Prescan URLs Prior to a Dynamic Analysis

Publication: Dynamic Analysis
Edition date: 2022-11-29
Last publication: 2022-11-29T16:31:45.191867

You can prescan all URLs in a Dynamic Analysis to verify that Veracode can reach and, if necessary, authenticate with each target web application URL or API endpoint.

Overview

Prescanning saves time by alerting you to any issues that Veracode finds with the configuration before the Dynamic Analysis runs.

Steps

  1. Go to the Schedule page of the Dynamic Analysis workflow and select the Prescan Only option.

    The prescan starts immediately after submission. When the prescan completes, you receive an email notification of the results. The Dynamic Analysis still starts regardless of the results of the prescan.

  2. If the prescan fails, correct any connection and authentication configuration settings, and run the prescan again.

  3. If you need assistance from Veracode with any of the issues found during prescan, click Contact Support in the bottom-left of the Review and Submit window.

Results

The prescan results are available on the Dynamic Analysis summary page. You can view the details of the prescan at any time by going to the URL row and either clicking the URL or selecting View Prescan Details in the Actions column.

Additional troubleshooting information is available in the Verification Screenshots section, which provides screenshot images that the Veracode scan engine takes at predetermined points. You can use these images to gain insight into what the scan engine discovers during a Dynamic Analysis. For example, the Authentication: Logged In screenshot can verify that the page on which the scan engine lands after executing the login script matches expectations. The Connection: Target URL screenshot can reveal that a login script failed because a page redirects to different content for requests that originate from outside the corporate intranet.

Verification Screenshots

| Screenshot Type | Description |
|---|---|
| Connection: Target URL | The web page state seen by the Veracode scan engine at the end of connection verification, at the start of a scan or prescan. |
| Authentication: Consecutive Login Failure | Shown after the Veracode scan engine is unable to log in to a target application after 50 consecutive attempts. |
| Authentication: Logged In | Shown after the Veracode scan engine executes a user-provided Selenium login script. If the best practice of including a verification command in the Selenium script is not followed, the screenshot may show an early snapshot of the page, which may not show what the site really looks like when logged in. |
| Authentication: Logged Out | Shown after the Veracode scan engine executes a user-provided Selenium logout script. Logout scripts are optional, and this screenshot is omitted if one is not specified. |
| Authentication Failure | Shown if the Veracode scan engine encounters an error while verifying authentication using a user-specified login or logout script. |

Prescan Notes

The Prescan Notes section displays one or more scan notes, each with one of these severities:

  • Information: non-actionable issues encountered by the scan engine.
  • Warning: issues that could impact coverage of the scan. For example, a login script that does not contain commands to verify its successful execution could possibly fail in future scans.
  • Error: exceptions that have resulted in early scan termination, such as the repeated inability to execute Selenium scripts due to a site changing during a scheduled scan.
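
The Authentication: Logged In row and the Warning severity above both concern login scripts that lack a verification command. The following check is an added example, not Veracode code: it flags such scripts before you submit a prescan. It assumes the login script is a Selenium IDE .side (JSON) project; the prefix list, the action list and the sample project are assumptions constructed for illustration.

```python
import json

# Assumptions (not from the Veracode page): the login script is a Selenium IDE
# .side project, and these command-name prefixes count as "verification".
VERIFY_PREFIXES = ("assert", "verify", "waitFor")
# Assumed set of commands that change page state and need a later check.
ACTION_COMMANDS = {"open", "click", "type", "sendKeys", "submit", "select"}


def lint_login_script(side_text):
    """Return {test name: finding} for tests whose last action is unverified."""
    findings = {}
    for test in json.loads(side_text).get("tests", []):
        names = [c.get("command", "") for c in test.get("commands", [])]
        # Commands carrying a "//" prefix match neither list and are ignored.
        checks = [i for i, n in enumerate(names) if n.startswith(VERIFY_PREFIXES)]
        actions = [i for i, n in enumerate(names) if n in ACTION_COMMANDS]
        if not checks:
            findings[test.get("name", "?")] = "no verification command"
        elif actions and checks[-1] < actions[-1]:
            # A check that runs before the final click says nothing about
            # whether the login itself succeeded.
            findings[test.get("name", "?")] = (
                f"last check '{names[checks[-1]]}' runs before "
                f"final action '{names[actions[-1]]}'")
    return findings


def _cmd(command, target="", value=""):
    return {"command": command, "target": target, "value": value}


# Constructed sample project: three login tests against a hypothetical form.
_LOGIN = [_cmd("open", "/login"), _cmd("type", "id=user", "scanner"),
          _cmd("type", "id=pass", "${PASSWORD}"), _cmd("click", "id=submit")]
SAMPLE_SIDE = json.dumps({"name": "constructed-sample", "tests": [
    {"name": "no-check", "commands": _LOGIN},
    {"name": "check-too-early", "commands":
        [_LOGIN[0], _cmd("assertTitle", "Sign in")] + _LOGIN[1:]},
    {"name": "verified", "commands":
        _LOGIN + [_cmd("waitForElementPresent", "id=logout", "10000")]},
]})

if __name__ == "__main__":
    for name, finding in lint_login_script(SAMPLE_SIDE).items():
        print(f"WARNING {name}: {finding}")
```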