Skip to main content

SCA agent-based issues explore data dictionary

The following definitions describe the dimensions and measures used on the Software Composition Analysis (SCA) agent-based issues explore in Veracode Analytics.

SCA agent-based issues dimensions

DimensionDescription
Workspaces > Creation DateThe date the workspace was created. Possible values include date, month, quarter, time, week, and year.
Workspaces > Most Recent Repository Scan IDThe ID of the most recent scan in the workspace.
Workspaces > Most Recent Scan DateThe date of the most recent scan in the workspace.
Workspaces > NameName of the workspace.
Workspaces > Total ProjectsCount of all the projects within the workspace.
Workspaces > Workspace Issue SummaryConsists of:
  • Vulnerability Issues: count of issue IDs associated with vulnerabilities in the workspace.
  • Library Issues: count of issue IDs associated with outdated libraries in the workspace.
  • License Issues: count of issue IDs associated with software licenses in the workspace.
  • Total Issues: count of total issues created, regardless of type, associated with the workspace.
Workspaces > Team NameName of workspace team.
Projects > Client Repository IDAlternate unique project identifier.
Projects > Creation DateThe date the project was created. Possible values include date, month, quarter, time, week, and year.
Projects > Default BranchThe name of the default branch in the project, if configured.
Projects > Display NameYou can optionally set a user-friendly display name for the project which, if present, overrides the name in the UI.
Projects > HostThe generic term for the host of the repo. For example, in https://github.com/veracode/example-java-maven the path is srcclr and the name is example-java-maven. Host + path + name + subpath uniquely identify a repository in a workspace.
Projects > LanguagesThe mix of software languages within the project.
Projects > Latest Repository Scan IDThe scan ID for the most recent scan within the project.
Projects > Linked Application IDThe ID for the application profile linked to the project.
Projects > Linked ApplicationThe name of the linked application.
Projects > Most Recent Scan DateThe date of the most recent scan in the project. Possible values include date, month, quarter, time, week, and year.
Projects > NameThe generic term for grouping within a repository. For example, in https://github.com/veracode/example-java-maven the path is srcclr and the name is example-java-maven. Host + path + name + subpath.
Projects > PathThe generic term for either the Git repository user or organization (might be called something else in Bitbucket-style repositories). For example, in https://github.com/veracode/example-java-maven the path is srcclr and the name is example-java-maven. Host + path + name + subpath uniquely identifies a repository in a workspace.
Projects > Project Issue SummaryConsists of:
  • Vulnerability Issues: count of issue IDs associated with vulnerabilities in the project.
  • Library Issues: count of issue IDs associated with outdated libraries in the project.
  • License Issues: count of issue IDs associated with software licenses in the project.
  • Total Issues: count of total issues created, regardless of type, associated with the project.
Projects > Project NameThe name of the project within the workspace.
Projects > SubpathThe generic term for grouping within a repository. For example, in https://github.com/veracode/example-java-maven the path is srcclr and the name is example-java-maven. Host + path + name + subpath.
Projects > TypeThe type of project, application, repository, or container.
Projects > Web URLThe scanned repository URL (for example, the cloned GitHub URL).
Issues > BranchThe branch where the issue was discovered.
Issues > Commit HashThe commit hash where the issue was discovered.
Issues > Creation DateThe date the issue was created. Possible values are date, month, quarter, time, week, and year.
Issues > CVE IDThe CVE (Common Vulnerabilities and Exposures) of the issue, if there is one. Applied to vulnerability type issues only.
Issues > CWE IDThe CWE (Common Weakness Enumeration) for the issue. Applied to vulnerability type issues only.
Issues > Issue Fix DateThe date the issue was fixed. Possible values are date, month, quarter, time, week, and year.
Issues > Delta ScoreThe Update Risk Score for an out-of-date library issue only.
Issues > Dependency ModeTracks how the given library that caused the issue is pulled into the user repository: direct, transitive, or both.
Issues > Direct Library or Transitive LibraryDoes the issue arise from a direct library or a transitive library?
Issues > Duration to ResolveThe number of days from opening to closing of the issue, regardless of issue type.
Issues > Fixed Repository Scan IDThe scan that marked the issue as fixed, if any.
Issues > Has Vulnerable Methods (Yes/No)Does the project use the vulnerable part of the library associated with the issue? Yes or no.
Issues > Ignored (Yes/No)Indicates if the user ignored the issue.
Issues > Ignored by UsernameThe username of the user who ignored the issue.
Issues > Issue Ignored DateThe date the user ignored the issue. Possible values are date, week, month, quarter, and year.
Issues > Issue IDThe unique identifier for this issue.
Issues > Issue NameThe name of the issue.
Issues > Issue TypeThe type of issue: license, outdated library, or vulnerability.
Issues > Last Repository Scan IDThe most recent scan associated with this issue.
Issues > Most Recent VersionThe most current version of the library.
Issues > Name TagThe tag where the issue was discovered.
Issues > Opened Repository Scan IDThe scan ID that created the issue.
Issues > Policy IDThe ID for the policy or rules that created or updated the issue at scan time.
