data and configure visualizations, such as charts, graphs, and counts, of your data. Then, add the visualizations to existing or new dashboards.

Veracode Analytics displays data in the Veracode Platform using Google Looker.

Use Analytics explores

You can review all analytics data for your applications on pages called explores. You can see all the explores on the Explore Your Data page, however, Veracode only provides data for products that your organization has purchased.

1. Sign in to the Veracode Platform.
2. Select Analytics > Explore Your Data. The Explore Your Data page opens.
3. Select an explore, such as Applications or Scans.
4. From the All Fields tab, configure dimensions and measures of the data you want to view.
5. To create a visualization of the data, select Run. These sessions timeout after 30 minutes. To avoid timeout, select Run.
6. Optionally, save the visualization to a dashboard or as a Look file.

Available explores

The following explores are available in the Veracode Platform. To learn about the data (dimensions and measures) you can access in an explore, and add to a visualization, select it.

• Applications: information on your application, including custom fields, application metadata, application counts, and security consultations.
• Scans: data on your scan information, including scan types, scan counts, scan duration, and analysis size.
• Findings: data on the findings discovered in your application, including CWE data, flaw age, mitigation status, and flaw counts.
• IDE and Pipeline Scans: data on Veracode Pipeline Scan usage (including Veracode Scan IDE plugins and the REST API) by users, language, and scan results. You only have data in this explore if you are a licensed user of the products providing the data.
• Users: data on Veracode Platform user accounts, including login status, account state, and username details.
• SCA Agent-Based Scans: data on SCA Agent-Based Scan usage and results, including workspaces, projects, scans, libraries, and license risk.
• SCA Agent-Based Scan Issues: data from the SCA Agent-Based Scans explore with the addition of data on issues, including CVEs and CWEs.

About dimensions and measures

Dimensions and measures define the analytics data to display in a visualization.

Dimensions

Dimensions are qualitative pieces of information in a parent explore.

For example, under the Applications explore, Business Unit, Created Date, and Current Policy Compliance are all dimensions of that explore.

Measures

Measures are mathematical aggregations. Similar to dimensions, measures are always related to the parent explore.

For example, under the Scans explore, Count, Count 365 Days, and Count 90 Days are all measures related to the scan.

Applications explore data dictionary

The following definitions describe the dimensions and measures used on the applications explore in Veracode Analytics.

Application dimensions

Dimension	Description
Application Custom Fields	The metadata entered in application custom fields 1-25. Located from Application > Metadata > Asset > Custom Fields.
Application ID	The unique numerical identifier associated with the application profile, provided by Veracode.
Application Name	The name of the application, created by the user when creating an application on the Veracode Platform.
Application Passed Policy (Yes/No)	Determines if the application did or did not pass policy compliance. Values are Yes or No.
Application Purpose	The business purpose of the application, located from the application metadata.
Application Rescanned (Yes/No)	Determines if the application was rescanned. Values are Yes or No.
Application Scanned (Yes/No)	Determines if the application was scanned. Values are Yes or No.
Archer Application Name	The application name where the data is published to Archer. Located from Application > Metadata > Archer Name.
Business Criticality	The business criticality of the application ranging from very high to very low.
Business Owner Email	The email address associated with the business owner of the application.
Business Owner Name	The first and last name of the user responsible for the application. Located from Application > Profile > Organizational Information.
Business Unit	The name of the business unit.
Created Date	The date the application was created.
Current Policy	The current policy associated with the application.
Current Policy Compliance	The application policy compliance based on the latest scan results.
Current Veracode Level	The Veracode Level achieved by an application, which allows a user at a glance to see the how their application measures against best practices. The Veracode Level is determined by the type of scans performed, severity of flaws detected, and/or the security score achieved. Values are VL1, VL2, VL3, VL3+ SCA, VL4, VL4 + SCA, VL5, and VL5 + SCA, with VL5 + SCA being the highest attainable level. This rating includes mitigations.
Current Veracode Level Without Mitigations	The current Veracode level achieved by an application not including mitigations.
Custom KMS Alias (EA Feature)	The name used to identify the customer-managed root key that is stored in the customer's key management system.
Deployment Method	The type of deployment method for the application.
Dynamic Scan Due Date	The date by which a dynamic scan must run, per the application policy. If the date is in the past, the due date was missed.
Dynamic Scan Frequency	The dynamic scan frequency, such as weekly, monthly, quarterly, that the policy determines for the application.
Industry	The type of industry for which the application is used. Located from Application > Metadata > Industry.
First Published Date	Earliest date that the scan for the application was published.
Initial Published Date	The earliest date that a scan for the application was published.
Latest Language Scanned	Earliest date that the scan for the application was published.
Latest Published Date	The most-recent date that a scan for the application was published.
License Account	Scans licensed by this account. For third-party applications, it is the account that paid for the scan. For SDLC applications, it is the same as the scanning account.
License Type	The type of license: SDLC license or Third-party license. Most applications are software delivery lifecycle (SDLC) license, third-party license type is not commonly used. Veracode offers you the ability to scan your software supplier partners through the Veracode Platform. Values are either SDLC for internal testing of first-party software or third-party for permitting a software supplier to test the code they are developing for the Veracode user.
Manual Penetration Test Due Date	The date by which a manual penetration test is required, per the application policy. If the date is in the past, the due date was missed.
Manual Penetration Test Frequency	The manual penetration test frequency, such as weekly, monthly, quarterly, that the policy determines for the application.
Number of Dynamic Scans	The number of dynamic scans of the application.
Number of Static Scans	The number of static scans of the application.
Requested a Consultation	Veracode offers the ability to schedule a consultation with application security consultants to better understand Veracode scanning and results. Values are No Readout Requested or Readout Requested based on if the application has had a consultation requested.
Scanning Account	The account where scans occurred. For software delivery lifecycle (SDLC) applications, it is the same as the licensed account. For third-party applications, it is the vendor account. Third-party applications are not commonly used.
Scanning Status	The scanning status for the application. Values are DynamicMP + SDLC, DynamicMP Only, No Published Policy Scans, and SDLC only.
Static Scan Due Date	The date by which a static scan must run, per the application policy. If the date is in the past, the due date was missed.
Static Scan Frequency	The static scan frequency, such as weekly, monthly, quarterly, that the policy determines for the application.
Tags List	The list of tags for the application that are added from the application metadata. Veracode allows users to provide a tag to organize their applications as part of the application metadata.
Target Veracode Level	The application's Target Veracode Level.
Teams List	The list of teams and security lead teams who need access to the specific applications and scan results.
Web Application Flag	Determines if the application is a web application or not.

Application measures

Measure	Description
Application Scan Counts	The total count of applications scanned, rescanned, and not scanned in the past 90 and 365 days.
Applications with Consultations	The count of applications for which security consultations have been requested.
Count	The count of distinct application IDs
Percentage of Applications with Consultation Requests	The percentage of applications for which a consultation call was requested.

Applications policy compliance history dimensions

Dimension	Description
Calendar Date	The calendar date, month, quarter, week, and year.
Days Since Last Scan	Days from last scan to calendar date.
Policy Compliance Status	Application policy compliance status: Calculating..., Conditional Pass, Did Not Pass, Pass, or Not Assessed.
Published Date	The published date of the last scan.

