About product updates

Review the product updates for the latest features, enhancements, important announcements, and release notes for Veracode products and services. Subscribe to all posts with the RSS feed.

Veracode regions

Your Veracode account is in one of three Veracode regions. Some updates might only be available in specific regions. For example, an update that only applies to a specific product in the Commercial region, or an early release that is first available in the European region, then available in all regions.

If you do not know the region for your account, contact the Veracode Administrator for your organization.

Region icons

By default, all product updates are available in all regions. To indicate that a product update applies to specific regions, it shows one or more of the following icons. Updates that are available in all regions do not show icons.

  • Commercial region
  • European region
  • United States Federal region

Security Labs is only supported in the Commercial region.

Downloads

To download the latest Veracode integrations, see Integrate with Veracode or go to Community Integrations.

Archives

The following sections are archived updates for older releases. Veracode no longer maintains these sections.

CLI updates

The updates on this page apply to the Veracode CLI. Updates that apply to specific Veracode regions show a region icon.

For updates specific to Veracode Fix, such as language and CWE support, see Fix updates.

July 2, 2024

Veracode CLI v2.27.1

This update includes the following improvements to the veracode package command:

  • Support for C/C++ Windows.
  • Support for multiple target frameworks defined in the *.csproj, Directory.Packages.props, and Directory.Build.props files in .NET projects.
  • Improved language support for .NET.

June 28, 2024

Veracode CLI v2.26.0

This update includes the following improvements to the veracode package command:

  • Support for .NET Framework 4.6-4.8.
  • Support for restoring .NET projects with <TargetFramework>.
  • Improved language support for Flutter, Android, PHP, and .NET.
  • More meaningful --debug messages if the command is not able to locate required build or packaging tools.

June 18, 2024

Veracode CLI v2.25.0

This update includes the following improvements:

  • The veracode package and veracode scan commands are now supported on Alpine-based environments.
  • Improved Java, JavaScript, and Python language support for the veracode package command.

June 12, 2024

Veracode CLI v2.24.0

The veracode static command now provides improved command output.

June 6, 2024

Veracode CLI v2.23.0

The veracode static command output now only displays scannable modules once.

June 5, 2024

Veracode CLI v2.22.0

This update adds the veracode dynamic command. You use this command to run a DAST Essentials dynamic analysis, check the status of the analysis, and output the results.

May 28, 2024

Veracode CLI v2.21.0

The veracode package command now supports Android, React Native, Dart, and Flutter.

May 6, 2024

Veracode CLI v2.18.0

This update includes the following improvements to the veracode package command:

  • Support for streaming log messages.
  • Improved language support for .NET and Python.

April 15, 2024

Veracode CLI v2.16.0

This update includes the following improvements:

  • The veracode package command now supports iOS, in addition to existing support for Java, JavaScript, .NET, Python, PHP, Scala, Kotlin, Go, and Ruby on Rails. You use this command to auto-package your applications for Static Analysis and Software Composition Analysis (SCA) upload scans.
  • The packaged artifacts use a Veracode approved filename format.
  • Improved error messaging.
  • The veracode package command output now displays the installed CLI version.

March 29, 2024

Fix flaws in multiple files in a directory

The veracode fix command now provides suggested fixes for a directory of source files, in addition to a single source file. You can fix flaws in multiple files as a batch, without having to rescan your code each time you apply a fix.

March 27, 2024

Veracode CLI v2.14.0

The veracode package command now supports application packaging for the following languages:

  • .NET
  • Go
  • Kotlin
  • PHP
  • Ruby on Rails
  • Scala

February 5, 2024

New commands for reporting on repository contributors

The Veracode CLI now includes the following commands:

January 18, 2024

The Veracode CLI now supports auto-packaging for Veracode Static Analysis

The Veracode CLI now supports Static Analysis auto-packaging for Java, JavaScript, and Python. The package command removes manual packaging steps to streamline your application security tests.

January 9, 2024

Install the CLI on Windows with a PowerShell script

You can now install the Veracode CLI on Windows with a PowerShell script.

October 26, 2023

The Veracode CLI now supports Windows

You can now install the Veracode CLI on Windows with Chocolatey.

October 5, 2023

Veracode Fix is now available in the European Region

Veracode Fix is now fully supported in the European Region.

June 28, 2023

Introducing Veracode Fix

The veracode fix command is a new generative AI feature of the Veracode CLI. It uses the results from a Veracode Pipeline Scan to generate suggested code fixes that you can apply to flaws in your application source code. This feature is currently only available in the Commercial Region. To get started, see the quickstart.

December 30, 2022

Released Veracode Container Security

Veracode Container Security is available. Container Security is a feature of the Veracode CLI that does the following:

  • Scans for container vulnerabilities
  • Scans for infrastructure as code misconfigurations
  • Scans for improperly stored secrets
  • Helps developers secure their cloud native applications

For more information about Veracode Container Security, contact your Veracode account representative.

Dynamic Analysis updates

The updates on this page apply to the following Veracode Dynamic Application Security Testing (DAST) products and features. Updates that apply to specific Veracode regions show a region icon.

July 15, 2024

Improved target configuration pages in DAST Essentials

DAST Essentials has a new look and feel for target configuration. Additionally, you can now switch between non-invasive quick scans and invasive full scans.

June 27, 2024

API Scanning now supports Postman Collections

You can now upload and scan Postman Collections in the Veracode Platform.

May 15, 2024

ISM endpoint 24.5.5

This update includes performance improvements to Internal Scanning Management (ISM). To install this endpoint, you must have Java 21 or greater.

March 28, 2024

Improved pause and resume scheduling

You can now schedule an analysis to pause and resume on specific days of the week, during specific periods, or both.

December 19, 2023

Web application and API scans now support multi-factor authentication

You can now configure web application scans and API scans to use time-based one-time password (TOTP) seeds for URLs that require multi-factor authentication (MFA). You can also configure TOTP with the REST API.

December 12, 2023

ISM endpoint 23.12.1

  • The endpoint now supports Java 21.
  • Adds virtual threading functionality to improve performance and stability. Before you can use this functionality, you must upgrade to Java 21.

November 27, 2023

Free trial of DAST Essentials

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

November 15, 2023

Introducing DAST Essentials

DAST Essentials is a new Dynamic Application Security Testing (DAST) product that provides rapid and resilient DAST scanning of web applications and REST APIs, a user-friendly interface, and seamless CI/CD pipeline integration. To get started, see the quickstart.

September 25, 2023

Web application and API scans now support custom cookies

You can now configure web application scans and API scans to use one or more custom cookies for authentication.

May 9, 2023

ISM endpoint 23.5.0

Added executable scripts that update the JAVA_HOME path for the endpoint.

April 25, 2023

ISM endpoint 23.4.2

  • The endpoint now supports environments where the target host is on the same host as the client.
  • Source code files now include a copyright header.

February 27, 2023

Set URL Scan Settings at the Organization Level

You can now use the Dynamic Analysis REST API to set URL scan settings for all analyses and scans in an organization.

February 17, 2023

New Manual Resume Feature for Paused Analyses

Veracode Dynamic Analysis adds a new feature that enables you to manually resume a scheduled analysis from a paused state. This feature is only available upon request. To add this feature to your account, contact Veracode Technical Support.

