Review findings
Reviewing the findings (flaws and vulnerabilities) from completed scans of your applications involves:
- Accessing the scan results, which are available in several Veracode products
- Reviewing the findings with your teams
- Mitigating flaws or mitigating vulnerabilities you won't resolve
- Remediating findings you must resolve (fix) to secure your applications
The Veracode Platform uses a methodology and several analysis techniques to identify findings in your applications, and determine their severity, or level of risk. To learn about risk assessment and scoring using Veracode Risk Manager, see Using factors.
If you use Veracode products that access the Veracode Platform, such as Veracode Upload and Scan and Veracode DAST, we recommend reviewing the results in the Veracode Platform. If you perform multiple scan types on an application, such as SAST, DAST, SCA, and MPT scans, you can access all results from the Results page, and review and manage SAST and DAST findings with your teams on the Triage Flaws page.
In the Veracode Platform, the results are available in multiple reports. You can also access and use analytics data to get insight into findings for supported scan types.
If you are new to reviewing results from application security tests, or you want to review the results with your teams, we recommend scheduling a consultation with Veracode security experts. Also, before attempting to resolve findings, we recommend reviewing our guidance on developing a remediation plan.
Flaws from Veracode Pipeline Scan, and any integrations that use it for Static Analysis, are not available in the Veracode Platform.
Prerequisites
To access and review scan results or reports in the Veracode Platform, you must have:
- A license for the type of scan, such as Static Analysis or SCA, for which you want to review findings.
- A Veracode account with one or more of the following roles:
  - Administrator
  - Reviewer
  - Sandbox User
  - Security Lead
  - Executive
- A scanned application, using either the Veracode Platform or an integration that accesses the Veracode Platform, and the scan results must be available in the Veracode Platform.
- To access DAST scan results, the results must be linked to the application profile. See the instructions for DAST Essentials or Dynamic Analysis.
- To access SCA scan results from SCA Agent-based Scan, the SCA project must be linked to the application profile.
Access results in the Veracode Platform
Access the findings for a scanned application from its application profile in the Veracode Platform.
The scan results from Veracode integrations are typically available within the integration. The results for several integrations, such as IDEs, SCMs, and APIs, that connect to the Veracode Platform are available in the Veracode Platform interface.
If you need help or guidance with reviewing findings from Veracode's expert security professionals, schedule a consultation.
To complete this task:
- Sign in to the Veracode Platform.
- Select My Portfolio > Applications.
- On the All Applications page, locate an application with results ready.
- In the Results column, select View. The Results page opens with details about the flaws found by SAST and DAST scans. To access vulnerabilities from SCA scans, from the left menu, select Software Composition Analysis to open the SCA Results page.
- For a Static Analysis scan, if the scan is in progress, select the View Partial Results link (if available) to review a portion of your results while the remainder of your application is scanned.
Results page
In the Veracode Platform, the Results page provides a single point of reference for the results of all completed scans. View the results of all scans performed on the application, including security policy evaluations and a summary of the results.
You can also access reports (Veracode and PCI compliance) showing detailed information about your scans and findings, download reports, bookmark reports, and schedule a consultation call with Veracode Technical Support.
Reporting options
At the top of the Results page, select from the following options to access and manage reports for the selected results.
- Veracode Report: opens the Veracode Report that summarizes the security flaws found by Static Analysis or Dynamic Analysis scans of your application. It explains how the application fared against the assigned security policy, and outlines Veracode recommendations for resolving the flaws. This report contains the same information as the Detailed Report.
- PCI Compliance Report: the PCI Compliance Report provides guidance on how to fix the discovered flaws to achieve PCI compliance and how the application performed against the PCI policy.
- Download: opens a dropdown menu of the reports you can download as a PDF or XML file.
- Bookmark: bookmark the displayed Results page. Bookmarked reports capture a snapshot of findings and policy compliance at a specific point in time. Enter a name for the bookmark and select Save. To access bookmarked reports, select Bookmarked Reports from the left menu.
- Share: if you have a vendor-enterprise relationship with other organizations, select this option to share the results with your vendors.
- Schedule a Consultation: schedule a consultation with Veracode security experts to get help with reviewing your results and resolving findings.
Left menu items
Select from the following links in the left menu. The list of links varies depending on the types of scans (SAST, DAST, SCA, MPT) run on the application.
- View Report - opens the Customizable Report. This report provides detailed information about the application's compliance with the assigned security policies.
- Software Composition Analysis - opens the SCA Results page where you can review SCA scan results, including detected third-party components, license risk, and review and mitigate vulnerabilities.
- Triage Flaws - for Static Analysis using Upload and Scan and Dynamic Analysis scans, opens the Triage Flaws page. This page displays a detailed list of static and dynamic flaws and provides options for managing and mitigating flaws with your teams.
- Mobile Behavioral Analysis - for Static Analysis using Upload and Scan, opens a report with details about detected permissions for mobile access. To view this report, Mobile Behavioral Analysis must be turned on for the scan.
- Flaw Sources - opens the Flaw Sources page that lists the injection points in your code where findings originate.
- Scan details - opens a report with details about the latest selected scan. For example, if you ran Static Analysis and Dynamic Analysis scans, you see the links Static Scan and Dynamic Analysis Scan. For a dynamic scan report, under Scan Submission Details, select the application name to view the Dynamic Analysis Coverage Report.
Flaw Sources
This page identifies main sources of untrusted data in an application and locates all the flaws that share a flaw source.
Being able to identify multiple flaws that you can fix with a single code change significantly reduces the time developers spend on finding and fixing or mitigating vulnerabilities in software code. If a source is secured by design, developers can report all the flaws stemming from the safe source with a single mitigation action.
To access the flaw sources report in the Veracode Platform after a static scan has completed, in the left navigation pane of the application page, select Results > Flaw Sources.
The flaw sources reports provide this information:
- The function that contains the flaw
- The location in the source file of that function
- The severities of the downstream flaws
- The CWE with which each flaw is associated
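The following Python script is an added example (not Veracode code) of the grouping the Flaw Sources page performs: it keys each flaw by the untrusted-data source it stems from, builds the four columns listed above, and lets one mitigation proposal cover every flaw that shares a source. The flaw records, their field names, and the functions `group_by_source`, `source_report`, and `propose_source_mitigation` are all constructed for illustration.

```python
"""Group static-analysis flaws by the untrusted-data source they stem from,
so that a single fix or mitigation at the source can be applied to every
downstream flaw, as the Flaw Sources page does.

Added example, not Veracode code. The flaw records and their fields
(source function, file, line, severity, CWE) are constructed for
illustration; only the four columns the page lists are reported.
"""
from collections import defaultdict


def group_by_source(flaws):
    """Return {(function, file, line): [flaws]} keyed by each flaw's source."""
    groups = defaultdict(list)
    for flaw in flaws:
        key = (flaw["source_function"], flaw["source_file"], flaw["source_line"])
        groups[key].append(flaw)
    return dict(groups)


def source_report(flaws):
    """Build the Flaw Sources view: one row per source, largest group first."""
    rows = []
    for (function, path, line), items in group_by_source(flaws).items():
        rows.append({
            "function": function,                                  # function containing the source
            "location": f"{path}:{line}",                          # its location in the source file
            "flaw_count": len(items),
            "severities": sorted({f["severity"] for f in items}, reverse=True),  # downstream severities
            "cwes": sorted({f["cwe"] for f in items}),             # CWEs of the downstream flaws
        })
    return sorted(rows, key=lambda r: (-r["flaw_count"], r["function"]))


def propose_source_mitigation(flaws, source_function, comment):
    """Attach one mitigation proposal to every open flaw sharing the source.

    Returns the IDs of the flaws the single proposal covers.
    """
    covered = []
    for flaw in flaws:
        if flaw["source_function"] == source_function and flaw.get("status", "open") == "open":
            flaw["mitigation"] = {"type": "mitigated by design", "comment": comment, "status": "proposed"}
            covered.append(flaw["id"])
    return covered


# Constructed sample: four flaws, three of which share one source.
SAMPLE_FLAWS = [
    {"id": 1, "source_function": "readParam", "source_file": "web/Input.java", "source_line": 42, "severity": 4, "cwe": 89},
    {"id": 2, "source_function": "readParam", "source_file": "web/Input.java", "source_line": 42, "severity": 3, "cwe": 79},
    {"id": 3, "source_function": "readParam", "source_file": "web/Input.java", "source_line": 42, "severity": 4, "cwe": 89},
    {"id": 4, "source_function": "loadConfig", "source_file": "core/Config.java", "source_line": 17, "severity": 2, "cwe": 22},
]

if __name__ == "__main__":
    for row in source_report(SAMPLE_FLAWS):
        print(row)
    print("covered:", propose_source_mitigation(SAMPLE_FLAWS, "readParam", "input validated at source"))
```

The report sorts sources by the number of downstream flaws, which is the order a developer wants when deciding which single code change pays off most.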
Policy Evaluation
The Policy Evaluation section of the Results page provides an overview of how the application fared against its assigned security policy.
The policy evaluation shows whether the application was assessed against constraints, including rules, required scans, and a remediation grace period. The Veracode Level the application achieves is based on the security score it receives from completed scans.
To view more details about the scan results on the overview pages, select the scan names in the Static, Dynamic, and Manual columns.
Summarized Results
The Summarized Results section of the Results page provides an overview of all SAST and DAST flaws by severity and status, including a summary of the top risks and how the scan metrics data is trending. You can see the number and types of flaws the application currently contains.
Open Flaw Severities
This section of the Results page shows open flaws characterized by potential impact to confidentiality, integrity, and availability of the application as defined in the CVSS.
| Severity | CVSS rating (SCA and MPT only) | Description |
|---|---|---|
| 5 - Very High | 8.1-10 | These lines of code have a very serious weakness and are an easy target for an attacker. Fix this finding immediately to avoid potential attacks. |
| 4 - High | 6.1-8 | These lines of code have a serious weakness and are an easy target for an attacker. Fix this finding immediately to avoid potential attacks. |
| 3 - Medium | 4.1-6 | These lines of code have a moderate weakness and might be an easy target for an attacker. Fix this finding after fixing all Very High and High findings. |
| 2 - Low | 2.1-4 | These lines of code have a low weakness. Consider fixing this finding after fixing all Very High, High, and Medium findings. |
| 1 - Very Low | 0.1-2 | These lines of code have a very low weakness. The finding might indicate other problems in the code, but you do not need to mitigate it. |
| 0 - Informational | 0 | These lines of code have an issue with no impact on the security of the application, but the finding might indicate other problems in the code. You can safely ignore this issue. |
Remediation Status
This section of the Results page shows the number of SAST and DAST flaws found in an application and their status, as described in the following table. You can use this data to compare the number of new or open flaws for an application to the number of mitigated or remediated (fixed) flaws.
| Status | Scan type | Description |
|---|---|---|
| New | Policy | The number of flaws that Veracode did not find in any previous policy scan. |
| New | Sandbox | The number of flaws that Veracode did not find in any previous scan. |
| Open | Policy | The number of flaws Veracode found in a previous policy scan. |
| Open | Sandbox | The number of flaws Veracode found in a previous scan, not necessarily within this sandbox. |
| Reopened | Policy or Sandbox | The number of flaws Veracode found in a previous scan within the sandbox or policy scan, not found in a subsequent scan within the sandbox or policy scan, but found again in the current scan. |
| Fixed | Policy or Sandbox | The number of flaws Veracode found in a previous scan within the policy or sandbox scan, but did not find again in the current scan. |
| Mitigated | Policy or Sandbox | The number of flaws that someone approved as mitigated by OS environment, mitigated by network environment, and mitigated by design. |
| Potential False Positive | Policy or Sandbox | The number of flaws that someone approved as a potential false positive. |
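As an added example (not Veracode code), the Python below derives the statuses in the table above from a series of scans: a flaw never seen in a relevant earlier scan is New, one still present since the previous scan is Open, one that disappeared and came back is Reopened, and one present in the previous scan but not the current one is Fixed. The reviewer-approved states (Mitigated, Potential False Positive) are modelled as overrides. It assumes stable flaw IDs across scans and treats "previous scan" as the most recent scan of the relevant type; the `scan_history` shape and the sample IDs are constructed.

```python
"""Classify flaws from a scan series into the remediation statuses the
Results page reports: New, Open, Reopened, Fixed, plus the reviewer-approved
states Mitigated and Potential False Positive.

Added example, not Veracode code. It assumes each flaw carries a stable ID
that persists across scans, that scan_history is ordered oldest to newest,
and that "previous scan" means the most recent scan of the relevant type.
"""
from collections import Counter


def relevant_history(scan_history, current_type):
    """Return the earlier scans that count as 'previous' for this scan type.

    Policy scans compare only against earlier policy scans; sandbox scans
    compare against every earlier scan, not necessarily within the same
    sandbox (this mirrors the New/Open rows of the status table).
    """
    if current_type == "policy":
        return [ids for kind, ids in scan_history if kind == "policy"]
    return [ids for _, ids in scan_history]


def classify_flaws(scan_history, current, current_type, approvals=None):
    """Return {flaw_id: status} for the current scan.

    scan_history: list of (scan_type, set_of_flaw_ids), oldest first,
                  where scan_type is "policy" or "sandbox".
    current:      set of flaw IDs found in the current scan.
    current_type: "policy" or "sandbox".
    approvals:    optional {flaw_id: "Mitigated" | "Potential False Positive"}
                  recorded by a reviewer; these override the scan-derived status.
    """
    approvals = approvals or {}
    history = relevant_history(scan_history, current_type)
    seen_before = set().union(*history) if history else set()
    previous = history[-1] if history else set()

    statuses = {}
    for flaw in current:
        if flaw in approvals:
            statuses[flaw] = approvals[flaw]
        elif flaw not in seen_before:
            statuses[flaw] = "New"        # never reported in a relevant earlier scan
        elif flaw in previous:
            statuses[flaw] = "Open"       # still present since the previous scan
        else:
            statuses[flaw] = "Reopened"   # reported earlier, absent later, back again
    for flaw in previous - current:
        statuses[flaw] = "Fixed"          # in the previous scan, not found this time
    return statuses


def status_counts(statuses):
    """Summarise a classification the way the Remediation Status panel does."""
    return dict(Counter(statuses.values()))


# Constructed sample: three earlier scans followed by a new policy scan.
SAMPLE_HISTORY = [
    ("policy", {"f1", "f2", "f3"}),
    ("sandbox", {"f1", "f4"}),
    ("policy", {"f1", "f3"}),
]
SAMPLE_CURRENT = {"f1", "f2", "f4", "f5"}

if __name__ == "__main__":
    result = classify_flaws(SAMPLE_HISTORY, SAMPLE_CURRENT, "policy")
    for flaw_id, status in sorted(result.items()):
        print(f"{flaw_id}: {status}")
    print(status_counts(result))
```

Running the sample as a policy scan reports f4 as New because it was only ever seen in a sandbox scan; classifying the same findings as a sandbox scan reports it as Reopened, which is exactly the policy/sandbox distinction the table draws.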
Top Risks
This section of the Results page lists the top flaws, by CWE name, and the number of each flaw found in the application.
Trend Data
This section of the Results page shows scan history and scan scores for the application over time. To view the name, date, and score of each scan, hover over data points on the chart.
View partial scan results
The Veracode Platform publishes Static Analysis results incrementally, by top-level module, so that you can begin reviewing your results while the remainder of your application is scanned.
Top-level modules are the binaries identified during prescan verification that have entry points for external data. If the flaws are found in code shared across top-level modules, Veracode recommends that you wait for the entire application to scan to view results in the context of the entire application.
To complete this task:
- From the Applications page in the Veracode Platform, select the View Partial Results link, when available. The Triage Flaws page opens, where you can review any available results.
  Veracode also sends email stating that partial results are available when the first module with results is published. You must have one of these roles to receive this email: Internal Reviewer, External Reviewer, Executive, Security Lead, Archer Reports, or Results API.
- To view which modules have finished scanning:
  a. At the top of the Triage Flaws page, select the % of modules scanned link. A popup opens, where you can view the number of modules that have already scanned and the number of modules in the queue for the current scan.
  b. To view information about a specific module, search by module name, then select Go.
- To view a set of results published at a certain time:
  a. From the Search dropdown, select Publish Time.
  b. For Publish Times, select the range of time you want to view.
  c. Select Go.
Access SCA results in the Veracode Platform
Access Software Composition Analysis (SCA) scan results, from both SCA Upload and Scan and SCA Agent-based Scan, for a specific application in the Veracode Platform. You can also access SCA results for all scanned applications.
The results provide details about the scanned components, detected vulnerabilities, license risk, and whether the results violate the assigned security policy.
Alternatively, access SCA results using the Findings REST API.
Before you begin:
To access results from SCA Agent-based Scan, the SCA project must be linked to the application profile for the scanned application.
To complete this task:
- Sign in to the Veracode Platform.
- Select My Portfolio > Applications.
- On the All Applications page, locate an application with results ready.
- In the Results column, select View. The Results page opens.
- From the left menu, select Software Composition Analysis. The SCA Results page opens.
SCA Results page
The SCA Results page in the Veracode Platform displays results from both SCA Upload and Scan and SCA Agent-based Scan to provide a unified view of all open-source risk for a specific application.
The SCA Results page displays components, vulnerabilities, and licenses from SCA Agent-based Scan, but not issues. You can view and mitigate issues on the Issues List page for a selected workspace.
To access SCA results for all scanned applications, use the main Software Composition Analysis page.
Select from the following tabs.
Third-Party Components
The Third-Party Components tab lists all the third-party components in your applications, and provides version, usage, license risk, and known vulnerability information.
To determine which scan type (SCA Upload and Scan, SCA Agent-based Scan, or both) found the component, select the numeral in the Occurrences column to open the Occurrence Details window. In the Source column, you see upload_scan for SCA Upload and Scan, and the repository name for SCA agent-based.
The list of components shows the filename and an at-a-glance view of the severity of each vulnerability that Veracode found in each component. The Count column shows you how many times a component is used across all of your applications. The License column details the first license the scan found for the component, and a risk rating Veracode assigned for the license.
If you scanned a JavaScript application that uses both Bower and NPM package managers, and a component exists in both the bower_components and node_modules folders, Veracode SCA displays both of the components individually.
Select a component filename to view the following information about the component.
- Other Versions: a list of all known versions of this component, an indication of whether that component is currently in your application portfolio, and the known vulnerabilities in that component.
- Vulnerabilities: the list of vulnerabilities in this component as well as its severity, CVE ID, CWE ID, and description.
- Dependent Applications: lists any applications that contain this component, the policy associated with that application, and a color-coded shield icon that indicates if the application is in compliance with its policy.
Licenses
The Licenses tab lists the licenses that the SCA scan associated with the open-source components in the selected application. You can use this information to further investigate your license obligations.
To see all licenses found for a component, select the Third-Party Components tab. If a component has multiple licenses, select the Show More link to view all licenses. In addition to the results that Veracode provides, you should also perform your own investigation, because the contents in a file could be subject to different or additional licenses.
To mitigate licenses you won't resolve, add comments, or manage proposed mitigations, select from the Mitigation Actions menu.
Select the link in the License column of a third-party component to go to the Open Source Initiative website for details about the license. You can also filter your third-party component data by risk rating. Use the filter function on the Third-Party Components tab to list applications by CVE ID, component, application name, or any combination of these filters.
To prevent an application from passing policy when a scan detects any license with the specified risk rating, add a license rule to your policy.
| License risk rating | Risk details |
|---|---|
| Low | Low-risk licenses are typically permissive licenses that require you to preserve the copyright and license notices, but allow distribution under different terms without disclosing source code. |
| Medium | Medium-risk licenses are typically weak copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component and any modifications under the same terms. |
| High | High-risk licenses are typically strong copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component and any modifications under the same terms. |
| Non-OSS | Non-OSS indicates that this file could be subject to commercial license terms. If so, you should refer to your applicable license agreement with such vendor for additional information. |
| Unrecognized | Unrecognized indicates that no license was found for the component. However, this does not indicate that there is no risk associated with the license. |
Vulnerabilities
The Vulnerabilities tab lists all the vulnerabilities and malicious libraries for the selected application. It sorts vulnerabilities by severity rating and lists the associated Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) IDs. It also includes a severity rating and a description for each entry.
The Vulnerability column might list two different data sources for vulnerabilities: a CVE ID indicates that the vulnerability came from the NVD and a SRCCLR ID indicates that the vulnerability came from the Veracode Vulnerability Database.
To mitigate vulnerabilities you won't resolve, add comments, or manage proposed mitigations, select from the Actions menu.
The Veracode Platform makes daily updates to this list of vulnerabilities to reflect any changes in the National Vulnerability Database or the Veracode Vulnerability Database to provide the latest information on third-party component vulnerabilities in your applications. In turn, SCA results and related dashboards such as a Governance Risk and Compliance (GRC) systems are updated to reflect any new vulnerabilities. You do not need to rescan your applications to reflect the latest vulnerability changes. Veracode recommends that you review your SCA policy compliance after every vulnerability update.
Veracode also sends an email to users when a newly identified or upgraded vulnerability affects your policy. To receive SCA email notifications, navigate to Your Account Settings, enter your email address, and select I wish to receive email notifications when a newly identified vulnerability or change in severity causes my application to violate policy.
The link to the Veracode Platform provided in the email notification is only accessible to users with the Security Lead role.
Linked Projects
For SCA Agent-based Scan results, the Linked Projects tab lists the linked SCA agent projects.
Access SCA results for all applications
To review all applications scanned using SCA Upload and Scan or SCA Agent-based Scan, go to the main Software Composition Analysis page in the Veracode Platform.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans & Analysis > Software Composition Analysis.
- Select one of the following tabs:
  - Upload and Scan: lists the scanned applications, analyzed components, and detected vulnerabilities from the last SCA Upload and Scan. The Applications tab lists the scanned applications. In the Policy Control column, a color-coded shield icon indicates the application's policy assessment status. The number of components within the application that are in violation of this policy is also listed. To view the details of the associated policy and its rules, select the blue ? icon. Select the name of an application profile to open the SCA Results page.
  - Agent-Based Scan: lists the available workspaces, with a count of the detected issues for vulnerabilities, libraries, and licenses from the last SCA Agent-based Scan performed on the applications in the workspaces. To see all scan results in a workspace, and access various actions you can perform, select the name of a workspace.
Filter SCA Upload and Scan results
In the Veracode Platform, on the Software Composition Analysis page, you can filter the results on the Upload and Scan tab.
Use the filter function to find applications by CVE ID, application name, blocklist presence, component name, severity, or any combination of these filters. If you switch tabs after filtering data, the filter sorts the content in the new tab unless you clear the filter. If you are an enterprise customer, you see the name of the software vendor before the application name for third-party applications.
To see how different versions of the Common Vulnerability Scoring System (CVSS) affect the severity of the detected licenses and vulnerabilities, on the Third-Party Components or Vulnerabilities tabs, select a CVSS version from the Display dropdown menu. By default, the selected CVSS version is the one associated with your organization.
You can apply version 3 of the CVSS to your policies. The severity ratings are based on CVSS version 3.
If your organization is still using CVSS v2, you must contact Veracode Technical Support to switch to CVSS v3. The CVSS version can determine whether a vulnerability causes an application to fail policy.
After updating the scoring system, Veracode determines policy evaluations for all future scans of your applications based on the new CVSS version.
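The following Python script is an added example (not Veracode code) of why the CVSS version matters for policy: it scores each vulnerability under the selected version, maps the score to the severity bands the Open Flaw Severities table gives for SCA, and applies a license rule of the kind described above for the Licenses tab. Only the severity bands come from this page; the `Policy`, `Component`, and `Vulnerability` structures, the rule names, and the sample components, IDs, and scores are constructed for illustration.

```python
"""Evaluate SCA results against a policy and show how the selected CVSS
version and a license-risk rule decide whether the application passes.

Added example, not Veracode code. The severity bands are the SCA/MPT bands
from the Open Flaw Severities table (CVSS 0.1-2 Very Low up to 8.1-10 Very
High); the Policy and Component structures, the rule names, and the sample
components, vulnerability IDs and scores are constructed for illustration.
"""
from dataclasses import dataclass, field

# (floor score, severity level, severity name), highest band first
SEVERITY_BANDS = [
    (8.1, 5, "Very High"),
    (6.1, 4, "High"),
    (4.1, 3, "Medium"),
    (2.1, 2, "Low"),
    (0.1, 1, "Very Low"),
]


def cvss_to_severity(score):
    """Map a CVSS base score to the 0-5 severity level shown on the Results page."""
    for floor, level, _name in SEVERITY_BANDS:
        if score >= floor:
            return level
    return 0  # Informational


@dataclass
class Vulnerability:
    vuln_id: str        # CVE ID (NVD) or SRCCLR ID (Veracode Vulnerability Database)
    cvss_v2: float
    cvss_v3: float


@dataclass
class Component:
    name: str
    license_risk: str   # Low, Medium, High, Non-OSS, or Unrecognized
    vulnerabilities: list = field(default_factory=list)


@dataclass
class Policy:
    fail_at_severity: int        # any vulnerability at or above this level fails policy
    blocked_license_risks: set   # license rule: these risk ratings fail policy
    cvss_version: int = 3        # CVSS version used to score vulnerabilities (2 or 3)


def evaluate(components, policy):
    """Return (passes, violations) for the components under the policy."""
    violations = []
    for comp in components:
        if comp.license_risk in policy.blocked_license_risks:
            violations.append(f"{comp.name}: license risk {comp.license_risk} is blocked by policy")
        for vuln in comp.vulnerabilities:
            score = vuln.cvss_v3 if policy.cvss_version == 3 else vuln.cvss_v2
            level = cvss_to_severity(score)
            if level >= policy.fail_at_severity:
                violations.append(
                    f"{comp.name}: {vuln.vuln_id} is severity {level} "
                    f"under CVSS v{policy.cvss_version} (score {score})"
                )
    return (not violations, violations)


# Constructed sample: a permissively licensed component whose vulnerability
# scores differently under CVSS v2 and v3, and a strong-copyleft component.
SAMPLE_COMPONENTS = [
    Component("example-parser", "Low", [Vulnerability("CVE-EXAMPLE-0001", cvss_v2=5.0, cvss_v3=7.5)]),
    Component("example-widgets", "High"),
]

if __name__ == "__main__":
    for version in (2, 3):
        policy = Policy(fail_at_severity=4, blocked_license_risks={"High", "Non-OSS"}, cvss_version=version)
        passes, why = evaluate(SAMPLE_COMPONENTS, policy)
        print(f"CVSS v{version}: {'PASS' if passes else 'FAIL'}", why)
```

With a policy that fails at severity 4 (High), the sample vulnerability passes under CVSS v2 (score 5.0, Medium) but fails under CVSS v3 (score 7.5, High), which is the effect the note about switching versions describes; the license rule fails the application independently of scoring.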
Access results using Veracode integrations
The scan results from Veracode integrations are typically available within the integration. The results for several integrations, such as IDEs, SCMs, and APIs, that connect to the Veracode Platform are available in the Veracode Platform interface.
Flaws from Veracode Pipeline Scan, and any integrations that use it for Static Analysis, are not available in the Veracode Platform.
IDEs
See the following topics on reviewing findings within your IDE:
SCMs
See the following topics on reviewing findings within your SCM tools:
CI/CDs
See the following topics on reviewing findings within your CI/CD systems:
Ticketing
To review and manage findings as issues and work items, use the following integrations to import scan results into your ticketing systems.
Veracode APIs
Access and review results using the REST and XML APIs:
REST APIs
XML APIs
Access Veracode Container Security results
You can access the results from Veracode Container Security scans in the Veracode Platform (explained in this section), using the Veracode CLI, or in the repos you scanned using Veracode Repository Scanning. The results show the vulnerabilities and risks for your containers and Infrastructure as Code (IaC) files, and details about the scans.
The Veracode Platform provides a visual representation of the severity count of scan findings, categorized as critical, high, medium, and low.
You can also search and filter findings, assess the findings against your security policy, view the scan history of each scanned asset, and get mitigation guidance for each finding.
Before you begin:
- Ensure you set analysis_on_platform to true in your veracode.yml file.
- Ensure you have completed a scan using the Veracode CLI or using Veracode Repository Scanning in your repos.
To complete this task:
- Sign in to the Veracode Platform.
- Select Scans & Analysis > Container and IaC Analysis. The Container and IaC Analysis page opens and displays the following information for each asset. The scanned assets appear in chronological order, with the most recently scanned assets listed first.
  - Asset type and scan type
  - Source or location of the asset
  - Completion status of the scan
  - Count of the findings based on the severity for completed scans
- To review the results for a scanned asset, select the asset's name. If several assets are listed, search for a specific asset or source.
- To filter the list based on given parameters, such as asset type and scan status, select Filter.
View scan summary
The scan summary shows whether a scan passed policy requirements and provides details for a scanned asset. A scan passes a policy only if each of the findings in the scan passes the policy.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Container and IaC Analysis. The scanned assets are listed.
- Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
- To see details of earlier scans, select a scan from the Scan Name dropdown.
The summary page of an asset belonging to the container scan type (images and archives) has an extra field called Tag. For this asset, first select the tag, then select a scan from the Scan Name dropdown.
The Findings by severity graph provides a visual representation of the count of the findings based on the severity.
View scan findings
The Findings page in the Veracode Platform shows the following details about each finding in a scanned asset. This information helps you to understand the finding and mitigate it.
- The policy status of each finding, that is, whether the finding passed or failed the policy. If the asset was scanned without a policy, the status of the finding is not assessed.
- The finding ID based on the finding type.
- A brief description of the finding.
- The finding type, which can be vulnerability, misconfiguration, or secret.
- The file or location where the finding was identified.
- The severity of the finding.
- The line number in the code where this finding is present.
- A reference URL that provides insight into the finding.
- A suggested fix that can mitigate or resolve the finding.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Container and IaC Analysis. The scanned assets are listed.
- Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
- Select the Findings tab. The list of findings along with corresponding details are displayed.
- Optionally, search for findings based on the finding ID or description using the search box.
- To filter the finding based on finding type or severity, select Filter.
View scan history
The Scan history page shows the list of scans performed along with the following information for each scan:
- The date the scan was performed.
- The user who performed the scan.
- The count of findings based on the severity.
Use the Scan history to track changes in reported findings.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Container and IaC Analysis. The scanned assets are listed.
- Select the scanned asset for which you want to see scan details. The scan summary of the latest scan is displayed.
- Select the Scan history tab. The list of scans performed for the asset is displayed. To search for a scan, use the search box.
Access MPT results
After Veracode security experts perform Manual Penetration Tests (MPT) on your applications, access the results in the Veracode Platform.
Access VRM results
Veracode Risk Manager manages findings as issues. See Access and review issues in Veracode Risk Manager.
Schedule a consultation
Consultation calls provide you the opportunity to get assistance with configuring and running a scan or with interpreting the findings in your application. During scan configuration calls, Veracode can answer specific questions you have about your scan configuration or walk you through the best practices for setting up your scan. During scan results calls, Veracode can help you understand the significance of the findings and provide guidance on remediation and mitigation actions.
Before you begin:
To enable consultation calls, you must meet the following requirements:
- You have an Enhanced Support subscription. If you have not purchased a subscription, contact Veracode Technical Support for more information about the support options.
- You have the necessary Veracode Platform role:
  - Scan configuration calls require the Creator, Security Lead, or Submitter role.
  - Scan results calls for policy scans require the Executive, Reviewer, or Security Lead role.
  - Scan results calls for sandbox scans require the Sandbox User role.
- For scan results calls, you have results available.
If you have a scan configuration call scheduled, you cannot schedule any additional consultations for your application.
You can have one scan results call scheduled at a time for policy scans in addition to one for each sandbox.
To be included on all consultation calls for your organization, contact your Veracode account manager.
To complete this task:
- Go to the appropriate page in the Veracode Platform.
  - For calls concerning scan configuration, go to the application overview page.
  - For calls concerning scan results of policy scans, go to the application overview page, the Results page, or the Triage Flaws page of the latest results for the application.
  - For calls concerning scan results of sandbox scans, go to the Sandbox Results page.
- Select Schedule a Consultation to open the schedule window.
- Select the type of assistance you need.
  - Understanding how to configure and run a scan
  - Understanding my scan results
  Note: While a scan is being promoted from sandbox to policy, the Understanding my scan results option is turned off. This option is available when the scan finishes promotion to policy.
  Even if you have sandbox results, you can discuss only policy scan results in scan results calls scheduled from the Application page.
- Select the type of consultation:
  - Specific Questions
  - General Walkthrough
- Select the scan type you want to review.
- If you select Specific Questions, select any of the options that apply to your questions, and enter details in the free-text fields.
- Select Next.
- In Your Details, enter your name, select your timezone, and enter your email address.
- In Additional Call Attendees, add the email addresses of all the other people attending the consultation. There is no limit to the number of attendees you can invite.
- Select Next.
- Select the date and time at which you want to have the consultation.
- To schedule the consultation, select Schedule. If you schedule a Manual Penetration Testing consultation, you are prompted to provide three possible times when you can receive the consultation call.
If you need to cancel a consultation, please cancel it in the Veracode Platform or by contacting Veracode Technical Support at least 24 hours in advance. Declining the meeting invite does not cancel the meeting. If you do not cancel a scheduled consultation call at least 24 hours before the scheduled time, you incur a deduction of up to 2 hours of support or service hours from your account.
Schedule a next-day consultation
You can schedule a consultation for the following day if you have a next-day consultation subscription. A consultation call with Veracode can help answer specific questions you have about your scan results, help you understand the significance of the findings, and provide guidance on remediation and mitigations.
Before you begin:
To enable next-day consultation calls, you must meet these requirements:
- You have a next-day consultation subscription.
- Next-day consultations are allowed in your application profile.
- You have scan results.
- You have the necessary Veracode Platform role:
- Calls for policy scans require the Executive, Reviewer, or Security Lead role.
- Calls for sandbox scans require the Sandbox User role.
To complete this task:
- In the Veracode Platform, go to the Results page for the most recent scan of your application.
- Select Schedule a Consultation. A window opens where you can enter details about the call.
- Select the Show Next-Day Consultations checkbox, if available. Under the checkbox, you can view the number of next-day consultation calls available to you this month. If you have no next-day consultations this month, or you do not want to use a next-day consultation, do not select the Show Next-Day Consultations checkbox. Standard scheduling options are available for two business days from the date of the request.
- Select Next.
- Select a time for the call. If the time slot is grayed out, that time is unavailable.
- Select Schedule.
Ignore findings
Ignoring findings is a method of mitigating findings you won't resolve. We recommend resolving findings, including findings that attackers might not currently exploit, because these findings might be exploited in the future.
You might want to ignore findings for the following reasons:
- There is no manual fix or suggested code patch from Veracode Fix.
- The finding isn't relevant to the application, is a potential false positive, or your team is willing to accept the risk of not resolving it. For example, a finding might be technically present in the code, but the application's overall security architecture or deployment policies effectively mitigate the risk.
To learn more about mitigating findings, see the following sections:
Mitigations do not provide long-term fixes for application security findings. For example, changes to your environment or new attack techniques can make many mitigating factors, such as network and operating system mitigations, ineffective. We recommend using mitigations as part of a long-term plan to remediate findings in your applications.
Using the Veracode Platform
To ignore flaws from Static Analysis or Dynamic Analysis scans in the Veracode Platform, use the mitigation actions, such as mitigating a finding as a potential false positive or accepting the risk of not resolving it, on the Triage Flaws page or through the APIs.
To ignore vulnerabilities detected by Veracode SCA scans using the Veracode Platform, see SCA Agent-based Scan or SCA Upload and Scan. To ignore issues from SCA Agent-based Scan, use the Issues List page for a selected workspace.
Using your IDE
To ignore flaws in your IDE, select from the following topics. Veracode Scan for Visual Studio doesn't support ignoring findings.
If you're using the Static-only IDE integrations, see the topics on mitigating findings.
Using the APIs
Ignore findings using the REST and XML APIs.
REST APIs
XML APIs
Resolve findings
To resolve findings, remediate them by fixing the code where the flaws exist or replacing vulnerable open-source components with safe versions. You can also mitigate flaws or mitigate vulnerabilities you won't resolve, or use the Triage Flaws page in the Veracode Platform to prioritize SAST and DAST findings you will resolve.
To resolve flaws from Veracode Pipeline Scan, we recommend using Veracode Fix to apply AI-generated code patches to flaws.
For examples of resolving vulnerabilities from SCA Agent-based Scan, see Find and resolve vulnerabilities.
For help with resolving and mitigating findings, schedule a consultation with Veracode Technical Support.
Verify your fixes
After fixing findings in your application, perform subsequent scans of your application to verify that the fixes were effective and that the fixes did not introduce additional security flaws. The first step in verifying your fixes is to submit a new scan of your application. Once the scan is complete, several features in the Veracode Platform and in the application report help you confirm the results.
For Static Analysis scans, Veracode provides cleansing functions that these scans recognize when verifying your fix.
Review the score trend
The score trend chart, which is available in the PDF reports, shows the trend of the application score over time and provides quick, at-a-glance feedback to indicate whether the changes made have improved the security of the application.
Identify new findings
Findings that were not present in the prior scan of the application are flagged with a NEW badge in the PDF reports.
Only static flaws are flagged as new.
Identify resolved findings
The appendix in the PDF reports lists flaws that were present in prior scans that were not found in the scan currently being verified.
The list of flaws not found might, in some circumstances, include flaws that were not fixed, for example, when a module of the application is not re-uploaded for scanning. For best results, upload the same modules for the verification scan that you uploaded for the initial scan.
Matching flaws between scans of the same application
Carrying mitigations and comments forward from one scan to the next requires that the flaws match from one scan to the next of the same application.
The flaw-matching process occurs when you perform two scans of the same application. To identify flaws that might be identical between the two scans, Veracode compares the results of the second scan to the first scan. If Veracode finds a match for any given flaw, it forwards any comments or mitigation information you supplied for the original flaw.
Static Analysis flaw matching
When publishing new static analysis scan results, Veracode searches these locations within the application to determine if a potentially matching flaw exists:
- All Static Analysis policy scans
- All Static Analysis sandbox scans
Veracode uses a complete model of the application program logic and data flow to identify the location of a flaw. Small changes in code location, including changes in line numbers, do not affect how Veracode identifies flaws. However, larger changes to the code containing a flaw can still cause it to no longer match a flaw that Veracode found previously.
For a flaw to match across scans, it must meet these criteria:
- The source file name has not changed.
- The name of the module in which the flaw is located cannot change between scans. However, Veracode can match flaws if the end of the module name contains a varying numeric sequence. For example, foo-123.jar matches foo-125.jar.
Veracode Static Analysis requires debug information to find flaw locations for some languages, including .NET and Java. If an application is compiled without debug information, flaw matching might be impaired. For the list of languages that require compilation with debug information, see the Veracode packaging requirements.
This table lists some known scenarios in which flaw matching does not occur. If a flaw is tagged as mitigated in a given scan, but the same flaw appears in a later scan with a different ID and not mitigated, it is likely because of one of these scenarios:
| Cause of problem | Explanation |
|---|---|
| Different module names | When identifying if a flaw is the same as a previously mitigated flaw, Veracode uses the module name to ensure that the analysis matches flaws that are in the same context. Veracode matches modules with different version numbers, as described above, but there are styles of versioning that can cause this matching to fail. |
| High flaw density | Veracode sometimes cannot determine which flaws in the new scan map to flaws in the old scan. For example, one scan of an application has five flaws of a specific type in a function, and the next scan has four flaws of that same type in that same function. |
| Moved source files | Veracode tries to detect source files that have moved within the source tree. For example, com/veracode/Foo.java moved to com/veracode/bar/Foo.java. Veracode does not explicitly detect source filename changes. |
| Multiple flaws on the same line | Flaw matching has improved to be able to correctly distinguish between flaws in applications that have multiple flaws on the same line. However, some past scans might have occurred when Veracode was not able to tell the difference between these flaws, causing flaws to close and reopen incorrectly. Future scans of these applications might cause some new flaws to appear because Veracode can now distinguish between multiple flaws on the same line. |
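The matching criteria and the failure scenarios in the table above, played out on two constructed scans. This is an added illustration, not Veracode's matching engine: the page describes a full program model that is not exposed, so the module-name normalization (strip one trailing numeric sequence before the extension), the matching key (normalized module, source file, function, CWE), and the pairing of equal-sized groups in line order are all assumptions made for this example, and the flaw records are sample data. It shows why a mitigated flaw can reappear under a new ID, unmitigated, when the counts in a function change or the version number is not at the end of the module name, and how the matched, NEW and closed lists from the "Verify your fixes" section fall out of the same comparison.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed normalization for this example: one trailing run of digits (with an
# optional separator) before the file extension is treated as a varying version.
_TRAILING_NUM = re.compile(r"[-_.]?\d+$")


def normalize_module(module: str) -> str:
    """'foo-123.jar' and 'foo-125.jar' both become 'foo.jar'.

    A number that is not at the end of the name ('util-7-SNAPSHOT.jar') is left
    alone, which is one versioning style that defeats the end-of-name rule."""
    stem, dot, ext = module.rpartition(".")
    if not dot:  # no extension at all
        return _TRAILING_NUM.sub("", module)
    return _TRAILING_NUM.sub("", stem) + dot + ext


@dataclass(frozen=True)
class Flaw:
    flaw_id: int
    module: str
    source_file: str
    function: str
    cwe: int
    line: int  # informational only; line numbers do not drive matching
    mitigation: Optional[str] = None


def match_key(flaw: Flaw) -> tuple:
    # Line numbers are deliberately excluded so small code moves keep matching.
    return (normalize_module(flaw.module), flaw.source_file, flaw.function, flaw.cwe)


def match_flaws(previous: list[Flaw], current: list[Flaw]) -> dict[int, int]:
    """Map current flaw ids to previous flaw ids where the match is unambiguous."""
    prev_groups: dict[tuple, list[Flaw]] = defaultdict(list)
    cur_groups: dict[tuple, list[Flaw]] = defaultdict(list)
    for f in previous:
        prev_groups[match_key(f)].append(f)
    for f in current:
        cur_groups[match_key(f)].append(f)

    matches: dict[int, int] = {}
    for key, cur_list in cur_groups.items():
        prev_list = prev_groups.get(key, [])
        # "High flaw density": if the counts in the same function differ, there is
        # no safe way to say which flaw is which, so none of them are matched.
        if not prev_list or len(prev_list) != len(cur_list):
            continue
        # Assumption for this example: equal-sized groups are paired in line order.
        for old, new in zip(sorted(prev_list, key=lambda f: f.line),
                            sorted(cur_list, key=lambda f: f.line)):
            matches[new.flaw_id] = old.flaw_id
    return matches


def diff_scans(previous: list[Flaw], current: list[Flaw]) -> dict:
    """Split the new scan into matched (mitigation carried), NEW and closed flaws."""
    matches = match_flaws(previous, current)
    prev_by_id = {f.flaw_id: f for f in previous}
    carried = {new_id: prev_by_id[old_id].mitigation for new_id, old_id in matches.items()}
    new_ids = sorted(f.flaw_id for f in current if f.flaw_id not in matches)
    closed_ids = sorted(f.flaw_id for f in previous if f.flaw_id not in matches.values())
    return {"matched": matches, "carried": carried, "new": new_ids, "closed": closed_ids}


# Constructed sample data for two scans of the same application.
PREVIOUS_SCAN = [
    Flaw(1, "foo-123.jar", "com/veracode/Foo.java", "read", 89, 40, "Accept risk"),
    Flaw(2, "foo-123.jar", "com/veracode/Bar.java", "parse", 79, 10, "Potential false positive"),
    Flaw(3, "foo-123.jar", "com/veracode/Dense.java", "handle", 78, 5, None),
    Flaw(4, "foo-123.jar", "com/veracode/Dense.java", "handle", 78, 9, "Accept risk"),
    Flaw(5, "util-7-SNAPSHOT.jar", "com/veracode/Util.java", "join", 22, 3, "Mitigated by design"),
]
CURRENT_SCAN = [
    Flaw(11, "foo-125.jar", "com/veracode/Foo.java", "read", 89, 44, None),    # moved 4 lines
    Flaw(12, "foo-125.jar", "com/veracode/Bar2.java", "parse", 79, 10, None),  # file renamed
    Flaw(13, "foo-125.jar", "com/veracode/Dense.java", "handle", 78, 5, None), # 2 flaws -> 1
    Flaw(14, "util-8-SNAPSHOT.jar", "com/veracode/Util.java", "join", 22, 3, None),
]

if __name__ == "__main__":
    result = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for label in ("matched", "carried", "new", "closed"):
        print(f"{label}: {result[label]}")
```

Only flaw 11 matches and inherits its mitigation. Flaw 13 is reported as NEW and unmitigated even though flaw 4 in the same function was mitigated, because the group shrank from two flaws to one; flaw 14 is NEW because the changing number sits before "-SNAPSHOT" rather than at the end of the module name; and flaws 2 through 5 appear in the closed list although nothing was fixed, which is the "flaws not found" caveat from the verification section.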
Known limitations
When the code submitted for a scan differs from the previously scanned code, flaw matching becomes more challenging and introduces the following limitations, which Veracode is actively addressing.
Duplications
If there are identical copies of a flaw in different source files, you would expect separate flaws to be reported. However, Veracode does not recognize this duplication and reports only a single flaw.
Third-party fingerprinting
In some cases, when an application builds on third-party code, a module might contain no changes from one scan to the next. As a result, Veracode copies the results from the original module without recognizing that the module actually contains different information. This issue, known as third-party fingerprinting, occurs because Veracode does not use shared dependencies effectively. Consequently, it sometimes reports two separate flaws instead of matching them with existing flaws, even though the underlying vulnerabilities are the same.
Dynamic Analysis flaw matching
Dynamic Analysis flaw matching requires you to link the scan results to an application profile. Each scan identifies flaws in the latest version of the application and Veracode determines their statuses based on whether they were found in the previous scan.
MPT flaw matching
To learn about matching flaws from Manual Penetration Testing (MPT), see MPT Flaw Matching.