Applications policy compliance history measures

Measure	Description
Days in Compliance	Number of days that an application is in compliance.
Days Since Most Recent Scan	Number of days from most recent published date to current day.
Months in Compliance	Number of months that an application is in compliance.

Security consultation dimensions

Dimension	Description
First Name	The first name of the user who requested a consultation.
Last Name	The last name of the user who requested a consultation.
Request Date	The date the consultation was requested.

Security consultation measures

Measure	Description
Count	The count of consultations requested for the application.

Scans explore data dictionary

The following definitions describe the dimensions and measures used on the scans explore in Veracode Analytics.

Applications dimensions

Dimension	Description
Application Custom Fields	The metadata entered in application custom fields 1-25. Located from Application > Metadata > Asset > Custom Fields.
Application ID	The unique numerical identifier associated with the application profile, provided by Veracode.
Application Name	The name of the application, created by the user when creating an application on the Veracode Platform.
Application Passed Policy (Yes/No)	Determines if the application did or did not pass policy compliance. Values are Yes or No.
Application Purpose	The business purpose of the application, located from the application metadata.
Application Rescanned (Yes/No)	Determines if the application was rescanned. Values are Yes or No.
Application Scanned (Yes/No)	Determines if the application was scanned. Values are Yes or No.
Archer Application Name	The application name where the data is published to Archer. Located from Application > Metadata > Archer Name.
Business Owner Email	The email address associated with the business owner of the application.
Business Owner Name	The first and last name of the user responsible for the application. Located from Application > Profile > Organizational Information.
Business Unit	The name of the business unit.
Created Date	The date the application was created.
Current Policy	The current policy associated with the application.
Current Policy Compliance	The application policy compliance based on the latest scan results.
Current Veracode Level	The Veracode Level achieved by an application, which allows a user at a glance to see the how their application measures against best practices. The Veracode Level is determined by the type of scans performed, severity of flaws detected, and/or the security score achieved. Values are VL1, VL2, VL3, VL3+ SCA, VL4, VL4 + SCA, VL5, and VL5 + SCA, with VL5 + SCA being the highest attainable level. This rating includes mitigations.
Current Veracode Level Without Mitigations	The current Veracode level achieved by an application without including mitigations.
Dynamic Scan Due Date	The date by which a dynamic scan must run, per the application policy. If the date is in the past, the due date was missed.
Dynamic Scan Frequency	The dynamic scan frequency, such as weekly, monthly, quarterly, that the policy determines for the application.
Industry	The type of industry for which the application is used. Located from Application > Metadata > Industry.
Initial Published Date	The earliest date that a scan for the application was published.
Latest Published Date	The most-recent date that a scan for the application was published.
License Account	Scans licensed by this account. For third-party applications, it is the account that paid for the scan. For SDLC applications, it is the same as the scanning account.
License Type	The type of license: SDLC license or Third-party license. Most applications are software delivery lifecycle (SDLC) license, third-party license type is not commonly used. Veracode offers you the ability to scan your software supplier partners through the Veracode Platform. Values are either SDLC for internal testing of first-party software or third-party for permitting a software supplier to test the code they are developing for the Veracode user.
Manual Penetration Test Due Date	The date by which a manual penetration test is required, per the application policy. If the date is in the past, the due date was missed.
Manual Penetration Test Frequency	The manual penetration test frequency, such as weekly, monthly, quarterly, that the policy determines for the application.
Number of Dynamic Scans	The number of dynamic scans of the application.
Number of Static Scans	The number of static scans of the application.
Requested a Consultation	Veracode offers the ability to schedule a consultation with application security consultants to better understand Veracode scanning and results. Values are No Readout Requested or Readout Requested based on if the application has had a consultation requested.
Scanning Account	The account where scans occurred. For software delivery lifecycle (SDLC) applications, it is the same as the licensed account. For third-party applications, it is the vendor account. Third-party applications are not commonly used.
Scanning Status	The scanning status for the application. Values are DynamicMP + SDLC, DynamicMP Only, No Published Policy Scans, and SDLC only.
Static Scan Due Date	The date by which a static scan must run, per the application policy. If the date is in the past, the due date was missed.
Static Scan Frequency	The static scan frequency, such as weekly, monthly, quarterly, that the policy determines for the application.
Tags List	The list of tags for the application that are added from the application metadata. Veracode allows users to provide a tag to organize their applications as part of the application metadata.
Web Application Flag	Determines if the application is a web application or not. This flag is set on the application metadata page.

Applications measures

Measure	Description
Application Scan Counts	The total count of applications scanned, rescanned, and not scanned in the past 90 and 365 days.
Applications with Consultations	The count of applications for which security consultations have been requested.
Count	The count of distinct application IDs
Percentage of Applications with Consultation Requests	The percentage of applications for which a consultation call was requested.