January 20, 2023

Renamed URL Scan Status Messages

Veracode has renamed and changed the descriptions for the following URL scan status messages for Dynamic Analysis. The new names more accurately describe the issues that caused these status messages to appear in the Veracode Platform.

  • Killed - Partial Results Available is now Lockout - Partial Results Available.
  • Killed - Verifying Partial Results is now Lockout - Verifying Partial Results.

December 19, 2022

ISM endpoint 22.12.3

  • Fixed an endpoint issue that caused threads to lock up until the ISM tunnel closes.
  • Improved endpoint logging that Veracode Technical Support can use for troubleshooting.

October 21, 2022

ISM available for Dynamic Analysis

Internal Scanning Management (ISM) is now available for Veracode Dynamic Analysis of web applications and API specifications in the European Region.

October 18, 2022

API Scanning Adds Support for Scriptable Request Modification

Veracode API Scanning adds a new option for using JavaScript to modify an HTTP request, at runtime, when authenticating with a remote host.

October 5, 2022

New Similarity Threshold for Web Applications

When configuring an analysis of a web application, you can now set a threshold for ignoring similar web pages during the analysis.

September 7, 2022

Dynamic Analysis Now Creates Screenshots for Consecutive Login Failures

The Veracode scan engine now creates a verification screenshot if it is unable to log in to a target application after 50 attempts. The screenshot image shows when and where in the scanning process the failed login attempts occurred. You can use this information for troubleshooting.

August 2, 2022

New Historical Details for Dynamic Analyses and Scans

You can now view detailed information about all past occurrences of both a dynamic analysis and its scans.

July 28, 2022

Dynamic Analysis available for European Region

Veracode Dynamic Analysis is now available in the European Region. If you have a Veracode Dynamic Analysis subscription, you can now perform dynamic analysis security testing and API testing against public facing web applications and APIs.

May 18, 2022

Re-Enabled Pause and Resume for Scheduled Analyses

When scheduling a Dynamic Analysis, you can now set it to pause and resume scanning at specific days and times. Veracode disabled this option on October 7, 2021.

April 28, 2022

New Status Messages for Partial Scan Results

Dynamic Analysis now provides status messages that indicate when Veracode is verifying partial results and when partial results are available for review. Partial results can occur when a scan stops prematurely due to:

  • Errors during scanning
  • Users stopping the scan early
  • The scan exceeding its configured duration

March 23, 2022

API Scanning Adds Support for OpenID Connect to OAuth 2.0

Veracode API Scanning adds a new option to specify an OpenID Connect URL when configuring OAuth 2.0 authentication.

March 10, 2022

Dynamic Analysis Adds Support for Concurrent Browsers Running Dynamic Analysis Scans

Veracode Dynamic Analysis now supports concurrent browsers for running multiple Dynamic Analysis scans at the same time. When configuring a web application scan, you can specify up to 12 concurrent browsers.

March 8, 2022

API Scanning Adds OAuth 2.0 Authentication and Analysis History Options

Veracode API Scanning includes these changes:

  • New option to configure OAuth 2.0 authentication for the API endpoints in your API specifications. You can select to use either the Client Credentials or Password Credentials grant type.
  • New Associated Analysis field on the API Specification Details page for a given API specification. This field provides options for viewing, reconfiguring, and rerunning previous scans.

March 3, 2022

Dynamic Analysis Now Detects Log4j Vulnerability CWE-115

Veracode Dynamic Analysis can now detect Log4j vulnerability CWE-115 when scanning web applications or API specifications.

February 4, 2022

Updated Dynamic Analysis Scan Engine

The Dynamic Analysis scan engine includes these updates:

  • Updated Chromium to version 98.0.4758.80
  • Log4j security updates
  • Improved connectivity when authenticating with Veracode
  • Fix for insecure cookies that prevented flaw matching

January 25, 2022

ISM endpoint 22.1.10

  • Endpoint upgraded to Log4j 2.17.1 to address security findings.
  • Improved thread management for connection stability.
  • Advanced memory usage diagnostics.

December 21, 2021

ISM endpoint 21.12.13

  • Endpoint upgraded to Log4j 2.17 to address known vulnerabilities CVE-2021-44228 and CVE-2021-45046.
  • Additional libraries upgraded to address security findings.

August 10, 2020

ISM endpoint 20.8.5

  • Endpoint now supports not resolving the hostname when accessing the ISM gateway via proxy. This support enables you to only allow the gateway hostname for outbound HTTPS calls.
  • Endpoint now supports not resolving the hostname when accessing scanned URLs via proxy. This support simplifies proxy configuration if you do not want to access external sites, such as Okta, during the scan.
  • Improved interface for configuring a proxy for the endpoint installer.
  • Endpoint installer supports configuring hostname resolution properties.
  • Java WebSocket library for the endpoint upgraded to version 1.5.1.
  • Endpoint supports specifying a non-default network interface via endpoint properties, including the option to see a list of available network interfaces.
  • Endpoint process name on Linux includes a Veracode identifier.
  • Improved endpoint logging.

March 9, 2020

ISM endpoint 20.3.5

  • Endpoint installer supports client-side Java and 32-bit Java.
  • Endpoint installer supports proxy gateway-only property.
  • Endpoint supports running diagnostics through a DSE tunnel.
  • Endpoint supports new advanced diagnostics options.
  • Consolidated direct diagnostic options and diagnostics options that run through a DSE tunnel.
  • The ISM service from the Windows installer runs under the less privileged LocalService account instead of LocalSystem.
  • Proxy configuration in the installer no longer requires web access to veracode.com.
  • Resolved issue with property merge in the endpoint installer.
  • Improved endpoint memory management and out of memory protection.

Fix updates

The updates on this page apply to Veracode Fix.

For updates specific to products that integrate Fix, see the updates pages for those products.

April 25, 2024

Support for Go and additional CWEs

Veracode Fix now provides suggested fixes for Go. It detects CWE-73, 78, and 117.

March 29, 2024

Support for Kotlin and Scala

Veracode Fix now provides suggested fixes for Kotlin and Scala.

February 14, 2024

Support for Python and PHP

Veracode Fix now provides suggested fixes for Python and PHP.

October 5, 2023

Support for JavaScript and TypeScript

Veracode Fix now provides suggested fixes for JavaScript and TypeScript.

Integrations updates

The updates on this page apply to the Veracode integrations and APIs. Updates that apply to specific Veracode regions show a region icon. Veracode Greenlight is not supported in the European region.

For updates specific to Veracode Fix, such as language and CWE support, see Fix updates. For updates specific to the SCA integrations, see SCA updates.

July 10, 2024

Java API Wrapper 24.7.14.0

This update adds the failbuild parameter. You use this parameter to fail the build if any artifacts of your packaged applications fail to upload.

July 9, 2024

Veracode Integration for Jira Cloud 4.15.0

This update includes the following improvements:

  • The Monitoring and Troubleshooting page now successfully displays remarks if an import fails.
  • Projects with more than 50 components now import successfully.

June 28, 2024

Veracode Workflow App 0.2.3 for GitHub

This update includes the following improvements:

  • Auto-packager support for .NET repositories.
  • The names of GitHub check runs for Veracode Static Analysis now indicate whether they are pipeline scans or policy scans.
  • The GitHub check run summary pages now display the Veracode Platform URL. You can review results regardless of the check run status. Previously, the URL only appeared after the check run succeeded.

