Managing application profiles
The application profile describes your application, identifies the policy used to evaluate the application, and provides metadata that enables a thorough analysis of security performance across all applications in your organization.
To access the Applications page, select All Applications on the Veracode Platform homepage.
From the Applications page, you can:
- Add an application to the portfolio.
- Bulk-add several applications at one time to the portfolio.
- Edit an existing application profile.
- Delete an existing application profile.
You can also manage application profiles with the Applications REST API.
You must have the appropriate roles to perform application profile tasks.
The following table lists common application architectures and the number of application profiles you might need for each architecture.
| Application architecture | Number of application profiles |
|---|---|
| Monolith or single application | One |
| Front-end and back-end | Two |
| Microservices | Multiple |
| Customized versions of the same codebase | Multiple |
| Application Suite | Multiple |
Considerations for application profiles
When you create an application profile for Static Analysis, consider the following:
- The policy assigned to an application profile applies to all applications associated with that profile.
- Flaws, mitigations, and comments are specific to an application profile. You cannot transfer them to another profile. To match flaws between scans, see flaw matching. There are several Community projects that allow you to copy some of this information.
- Don't associate a binary or a source file directory with multiple application profiles unless it is used as a library or framework.
- Profiles for applications such as web pages or desktop applications require an entry point to access functions and data in the associated application.
- Ensure that all dependencies (binary or source code) are packaged with the corresponding application and mapped to the relevant application profile. Do not create a separate profile for code that cannot be accessed directly (over the network or through the CLI).
- For compiled languages such as C, C++, Java, and .NET, avoid placing multiple versions of the same library in the root of a packaged application. Instead, add each version to separate WAR files or statically compile each version into separate applications.
- Some Veracode Static Analysis licenses limit the number of application profiles you can create. If you are unsure whether this applies to your license, contact your Veracode Customer Success Manager.
- To ensure consistent scan results, upload the same packaged application files for each scan. Features such as flaw matching rely on consistent uploads.
- Scans of small uploads typically complete faster. Uploading a large, complex application to a single profile might increase scan duration and lead to inconsistent results.