October 26, 2023​

The Veracode CLI now supports Windows​

You can now install the Veracode CLI on Windows with Chocolatey.

June 28, 2023​

New command for Veracode Fix​

The veracode fix command is a new generative AI feature of the Veracode CLI. It uses the results from a Veracode Pipeline Scan to generate suggested code fixes that you can apply to flaws in your application source code. This feature is currently only available in the Commercial Region. To get started, see the quickstart.

December 30, 2022​

Released Veracode Container Security​

Veracode Container Security is available. Container Security is a feature of the Veracode CLI that does the following:

• Scans for container vulnerabilities
• Scans for infrastructure as code misconfigurations
• Scans for improperly stored secrets
• Helps developers secure their cloud native applications

For more information about Veracode Container Security, contact your Veracode account representative.

December 19, 2023​

Web application and API scans now support multi-factor authentication​

You can now configure web application scans and API scans to use time-based one-time password (TOTP) seeds for URLs that require multi-factor authentication (MFA). You can also configure TOTP with the REST API.

December 12, 2023​

ISM endpoint 23.12.1​

• The endpoint now supports Java 21.
• Adds virtual threading functionality to improve performance and stability. Before you can use this functionality, you must upgrade to Java 21.

November 27, 2023​

Free trial of DAST Essentials​

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

November 15, 2023​

Introducing DAST Essentials​

DAST Essentials is a new Dynamic Application Security Testing (DAST) product that provides rapid and resilient DAST scanning of web applications and REST APIs, a user-friendly interface, and seamless CI/CD pipeline integration. To get started, see the quickstart.

September 25, 2023​

Web application and API scans now support custom cookies​

You can now configure web application scans and API scans to use one or more custom cookies for authentication.

May 9, 2023​

ISM endpoint 23.5.0​

Added executable scripts that update the JAVA_HOME path for the endpoint.

April 25, 2023​

ISM endpoint 23.4.2​

• The endpoint now supports environments where the target host is on the same host as the client.
• Source code files now include a copyright header.

February 27, 2023​

Set URL Scan Settings at the Organization Level​

You can now use the Dynamic Analysis REST API to set URL scan settings for all analyses and scans in an organization.

February 17, 2023​

New Manual Resume Feature for Paused Analyses​

Veracode Dynamic Analysis adds a new feature that enables you to manually resume a scheduled analysis from a paused state. This feature is only available upon request. To add this feature to your account, contact Veracode Technical Support.

January 20, 2023​

Renamed URL Scan Status Messages​

Veracode has renamed and changed the descriptions for the following URL scan status messages for Dynamic Analysis. The new names more accurately describe the issues that caused these status messages to appear in the Veracode Platform.

• Killed - Partial Results Available is now Lockout - Partial Results Available.
• Killed - Verifying Partial Results is now Lockout - Verifying Partial Results.

December 19, 2022​

ISM endpoint 22.12.3​

• Fixed an endpoint issue that caused threads to lock up until the ISM tunnel closes.
• Improved endpoint logging that Veracode Technical Support can use for troubleshooting.

October 21, 2022​

ISM available for Dynamic Analysis ​

Internal Scanning Management (ISM) is now available for Veracode Dynamic Analysis of web applications and API specifications in the European Region.

October 18, 2022​

API Scanning Adds Support for Scriptable Request Modification​

Veracode API Scanning adds a new option for using JavaScript to modify an HTTP request, at runtime, when authenticating with a remote host.

October 5, 2022​

New Similarity Threshold for Web Applications​

When configuring an analysis of a web application, you can now set a threshold for ignoring similar web pages during the analysis.

September 7, 2022​

Dynamic Analysis Now Creates Screenshots for Consecutive Login Failures​

The Veracode scan engine now creates a verification screenshot if it is unable to log in to a target application after 50 attempts. The screenshot image shows when and where in the scanning process the failed login attempts occurred. You can use this information for troubleshooting.

August 2, 2022​

New Historical Details for Dynamic Analyses and Scans​

You can now view detailed information about all past occurrences of both a dynamic analysis and its scans.

July 28, 2022​

Dynamic Analysis available for European Region ​

Veracode Dynamic Analysis is now available in the European Region. If you have a Veracode Dynamic Analysis subscription, you can now perform dynamic analysis security testing and API testing against public facing web applications and APIs.

May 18, 2022​

Re-Enabled Pause and Resume for Scheduled Analyses​

When scheduling a Dynamic Analysis, you can now set it to pause and resume scanning at specific days and times. Veracode disabled this option on October 7, 2021.

April 28, 2022​

New Status Messages for Partial Scan Results​

Dynamic Analysis now provides status messages that indicate when Veracode is verifying partial results and when partial results are available for review. Partial results can occur when a scan stops prematurely due to:

• Errors during scanning
• Users stopping the scan early
• The scan exceeding its configured duration

March 23, 2022​

API Scanning Adds Support for OpenID Connect to OAuth 2.0​

Veracode API Scanning adds a new option to specify an OpenID Connect URL when configuring OAuth 2.0 authentication.

March 10, 2022​

Dynamic Analysis Adds Support for Concurrent Browsers Running Dynamic Analysis Scans​

Veracode Dynamic Analysis now supports concurrent browsers for running multiple Dynamic Analysis scans at the same time. When configuring a web application scan, you can specify up to 12 concurrent browsers.

March 8, 2022​

API Scanning Adds OAuth 2.0 Authentication and Analysis History Options​

Veracode API Scanning includes these changes:

• New option to configure OAuth 2.0 authentication for the API endpoints in your API specifications. You can select to use either the Client Credentials or Password Credentials grant type.
• New Associated Analysis field on the API Specification Details page for a given API specification. This field provides options for viewing, reconfiguring, and rerunning previous scans.

March 3, 2022​

Dynamic Analysis Now Detects Log4j Vulnerability CWE-115​

Veracode Dynamic Analysis can now detect Log4j vulnerability CWE-115 when scanning web applications or API specifications.

February 4, 2022​

Updated Dynamic Analysis Scan Engine​

The Dynamic Analysis scan engine includes these updates:

• Updated Chromium to version 98.0.4758.80
• Log4j security updates
• Improved connectivity when authenticating with Veracode
• Fix for insecure cookies that prevented flaw matching

January 25, 2022​

ISM endpoint 22.1.10​

• The endpoint upgraded to Log4j 2.17.1 to address security findings.
• Improved thread management for connection stability.
• Advanced memory usage diagnostics.

December 21, 2021​

ISM endpoint 21.12.13​

• The endpoint upgraded to Log4j 2.17 to address known vulnerabilities CVE-2021-44228 and CVE-2021-45046.
• Additional libraries upgraded to address security findings.

November 24, 2020​

New Target URL Search Feature​

• Veracode Dynamic Analysis now allows you to search for individual URL scans in addition to searching for a specific Dynamic Analysis. This capability enables you to easily identify which scans are associated with a specified URL.

CSP Header Checks​

• Veracode Dynamic Analysis now checks for missing or misconfigured script execution policies in Content Security Policy (CSP) headers of web applications.

Expanded Secure Cookie Attributes List​

• Veracode Dynamic Analysis has expanded its list of known secure cookie attributes, such as SameSite, Secure, and HttpOnly, that are common to cloud infrastructures. Veracode checks web applications for secure cookie attributes on this list before reporting missing attributes as flaws.

August 10, 2020​

ISM endpoint 20.8.5​

• The endpoint now supports not resolving the hostname when accessing the ISM gateway via proxy. This support enables you to only allow the gateway hostname for outbound HTTPS calls.
• The endpoint now supports not resolving the hostname when accessing scanned URLs via proxy. This support simplifies proxy configuration if you do not want to access external sites, such as Okta, during the scan.
• Improved interface for configuring a proxy for the endpoint installer.
• The endpoint installer supports configuring hostname resolution properties.
• Java WebSocket library for the endpoint upgraded to version 1.5.1.
• The endpoint supports specifying non-default network interface via endpoint properties, including the option to see a list of available network interfaces.
• The endpoint process name on Linux includes a Veracode identifier.
• Improved endpoint logging.

For more information, see the endpoint release history

July 22, 2020​

New Video - Configure Dynamic Analysis Login Settings​

• This video describes the different types of authentication that Veracode Dynamic Analysis can require to log in to your application and how to configure your Dynamic Analysis so that Veracode can log in.

June 11, 2020​

Crawl Script Support for Comprehensive Scans​

• Veracode Dynamic Analysis now supports the use of prerecorded crawl sequences to supplement the default automated crawling capability of the Veracode scan engine. You must use Selenium to record the crawl scripts and save them in SIDE test suite or HTML formats. Dynamic Analysis runs the crawl script during prescan to check for any commands that might fail during the URL scan.

June 8, 2020​

Improved Dynamic Analysis Coverage​

Veracode has improved the scan engine coverage with:

• Increased coverage for CWE 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).
• Increased reporting for SSL issues and updated description and remediation text. The Dynamic Analysis scan engine now reports the use of Cipher Block Chaining (CBC) ciphers, and key exchange algorithms that do not provide perfect forward secrecy (such as RSA with no EDH).

New Screenshot Verifications and Scan Notes Features​

• Veracode Dynamic Analysis now shows additional troubleshooting information on the Prescan Details and Scan Details pages. The new Verification Screenshots section shows screenshots that the Veracode scan engine takes at predetermined points. The Scan Notes section contains observations from the scan engine on issues encountered at runtime or best practices that you can apply to the scan configuration.

Updated Video - Initiate a Dynamic Analysis Prescan​

• This video shows you how to submit a Dynamic Analysis for prescan, what the Dynamic Analysis is testing during prescan, and how to tell if your Dynamic Analysis has passed prescan successfully.

May 26, 2020​

Enhanced Access Control for ISM Endpoints​

• Veracode Dynamic Analysis Internal Scanning Management (ISM) provides new options for granting Veracode support engineers access to your endpoints. You can now allow support access for a specific number of days, up to 30, or allow access indefinitely until you choose to disable it.

May 21, 2020​

Client Certificate Authentication Support​

• Dynamic Analysis now supports client certificate-based authentication. When you upload your certificate and the associated password, Veracode can log in to websites that require this method of authentication.

Engine JSON Web Token and Obsolete JavaScript Support​

• Dynamic Analysis has added security auditing for JSON Web Tokens (JWT) and obsolete JavaScript resources. JWT auditing detects common flaws, including signature vulnerabilities, in sites that use JWT for authentication. Obsolete JavaScript resource detection reports known-vulnerable libraries, such as older versions of jQuery, through signature matching.

Improved Scan Status Details​

• Veracode Dynamic Analysis now has improved end-user visibility into scan statuses. Additional status information is available in the status fields and columns of the All Analyses, Dynamic Analysis Summary, and URL Scan Summary pages. You now have more detailed information when scans stop due to network issues or because they exceeded the allocated scan duration time.

Updated Video - Create Login Scripts with Selenium​

• This video shows you how to use the Selenium IDE plugin to create a login sequence script that enables Veracode Dynamic Analysis to scan URLs that have form-based authentication.

May 7, 2020​

Prescan Workflow Improvements​

Veracode has released several improvements to the Dynamic Analysis workflow to enhance these user experiences:

• The prescan option has moved to the Schedule page. In addition, you can now use the new prescan-only option if you want to verify your configuration before submitting the analysis.
• There is a new option on the Schedule page to enable you to save your Dynamic Analysis configuration and continue working on it or submitting it later.
• Icons have replaced the menu in the individual rows of the URLs table, providing greater ease of use when you want to edit the configuration, link to an application, or delete the URL.

April 28, 2020​

ISM Notifications Include Endpoint Names​

• Emails from Veracode about your ISM endpoints now specify the endpoint names to help with troubleshooting.

April 16, 2020​

Scheduling Improvement​

• Veracode Dynamic Analysis now provides the ability to select a start date up to 90 days in the future. This enhancement enables you to initiate a one-time scan immediately as well as schedule a recurring, quarterly scan of the same Dynamic Analysis.

Update to Supported Selenium Commands​

• Dynamic Analysis now supports these Selenium commands: keyUp, keyDown, keyPress, assertTextPresent, waitForElementVisibile, and clickAt.

March 31, 2020​

Dynamic Analysis User Agent Defaults to Chrome​

• When configuring a Dynamic Analysis, if you do not provide a user agent string for a browser of your choice, the user agent value now defaults to the Chrome browser.

March 30, 2020​

Auto-Linking Now Available in Dynamic Analysis​

• Veracode Dynamic Analysis now supports application auto-linking automation at the organization account level. Auto-linking links a Dynamic Analysis scan to an existing application profile. Auto-linking can also automatically create a new application profile to which Dynamic Analysis can link future scans, if you select that option. Linking a Dynamic Analysis to an application enables you to review the policy evaluation, download PDF results, and access the Veracode Links Report.

March 26, 2020​

Screenshot Provided for Login Script Errors​

• Veracode Dynamic Analysis now provides troubleshooting information for login script authentication failures. If you have provided a login script, the Prescan Details window links to a screenshot of the associated login errors.

March 17, 2020​

Server-Side Request Forgery (SSRF) Attack Support​

• Veracode Dynamic Analysis now enables Server-side Request Forgery (SSRF) attacks to find flaws, by default.

Extended Auto-Login Support​

• The Veracode Dynamic Analysis scan engine has improved support for multi-page forms and login pages containing iframes.

March 9, 2020​

ISM Endpoint Updated with Advanced Diagnostics​

• Veracode Dynamic Analysis Internal Scanning Management (ISM) recently released an updated endpoint version with several new features, including advanced diagnostics options. More information is available in the endpoint release history.

Auto-Login Enhancements​

• Veracode Dynamic Analysis has streamlined authentication configuration with an enhanced auto-login capability. You should use auto-login to provide a username and password for auto-login, browser-generated logins, and NTLMv2. Auto-login is the default setting. A separate, basic authentication section is available to configure authentication for websites that require two forms of authentication: auto-login and browser-generated authentication. Veracode continues to support Selenium-based login scripts with these changes.

Coverage Improvements​

• The latest release of Veracode Dynamic Analysis includes new generic injection techniques in the scan engine and flaw publishing process. Veracode can now detect additional vulnerabilities for CWEs 95, 89, 91, and 74. In addition, SQL Injection, OS Command Injection, Remote File Inclusion (RFI), Server-side Request Forgery (SSRF), XML External Entity (XXE), and Cross-site Scripting (XSS) detection can now attack JSON keys and values in POST bodies by default.

February 21, 2020​

New Video - View Dynamic Analysis Results​

• This video shows you how to view Dynamic Analysis results.

February 14, 2020​

New Video - Create and Run an Unauthenticated Dynamic Analysis​

• This video shows you how to create, configure, and schedule an unauthenticated Dynamic Analysis.

Row Selection Persistence​

• When you select the number of rows you want to display in the All Dynamic Analyses table, the selection persists even if you navigate away from that table. Your selection persists until you log out.

January 8, 2020​

New Auto-Publish Feature​

Auto-Publish is now enabled in Veracode Dynamic Analysis to automatically publish some findings, providing quicker results for specific types of vulnerabilities.

• If every vulnerability found in all URL scans in a Dynamic Analysis meets the criteria for auto-publication, Veracode publishes the findings immediately after the analysis completes.
• If one or more vulnerabilities require a review by a Veracode scan engineer, then any findings eligible for auto-publication must wait for that review. Veracode publishes all findings together within 24 hours of when the manual review is complete.

Change to Failed Verification Status​

Veracode Dynamic Analysis has updated the status definition that displays when any URL scans fail verification for either a connection or authentication issue.

• When a single URL scan in an analysis fails verification:
  • The URL scan status is Verification Failed.
  • The Dynamic Analysis status is All Verifications Failed.
• When an analysis with multiple URL scans has one or more of the URL scans fail verification:
  • The failed URL scan status is Verification Failed.
  • The analysis status is Completed - Partial Results Available.

Application Security Platform

View the list below for highlights of previous releases.

December 7, 2020​

Additional SCA Details Available from the Findings REST API​

• With the Veracode Findings REST API, you can identify whether Software Composition Analysis findings are from agent-based scans or upload scans and whether they are from a direct or transitive dependency. You can also filter your findings by scan type or dependency type.

November 23, 2020​

Updates to the Findings REST API​

You can now perform these tasks with the Veracode Findings REST API:

• Retrieve the expiration date of the remediation grace period for findings that violate a security policy.
• Retrieve findings with comments or mitigations added after a specific date, such as the date of your most recent scan.

Healthcheck REST API​

• You can use the Veracode Healthcheck REST API to test the availability of Veracode core services.

October 29, 2020​

Changes to OWASP Mobile Policy Rules​

• Veracode has updated policy rules that include the OWASP Mobile security standard to reflect additional research. OWASP Mobile policy rules now include these CWEs: CWE-77, 78, 80, 252, 287, 319, 345, 404, 415, 416, 601, 614, 676, 693, 757.

• Applications that contain these flaws may fail OWASP Mobile policy rules as a result of this update. Veracode will apply the update upon rescan of the application.

Improved Notifications for Delayed Scan Results​

• Veracode has improved communication about delayed scan results. You now receive email notifications that include additional details and links for the affected scan. Veracode has also improved the Veracode Platform to indicate delayed scans that are under investigation.

October 19, 2020​

Applications REST API​

• You can now view application data and create, update, and delete applications using the Veracode Applications REST API.

September 30, 2020​

Updates to Required Veracode Domains​

• Veracode has introduced two URLs to which you must allow access. If you restrict access to public internet sites for your organization, add app.pendo.io and analytics2.veracode.com to your allowlist.

September 26, 2020​

Rolling Sandbox Histories​

• Rolling sandbox histories let you limit sandbox data by restricting the number of retained scans for each sandbox to 15. After more than 15 scans, the Veracode Platform deletes the oldest scan, though the data remains available through Veracode Analytics. If enabled, this feature replaces the previous data limitation method of expiring old sandboxes.

• To request access to rolling sandbox histories, contact Veracode Technical Support.

Updates to Some XML API Deletion Calls​

• To improve performance, the deleteuser.do, deleteteam.do, deleteapp.do, and removefiles.do XML API calls now return an HTTP 200 response and a change summary, instead of a list of the items remaining after the deletion.

Shareable Links to Your Analytics Dashboards​

• You can now share links to Veracode Analytics dashboards, including Veracode dashboards and dashboards that your organization creates. To access a dashboard link, you must log in to the Veracode Platform and have permission to view the data in the dashboard.

Activity Log Updates​

• You can now download a report of the full history of application profile activity, scan activity, and sandbox activity. The activity log in the Veracode Platform now displays activity data for the past 90 days.

Technique Removed from TSRV Format for Accepting Risk​

• Veracode has removed Technique from the TSRV standard when you perform the Accept the Risk mitigation action because none of the techniques are relevant to accepting risk. Specifics, Remaining Risk, and Verification are still required fields.

Updates to CWE Top 25 Policy Rules​

• The Latest CWE Top 25 policy rule in the Veracode Platform now reflects the 2020 CWE Top 25 standard. Veracode has also updated the 2019 CWE Top 25 policy rule to disallow the children of CWE-94: CWE-91, 95, 98, 185, and 830.

September 17, 2020​

Improved Business Units Tab​

• On the Administration page in the Veracode Platform, Veracode has improved the usability of the Business Units tab.

September 10, 2020​

New Video - Create and Manage API Users in the Veracode Platform​

• This video shows you how to configure an API service account in the Veracode Platform.

August 29, 2020​

All Applications Page Now Available to Mitigation Approver and Delete Scans Roles​

• You can now access the All Applications page in the Veracode Platform with the Mitigation Approver or Delete Scans roles. From the All Applications page, you can, then, select an application to approve mitigations or delete scans.

CWE-74 Now Disallowed for the OWASP Security Standard​

• Veracode has reclassified CWE-74 "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" as a high severity finding. CWE-74, which Veracode discovers during Dynamic Analysis, is now included on the disallowed CWE IDs list in the latest version of the OWASP security standard. If your organization is using the OWASP 2017 security standard, you may see more findings violating policy or see your application fail policy as a result of this change.