Scan dimensions

Dimension	Description
Analysis Type	The types of scans. Values are DynamicDS, DynamicMP - Scan Linked, Dynamic Analysis - Scan Linked, Manual Penetration Testing, or Static Analysis.
Dynamic Scan - Uses Logout Flag	Indicates whether or not the dynamic scan uses a logout.
Dynamic Scan Advanced Mode	Determines if the dynamic scan used advanced mode.
Dynamic Scan Duration - Hours	Dynamic scan duration in hours.
Dynamic Scan Duration Tier	Dynamic scan duration tiers.
Dynamic Script-Based Login Flag	Indicates if the script provided for this dynamic scan contains a login.
Dynamic Target URL	The URL provided in the dynamic scan configuration. The target URL scanned by the Veracode dynamic scan engine.
Dynamic Total Links Crawled	Determines the total number of links the dynamic scan engine crawled for each scan.
Dynamic VSA Flag	Determines if the scan was from a VSA (Virtual Scan Appliance) that enables dynamic application security testing behind your firewall through the installation of VM in a data center.
First Scan	Determines if the scan was or was not the first scan for the application. Values are Yes or No.
Integration User Agent	Raw user agent of the incoming API call, if any.
Is Most Recent Scan	Determines if the scan is or is not the most recent scan. Values are Yes or No.
Most Recent Scan by Type	Provides the ability to filter with a Yes or No to the most recent scan published in the application profile per scan type (Static, Dynamic, or MPT). This filter is only supported for policy scans.
Number of Flaws - General	Dimensions on specific flaw data such as number of new flaws, existing flaws, mitigated flaws, reopened flaws.
Number of Severity 0 (Informational Flaws)	The number of flaws that are S0 severity. You can filter on additional dimensions such as number of S0 flaws with proposed, rejected, and mitigated flaws.
Number of Severity 1 (Very Low Flaws)	The number of flaws that are S1 severity. You can filter on additional dimensions such as number of S1 flaws with proposed, rejected, and mitigated flaws.
Number of Severity 2 (Low Flaws)	The number of flaws that are S2 severity. You can filter on additional dimensions such as number of S2 flaws with proposed, rejected, and mitigated flaws.
Number of Severity 3 (Medium Flaws)	The number of flaws that are S3 severity. You can filter on additional dimensions such as number of S3 flaws with proposed, rejected, and mitigated flaws.
Number of Severity 4 (High Flaws)	The number of flaws that are S4 severity. You can filter on additional dimensions such as number of S4 flaws with proposed, rejected and mitigated flaws.
Number of Severity 5 (Very High Flaws)	The number of flaws that are S5 severity. You can filter on additional dimensions such as number of S5 flaws with proposed, rejected, and mitigated flaws.
Policy or Sandbox	Determines whether the scan was a policy scan or a sandbox scan.
Prescan Information	Information on specific prescan end and start times by Date, Month, Week, Quarter, Year. The usage of prescan dimensions is not common.
Prescan Submitted	The prescans that were submitted successfully. The usage of prescan dimensions is not common.
Promoted Scan (Yes/No)	The scan record was promoted from a sandbox context to the policy context.
Published (Yes/No)	Determines whether the scan was published or not published. Values are Yes or No.
Published Date	The date the scan was published. Use additional dimensions to filter on Date, Month, Week, Quarter, Time, or Year.
Sandbox > Archived Sandbox Scan Data (Yes /No)	The flag to denote if Veracode archived the scan data and deleted the scan from view when the sandbox expired or when there were more than the maximum number of scans in the sandbox.
Sandbox > Sandbox Auto-recreate (Yes / No)	When a sandbox is set to auto-recreate, Veracode automatically recreates it with the same name after the expiration date.
Sandbox > Sandbox Name	The sandbox name for the scan.
Sandbox > Sandbox Scan Archived Date	The date Veracode archived the sandbox scan data and deleted the scan from view due to sandbox expiration. Although the scan data is no longer available in the Triage Flaws page, the data remains available in Veracode Analytics and through data exports.
Scan ID	The identifier associated of the scan.
Scan Name	The scan name.
Scan Policy	The policy that was assigned to the application at the time of the scan.
Scan Policy Compliance	The status of whether or not the scan results passed or failed the policy that was assigned at the time of the scan.
Scan State	The current state of the scan. Values are Active or Deleted.
Submitted By API Account	Determines if the scan was or was not submitted by an API account. Values are API Account or Human Account.
Scan Published By	The user who published the scan.
Scan Submit Information	Dimensions on the user or API account who submitted the scan.
Scan Submitted By	The user who submitted the scan.
Scan Submitted Date	The date the scan was submitted.
Scan Time	The time it took for the scan to complete. Use the additional dimensions to filter on Hours, Minutes, Seconds.
Scan Time Bucket	The minutes of scan time grouped in different periods of time. Values are Less than 5 minutes, 5-10 minutes, 10-15 minutes, 15-30 minutes, 30-60 minutes, 1-4 hours, 4-16 hours, 16-40 hours, 40-96 hours, 96+ hours. This dimension is calculated from the scan submitted date to the scan published date. You can use this dimension to easily graph scan time data.
Score	The security quality score for the scan, including mitigations.
Score without Mitigations	The security quality score without mitigations.
SDLC Stage	The stage of the software delivery lifecycle for the application. This option is set in scan metadata.
Static Scan - General	Dimensions on specific static scan details such as lines of code scanned, prescan duration, and primary language scanned.
Static Scan - Analysis Size v1 MB	The size in MB of the submitted scan using the v1 method, including third-party libraries, depending on the language.
Static Scan - Analysis Size v2 MB	The size in MB of the submitted scan using the v2 method based on first-party code, depending on the language.
Static Scan - Language Group	The primary language of the scanned application.
Static Scan - Lines of Code	The number of lines of code in the static scan.
Static Scan - Primary Language	The primary programming language of the application that was scanned.
Static Scan Duration Tier	The minutes of scan time grouped by: less than 5 minutes, 5-10 minutes, 10-15 minutes, 15-30 minutes, 30-60 minutes, 1-4 hours, 4-16 hours, 16-40 hours, 40-96 hours, 96+ hours. This dimension is calculated from the scan submitted date to the scan published date. You can use this dimension to easily graph scan time data.
Total Scan Duration Tiers	The periods of time for how long it takes for a scan (prescan time + scan time) to complete. Values are 15 minutes, 30 minutes, 1 hour, 4 hours, 16 hours, 48 hours, or 3 days.
Veracode Level	The Veracode Level achieved for the scan. This dimension does not include mitigations.
Veracode Level with Mitigations	The Veracode Level achieved for the scan including mitigations.

Scan measures

Measure	Description
Application Scan Counts	The measure of specific scan count details such as count of applications, count of non-rescanned applications, count of non-scanned applications.
Count of Applications - Past 365 Days	The number of applications that have been scanned in the past 365 days.
Count of Applications - Past 90 Days	The number of applications that have been scanned in the past 90 days.
Count of Applications Rescanned - Past 365 Days	The number of applications that have been rescanned in the past 365 days.
Count of Applications Scanned - Past 365 Days	The number of applications that have been scanned in the past 365 days.
Count of Applications Scanned - Past 90 Days	The number of applications that have been scanned in the past 90 days.
Count of Non-Scanned Applications	The number of applications that have not been scanned.
Count of Non-Rescanned Applications	The number of applications that have not been scanned more than once.
Count of Rescanned Applications.	The number of applications that have been rescanned.
Count of Rescanned Applications - Past 90 Days	The number of applications that have been rescanned in the past 90 days.
Count of Scanned Applications	The number of applications that have been scanned.
Average Dynamic Scan Duration - Hours	The average time in hours a dynamic scan takes to complete.
Average Dynamic Scan Duration - Minutes	The average time in minutes a dynamic scan takes to complete.
Average Dynamic Scan Duration - Seconds	The average time in seconds a dynamic scan takes to complete.
Average Flaws Per MB	The average flaws per MB found in the scan. Calculated by total number of static flaws divided by total analysis size.
Average Prescan Duration - Hours	The average time in hours a prescan takes to complete.
Average Prescan Duration - Minutes	The average time in minutes a prescan takes to complete.
Average Prescan Duration - Seconds	The average time in seconds a prescan takes to complete.
Average Static Scan Duration - Hours	The average time in hours a static scan takes to complete.
Average Static Scan Duration - Minutes	The average time in minutes a static scan takes to complete.
Average Static Scan Duration - Seconds	The average time in seconds a static scan takes to complete.
Average Total Scan Duration - Hours	The average time in hours a scan takes to complete.
Average Total Scan Duration - Minutes	The average time in minutes a scan takes to complete.
Average Total Scan Duration - Seconds	The average time in seconds a scan takes to complete.
Count of Dynamic URLs	The number of URLs associated with a dynamic scan.
Sandboxes with Scans	The number of sandboxes with scans.
Count of First Scans	The number of initial scans.
Count of Scans Submitted by API	The number of scans submitted by an API account.
Count of Scans Submitted by User Account	The number of scans submitted by a user account.
Largest Static Scan Size	The size (MB) of the largest scan across all the scans within the selected dimension, including all the sandbox scans.
Legacy Flaws Per MB	The flaws per MB found in the scan. This is a historical calculation from legacy analytics that is available for consistency but is not recommended for regular use due to the inclusion of multiple scan types and the method by which the calculation is done.
Median Dynamic Scan Duration - Hours	The central data point of hours it takes for a dynamic scan to complete.
Median Dynamic Scan Duration - Minutes	The central data point of minutes it takes for a dynamic scan to complete.
Median Dynamic Scan Duration - Seconds	The central data point of seconds it takes for a dynamic scan to complete.
Median Prescan Duration - Hours	The central data point of hours it takes for a prescan to complete.
Median Prescan Duration - Minutes	The central data point of minutes it takes for a prescan to complete.
Median Prescan Duration - Seconds	The central data point of seconds it takes for a prescan to complete.
Median Static Scan Duration - Hours	The central data point of hours it takes for a static scan to complete.
Median Static Scan Duration - Minutes	The central data point of minutes it takes for a static scan to complete.
Median Static Scan Duration - Seconds	The central data point of seconds it takes for a static scan to complete.
Median Total Scan Duration - Hours	The central data point of hours it takes for a scan to complete.
Median Total Scan Duration - Minutes	The central data point of minutes it takes for a scan to complete.
Median Total Scan Duration - Seconds	The central data point of seconds it takes for a scan to complete.
Percentage of Applications Without Rescans	The percentage of applications that only have one scan.
Percentage of Passed Scans	The percentage of scans that passed policy.
Scan Count	The total number of scans.
Scan Count - Past 365 Days	The total number of scans in the past 365 days.
Scan Count - Past 90 Days	The total number of scans in the past 90 days.
Scan Counts	The measures of specific scan type and policy scans such as dynamic, policy, rescanned, passed scans, sandbox scan counts.
Scan Counts Per Month	The number of scans that occur per month.
Scan Counts Per Week	The number of scans that occur per week.
Total Analysis Size	The total analysis size in MB of the scan.
Total Lines of Static Code	The total number of lines of static code scanned. This number is an estimate based on the information provided in the debug symbols of the scan.
Total Number of Flaws	The total number of flaws for the scan. Use the measures below to filter on specific flaw severity and status.
Total Number of Static Flaws	The total number of static flaws.