If you have not previously granted the app permissions to your GitHub repository, you might receive a notification requesting those permissions when you update your app.

To update your app to reflect these changes, you must fork or import the app repository.

June 24, 2024

Veracode Scan for JetBrains 1.1.0

This update includes the following improvements:

  • Adds Veracode Fix to Veracode Scan for JetBrains. To fix flaws in seconds from within your IDE, you can now apply AI-generated fixes directly to flaws.
  • Adds support for the JetBrains Rider IDE.

June 6, 2024

Veracode Workflow App 0.2.2 for GitHub

This update includes the following improvements:

  • Upgraded GitHub Actions artifacts to version 4.
  • Auto-packaging of Java repositories that do not contain build files in the root directory.
  • Improved memory handling.

To update your app to reflect these changes, you must fork or import the app repository.

Veracode for JetBrains 1.0.0

This update includes the following improvements:

  • You can now run Static Analysis (SAST) scans to find flaws in your source code. Before scanning, the plugin auto-packages your code according to Veracode packaging requirements.
  • Use the filtering options to focus on the static findings that are most important to your organization.
  • Use the provided remediation guidance to fix static findings or use the ignore option to ignore findings you won't fix.

May 30, 2024

Veracode Scan for VS Code 1.9.2

This update includes the following improvements:

  • The proxy support option is now generally available.
  • The timeout limit for Static Analysis scans has increased to 60 minutes.

Veracode Azure DevOps Extension 3.27.2

This update adds support for Node 10 and Node 16.

May 21, 2024

Veracode Scan for VS Code 1.9.1 - Pre-release

This update improves the proxy support option. Before you install this update, on the Visual Studio Code Marketplace, select Switch to Pre-Release Version.

May 16, 2024

Veracode Integration for Jira Cloud 4.14.0

The Monitoring and Troubleshooting page now successfully displays imports from One Time Import and Selective Import.

May 10, 2024

Veracode Scan for VS Code 1.9.0 - Pre-release

This update is a pre-release that supports signing in to Veracode through a proxy server. Before you install this update, on the Visual Studio Code Marketplace, select Switch to Pre-Release Version.

May 3, 2024

Veracode SCA Scan for JetBrains 0.8.1

The debug option now successfully saves all logs.

May 2, 2024

Veracode Static for Eclipse 3.9.0

This update includes minor performance improvements.

April 18, 2024

Veracode Scan for VS Code 1.8.1

This update includes the following improvements:

  • The timeout limit for Static Analysis scans has increased to 10 minutes.
  • Fixed findings no longer appear on the PROBLEMS tab in VS Code.

April 17, 2024

Veracode Static for Visual Studio (New) 1.12.0

This update includes the following improvements:

  • After you import an XML file of your results into Visual Studio, the View Policy Results pane now shows the correct data paths.
  • If you use both the Greenlight extension and the Static Analysis extension in your IDE, you no longer experience conflicts between these extensions.

April 11, 2024

Veracode SCA Scan for JetBrains 0.8.0

This update includes a refreshed user experience.

April 10, 2024

Veracode Workflow App 0.2.0 for GitHub

This update includes the following improvements:

  • For policy and pipeline scans:
    • To turn on policy or pipeline scans, you must now add the analysis_on_platform true flag. By default, this feature is turned off.
    • By default, the analysis_branch flag is now set to your default branch automatically. You can set this flag to a different branch.
    • When you open a pull request (PR) against a branch you are scanning, the integration creates a sandbox scan from the source branch. You can view the scan results under the branch name in the Veracode Platform. When you merge the PR, the integration removes the sandbox scan, and then starts a new policy scan in the target branch. You can view the scan results under the repo name in the Veracode Platform.
    • Mitigated findings from a pipeline scan no longer appear in the list of findings.
  • For GitHub Issues:
    • New issues flag to enter a command that runs on-demand scans on a repo issue.
    • New create_issue flag that creates GitHub Issues from Static Analysis findings.
    • New create_code_scanning_alerts flag that creates code scanning alerts from Static Analysis findings. The alerts appear on the GitHub Security page.
  • For configuration options:
    • You can now configure an allowlist within the central repo_list.yml file.
    • You can now override most global configurations by adding custom configurations to a veracode.yml file at the root of your source repo.
    • New use_custom_workflow flag that can use a workflow from the source repo to build the project or artifact you can upload for scanning.
  • For error handling:
    • New error messages that display as annotations if API credentials are invalid.
    • New error message when the integration is not able to find a policy name.
  • The integration now auto-packages Java projects for more reliable builds and more accurate scan results.

Java API Wrapper 24.4.13.0

This update includes the following improvements:

April 3, 2024

Veracode Scan for VS Code 1.8.0

This update includes the following improvements:

  • Adds Veracode Fix support for Kotlin and Scala.
  • The Flaw Details tab now renders correctly for .NET projects.
  • Minor improvements to packaging support.

April 1, 2024

Veracode Integration for Jira Server 4.7.0

You no longer see a NullPointerException error when you run a one-time import, selective import, or automated import.

March 28, 2024

Veracode Static for Visual Studio (New) 1.11.0

The integration now successfully verifies your Veracode API credentials.

March 25, 2024

Veracode Scan for VS Code 1.7.0

This update includes minor improvements to packaging support.

March 21, 2024

Veracode Static for Visual Studio (New) 1.10.0

In the Project Settings Wizard, when you select an application, the list of sandboxes now shows the sandboxes for the selected application only.

March 14, 2024

Veracode Static for IntelliJ 3.6.0

This update includes the following changes:

  • The Veracode option is now visible on the main menu.
  • Adds support for IntelliJ version 2023.3.4.

March 7, 2024

Veracode Scan for VS Code 1.6.0

This update includes the following improvements:

  • The debug option now supports Static Analysis scans, Veracode Fix, and the auto-packager, in addition to SCA scans.
  • You can now clear all findings.
  • Minor performance improvements.

March 4, 2024

Veracode Integration for Jira Cloud 4.13.2

This update adds historical diagnostics data about each import to the Monitoring and Troubleshooting page.

February 29, 2024

Veracode Jenkins Plugin 24.2.23.0

This update improves security by increasing the minimum supported versions of Jenkins and Java. To install this update, you must have a minimum Jenkins version of 2.414.3 and Java 11.

February 28, 2024

Veracode SCA Scan for JetBrains 0.7.2

This update includes the following improvements:

  • You can now use a debug option to troubleshoot scan errors.
  • Minor performance improvements.

Veracode Greenlight for Visual Studio (New) 1.5.0

This update includes the following improvements:

  • Scans no longer fail with this error message: “The selected file must be in a solution. Open the solution that contains this file and try again.”
  • Improved error handling.

February 23, 2024

Veracode Integration for Jira Server 4.6.0 (European region, United States Federal region)

With this update, when you select links in Jira tickets that open application profiles located in the European Region or US Federal Region, the links no longer open in the Commercial instance of the Veracode Platform.

February 20, 2024

Veracode Azure DevOps Extension 3.26.0

This update includes the following improvements:

  • Adds support for the includenewmodules parameter.
  • You can now add the following information as tags in work items: scan type, finding severity, due date, and CVE ID (SCA only).
  • Work items now show the correct CWE ID.
  • The Upload and Scan task no longer fails when you use the environment variable JAVA_TOOL_OPTIONS.