Support for MITRE CWE List Version 4.1​

• Veracode now provides reporting based on CWE version 4.1 definitions, which changes the names and descriptions of a few existing CWE categories. The complete list of changes in CWE version 4.1 is available from the MITRE website. This new version does not impact the CWE mappings for the OWASP, CWE Top 25, or CERT security standards.

• MITRE is updating their CWE list on a more frequent basis, but Veracode remains committed to staying up-to-date with each new version. As MITRE updates their CWE database, you might notice periodic changes in Veracode reports, such as differences between parent-child relationships or mappings.

August 21, 2020​

Findings API Version 2​

• The Veracode Findings REST API v2 is now available. With this API, you can access information about open and mitigated findings associated with applications and sandboxes. It supports Static Analysis, Dynamic Analysis, Manual Penetration Testing, and Software Composition Analysis scans.

July 28, 2020​

Improved User Activity Report​

• An improved user activity report is now available to download as a CSV file, providing easier access to information about user actions.

July 7, 2020​

Administrators Can Turn Off Optional Notifications for Their Entire Organization​

• Administrators in the Veracode Platform can now turn off all optional notifications for all new and existing users in their organization account. Individual users have the option to turn the notifications back on for their own user account.

June 29, 2020​

New Accept the Risk Mitigation Type​

• Veracode now allows you to resolve a finding by stating that your business is willing to accept the risk associated with that finding. This mitigation type allows you to track and report the risk while continuing to maintain the mitigation and resolution approval process. Veracode updated the mitigationinfo.xsd file to include this mitigation type.

June 27, 2020​

Veracode Policies Now Support 2019 CWE Top 25 Security Standard​

• Veracode updated the PCI security standard in the Veracode Platform to include the 2019 CWE Top 25 Security Standard, previously called the SANS Top 25 standard. Applications with findings included in the new standard may fail the PCI policy or PCI standard requirement as a result. Veracode applies the update to applications upon rescan.

June 16, 2020​

Veracode Analytics Provides Ignored Issue SCA Data​

• Veracode Analytics now supports SCA agent-based scan issue data about ignored issues, including details of when a user ignored an issue and the username for the user who ignored the issue.

June 11, 2020​

New Sandbox Attributes Added to Veracode Analytics​

• Veracode Analytics now provides attributes for tracking sandbox usage. You can view sandbox expiration dates and determine if the Veracode Platform sandboxes are configured for Veracode to automatically recreate them after expiration.

New Dynamic Analysis Dimensions Available in Veracode Analytics​

• Veracode Analytics now provides the Dynamic Analysis fields Path and Vulnerable Parameter, which allow you to better focus and prioritize your remediation efforts.

June 8, 2020​

SCA Agent Data Available in Veracode Analytics​

• The Software Composition Analysis (SCA) dashboard is updated in Veracode Analytics to reflect recommended charts for tracking your use of SCA agent-based and upload-and-scan workflows. In addition, Veracode Analytics provides two new explores for SCA agent data: SCA Agent Issues and SCA Agent Scans. These explores enable you to create your own charts and dashboards, providing a better understanding of your open-source risk.

May 28, 2020​

Update to Industry Values in Application Profile​

• Veracode has updated the values for industries in application profiles to more accurately reflect the market. Because applications include industry values to help inform the Veracode State of Software Security report, this change affects the createapp.do and updateapp.do XML API calls.

• If you have a script coded with an expected value for the industry field, please update your script to reflect the updated values or use the default value already provided.

May 13, 2020​

Analytics Scan Frequency Requirements Data​

• Veracode Analytics now provides visibility into scan frequency requirements for an application. These requirements include the frequency mandated by the policy, upcoming scan due dates, and any past due dates.

May 7, 2020​

New Team Admin Role​

• Veracode has added the new Team Admin user role that an administrator can grant to users. With the Team Admin role, you can create, edit, and delete users within the teams you manage. This new role makes it easier for organizations to manage permissions for a large number of users.

New Mitigation Type​

• Veracode has added a new mitigation type to allow you to propose mitigations using the mitigation type Mitigated - Referred to Library Maintainer. You can classify findings related to libraries developed by another development team. Another development team may build libraries in-house, but they may not own the application Veracode is scanning.

April 30, 2020​

New Identity REST APIs​

• The new Identity REST APIs allow you to manage users, teams, and business units. You can also use these REST APIs to create API service accounts and manage API ID/key credentials.

Updated Greenlight Scans Explore Page​

• Veracode has updated the Analytics page Greenlight Scans Explore to reflect the new terminology of IDE scan (formerly known as Greenlight) and to include pipeline scan data.

Updated Applications List View​

• The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering. Veracode is gradually releasing this feature as part of each Platform release, so it may not be immediately available to you.

New Secure Coding Foundation eLearning Courses​

Veracode eLearning has released a new set of secure coding foundation courses:

• Secure Coding Foundations - Authentication
• Secure Coding Foundations - Authorization
• Secure Coding Foundations - Configuration and Deployment
• Secure Coding Foundations - Data Protection
• Secure Coding Foundations - Information and Error Handling
• Secure Coding Foundations - Trust Boundaries
• Secure Coding Foundations - Validation and Encoding

These courses cover application security practices and associated vulnerabilities.

eLearning User Interface Enhancements​

Veracode has improved these eLearning windows:

• Manager window you use to assign learners to a manager
• Curriculum window you use to assign learners to a curriculum

April 21, 2020​

Updated Applications List View

• The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering.

March 28, 2020​

CWE 4.0 Support​

• Veracode CWE support is updated to reflect the latest changes from MITRE in the CWE 4.0 release.

Enable Automatic Re-creation of Existing Sandboxes​

• You can now edit existing sandboxes to enable the setting for automatically re-creating the sandbox when it expires.

Due Date Notifications for eLearning Students​

• eLearning administrators can now specify when to send email reminders to notify students about the due dates for assigned courses.

New Python and JavaScript eLearning Courses​

• Veracode has added secure coding courses for Python and JavaScript to eLearning learner levels.

March 19, 2020​

New Grace Period Expiration Date in Analytics​

• Veracode Analytics now provides the date when a grace period expires. An expired grace period causes the finding to fail the policy associated with the application. Veracode calculates the date based on the First Found or Last Reopened date, whichever is more recent.

Account Lock Does Not Trigger Email to Administrator​

• To prevent redundant notifications, Veracode no longer sends an email to Administrators in the Veracode Platform when users in their organization are locked out of their accounts. This email is now unnecessary because users can unlock their own accounts.

March 3, 2020​

Improved Developer Sandbox Scanning and Added Expiration Date​

Veracode has made these improvements to developer sandboxes:

• You can now perform up to ten sandbox scans simultaneously for a single application. Before starting additional scans, you must wait for at least one running scan to complete.
• The sandbox list in the application profile now shows all sandboxes in the application that have running scans.
• All sandboxes now have an expiration date. After a sandbox reaches its expiration date, you can no longer perform scans in it. Seven days after the expiration date, the Veracode Platform automatically removes the sandbox. All data about the removed sandbox is available from Veracode Analytics. You can use the re-create option to have the Veracode Platform automatically create a new sandbox with the same name as a previously-removed sandbox.

Applications REST API Adds Policy Compliance Information​

• Veracode has improved the Applications REST API to include information about the policy compliance of the application.

Executive Summary in Customizable Report PDF Includes Informational Findings​

• The executive summary in the downloadable PDF of the Customizable Report now shows informational findings. The informational findings provide information that can help you ensure your application meets policy compliance.

Email Notifications for eLearning Curriculum Due Date Changes​

• eLearning administrators can now send emails to notify students and their managers when the due date for an assigned curriculum changes. They can also send emails to notify managers when a due date on a curriculum has passed and students have not completed the curriculum.

February 21, 2020​

New JavaScript eLearning Courses​

Veracode eLearning has released a new set of secure coding courses for JavaScript:

• Secure Coding for JavaScript - Authentication & Authorization
• Secure Coding for JavaScript - Configuration and Deployment
• Secure Coding for JavaScript - Data Protection
• Secure Coding for JavaScript - Information and Error Handling
• Secure Coding for JavaScript - Validation and Encoding

These courses cover application security practices and associated vulnerabilities, including the OWASP Top Ten, and secure coding techniques in JavaScript, including using the AngularJS and ReachJS frameworks.

February 19, 2020​

Updated Look-and-Feel with New Veracode Branding​

• Veracode has updated the look-and-feel of the Veracode Platform with new branding.

January 28, 2020​

Updates to Sandbox Functionality​

Veracode has implemented these changes to improve the performance of sandbox scans:

• You can delete a sandbox and all of its scans when you promote it to policy.
• You may have a maximum number of sandboxes you can create for each application. The default limit is 25.

Automated Emails for eLearning Curriculum Updates​

• Veracode eLearning administrators can turn on automated email notifications to alert eLearning students and managers when the administrator assigns a curriculum to a student.

January 24, 2020​

New Video - Create a Custom Policy in the Veracode Platform​

• This video shows you how to create a custom policy in the Veracode Platform.

January 13, 2020​

SCA Findings Dashboard Available in Analytics​

• Veracode Analytics has a new dashboard that provides Software Composition Analysis (SCA) findings on open vulnerabilities, license risk, issue severities, and library data. Veracode Analytics does not currently display findings from agent-based scans.

January 8, 2020​

New Video - Review Scan Results​

• This video shows you how to view Veracode scan results in the Veracode Platform.

January 2, 2020​

SCA Findings Available in Veracode Analytics​

• Veracode Analytics now provides details about Software Composition Analysis (SCA) findings. If you have an SCA subscription, you can view SCA vulnerabilities displayed in the Findings Status & History dashboard and the Resolution and Mitigation Details dashboard.

• Veracode Analytics does not currently display findings from agent-based scans.

Software Composition Analysis​

View the list below for highlights of previous releases.

December 17, 2020​

Container Scanning for Debian​

• Veracode Software Composition Analysis now supports agent-based scans of Debian Docker containers. You can scan Debian containers through the command-line interface or as part of your continuous integration pipelines.

October 15, 2020​

Set Default Branch to the Most Recently Scanned Branch or Tag​

• You can now set your Veracode Software Composition Analysis projects to automatically update their default branch to be the most recently scanned branch or tag. This enhancement enables the use of tags as default branches and reduces the number of issues that display in the Veracode Platform, by default.

• Existing projects without a default branch selected in their project settings now use the Use Last Scanned option as the default branch.

October 13, 2020​

Vulnerable Method Support for JavaScript​

• Veracode Software Composition Analysis supports vulnerable method analysis for agent-based scans of JavaScript applications. This feature helps prioritize your remediation actions by identifying first-party code that calls a function in a JavaScript library that makes the library vulnerable.

October 1, 2020​

Container Scanning for Ubuntu​

• Veracode Software Composition Analysis now supports agent-based scans of Ubuntu Docker containers. You can scan Ubuntu containers through the command-line interface or as part of your continuous integration pipelines.

September 26, 2020​

Grace Periods for SCA Policy Rules​

• Veracode Software Composition Analysis now allows you to include grace periods for SCA upload scans in your application security policies. You can define a grace period for all scan types, including SCA, or define a grace period that applies specifically to SCA scans.

July 17, 2020​

Default Date Limit Applied to Scan Data in Agent-Based Scan Workspaces​

• To improve performance and usability, the scan data for your workspaces is now limited to projects scanned in the last 30 days, by default. You can change the time window of exported projects on the workspace page in the Veracode Platform.

July 7, 2020​

Advanced License Risk Management for Agent-Based Scans​

• Veracode Software Composition Analysis now provides advanced license risk management capabilities for agent-based scans. You can control the acceptable risk from open-source libraries by adding rules based on Veracode license risk ratings or by rejecting specific licenses.

June 17, 2020​

New API Endpoints for Agent Management​

• The Veracode SCA Agent REST API includes new endpoints for creating and deleting agents. This update enables you to more effectively scale your agent administration and improve productivity with agent-based scans.

May 28, 2020​

Issue Summary for Agent-Based Scans​

• Veracode Software Composition Analysis now provides a summary table on each agent-based scan workspace and project page that provides a quick view of the state of your open-source issues.

April 29, 2020​

Vulnerability Database Update​

• The Veracode Vulnerability Database is updated to resolve a discrepancy in severity rating compared to the National Vulnerability Database (NVD) for approximately 200 of over 20,000 total vulnerabilities. Veracode has already contacted all organizations that have applications that fail policy as a result of this update.

• If your Veracode account manager has not contacted you, you do not need to take any action.

April 6, 2020​

Alpine Linux Support for Agent-Based Scans​

• Veracode Software Composition Analysis (SCA) now supports the Alpine Linux distribution for agent-based scans.

Organization Rules for Agent-Based Scans​

• Veracode Software Composition Analysis (SCA) now supports configuring rules for agent-based scans at the organization level. Administrators can apply these rules to all workspaces in an organization to efficiently enforce a common security standard.

April 3, 2020​

New API Endpoint for Auditing Agent-Based Scan Events​

• The Veracode SCA Agent REST API includes a new endpoint that provides a detailed audit of events for agent-based scans.

March 17, 2020​

License Risk Details for Agent-Based Scans​

• Veracode Software Composition Analysis (SCA) provides the license risk rating of each open-source license type identified in agent-based scans to help you make informed decisions about acceptable risk.

Gem Support for Containers​

• Agent-based scans now support the gem package manager for scanning Docker containers.

March 16, 2020​

New Video - Set Up an Agent to Scan with Veracode Software Composition Analysis​

This video shows you how to:

• Create a workspace
• Set up an agent
• Start a scan from your command line
• View scan results

March 9, 2020​

ISM endpoint 20.3.5​

• The endpoint installer supports client-side Java and 32-bit Java.
• The endpoint installer supports proxy gateway-only property.
• The endpoint supports running diagnostics through a DSE tunnel.
• The endpoint supports new advanced diagnostics options.
• Consolidated direct diagnostic options and diagnostics options that run through a DSE tunnel.
• The ISM service from the Windows installer runs under the less privileged LocalService account instead of LocalSystem.
• Proxy configuration in the installer no longer requires web access to veracode.com.
• Resolved issue with property merge in the endpoint installer.
• Improved endpoint memory management and out of memory protection.

February 13, 2020​

NPM and Pip Support for Containers​

• Agent-based scans now support the NPM and pip package managers for scanning Docker containers.

January 29, 2020​

Update to Integrated SCA Upload and Scan​

• If you use Veracode Integrated Software Composition Analysis without a Veracode Static Analysis subscription, you can now perform scans using the upload and scan method.

SCA Results Export​

• You can now generate and download your latest Software Composition Analysis results from the Export Data page in the Veracode Platform at any time. This report does not include data from agent-based scans.

January 24, 2020​

New Video - Upload and Scan with Veracode Software Composition Analysis​

• This video shows you how to upload and scan applications with Veracode Software Composition Analysis.

January 15, 2020​

Get Teams List with the SCA Agent REST API​

• The Veracode SCA Agent REST API for Veracode Agent-Based Scan now supports retrieving a list of the teams in an organization, including filtering by the full or partial team name.

October 5, 2023​

Support for JavaScript and TypeScript​

Veracode Fix now provides suggested fixes for JavaScript and TypeScript.

Veracode Fix is now available in the European Region ​

Veracode Fix is now fully supported in the European Region.

December 12, 2023​

Veracode Azure DevOps Extension 3.25.0​

This update includes the following improvements:

• The Flaw Import task and the Upload and Scan task now successfully fail the build when the Fail build if Upload and Scan build step fails checkbox is selected.
• Adds an option to overwrite the iteration path in work items of imported flaws during the next import.

Veracode Integration for Jira Server 4.5.0​

This update adds historical diagnostics data to the Monitoring and Troubleshooting page.

December 4, 2023​

Veracode GitHub Workflow App​

Veracode has released the Veracode Workflow App that allows you to scan your GitHub repositories with Static Analysis, Software Composition Analysis (SCA), and Container Security. The app uses template workflows in a centralized location that you can apply to all repositories across your organization.

The functionality of the app includes:

• Automated scans of up to thousands of repositories from one location
• Static, SCA, and Container Security scans start on developer activity from a single workflow
• Automated scanning does not require developers to configure workflows for individual repositories
• Broad language support

You can download the app from the GitHub marketplace. For more information, view the Veracode documentation.

December 1, 2023​

Veracode Static for Visual Studio 2019 and 2022 v1.9.0​

This update includes the following improvements:

• Adds support for TSRV mitigations.
• Adds support for .NET 7.

November 9, 2023​

Veracode SCA Scan for VS Code 1.3.1​

This update includes the following improvements:

• You can now filter out any findings that are of low importance to your organization by selecting a security policy to apply to your project. To use this feature, your account must have the Unified Policy applied.
• The Vulnerability Details window now includes a link to the related CVE.
• You can now use a debug option to troubleshoot scan errors.
• Minor interface changes.

November 1, 2023​

Veracode Integration for Jira Cloud 4.12.0​

This update includes the following changes:

• The Import Automation page now includes an option for you to retry downloading Detailed Reports that failed to download during import.
• If your account is in the European Region and you select a link in a Jira issue to an application profile, the link now opens the Veracode Platform in the European Region.
• User accounts in the European Region now see the correct values for various fields in imported Jira issues.

October 17, 2023​

Veracode SCA Scan for JetBrains 0.7.1​

This update includes minor performance improvements.

October 13, 2023​

Veracode SCA Scan for VS Code 1.2.1​

This update includes minor performance improvements.

October 4, 2023​

Veracode Integration for Jira Server 4.4.0​

This update adds support for Jira Server version 9.11.2.

September 26, 2023​

Veracode Azure DevOps Extension 3.24.0​

This update includes the following changes:

• End of support for Team Foundation Server (TFS).
• Builds no longer fail when the Fail build if flaw importer build step fails option is cleared and the application name contains special characters.

September 6, 2023​

Veracode Greenlight for IntelliJ 1.9.0​

This updates includes minor performance improvements.

August 31, 2023​

Veracode Integration for Jira Server 4.3.0​

This update includes the following improvements:

• The Monitoring and Troubleshooting page now shows details about the last four imports.
• The Monitoring and Troubleshooting page now includes an option for you to retry downloading Detailed Reports that failed to download during import.

August 17, 2023​

Java API Wrapper 23.8.12.0​

You can now send requests to the Identity REST API from within the Java API wrapper.

August 16, 2023​

Veracode Azure DevOps Extension 3.23.0​

This update includes the following improvements:

• You can now add an iteration path to the work item settings in the Flaw Importer task.
• Adds support for Azure DevOps version 2022 RC2.

August 10, 2023​

Veracode SCA Scan for JetBrains 0.7.0​

This update fixes a minor performance issue.

Veracode Integration for Jira Cloud 4.11.0​

This update includes the following improvements:

• If an imported story for an open-source component with vulnerabilities changes projects, the integration now creates subtasks for SCA vulnerabilities in that story under the new project.
• To avoid failed imports, if the integration encounters errors when it searches for linked Veracode fields, it now skips issue creation for any new findings.

August 8, 2023​

Veracode SCA Scan for VS Code 1.2.0​

This update includes the following improvements:

• The Library Details window now shows the parent dependency for the selected transitive dependency.
• Minor performance updates.

July 28, 2023​

Veracode Greenlight for IntelliJ 1.8.8​

This update includes the following improvements:

• Adds support for IntelliJ version 1.8.7.
• Exception errors no longer appear during Greenlight scans at the file or folder level.

July 27, 2023​

Veracode SCA Scan for JetBrains 0.6.1​

Veracode SCA Scan for JetBrains version 0.6.1 adds support for IntelliJ IDEA version 2023.2.