Findings explore data dictionary

The following definitions describe the dimensions and measures in the Findings explore in Veracode Analytics.

Application dimensions

Dimension	Description
Application Custom Fields	The metadata entered in application custom fields 1-25. Located from Application > Metadata > Asset > Custom Fields.
Application ID	The unique numerical identifier associated with the application profile, provided by Veracode.
Application Name	The name of the application, created by the user when creating an application on the Veracode Platform.
Application Passed Policy (Yes/No)	Determines if the application did or did not pass policy compliance. Values are Yes or No.
Application Purpose	The business purpose of the application, located from the application metadata.
Application Rescanned (Yes/No)	Determines if the application was rescanned. Values are Yes or No.
Application Scanned (Yes/No)	Determines if the application was scanned. Values are Yes or No.
Archer Application Name	The application name where the data is published to Archer. Located from Application > Metadata > Archer Name.
Business Owner Email	The email address associated with the business owner of the application.
Business Owner Name	The first and last name of the user responsible for the application. Located from Application > Profile > Organizational Information.
Business Unit	The name of the business unit.
Created Date	The date the application was created.
Current Policy	The current policy associated with the application.
Current Policy Compliance	The application policy compliance based on the latest scan results.
Current Veracode Level	The Veracode Level achieved by an application, which allows a user at a glance to see the how their application measures against best practices. The Veracode Level is determined by the type of scans performed, severity of flaws detected, and/or the security score achieved. Values are VL1, VL2, VL3, VL3+ SCA, VL4, VL4 + SCA, VL5, and VL5 + SCA, with VL5 + SCA being the highest attainable level. This rating includes mitigations.
Current Veracode Level Without Mitigations	The current Veracode level achieved by an application without including mitigations.
Dynamic Scan Due Date	The date by which a dynamic scan must run, per the application policy. If the date is in the past, the due date was missed.
Dynamic Scan Frequency	The dynamic scan frequency, such as weekly, monthly, quarterly, that the policy determines for the application.
Industry	The type of industry for which the application is used. Located from Application > Metadata > Industry.
Initial Published Date	The earliest date that a scan for the application was published.
Latest Published Date	The most-recent date that a scan for the application was published.
License Account	Scans licensed by this account. For third-party applications, it is the account that paid for the scan. For SDLC applications, it is the same as the scanning account.
License Type	The type of license: SDLC license or Third-party license. Most applications are software delivery lifecycle (SDLC) license, third-party license type is not commonly used. Veracode offers you the ability to scan your software supplier partners through the Veracode Platform. Values are either SDLC for internal testing of first-party software or third-party for permitting a software supplier to test the code they are developing for the Veracode user.
Manual Penetration Test Due Date	The date by which a manual penetration test is required, per the application policy. If the date is in the past, the due date was missed.
Manual Penetration Test Frequency	The manual penetration test frequency, such as weekly, monthly, quarterly, that the policy determines for the application.
Number of Dynamic Scans	The number of dynamic scans of the application.
Number of Static Scans	The number of static scans of the application.
Requested a Consultation	Veracode offers the ability to schedule a consultation with application security consultants to better understand Veracode scanning and results. Values are No Readout Requested or Readout Requested based on if the application has had a consultation requested.
Scanning Account	The account where scans occurred. For software delivery lifecycle (SDLC) applications, it is the same as the licensed account. For third-party applications, it is the vendor account. Third-party applications are not commonly used.
Scanning Status	The scanning status for the application. Values are DynamicMP + SDLC, DynamicMP Only, No Published Policy Scans, and SDLC only.
Static Scan Due Date	The date by which a static scan must run, per the application policy. If the date is in the past, the due date was missed.
Static Scan Frequency	The static scan frequency, such as weekly, monthly, quarterly, that the policy determines for the application.
Tags List	The list of tags for the application that are added from the application metadata. Veracode allows users to provide a tag to organize their applications as part of the application metadata.
Web Application Flag	Determines if the application is a web application or not. This flag is set on the application metadata page.

Applications measures

Measure	Description
Application Scan Counts	The total count of applications scanned, rescanned, and not scanned in the past 90 and 365 days.
Applications with Consultations	The count of applications for which security consultations have been requested.
Count	The count of distinct application IDs
Percentage of Applications with Consultation Requests	The percentage of applications for which a consultation call was requested.

CVE dimensions

Dimension	Description
Access Complexity	According to the CVSS standard, this metric measures the complexity of the attack required to exploit the vulnerability after an attacker has gained access to the target system.
Access Vector	According to the CVSS standard, this metric represents how the vulnerability is exploited.
Authentication	According to the CVSS standard, this metric measures the number of times an attacker must authenticate to a target to be able to exploit a vulnerability.
Availability Impact	According to the CVSS standard, this metric measures the impact a successfully exploited vulnerability will have on the accessibility of information resources.
Confidentiality Impact	From the CVSS standard, this metric measures the impact on confidentiality of a successfully exploited vulnerability.
CVE ID	The ID established by MITRE of publicly known cybersecurity vulnerabilities.
CVSSv2 Score	The numerical score produced by Version 2 of the Common Vulnerability Scoring System (CVSS) that reflects the severity of the principal characteristics of a vulnerability.
CVSSv3 Score	The numerical score produced by Version 3 of the Common Vulnerability Scoring System (CVSS) that reflects the severity of the principal characteristics of a vulnerability.
Integrity Impact	According to the CVSS standard, this value is the measure of the impact to the trustworthiness and guaranteed veracity of information by a successfully exploited vulnerability.
No-CVE ID	The ID Veracode provides in its proprietary database of vulnerabilities found in open-source libraries.
Published Date	Date the vulnerability was published to the Veracode Vulnerability Database.
Summary	The description and details of the vulnerability.
Vulnerability Title	A short summary of the vulnerability.