February 15, 2024

Veracode Scan for VS Code 1.5.0

This update adds Veracode Fix to Veracode Scan for VS Code. To fix flaws in seconds from within your IDE, you can now apply AI-generated fixes directly to flaws.

January 30, 2024

Veracode Scan for VS Code 1.4.1

This update includes the following improvements:

  • Fixes a typo in the Views and More Actions menu.
  • The Remediation Guidance text in the Flaw Details tab is now visible in light mode.
  • Minor performance improvements.

January 29, 2024

C# API Wrapper 24.1.10.1

This update adds support for the -includenewmodules parameter.

January 11, 2024

Veracode Scan for VS Code 1.4.0

This update adds Static Application Security Testing (SAST) to VS Code. Developers can use SAST to find and fix flaws in their code and use Software Composition Analysis (SCA) to find and fix vulnerabilities in open-source code from within the IDE.

This extension replaces Veracode SCA Scan for VS Code. Greenlight for VS Code is now deprecated and will not be supported after June 2024.

December 12, 2023

Veracode Azure DevOps Extension 3.25.0

This update includes the following improvements:

  • The Flaw Import task and the Upload and Scan task now successfully fail the build when the Fail build if Upload and Scan build step fails checkbox is selected.
  • Adds an option to overwrite the iteration path in work items of imported flaws during the next import.

Veracode Integration for Jira Server 4.5.0

This update adds historical diagnostics data to the Monitoring and Troubleshooting page.

October 5, 2023

Veracode Fix now supports JavaScript and TypeScript

Veracode Fix has improved language coverage to include JavaScript and TypeScript.

December 4, 2023

Veracode GitHub Workflow App

Veracode has released the Veracode Workflow App that allows you to scan your GitHub repositories with Static Analysis, Software Composition Analysis (SCA), and Container Security. The app uses template workflows in a centralized location that you can apply to all repositories across your organization.

The functionality of the app includes:

  • Automated scans of up to thousands of repositories from one location
  • Static, SCA, and Container Security scans start on developer activity from a single workflow
  • Automated scanning does not require developers to configure workflows for individual repositories
  • Broad language support

You can download the app from the GitHub marketplace. For more information, view the Veracode documentation.

December 1, 2023

Veracode Static for Visual Studio (New) 1.9.0

This update includes the following improvements:

  • Adds support for TSRV mitigations.
  • Adds support for .NET 7.

November 9, 2023

Veracode SCA Scan for VS Code 1.3.1

This update includes the following improvements:

  • You can now filter out any findings that are of low importance to your organization by selecting a security policy to apply to your project. To use this feature, your account must have the Unified Policy applied.
  • The Vulnerability Details window now includes a link to the related CVE.
  • You can now use a debug option to troubleshoot scan errors.
  • Minor interface changes.

November 1, 2023

Veracode Integration for Jira Cloud 4.12.0

This update includes the following changes:

  • The Import Automation page now includes an option for you to retry downloading Detailed Reports that failed to download during import.
  • If your account is in the European Region and you select a link in a Jira issue to an application profile, the link now opens the Veracode Platform in the European Region.
  • User accounts in the European Region now see the correct values for various fields in imported Jira issues.

October 17, 2023

Veracode SCA Scan for JetBrains 0.7.1

This update includes minor performance improvements.

October 13, 2023

Veracode SCA Scan for VS Code 1.2.1

This update includes minor performance improvements.

October 4, 2023

Veracode Integration for Jira Server 4.4.0

This update adds support for Jira Server version 9.11.2.

September 26, 2023

Veracode Azure DevOps Extension 3.24.0

This update includes the following changes:

  • End of support for Team Foundation Server (TFS).
  • Builds no longer fail when the Fail build if flaw importer build step fails option is cleared and the application name contains special characters.

September 6, 2023

Veracode Greenlight for IntelliJ 1.9.0

This update includes minor performance improvements.

August 31, 2023

Veracode Integration for Jira Server 4.3.0

This update includes the following improvements:

  • The Monitoring and Troubleshooting page now shows details about the last four imports.
  • The Monitoring and Troubleshooting page now includes an option for you to retry downloading Detailed Reports that failed to download during import.

August 17, 2023

Java API Wrapper 23.8.12.0

You can now send requests to the Identity REST API from within the Java API wrapper.

August 16, 2023

Veracode Azure DevOps Extension 3.23.0

This update includes the following improvements:

  • You can now add an iteration path to the work item settings in the Flaw Importer task.
  • Adds support for Azure DevOps version 2022 RC2.

August 10, 2023

Veracode SCA Scan for JetBrains 0.7.0

This update fixes a minor performance issue.

Veracode Integration for Jira Cloud 4.11.0

This update includes the following improvements:

  • If an imported story for an open-source component with vulnerabilities changes projects, the integration now creates subtasks for SCA vulnerabilities in that story under the new project.
  • To avoid failed imports, if the integration encounters errors when it searches for linked Veracode fields, it now skips issue creation for any new findings.

August 8, 2023

Veracode SCA Scan for VS Code 1.2.0

This update includes the following improvements:

July 28, 2023

Veracode Greenlight for IntelliJ 1.8.8

This update includes the following improvements:

  • Adds support for IntelliJ version 1.8.7.
  • Exception errors no longer appear during Greenlight scans at the file or folder level.

July 27, 2023

Veracode SCA Scan for JetBrains 0.6.1

Veracode SCA Scan for JetBrains version 0.6.1 adds support for IntelliJ IDEA version 2023.2.

July 21, 2023

Introducing Veracode SCA Scan for JetBrains

Veracode SCA Scan for JetBrains version 0.6.0 is a new extension that integrates Software Composition Analysis (SCA) into the IntelliJ IDEA and PyCharm IDEs. Developers can scan their code to detect security risks in open-source libraries, library dependencies, and licenses. The detailed scan results help developers learn about vulnerabilities, prioritize security fixes, and remediate security issues from within their IDE.

July 20, 2023

Veracode SCA Scan for VS Code 1.1.0

This update includes the following improvements:

  • You can now select a project to scan when you have multiple projects in VS Code.
  • The SCAN OVERVIEW view now shows the name of the project you scanned.
  • In the extension settings, you can now enable or disable recursive scanning.
  • If your API credentials or the local SCA agent are invalid, the SETUP view now opens after you select Start Scanning or Rescan.
  • Spaces in the USER_HOME directory no longer result in an error.

July 14, 2023

Veracode Integration for Jira Server 4.2.0

This update fixes an issue where IssueCreatorImpl errors on the Monitoring and Troubleshooting page caused unexpected failures.

Veracode Jenkins Plugin 23.7.22.0

This update includes the following improvements:

July 6, 2023

Veracode Static for Visual Studio (New) 1.8.0

This update includes the following improvements:

  • In the Static Findings window, when you double-click a finding, or right-click a finding and select Go to Line, the selected finding now remains selected.
  • After you add a new application to a project and scan it, the extension now adds the details about the new application to the file veracode-project-user.json.

Veracode Integration for Jira Server 4.1.0

This update includes the following improvements:

  • The Import Automation now provides an option that attempts to import any flaws that failed to import. If an import fails, the Import Automation no longer uses the last import date of the failed import.
  • The Troubleshooting page now provides a diagnostic dashboard that shows details about the latest import, including information about any errors.