July 21, 2023​

Introducing Veracode SCA Scan for JetBrains​

Veracode SCA Scan for JetBrains version 0.6.0 is a new extension that integrates Software Composition Analysis (SCA) into the IntelliJ IDEA and PyCharm IDEs. Developers can scan their code to detect security risks in open-source libraries, library dependencies, and licenses. The detailed scan results help developers learn about vulnerabilities, prioritize security fixes, and remediate security issues from within their IDE.

July 20, 2023​

Veracode SCA Scan for VS Code 1.1.0​

This update includes the following improvements:

• You can now select a project to scan when you have multiple projects in VS Code.
• The SCAN OVERVIEW view now shows the name of the project you scanned.
• In the extension settings, you can now enable or disable recursive scanning.
• If your API credentials or the local SCA agent are invalid, the SETUP view now opens after you select Start Scanning or Rescan.
• Spaces in the USER_HOME directory no longer result in an error.

July 14, 2023​

Veracode Integration for Jira Server 4.2.0​

This update fixes an issue where IssueCreatorImpl errors on the Monitoring and Troubleshooting page caused unexpected failures.

Veracode Jenkins Plugin 23.7.22.0​

This update includes the following improvements:

• Improves the usability of the option Show Unstable Status for Failed Policy Evaluation.
• Builds that failed after you upgraded to version 23.5.21.0 now complete successfully.
• Adds support for Jenkins version 2.412.

July 6, 2023​

Veracode Static for Visual Studio 2019 and 2022 v1.8.0​

This update includes the following improvements:

• In the Static Findings window, when you double-click a finding, or right-click a finding and select Go to Line, the selected finding now remains selected.
• After you add a new application to a project and scan it, the extension now adds the details about the new application to the file veracode-project-user.json.

Veracode Integration for Jira Server 4.1.0​

This update includes the following improvements:

• The Import Automation now provides an option that attempts to import any flaws that failed to import. If an import fails, the Import Automation no longer uses the last import date of the failed import.
• The Troubleshooting page now provides a diagnostic dashboard that shows details about the latest import, including information about any errors.

June 26, 2023​

Veracode Greenlight for Visual Studio 2019 and 2022 v1.4.0​

This update improves error handling.

June 15, 2023​

Veracode Greenlight for VS Code Adds Support for .NET 7​

See Veracode Greenlight for VS Code.

June 13, 2023​

C# API Wrapper 23.5.8.8​

You can now provide a proxy host, port, and its credentials in an environment variable. The environment variable name must be https_proxy.

June 5, 2023​

Veracode Azure DevOps Extension 3.22.0​

This update includes the following changes:

• The Upload and Scan task now supports the optional parameter scanpollinginterval.
• You can now configure the Flaw Import task to only import findings from Static Analysis and SCA.
• Minor security improvements.

Veracode SCA Scan for VS Code 1.0.0​

This update adds security improvements.

June 1, 2023​

Veracode Jenkins Plugin 23.5.21.0​

This update includes the following changes:

• Adds a Show Unstable Status for Failed Policy Evaluation option. Select this option to show the job status as Unstable if the scan succeeds but fails the security policy.
• Minor security improvements.

May 22, 2023​

Veracode Integration for Jira Cloud 4.10.0​

This update includes the following changes:

• Findings you import with the Import Automation feature now show the date of the last successful import, instead of the last import.
• When you configure a Selective Import and select the left/right arrows to switch between pages, the selected flaws are no longer cleared.
• Minor security fixes.

May 4, 2023​

Veracode Azure DevOps Extension 3.21.0​

This update includes the following changes:

• Adds support for the lifecyclestage parameter as an optional argument in the Upload and Scan task. This parameter is not supported in YAML.
• The scan polling interval for the Upload and Scan task is no longer twice the expected default value of 120 seconds.

April 27, 2023​

Veracode SCA Scan for VS Code 0.8.0​

This update includes the following improvements:

• You can now filter the VULNERABILITIES view based on direct or transitive libraries.
• The Rescan button is now located at the top of the SCAN OVERVIEW view.
• The SCAN OVERVIEW view is no longer empty when the scan does not find vulnerabilities.
• In the Library Details window, the Last published field now shows the months and days since the vendor last published the library or it shows Unknown.

April 19, 2023​

Veracode Jenkins Plugin 23.4.20.0​

This version includes the following updates:

• Adds Dynamic Analysis scan statuses STOPPED_VERIFYING_PARTIAL_RESULTS and STOPPED_PARTIAL_RESULTS_AVAILABLE.
• Fixes an issue where the scan poll interval for upload and scan was twice the expected default value of 120 seconds.

April 13, 2023​

Veracode Integration for Jira Cloud 4.9.0​

The integration now imports findings from scanned applications with COTS (commercial off-the-shelf) enabled.

April 5, 2023​

Java API Wrapper 23.4.11.2​

This update includes the following changes:

• Adds Dynamic Analysis scan statuses STOPPED_VERIFYING_PARTIAL_RESULTS and STOPPED_PARTIAL_RESULTS_AVAILABLE.
• The logs for scanpollinginterval are now consistent with any imposed time delays during polling.
• Adds support for the -includenewmodules parameter.

March 31, 2023​

Veracode Static for Eclipse 3.8.0​

This update adds support for Eclipse IDE version 2023-03.

March 30, 2023​

Veracode Integration for Jira Cloud 4.8.0​

This version includes the following changes:

• Adds additional logs for troubleshooting.
• To ensure your imported flaws are current, the integration re-imports them after you fix any configuration issues.
• On the Selective Import page, the Flaws Per Page and Next Page options no longer show an error message.

March 27, 2023​

Veracode Jenkins Plugin 23.3.19.0​

This version includes the following changes:

• Addresses the low severity information disclosure issues detailed in CVE-2023-25721 and CVE-2023-25722. For more information, go to the Veracode Community.
• Correctly escapes the -ppassword parameter for a proxy password.

Veracode Azure DevOps Extension 3.20.0​

This version addresses the low severity information disclosure issue detailed in CVE-2023-25722. For more information, go to the Veracode Community.

March 20, 2023​

Veracode SCA Scan for VS Code 0.7.0​

This update includes the following improvements:

• The extension now includes an SCA Agent. After you install the extension, you can install the SCA Agent from within the IDE and start scanning.
• You can point to a vulnerability in the VULNERABILITIES view to see whether it passes the built-in policy.
• The Vulnerability Details window now shows the policy for the selected vulnerability.
• To indicate which vulnerabilities have passed the built-in policy, the VULNERABILITIES view now groups them by Did Not Pass Policy and Passed Policy.

March 8, 2023​

Java API Wrapper 23.3.11.0​

This version includes the following changes:

• You can now provide a proxy host, port, and its credentials in an environment variable. The environment variable name must be https_proxy.
• Displays error messages for code 429 if you exceed the request limit.

March 2, 2023​

Veracode Azure DevOps Extension 3.19.0​

This update adds support for both of the following YAML property values:

• ConnectionDetailsSelection='Endpoint'
• ConnectionDetailsSelection='Service Connection'

March 1, 2023​

Veracode Azure DevOps Extension 3.18.0​

This update includes the following changes:

• Changes the YAML property value ConnectionDetailsSelection='Endpoint' to ConnectionDetailsSelection='Service Connection'. When you upgrade to this new extension, you must update your YAML with the new value name.
• Static Analysis work items now have a Grace Period Expiration field.
• SCA works items now have a First Found Date field and File Path field for vulnerabilities.
• The Summary Report now shows a link to the Scan Details page.
• The extension now fails the build if Development Sandbox scans find SCA vulnerabilities.
• Builds no longer fail when the Fail build if Upload and scan build steps fails option is cleared, but the application name contains special characters.

February 28, 2023​

Veracode Greenlight for IntelliJ Supports IntelliJ v2022.2.3​

Veracode Greenlight v1.8.7 adds support for IntelliJ v2022.2.3.

February 22, 2023​

Updated Identity REST API​

You can now use the Identity REST API to manage Veracode API credentials for API service accounts, also called API users.

February 9, 2023​

Updated Veracode SCA Scan for VS Code​

Veracode SCA Scan for VS Code version 0.6.0 includes the following updates:

• Adds a Create a Case link that you can use to send a support case to Veracode Technical Support.
• Adds a Leave Feedback link that you can use to provide feedback in a survey.
• Fixes an issue where the extension did not verify undefined or null values.

February 3, 2023​

Mandatory Upgrade for Veracode Greenlight for IntelliJ​

Veracode Greenlight for IntelliJ version 1.8.6 supports a recent change to the Greenlight API. To continue using this plugin, you must upgrade to this version by February 13, 2023.

February 2, 2023​

Mandatory Upgrade for Veracode Greenlight for Eclipse​

Veracode Greenlight for Eclipse version 2.9.7 includes these changes:

• Supports a recent change to the Greenlight API. To continue using this plugin, you must upgrade to this version by February 13, 2023.
• Fixes a refresh issue that flashes various status messages at the bottom of the Eclipse interface.

February 1, 2023​

Updated Java API Wrapper​

Veracode Java API Wrapper version 23.1.10.5 adds logic to identify and remove unicode application names from the XML response.

Veracode Mobile Application Packager Has Reached End of Life​

Veracode Mobile Application Packager is now End of Life (EOL) and is no longer supported by Veracode Technical Support. To compile and package tvOS or iOS applications that you developed in the Xcode IDE, see the packaging requirements.

January 30, 2023​

Mandatory Greenlight Upgrades for Eclipse and IntelliJ​

Veracode has made a change to the Greenlight API that will impact the following plugins.

• Veracode Greenlight for Eclipse version 2.9.6 and earlier
• Veracode Greenlight for IntelliJ version 1.8.5.2022 and earlier

New versions of these plugins will be available on February 2, 2023 and February 3, 2023, respectively. To continue using these plugins, you must upgrade to the new versions by February 13, 2023.

January 23, 2023​

Veracode Integration for Jira Supports Jira Server 9​

Veracode Integration for Jira version 4.0.1 adds support for Jira Server 9. This integration no longer supports Jira Server 8.6.0 and earlier.

January 17, 2023​

Introducing Veracode SCA Scan for VS Code​

Veracode SCA Scan for VS Code version 0.5.0 is a new extension that integrates Software Composition Analysis (SCA) into VS Code. Developers can scan their code to detect security risks in open-source libraries, library dependencies, and licenses. The detailed scan results help developers learn about vulnerabilities, prioritize security fixes, and remediate security issues from within their IDE. Version 0.5.1 only removes an obsolete README.

January 10, 2023​

Renaming the ConnectionDetailsSelection='Endpoint' YAML Property​

In February 2023, Veracode will release a new Azure DevOps Extension that uses the YAML property value ConnectionDetailsSelection='Service Connection' rather than the current value ConnectionDetailsSelection='Endpoint'. When upgrading to this new extension, you must update your YAML with the new value name.

January 5, 2023​

Improved Veracode Azure DevOps Extension​

Veracode Azure DevOps Extension version 3.17.0 includes the following improvements:

• Renamed the Veracode Analysis Center link to Veracode Platform.
• The extension no longer fails a pipeline build if it has a policy assessment of Conditional Pass, even if the Fail build if application fails security policy checkbox is selected.
• Fixed a minor error-handling issue when the build artifact directory is empty.
• The Flaw Import task now fails the build when importing flaws with an unsupported process template and the Fail build if flaw importer build step fails checkbox is selected.

January 3, 2023​

Improved Veracode Integration for Jira Cloud​

Veracode Integration for Jira Cloud version 4.7.0 now successfully loads the Findings Import page when importing large Jira projects.

December 19, 2022​

Improved Veracode Integration for Jira Server​

Veracode Integration for Jira Server version 3.38.0 includes the following improvements:

• Jira tickets from imported Static Analysis flaws now show the detected CWEs with a dash instead of an underscore. This CWE format matches the results in the Veracode Platform. For example, CWE_123 is now CWE-123.
• Jira tickets from imported SCA vulnerabilities now support the Mitigation Status and Mitigation Status Description fields.

December 15, 2022​

Veracode Mobile Application Packager is Deprecated​

Veracode Mobile Application Packager is now deprecated and will be obsolete on February 1, 2023.

December 14, 2022​

Veracode for VS Code Renamed to Veracode Greenlight for VS Code​

Veracode for VS Code version 1.6.0 includes the following updates:

• Changed the name of the extension to Veracode Greenlight for VS Code.
• Using File > Save on a single file now saves only that file, not all unsaved files.

December 13, 2022​

Veracode Azure DevOps Extension Fixes Link to Veracode Platform​

Veracode Azure DevOps Extension version 3.16.0 fixes the link on the Veracode Scan Summary tab. The link now opens the scan results in the Veracode Platform instead of the Application page.

December 6, 2022​

Updated Veracode Static for Visual Studio​

Veracode Static for Visual Studio version 1.7.0 fixes an issue where the extension could not authenticate with Veracode from a European Region instance.

November 16, 2022​

Updated Veracode Integration for Jira​

Veracode Integration for Jira version 3.37.0 fixes an issue where the plugin ignores all remaining applications after attempting to import findings from an application with COTS enabled.

November 14, 2022​

Updated C# API Wrapper​

Veracode C# API wrapper version 22.10.8.6 includes these updates:

• Fixed an error that can occur if the filename of an uploaded file contains certain characters or symbols. For example, ~ ^ ' { }
• The -debug parameter now logs timestamped messages that identify connectivity issues, error conditions, and the status of various composite actions.

Improved Veracode Greenlight for IntelliJ​

Veracode Greenlight for IntelliJ version 1.8.5 adds support for IntelliJ IDEA 2022.2.3.

October 27, 2022​

Java API Wrapper Has Improved Error Handling​

Veracode Java API Wrapper version 22.10.10.4 now cancels any scans that exceed the upload limit.

October 21, 2022​

Veracode Azure DevOps Extension Now Supports Automatic Deletion of Incomplete Scans​

Veracode Azure DevOps Extension version 3.15.0 adds options for deleting incomplete scans in your pipeline. When configuring the extension, you can add -deleteincompletescan as an optional argument or add -deleteIncompleteScan as a YAML property.

Updated Veracode Static for Visual Studio​

Veracode Static for Visual Studio 2019 and 2022 version 1.6.0 includes these changes:

• Fixed an issue where web projects inside folders did not publish.
• Fixed an issue where the scan progress bar in the IDE displayed as incomplete after clicking Custom Workflow.
• Run Scan button in the IDE is now disabled when the scan status is in a failed state. In the Veracode Platform, you also see a warning message to resolve this issue.

September 29, 2022​

Updated Greenlight for Eclipse​

Greenlight for Eclipse version 2.9.6 includes minor security and documentation updates.

September 22, 2022​

Improved Finding Import Performance for Veracode Integration for Jira Cloud​

Veracode Integration for Jira Cloud version 4.6.0 adds a new filter that only imports findings with new scan data, policy changes, or changes to applied mitigations since the last import.

September 13, 2022​

Java API Wrapper JavaDoc Update​

In Veracode Java API Wrapper version 22.9.10.3 the documentation available in the wrapper installation file now describes the Credentials class.

August 29, 2022​

Veracode Azure DevOps Extension Has Improved Flaw Importer Task​

Veracode Azure DevOps Extension version 3.14.0 includes the following improvements to the Flaw Importer Task.

• Uses fewer calls to complete flaw imports.
• Fixes an issue where flaws without comments did not sync or close.
• Fixes an issue where development sandbox findings did not import.

August 12, 2022​

Veracode TeamCity Plugin Now Supports Automatic Deletion of Incomplete Scans​

Veracode TeamCity Plugin version 2.7.0 adds configuration options for deleting incomplete scans.

August 9, 2022​

Veracode Integration for Jira Server Now Retries Downloading the Detailed XML Report​

Veracode Integration for Jira version 3.36.0 fixes an issue where the integration did not create tickets of imported flaws if it could not retrieve the Detailed XML Report. The integration now attempts to retrieve the Detailed XML Report during the next import cycle.

July 27, 2022​

Updated C# API Wrapper​

Veracode C# API wrapper version 22.8.8.5 includes these updates:

• Supports the -debug parameter.
• Fixes an issue to filter out Dynamic Analysis results.
• Adds transaction ID header to uploadandscan.

July 20, 2022​

Veracode Azure DevOps Extension Now Supports Importing SCA Vulnerabilities as Work Items​

Veracode Azure DevOps Extension version 3.13.0 updates the Flaw Importer task to support importing Software Composition Analysis (SCA) vulnerabilities as work items.

July 14, 2022​

Veracode Jenkins Plugin Now Supports Automatic Deletion of Incomplete Scans​

Veracode Jenkins Plugin version 22.6.18.0 adds configuration options for deleting incomplete scans.

June 27, 2022​

Improved Finding Import Performance for Veracode Integration for Jira Server​

Veracode Integration for Jira Server version 3.35.0 adds a new filter that only imports findings with new scan data, policy changes, or changes to applied mitigations since the last import.

June 22, 2022​

Deprecation of Admin XML APIs​

Veracode has deprecated the Admin XML APIs for user and team management. End-of-support for these APIs is scheduled for June 30, 2023. Veracode recommends that you begin updating your automations to use the Identity REST APIs. Also, enabling the Single Sign-on and Just-in-Time Provisioning feature automatically disables the Admin XML APIs for user management. Before enabling this feature, ensure all of your automations are using the Identity APIs.

June 8, 2022​

Updated Veracode Static for Visual Studio (New)​

Veracode Static for Visual Studio (New) version 1.5.0 includes these changes:

• Change the scan name from the name that Veracode generates and assigns during scanning.
• Import and review XML scan results from Veracode Detailed Reports.

May 18, 2022​

Java API Wrapper Updates -deleteincompletescan Parameter with Backward Compatibility​

Java API Wrapper version 22.5.10.1 updates the -deleteincompletescan parameter to be backward compatible with Java API wrapper versions earlier than 22.5.10.0, which released on May 4, 2022. After upgrading the wrapper, the parameter value automatically changes from boolean to an integer:

• If set to true, the value changes to 1.
• If set to false, the value changes to 0.

May 4, 2022​

Java API Wrapper Has Improved -deleteincompletescan Parameter​

Java API Wrapper version 22.5.10.0 includes changes to the -deleteincompletescan parameter for deleting incomplete scans when running the uploadandscan action. This parameter now accepts an integer value, rather than boolean, for deleting an incomplete scan based on the scan status.

April 15, 2022​

Introducing New Veracode Static Extensions for Visual Studio 2019 and 2022​

Veracode Static for Visual Studio version 1.4.0 is a new extension for adding Static Analysis to Visual Studio 2019 and 2022. The new extension for Visual Studio 2019 provides major improvements compared to our current legacy extension for version 2019, which Veracode continues to support.

The extensions include these features:

• Improved user experience for developers.
• Powerful Summary View grid for reviewing and managing findings.
• Streamlined workflow for building, packaging, and scanning your code.
• Support for policy and sandbox scans.

An extension for each Visual Studio version is available from the Visual Studio Marketplace.

April 12, 2022​

Veracode Greenlight Now Supports the New Visual Studio 2019 and 2022​

Veracode Greenlight for Visual Studio version 1.3.184.96 is a new extension for adding Greenlight scanning to the newer versions of Visual Studio 2019 and 2022. An extension for each Visual Studio version is available from the Visual Studio Marketplace.

March 9, 2022​

Updated Azure DevOps Extension​

Veracode Azure DevOps Extension version 3.10.0 includes these changes:

• TFS 2017 is no longer supported.
• TFS 2018 support now requires Azure Pipeline Agent 2.196.2 or later.
• Flaw Importer task can now import custom fields when using custom process templates.
• Flaw Importer task can now overwrite the area path in work items when importing flaws.

December 10, 2021​

Veracode Integration for CA Agile Central/Rally Now End-of-Life​

• The Veracode Integration for CA Agile Central/Rally is now end-of-life and no longer supported. The plugin and documentation are no longer available. To avoid potential security vulnerabilities, Veracode strongly recommends that you uninstall this integration. To integrate with other ticketing systems, visit the Veracode Integrations Hub.