Issues > Policy RevisionThe version of the policy, if any, that created or updated the issue at scan time.
Issues > Repository IDThe project ID that contains the issue.
Issues > SeverityThe numerical ranking of the severity (1 = Low, 10 = Critcal).
Issues > Severity LevelThe severity of the issue: Critical, High, Medium, or Low.
Issues > StatusThe status of the issue: Open or Fixed.
Libraries > AuthorThe author of the library in use.
Libraries > Author URLThe author URL of the library in use.
Libraries > Bug Tracker URLThe URL for viewing bugs found with the library.
Libraries > Code Repository URLThe URL for the code repository of the library.
Libraries > Coordinate TypeWhere the library is located in the open-source community, such as Maven, NPM, Nuget.
Libraries > Current VersionThe version of the library in use.
Libraries > Current Version Release DateThe date the library found in the scan was first released publicly. Possible values are date, month, quarter, time, week, and year.
Libraries > DescriptionThe description of the library from the maintainer.
Libraries > Language TypeThe high-level language classification of the library.
Libraries > Library NameThe name of the library component.
Libraries > Most Recent Release DateThe date of the most recent update to the library. Possible values are date, month, quarter, time, week, and year.
Libraries > Most Recent VersionThe most recent version of the library to be released.
Libraries > Updated DateThe date the library was updated. Possible values are date, month, quarter, time, week, and year.
CVE > Access ComplexityAccording to the CVSS standard, this metric measures the complexity of the attack required to exploit the vulnerability after an attacker has gained access to the target system.
CVE > Access VectorAccording to the CVSS standard, this metric represents how the vulnerability is exploited.
CVE > AuthenticationAccording to the CVSS standard, this metric measures the number of times an attacker must authenticate to a target to be able to exploit a vulnerability.
CVE > Availability ImpactAccording to the CVSS standard, this metric measures the impact a successfully exploited vulnerability will have on the accessibility of information resources.
CVE > Confidentiality ImpactFrom the CVSS standard, this metric measures the impact on confidentiality of a successfully exploited vulnerability.
CVE > CVE IDThe ID established by MITRE of publicly known cybersecurity vulnerabilities.
CVE > CVSSv2 ScoreThe numerical score produced by Version 2 of the Common Vulnerability Scoring System (CVSS) that reflects the severity of the principal characteristics of a vulnerability.
CVE > CVSSv3 ScoreThe numerical score produced by Version 3 of the Common Vulnerability Scoring System (CVSS) that reflects the severity of the principal characteristics of a vulnerability.
CVE > Integrity ImpactAccording to the CVSS standard, this value is the measure of the impact to the trustworthiness and guaranteed veracity of information by a successfully exploited vulnerability.
CVE > Published DateDate or time when Veracode published the vulnerability to the Veracode Vulnerability Database. The values are date, month, quarter, time, week, or year.
CVE > SRCCLR IDThe ID Veracode provides in its proprietary database of vulnerabilities found in open-source libraries.
CVE > SummaryThe description and details of the vulnerability.
CVE > Vulnerability TitleA short summary of the vulnerability.
CWE > Category NameCategory of the Common Weakness Enumeration (CWE) found after the application was scanned.
CWE > DescriptionThe description of the CWE.
CWE > Flaw NameThe name of the Common Weakness Enumeration (CWE) found after the application was scanned.
CWE > IDThe ID of the Common Weakness Enumeration (CWE) found after the application was scanned. Most useful in combination with CWE Name.
CWE > NameThe CWE ID and the name of the Common Weakness Enumeration (CWE) found after the application was scanned.
CWE > OWASP 2013The top ten vulnerabilities identified by the Open Web Application Security Project (OWASP) in 2013. The dimension is infrequently used.
CWE > OWASP 2017The top ten vulnerabilities identified by the Open Web Application Security Project (OWASP) in 2017.
CWE > Remediation EffortThe level of effort it takes to remediate the finding.
CWE > SANS 25The list of the most significant errors that can lead to serious software vulnerabilities, according to the SANS top 25 list.
CWE > SeverityThe severity of the finding.
Licenses > Full TextThe full text of the license associated with the library.
Licenses > License NameThe name of the license associated with the library.
Licenses > OSI-ApprovedWhether or not the Open Source Initiative (OSI) has approved the license. To be approved, a license must go through the Open Source Initiative license review process.
Licenses > RiskThe risk associated with the use of this license.
Licenses > SPDX IDThe classification for the license from the Software Package Data Exchange (SPDX) license list (https://spdx.org/licenses/).
Licenses > VersionLicense version.

SCA agent-based scans measures

MeasureDescription
Workspaces > CountCount of unique workspaces.
Projects > CountCount of unique projects.
Projects > Count of Projects Linked to Application ProfilesCount of projects linked to application profiles.
Issues > Issue CountCount of issues, regardless of type.
Issues > Libraries with IssueNumber of unique libraries with at least one issue.
Issues > Time to ResolveThe average count of days from the opening to the closing of the issue, regardless of issue type.
Issues > Vulnerability CountCount of vulnerability issues.
Libraries > CountCount of distinct libraries.
CWE > CountCount of CWE vulnerabilities.
Licenses > License CountCount of unique licenses associated with a library.