June 26, 2023

Veracode Greenlight for Visual Studio (New) 1.4.0

This update improves error handling.

June 15, 2023

Veracode Greenlight for VS Code Adds Support for .NET 7

See Veracode Greenlight for VS Code.

June 13, 2023

C# API Wrapper 23.5.8.8

You can now provide a proxy host, port, and its credentials in an environment variable. The environment variable name must be https_proxy.

June 5, 2023

Veracode Azure DevOps Extension 3.22.0

This update includes the following changes:

  • The Upload and Scan task now supports the optional parameter scanpollinginterval.
  • You can now configure the Flaw Import task to only import findings from Static Analysis and SCA.
  • Minor security improvements.

Veracode SCA Scan for VS Code 1.0.0

This update adds security improvements.

June 1, 2023

Veracode Jenkins Plugin 23.5.21.0

This update includes the following changes:

  • Adds a Show Unstable Status for Failed Policy Evaluation option. Select this option to show the job status as Unstable if the scan succeeds but fails the security policy.
  • Minor security improvements.

May 22, 2023

Veracode Integration for Jira Cloud 4.10.0

This update includes the following changes:

  • Findings you import with the Import Automation feature now show the date of the last successful import, instead of the last import.
  • When you configure a Selective Import and select the left/right arrows to switch between pages, the selected flaws are no longer cleared.
  • Minor security fixes.

May 4, 2023

Veracode Azure DevOps Extension 3.21.0

This update includes the following changes:

  • Adds support for the lifecyclestage parameter as an optional argument in the Upload and Scan task. This parameter is not supported in YAML.
  • The scan polling interval for the Upload and Scan task is no longer twice the expected default value of 120 seconds.

April 27, 2023

Veracode SCA Scan for VS Code 0.8.0

This update includes the following improvements:

  • You can now filter the VULNERABILITIES view based on direct or transitive libraries.
  • The Rescan button is now located at the top of the SCAN OVERVIEW view.
  • The SCAN OVERVIEW view is no longer empty when the scan does not find vulnerabilities.
  • In the Library Details window, the Last published field now shows the months and days since the vendor last published the library or it shows Unknown.

April 19, 2023

Veracode Jenkins Plugin 23.4.20.0

This version includes the following updates:

  • Adds Dynamic Analysis scan statuses STOPPED_VERIFYING_PARTIAL_RESULTS and STOPPED_PARTIAL_RESULTS_AVAILABLE.
  • Fixes an issue where the scan poll interval for upload and scan was twice the expected default value of 120 seconds.

April 13, 2023

Veracode Integration for Jira Cloud 4.9.0

The integration now imports findings from scanned applications with COTS (commercial off-the-shelf) enabled.

April 5, 2023

Java API Wrapper 23.4.11.2

This update includes the following changes:

March 31, 2023

Veracode Static for Eclipse 3.8.0

This update adds support for Eclipse IDE version 2023-03.

March 30, 2023

Veracode Integration for Jira Cloud 4.8.0

This version includes the following changes:

  • Adds additional logs for troubleshooting.
  • To ensure your imported flaws are current, the integration re-imports them after you fix any configuration issues.
  • On the Selective Import page, the Flaws Per Page and Next Page options no longer show an error message.

March 27, 2023

Veracode Jenkins Plugin 23.3.19.0

This version includes the following changes:

  • Addresses the low severity information disclosure issues detailed in CVE-2023-25721 and CVE-2023-25722. For more information, go to the Veracode Community.
  • Correctly escapes the -ppassword parameter for a proxy password.

Veracode Azure DevOps Extension 3.20.0

This version addresses the low severity information disclosure issue detailed in CVE-2023-25722. For more information, go to the Veracode Community.

March 20, 2023

Veracode SCA Scan for VS Code 0.7.0

This update includes the following improvements:

  • The extension now includes an SCA Agent. After you install the extension, you can install the SCA Agent from within the IDE and start scanning.
  • You can point to a vulnerability in the VULNERABILITIES view to see whether it passes the built-in policy.
  • The Vulnerability Details window now shows the policy for the selected vulnerability.
  • To indicate which vulnerabilities have passed the built-in policy, the VULNERABILITIES view now groups them by Did Not Pass Policy and Passed Policy.

March 8, 2023

Java API Wrapper 23.3.11.0

This version includes the following changes:

March 2, 2023

Veracode Azure DevOps Extension 3.19.0

This update adds support for both of the following YAML property values:

  • ConnectionDetailsSelection='Endpoint'
  • ConnectionDetailsSelection='Service Connection'

March 1, 2023

Veracode Azure DevOps Extension 3.18.0

This update includes the following changes:

  • Changes the YAML property value ConnectionDetailsSelection='Endpoint' to ConnectionDetailsSelection='Service Connection'. When you upgrade to this new extension, you must update your YAML with the new value name.
  • Static Analysis work items now have a Grace Period Expiration field.
  • SCA work items now have a First Found Date field and File Path field for vulnerabilities.
  • The Summary Report now shows a link to the Scan Details page.
  • The extension now fails the build if Development Sandbox scans find SCA vulnerabilities.
  • Builds no longer fail when the Fail build if Upload and scan build steps fails option is cleared, but the application name contains special characters.

February 28, 2023

Veracode Greenlight for IntelliJ Supports IntelliJ v2022.2.3

Veracode Greenlight v1.8.7 adds support for IntelliJ v2022.2.3.

February 22, 2023

Updated Identity REST API

You can now use the Identity REST API to manage Veracode API credentials for API service accounts, also called API users.

February 9, 2023

Updated Veracode SCA Scan for VS Code

Veracode SCA Scan for VS Code version 0.6.0 includes the following updates:

  • Adds a Create a Case link that you can use to send a support case to Veracode Technical Support.
  • Adds a Leave Feedback link that you can use to provide feedback in a survey.
  • Fixes an issue where the extension did not verify undefined or null values.

February 3, 2023

Mandatory Upgrade for Veracode Greenlight for IntelliJ

Veracode Greenlight for IntelliJ version 1.8.6 supports a recent change to the Greenlight API. To continue using this plugin, you must upgrade to this version by February 13, 2023.

February 2, 2023

Mandatory Upgrade for Veracode Greenlight for Eclipse

Veracode Greenlight for Eclipse version 2.9.7 includes these changes:

  • Supports a recent change to the Greenlight API. To continue using this plugin, you must upgrade to this version by February 13, 2023.
  • Fixes a refresh issue that flashes various status messages at the bottom of the Eclipse interface.

February 1, 2023

Updated Java API Wrapper

Veracode Java API Wrapper version 23.1.10.5 adds logic to identify and remove Unicode application names from the XML response.

Veracode Mobile Application Packager Has Reached End of Life

Veracode Mobile Application Packager is now End of Life (EOL) and is no longer supported by Veracode Technical Support. To compile and package tvOS or iOS applications that you developed in the Xcode IDE, see the packaging requirements.

January 30, 2023

Mandatory Greenlight Upgrades for Eclipse and IntelliJ

Veracode has made a change to the Greenlight API that will impact the following plugins.