November 22, 2021​

Java API Wrapper Now Retries Requests​

• Veracode Java API Wrapper version 21.11.9.0 updates the maxretrycount parameter to now retry requests that fail due to certain error conditions. Previously, this parameter polled for failed build status and only applied to the uploadandscan action.

October 18, 2021​

Veracode Greenlight for IntelliJ Supports Additional IntelliJ IDEA Versions​

• Veracode Greenlight for IntelliJ version 1.7.0 adds support for IntelliJ IDEA 2019.3–2021.2.3. If you are using IntelliJ IDEA 2020 or later, you must install JavaFX Runtime for Plugins.

October 8, 2021​

Improved Veracode Greenlight for IntelliJ​

• Veracode Greenlight for IntelliJ version 1.6.0 adds support for IntelliJ IDEA 2019.3–2021.1.3. If you are using IntelliJ IDEA 2020 or later, you must install JavaFX Runtime for Plugins.

July 8, 2021​

New Video - Use the Jenkins Credentials Binding Plugin to Protect Your Veracode Credentials​

This video shows you how to:

• Use the Jenkins Credentials Binding plugin to bind your Veracode API credentials to environment variables
• Generate a script containing the bound environment variables
• Add this script to your Jenkins pipeline script

June 23, 2021​

Veracode Integration for Jira Supports the Jira Select List Field Type for Multiple Choices​

• The Veracode Integration for Jira version 3.30.0 adds support for the Select List (multiple choices) field type. You can use this field type to map data from Veracode custom fields or a Veracode Detailed XML report to standard or custom fields in Jira Server issues.

May 18, 2021​

Veracode Integration for Jira Cloud Supports the Select List Field Types​

• The Veracode Integration for Jira Cloud version 3.7.0 adds support for the Select List (single choice) and Select List (multiple choices) field types. You can use these field types to map data from Veracode custom fields or a Veracode Detailed XML report to standard or custom fields in Jira Cloud issues.

April 30, 2021​

Veracode Azure DevOps Extension Has Renamed YAML Property and Improved Logging​

Veracode Azure DevOps Extension version 3.5.0 includes these changes:

• For YAML pipelines with the Flaw Importer task, Veracode renamed the optargs property to proxySettings. This new name more accurately identifies the valid values for this property. Ensure you update your pipelines with this new property name.
• Added logs, with error messages, for invalid or missing values. The errors apply to both standard and YAML pipelines.

April 22, 2021​

Java API Wrapper Adds Parameter for Deleting Incomplete Scans Automatically​

Veracode Java API Wrapper version v21.2.7.5 includes these changes:

• New deleteincompletescan parameter for automatically deleting scans that did not complete due to one or more errors.
• Additional debug logs for troubleshooting upload and scan issues.

April 20, 2021​

Veracode Integration for Jira Supports the Select List Field for a Single Choice​

• The Veracode Integration for Jira version 3.29.0 adds support for the Select List (single choice) field type. You can use this field type to map data from Veracode custom fields or a Veracode Detailed XML report to standard or custom fields in Jira issues.

March 24, 2021​

Veracode Greenlight for VS Code Now Requires the JRE​

• Veracode Greenlight for VS Code version 1.4.0 introduces a change that requires you to install a current version of the Java Runtime Environment (JRE) and set your Java PATH.

March 19, 2021​

New Video - Create and Manage API Service Accounts with the Identity API]​

This video shows you how to:

• Create an API service account
• Create teams
• Assign user roles and teams to API service accounts
• Update an API service account

February 23, 2021​

Updated Video - Working with Scan Results Using Veracode Static for Visual Studio​

• This video shows you how to download, import, and view Veracode scan results using Veracode Static for Visual Studio. You can also learn how to mitigate findings discovered during the scan in Visual Studio.

Veracode Jenkins Plugin No Longer Encrypts Non-Sensitive Data for Build Jobs​

• Starting with Veracode Jenkins Plugin version 21.2.12.0, the plugin no longer encrypts non-sensitive data stored in the config.xml file for a build job. This change enables you to import jobs between Jenkins instances.

February 5, 2021​

Updated Veracode Azure DevOps Extension​

Veracode Azure DevOps Extension version 3.4.0 includes these updates:

• Use YAML to add Veracode analysis to build pipelines.
• Use YAML to import findings as work items into Azure DevOps.
• Include mitigation and annotation comments when importing new findings as work items.
• Set a timeout to fail a build if Veracode analysis does not complete within a specified time.

December 23, 2020​

Updated Video - Build and Upload Files to Scan Using Veracode Static for Visual Studio​

• This video shows you how to prepare a build of your application using Veracode Static for Visual Studio and upload the build to a new or existing application profile in your Veracode portfolio.

December 17, 2020​

Veracode Static for IntelliJ Supports Mitigation Proposals in TSRV Format​

• Veracode Static for IntelliJ version 3.2.1 now supports submitting mitigation proposals using the Technique, Specifics, Remaining Risk, and Verification (TSRV) format. If you have a Mitigation Proposal Review (MPR) subscription, you are required to use the TSRV format when proposing mitigations from within IntelliJ.

December 11, 2020​

Veracode Java Wrapper Provides Improved Diagnostic Information​

• The Veracode Java wrapper version 20.12.7.3 provides improved debug-level, diagnostic information. You can include the debug parameter in your command to show this diagnostic information in the output.

New REST APIs for Findings, Development Sandboxes, and Summary Reports​

Veracode now provides these REST APIs:

• Annotations API for commenting on findings and proposing, accepting, and rejecting mitigations. You can combine this API with the Findings API to manage applications.
• Development Sandbox API for creating, updating, and deleting sandboxes. You can combine this API with the Applications API to manage both applications and sandboxes.
• Additional Findings APIs for obtaining detailed findings information for a static analysis or dynamic analysis and generating Summary Reports.

December 9, 2020​

New Video - Reviewing Findings in Veracode Greenlight for VS Code​

This video shows you how to:

• Link findings in source code
• Filter Veracode findings
• Ignore findings in Veracode Greenlight for VS Code results
• Stop ignoring findings in Veracode Greenlight for VS Code results

November 19, 2020​

Docker Hub Images for the Java API Wrapper, the Python Authentication Library, and the Pipeline Scan​

Veracode now provides these products as container images on Docker Hub:

• Java API wrapper
• Python authentication library to enable HMAC for Veracode APIs
• Pipeline Scan

Veracode Static for Eclipse Now Supports Mitigation Proposals in TSRV Format​

• Veracode Static for Eclipse version 3.5.0 now supports submitting mitigation proposals using the Technique, Specifics, Remaining Risk, and Verification (TSRV) format. If you have a Mitigation Proposal Review (MPR) subscription, you are required to use the TSRV format when proposing mitigations from within Eclipse.

Veracode Integration for Jira Cloud Improves Findings Import Options​

The Veracode Integration for Jira Cloud version 3.5.0 includes these improvements:

• Uses mapped custom fields in the Veracode Platform when assigning issues of imported findings. If Veracode custom fields are not mapped to Jira fields, Jira Cloud assigns the issues to the default assignee for the Jira project.
• Adds the ability to map Jira Cloud fields to Veracode Platform fields for SCA components and SCA vulnerabilities.

October 6, 2020​

Install Veracode Greenlight for VS Code to Run Greenlight Scans​

• This video shows you how to how to install the Veracode Greenlight for VS Code extension. The Veracode Greenlight for VS Code extension is available from the Visual Studio Marketplace.

October 1, 2020​

Veracode Static for IntelliJ Supports the Veracode API Credentials File​

• Veracode Static for IntelliJ version 3.2.0 allows you to store your Veracode API credentials securely in an external file.

September 30, 2020​

Introducing Veracode for GitHub​

• Veracode for GitHub enables you to use GitHub Actions for performing static analysis of your application source code from within GitHub. Veracode provides preconfigured GitHub Actions for uploading your code to Veracode for static analysis or running a pipeline scan from within your GitHub development workflow.

September 24, 2020​

Veracode Static for Eclipse Supports the Veracode API Credentials File​

• Veracode Static for Eclipse version 3.4.1 allows you to store your Veracode API credentials securely in an external file.

September 11, 2020​

Veracode Integration for Jira Cloud Adds Description Field Override Option​

• The Veracode Integration for Jira Cloud version 3.4.0 adds the global option for overriding the Description field in Jira issues. When importing findings as issues into Jira Cloud, this option replaces any content in the issue Description field with your provided text.

September 10, 2020​

Veracode Greenlight for Eclipse Free Trial Option Removed​

• Veracode Greenlight for Eclipse version 2.8.8 removes the free trial option from the Eclipse plugin. Veracode no longer provides a free trial of Greenlight for the Eclipse IDE.

August 29, 2020​

Changes to deletesandbox.do and deletebuild.do XML API Calls​

• To improve the performance of the deletebuild.do and deletesandbox.do XML API calls, these calls now return an HTTP 200 response and a summary of the deleted items, instead of a list of items remaining after deletion. These calls also use new schema files.

August 13, 2020​

Veracode Integration for Jira Adds Description Field Override Option​

• The Veracode Integration for Jira version 3.25.0 adds the global option for overriding the Description field in Jira issues. When importing findings as issues into Jira Server, this option replaces any content in the issue Description field with your provided text.

August 12, 2020​

New Video - Configure the Veracode API Credentials file on Windows​

• This video shows you how to generate Veracode API credentials in the Veracode Platform and configure a Veracode API credentials file for storing your Veracode API credentials on Windows.

New Video - Configure the Veracode API Credentials File on macOS and Linux​

• This video shows you how to generate Veracode API credentials in the Veracode Platform and configure a Veracode API credentials file for storing your Veracode API credentials on macOS and Linux.

July 28, 2020​

Veracode C# API Wrapper Supports the Veracode API Credentials File​

• The Veracode C# API wrapper version 20.7.8.0 now supports the Veracode API credentials file for storing your API credentials securely in an external file. If your API credentials file contains multiple credentials, you can use the new -credprofile parameter to specify the profile to use for Veracode authentication. The existing -vid and -vkey parameters, for specifying your API credentials at the command line, are now optional.

July 23, 2020​

Veracode Java API Wrapper Supports the Veracode API Credentials File​

• The Veracode Java API wrapper version 20.7.7.0 now supports the Veracode API credentials file for storing your API credentials securely in an external file. If your API credentials file contains multiple credentials, you can use the new -credprofile parameter to specify the profile to use for Veracode authentication. The existing -vid and -vkey parameters, for specifying your API credentials at the command line, are now optional.

June 25, 2020​

Introducing Veracode for AWS CodeStar​

• Veracode for AWS CodeStar version 1.0.0 enables you to add Veracode Static Analysis and Veracode Software Composition Analysis (SCA) as a build stage in your AWS CodePipeline. You can review the results of each analysis in the Veracode Platform.

Veracode Integration for Jira Improves Issue Assignment of Imported Findings​

• The Veracode Integration for Jira version 3.24.0 can now use mapped custom fields in the Veracode Platform when assigning issues of imported findings. If Veracode custom fields are not mapped to Jira fields, Jira Server assigns the issues to the default assignee for the Jira project.

June 16, 2020​

Veracode Jenkins Plugin Now Open Source and on Jenkins Marketplace​

• The Veracode Jenkins Plugin version 20.6.10.0 is an open-source plugin that Veracode is distributing with an MIT license. You can download the plugin from both the Jenkins Marketplace and the Plugin Manager within Jenkins. The plugin source code is available from GitHub.

June 10, 2020​

Introducing Veracode for Artifactory

The new Veracode for Artifactory version 1.3.0 allows you to perform security scanning of your application artifacts from within Artifactory. This release includes these features:

• Static analysis of your application artifacts from within Artifactory using manual scans, scheduled scans, or event-triggered scans.
• Support for Artifactory High Availability (HA) clusters.
• Python script to automate tagging artifacts with the required properties for static analysis.

May 29, 2020​

Veracode Integration for Jira Cloud Adds Findings Import Options​

The Veracode Integration for Jira Cloud version 3.3.0 adds these new options for importing findings from Veracode to Jira Cloud:

• Automatically assign imported findings to a Jira Cloud epic or link them to a related issue.
• Map string, number, and date/time data types from Veracode fields to text, number, and date/time field types in Jira Cloud. The integration imports the values from the Veracode fields to fields in Jira Cloud issues.

May 28, 2020​

Veracode Greenlight for IntelliJ Supports IntelliJ 2020.1​

• Veracode Greenlight for IntelliJ version 1.5.3 adds support for IntelliJ IDEA Ultimate and Community 2020.1. This release also allows you to store your Veracode API credentials in an external file.

May 21, 2020​

Veracode Greenlight for Eclipse Supports Eclipse 2020-03​

• Veracode Greenlight for Eclipse version 2.8.7 adds support for Eclipse 2020-03 and allows you to store your Veracode API credentials in an external file.

May 19, 2020​

Veracode Azure DevOps Extension Adds New Scan Summary for Multi-Stage Pipelines​

• The Veracode Azure DevOps Extension version 3.1.0 shows scan results in a new Veracode Scan Summary tab to support multi-stage pipelines.

May 7, 2020​

Veracode Integration for Jira Adds Findings Import Options​

The Veracode Integration for Jira version 3.23.0 adds these new options for importing findings from Veracode to Jira Server or Jira Data Center:

• Automatically assign imported findings to a Jira epic or link them to a related issue.
• Map string, number, and date/time data types from Veracode fields to text, number, and date/time field types in Jira. The integration imports the values from the Veracode fields to fields in Jira issues.

April 10, 2020​

Veracode Integration for Jira Supports Jira Server 8.7.x​

• The Veracode Integration for Jira version 3.22.1 adds support for Jira Server and Jira Data Center 8.7.x.

Updated Video - Install Veracode Static for Visual Studio​

This video shows you how to:

• Install Veracode Static for Visual Studio
• Generate API credentials in the Veracode Platform
• Configure an API credentials file for storing your API credentials

March 24, 2020​

Veracode Azure DevOps Extension Removes Basic Authentication​

• The Veracode Azure DevOps Extension version 3.0.0 removes basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.

February 21, 2020​

Veracode Greenlight for Eclipse Supports Eclipse IDE 2019-12​

• Veracode Greenlight for Eclipse version 2.8.6 adds support for Eclipse IDE 2019-12 (4.14).

February 14, 2020​

Veracode Greenlight for IntelliJ Supports IntelliJ IDEA 2019.3​

• Veracode Greenlight for IntelliJ version 1.5.1 adds support for IntelliJ IDEA Ultimate and Community 2019.3.

February 12, 2020​

Veracode Jenkins Plugin Removes Basic Authentication​

• The Veracode Jenkins Plugin version 20.2.6.1 removes basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.

January 31, 2020​

Veracode Static for Eclipse Supports Eclipse 2019-09​

• Veracode Static for Eclipse version 3.4.0 replaces the Veracode Eclipse Plugin. This version adds support for Eclipse 2019-09. It also adds support for Java Runtime Environment (JRE) 11 and 13.

• You can no longer use basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.

January 24, 2020​

Veracode Static for IntelliJ Supports IntelliJ IDEA 2019.3​

• Veracode Static for IntelliJ version 3.0.0 replaces the Veracode IntelliJ Plugin. This version supports IntelliJ IDEA Ultimate and Community 2017.x to 2019.3. It also adds support for Java Runtime Environment (JRE) 11 and 13.

• You can no longer use basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.

January 23, 2020​

Updated Veracode Integration for Jira​

The Veracode Integration for Jira version 3.22.0 includes these updates:

• Removes support for basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.
• Enhances Jira logging, so that you can more easily read the logs.
• Improves the performance of importing findings from the Veracode Platform to Jira using custom fields.

January 17, 2020​

Veracode Static for Visual Studio Supports Visual Studio 2019​

• Veracode Static for Visual Studio version 4.0.0.1 replaces the Veracode for Visual Studio Extension. This version supports Visual Studio 2015, 2017, and 2019. In Visual Studio 2015 and 2017, the name of the top-level Veracode menu is now Veracode Static. In Visual Studio 2019, the Veracode Static menu appears under the Extensions menu.

• You are required to configure an API credentials file, which you use to provide your Veracode API ID and key credentials to Veracode Static for Visual Studio.

January 8, 2020​

Updated Veracode Integration for Jira Cloud​

The Veracode Integration for Jira Cloud version 3.2.0 includes these updates:

• Adds a new Veracode Integration Severity Mappings page in the Jira Cloud interface for mapping severities from the Veracode Platform to your customized priorities in Jira Cloud.
• On the Veracode Integration Field Mapping page in the Jira Cloud interface, the Veracode Platform column adds these new options:
• A Description (overwrite) option to have the content from a selected Veracode Platform field overwrite the Description field in Jira Cloud upon import. If the selected Veracode Platform field is empty, the mapping erases the contents of the Description field in Jira Cloud.
• An option for mapping Veracode SCA component paths.
• Removes basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.

Developer Training​

View the list below for highlights of previous releases.

November 23, 2020​

Auto-Extend for eLearning Enabled by Default​

• The default setting for new Veracode eLearning course track assignments is to automatically extend when their subscription periods end.

Improved eLearning Performance​

• Veracode has increased the loading speed of the My Team's Courses page in Veracode eLearning.

October 29, 2020​

Improvements to eLearning​

Veracode has made these improvements to eLearning:

• eLearning administrators can now assign a learner to multiple eLearning curricula.
• Veracode added seven new Secure Coding Foundation courses to learner level 1. Learners who previously completed level 1 must take the newly-added courses to complete this level. Because each level depends on the previous level, these levels show as incomplete until the learner completes them.
• The eLearning report for learners now includes a Date Started column.
• The eLearning settings have been removed from the Admin > Manage Users page. All eLearning administration actions are now available from the Admin > eLearning page. This page provides a centralized location where you can use filtering options and perform all actions on one or more learners.
• The eLearning fields have been removed from the SAML Self-Registration page.

August 29, 2020​

Improvements to Security Labs​

Veracode has made these improvements to Security Labs:

• Integration with the Veracode Platform. By default, if you have the Security Labs User role, Veracode automatically creates your Security Labs account in the Platform. If you have the Administrator role, you automatically have administrator permissions within Security Labs.
• New Assignment Creation wizard. When creating a new set of lab assignments on the Assign Content page, you can now get suggested lab assignments based on a focus. For example, Beginner/Intermediate/Advanced, PCI Training, Backend/Frontend, or Competition.
• New Scala labs for the OWASP Top 10. These labs use the Play framework.

June 27, 2020​

Enhancements to eLearning Curriculum Creation​

• Veracode has improved the user interface for creating an eLearning curriculum to make it easier for administrators to identify courses to add to a curriculum. The new user interface now includes the length and description of each course. When selecting courses, the administrator can also use a checkbox to make courses required.

June 2, 2020​

Bulk Actions for eLearning Administrators​

• Veracode eLearning administrators can now apply actions, including assigning learners to tracks or curricula and enabling automatic track extensions, to multiple users at once. This enhancement simplifies the process of onboarding and managing eLearning users.

November 27, 2023​

Free trial of DAST Essentials​

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

November 27, 2023​

Free trial of DAST Essentials ​

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

October 17, 2023​

New Veracode Analytics fields available​

The new Second Party Component and Fixable (Yes / No) fields in the Veracode Analytics Findings explore are now available.

October 16, 2023​

New Veracode Analytics fields available in European Region ​

The new Second Party Component and Fixable (Yes / No) fields in the Veracode Analytics Findings explore are now available in the European Region.

September 29, 2022​

New Application Security Platform features available in European Region ​

The following features are now available in the European Region.

• CWE Top 25 now reflects 2022 version
• Issue vulnerability count update in Analytics
• Sandbox Information Available in Unsubmitted Scans Report

July 19, 2023​

Upgrade to Looker 22.20​

Veracode has upgraded Analytics to use version 22.20 of the Looker platform. All existing dashboards now reflect the new Looker experience.