CWE dimensions

Dimension	Description
Category Name	Category of the common weakness enumeration (CWE) category for the finding found after the application was scanned.
Description	The CWE category description for the finding.
Flaw Name	The CWE name of the finding.
Flaw Severity and Name	A concatenation of the CWE name of the finding and its associated base Veracode severity.
ID	The CWE ID of the finding. This dimension is most useful when combined with the Flaw Name dimension.
Latest CWE Top 25	A list of errors that can lead to the most serious software vulnerabilities according to the latest SANS/MITRE CWE Top 25.
OWASP 2013	The top ten vulnerabilities identified by the 2013 version of the Open Web Application Security Project (OWASP).
OWASP 2017	The top ten vulnerabilities identified by the 2017 version of the Open Web Application Security Project (OWASP).
Remediation Effort	The level of effort it takes to remediate the finding.
SANS 25	The list of the most significant errors that can lead to software vulnerabilities, according to the SANS top 25 list.
Top 5 Categories	The finding by CWE top 5 category of the most significant errors that can lead to software vulnerabilities, according to the SANS top 25 list.

Findings dimensions

Dimension	Description
Application ID	The application ID associated with the finding.
Archived by Sandbox Expiration (Yes / No)	The flag to denote if Veracode archived the finding and deleted the scan from view due to sandbox scan expiration. Use this flag to filter in or out findings that only existed in archived scan data. Findings that exist in non-archived scan data is not considered archived.
Component Path	The custom name and severity of the library at the time of the build of the compilation of the application.
Custom Severity	The user-created severity for the finding. Located fromPolicy > Policies > Custom Severities.
Custom Severity Description	The description for the finding with user-created severity.
Custom Severity Name	The name of the severity of the finding. Values are Informational, Very Low, Low, Medium, High, or Very High.
CWE ID	The ID and the name of the common weakness enumeration (CWE) found after the application was scanned.
Description	Provides a brief description of the finding. For a category description, see the CWE Description dimension.
Dynamic Findings - General	Contains: Path: Provides the URL path where Dynamic Analysis discovered the vulnerability. Vulnerable Parameter: The specific injection point that identifies the vulnerability discovered by Dynamic Analysis. Examples include cookies, query strings, and POST body data. Not all vulnerabilities have a vulnerable parameter.
Exploitability	The rating for the likelihood that an attacker could exploit the finding.
Exploitability Description	The description for the likelihood that an attacker could exploit the finding.
Fixable (Yes / No)	Determines if a finding could be resolved using Veracode Fix.
Fixed Date	The date a finding was closed because it was no longer present in the scan results for the application.
Finding Status	The status of the finding. Values are Open or Closed.
First Found Date	Very first overall occurrence of the finding in a given context. In most cases, First Found in Application Date should be used. For findings from SCA Upload and Scan, this is the latest of either: A vulnerable library was scanned in a given context. A CVE was published for a previously in-use library. For application-linked SCA agent-based findings, this is the latest of either: A vulnerable library was scanned in a linked project. A CVE was published for a previously in use-library. You can filter by Date, Month, Quarter, Time, Week, Year.
First Found in Application Date	Very first overall occurrence of the finding in either sandbox or policy. In most cases, First Found in Application Date should be used. For findings from SCA Upload and Scan, this is the latest of either: A vulnerable library was scanned in a given context. A CVE was published for a previously in-use library. For application-linked SCA agent-based findings, this is the latest of either: A vulnerable library was scanned in a linked project. A CVE was published for a previously in-use library. You can filter by Date, Month, Quarter, Time, Week, Year.
Flaw Age	The range between the Finding Found Date and Finding Resolved Date dimensions. If the resolved date is null, use today's date.
Flaw Age Tier	The length of time by days the finding was open. Values are 1, 7, 30, or 90 days.
Flaw ID	The ID of the finding on the Veracode Platform.
Grace Period Expiration Date	The date on which a grace period expires for the finding. Veracode calculates this date based on the last date a finding was opened (First Found or Last Reopened date), and based on the grace period provided in the security policy assigned to the application. This date only applies to open findings that impact policy compliance.
Last Found Date	The date the finding was last found. You can filter by Date, Month, Quarter, Time, Week, Year.
Last Updated Date (Reporting API only)	Used for incremental reporting of findings data in the Reporting API. This date is the latest date of the following data points: First Found Date, Last Found Date, Resolved Date, Most Recent Mitigation Action Date, and timestamp of any application-level changes (e.g., Application Name changed, Business Unit changed, Policy changed).
Library First Found in Active Scans	The earliest date of a scan where this library was found. This date can be later than when the Veracode SCA tool detected a vulnerability because you may have archived or deleted earlier scans with that library.
Mitigation Status	The mitigation status for the finding. Values are Proposed, Accepted, Rejected, or Not Mitigated. Provides the latest mitigation workflow status for a mitigation on a finding.
Module Language	The language of the module in which the finding was found. This is based on the latest published static scan of this application.
Module Name	The name of the scanned module that has the finding. To identify the precise location of the flaw, use the values in Submodule Path and Second Party Component.
Most Recent Mitigation Details	The fields in this menu include the most recent mitigations details for: Acceptance Comment - the comment provided with the most recent acceptance action on a mitigation proposal. Acceptance Date - date the most recent mitigation proposal was accepted. Acceptance Time - time the most recent mitigation proposal was accepted. Accepter Username - name of the person who accepted the most recent mitigation proposal. MPR Comment - comment provided by Veracode in the most recent Mitigation Proposal Review of a mitigation proposal. MPR Date - date of the most recent occurrence of a Mitigation Proposal Review for this mitigation proposal. MPR Status - determines whether or not the finding conforms to the risk tolerance guidelines established by your organization. MPR Time - time of the most recent occurrence of a Mitigation Proposal Review for this mitigation proposal. MPR Username - Veracode provides Mitigation Proposal Reviews as a service to offer guidance on validity, propriety, and effectiveness of mitigation proposals according to the risk tolerance guidelines of your organization. Veracode is always the username returned in this field. Proposal Comment - comment provided with the most recent mitigation proposal. Proposal Date - date the most recent mitigation proposal was made. Proposal Time - time the most recent mitigation proposal was made. Proposer Username - username of the user who provided the most recent mitigation proposal. Rejecter Username - username of the user who rejected the most recent mitigation proposal. Rejection Comment - comment provided with the rejection of the most recent mitigation proposal. Rejection Date - date of the most recent rejection the most recent mitigation proposal was rejected. Rejection Time - time the most recent mitigation proposal was rejected.
New Finding (Yes/No)	Determines if the finding is new. Values are Yes or No.
Policy or Sandbox Scan	Determines if the finding is in a policy or sandbox scan. Because sandboxes do not support Veracode DAST, DAST findings are always reported in the context of policy.
Policy Rule Passed (Yes/No)	Determines if a finding passed policy. For open findings or mitigated closed findings, this is determined by the current policy attached to the application. For closed fixed findings, this is determined by the version of the policy that was attached at the time the finding was closed. Values are Yes or No.
Policy Status	Evaluation of whether the finding has passed, failed, or conditionally passed (rule failed but within grace period) policy.
Reopened Date	The date a finding was reopened. A finding can be reopened if it was previously fixed, then found in a later scan in the same context again. You can filter by Date, Month, Quarter, Time, Week, Year.
Reopened Finding (Yes/No)	Determines if the finding is a reopened finding.
Resolved Date	The date a finding was closed either through remediation, indicating the finding is no longer available in the results, or through a mitigation or resolution workflow that has been approved. You can filter by Date, Month, Quarter, Time, Week, Year.
Sandbox Name	The name of the sandbox scan in which the finding was found.
Scan Type	The type of scan that produced this finding. Values are Dynamic, Static or Manual Penetration Test.
Second Party Component	The name of the second party component used by the module in which the finding was seen.
Static Findings - General	Contains: Attack Vector: the location of the flaw (the sink) discovered by Static Analysis in the function call, as seen in the Triage Flaws page of the Veracode Platform. Class Path: the full name of the class path containing the finding, as seen in the Data Path details page in the Triage Flaws view of the Veracode Platform. Filename/Class: the filename or class in which Veracode discovered the static finding. This value is combined with the line number in the Source field in the Triage Flaws view of the Veracode Platform. Function Name: the name of the function in which Veracode discovered the static finding. This value replaces the filename in the Source field of the Triage Flaws view in the Veracode Platform when you compile and upload the modules without debug symbols. Most Recent Line Number: in the most recent static scan, this value is the line number in which Veracode discovered this finding, or the relative location in the function that contains the finding.
Submodule Path	Secondary party module information.
Unique to a Single Context (Yes/No)	A finding is unique and has only been seen in a single sandbox or policy context within an application.