  • Veracode Greenlight for Eclipse version 2.9.6 and earlier
  • Veracode Greenlight for IntelliJ version 1.8.5.2022 and earlier

New versions of these plugins will be available on February 2, 2023 and February 3, 2023, respectively. To continue using these plugins, you must upgrade to the new versions by February 13, 2023.

January 23, 2023

Veracode Integration for Jira Supports Jira Server 9

Veracode Integration for Jira version 4.0.1 adds support for Jira Server 9. This integration no longer supports Jira Server 8.6.0 and earlier.

January 17, 2023

Introducing Veracode SCA Scan for VS Code

Veracode SCA Scan for VS Code version 0.5.0 is a new extension that integrates Software Composition Analysis (SCA) into VS Code. Developers can scan their code to detect security risks in open-source libraries, library dependencies, and licenses. The detailed scan results help developers learn about vulnerabilities, prioritize security fixes, and remediate security issues from within their IDE. Version 0.5.1 only removes an obsolete README.

January 10, 2023

Renaming the ConnectionDetailsSelection='Endpoint' YAML Property

In February 2023, Veracode will release a new Azure DevOps Extension that uses the YAML property value ConnectionDetailsSelection='Service Connection' rather than the current value ConnectionDetailsSelection='Endpoint'. When upgrading to this new extension, you must update your YAML with the new value name.

January 5, 2023

Improved Veracode Azure DevOps Extension

Veracode Azure DevOps Extension version 3.17.0 includes the following improvements:

  • Renamed the Veracode Analysis Center link to Veracode Platform.
  • The extension no longer fails a pipeline build if it has a policy assessment of Conditional Pass, even if the Fail build if application fails security policy checkbox is selected.
  • Fixed a minor error-handling issue when the build artifact directory is empty.
  • The Flaw Import task now fails the build when importing flaws with an unsupported process template and the Fail build if flaw importer build step fails checkbox is selected.

January 3, 2023

Improved Veracode Integration for Jira Cloud

Veracode Integration for Jira Cloud version 4.7.0 now successfully loads the Findings Import page when importing large Jira projects.

December 19, 2022

Improved Veracode Integration for Jira Server

Veracode Integration for Jira Server version 3.38.0 includes the following improvements:

  • Jira tickets from imported Static Analysis flaws now show the detected CWEs with a dash instead of an underscore. This CWE format matches the results in the Veracode Platform. For example, CWE_123 is now CWE-123.
  • Jira tickets from imported SCA vulnerabilities now support the Mitigation Status and Mitigation Status Description fields.

December 15, 2022

Veracode Mobile Application Packager is Deprecated

Veracode Mobile Application Packager is now deprecated and will be obsolete on February 1, 2023.

December 14, 2022

Veracode for VS Code Renamed to Veracode Greenlight for VS Code

Veracode for VS Code version 1.6.0 includes the following updates:

  • Changed the name of the extension to Veracode Greenlight for VS Code.
  • Using File > Save on a single file now saves only that file, not all unsaved files.

December 13, 2022

Veracode Azure DevOps Extension version 3.16.0 fixes the link on the Veracode Scan Summary tab. The link now opens the scan results in the Veracode Platform instead of the Application page.

December 6, 2022

Updated Veracode Static for Visual Studio

Veracode Static for Visual Studio version 1.7.0 fixes an issue where the extension could not authenticate with Veracode from a European Region instance.

November 16, 2022

Updated Veracode Integration for Jira

Veracode Integration for Jira version 3.37.0 fixes an issue where the plugin ignores all remaining applications after attempting to import findings from an application with COTS enabled.

November 14, 2022

Updated C# API Wrapper

Veracode C# API wrapper version 22.10.8.6 includes these updates:

  • Fixed an error that can occur if the filename of an uploaded file contains certain characters or symbols. For example, ~ ^ ' { }
  • The -debug parameter now logs timestamped messages that identify connectivity issues, error conditions, and the status of various composite actions.

Improved Veracode Greenlight for IntelliJ

Veracode Greenlight for IntelliJ version 1.8.5 adds support for IntelliJ IDEA 2022.2.3.

October 27, 2022

Java API Wrapper Has Improved Error Handling

Veracode Java API Wrapper version 22.10.10.4 now cancels any scans that exceed the upload limit.

October 21, 2022

Veracode Azure DevOps Extension Now Supports Automatic Deletion of Incomplete Scans

Veracode Azure DevOps Extension version 3.15.0 adds options for deleting incomplete scans in your pipeline. When configuring the extension, you can add -deleteincompletescan as an optional argument or add -deleteIncompleteScan as a YAML property.

Updated Veracode Static for Visual Studio

Veracode Static for Visual Studio (New) version 1.6.0 includes these changes:

  • Fixed an issue where web projects inside folders did not publish.
  • Fixed an issue where the scan progress bar in the IDE displayed as incomplete after clicking Custom Workflow.
  • The Run Scan button in the IDE is now disabled when the scan status is in a failed state. In the Veracode Platform, you also see a warning message to resolve this issue.

September 29, 2022

Updated Greenlight for Eclipse

Greenlight for Eclipse version 2.9.6 includes minor security and documentation updates.

September 22, 2022

Improved Finding Import Performance for Veracode Integration for Jira Cloud

Veracode Integration for Jira Cloud version 4.6.0 adds a new filter that only imports findings with new scan data, policy changes, or changes to applied mitigations since the last import.

September 13, 2022

Java API Wrapper JavaDoc Update

In Veracode Java API Wrapper version 22.9.10.3, the documentation available in the wrapper installation file now describes the Credentials class.

August 29, 2022

Veracode Azure DevOps Extension Has Improved Flaw Importer Task

Veracode Azure DevOps Extension version 3.14.0 includes the following improvements to the Flaw Importer Task:

  • Uses fewer calls to complete flaw imports.
  • Fixes an issue where flaws without comments did not sync or close.
  • Fixes an issue where development sandbox findings did not import.

August 12, 2022

Veracode TeamCity Plugin Now Supports Automatic Deletion of Incomplete Scans

Veracode TeamCity Plugin version 2.7.0 adds configuration options for deleting incomplete scans.

August 9, 2022

Veracode Integration for Jira Server Now Retries Downloading the Detailed XML Report

Veracode Integration for Jira version 3.36.0 fixes an issue where the integration did not create tickets of imported flaws if it could not retrieve the Detailed XML Report. The integration now attempts to retrieve the Detailed XML Report during the next import cycle.

July 27, 2022

Updated C# API Wrapper

Veracode C# API wrapper version 22.8.8.5 includes these updates:

  • Supports the -debug parameter.
  • Fixes an issue to filter out Dynamic Analysis results.
  • Adds transaction ID header to uploadandscan.

July 20, 2022

Veracode Azure DevOps Extension Now Supports Importing SCA Vulnerabilities as Work Items

Veracode Azure DevOps Extension version 3.13.0 updates the Flaw Importer task to support importing Software Composition Analysis (SCA) vulnerabilities as work items.

July 14, 2022

Veracode Jenkins Plugin Now Supports Automatic Deletion of Incomplete Scans

Veracode Jenkins Plugin version 22.6.18.0 adds configuration options for deleting incomplete scans.

June 27, 2022

Improved Finding Import Performance for Veracode Integration for Jira Server

Veracode Integration for Jira Server version 3.35.0 adds a new filter that only imports findings with new scan data, policy changes, or changes to applied mitigations since the last import.