This upgrade introduces a known issue that prevents you from scrolling in the Timeline visualization. Additionally, you may experience an issue that automatically enables the Row Totals column in some pivot tables, which can cause rows to be double counted in stacked visualizations. To fix this issue, edit the dashboard and visualization, clear the Row Totals option, and save your changes.

Updated Security Program Overview Dashboard​

The default number of applications displayed in the What is my policy compliance over time? section of the Security Program Overview dashboard in Veracode Analytics has decreased from 100 to 25.

To view additional applications, customize the visualization and adjust the Application Rank by Published Date Descending filter.

July 15, 2022​

CWE Top 25 Now Reflects 2022 Version​

The Auto-Update CWE Top 25 security standard that you use in Veracode policies now reflects the 2022 CWE Top 25 list.

June 28, 2022​

Updated Single Sign-On and Just-In-Time Provisioning​

New single sign-on (SSO) and Just-In-Time (JIT) provisioning capabilities in the Veracode Platform improve reliability and supportability and extend the roles that JIT provisioning supports. Before using this feature, you must update your SSO settings in your identity provider.

To begin the process of enabling these capabilities, contact Veracode Support.

May 19, 2022​

The Issues Vulnerability Count Measure Changed​

Issues Vulnerability Count now includes only issues where the Issue Type is a Vulnerability Issue. In the past, this measure included the count of Vulnerability, License, and Library issues. The calculation of Issues Vulnerability Count is still based on the filters you select.

• Issues Issue Count: count of issues, regardless of type
• Issues Vulnerability Count: count of vulnerability issues
• Issues Libraries with Issues: total number of unique libraries with at least one issue

May 10, 2022​

Sandbox Information Available in Unsubmitted Static Scans Data Export​

Veracode has added sandbox information to the Unsubmitted Static Scans data export to make it easier to find the incomplete static scans for an application.

SCA dashboards available in Analytics ​

Data from Veracode Software Composition Analysis (SCA) agent-based scans and upload scans is now available in Veracode Analytics for the European Region. The predefined Veracode dashboards, including the SCA Findings dashboard, now contain SCA scan data. You can also use the Findings, SCA Agent-Based Scans, and SCA Agent-Based Scan Issues data explores for custom reporting.

May 6, 2022​

End of Support for Internet Explorer 11​

Veracode will no longer support Microsoft Internet Explorer 11 after June 30, 2022. This change follows the Microsoft updates to its support model for Internet Explorer. Veracode recommends that you switch to a supported browser to avoid issues.

Official Support for Microsoft Edge​

The Veracode Docs are updated to confirm that Microsoft Edge is a supported browser.

May 3, 2022​

Support cases and scheduled consultations now available ​

You can now raise a support case and schedule a consultation from the Veracode Platform in the European Region.

Veracode Platform services updated to current versions ​

Applications and policies for the European Region now run on the current versions in the Veracode Platform.

April 4, 2022​

Improved Team Management in the Veracode Platform​

Veracode has improved the usability of the team management options on the Administration page in the Veracode Platform.

March 22, 2022​

View Applications by Policy Evaluation Date​

You can now view the date and time of the most recent event that triggered a policy evaluation for an application in a new field in the Applications REST API and the Applications list in the Veracode Platform. You can use this field to search for applications that have had new scans or approved mitigations since the listed date.

December 9, 2021​

OWASP Top 10 2021​

• The Auto-Update OWASP requirement available for application security policies now reflects the 2021 version of the OWASP Top 10.

November 5, 2021​

New Veracode Documentation URL​

• The Veracode Documentation website is moving to a new URL at https://docs.veracode.com. Any links to https://help.veracode.com will continue to work.

Deprecation of Veracode Documentation PDFs​

• Veracode has deprecated the PDF files of publications available on the Veracode Documentation website. By December 2021, you will no longer be able to download these PDFs, but you can create custom PDFs using the print feature in your browser. To create a custom PDF, click Print (printer icon) in a publication title bar or to the right of a topic title, select the topics to include or exclude, then click Print.

September 28, 2021​

API Rate Limit Enforcement​

• Veracode is now enforcing API rate limiting to ensure optimal performance and availability of Veracode services.

September 15, 2021​

Updated Subprocessor List​

• Veracode has updated the list of subprocessors used to process customer personal information.

August 31, 2021​

2021 CWE Top 25 Support​

• The Auto-Update CWE Top 25 policy rule in Veracode security policies now reflects the 2021 CWE Top 25 standard. In a future release, Veracode will add the option to specifically select the 2021 CWE Top 25 standard in policy rules.

CWE 4.5 Support​

• Veracode CWE support now reflects the changes MITRE introduced in version 4.5 of the CWE list.

August 12, 2021​

Updated Video - Create a Policy in the Veracode Platform​

• This video shows you how to create a custom policy in the Veracode Platform.

July 20, 2021​

Improved Veracode Onboarding Experience​

• Veracode has improved the onboarding experience to help developers and application security managers get started with Veracode. In the Veracode Platform, select Resource Center > Getting Started to open the new Getting Started with Veracode guidance, which provides a walk-through of Veracode products and training offerings.

July 8, 2021​

Updated Video - Create a New Application Profile in the Veracode Platform​

• This video shows you how to create a new application profile in the Veracode Platform.

June 29, 2021​

Improved Veracode Platform Homepage​

• The homepage in the Veracode Platform is updated to make it easier to perform several common functions, such as generating API credentials.

May 25, 2021​

Automatically Update to Latest Version of Security Standards in Policy Rules​

• You can set rules in your application security policies that automatically update to use the most recent version of the supported security standards. With this update, you can require applications to comply with the latest version of security standards, such as OWASP Top 10 or CERT, as soon as Veracode supports them.

2020 CWE Top 25 Standard Available in Policy Rules​

• Veracode now supports using the 2020 version of the CWE Top 25 standard as a requirement in application security policies.

PCI Standard Includes 2020 CWE Top 25 Most Dangerous Software Weaknesses​

• A new version of the PCI security standard, which includes the 2020 CWE Top 25 most dangerous software weaknesses, is now available as a requirement in application security policies.

PCI Report Now Evaluated Against the Auto-Update PCI Standard​

• The PCI report available from the Veracode Platform is now evaluated against the Auto-Update version of the PCI security standard. This update ensures that the report always uses the latest version of the PCI standard.

April 8, 2021​

Access the Veracode Community from the Veracode Platform​

• You can now access the Veracode Community directly from the Veracode Platform without logging in to a separate Community account. The Veracode Community provides best practice documentation, new feature previews, and a forum for asking questions about how to most effectively use Veracode products and services.

April 7, 2021​

Evaluation Timeframe for Security Policies​

You can now include evaluation timeframes in Veracode application security policies to define when findings can impact policy compliance. In your policies, you can:

• Disallow findings opened after a specific date to ignore technical debt.
• Disallow findings opened before a specific date to ignore new findings that are out of scope for an audit requirement.

April 6, 2021​

End of Browser Support for Legacy Versions of Safari and Android​

Veracode no longer supports these legacy versions of Safari and Android because of their use of weak ciphers (TLS 1.2):

• Safari 6 on iOS 6.0.1

• Safari 7 on iOS 7.1

• Safari 8 on iOS 8.4

• Safari 7 on OS X 10.9

• Safari 8 on OS X 10.10

• Android 5.0.0

• Android 6.0

You cannot access analysiscenter.veracode.com using these browsers.

Administrators Cannot Assign Applications to Teams​

• Administrators in the Veracode Platform can no longer assign applications to teams unless they have another role that grants them permission to edit application profiles. Veracode removed this rarely used functionality to provide a more consistent experience for users.

Allow Access to New URL for Penetration Testing Services​

• Veracode has introduced a new URL for a future feature that will support better reporting of our penetration testing services. If you restrict access to public internet sites for your organization, add pt.analysiscenter.veracode.com to your allowlist.

March 31, 2021​

Changes to Email Addresses Require Verification​

• If you update the email address in your Veracode Platform user account, Veracode sends you an email to confirm the new address. You must confirm the email address to complete the update.

March 26, 2021​

New Analytics Dimension for Findings and Scans​

• Veracode Analytics provides you with the ability to filter findings and scans based on their archive status. You can use these filters to easily find findings and scans that Veracode deleted as part of the sandbox scan retention process.

March 22, 2021​

Improved User Management in The Veracode Platform​

• Veracode has improved the usability of the user management options in the Veracode Platform. Administrators and Team Admins can now search for users by name, email address, username, or API ID.

March 9, 2021​

Veracode Analytics Updates to the SCA Findings Dashboard​

• Veracode has updated the SCA Findings dashboard to improve the visualization of data and provide more information on how fixing code libraries impacts findings.

February 9, 2021​

New Static Analysis Findings Information in Veracode Analytics​

• Veracode Analytics now provides more details about findings that relate to your Static Analysis scans, including the function name, class path, and most recent line number in which Veracode discovers the findings. This data enables you to recreate a similar view as the Triage Flaw view in the Veracode Platform, but across multiple application profiles.

February 8, 2021​

New Security Program Overview Dashboard in Veracode Analytics​

• Veracode Analytics provides a new dashboard that contains data to help you track and understand how your AppSec program is trending, based on your target goals. With this dashboard, you can see current and historical trends for policy compliance, as well as better understand policy compliance behavior. New information available to you includes details such as how an application is meeting compliance over time.

January 26, 2021​

Improved User Interface for Managing Applications​

• Veracode has updated the user interface in the Veracode Platform for creating, viewing, updating, and deleting applications to improve usability.

January 19, 2021​

Improved Email Notifications for Expiring API Credentials​

• Veracode sends an email notification when your Veracode API credentials are about to expire. The email now displays your API username for quickly identifying the account for which you need to generate new credentials.

December 7, 2020​

Additional SCA Details Available from the Findings REST API​

• With the Veracode Findings REST API, you can identify whether Software Composition Analysis findings are from agent-based scans or upload scans and whether they are from a direct or transitive dependency. You can also filter your findings by scan type or dependency type.

November 23, 2020​

Updates to the Findings REST API​

You can now perform these tasks with the Veracode Findings REST API:

• Retrieve the expiration date of the remediation grace period for findings that violate a security policy.
• Retrieve findings with comments or mitigations added after a specific date, such as the date of your most recent scan.

Healthcheck REST API​

• You can use the Veracode Healthcheck REST API to test the availability of Veracode core services.

October 29, 2020​

Changes to OWASP Mobile Policy Rules​

• Veracode has updated policy rules that include the OWASP Mobile security standard to reflect additional research. OWASP Mobile policy rules now include these CWEs: CWE-77, 78, 80, 252, 287, 319, 345, 404, 415, 416, 601, 614, 676, 693, 757.

• Applications that contain these flaws may fail OWASP Mobile policy rules as a result of this update. Veracode will apply the update upon rescan of the application.

Improved Notifications for Delayed Scan Results​

• Veracode has improved communication about delayed scan results. You now receive email notifications that include additional details and links for the affected scan. Veracode has also improved the Veracode Platform to indicate delayed scans that are under investigation.

October 19, 2020​

Applications REST API​

• You can now view application data and create, update, and delete applications using the Veracode Applications REST API.

September 30, 2020​

Updates to Required Veracode Domains​

• Veracode has introduced two URLs to which you must allow access. If you restrict access to public internet sites for your organization, add app.pendo.io and analytics2.veracode.com to your allowlist.

September 26, 2020​

Rolling Sandbox Histories​

• Rolling sandbox histories let you limit sandbox data by restricting the number of retained scans for each sandbox to 15. After more than 15 scans, the Veracode Platform deletes the oldest scan, though the data remains available through Veracode Analytics. If enabled, this feature replaces the previous data limitation method of expiring old sandboxes.

• To request access to rolling sandbox histories, contact Veracode Technical Support.

Updates to Some XML API Deletion Calls​

• To improve performance, the deleteuser.do, deleteteam.do, deleteapp.do, and removefiles.do XML API calls now return an HTTP 200 response and a change summary, instead of a list of the items remaining after the deletion.

Shareable Links to Your Analytics Dashboards​

• You can now share links to Veracode Analytics dashboards, including Veracode dashboards and dashboards that your organization creates. To access a dashboard link, you must log in to the Veracode Platform and have permission to view the data in the dashboard.

Activity Log Updates​

• You can now download a report of the full history of application profile activity, scan activity, and sandbox activity. The activity log in the Veracode Platform now displays activity data for the past 90 days.

Technique Removed from TSRV Format for Accepting Risk​

• Veracode has removed Technique from the TSRV standard when you perform the Accept the Risk mitigation action because none of the techniques are relevant to accepting risk. Specifics, Remaining Risk, and Verification are still required fields.

Updates to CWE Top 25 Policy Rules​

• The Latest CWE Top 25 policy rule in the Veracode Platform now reflects the 2020 CWE Top 25 standard. Veracode has also updated the 2019 CWE Top 25 policy rule to disallow the children of CWE-94: CWE-91, 95, 98, 185, and 830.

September 17, 2020​

Improved Business Units Tab​

• On the Administration page in the Veracode Platform, Veracode has improved the usability of the Business Units tab.

September 10, 2020​

New Video - Create and Manage API Users in the Veracode Platform​

• This video shows you how to configure an API service account in the Veracode Platform.

August 29, 2020​

All Applications Page Now Available to Mitigation Approver and Delete Scans Roles​

• You can now access the All Applications page in the Veracode Platform with the Mitigation Approver or Delete Scans roles. From the All Applications page, you can, then, select an application to approve mitigations or delete scans.

CWE-74 Now Disallowed for the OWASP Security Standard​

• Veracode has reclassified CWE-74 "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" as a high severity finding. CWE-74, which Veracode discovers during Dynamic Analysis, is now included on the disallowed CWE IDs list in the latest version of the OWASP security standard. If your organization is using the OWASP 2017 security standard, you may see more findings violating policy or see your application fail policy as a result of this change.

Support for MITRE CWE List Version 4.1​

• Veracode now provides reporting based on CWE version 4.1 definitions, which changes the names and descriptions of a few existing CWE categories. The complete list of changes in CWE version 4.1 is available from the MITRE website. This new version does not impact the CWE mappings for the OWASP, CWE Top 25, or CERT security standards.

• MITRE is updating their CWE list on a more frequent basis, but Veracode remains committed to staying up-to-date with each new version. As MITRE updates their CWE database, you might notice periodic changes in Veracode reports, such as differences between parent-child relationships or mappings.

August 21, 2020​

Findings API Version 2​

• The Veracode Findings REST API v2 is now available. With this API, you can access information about open and mitigated findings associated with applications and sandboxes. It supports Static Analysis, Dynamic Analysis, Manual Penetration Testing, and Software Composition Analysis scans.

July 28, 2020​

Improved User Activity Report​

• An improved user activity report is now available to download as a CSV file, providing easier access to information about user actions.

July 7, 2020​

Administrators Can Turn Off Optional Notifications for Their Entire Organization​

• Administrators in the Veracode Platform can now turn off all optional notifications for all new and existing users in their organization account. Individual users have the option to turn the notifications back on for their own user account.

June 29, 2020​

New Accept the Risk Mitigation Type​

• Veracode now allows you to resolve a finding by stating that your business is willing to accept the risk associated with that finding. This mitigation type allows you to track and report the risk while continuing to maintain the mitigation and resolution approval process. Veracode updated the mitigationinfo.xsd file to include this mitigation type.

June 27, 2020​

Veracode Policies Now Support 2019 CWE Top 25 Security Standard​

• Veracode updated the PCI security standard in the Veracode Platform to include the 2019 CWE Top 25 Security Standard, previously called the SANS Top 25 standard. Applications with findings included in the new standard may fail the PCI policy or PCI standard requirement as a result. Veracode applies the update to applications upon rescan.

June 16, 2020​

Veracode Analytics Provides Ignored Issue SCA Data​

• Veracode Analytics now supports SCA agent-based scan issue data about ignored issues, including details of when a user ignored an issue and the username for the user who ignored the issue.

June 11, 2020​

New Sandbox Attributes Added to Veracode Analytics​

• Veracode Analytics now provides attributes for tracking sandbox usage. You can view sandbox expiration dates and determine if the Veracode Platform sandboxes are configured for Veracode to automatically recreate them after expiration.

New Dynamic Analysis Dimensions Available in Veracode Analytics​

• Veracode Analytics now provides the Dynamic Analysis fields Path and Vulnerable Parameter, which allow you to better focus and prioritize your remediation efforts.

June 8, 2020​

SCA Agent Data Available in Veracode Analytics​

• The Software Composition Analysis (SCA) dashboard is updated in Veracode Analytics to reflect recommended charts for tracking your use of SCA agent-based and upload-and-scan workflows. In addition, Veracode Analytics provides two new explores for SCA agent data: SCA Agent Issues and SCA Agent Scans. These explores enable you to create your own charts and dashboards, providing a better understanding of your open-source risk.

May 28, 2020​

Update to Industry Values in Application Profile​

• Veracode has updated the values for industries in application profiles to more accurately reflect the market. Because applications include industry values to help inform the Veracode State of Software Security report, this change affects the createapp.do and updateapp.do XML API calls.

• If you have a script coded with an expected value for the industry field, please update your script to reflect the updated values or use the default value already provided.

May 13, 2020​

Analytics Scan Frequency Requirements Data​

• Veracode Analytics now provides visibility into scan frequency requirements for an application. These requirements include the frequency mandated by the policy, upcoming scan due dates, and any past due dates.

May 7, 2020​

New Team Admin Role​

• Veracode has added the new Team Admin user role that an administrator can grant to users. With the Team Admin role, you can create, edit, and delete users within the teams you manage. This new role makes it easier for organizations to manage permissions for a large number of users.

New Mitigation Type​

• Veracode has added a new mitigation type to allow you to propose mitigations using the mitigation type Mitigated - Referred to Library Maintainer. You can classify findings related to libraries developed by another development team. Another development team may build libraries in-house, but they may not own the application Veracode is scanning.

April 30, 2020​

New Identity REST APIs​

• The new Identity REST APIs allow you to manage users, teams, and business units. You can also use these REST APIs to create API service accounts and manage API ID/key credentials.

Updated Greenlight Scans Explore Page​

• Veracode has updated the Analytics page Greenlight Scans Explore to reflect the new terminology of IDE scan (formerly known as Greenlight) and to include pipeline scan data.

Updated Applications List View​

• The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering. Veracode is gradually releasing this feature as part of each Platform release, so it may not be immediately available to you.

New Secure Coding Foundation eLearning Courses​

Veracode eLearning has released a new set of secure coding foundation courses:

• Secure Coding Foundations - Authentication
• Secure Coding Foundations - Authorization
• Secure Coding Foundations - Configuration and Deployment
• Secure Coding Foundations - Data Protection
• Secure Coding Foundations - Information and Error Handling
• Secure Coding Foundations - Trust Boundaries
• Secure Coding Foundations - Validation and Encoding

These courses cover application security practices and associated vulnerabilities.

eLearning User Interface Enhancements​

Veracode has improved these eLearning windows:

• Manager window you use to assign learners to a manager
• Curriculum window you use to assign learners to a curriculum

April 21, 2020​

Updated Applications List View

• The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering.

March 28, 2020​

CWE 4.0 Support​

• Veracode CWE support is updated to reflect the latest changes from MITRE in the CWE 4.0 release.

Enable Automatic Re-creation of Existing Sandboxes​

• You can now edit existing sandboxes to enable the setting for automatically re-creating the sandbox when it expires.

Due Date Notifications for eLearning Students​

• eLearning administrators can now specify when to send email reminders to notify students about the due dates for assigned courses.

New Python and JavaScript eLearning Courses​

• Veracode has added secure coding courses for Python and JavaScript to eLearning learner levels.

March 19, 2020​

New Grace Period Expiration Date in Analytics​

• Veracode Analytics now provides the date when a grace period expires. An expired grace period causes the finding to fail the policy associated with the application. Veracode calculates the date based on the First Found or Last Reopened date, whichever is more recent.

