
Findings data dictionary

The following definitions describe the dimensions and measures in the Findings explore in Veracode Analytics.

| Dimension | Description |
|---|---|
| Application Custom Fields | The metadata entered in application custom fields 1-25. Located from Application > Metadata > Asset > Custom Fields. |
| Application ID | The unique numerical identifier of the application profile, assigned by Veracode. |
| Application Name | The name of the application, entered by the user when creating the application profile on the Veracode Platform. |
| Application Passed Policy (Yes/No) | Whether the application passed policy compliance. Values are Yes or No. |
| Application Purpose | The business purpose of the application, taken from the application metadata. |
| Application Rescanned (Yes/No) | Whether the application was rescanned. Values are Yes or No. |
| Application Scanned (Yes/No) | Whether the application was scanned. Values are Yes or No. |
| Archer Application Name | The application name under which data is published to Archer. Located from Application > Metadata > Archer Name. |
| Business Owner Email | The email address of the business owner of the application. |
| Business Owner Name | The first and last name of the user responsible for the application. Located from Application > Profile > Organizational Information. |
| Business Unit | The name of the business unit. |
| Created Date | The date the application profile was created. |
| Current Policy | The policy currently assigned to the application. |
| Current Policy Compliance | The application's policy compliance based on the latest scan results. |
| Dynamic Scan Due Date | The date by which a dynamic scan must run, per the application policy. If the date is in the past, the due date was missed. |
| Dynamic Scan Frequency | The dynamic scan frequency (for example weekly, monthly, or quarterly) that the policy requires for the application. |
| Industry | The industry for which the application is used. Located from Application > Metadata > Industry. |
| Initial Published Date | The earliest date on which a scan for the application was published. |
| Latest Published Date | The most recent date on which a scan for the application was published. |
| License Account | The account whose license covers the scans. For third-party applications, it is the account that paid for the scan. For SDLC applications, it is the same as the scanning account. |
| License Type | The type of license: SDLC or Third-party. SDLC (software delivery lifecycle) licenses cover internal testing of first-party software and are by far the most common. Third-party licenses let a software supplier scan the code it is developing for the Veracode user, so you can assess supplier partners through the Veracode Platform. |
| Manual Penetration Test Due Date | The date by which a manual penetration test is required, per the application policy. If the date is in the past, the due date was missed. |
| Manual Penetration Test Frequency | The manual penetration test frequency (for example weekly, monthly, or quarterly) that the policy requires for the application. |
| Number of Dynamic Scans | The number of dynamic scans of the application. |
| Number of Static Scans | The number of static scans of the application. |
| Requested a Consultation | Veracode offers the ability to schedule a consultation (readout) with application security consultants to better understand Veracode scanning and results. Values are No Readout Requested or Readout Requested, depending on whether a consultation has been requested for the application. |
| Scanning Account | The account in which the scans ran. For SDLC applications, it is the same as the license account. For third-party applications, it is the vendor account. Third-party applications are not commonly used. |
| Scanning Status | The scanning status of the application. Values are DynamicMP + SDLC, DynamicMP Only, No Published Policy Scans, and SDLC only. |
| Static Scan Due Date | The date by which a static scan must run, per the application policy. If the date is in the past, the due date was missed. |
| Static Scan Frequency | The static scan frequency (for example weekly, monthly, or quarterly) that the policy requires for the application. |
| Tags List | The list of tags added to the application in the application metadata. Tags let users organize their applications. |
| Web Application Flag | Whether the application is a web application. This flag is set on the application metadata page. |

Applications measures

| Measure | Description |
|---|---|
| Application Scan Counts | The total count of applications scanned, rescanned, and not scanned in the past 90 and 365 days. |
| Applications with Consultations | The count of applications for which a security consultation has been requested. |
| Count | The count of distinct application IDs. |
| Percentage of Applications with Consultation Requests | The percentage of applications for which a consultation call was requested. |

CVE dimensions

| Dimension | Description |
|---|---|
| Access Complexity | CVSS v2 base metric measuring the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. Values are Low, Medium, or High. |
| Access Vector | CVSS v2 base metric indicating how the vulnerability is exploited. Values are Local, Adjacent Network, or Network. |
| Authentication | CVSS v2 base metric measuring the number of times an attacker must authenticate to a target to exploit the vulnerability. Values are None, Single, or Multiple. |
| Availability Impact | CVSS v2 base metric measuring the impact a successfully exploited vulnerability has on the accessibility of information resources. Values are None, Partial, or Complete. |
| Confidentiality Impact | CVSS v2 base metric measuring the impact a successfully exploited vulnerability has on confidentiality. Values are None, Partial, or Complete. |
| CVE ID | The identifier assigned by MITRE to a publicly known cybersecurity vulnerability. |
| CVSSv2 Score | The numerical score produced by Version 2 of the Common Vulnerability Scoring System (CVSS), reflecting the severity of the principal characteristics of the vulnerability. |
| CVSSv3 Score | The numerical score produced by Version 3 of the Common Vulnerability Scoring System (CVSS), reflecting the severity of the principal characteristics of the vulnerability. |
| Integrity Impact | CVSS v2 base metric measuring the impact a successfully exploited vulnerability has on the trustworthiness and veracity of information. Values are None, Partial, or Complete. |
| No-CVE ID | The identifier Veracode assigns in its proprietary database to vulnerabilities in open-source libraries that have no CVE. |
| Published Date | The date the vulnerability was published to the Veracode Vulnerability Database. |
| Summary | The description and details of the vulnerability. |
| Vulnerability Title | A short summary of the vulnerability. |
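
The six metric dimensions above are the CVSS v2 base metrics, and the CVSSv2 Score is a fixed function of them. The following is an added example, not Veracode code: it parses a CVSS v2 vector string into those dimensions and recomputes the base score using the weights and equation from the CVSS v2 specification, which lets you sanity-check an imported score or derive one when only the vector is available. The function names, the label strings, and the sample vectors are the example's own.

```python
"""CVSS v2 base-score computation from a vector string (added example)."""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights from the CVSS v2 specification, keyed by vector abbreviation.
ACCESS_VECTOR = {"L": ("Local", 0.395), "A": ("Adjacent Network", 0.646), "N": ("Network", 1.0)}
ACCESS_COMPLEXITY = {"H": ("High", 0.35), "M": ("Medium", 0.61), "L": ("Low", 0.71)}
AUTHENTICATION = {"M": ("Multiple", 0.45), "S": ("Single", 0.56), "N": ("None", 0.704)}
IMPACT = {"N": ("None", 0.0), "P": ("Partial", 0.275), "C": ("Complete", 0.660)}

METRIC_TABLES = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}

# Maps vector abbreviations to the dimension names used in the Findings explore.
DIMENSION_NAMES = {
    "AV": "Access Vector", "AC": "Access Complexity", "Au": "Authentication",
    "C": "Confidentiality Impact", "I": "Integrity Impact", "A": "Availability Impact",
}


def parse_cvss2_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {abbrev: (label, weight)}.

    Rejects unknown metrics, unknown values, and vectors missing a base metric,
    so a malformed vector from an upstream feed fails loudly instead of scoring 0.
    """
    parsed = {}
    for part in vector.strip().strip("()").split("/"):
        if ":" not in part:
            raise ValueError(f"malformed metric {part!r}")
        key, value = part.split(":", 1)
        table = METRIC_TABLES.get(key)
        if table is None:
            raise ValueError(f"unknown CVSS v2 base metric {key!r}")
        if value not in table:
            raise ValueError(f"invalid value {value!r} for metric {key}")
        parsed[key] = table[value]
    missing = sorted(set(METRIC_TABLES) - set(parsed))
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return parsed


def cvss2_dimensions(vector: str) -> dict:
    """Return the vector's metrics as {dimension name: label}, e.g. 'Access Vector': 'Network'."""
    return {DIMENSION_NAMES[k]: label for k, (label, _) in parse_cvss2_vector(vector).items()}


def _round_to_1_decimal(x: float) -> float:
    # The specification's round_to_1_decimal; Decimal avoids binary rounding surprises.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base equation: 0.0 when no impact, otherwise 0..10 rounded to 1 decimal."""
    m = parse_cvss2_vector(vector)
    c, i, a = m["C"][1], m["I"][1], m["A"][1]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * m["AV"][1] * m["AC"][1] * m["Au"][1]
    f_impact = 0 if impact == 0 else 1.176
    return _round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


if __name__ == "__main__":
    # Sample vectors constructed for the example.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C", "AV:N/AC:L/Au:N/C:P/I:P/A:P", "AV:L/AC:L/Au:N/C:C/I:C/A:C"):
        print(v, cvss2_dimensions(v), cvss2_base_score(v))
```

If a CVE row carries both a CVSSv2 Score and a vector, recomputing the score this way is a cheap integrity check on the imported data; a mismatch usually means the vector and score came from different revisions of the advisory.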

CWE dimensions

| Dimension | Description |
|---|---|
| Category Name | The common weakness enumeration (CWE) category of the finding identified by the scan. |
| Description | The description of the finding's CWE category. |
| Flaw Name | The CWE name of the finding. |
| ID | The CWE ID of the finding. This dimension is most useful when combined with the Flaw Name dimension. |
| Latest CWE Top 25 | The finding's CWE mapped to the latest SANS/MITRE CWE Top 25, the list of errors that can lead to the most serious software vulnerabilities. |
| OWASP 2013 | The category of the OWASP Top 10 (2013 edition) to which the finding's CWE maps. |
| OWASP 2017 | The category of the OWASP Top 10 (2017 edition) to which the finding's CWE maps. |
| Remediation Effort | The level of effort required to remediate the finding. |
| SANS 25 | The finding's CWE mapped to the SANS Top 25, the list of the most significant errors that can lead to software vulnerabilities. |
| Top 5 Categories | The finding's CWE grouped into the top 5 categories of the most significant errors, according to the SANS Top 25 list. |

Findings dimensions

| Dimension | Description |
|---|---|
| Application ID | The application ID associated with the finding. |
| Archived by Sandbox Expiration (Yes / No) | Whether Veracode archived the finding and removed the scan from view because the sandbox scan expired. Use this flag to include or exclude findings that existed only in archived scan data. Findings that also exist in non-archived scan data are not considered archived. |
| Component Path | The custom name and severity of the library at the time the application was built. |
| Custom Severity | The user-defined severity for the finding. Located from Policy > Policies > Custom Severities. |
| Custom Severity Description | The description of the user-defined severity applied to the finding. |
| Custom Severity Name | The name of the finding's severity. Values are Informational, Very Low, Low, Medium, High, or Very High. |
| CWE ID | The ID and name of the common weakness enumeration (CWE) identified by the scan. |
| Description | A brief description of the finding. For the category description, see the CWE Description dimension. |
| Dynamic Findings - General | A group of Dynamic Analysis fields (Path, Vulnerable Parameter); see the list following this table. |
| Exploitability | The rating of the likelihood that an attacker could exploit the finding. |
| Exploitability Description | The description of the likelihood that an attacker could exploit the finding. |
| Fixable (Yes / No) | Whether the finding could be resolved using Veracode Fix. |
| Fixed Date | The date the finding was closed because it was no longer present in the scan results for the application, meaning it was fixed or remediated. |
| Finding Status | The status of the finding. Values are Open or Closed. |
| First Found Date | The date the finding was first found. You can filter by Date, Month, Quarter, Time, Week, Year. |
| Flaw Age | The number of days between the First Found Date and the Resolved Date. If the resolved date is null, today's date is used. |
| Flaw Age Tier | The length of time, in days, that the finding has been open, bucketed. Values are 1, 7, 30, or 90 days. |
| Flaw ID | The ID of the finding on the Veracode Platform. |
| Grace Period Expiration Date | The date on which the grace period for the finding expires. Veracode calculates it from the date the finding was last opened (the First Found or Last Reopened date) plus the grace period defined in the security policy assigned to the application. This date applies only to open findings that affect policy compliance. |
| Last Found Date | The date the finding was last found. You can filter by Date, Month, Quarter, Time, Week, Year. |
| Last Updated Date (Reporting API only) | Used for incremental reporting of findings data in the Reporting API. The latest of: First Found Date, Last Found Date, Resolved Date, Most Recent Mitigation Action Date, and the timestamp of any application-level change (for example a changed Application Name, Business Unit, or Policy). |
| Library First Found in Active Scans | The earliest date of a scan in which this library was found. This date can be later than when Veracode SCA detected a vulnerability, because earlier scans containing the library may have been archived or deleted. |
| Mitigation Status | The latest mitigation workflow status for a mitigation on the finding. Values are Proposed, Accepted, Rejected, or Not Mitigated. |
| Module Name | The name of the module in which the finding was seen. |
| Most Recent Mitigation Details | A group of fields describing the most recent mitigation actions on the finding; see the list following this table. |
| New Finding (Yes/No) | Whether the finding is new. Values are Yes or No. |
| Policy or Sandbox Scan | Whether the finding is from a policy scan or a sandbox scan. |
| Policy Rule Passed (Yes/No) | Whether the finding passed policy. For open findings and mitigated closed findings, this is evaluated against the policy currently attached to the application. For closed, fixed findings, it is evaluated against the version of the policy attached when the finding was closed. Values are Yes or No. |
| Policy Status | Whether the finding passed, failed, or conditionally passed policy (rule failed but the finding is still within its grace period). |
| Reopened Date | The date the finding was reopened. You can filter by Date, Month, Quarter, Time, Week, Year. |
| Reopened Finding (Yes/No) | Whether the finding is a reopened finding. |
| Resolved Date | The date the finding was closed, either through remediation (the finding no longer appears in the results) or through an approved mitigation or resolution workflow. You can filter by Date, Month, Quarter, Time, Week, Year. |
| Sandbox Name | The name of the sandbox in which the finding was found. |
| Scan Type | The type of scan that produced the finding. Values are Dynamic, Static, or Manual Penetration Test. |
| Second Party Component | The name of the second-party component used by the module in which the finding was seen. |
| Static Findings - General | A group of Static Analysis fields (Attack Vector, Class Path, Filename/Class, Function Name, Most Recent Line Number); see the list following this table. |
| Submodule Path | Second-party submodule information. |
| Unique to a Single Context (Yes/No) | Whether the finding has been seen in only one sandbox or policy context within the application. |

Dynamic Findings - General fields:

  • Path: the URL path at which Dynamic Analysis discovered the vulnerability.
  • Vulnerable Parameter: the specific injection point identifying the vulnerability discovered by Dynamic Analysis. Examples include cookies, query strings, and POST body data. Not all vulnerabilities have a vulnerable parameter.

Most Recent Mitigation Details fields:

  • Acceptance Comment: the comment provided with the most recent acceptance of a mitigation proposal.
  • Acceptance Date: the date the most recent mitigation proposal was accepted.
  • Acceptance Time: the time the most recent mitigation proposal was accepted.
  • Accepter Username: the username of the person who accepted the most recent mitigation proposal.
  • MPR Comment: the comment provided by Veracode in the most recent Mitigation Proposal Review of a mitigation proposal.
  • MPR Date: the date of the most recent Mitigation Proposal Review for this mitigation proposal.
  • MPR Status: whether the finding conforms to the risk tolerance guidelines established by your organization.
  • MPR Time: the time of the most recent Mitigation Proposal Review for this mitigation proposal.
  • MPR Username: Veracode provides Mitigation Proposal Reviews as a service, offering guidance on the validity, propriety, and effectiveness of mitigation proposals according to the risk tolerance guidelines of your organization. Veracode is always the username returned in this field.
  • Proposal Comment: the comment provided with the most recent mitigation proposal.
  • Proposal Date: the date the most recent mitigation proposal was made.
  • Proposal Time: the time the most recent mitigation proposal was made.
  • Proposer Username: the username of the user who made the most recent mitigation proposal.
  • Rejecter Username: the username of the user who rejected the most recent mitigation proposal.
  • Rejection Comment: the comment provided with the rejection of the most recent mitigation proposal.
  • Rejection Date: the date the most recent mitigation proposal was rejected.
  • Rejection Time: the time the most recent mitigation proposal was rejected.

Static Findings - General fields:

  • Attack Vector: the location of the flaw (the sink) discovered by Static Analysis in the function call, as shown in the Triage Flaws view of the Veracode Platform.
  • Class Path: the full name of the class path containing the finding, as shown on the Data Path details page in the Triage Flaws view of the Veracode Platform.
  • Filename/Class: the filename or class in which Veracode discovered the static finding. This value is combined with the line number in the Source field of the Triage Flaws view of the Veracode Platform.
  • Function Name: the name of the function in which Veracode discovered the static finding. This value replaces the filename in the Source field of the Triage Flaws view when the modules were compiled and uploaded without debug symbols.
  • Most Recent Line Number: the line number at which Veracode discovered the finding in the most recent static scan, or the relative location within the function that contains the finding.

Findings measures

| Measure | Description |
|---|---|
| Average Mitigation Process - Days | The average number of days between a mitigation being proposed for a finding and its acceptance. |
| Time to Resolve | The number of days from the time a finding was opened or reopened to the earliest subsequent resolution. Resolution types are remediation or an accepted mitigation. This measure is always calculated per context: it measures the time to resolve a finding within a single sandbox or policy context, not across the multiple instances of a finding in several sandboxes. |
| Total Mitigation Process Days | The total number of days between a mitigation being proposed for a finding and its acceptance. |
| Total Number of Flaws - Application | The total number of findings per application. Use the severity dimensions to filter this count by severity. |
| Total Number of Sandbox Flaws | The total number of findings per sandbox. Use the severity dimensions to filter this count by severity. |
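
Several of the Findings dimensions and measures above (Flaw Age, Flaw Age Tier, Grace Period Expiration Date, Policy Status, Last Updated Date, and Time to Resolve) are defined as date arithmetic over a finding's First Found, Reopened, Resolved, and mitigation dates. The following is an added example, not Veracode code: it reproduces those definitions for a single finding record so that a team pulling raw findings from the Reporting API can recompute them locally and reconcile against what Analytics reports. The Finding record, its field names, the grace period being passed in as a number of days, the bucket edges used for Flaw Age Tier, and the sample dates are all the example's assumptions.

```python
"""Finding-lifecycle calculations mirroring the Findings data dictionary (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def iso(s: str) -> date:
    """Parse a YYYY-MM-DD string, the date format the example's sample records use."""
    return date.fromisoformat(s)


@dataclass
class Finding:
    # Assumed record shape; field names follow the dictionary's dimension names.
    first_found: date
    last_found: date
    last_reopened: Optional[date] = None            # Reopened Date, None if never reopened
    resolved: Optional[date] = None                 # Resolved Date: remediation or accepted mitigation
    last_mitigation_action: Optional[date] = None   # Most Recent Mitigation Action Date
    app_changed: Optional[date] = None              # application-level change (name, BU, policy)
    rule_passed: bool = True                        # Policy Rule Passed (Yes/No)
    affects_policy: bool = True                     # finding counts toward policy compliance

    @property
    def is_open(self) -> bool:
        return self.resolved is None

    @property
    def last_opened(self) -> date:
        """Date the finding was last opened: Last Reopened if set, otherwise First Found."""
        return self.last_reopened or self.first_found


def flaw_age(f: Finding, today: date) -> int:
    """Flaw Age: days from First Found Date to Resolved Date, or to today while open."""
    return ((f.resolved or today) - f.first_found).days


FLAW_AGE_TIERS = (1, 7, 30, 90)  # assumed bucket edges for the 1/7/30/90-day tiers


def flaw_age_tier(age_days: int) -> str:
    """Flaw Age Tier: smallest tier edge the age fits under (assumed bucketing)."""
    for edge in FLAW_AGE_TIERS:
        if age_days <= edge:
            return f"<= {edge} days"
    return f"> {FLAW_AGE_TIERS[-1]} days"


def grace_period_expiration(f: Finding, grace_days: int) -> Optional[date]:
    """Grace Period Expiration Date: last opened date plus the policy grace period.
    Defined only for open findings that affect policy compliance."""
    if not f.is_open or not f.affects_policy:
        return None
    return f.last_opened + timedelta(days=grace_days)


def policy_status(f: Finding, grace_days: int, today: date) -> str:
    """Policy Status: Passed, Conditional Pass (rule failed, within grace), or Failed."""
    if f.rule_passed:
        return "Passed"
    expiry = grace_period_expiration(f, grace_days)
    if expiry is not None and today <= expiry:
        return "Conditional Pass"
    return "Failed"


def last_updated(f: Finding) -> date:
    """Last Updated Date: the latest of the dates the Reporting API folds together."""
    candidates = [f.first_found, f.last_found, f.resolved, f.last_mitigation_action, f.app_changed]
    return max(d for d in candidates if d is not None)


def time_to_resolve(f: Finding) -> Optional[int]:
    """Time to Resolve: days from the last open/reopen to the resolution that followed it,
    for one finding in one sandbox or policy context. None while the finding is open."""
    if f.resolved is None or f.resolved < f.last_opened:
        return None
    return (f.resolved - f.last_opened).days


if __name__ == "__main__":
    # Constructed sample: a failing finding found 10 days ago under a 30-day grace period.
    today = iso("2024-01-20")
    f = Finding(first_found=iso("2024-01-10"), last_found=today, rule_passed=False)
    print(flaw_age(f, today), flaw_age_tier(flaw_age(f, today)),
          grace_period_expiration(f, 30), policy_status(f, 30, today))
```

When reconciling with the Reporting API, compute Time to Resolve per (finding, context) pair before aggregating; pooling instances of the same flaw across sandboxes changes the averages, which is why the measure is defined per context.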

Resolution and mitigation

| Measure | Description |
|---|---|
| Latest Resolution and Mitigation Status | The latest resolution and mitigation status for a flaw. If a flaw is closed through a scan, that status supersedes all others. Possible statuses are: Approved, Closed - Previously Reported, Closed - through Scan, No Resolution/Mitigation, Proposed, Rejected. |
| Resolution and Mitigation Status | The mitigation and resolution status of the finding: Approved, Proposed, Automated, or None. If the flaw is closed, this field reflects the reason for its original closure. Veracode recommends using Latest Resolution and Mitigation Status to surface the final closure reason. |
| Resolution and Mitigation Type | The type of resolution and mitigation. |

SCA dimensions

| Dimension | Description |
|---|---|
| Component ID | The ID Veracode assigns to each unique component. |
| Component Name | The name of the library component, including version. For some languages, this name is the component filename. |
| Component Version | The version or extension of the component file. |
| Library | The name of the library component without version or extension. |
| Library Description | The description of the library. For Java, descriptions are sourced from Maven. For other languages, this field is often blank. |
| Library Vendor | The organization or open-source project that provides the library. For Java, vendor identities are sourced from Maven. For other languages, this field is often blank. |

SCA measures

| Measure | Description |
|---|---|
| Component Count | The count of unique component IDs. |

SCA license dimensions

| Dimension | Description |
|---|---|
| License Name | The name of the intellectual property license associated with a library. |
| License Risk | The risk rating associated with the license (Low, Medium, High). |

SCA license measures

| Measure | Description |
|---|---|
| License Count | The count of intellectual property licenses associated with libraries. |