Findings measures

Measure	Description
Average Mitigation Process - Days	The average time that elapses between a finding being proposed to accepted.
Time to Resolve	The count of days that elapsed from the time a finding was opened or reopened to the earliest subsequent resolution. Resolution types are remediation or an accepted mitigation. This measure is calculated within a single sandbox. The Time To Resolve measure is always calculated on a per-context basis, meaning it is calculated for the time to resolve a finding within a single sandbox context, instead of the multiple instances of a finding across several sandboxes.
Total Mitigation Process Days	The total time that elapses between a finding being proposed to accepted.
Total Number of Flaws - Application	The total number of findings by application. You can use the dimensions below to filter on count of findings by severity.
Total Number of Sandbox Flaws	The total number of findings by sandbox. You can use the dimensions below to filter on count of findings by severity. Because sandboxes do not support Veracode DAST scans, DAST findings are reported in the context of policy. This count does not remove findings that are flaw-matched but instead counts the total number of findings for each context. By design, the measures Findings Policy or Sandbox and Count of Flaws Sandbox only show the count of DAST findings context of policy. To see findings from the sandbox context, change the filter to Sandbox to include those counts. To design a chart or report for yourself, we recommend using the Count of Flaws Application measure because it only provides the flaw-matched, unique findings for the policy context.

Resolution and mitigation

Measure	Description
Latest Resolution and Mitigation Status	The latest resolution and mitigation status for a flaw. If a flaw is closed through scan, that status supersedes all others. Possible statuses are: Approved, Closed - Previously Reported, Closed - through Scan, No Resolution/Mitigation, Proposed, Rejected.
Resolution and Mitigation Status	The mitigation status of the finding and resolution: Approved, Proposed, Automated, or None. If the flaw is closed, this field reflects the reason for its original closure. Veracode recommends you use the Latest Resolution Status to surface the final closure reason.
Resolution and Mitigation Type	The type of resolution and mitigation.

SCA dimensions

Dimension	Description
Component ID	ID that Veracode gives to each unique component.
Component Name	Name of the library component, including version. For some languages, this name is the component filename.
Component Version	Version or extension of the component file.
Library	Name of the library component without version or extension.
Library Description	Description of the library. For Java, descriptions are sourced from Maven. For other languages, the description field is often blank.
Library Vendor	The organization of open-source projects that provides the library. For Java, vendor identities are sourced from Maven. For other languages, the vendor field is often blank.

SCA measures

Measure	Description
Component Count	Count of unique component IDs.

SCA license dimensions

Dimension	Description
License Name	Name of intellectual property licenses associated with a library.
License Risk	The risk ratings associated with the license (Low, Medium, High).

SCA license measures

Measure	Description
License Count	Name of intellectual property licenses associated with a library.

IDE and Pipeline Scans explore data dictionary

These definitions describe the dimensions and measures used on the IDE and Pipeline Scans explore in Veracode Analytics.

IDE and Pipeline Scans dimensions

Dimension	Description
Account Name	The account name provided in the Veracode Platform.
IDE	The development environment in which the scan ran.
IDE Version	The version of the IDE where the scan started. If empty, it was an API scan.
OS	The operating system of the IDE that the user is using.
Plugin Version	The version of the Veracode IDE scan plugin or Pipeline Scan JAR file.
Project Name	Optional field for the name of the project containing the scanned files, where applicable.
Project Reference	Optional field for the source control reference, revision, or branch of the development project.
Project URI	Optional field for the URI of the development project.
Results Size (MB)	The size of the JSON results file (MB).
Scan End Date	The date and time the scan completed. Possible values are date, month, month name, quarter, time, week, and year.
Scan Language	The language of the files to be scanned.
Scan Start Date	The date and time the scan started. Possible values are date, month, month name, quarter, time, week, and year.
Scan Status	The status of the scan.
Scan Type	How the scan was submitted. Active = User-Initiated IDE Scan, Passive = Auto-Initiated IDE Scan, API = Pipeline Scan API, DevOps = Pipeline Scan Pre-Release, Pipeline = Pipeline Scan.
User Email	The email address of the user who submitted the scan.
User Timeout	User-defined value for the number of seconds to wait before a scan times out. This field only populates if you provide a value.

IDE and Pipeline Scans measures

Measure	Description
Scan Counts	The total count of unique scans.
User Counts	The count of distinct users.

Users explore data dictionary

The following definitions describe the dimensions and measures used on the users explore in Veracode Analytics.

User dimensions

Dimension	Description
Email	The email address associated with the account.
Last Login Host Failure	The user’s IP address from the most recent failed sign-in attempt on the Veracode Platform.
Last Login Host Success	The user’s IP address from the most recent successful sign-in on the Veracode Platform.
Last Login Status	The user’s status during their most recent sign-in to the Veracode Platform.
Last Successful Login Date	The last date the user successfully logged in to the Veracode Platform.
Login Account State	The state of the account. Values are Deleted or Active.
Login Account Status	The status of the account. Values are Enabled or Disabled.
Login Account Type	The type of user account. Values are User Account or API Account.
MFA Token Status	The status of the user's MFA token. Values are Token Required or No Token Required.
SAML User	Indicates if the user uses SAML. Values are Yes or No.
Teams List	A list of teams to which the user belongs.
User First Name	The user's first name on the Veracode Platform.
User Full Name	The user's full name (concatenation of the user's first name and last name) on the Veracode Platform.
User Last Name	The user's last name on the Veracode Platform.
User Roles List	A list of roles assigned to the user.
Username	The username on the Veracode Platform.