Account Lock Does Not Trigger Email to Administrator​

• To prevent redundant notifications, Veracode no longer sends an email to Administrators in the Veracode Platform when users in their organization are locked out of their accounts. This email is now unnecessary because users can unlock their own accounts.

March 3, 2020​

Improved Developer Sandbox Scanning and Added Expiration Date​

Veracode has made these improvements to developer sandboxes:

• You can now perform up to ten sandbox scans simultaneously for a single application. Before starting additional scans, you must wait for at least one running scan to complete.
• The sandbox list in the application profile now shows all sandboxes in the application that have running scans.
• All sandboxes now have an expiration date. After a sandbox reaches its expiration date, you can no longer perform scans in it. Seven days after the expiration date, the Veracode Platform automatically removes the sandbox. All data about the removed sandbox is available from Veracode Analytics. You can use the re-create option to have the Veracode Platform automatically create a new sandbox with the same name as a previously-removed sandbox.

Applications REST API Adds Policy Compliance Information​

• Veracode has improved the Applications REST API to include information about the policy compliance of the application.

Executive Summary in Customizable Report PDF Includes Informational Findings​

• The executive summary in the downloadable PDF of the Customizable Report now shows informational findings. The informational findings provide information that can help you ensure your application meets policy compliance.

Email Notifications for eLearning Curriculum Due Date Changes​

• eLearning administrators can now send emails to notify students and their managers when the due date for an assigned curriculum changes. They can also send emails to notify managers when a due date on a curriculum has passed and students have not completed the curriculum.

February 21, 2020​

New JavaScript eLearning Courses​

Veracode eLearning has released a new set of secure coding courses for JavaScript:

• Secure Coding for JavaScript - Authentication & Authorization
• Secure Coding for JavaScript - Configuration and Deployment
• Secure Coding for JavaScript - Data Protection
• Secure Coding for JavaScript - Information and Error Handling
• Secure Coding for JavaScript - Validation and Encoding

These courses cover application security practices and associated vulnerabilities, including the OWASP Top Ten, and secure coding techniques in JavaScript, including using the AngularJS and ReachJS frameworks.

February 19, 2020​

Updated Look-and-Feel with New Veracode Branding​

• Veracode has updated the look-and-feel of the Veracode Platform with new branding.

January 28, 2020​

Updates to Sandbox Functionality​

Veracode has implemented these changes to improve the performance of sandbox scans:

• You can delete a sandbox and all of its scans when you promote it to policy.
• You may have a maximum number of sandboxes you can create for each application. The default limit is 25.

Automated Emails for eLearning Curriculum Updates​

• Veracode eLearning administrators can turn on automated email notifications to alert eLearning students and managers when the administrator assigns a curriculum to a student.

January 24, 2020​

New Video - Create a Custom Policy in the Veracode Platform​

• This video shows you how to create a custom policy in the Veracode Platform.

January 13, 2020​

SCA Findings Dashboard Available in Analytics​

• Veracode Analytics has a new dashboard that provides Software Composition Analysis (SCA) findings on open vulnerabilities, license risk, issue severities, and library data. Veracode Analytics does not currently display findings from agent-based scans.

January 8, 2020​

New Video - Review Scan Results​

• This video shows you how to view Veracode scan results in the Veracode Platform.

January 2, 2020​

SCA Findings Available in Veracode Analytics​

• Veracode Analytics now provides details about Software Composition Analysis (SCA) findings. If you have an SCA subscription, you can view SCA vulnerabilities displayed in the Findings Status & History dashboard and the Resolution and Mitigation Details dashboard.

• Veracode Analytics does not currently display findings from agent-based scans.

December 19, 2023​

SCA agent enhancement​

The SCA agent can now scan target directories that contain spaces when SRCCLR_NO_GIT is set to 1.

December 18, 2023​

APIs now include KEV data​

Veracode has added data from the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog to the SCA Agent Issues APIs and the Findings API. See Understanding SCA exploitability information for more details.

December 11, 2023​

API to link projects to application profiles​

Veracode has released the SCA App-Linking REST API. You can use this API to link a project for SCA agent-based scans to an application profile. The linked application profile receives all libraries, licenses, and discovered vulnerabilities from that project, along with all results from SCA Upload scans. To link a project, use the linkAppProject endpoint. To unlink a project, use the unlinkAppProject endpoint.

SCA agent enhancement​

Veracode has fixed an issue that prevented the SCA agent from cleaning up local scan directories and added enhancements to the agent that will be used in the future for scanning Java projects.

December 4, 2023​

SCA agent enhancement​

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 21, 2023​

SCA agent enhancement​

Veracode has added several enhancements and fixes to the SCA agent.

November 14, 2023​

SCA agent enhancement​

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 6, 2023​

API to propose and approve mitigations for SCA findings​

Veracode has released the SCA Annotations REST API. This API includes the getSCAannotations endpoint to retrieve comments and mitigations applied to findings from SCA upload scans and the createSCAannotations endpoint to annotate SCA upload findings, including adding comments and proposing, accepting, and rejecting mitigations.

The SCA Annotations API specification is available on SwaggerHub.

This API is not part of the Annotations API, which works with findings from Static Analysis and Dynamic Analysis.

October 11, 2023​

Exploit probability (EPSS) added to Findings API​

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the Findings REST API. See Understanding SCA exploitability information for more details.

Fixed SCA agent error​

Veracode has fixed an issue that caused a null pointer exception when performing an agent-based scan on some projects.

September 27, 2023​

Correction of SCA Fix By dates in sandboxes​

Veracode has fixed an issue impacting the calculation of Fix By dates in sandbox scans. Previously, SCA used the scan date or the scan promotion date as the date that a component was first found, causing the Fix By date to be pushed out continuously. This fix is not retroactive and only impacts scans completed after Sept 27, 2023.

September 22, 2023​

Assign policies to SCA agent-based scan workspaces​

The new Unified Policy feature allows you to assign policies to workspaces used for SCA agent-based scans. Like the existing agent rules, you can use policies to create issues and break your build based on certain criteria. See more details about applying rules to a policy, assigning policies to agent-based workspaces, and setting default policies.

Veracode will migrate customers from agent rules to Unified Policy in batches and will retire agent rules before April 1, 2024.

August 28, 2023​

Agent-based scan UI now displays CVSS v3​

Because the National Vulnerability Database stopped supporting CVSS v2 in July 2022 and most users have moved to v3, the Library and Vulnerability pages of SCA's agent-based scan user interface now display CVSS v3 scores, instead of v2. You must clear the cache in your web browser to see these changes.

To also display CVSS v3 on the workspace Issue pages and the project Issue tab, you must update your agent rules to use CVSS v3.

August 16, 2023​

Enhancements to SCA agent dependency graph traversal​

Veracode has improved the performance of the SCA agent by optimizing how it handles dependencies with very complicated and intertwined dependency graphs.

August 8, 2023​

Exploit probability (EPSS) added to SCA Agent APIs​

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the SCA Agent REST APIs. See Understanding SCA Exploitability Information for more details.

July 21, 2023​

Enhancements to .NET scanning​

Veracode has added the following enhancements to SCA scanning for .NET applications:

• Reduced false positives and false negatives in SCA upload scans by adding support for deps.json and project.asset.json files.
• Enhanced SCA Agent scans by adding ability to perform --quick scans on NuGet projects.

July 28, 2023​

API to retrieve list of SCA agent projects linked to an application​

Veracode has released the getApplicationProjects API to allow users to retrieve a list of SCA agent projects that are linked to a specific application. Users who have rights to call the getApplications API may also call the getApplicationProjects API.

July 11, 2023​

Additional roles can call SBOM APIs​

Veracode has expanded the list of roles that are allowed to call the CycloneDX Software Bill of Materials (SBOM) API and the SPDX SBOM API. See the SBOM API instructions for application profiles and agent-based projects for details.

June 28, 2023​

SCA agent CLI now displays CVSS v3 severities​

The Vulnerabilities section of the Summary Report that appears in your CLI after an SCA agent-based scan now displays CVSS v3 severities, instead of v2.

The Issues section still displays CVSS v2 severities by default, but you can edit the severity in your agent-based scanning rules to reflect v3. If you have not modified your rules to use CVSS v3, Veracode recommends setting up organization-level rules to avoid having to edit rules on every workspace individually.

June 20, 2023​

Support for v3 format of NPM lockfiles​

Veracode has added support for NPM lockfile format version 3. See Run an Agent-Based Scan for NPM or JavaScript and TypeScript Packaging for details.

May 15, 2023​

Fixed agent error for Yarn scans​

Veracode has fixed an issue causing SCA agent-based scans of Yarn projects to erroneously fail.

May 9, 2023​

Upgraded JRE for SCA agent​

Veracode has upgraded the Java Runtime Environment (JRE) for the SCA agent from version 11 to 17.

Added GNU Privacy Guard to SCA agent downloads​

Veracode has added GNU Privacy Guard (GPG) signature files to all SCA agent downloads to verify you are downloading a valid version.

May 3, 2023​

Fixed scope parameter for NPM scans​

Veracode has resolved an issue impacting the scope parameter for SCA agent-based scans of NPM projects.

April 14, 2023​

SCA agent enhancements​

Veracode has added the following enhancements to the SCA agent:

• Support for Gradle version 8.
• The default scope for scans of NPM projects is now production dependencies instead of all dependencies.

Temporarily ignore issues from agent-based scans​

You can now specify a date for Veracode to stop ignoring issues from SCA agent-based scans.

April 6, 2023​

Enhancements to Go scanning​

Veracode has added the following enhancements to SCA scanning for Go projects:

• Reduced false positives.
• Reduced false negatives.
• Increased scan speed.
• Fixed an issue that removed component names when agent-based scan results were linked to an application.
• Fixed an issue that caused indirect dependencies to appear in agent-based scan results as direct libraries instead of transitive libraries.

April 4, 2023​

Enhanced SCA agent support for Java 17 features​

Veracode SCA has improved agent-based scan support for projects that contain Java 17 features.

April 3, 2023​

NVD severity ratings for SCA upload scans​

Veracode Software Composition Analysis (SCA) upload scans now support displaying updated severity ratings that more closely match the National Vulnerability Database (NVD) severity ratings. To enable this feature for your account, contact Veracode Technical Support.

March 16, 2023​

New mitigation type available for SCA upload scans​

You can now choose to accept the risk of specific vulnerabilities and licenses as part of your mitigation process for Veracode SCA upload scans. This mitigation type is already available for Veracode Static Analysis and Dynamic Analysis.

February 3, 2023​

Region flag for agent-based scans​

Veracode SCA agent-based scans now provide a region flag that you can use to configure accounts in the European Region and United States Federal Region.

February 2, 2023​

JRE upgrade for SCA agent​

Veracode has upgraded the Java Runtime Environment (JRE) that is bundled with the Software Composition Analysis (SCA) agent.

January 13, 2023​

Improved SCA support for Python 3​

Veracode Software Composition Analysis (SCA) agent-based scans now more effectively locate local Python 3 installations.

December 21, 2022​

Generate SBOM in SPDX format​

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) in SPDX JSON format from the results of your Veracode SCA upload scans.

December 14, 2022​

SCA support for Android​

Veracode Software Composition Analysis (SCA) now supports scanning Android projects. This support includes AAR files for agent-based scans and APK and AAB files for upload scans.

September 15, 2022​

SCA support for Go aliases​

Veracode Software Composition Analysis (SCA) now supports aliases in Go projects. This support includes agent-based and upload scans.

Vulnerable method support for Java 17​

Veracode SCA agent-based scanning now supports vulnerable method analysis for Java 17.

August 22, 2022​

Set SCM URI as project name​

You can now set the source code management (SCM) URI as your project name using the --uri-as-name option in your Veracode SCA agent-based scans.

July 22, 2022​

SBOM API support for SCA agent-based scans linked to application profiles​

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans that you have linked to an application profile. The API generates an SBOM in CycloneDX JSON format.

June 6, 2022​

Generate SBOMs for SCA agent-based scans with the REST API​

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans. The API generates an SBOM in CycloneDX JSON format.

May 9, 2022​

SBOM API support for promoted sandbox scans​

You can now generate a software bill of materials (SBOM) for Veracode SCA upload scans that have been promoted from sandbox to policy scans. The Veracode SCA Agent REST API includes promoted sandbox scan results when it returns a CycloneDX SBOM for an application.

SCA upload and scan table update​

Veracode has removed the Number of Known Vulnerabilities by Severity column from the Applications table on the Upload and Scan page in the Veracode Platform. This update significantly reduces load times for the page. You can still view the number of known vulnerabilities by severity for each application in the application profile.

April 26, 2022​

Generate SBOMs for SCA upload scans with the REST API​

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA upload scans. The API generates an SBOM in CycloneDX JSON format.

January 20, 2022​

JSON output for agent-based scans includes CVSS v3 score​

Veracode Software Composition Analysis (SCA) now provides the CVSS version 3 score in the JSON CLI output of your agent-based scan results. To use this feature, you must upgrade your Veracode SCA agent to version 3.7.77 or later.

October 20, 2021​

Veracode European Region now available ​

The Veracode European Region is now available for new customers. This region, which initially supports Veracode Static Analysis and Veracode Software Composition Analysis, provides European data residency for Veracode customers.

December 17, 2020​

Container Scanning for Debian​

• Veracode Software Composition Analysis now supports agent-based scans of Debian Docker containers. You can scan Debian containers through the command-line interface or as part of your continuous integration pipelines.

October 15, 2020​

Set Default Branch to the Most Recently Scanned Branch or Tag​

• You can now set your Veracode Software Composition Analysis projects to automatically update their default branch to be the most recently scanned branch or tag. This enhancement enables the use of tags as default branches and reduces the number of issues that display in the Veracode Platform, by default.

• Existing projects without a default branch selected in their project settings now use the Use Last Scanned option as the default branch.

October 13, 2020​

Vulnerable Method Support for JavaScript​

• Veracode Software Composition Analysis supports vulnerable method analysis for agent-based scans of JavaScript applications. This feature helps prioritize your remediation actions by identifying first-party code that calls a function in a JavaScript library that makes the library vulnerable.

October 1, 2020​

Container Scanning for Ubuntu​

• Veracode Software Composition Analysis now supports agent-based scans of Ubuntu Docker containers. You can scan Ubuntu containers through the command-line interface or as part of your continuous integration pipelines.

September 26, 2020​

Grace Periods for SCA Policy Rules​

• Veracode Software Composition Analysis now allows you to include grace periods for SCA upload scans in your application security policies. You can define a grace period for all scan types, including SCA, or define a grace period that applies specifically to SCA scans.

July 17, 2020​

Default Date Limit Applied to Scan Data in Agent-Based Scan Workspaces​

• To improve performance and usability, the scan data for your workspaces is now limited to projects scanned in the last 30 days, by default. You can change the time window of exported projects on the workspace page in the Veracode Platform.

July 7, 2020​

Advanced License Risk Management for Agent-Based Scans​

• Veracode Software Composition Analysis now provides advanced license risk management capabilities for agent-based scans. You can control the acceptable risk from open-source libraries by adding rules based on Veracode license risk ratings or by rejecting specific licenses.

June 17, 2020​

New API Endpoints for Agent Management​

• The Veracode SCA Agent REST API includes new endpoints for creating and deleting agents. This update enables you to more effectively scale your agent administration and improve productivity with agent-based scans.

May 28, 2020​

Issue Summary for Agent-Based Scans​

• Veracode Software Composition Analysis now provides a summary table on each agent-based scan workspace and project page that provides a quick view of the state of your open-source issues.

April 29, 2020​

Vulnerability Database Update​

• The Veracode Vulnerability Database is updated to resolve a discrepancy in severity rating compared to the National Vulnerability Database (NVD) for approximately 200 of over 20,000 total vulnerabilities. Veracode has already contacted all organizations that have applications that fail policy as a result of this update.

• If your Veracode account manager has not contacted you, you do not need to take any action.

April 6, 2020​

Alpine Linux Support for Agent-Based Scans​

• Veracode Software Composition Analysis (SCA) now supports the Alpine Linux distribution for agent-based scans.

Organization Rules for Agent-Based Scans​

• Veracode Software Composition Analysis (SCA) now supports configuring rules for agent-based scans at the organization level. Administrators can apply these rules to all workspaces in an organization to efficiently enforce a common security standard.

April 3, 2020​

New API Endpoint for Auditing Agent-Based Scan Events​

• The Veracode SCA Agent REST API includes a new endpoint that provides a detailed audit of events for agent-based scans.

March 17, 2020​

License Risk Details for Agent-Based Scans​

• Veracode Software Composition Analysis (SCA) provides the license risk rating of each open-source license type identified in agent-based scans to help you make informed decisions about acceptable risk.

Gem Support for Containers​

• Agent-based scans now support the gem package manager for scanning Docker containers.

March 16, 2020​

New Video - Set Up an Agent to Scan with Veracode Software Composition Analysis​

This video shows you how to:

• Create a workspace
• Set up an agent
• Start a scan from your command line
• View scan results

February 13, 2020​

NPM and Pip Support for Containers​

• Agent-based scans now support the NPM and pip package managers for scanning Docker containers.

January 29, 2020​

Update to Integrated SCA Upload and Scan​

• If you use Veracode Integrated Software Composition Analysis without a Veracode Static Analysis subscription, you can now perform scans using the upload and scan method.

SCA Results Export​

• You can now generate and download your latest Software Composition Analysis results from the Export Data page in the Veracode Platform at any time. This report does not include data from agent-based scans.

January 24, 2020​

New Video - Upload and Scan with Veracode Software Composition Analysis​

• This video shows you how to upload and scan applications with Veracode Software Composition Analysis.

January 15, 2020​

Get Teams List with the SCA Agent REST API​

• The Veracode SCA Agent REST API for Veracode Agent-Based Scan now supports retrieving a list of the teams in an organization, including filtering by the full or partial team name.

December 27, 2023​

New COBOL scanner for Static Analysis​

The new COBOL scanner for Veracode Static Analysis includes advanced pattern recognition and static analysis techniques, allowing for more accurate and efficient detection of security vulnerabilities in COBOL code.

The improved detection may result in the identification of additional vulnerabilities and potential threats. The updates may also impact flaw matching for your applications. If you need help resolving these changes, contact Veracode Technical Support.

All COBOL scans now use the upgraded scanner.

More details are available in the Veracode Community.