June 22, 2022

Deprecation of Admin XML APIs

Veracode has deprecated the Admin XML APIs for user and team management. End-of-support for these APIs is scheduled for June 30, 2023. Veracode recommends that you begin updating your automations to use the Identity REST APIs. Also, enabling the Single Sign-on and Just-in-Time Provisioning feature automatically disables the Admin XML APIs for user management. Before enabling this feature, ensure all of your automations are using the Identity APIs.

June 8, 2022

Updated Veracode Static for Visual Studio (New)

Veracode Static for Visual Studio (New) version 1.5.0 includes these changes:

May 18, 2022

Java API Wrapper Updates -deleteincompletescan Parameter with Backward Compatibility

Java API Wrapper version 22.5.10.1 updates the -deleteincompletescan parameter to be backward compatible with Java API wrapper versions earlier than 22.5.10.0, which was released on May 4, 2022. After you upgrade the wrapper, the parameter value automatically changes from a boolean to an integer:

  • If set to true, the value changes to 1.
  • If set to false, the value changes to 0.

May 4, 2022

Java API Wrapper Has Improved -deleteincompletescan Parameter

Java API Wrapper version 22.5.10.0 includes changes to the -deleteincompletescan parameter for deleting incomplete scans when running the uploadandscan action. This parameter now accepts an integer value, rather than boolean, for deleting an incomplete scan based on the scan status.

Note: These changes are not backward compatible with the -deleteincompletescan parameter available in earlier versions of the Java API Wrapper. If you currently use this parameter, after upgrading the wrapper you must change the value from boolean to one of the accepted integer values.

April 15, 2022

Introducing New Veracode Static Extensions for Visual Studio 2019 and 2022

Veracode Static for Visual Studio version 1.4.0 is a new extension for adding Static Analysis to Visual Studio 2019 and 2022. The new extension for Visual Studio 2019 provides major improvements compared to our current legacy extension for version 2019, which Veracode continues to support.

The extensions include these features:

  • Improved user experience for developers.
  • Powerful Summary View grid for reviewing and managing findings.
  • Streamlined workflow for building, packaging, and scanning your code.
  • Support for policy and sandbox scans.

An extension for each Visual Studio version is available from the Visual Studio Marketplace.

April 12, 2022

Veracode Greenlight Now Supports the New Visual Studio 2019 and 2022

Veracode Greenlight for Visual Studio version 1.3.184.96 is a new extension for adding Greenlight scanning to the newer versions of Visual Studio 2019 and 2022. An extension for each Visual Studio version is available from the Visual Studio Marketplace.

March 9, 2022

Updated Azure DevOps Extension

Veracode Azure DevOps Extension version 3.10.0 includes these changes:

  • TFS 2017 is no longer supported.
  • TFS 2018 support now requires Azure Pipeline Agent 2.196.2 or later.
  • Flaw Importer task can now import custom fields when using custom process templates.
  • Flaw Importer task can now overwrite the area path in work items when importing flaws.

Platform updates

· 8 min read

The updates on this page apply to the Veracode Platform. Updates that apply to specific Veracode regions show a region icon.

June 20, 2024

Project scan IDs added to Reporting API

Added the following fields to the Findings report of the Reporting API for findings from agent-based scans that are linked to applications:

  • original_project_scan_id: The original project scan in which an SCA agent identified the application-linked finding.
  • latest_project_scan_id: The most recent project scan in which an SCA agent identified the application-linked finding.

Changes to dates for application-linked SCA agent findings in Analytics

Veracode Analytics and the Reporting API have updated how they determine the values for date fields of agent-based scan findings that are linked to applications. The following fields now retrieve data from the agent-based scanning history instead of the SCA upload scan history:

  • First Found Date
  • First Found in Application Date
  • Library First Found in Active Scans Date
  • Last Found Date
  • Reopened Date
  • Fixed Date

This update impacts the following fields because they derive data from the updated fields listed above:

  • Resolved Date
  • Grace Period Expiration Date
  • Flaw Age

May 6, 2024

New columns in SCA License Risk Data Export report

The SCA License Risk Data Export report now includes the following columns:

  • Business Unit for applications associated with SCA upload scans
  • Project Name for SCA agent-based scanning projects
  • Library Version for libraries found in SCA agent-based scans
  • Last Scanned Date and SPDX ID for libraries found in SCA agent-based scans or upload scans

April 28, 2024

Upgrade to Looker 24.0

Veracode has upgraded Analytics to use version 24.0 of the Looker platform. Key updates include:

  • AND/OR filtering
  • Performant field picker
  • Quick resize and tile repositioning

The complete list of changes is available in the Looker documentation.

April 10, 2024

Add a Git repository to application metadata

You can now add the URL of a Git repository to the application profile metadata using the Applications REST API and the Veracode Platform.

April 4, 2024

Veracode Analytics updates

The Veracode Analytics Findings explore includes the following improvements:

  • Updated the Policy Rule Passed (Yes / No) field to match the new policy logic changes to findings from Software Composition Analysis (SCA). If SCA findings violate policy, but are within the grace period, the Veracode Platform does not report them as not passing policy, or "No".
  • Added a new Findings Policy Status field that you can use to tag findings that violate policy and are within grace period as Conditional Pass.
  • The SCA Agent-Based Scan Issues page now provides data about the projects and workspaces that generated the issues.

April 3, 2024

The Veracode Documentation has the following improvements:

  • New Learning paths provide a sequence of videos and documentation that walk you through using Veracode products. For example, the steps show you how to prepare applications for scanning, run a Static Analysis or Dynamic Analysis in the Veracode Platform, and then review the results. By following these paths, new users can onboard and experienced users can gain a deeper understanding of Veracode products, features, and best practices.
  • New search experience that helps you more easily search across all documentation and filter the results.

March 26, 2024

Add Git repository to application metadata

You can now specify the URL of a Git repository in the application profile metadata using the Applications REST API and the Veracode Platform.

November 27, 2023

Free trial of DAST Essentials

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

October 17, 2023

New Veracode Analytics fields available

The new Second Party Component and Fixable (Yes / No) fields in the Veracode Analytics Findings explore are now available.

October 16, 2023

New Veracode Analytics fields available in European Region

The new Second Party Component and Fixable (Yes / No) fields in the Veracode Analytics Findings explore are now available in the European Region.

September 29, 2022

New Application Security Platform features available in European Region

The following features are now available in the European Region.

July 19, 2023

Upgrade to Looker 22.20

Veracode has upgraded Analytics to use version 22.20 of the Looker platform. All existing dashboards now reflect the new Looker experience.

This upgrade introduces a known issue that prevents you from scrolling in the Timeline visualization. Additionally, you may experience an issue that automatically enables the Row Totals column in some pivot tables, which can cause rows to be double counted in stacked visualizations. To fix this issue, edit the dashboard and visualization, clear the Row Totals option, and save your changes.

Updated Security Program Overview Dashboard

The default number of applications displayed in the What is my policy compliance over time? section of the Security Program Overview dashboard in Veracode Analytics has decreased from 100 to 25.

To view additional applications, customize the visualization and adjust the Application Rank by Published Date Descending filter.

July 15, 2022

CWE Top 25 Now Reflects 2022 Version

The Auto-Update CWE Top 25 security standard that you use in Veracode policies now reflects the 2022 CWE Top 25 list.

