Review findings
Reviewing the findings (flaws and vulnerabilities) from completed scans of your applications involves:
- Accessing the scan results, which are available in several Veracode products
- Reviewing the findings with your teams
- Mitigating findings you won't resolve
- Resolving (remediating) findings you must fix to secure your applications
We use a methodology and several analysis techniques to identify findings in your applications, and determine their severity, or level of risk.
If you use Veracode products that access the Veracode Platform, such as Veracode Upload and Scan and Veracode DAST, we recommend reviewing the results in the Veracode Platform. If you perform multiple scan types on an application, such as SAST, DAST, SCA, and MPT scans, you can access all results from the Results page, and review and manage SAST and DAST findings with your teams on the Triage Flaws page.
In the Veracode Platform, the results are available in multiple reports. You can also access and use analytics data to get insight into findings for supported scan types.
If you are new to reviewing results from application security tests, or you want to review the results with your teams, we recommend scheduling a consultation with Veracode security experts. Also, before attempting to resolve findings, we recommend reviewing our guidance on developing a remediation plan.
Findings from Veracode Pipeline Scan, and any integrations that use it for Static Analysis, are not available in the Veracode Platform.
Prerequisites
To access and review scan results or reports, you must have:
- A license for the type of scan, such as Static Analysis or SCA, for which you want to review findings.
- A Veracode account with one or more of the following roles:
  - Administrator
  - Reviewer
  - Sandbox User
  - Security Lead
  - Executive
- A scanned application, using either the Veracode Platform or an integration that accesses the Veracode Platform, and the scan results must be available in the Veracode Platform.
- To access findings from DAST scans, the results must be linked to the application profile. See the instructions for DAST Essentials or Dynamic Analysis.
- To access findings from SCA Agent-based Scan, the SCA project must be linked to the application profile.
Access results in the Veracode Platform
Access the findings for a scanned application from its application profile in the Veracode Platform.
The scan results from Veracode integrations are typically available within the integration. The results for several integrations, such as IDEs, SCMs, and APIs, that connect to the Veracode Platform are available in the Veracode Platform interface.
If you need help or guidance with reviewing findings from Veracode's expert security professionals, schedule a consultation.
To complete this task:
- Sign in to the Veracode Platform.
- Select My Portfolio > Applications.
- On the All Applications page, locate an application with results ready.
- In the Results column, select View. The Results page opens.
- If the scan is in progress, select the View Partial Results link to review a portion of your results while the remainder of your application is scanned.
Results page
In the Veracode Platform, the Results page provides a single point of reference for the results of all completed scans. View the results of all scans performed on the application, including security policy evaluations and a summary of the results.
You also access reports (Veracode and PCI compliance) showing detailed information about your scans and findings, download reports, bookmark reports, and schedule a consultation call with Veracode Technical Support.
Reporting options
At the top of the Results page, select from the following options to access and manage reports for the selected results.
- Veracode Report: the Veracode Report contains the same information as the Detailed Report. The Veracode Report summarizes the security flaws identified during this scan, explains how the application fared against the associated policy controls, and outlines the Veracode recommendations.
- PCI Compliance Report: the PCI Compliance Report provides guidance on how to fix the discovered flaws to achieve PCI compliance and how the application performed against the PCI policy.
- Download: opens a dropdown menu of the reports you can download as PDF or XML.
- Bookmark: bookmark the displayed Results page. Bookmarked reports capture a snapshot of findings and policy compliance at a specific point in time. Enter a name for the bookmark and select Save. To access bookmarked reports, select Bookmarked Reports from the left menu.
- Share: if you have a vendor-enterprise relationship with other organizations, select this option to share the results with your vendors.
- Schedule a Consultation: schedule a consultation with Veracode security experts to get help with reviewing your results and resolving findings.
Left menu items
Select from the following links in the left menu. The list of links varies depending on the types of scans (SAST, DAST, SCA, MPT) run on the application.
- View Report - opens the Customizable Report. This report provides detailed information about the application's compliance with the assigned security policies.
- Software Composition Analysis - for Upload and Scan, which runs SAST and SCA scans, opens a page where you can review detected third-party components, license risk, vulnerabilities, and projects linked to the application profile, and perform mitigation actions on vulnerabilities. For SCA Agent-based Scan results, review SCA agent issues.
- Triage Flaws - for Static Analysis using Upload and Scan and Dynamic Analysis scans, opens the Triage Flaws page. This page displays a detailed list of static and dynamic findings (flaws) and provides options for managing and mitigating findings with your team.
- Mobile Behavioral Analysis - for Static Analysis using Upload and Scan, opens a report with details about detected permissions for mobile access. To view this report, Mobile Behavioral Analysis must be turned on for the scan.
- Flaw Sources - opens the Flaw Sources page that lists the injection points in your code where findings originate.
- Scan details - opens a report with details about the latest selected scan. For example, if you ran Static Analysis and Dynamic Analysis scans, you see the links Static Scan and Dynamic Analysis Scan. For a dynamic scan report, under Scan Submission Details, select the application name to view the Dynamic Analysis Coverage Report.
Policy Evaluation
The Policy Evaluation section provides an overview of how the application fared against its assigned security policy.
The policy evaluation shows whether the application was assessed against constraints, including rules, required scans, and a remediation grace period. The Veracode Level the application achieves is based on the security score it receives from completed scans.
To view more details about the scan results, select the scan names in the Static, Dynamic, and Manual columns to go to the overview pages.
Summarized Results
The Summarized Results section provides an overview of all the flaws by severity and status, as well as a summary of the top risks and how your metrics data is trending. You can see the number and types of flaws the application currently contains. The trend data shows the history of the scans and their findings.
Open Flaw Severities shows open flaws characterized by potential impact to confidentiality, integrity, and availability of the application as defined in the CVSS.
| Severity | CVSS rating (SCA and MPT only) | Description |
|---|---|---|
| 5 - Very High | 8.1-10 | These lines of code have a very serious weakness and are an easy target for an attacker. Fix this finding immediately to avoid potential attacks. |
| 4 - High | 6.1-8 | These lines of code have a serious weakness and are an easy target for an attacker. Fix this finding immediately to avoid potential attacks. |
| 3 - Medium | 4.1-6 | These lines of code have a moderate weakness and might be an easy target for an attacker. Fix this finding after fixing all Very High and High findings. |
| 2 - Low | 2.1-4 | These lines of code have a low weakness. Consider fixing this finding after fixing all Very High, High, and Medium findings. |
| 1 - Very Low | 0.1-2 | These lines of code have a very low weakness. The finding might indicate other problems in the code, but you do not need to mitigate it. |
| 0 - Informational | 0 | These lines of code have an issue with no impact on the security of the application, but the finding might indicate other problems in the code. You can safely ignore this issue. |
Remediation Status data shows the number of flaws found in an application, characterized by remediation status.
| Status | Scan type | Description |
|---|---|---|
| New | Policy | The number of flaws that Veracode did not find in any previous policy scan. |
| New | Sandbox | The number of flaws that Veracode did not find in any previous scan. |
| Open | Policy | The number of flaws Veracode found in a previous policy scan. |
| Open | Sandbox | The number of flaws Veracode found in a previous scan, not necessarily within this sandbox. |
| Reopened | Policy or Sandbox | The number of flaws Veracode found in a previous scan within the sandbox or policy scan, not found in a subsequent scan within the sandbox or policy scan, but found again in the current scan. |
| Fixed | Policy or Sandbox | The number of flaws Veracode found in a previous scan within the policy or sandbox scan, but did not find again in the current scan. |
| Mitigated | Policy or Sandbox | The number of flaws that someone approved as mitigated by OS environment, mitigated by network environment, and mitigated by design. |
| Potential False Positive | Policy or Sandbox | The number of flaws that someone approved as a potential false positive. |
Trend Data shows the history of the scans and their scores over time. You can hover over data points on the chart to view the name, date, and score of each scan.
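As an added illustration (not part of the Veracode documentation or product code), the following Python derives the New, Open, Reopened, and Fixed statuses from a constructed sequence of scans of one application. It assumes each scan is represented as the set of flaw keys it reported and takes whichever scan sequence applies (policy scans or one sandbox), so the policy-versus-sandbox distinction in the table is left to the caller; Mitigated and Potential False Positive are reviewer decisions and are not derived.

```python
# Constructed scan history for one application: each set holds the flaw keys
# one scan reported, oldest first. Keys are hypothetical, not Veracode flaw IDs.
SCAN_HISTORY = [
    {"F1", "F2", "F3"},        # scan 1
    {"F1", "F3", "F4"},        # scan 2: F2 not found
    {"F1", "F2", "F4", "F5"},  # scan 3 (current): F2 back, F3 gone, F5 first seen
]


def remediation_status(history):
    """Derive the status of each flaw relative to the latest scan in history.

    Follows the Remediation Status table: New (never seen in any earlier scan),
    Open (seen in the preceding scan), Reopened (seen earlier, absent from the
    preceding scan, found again now) and Fixed (seen earlier, absent now).
    """
    if not history:
        return {}
    *earlier, current = history
    preceding = earlier[-1] if earlier else set()
    seen_before = set().union(*earlier) if earlier else set()
    statuses = {}
    for flaw in current:
        if flaw not in seen_before:
            statuses[flaw] = "New"
        elif flaw in preceding:
            statuses[flaw] = "Open"
        else:
            statuses[flaw] = "Reopened"
    for flaw in seen_before - current:
        statuses[flaw] = "Fixed"
    return statuses


def status_counts(history):
    """Counts per status, the figures the Remediation Status summary shows."""
    counts = {"New": 0, "Open": 0, "Reopened": 0, "Fixed": 0}
    for status in remediation_status(history).values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    for flaw, status in sorted(remediation_status(SCAN_HISTORY).items()):
        print(flaw, status)
    print(status_counts(SCAN_HISTORY))
```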
Access results using Veracode integrations
The scan results from Veracode integrations are typically available within the integration. The results for several integrations, such as IDEs, SCMs, and APIs, that connect to the Veracode Platform are available in the Veracode Platform interface.
Findings from Veracode Pipeline Scan, and any integrations that use it for Static Analysis, are not available in the Veracode Platform.
IDEs
See the following topics on reviewing findings within your IDE:
SCMs
See the following topics on reviewing findings within your SCM tools:
CI/CDs
See the following topics on reviewing findings within your CI/CD systems:
Ticketing
To review and manage findings as issues and work items, use the following integrations to import scan results into your ticketing systems.
Veracode APIs
Access and review results using the REST and XML APIs:
REST APIs
XML APIs
Access container and IaC results
To access results from container and infrastructure as code (IaC) scans in the Veracode Platform, select Scans & Analysis > Container and IaC Analysis.
Access MPT results
After Veracode security experts perform Manual Penetration Tests (MPT) on your applications, access the results in the Veracode Platform.
Access VRM results
Veracode Risk Manager manages findings as issues. See Access and review issues in Veracode Risk Manager.
Schedule a consultation
Consultation calls provide you the opportunity to get assistance with configuring and running a scan or with interpreting the findings in your application. During scan configuration calls, Veracode can answer specific questions you have about your scan configuration or walk you through the best practices for setting up your scan. During scan results calls, Veracode can help you understand the significance of the findings and provide guidance on remediation and mitigation actions.
Before you begin:
To enable consultation calls, you must meet these requirements:
- You have an Enhanced Support subscription. If you have not purchased a subscription, contact [email protected] for more information about the support options.
- You have the necessary Veracode Platform role:
- Scan configuration calls require the Creator, Security Lead, or Submitter role.
- Scan results calls for policy scans require the Executive, Reviewer, or Security Lead role.
- Scan results calls for sandbox scans require the Sandbox User role.
- For scan results calls, you have results available.
If you have a scan configuration call scheduled, you cannot schedule any additional consultations for your application.
You can have one scan results call scheduled at a time for policy scans in addition to one for each sandbox.
To be included on all consultation calls for your organization, contact your Veracode account manager.
To complete this task:
- Go to the appropriate page in the Veracode Platform.
  - For calls concerning scan configuration, go to the application overview page.
  - For calls concerning scan results of policy scans, go to the application overview page, the Results page, or the Triage Flaws page of the latest results for the application.
  - For calls concerning scan results of sandbox scans, go to the Sandbox Results page.
- Select Schedule a Consultation to open the schedule window.
- Select the type of assistance you need.
  - Understanding how to configure and run a scan
  - Understanding my scan results
  Note: While a scan is being promoted from sandbox to policy, the Understanding my scan results option is turned off. This option is available when the scan finishes promotion to policy.
  Even if you have sandbox results, you can discuss only policy scan results in scan results calls scheduled from the Application page.
- Select the type of consultation:
  - Specific Questions
  - General Walkthrough
- Select the scan type you want to review.
- If you select Specific Questions, select any of the options that apply to your questions, and enter details in the free-text fields.
- Select Next.
- In Your Details, enter your name, select your timezone, and enter your email address.
- In Additional Call Attendees, add the email address for all the other people attending the consultation. There is no limit to the number of attendees you can invite.
- Select Next.
- Select the date and time at which you want to have the consultation.
- To schedule the consultation, select Schedule. If you schedule a Manual Penetration Testing consultation, you are prompted to provide three possible times when you can receive the consultation call.
If you need to cancel a consultation, please cancel it in the Veracode Platform or by contacting [email protected] at least 24 hours in advance. Declining the meeting invite does not cancel the meeting. If you do not cancel a scheduled consultation call at least 24 hours before the scheduled time, you incur a deduction of up to 2 hours of support or service hours from your account.
Schedule a next-day consultation
You can schedule a consultation for the following day if you have a next-day consultation subscription. A consultation call with Veracode can help answer specific questions you have about your scan results, help you understand the significance of the findings, and provide guidance on remediation and mitigations.
Before you begin:
To enable next-day consultation calls, you must meet these requirements:
- You have a next-day consultation subscription.
- Next-day consultations are allowed in your application profile.
- You have scan results.
- You have the necessary Veracode Platform role:
- Calls for policy scans require the Executive, Reviewer, or Security Lead role.
- Calls for sandbox scans require the Sandbox User role.
To complete this task:
- In the Veracode Platform, go to the Results page for the most recent scan of your application.
- Select the Schedule a Consultation button. A window opens where you can enter details about the call.
- Select the Show Next-Day Consultations checkbox, if available. Under the checkbox, you can view the number of next-day consultation calls available to you this month. If you have no next-day consultations this month, or you do not want to use a next-day consultation, do not select the Show Next-Day Consultations checkbox. Standard scheduling options are available for two business days from the date of the request.
- Select Next.
- Select a time for the call. If the time slot is grayed out, that time is unavailable.
- Select Schedule.
Ignore findings
We recommend resolving findings, including findings that attackers might not be able to exploit today, because these findings might become exploitable in the future.
You might want to ignore findings for the following reasons:
- There is no manual fix or suggested code patch from Veracode Fix.
- The finding isn't relevant to the application, is a potential false positive, or your team is willing to accept the risk of not resolving it. For example, a finding might be technically present in the code, but the application's overall security architecture or deployment policies effectively mitigate the risk.
Using the Veracode Platform
To ignore flaws from Static Analysis or Dynamic Analysis scans in the Veracode Platform, you can use mitigation actions, such as mitigating a finding as a potential false positive or accepting the risk of not resolving it, using the Triage Flaws page or the APIs.
To ignore issues for open-source components in the Veracode Platform, see SCA Agent-based Scan or SCA Upload and Scan.
Using your IDE
To ignore flaws in your IDE, select from the following topics. Veracode Scan for Visual Studio doesn't support ignoring findings.
If you're using the Static-only IDE integrations, see the topics on mitigating findings.
Using the APIs
Ignore findings using the REST and XML APIs.
REST APIs
XML APIs
Resolve findings
To resolve findings, remediate them by fixing the code where the flaws exist or replacing vulnerable open-source components with safe versions. You can also mitigate findings you won't resolve, or use the mitigation workflow to prioritize findings you will resolve.
To resolve findings from Veracode Pipeline Scan, we recommend using Veracode Fix to apply AI-generated code patches to flaws.
For examples of resolving vulnerabilities from SCA Agent-based Scan, see Find and resolve vulnerabilities.
For help with resolving and mitigating findings, schedule a consultation with Veracode Technical Support.
Verify your fixes
After fixing findings in your application, perform subsequent scans of your application to verify that the fixes were effective and that the fixes did not introduce additional security flaws. The first step in verifying your fixes is to submit a new scan of your application. Once the scan is complete, the Veracode Platform and the application report provide the following features for comparing the results.
For Static Analysis scans, we provide cleansing functions that these scans use to verify your fix.
Review the score trend
The score trend chart, which is available in the PDF reports, shows the trend of the application score over time and provides quick, at-a-glance feedback to indicate whether the changes made have improved the security of the application.
Identify new findings
Findings that were not present in the prior scan of the application are flagged with a NEW badge in the PDF reports.
Only static flaws are flagged as new.
Identify resolved findings
The appendix in the PDF reports lists flaws that were present in prior scans that were not found in the scan currently being verified.
The list of flaws not found might include flaws that were not fixed in some circumstances, for example, when a module of the application is not re-uploaded for scanning. For best results, the same modules should be uploaded during the verification scan that were uploaded for the initial scan.
Matching flaws between scans of the same application
Carrying mitigations and comments forward from one scan to the next requires that the flaws match from one scan to the next of the same application.
The flaw-matching process occurs when you perform two scans of the same application. To identify flaws that might be identical between the two scans, Veracode compares the results of the second scan to the first scan. If Veracode finds a match for any given flaw, it forwards any comments or mitigation information you supplied for the original flaw.
Static Analysis flaw matching
When publishing new static analysis scan results, Veracode searches these locations within the application to determine if a potentially matching flaw exists:
- All Static Analysis policy scans
- All Static Analysis sandbox scans
Veracode uses a complete model of the application program logic and data flow to identify the location of a flaw. Small changes in code location, including changes in line numbers, do not affect how Veracode identifies flaws. You can still change the code containing a flaw so that it no longer matches a flaw that Veracode found previously.
For a flaw to match across scans, it must meet these criteria:
- The source file name has not changed.
- The name of the module in which the flaw is located cannot change between scans. However, Veracode can match flaws if the end of the module name contains a varying numeric sequence. For example, foo-123.jar matches foo-125.jar.
Veracode Static Analysis requires debug information to find flaw locations for some languages, including .NET and Java. If an application is compiled without debug information, flaw matching might be impaired. For the list of languages that require compilation with debug information, see the Veracode packaging requirements.
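The matching criteria above, worked through in an added Python example that is not Veracode's own code: a flaw's match key is built from the CWE, the source file name, the enclosing procedure, and the module name with a trailing numeric run removed, so foo-123.jar and foo-125.jar match while a renamed module does not, and a shifted line number does not break the match. The Flaw record, its field names, and the regular-expression approximation of a "varying numeric sequence" are this example's assumptions, not Veracode's algorithm.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flaw:
    """Hypothetical flaw record; field names are this example's, not Veracode's."""
    cwe: int
    module: str
    source_file: str
    procedure: str
    line: int  # deliberately excluded from the match key


# Assumption: a run of digits just before the file extension is a version
# marker, so foo-123.jar and foo-125.jar normalize to the same module name.
_VERSION_RUN = re.compile(r"\d+(?=\.[A-Za-z0-9]+$)")


def normalize_module(name):
    return _VERSION_RUN.sub("", name, count=1)


def match_key(flaw):
    # Same CWE, same module (modulo the version run), same source file name,
    # same procedure. The line number is not part of the key, so small code
    # moves still match, as the text above describes.
    return (flaw.cwe, normalize_module(flaw.module), flaw.source_file, flaw.procedure)


def carry_forward(previous_flaws, current_flaws):
    """previous_flaws: {Flaw: mitigation note} from earlier scans.

    Returns {Flaw from the current scan: note carried forward, or None when no
    earlier flaw matches}, mirroring how comments and mitigations follow a flaw.
    """
    notes_by_key = {match_key(f): note for f, note in previous_flaws.items()}
    return {f: notes_by_key.get(match_key(f)) for f in current_flaws}


# Constructed scans: the same two findings before and after a build.
PREVIOUS = {
    Flaw(89, "foo-123.jar", "com/example/Dao.java", "findUser", 42):
        "Mitigated by design: input validated upstream",
    Flaw(79, "foo-123.jar", "com/example/Page.java", "render", 10):
        "Potential false positive",
}
CURRENT = [
    Flaw(89, "foo-125.jar", "com/example/Dao.java", "findUser", 47),  # version bump, line shift: matches
    Flaw(79, "bar-125.jar", "com/example/Page.java", "render", 10),   # module renamed: no match
]

if __name__ == "__main__":
    for flaw, note in carry_forward(PREVIOUS, CURRENT).items():
        print(flaw.module, flaw.source_file, "->", note)
```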
This table lists some known scenarios in which flaw matching does not occur. If a flaw is tagged as mitigated in a given scan, but the same flaw appears in a later scan with a different ID and not mitigated, it is likely because of one of these scenarios:
| Cause of problem | Explanation |
|---|---|
| Different module names | When identifying if a flaw is the same as a previously mitigated flaw, Veracode uses the module name to ensure that the analysis matches flaws that are in the same context. Veracode matches modules with different version numbers, as described above, but there are styles of versioning that can cause this matching to fail. |
| High flaw density | Veracode sometimes cannot determine which flaws in the new scan map to flaws in the old scan. For example, one scan of an application has five flaws of a specific type in a function, and the next scan has four flaws of that same type in that same function. |
| Moved source files | Veracode tries to detect source files that have moved within the source tree. For example, com/veracode/Foo.java moved to com/veracode/bar/Foo.java. Veracode does not explicitly detect source filename changes. |
| Multiple flaws on the same line | Flaw matching has improved to be able to correctly distinguish between flaws in applications that have multiple flaws on the same line. However, some past scans might have occurred when Veracode was not able to tell the difference between these flaws, causing flaws to close and reopen incorrectly. Future scans of these applications might cause some new flaws to appear because Veracode can now distinguish between multiple flaws on the same line. |
Known limitations
When the code submitted to Veracode has changed from the previously scanned code, flaw matching becomes more challenging and is subject to the following limitations, which Veracode is actively addressing.
Duplications
If there are identical copies of a flaw within different source files, you would expect to see separate flaws reported. However, Veracode does not recognize this duplication and only reports a single flaw.
Third-party fingerprinting
In some cases, when a build incorporates the work of a third party, there might not be any changes to a module. As a result, Veracode copies the results from the original module without recognizing that the module actually contains different information. This issue, known as third-party fingerprinting, occurs because Veracode does not utilize shared dependencies effectively. Therefore, it sometimes reports two separate flaws instead of matching them with existing flaws, even though the underlying vulnerabilities are the same.
Dynamic Analysis flaw matching
Dynamic Analysis flaw matching requires you to link the scan results to an application profile. Each scan identifies flaws in the latest version of the application and Veracode determines their statuses based on whether they were found in the previous scan.
MPT flaw matching
To learn about matching flaws from Manual Penetration Testing (MPT), see MPT Flaw Matching.