December 14, 2023​

Updated language and framework support​

• Added .NET 8 initial support
• Added JavaScript / ECMAScript 2023 (ES14) support
• Added Config support from AWS SDK for Go
• Enhanced Android 13 support
• Enhanced Node.js v20 support
• Added Dart 3.2 and Flutter 3.16 support
• Improved CWE-327 (Use of Broken or Risky Cryptographic Algorithm) and CWE-352 (Cross-Site Request Forgery (CSRF)) detection for Ruby on Rails
• Improved CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) detection for .NET
• Improved CWE-352 (Unchecked Return Value) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) detection for .NET
• Improved accuracy of modeling Python method calls resulting in a reduction in false positives
• Improved CWE-926 (Improper Export of Android Application Components) detection for Android
• Improved CWE-321 (Use of Hard-coded Cryptographic Key) detection for all languages
• Improved CWE-331 (Insufficient Entropy) detection for Java
• Improved CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')) detection for PHP
• Improved parsing for PL/SQL
• Improved Python jsonify cleanser support for flaw class CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
• Improved support for JavaScript crypto APIs
• Improved iOS detection of CWE-252 (Unchecked Return Value)
• Improved support for JavaScript Axios library
• Improved .NET third-party detection
• Improved mixed-Java/Kotlin analysis
• Improved Java third-party detection
• Improved Android version detection
• Improved CWE-326 (Inadequate Encryption Strength) accuracy in .NET
• Improved accuracy for CWE-259 (Use of Hard-coded Password)and CWE-798 (Use of Hard-coded Credentials)
• Added detection of CWE-489 (Active Debug Code) in Go
• Improved analysis of JavaScript listeners

November 15, 2023​

Updated language and framework support​

• Added Javax to Jakarta transition support
• Added support for Java Records
• Added Spring Boot 3 support
• Added Spring Security 6 support
• Added Spring Core 6 support
• Added Android 14 Initial support
• Added KMS support for AWS SDK for Go
• Improved flaw detection for Dart apps
• Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) detection for all languages
• Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation), CWE-352 (Cross-Site Request Forgery), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) detection for .NET
• Improved third-party detection for Android, C/C++, Dart, and JavaScript
• Improved CWE-73 (External Control of File Name or Path) detection for Java
• Improved third-party detection in Java WAR files
• Improved CWE-252 (Unchecked Return Value), CWE-201(Insertion of Sensitive Information Into Sent Data), and CWE-297 (Improper Validation of Certificate with Host Mismatch) detection for iOS
• No longer report MemoryStream for CWE-404 in .NET
• Improved detection for unsupported mobile applications

October 26, 2023​

Updated language and framework support​

• Added Dart 3.1 and Flutter 3.13 support
• Added JDK 21 (LTS) support
• Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) detection for Kotlin
• Improved .NET analysis to ignore .NET ClickOnce “.deploy” files
• Improved third-party detection for Java, JavaScript, PHP, iOS, PL/SQL and C++
• Improved parsing for PL/SQL
• Improved CWE-798 (Use of Hard-coded Credentials) detection for PHP
• Enhanced Python analysis to treat modules consisting of all third-party code as first-party modules
• Improved Groovy analysis of objects
• Improved CWE-252 (Unchecked Return Value) detection for iOS
• Improved JavaScript analysis of objects
• Improved analysis of iOS apps to reduce CWE-284 (Improper Access Control) false positives
• Improved CWE-693 (Protection Mechanism Failure), CWE-926 (Improper Export of Android Application Components), CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-798 (Use of Hard-coded Credentials) detection for Android

October 2, 2023​

Updated language and framework support​

• Added iOS 17 initial support
• Added Go 1.21 support
• Added PHP Laravel 10 support
• Added .NET Minimal API support
• Enhanced .NET 7 support
• Enhanced Groovy 3 support
• Enhanced AWS SDK for Go support
• Enhanced Android 13 support
• Improved third-party detection for JavaScript
• Improved CWE-80 detection for Vue.js
• Improved CWE-259 detection for all languages
• Improved CWE-89 detection for Transact-SQL
• Improved third-party detection for C++
• Improved symmetric-key parsing rules for Transact-SQL
• Improved attribute idiomatic transformation support for Jakarta
• Improved CWE-693 detection for Android
• Improved scan performance for Micronaut framework
• Improved Node.js modeling to reduce false positives
• Improved handling of explicitly typed generic function calls in Go
• Improved data path quality for JavaScript
• Improved reporting of CWE-352 and CWE-915 in .NET to consolidate flaws reported on the same line and file as separate flaws into one flaw
• Added CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) detection for .NET applications

Deprecated support for some .NET cleansing functions​

Veracode has deprecated support of .NET cleansers for the following functions for flaw classes CWE-93, CWE-113, and CWE-117:

• antixsslibrary.dll : Microsoft.Security.Application.AntiXss.HtmlAttributeEncode
• antixsslibrary.dll : Microsoft.Security.Application.AntiXssEncoder.HtmlAttributeEncode
• antixsslibrary.dll : Microsoft.Security.Application.Encoder.HtmlAttributeEncode
• antixsslibrary.dll : Microsoft.Security.Application.Encoder.HtmlEncode
• mscorlib.dll : System.Security.SecurityElement.Escape
• system.dll : System.Net.WebUtility.HtmlEncode
• system.web.dll : System.Web.HttpServerUtility.HtmlEncode
• system.web.dll : System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode
• system.web.dll : System.Web.Util.HttpEncoder.HtmlAttributeEncode
• system.web.dll : System.Web.Util.HttpEncoder.HtmlEncode
• system.web.mvc.dll : System.Web.Mvc.HtmlHelper.AttributeEncode
• system.web.mvc.dll : System.Web.Mvc.HtmlHelper.Encode
• system.windows.browser.dll : System.Windows.Browser.HttpUtility.HtmlEncode
• system.windows.dll : System.Net.HttpUtility.HtmlEncode
• System.Runtime.dll : System.Net.WebUtility.HtmlEncode

These cleansing functions are insufficient for addressing their targeted flaw classes and better alternatives are available.

For more details on why Veracode deprecated support for these functions and how to protect your applications against CRLF injection attacks, see the Veracode Community.

September 11, 2023​

Fixed bug causing false positives for CWE-798​

In last month’s release, Veracode added improved support for CWE-798 (Use of Hard-coded Credentials) detection. However, a bug in the pattern matching caused a significant number of false positives for some users. Veracode has resolved this issue and the improvement should result in significantly fewer CWE-798 false positives.

August 23, 2023​

Updated language and framework support​

• Added Kotlin 1.9 support
• Added TypeScript 5.x support
• Added GCC 12 (RHEL 8) support
• Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation) detection on controller-derived classes
• Improved support for JavaScript URLSearchParams API
• Improved support for Spring produces annotation attribute
• Improved third-party detection for JavaScript
• Improved third-party detection for Android
• Improved third-party detection for Java
• Improved hardcoded password/credential detection (CWE-259 and 798)
• Improved .NET CWE-80 basic XSS detection
• Improved JavaScript detection of document elements
• Improved performance for Vue applications
• Improved .NET Entity Framework support
• Added ability to allow third-party PHP software if the entire upload is third-party
• Improved detection of Java CWE-611 XXE
• Improved support for Python Django views

July 25, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has added support for Quarkus, a Kubernetes-native Java stack tailored for OpenJDK HotSpot and GraalVM.

Veracode has improved static analysis by adding support for these new versions of supported technologies:

• Dart 3
• Angular 16

Improved Detection of CWE-259 and CWE-798​

Improvements to the detection methods Veracode uses to identify CWE-259 (Use of Hard-coded Password), and CWE-798 (Use of Hard-coded Credentials) vulnerabilities should reduce the number of false positives during static analysis. Improved CWE-259 coverage for Python language submissions.

June 22, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has added support for Micronaut 3.8.x, which is a JVM-based framework you use to build lightweight, modular applications.

Veracode has improved static analysis by enhancing support for Android 12.

Veracode has improved static analysis by adding support for these new versions of supported technologies:

• Ruby 3.2
• Kotlin 1.8
• Python Django 4.x

Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) Detection​

Improvements to the detection methods utilized to identify CWE-259 and CWE-798 vulnerabilities should reduce the number of false positives found during static analysis.

Additional CWE-693 Coverage for Android​

Veracode has added an additional CWE-693 (Protection Mechanism Failure) check for Android applications to ensure that the Play Integrity API is used appropriately.

May 23, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Full support for iOS 16
• Enhanced support for Java 20

Improved CWE-89 Coverage for Java and JavaScript/TypeScript​

The improved coverage increases the number of potential CWE-89 flaws that Veracode discovers in Java and JavaScript/TypeScript applications, which might affect your scan results.

Added CWE-451 Coverage for Android​

Veracode has added CWE-451 (Tapjacking) coverage for Android applications.

May 18, 2023​

Pipeline Scan Adds Support for Module Selection​

Pipeline Scan adds a new --include parameter. You use this parameter to specify the top-level modules to include during scanning. The scan results now show both the modules that Veracode identified during prescan and the modules included in the scan.

This update is available with Veracode CLI version 23.4.3-0 and Veracode Docker image version 23.4.3.

April 27, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Support for JDK 20
• Enhanced support for .NET 7
• Enhanced support for Python SQLAlchemy
• Enhanced support for React Native 0.7x
• Support for AWS SDK for Go v2

Improved Static Analysis for Python Language Submissions​

Static analysis of Python applications inaccurately reports certain CWE-918 (Server-Side Request Forgery (SSRF)) flaws as CWE-201 (Insertion of Sensitive Information Into Sent Data) flaws. This update recategorizes these incorrectly reported flaws as CWE-918. This update might impact existing flaw matching and you might need to apply new mitigations to these flaws.

After you apply this update, any Python applications that contain CWE-201 flaws and have any of the following policy requirements might fail your security policy:

• Security Standard rule for Auto-Update CWE Top 25

• Findings by Severity rule for Medium or higher

• Minimum Scan Score rule

March 23, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Support for Vue 3.x
• Support for React Native 0.7x
• Enhanced support for Python Flask 2.x

Improved Static Analysis for WebMethodAttribute use in ASP.NET Classic​

Veracode has improved static analysis for WebMethodAttribute use in ASP.NET Classic (non MVC and/or MVC Core) WebForms and WebServices. This will affect the flaws found and associated policy results for customers by reducing the number of FPs found.

February 23, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Support for Go 1.20
• Support for Angular 14 & 15
• Support for React 18
• Support for Dart 2.17, 2.18, 2.19 and Flutter 3.0, 3.3, 3.7

Improved COBOL Parser Error Handling​

Veracode no longer reports parser errors in standalone copybook files that COBOL files do not include. These files are not relevant for security scanning unless COBOL files reference them.

January 26, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Initial Support for .NET 7

Veracode has improved static analysis by adding support for:

• Server-side request forgery (SSRF) reporting for JavaScript

Veracode has released a new version of our new iOS packaging tool:

• Gen IR version 0.2.1: gen-ir

December 15, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Support for Node.js 18
• Support for PHP Laravel 6-9
• Initial Support for Kotlin 1.7
• Initial Support for Android 13
• Support for Python Flask 2.x
• Support for Go 1.18-1.19
• Support for React Native 0.67

Veracode improved static analysis by adding support for these new languages and frameworks:

• Support for Dart and Flutter
• Support for .NET MAUI

Veracode has improved static analysis by adding a new iOS packaging tool to support Xcode 14 without the Enable_Bitcode setting:

• New iOS packaging tool: gen-ir
• Updated documentation: iOS and tvOS Application Packaging

November 17, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these languages and frameworks:

• Support for JDK 19
• Support for Azure Functions v4 for .NET

October 27, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these languages and frameworks:

• Support for Visual C++ 14.3.x for Visual Studio 2022
• Support for Azure Functions for Python

October 19, 2022​

New Packaging Guidance Tool​

You can use the new Veracode Packaging Cheat Sheet to generate language-specific packaging guidance for Static Analysis.

October 4, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these languages and frameworks:

• Support for JDK 18
• Full support for .NET 6
• Initial support for iOS 16
• Enhanced support for Golang Gorilla
• Enhanced support for React and React Router

August 25, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Full support for PHP Symfony 5.x
• Initial support for PHP Symfony 6.x
• Support for PL/SQL for Oracle 19c and 21c

August 1, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Initial support for Rails 7.0 and Ruby 3.x
• Full support for iOS 15
• Initial support for PHP Symfony

June 24, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Initial support of Ruby on Rails 6.1

April 28, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Initial support of PHP 8 and 8.1
• Support of Python Flask 1.1

March 28, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Support for Django 3.x
• Support for Android Jetpack
• Support for Go Gin-Gonic
• Support of Azure DevOps functions for JavaScript and TypeScript

February 24, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Full support of Xamarin platform versions and Xamarin.Essentials namespace
• Initial support of Azure Functions for Java

Veracode has improved static analysis by adding support for these new versions:

• Full support of Go 1.17
• Initial support of Angular 13
• Initial support of GCC 11
• Initial support of PHP 7.4

February 3, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Full support of Android 11

Veracode has improved static analysis by adding support for these new versions:

• Initial support of Kotlin 1.5
• Initial support of Kotlin 1.6

Veracode Static Analysis Improvements​

Veracode has improved accuracy of hard-coded Passwords. You can expect:

• Fewer false positives where local files are in known valid locations
• Better identification of sensitive variable names

Veracode has improved modeling for TypeScript support. You can expect:

• Fewer false positives, and more true positives in TypeScript applications where type information is specified.

December 20, 2021​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding support for:

• Azure Functions used in .NET
• Thymeleaf templates for Spring Boot

Veracode has improved static analysis by adding support for these new versions:​

• Initial support of .NET 6.0
• Initial support of Android 12

November 18, 2021​

New Veracode Static Analysis Support​

Veracode has improved static analysis by adding:

• Full support for JDK 17
• Full support for ColdFusion 2016

October 21, 2021​

New Veracode Static Analysis Support​

• Veracode has improved static analysis by adding support for Apex 52.0.

Improved Veracode Static Analysis Support​

• Veracode has further improved its accuracy in its detection of hard-coded credentials in applications. You might see a decrease in false positives related to hard-coded credentials.

October 20, 2021​

Veracode European Region now available ​

The Veracode European Region is now available for new customers. This region, which initially supports Veracode Static Analysis and Veracode Software Composition Analysis, provides European data residency for Veracode customers.

September 28, 2021​

New Veracode Static Analysis Support​

Veracode has improved static analysis by adding:

• Initial support for iOS 15
• Full support for .NET 5.0

Improved Veracode Static Analysis Support​

• Veracode has improved its detection of hard-coded passwords in applications. You might see an increase in findings related to hard-coded passwords.

August 26, 2021​

New Support for GCC 10 on Red Hat Enterprise Linux 8​

• Veracode has improved static analysis by adding support for the GCC 10 compiler on Red Hat Enterprise Linux.

Improved Static Analysis Support​

Veracode has made several improvements to static analysis, including:

• Prevention of reporting hard-coded credentials for variables related to mock libraries
• Prevention of reporting hard-coded credentials for nonsensitive data in JavaScript dictionaries
• Improved recognition of password keywords in concatenated strings
• Improved heuristics to identify potentially sensitive data

July 22, 2021​

New Veracode Static Analysis Support​

• Veracode has improved static analysis by adding support for Angular 12 applications.

Improved Veracode Static Analysis Results​

• Veracode has improved static analysis for Node.js 13 and 14 applications.

June 16, 2021​

Pipeline Scan Supports Uploading Larger Files​

• Veracode Pipeline Scan now supports the analysis of applications up to 200 MB.

June 2, 2021​

New Veracode Static Analysis Support​

Veracode has improved static analysis by adding support for these new technologies:

• Initial Support of Java 16
• tvOS

Compatibility Updates for iOS and tvOS Application Packager​

• Veracode has improved the mobile application packager used for preparing iOS and tvOS applications to support the latest versions of macOS. This update also includes several usability improvements based on user feedback.

New Distribution Method for the Ruby Gem Packager​

• Veracode began distributing the Gem file required for preparing Ruby on Rails applications. For the latest updates to the Gem file, retrieve the file from rubygems.org using these Veracode instructions.

May 3, 2021​

New Veracode Static Analysis Support​

• Veracode has improved static analysis by adding support for AWS SDK for .NET.

Improved Veracode Static Analysis Results​

• Veracode has improved static analysis of Java applications by identifying additional security flaws related to deserialization vulnerabilities.

April 6, 2021​

Improved Veracode Static Analysis Support for Android Applications​

• Veracode has improved static analysis of Android applications by adding support for Android applications packaged as Android App Bundles (AAB).

April 1, 2021​

Deprecated Support for Older Versions of Veracode Pipeline Scan​

• On April 1 2021, Veracode will no longer support versions of pipeline-scan.jar that you have downloaded before September 2020. These versions are 20.9.1 and earlier. To identify the version of the pipeline-scan.jar that you are using, you can run it with the --version option at the command line.

• To transition to a supported version of the JAR file, replace the version that you are using with the latest one, which you can download here: https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip Veracode also provides Pipeline Scan as a Docker image on ##### Docker Hub](https://hub.docker.com/r/veracode/pipeline-scan).

• Updating to the latest version of pipeline-scan.jar ensures that you are working with the latest version of the Veracode software, which includes many new features and bug fixes.

March 31, 2021​

New Veracode Static Analysis Support​

• Veracode has improved static analysis by adding support for Blazor WebAssembly for.NET applications.

Improved Veracode Static Analysis Results​

• Veracode has improved static analysis of .NET Core 3.1 applications.

Remediation Guidance Added to Pipeline Scan Results​

• The Pipeline Scan results now include links to the Veracode Knowledge Base, which provides suggestions for remediating issues.

March 2, 2021​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding support for these new versions of supported technologies:

• Transact-SQL 15.x
• Ember.js 3.x for JavaScript

Veracode has improved static analysis by adding initial support for these versions of supported technologies:

• .NET 5
• Kotlin 1.4
• Groovy 3

Improved Veracode Static Analysis Support for iOS​

• Veracode has provided additional security checks for applications built using iOS 14. You may see additional findings for applications as a result of these improvements.

Improved Results for Cryptography Findings for Java Applications​

• Veracode has improved static analysis of Java applications by updating the list of acceptable cryptography algorithms.

February 4, 2021​

New Veracode Static Analysis Support​

Veracode has improved static analysis by adding support for these new technologies:

• C++ applications built with GCC 9 on RedHat 8
• Koa.js version 2.13
• Hibernate framework version 5
• Autofac framework. Static analysis of .NET applications that use Autofac may report additional findings as a result of these improvements.

Improved Veracode Static Analysis Results​

Veracode provides these improvements for supported technologies:

• Additional security checks for applications built using functions specific to Android 10. You may see additional findings for applications as a result of these improvements.
• Enhanced accuracy of scan results of PHP and Python applications. The scan results now provide more emphasis on custom first-party components rather than third-party libraries.

Improved Prescan Warning Messages​

• Veracode has improved warning messages to identify applications that do not meet Veracode packaging requirements.

• Veracode has also improved the accuracy of warning messages for several languages and file types by providing more descriptive error resolution recommendations.

Improved Results Consistency for Java Applications​

• Veracode has improved static analysis of Java web applications packaged as WAR and EAR files. Veracode provides more consistent results between subsequent scans and more accurately recognizes first-party components in the applications.

• You may notice a one-time change to scan results as a result of this improvement.

Improved Results Accuracy Within JSP Files​

• Veracode has improved static analysis of JSP applications to prevent static analysis from reporting duplicate flaws.

January 12, 2021​

Compilation Guide Renamed​

• To more accurately describe its contents, the Compilation Guide is now called Veracode Packaging Requirements.

January 7, 2021​

Pipeline Scan Integration with Veracode Security Policies​

• Veracode has improved the Pipeline Scan to support the use of policy rules defined in the Veracode Platform. This enhancement allows you to assess applications against consistent rules for pass or fail.

December 17, 2020​

New Veracode Pipeline Scan Support for PHP Applications​

• Veracode has improved the Pipeline Scan by adding support for PHP applications.

December 15, 2020​

New Support for Languages and Frameworks​

Veracode has improved static analysis by adding support for these new versions of supported technologies:

• Android 11
• C++ Support for Red Hat Enterprise Linux 8
• Grails 4
• Java 15
• Slick Library for Scala

Improved Support for Java​

• Veracode has improved static analysis of Java applications by adding support for JNDI injection flaws. See the Veracode blog post for details about these types of flaws.

Improved Prescan Warning Messages​

• Veracode has improved its warning messages to notify you when the JavaScript and TypeScript files you submit have parsing errors. Parsing errors can affect the quality of the prescan results.

• Veracode has also improved the accuracy of warning messages for several other languages and file types.

Simplified Packaging Requirements for iOS Applications​

• Veracode has improved the user experience of analyzing iOS applications by simplifying the requirements for packaging.

November 24, 2020​

New Support for GCC 8.3 on Red Hat Enterprise Linux 7​

• Veracode has improved static analysis by adding support for the GCC 8.3 compiler on Red Hat Enterprise Linux.

October 30, 2020​

New Pipeline Scan Support for React Native, Titanium, and Cordova Applications​

• Veracode has improved the Pipeline Scan by adding support for React Native, Titanium, and Cordova applications.

October 29, 2020​

Improved Veracode Static Analysis Results​

Veracode has improved static analysis of these supported technologies:

• Angular templates
• Apache Commons
• AWS SDK for Java
• JavaScript
• Python

New Pipeline Scan Reporting Options:

• Veracode has improved the Pipeline Scan to support reporting a filtered list in JSON format of issues that caused the analysis to fail.