User measures

Measure	Description
Count	The count of total users.

SCA Agent-Based Scans explore data dictionary

The following definitions describe the dimensions and measures used on the SCA Agent-Based Scans explore in Veracode Analytics.

Scan dimensions

Dimension	Description
Branch	The branch associated with the scan.
User Scan ID	The scan ID provided by the user.
Languages	The list of software languages found during the scan.
Most Recent Scan	Indicates if this is the most recent scan. Values are Yes or No.
Most Recent Scan per Branch	Indicates if this is the most recent scan in the branch. Values are Yes or No.
Line Count	The count of lines of user code in the scanned repositories.
Tag	The tag associated with the scan.
Scan Commit Hash	The commit hash used per scan to assign scan results to the appropriate library.
Scan ID	The unique identifier for the scan.
Workspace Issue Summary > Vulnerability Issues	The count of issue IDs associated with vulnerabilities in the workspace.
Workspace Issue Summary > Library Issues	The count of issue IDs associated with outdated libraries in the workspace.
Workspace Issue Summary > License Issues	The count of issue IDs associated with software licenses in the workspace.
Workspace Issue Summary > Total Issues	The count of all issues associated with the workspace, regardless of type.
Project Issue Summary > Vulnerability Issues	The count of issue IDs associated with vulnerabilities in the project.
Project Issue Summary > Library Issues	The count of issue IDs associated with outdated libraries in the project.
Project Issue Summary > License Issues	The count of issue IDs associated with software licenses in the project.
Project Issue Summary > Total Issues	The count of all issues associated with the project, regardless of issue type.
Issues > Vulnerability Issues	The total count of vulnerability issues in the scan.
Issues > License Issues	The total count of license issues in the scan.
Issues > Outdated License Issues	The count of issue IDs associated with outdated licenses in the project.
Issues > Total Issues	The total count of all issues in the scan, regardless of issue type.
Issues > Outdated Library Issues	The total count of outdated library issues discovered in the scan.
Severity Count > Severity High Count	The total count of all High-severity issues, regardless of issue type.
Severity Count > Severity Medium Count	The total count of all Medium-severity issues, regardless of issue type.
Severity Count > Severity Low Count	The total count of all Low-severity issues, regardless of issue type.
Latest Scanned Libraries > Safe Version	The recommended safe version of the library.
Latest Scanned Libraries > Severity High Count	The count of High-severity vulnerabilities in this library. One vulnerability might have multiple issues.
Latest Scanned Libraries > Severity Medium Count	The count of Medium-severity vulnerabilities in this library. One vulnerability might have multiple issues.
Latest Scanned Libraries > Severity Low Count	The count of Low-severity vulnerabilities in this library. One vulnerability might have multiple issues.

Scan measures

Measure	Description
Workspaces > Count	The count of unique workspaces.
Projects > Count	The count of unique projects.
Projects > Count of Projects Linked to Application Profiles	The count of projects linked to application profiles.
Scans > Average Count of Vulnerability Issues per Scan	The average number of vulnerability issues per scan.
Scans > Scan Count	The count of agent scans.
Scans > Total Severity Count	This category comprises the measures: The total count of High-severity issues The total count of Medium-severity issues The total count of Low-severity issues
Scans > Total Vulnerability Issues	The total number of vulnerability issues.
Latest Scanned Libraries > Count	The count of unique libraries found in the agent scans.
Latest Scanned Libraries > Count with Safe Version	The count of unique libraries with vulnerabilities found in agent scans for which Veracode recommends a safe library version.
Latest Scanned Libraries > Count with Vulnerabilities	The count of unique libraries with vulnerabilities found in agent scans.
Licenses > License Count	The count of unique licenses associated with a library.

SCA Agent-Based Scan Issues explore data dictionary

The following definitions describe the dimensions and measures used on the SCA Agent-Based Scan Issues explore in Veracode Analytics.

note

The information in Analytics may appear differently from the Veracode Platform because Analytics provides a more complete representation of the data. To align your data, do the following:

• Ensure that the projects have been scanned within the past 13 months.
• Check the branch where the vulnerability was found. If the issue is not in the default branch, it will not appear in the SCA Agent UI.