October 21, 2020​

Pipeline Scan Supports Custom GitLab Domains​

• Veracode has improved the Pipeline Scan to support custom GitLab domains when creating GitLab issues.

October 6, 2020​

Improved Pipeline Scan Error Messages and Logging​

Veracode has improved pipeline scans to include these enhancements:

• Improved error message content
• Integration with Log4j to log debug messages

October 2, 2020​

New Pipeline Scan Support for Python Applications​

• Veracode has improved Pipeline Scan to include support for Python applications.

September 26, 2020​

Packaging Improvements for .NET Applications​

• Veracode has improved the user experience of analyzing .NET applications by adding support for .NET applications submitted as standard NuGet packages.

September 24, 2020​

New Pipeline Scan Support​

• Veracode has improved Pipeline Scan to include support for Android applications.

New Veracode Static Analysis Support​

Veracode has added support for new versions of these technologies:

• Angular 9 and 10
• Visual Studio 2019 for Visual C++

Improved Veracode Static Analysis Support​

• Veracode has improved static analysis of AWS SDK for JavaScript.

• Veracode has improved static analysis of .NET and JVM-based applications. Veracode reduced the number of prescan warning messages that it sends for components that are common third-party libraries.

September 17, 2020​

New Static Analysis Support for iOS 14​

• Veracode has improved static analysis by adding initial support for iOS 14.

September 1, 2020​

New Veracode Static Analysis Support​

Veracode has added static analysis support for these technologies:

• React Native 0.6x
• Ruby on Rails 6
• Jinja2 Template Library for Python

Veracode Static Analysis Recognized Cleansers​

As a result of updated security research, Veracode has added several CRLF cleansing functions to the list of supported cleansing functions. Veracode also removed these CRLF functions:

• com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscape
• com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscapeAllowEntities
• com.google.gwt.safehtml.shared.SafeHtmlUtils.fromString
• org.springframework.web.util.HtmlUtils.htmlEscape
• org.springframework.web.util.HtmlUtils.htmlEscapeDecimal
• org.springframework.web.util.HtmlUtils.htmlEscapeHex
• org.apache.axis.components.encoding.XMLEncoder.encode
• com.liferay.portal.kernel.util.HtmlUtil.escapeAttribute
• com.liferay.portal.kernel.util.HtmlUtil.escape
• com.liferay.portal.kernel.util.HtmlUtil.escapeHREF
• com.liferay.portal.kernel.util.HtmlUtil.escapeXPath

Improved Veracode Static Analysis User Experience​

Veracode has improved the user experience of static analysis by providing:

• More consistent naming for the submitted components
• More information added to some prescan error messages

August 7, 2020​

New Pipeline Scan REST APIs​

• The new Pipeline Scan REST APIs allow you to submit pipeline scans directly using an API.

Pipeline Scan Improvements​

Veracode Static Analysis using pipeline scanning includes these enhancements:

• New command parameters for creating GitLab issues and vulnerabilities from scan output:
  • --gl_issue_generation
  • --gl_vulnerability_generation
• New GitLab examples added to the pipeline scan README and the Veracode Help Center

July 10, 2020​

New Pipeline Scan Support for .NET Applications​

• Veracode has added pipeline scan support for .NET applications.

July 1, 2020​

New Veracode Static Analysis Support​

Veracode has added static analysis support for these technologies:

• AWS SDK for
• Ruby 2.6 and 2.7
• AcuCOBOL-GT 10.3
• Xcode 11.5

Improved Veracode Static Analysis Support​

Veracode has improved static analysis of these technologies:

• AWS SDK for Python (Boto3).
• Additional security checks for applications built using Java 12, 13, and 14. You may see additional findings for applications as a result of these improvements.
• Additional security checks for applications built using .NET Core 3.1. You may see additional findings for applications as a result of these improvements.
• Additional security checks for applications using Apache Commons libraries. You may see additional findings for applications as a result of these improvements.
• Additional security checks for applications using Go templates. You may see additional findings for applications as a result of these improvements.
• Improved scan coverage for iOS application submissions. Veracode now analyzes all components submitted with an iOS application, including standalone frameworks, extensions, and watchOS extensions. After a prescan, you can select these components from a list of modules.

New Video - Review Static Analysis Flaws​

This video shows you how to:

• Access static flaw information in the Triage Flaws view of the Veracode Platform.
• Use the Source Code view to load source code from your local system into the Triage Flaws page so that you can view information about the flaw in the context of your original source.
• Document a proposed mitigation for review.

June 13, 2020​

New Veracode Static Analysis Support​

Veracode has added static analysis support for these technologies:

• Improved analysis of Go applications by adding support for the Gorilla framework, and improving overall results quality.
• Improved analysis of JavaScript applications using AWS Lambda and other functions by adding support for the AWS SDK.

Improved Veracode Static Analysis Support​

Veracode has improved static analysis of these technologies:

• Improved static analysis of iOS applications by improving the results of scans, to better focus the results on custom first-party components, instead of third-party libraries.
• Improved static analysis of .NET and Java applications to more accurately report the analysis size of dependent modules. These changes may result in smaller reported sizes for scan submissions.
• Veracode now reads the contents of the go.mod file included in an application submission to more accurately identify which Go components to analyze.

May 13, 2020​

Pipeline Scan Improvements​

Veracode Static Analysis using pipeline scanning includes these enhancements:

• New command parameters for storing information about the application you are scanning:
  • --app_id
  • --development_stage
• New code examples that show how to integrate a pipeline scan with GitHub actions and Azure DevOps. These examples are included in both the pipeline scan Readme file and the Veracode Help Center.

May 4, 2020​

New Veracode Static Analysis Support​

Veracode now supports static analysis of these libraries for Apex:

• Visualforce
• Lightning
• Aura components for Salesforce

Improved Veracode Static Analysis Support​

Veracode now supports static analysis of these technologies:

• Apex version 49.
• Java applications built on Java 14.
• Version 2.6 and 2.7 of the Play framework for Scala. You may see additional findings for Play applications as a result of these improvements.
• Python application analysis improvements, including additional security checks for risks related to certificate management and cryptography settings. You may see additional findings for Python applications as a result of these improvements.
• Updated CWE definitions for flaws that had been reported previously as CWE 100 and 391. MITRE is deprecating these CWEs. MITRE is recategorizing CWE 100 flaws as CWE 1174, and recategorizing CWE 391 flaws as either CWE 252 or CWE 273, depending on the details of the flaw.

Veracode has updated policy rules that included entries for CWE 100 and CWE 391 to include the new CWEs.

After you run the next scan of affected applications, the Veracode Platform reports and analytics reflect the new CWE values. Data for previous scans still include the historical values.

April 23, 2020​

Improved Veracode Static Analysis Support with Pipeline Scanning​

Veracode static analysis using pipeline scanning now includes these features:

• Support for Scala, Kotlin, and Groovy applications
• Veracode authentication using the API credentials file
• Human user accounts with the required user roles can run pipeline scans

April 14, 2020​

New Video - Run a Pipeline Scan in Your CI/CD Environment​

• This video shows you how the pipeline scan runs directly within a CI/CD environment.

April 2, 2020​

New Veracode Static Analysis Support​

• Veracode has improved static analysis by adding support for AWS Lambda functions for Java, .NET, Node.js, and Python.

#####Improved Veracode Static Analysis Support

Veracode has improved static analysis of these technologies:

• Improved results quality for iOS 13 applications
• Support for iOS applications built with Xcode 11.4

Veracode has changed reporting of CWE 404 flaws to be more specific about where they occur, which may result in additional findings. Veracode has also changed the severity of CWE 404 to Informational.

March 16, 2020​

Announcing General Availability of Pipeline Scan for Veracode Static Analysis​

• Veracode is pleased to announce the general availability release of the pipeline scan, a purpose-built tool for DevOps engineers. The pipeline scan directly embeds into your CI tools and provides fast feedback on flaws after each commit.

February 20, 2020​

New Veracode Static Analysis Support​

• Veracode has improved static analysis by adding support for a new version of Visual C++ applications built for Windows 10, Server 2016, and Server 2019.

Improved Veracode Static Analysis Support​

Veracode has improved static analysis of these supported technologies:

• Apache Struts 2
• Safe cryptography libraries in PHP
• Apex triggers submitted with the TGR file extension

January 30, 2020​

New Veracode Static Analysis Support​

Veracode has improved static analysis by adding support for these new versions of supported technologies:

• Java applications built on Java 13
• Initial support for .NET Core 3.1

Improved Veracode Static Analysis Support​

Veracode has improved static analysis of these supported technologies:

• APIs and language features specific to .NET Core 3.0, .NET Standard 2.1, and C# 8. You may see additional findings in .NET applications that use these new features.
• log4net, Serilog, and NLog logging technologies in .NET for detecting log injection flaws in .NET applications. You may see additional findings in .NET applications that use these technologies.
• Additional security checks for Android 9 applications. You may see additional findings for Android applications as a result of these improvements.

December 6, 2023​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 1: Redirect Rodeo (.NET, JavaScript)
• OWASP 8: Prototype Protection Agency (JavaScript)

OWASP API Security Top 10 labs​

• OWASP API 8: Own the Database (Java)
• OWASP API 8: Parameterize All the Things (Java)
• OWASP API 8: Bobby Tables (Java)

November 1, 2023​

New Security Labs lessons

OWASP API Security Top 10 labs​

• API 7: Jot Down This Key (Java)
• API 7: Secret Admin (Java)
• API 7: eXternal Entity (Java)
• API 7: XML is Always a Challenge (Java)

May 3, 2023​

New Security Labs lessons

OWASP Top 10 2021 labs​

New OWASP 10: Get There From Here (Python, Go)

April 5, 2023​

New Security Labs lessons

OWASP Top 10 2021 labs​

New OWASP 10: Get There From Here (.NET, Flask)

OWASP API Security Top 10 labs​

• API 5: Neglected Endpoints (Java)
• API 6: Bad Design Compromises Security (Java)
• API 6: Bad Design Compromises Security (.NET) (revamped!)

March 1, 2023​

New Security Labs lessons

Getting Started Labs​

New Getting Started - Lesson Zero (Flask, Go, Python)

OWASP Top 10 2021 labs​

• OWASP 1: Broken Access Control - Secrets in the Log (Java)
• OWASP 4: Making Secure Decisions (Flask, Go, Python)

OWASP API Security Top 10 labs​

• API 4: Slow Down (Java)
• API 4: Brute Force (Java)
• API 4: Denial of Service (Java)

February 1, 2023​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 1: Broken Access Control - Loose Lips Sink Servers (.NET)
• Beyond OWASP Top 10: Other Web App Risks - Know Your Limits (Java)

OWASP API Security Top 10 labs​

• API 3: Bugs in Debug (Java)
• API 3: Revealing Schemas (Java)

January 4, 2023​

New Security Labs lessons

OWASP Top 10 2021 labs​

New Beyond OWASP Top 10: Other Web App Risks - Do You Remember? (.NET)

OWASP API Security Top 10 labs​

• API 2: Really, Really Bad Passwords (Java)
• API 2: Terrible Password (Java)

December 6, 2022​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 4: Insecure Design - Insecure Decisions (.NET, Java)
• OWASP 4: Making Secure Decisions (Java)

OWASP API Security Top 10 labs​

• API 1: One ID to Access All Objects (Java)
• API 1: Stronger IDs (Java)

Getting Started Labs​

New Getting Started - Lesson Zero (Java, Node)

November 1, 2022​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 1: Broken Access Control - Loose Lips Sink Servers (Node)
• OWASP 4: Insecure Design - Valid Deficit (.NET)

OWASP API Security Top 10 labs​

New API 4: Lack of Resources & Rate Limiting - Denial of Service

October 4, 2022​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 4: Insecure Design - Valid Deficit (Node)
• OWASP 9: Security Logging and Monitoring Failures - Hold the Line (.NET, Java)

September 26, 2022​

Topic Progress Bar Now Focused on Required Labs​

In Security Labs, the progress bar for a topic now shows the completion status for required labs only. If all required labs in a topic are complete, the progress bar shows 100% completion, even when there are incomplete optional labs.

September 6, 2022​

One New Security Labs Lesson

OWASP Top 10 2021 labs​

New OWASP 9: Security Logging and Monitoring Failures - Hold the Line (Node)

August 24, 2022​

New Click-Through Tour​

• After an administrator assigns a user the Manager role, they are given a one-time option to take a tour about the actions managers can do in Security Labs.
• You can also read new documentation on manager permissions.

August 3, 2022​

Three New API Security Labs Lessons

OWASP API Security Top 10 labs​

• New API 9 Improper Assets Management - Unprotected deployments (.NET)
• New API 10 Insufficient Logging & Monitoring - The Importance of Logging and Monitoring (.NET)
• New API 10 Insufficient Logging & Monitoring - Logging in the API Infrastructure (.NET)

July 6, 2022​

Seven New API Security Labs Lessons and One Updated OWASP Course

OWASP API Security Top 10 labs​

• New API 7 Security Misconfiguration - Jot down this key (.NET)
• New API 7 Security Misconfiguration - Secret Admins (.NET)
• New API 7 Security Misconfiguration - eXternal Entity (injection) (.NET)
• New API 7 Security Misconfiguration - XML is always a Challenge (.NET)
• New API 8 Injection - Own the database (.NET)
• New API 8 Injection - Parameterize all the things (.NET)
• New API 8 Injection - Bobby Tables (.NET)

OWASP Top 10:2021:10 Server-Side Request Forgery​

New Get There From Here (Node)

June 30, 2022​

Updated One eLearning Learner Level Course and Added Two New AppSec Tutorials​

• Updated the OWASP 2017 course to OWASP 2021 on Learner Level 1
• Added two new AppSec Tutorials on Learner Level 2

June 1, 2022​

The Security Training Team Released Two New API Security Courses and Updated Eight OWASP Courses

OWASP API Security Top 10 labs​

• API5:2019 Neglected endpoints (.NET)
• API6:2019 Bad Design Compromises Security (.NET)

OWASP Top 10 2021 labs​

See the Course Catalog for more details.

• A01:2021 Broken Access Control
• A02:2021 Cryptographic Failures
• A03:2021 Injection
• A05:2021 Security Misconfiguration
• A06:2021 Vulnerable and Outdated Components
• A07:2021 Identification and Authentication Failures
• A08:2021 Software and Data Integrity Failures
• A09:2021 Security Logging and Monitoring Failures

May 19, 2022​

The Security Training Team Released Three New eLearning Courses and Updated One Course​

• Updated A04: eLearning Secure Architecture and Design
• OWASP Top 10 2021
• A10: Server-Side Request Forgery AppSec Tutorial
• A08: Software and Data Integrity Failures AppSec Tutorial

May 4, 2022​

The Security Training Team Released Seven Labs​

OWASP API Security Top 10 Labs:

• API3:2019 Excessive Data Exposure - Bugs in Debug (.NET)
• API3:2019 Excessive Data Exposure - Revealing Schemas (.NET)
• API4:2019 Lack of Resources and Rate Limiting - Slow Down (.NET)
• API4:2019 Lack of Resources and Rate Limiting - Brute Force (.NET)

OWASP Top 10 2021 Labs:

• A04:2021 Insecure Design - Making Secure Decisions (.NET)
• A08:2021 Software and Data Integrity Failures - Sleeping With the Enemy (.NET, Node)
• A10:2021 Server-Side Request Forgery - Get There From Here (Java)

April 6, 2022​

Two New Labs​

• OWASP API #1 - Broken Object Level Authorization
• OWASP API #2 - Broken User Authentication

April 28, 2021​

New Video - Access and Navigate the Veracode Security Labs Interface​

This video shows you how to:

• Access and navigate the lab interface
• Access and interact with the web application, when applicable
• Communicate with teammates who have completed the lab
• Save lab progress or restart the lab

New Video - View and Filter Labs in Veracode Security Labs​

This video shows you how to:

• View new, required, and in progress labs
• Filter labs by programming language

New Video - Edit and Assign Security Labs Roles to Users​

• This video shows you how to edit roles, assign roles to users, and create managers for those roles in Veracode Security Labs.

New Video - Create a Campaign and Assign Content to Roles in Security Labs​

• This video shows you how to create a new campaign and assign content to roles in Veracode Security Labs.

New Video - Customize Lab Content in Veracode Security Labs​

Watch this video to learn how to:

• Customize lab content by modifying or writing your own conclusion
• Write your own labs using Security Labs as a sandbox
• Create an example application using your own code

New Video - Add and View Due Dates for Assignments in Veracode Security Labs​

Watch this video to learn how to:

• Add and view a due date for an assignment
• Enable competition mode as an administrator

New Video - View and Report on User Progress in the Veracode Security Labs Reporting Page​

• This video shows you how to report on user progress in Veracode Security Labs and the API.

April 27, 2021​

Automated User Progress Notifications​

You can configure automated email notifications to accomplish these tasks for Veracode Security Labs:

• Inform managers of their team progress in a campaign or assignment
• Remind users when they have required labs that are incomplete

You can define the schedule and customize the message for each notification type.

April 2, 2021​

New Video - Create Users Within Veracode Security Labs or by Using Your Company SSO​

• This video shows you how to create users from within the Security Labs interface.

March 4, 2021​

Enable Team-Based Competition in Security Labs​

• You can create Veracode Security Labs campaigns that allows users to collaborate and compete between groups. If you enable competition mode and assign different roles to users, the leader board for the campaign adds the scores by role and displays the collective team totals.

Continuous Learning Paths in Security Labs​

• You can assign Security Labs users to continuous campaigns that automatically provide the next assignment after the user completes the required labs of the previous assignment.

Allow Step Omissions in Security Labs​

• You can configure Security Labs to allow users to skip steps in a lab that they cannot complete. Users do not receive points for skipped steps.

• This feature only applies to Java OWASP labs.

November 23, 2020​

Auto-Extend for eLearning Enabled by Default​

• The default setting for new Veracode eLearning course track assignments is to automatically extend when their subscription periods end.

Improved eLearning Performance​

• Veracode has increased the loading speed of the My Team's Courses page in Veracode eLearning.

October 29, 2020​

Improvements to eLearning​

Veracode has made these improvements to eLearning:

• eLearning administrators can now assign a learner to multiple eLearning curricula.
• Veracode added seven new Secure Coding Foundation courses to learner level 1. Learners who previously completed level 1 must take the newly-added courses to complete this level. Because each level depends on the previous level, these levels show as incomplete until the learner completes them.
• The eLearning report for learners now includes a Date Started column.
• The eLearning settings have been removed from the Admin > Manage Users page. All eLearning administration actions are now available from the Admin > eLearning page. This page provides a centralized location where you can use filtering options and perform all actions on one or more learners.
• The eLearning fields have been removed from the SAML Self-Registration page.

August 29, 2020​

Improvements to Security Labs​

Veracode has made these improvements to Security Labs:

• Integration with the Veracode Platform. By default, if you have the Security Labs User role, Veracode automatically creates your Security Labs account in the Platform. If you have the Administrator role, you automatically have administrator permissions within Security Labs.
• New Assignment Creation wizard. When creating a new set of lab assignments on the Assign Content page, you can now get suggested lab assignments based on a focus. For example, Beginner/Intermediate/Advanced, PCI Training, Backend/Frontend, or Competition.
• New Scala labs for the OWASP Top 10. These labs use the Play framework.

June 27, 2020​

Enhancements to eLearning Curriculum Creation​

• Veracode has improved the user interface for creating an eLearning curriculum to make it easier for administrators to identify courses to add to a curriculum. The new user interface now includes the length and description of each course. When selecting courses, the administrator can also use a checkbox to make courses required.

June 2, 2020​

Bulk Actions for eLearning Administrators​

• Veracode eLearning administrators can now apply actions, including assigning learners to tracks or curricula and enabling automatic track extensions, to multiple users at once. This enhancement simplifies the process of onboarding and managing eLearning users.