SCA Agent-Based Scan issues dimensions

Dimension	Description
Workspaces > Creation Date	The date the workspace was created. Possible values include date, month, quarter, time, week, and year.
Workspaces > Most Recent Repository Scan ID	The ID of the most recent scan in the workspace.
Workspaces > Most Recent Scan Date	The date of the most recent scan in the workspace.
Workspaces > Name	Name of the workspace.
Workspaces > Total Projects	Count of all the projects within the workspace.
Workspaces > Workspace Issue Summary	Consists of: Vulnerability Issues: count of issue IDs associated with vulnerabilities in the workspace. Library Issues: count of issue IDs associated with outdated libraries in the workspace. License Issues: count of issue IDs associated with software licenses in the workspace. Total Issues: count of total issues created, regardless of type, associated with the workspace.
Workspaces > Team Name	Name of workspace team.
Projects > Client Repository ID	Alternate unique project identifier.
Projects > Creation Date	The date the project was created. Possible values include date, month, quarter, time, week, and year.
Projects > Default Branch	The name of the default branch in the project, if configured.
Projects > Display Name	You can optionally set a user-friendly display name for the project which, if present, overrides the name in the UI.
Projects > Host	The generic term for the host of the repo. For example, in https://github.com/veracode/example-java-maven the path is srcclr and the name is example-java-maven. Host + path + name + subpath uniquely identify a repository in a workspace.
Projects > Languages	The mix of software languages within the project.
Projects > Latest Repository Scan ID	The scan ID for the most recent scan within the project.
Projects > Linked Application ID	The ID for the application profile linked to the project.
Projects > Linked Application	The name of the linked application.
Projects > Most Recent Scan Date	The date of the most recent scan in the project. Possible values include date, month, quarter, time, week, and year.
Projects > Name	The generic term for grouping within a repository. For example, in https://github.com/veracode/example-java-maven the path is srcclr and the name is example-java-maven. Host + path + name + subpath.
Projects > Path	The generic term for either the Git repository user or organization (might be called something else in Bitbucket-style repositories). For example, in https://github.com/veracode/example-java-maven the path is srcclr and the name is example-java-maven. Host + path + name + subpath uniquely identifies a repository in a workspace.
Projects > Project Issue Summary	Consists of: Vulnerability Issues: count of issue IDs associated with vulnerabilities in the project. Library Issues: count of issue IDs associated with outdated libraries in the project. License Issues: count of issue IDs associated with software licenses in the project. Total Issues: count of total issues created, regardless of type, associated with the project.
Projects > Project Name	The name of the project within the workspace.
Projects > Subpath	The generic term for grouping within a repository. For example, in https://github.com/veracode/example-java-maven the path is srcclr and the name is example-java-maven. Host + path + name + subpath.
Projects > Type	The type of project, application, repository, or container.
Projects > Web URL	The scanned repository URL (for example, the cloned GitHub URL).
Issues > Branch	The branch where the issue was discovered.
Issues > Commit Hash	The commit hash where the issue was discovered.
Issues > Creation Date	The date the issue was created. Possible values are date, month, quarter, time, week, and year.
Issues > CVE ID	The CVE (Common Vulnerabilities and Exposures) of the issue, if there is one. Applied to vulnerability type issues only.
Issues > CWE ID	The CWE (Common Weakness Enumeration) for the issue. Applied to vulnerability type issues only.
Issues > Issue Fix Date	The date the issue was fixed. Possible values are date, month, quarter, time, week, and year.
Issues > Delta Score	The Update Risk Score for an out-of-date library issue only.
Issues > Dependency Mode	Tracks how the given library that caused the issue is pulled into the user repository: direct, transitive, or both.
Issues > Direct Library or Transitive Library	Does the issue arise from a direct library or a transitive library?
Issues > Duration to Resolve	The number of days from opening to closing of the issue, regardless of issue type.
Issues > Fixed Repository Scan ID	The scan that marked the issue as fixed, if any.
Issues > Has Vulnerable Methods (Yes/No)	Does the project use the vulnerable part of the library associated with the issue? Yes or no.
Issues > Ignored (Yes/No)	Indicates if the user ignored the issue.
Issues > Ignored by Username	The username of the user who ignored the issue.
Issues > Issue Ignored Date	The date the user ignored the issue. Possible values are date, week, month, quarter, and year.
Issues > Issue ID	The unique identifier for this issue.
Issues > Issue Name	The name of the issue.
Issues > Issue Type	The type of issue: license, outdated library, or vulnerability.
Issues > Last Repository Scan ID	The most recent scan associated with this issue.
Issues > Most Recent Version	The most current version of the library.
Issues > Name Tag	The tag where the issue was discovered.
Issues > Opened Repository Scan ID	The scan ID that created the issue.
Issues > Policy ID	The ID for the policy or rules that created or updated the issue at scan time.
Issues > Policy Revision	The version of the policy, if any, that created or updated the issue at scan time.
Issues > Repository ID	The project ID that contains the issue.
Issues > Severity	The numerical ranking of the severity (1 = Low, 10 = Critcal).
Issues > Severity Level	The severity of the issue: Critical, High, Medium, or Low.
Issues > Status	The status of the issue: Open or Fixed.
Libraries > Author	The author of the library in use.
Libraries > Author URL	The author URL of the library in use.
Libraries > Bug Tracker URL	The URL for viewing bugs found with the library.
Libraries > Code Repository URL	The URL for the code repository of the library.
Libraries > Coordinate Type	Where the library is located in the open-source community, such as Maven, NPM, Nuget.
Libraries > Current Version	The version of the library in use.
Libraries > Current Version Release Date	The date the library found in the scan was first released publicly. Possible values are date, month, quarter, time, week, and year.
Libraries > Description	The description of the library from the maintainer.
Libraries > Language Type	The high-level language classification of the library.
Libraries > Library Name	The name of the library component.
Libraries > Most Recent Release Date	The date of the most recent update to the library. Possible values are date, month, quarter, time, week, and year.
Libraries > Most Recent Version	The most recent version of the library to be released.
Libraries > Updated Date	The date the library was updated. Possible values are date, month, quarter, time, week, and year.
CVE > Access Complexity	According to the CVSS standard, this metric measures the complexity of the attack required to exploit the vulnerability after an attacker has gained access to the target system.
CVE > Access Vector	According to the CVSS standard, this metric represents how the vulnerability is exploited.
CVE > Authentication	According to the CVSS standard, this metric measures the number of times an attacker must authenticate to a target to be able to exploit a vulnerability.
CVE > Availability Impact	According to the CVSS standard, this metric measures the impact a successfully exploited vulnerability will have on the accessibility of information resources.
CVE > Confidentiality Impact	From the CVSS standard, this metric measures the impact on confidentiality of a successfully exploited vulnerability.
CVE > CVE ID	The ID established by MITRE of publicly known cybersecurity vulnerabilities.
CVE > CVSSv2 Score	The numerical score produced by Version 2 of the Common Vulnerability Scoring System (CVSS) that reflects the severity of the principal characteristics of a vulnerability.
CVE > CVSSv3 Score	The numerical score produced by Version 3 of the Common Vulnerability Scoring System (CVSS) that reflects the severity of the principal characteristics of a vulnerability.
CVE > Integrity Impact	According to the CVSS standard, this value is the measure of the impact to the trustworthiness and guaranteed veracity of information by a successfully exploited vulnerability.
CVE > Published Date	Date or time when Veracode published the vulnerability to the Veracode Vulnerability Database. The values are date, month, quarter, time, week, or year.
CVE > SRCCLR ID	The ID Veracode provides in its proprietary database of vulnerabilities found in open-source libraries.
CVE > Summary	The description and details of the vulnerability.
CVE > Vulnerability Title	A short summary of the vulnerability.
CWE > Category Name	Category of the Common Weakness Enumeration (CWE) found after the application was scanned.
CWE > Description	The description of the CWE.
CWE > Flaw Name	The name of the Common Weakness Enumeration (CWE) found after the application was scanned.
CWE > ID	The ID of the Common Weakness Enumeration (CWE) found after the application was scanned. Most useful in combination with CWE Name.
CWE > Name	The CWE ID and the name of the Common Weakness Enumeration (CWE) found after the application was scanned.
CWE > OWASP 2013	The top ten vulnerabilities identified by the Open Web Application Security Project (OWASP) in 2013. The dimension is infrequently used.
CWE > OWASP 2017	The top ten vulnerabilities identified by the Open Web Application Security Project (OWASP) in 2017.
CWE > OWASP Latest	The top ten vulnerabilities identified by the latest Open Web Application Security Project (OWASP) standard.
CWE > Remediation Effort	The level of effort it takes to remediate the finding.
CWE > SANS 25	The list of the most significant errors that can lead to serious software vulnerabilities, according to the SANS top 25 list.
CWE > Severity	The severity of the finding.
Licenses > Full Text	The full text of the license associated with the library.
Licenses > License Name	The name of the license associated with the library.
Licenses > OSI-Approved	Whether or not the Open Source Initiative (OSI) has approved the license. To be approved, a license must go through the Open Source Initiative license review process.
Licenses > Risk	The risk associated with the use of this license.
Licenses > SPDX ID	The classification for the license from the Software Package Data Exchange (SPDX) license list (https://spdx.org/licenses/).
Licenses > Version	License version.

SCA Agent-based Scan Issues measures

Measure	Description
Workspaces > Count	Count of unique workspaces.
Projects > Count	Count of unique projects.
Projects > Count of Projects Linked to Application Profiles	Count of projects linked to application profiles.
Issues > Issue Count	Count of issues, regardless of type.
Issues > Libraries with Issue	Number of unique libraries with at least one issue.
Issues > Time to Resolve	The average count of days from the opening to the closing of the issue, regardless of issue type.
Issues > Vulnerability Count	Count of vulnerability issues.
Libraries > Count	Count of distinct libraries.
CWE > Count	Count of CWE vulnerabilities.
Licenses > License Count	Count of unique licenses associated with a library.