June 28, 2022

Updated Single Sign-On and Just-In-Time Provisioning

New single sign-on (SSO) and Just-In-Time (JIT) provisioning capabilities in the Veracode Platform improve reliability and supportability and extend the roles that JIT provisioning supports. Before using this feature, you must update your SSO settings in your identity provider.

To begin the process of enabling these capabilities, contact Veracode Support.

May 19, 2022

The Issues Vulnerability Count Measure Changed

Issues Vulnerability Count now includes only issues where the Issue Type is a Vulnerability Issue. In the past, this measure included the count of Vulnerability, License, and Library issues. The calculation of Issues Vulnerability Count is still based on the filters you select.

  • Issues Issue Count: count of issues, regardless of type
  • Issues Vulnerability Count: count of vulnerability issues
  • Issues Libraries with Issues: total number of unique libraries with at least one issue

May 10, 2022

Sandbox Information Available in Unsubmitted Static Scans Data Export

Veracode has added sandbox information to the Unsubmitted Static Scans data export to make it easier to find the incomplete static scans for an application.

SCA dashboards available in Analytics

Data from Veracode Software Composition Analysis (SCA) agent-based scans and upload scans is now available in Veracode Analytics for the European Region. The predefined Veracode dashboards, including the SCA Findings dashboard, now contain SCA scan data. You can also use the Findings, SCA Agent-Based Scans, and SCA Agent-Based Scan Issues data explores for custom reporting.

May 6, 2022

End of Support for Internet Explorer 11

Veracode will no longer support Microsoft Internet Explorer 11 after June 30, 2022. This change follows the Microsoft updates to its support model for Internet Explorer. Veracode recommends that you switch to a supported browser to avoid issues.

Official Support for Microsoft Edge

The Veracode Docs are updated to confirm that Microsoft Edge is a supported browser.

May 3, 2022

Support cases and scheduled consultations now available

You can now raise a support case and schedule a consultation from the Veracode Platform in the European Region.

Veracode Platform services updated to current versions

Applications and policies for the European Region now run on the current versions in the Veracode Platform.

April 4, 2022

Improved Team Management in the Veracode Platform

Veracode has improved the usability of the team management options on the Administration page in the Veracode Platform.

March 22, 2022

View Applications by Policy Evaluation Date

You can now view the date and time of the most recent event that triggered a policy evaluation for an application in a new field in the Applications REST API and the Applications list in the Veracode Platform. You can use this field to search for applications that have had new scans or approved mitigations since the listed date.

SCA updates

· 19 min read

The updates on this page apply to Veracode Software Composition Analysis (SCA). Updates that apply to specific Veracode regions show a region icon.

July 3, 2024

SCA results data export

The SCA Results Export that you can download from the Export Data page in the Veracode Platform now contains 13 months of data instead of 24 months of data.

June 28, 2024

SCA agent enhancement

Agent enhancements in preparation for future scanning of .NET projects.

June 25, 2024

Vulnerable method support for Java 21, 22, and 23

Veracode SCA agent-based scanning now supports vulnerable method analysis for Java versions 21, 22, and 23.

June 24, 2024

New component metrics added to SCA agent results

If an SCA agent-based scan detects a component from a GitHub repository, the CLI summary and the JSON file now include metrics about that repository. Metrics include the number of commits, how long the repository has been stagnant, and more.

June 11, 2024

New Component Activity API

Veracode has released a new API to help you understand the health of your components. You can submit library coordinates, and if the library comes from a GitHub repository, the API retrieves metrics about that repository. Metrics include the number of commits, how long the repository has been stagnant, and more. The SCA Component Activity API specification is available on SwaggerHub for more details.

May 30, 2024

Vulnerabilities and Licenses tabs added to new SCA homepage (Beta)

You can now see all vulnerabilities from scans performed after March 27, 2024 on the Vulnerabilities tab of the Beta version of the new SCA homepage. This tab also includes exploitability information from EPSS, KEV, and Exploit-DB. License risks from scans you ran after March 27, 2024 are available on the Licenses tab.

To access the Beta version of the new SCA homepage, select Scans & Analysis > Software Composition Analysis, then turn on New SCA Home (Beta).

May 28, 2024

SCA agent enhancement

Agent enhancements in preparation for future scanning of .NET projects.

May 22, 2024

SCA agent enhancement

Agent enhancements in preparation for future scanning of .NET projects.

May 15, 2024

Fix for SCA scans of NPM projects

Veracode has fixed an issue that caused some SCA upload scans and some agent-based scans using the --quick flag to not detect libraries in NPM projects when the project version in the package.json file was empty and the package-lock.json file used the v3 format.

May 8, 2024

Fix for SCA agent-based scans of NPM projects

Veracode has fixed an issue that caused some SCA agent-based scans to identify libraries in NPM projects as transitive dependencies when they are both direct and transitive dependencies.

April 30, 2024

Exploitability data added to JSON file produced by SCA agent

The JSON file produced by SCA agent-based scans now includes the following exploitability data:

April 29, 2024

SCA agent enhancement

This update includes the following improvements for SCA agent-based scans:

  • Veracode proxy authentication is more reliable.
  • Improved support of projects that use the version 2 format of yarn.lock.

April 24, 2024

Fixed SCA agent error

Veracode has fixed an issue that caused some agent-based scans to fail when Maven is not installed locally.

April 23, 2024

Additions to JSON file produced by SCA agent

The JSON file produced by SCA agent-based scans now includes the following enhancements:

  • Includes the Common Vulnerability Scoring System (CVSS) vector string for each vulnerability
  • Associates each vulnerable method with a specific vulnerability

April 17, 2024

Veracode Vulnerability Database now includes data from Exploit-DB

The Veracode Vulnerability Database now includes data from Exploit-DB. You can view this data using the SCA Agent Issues APIs and the Findings API. For more information, see Understanding SCA exploitability information.

April 16, 2024

Fix for SCA agent update advisor

Veracode has fixed an issue that caused the SCA agent update advisor to not work properly when cloning a repo with HTTPS instead of SSH.

April 11, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of iOS and .NET projects and fixed a bug caused by libraries with no versions in Go projects.

April 3, 2024

API to scan SBOMs

Veracode has released a REST API for scanning SBOMs. You can use this API to upload and scan an SBOM to identify vulnerabilities associated with the libraries listed in the SBOM. The API can produce a new SBOM that includes results from the scan in CycloneDX or SPDX format. For more information, see SBOM Scan REST API.

April 2, 2024

Reporting changes for ‘conditional pass’ SCA findings

Even though policy status can have three possible values—pass, fail, and conditional pass—several reports and APIs with finding-level policy status fields are limited to only two possible values, such as true and false. Veracode has changed how it populates these fields for SCA upload scans to be more consistent with Static Analysis scans.

These changes only affect findings with a conditional pass status. There is no impact on how Veracode calculates the application-level policy status or how the user interface displays the finding-level policy status. For more details, review the post in the Product Announcement group in the Veracode Community.

April 1, 2024

include_metrics parameter for getWorkspaces API set to FALSE by default

The default value for the include_metrics parameter has changed from TRUE to FALSE for the getWorkspaces API. When the parameter is FALSE, the API responds more quickly but provides data only for the following fields: id, name, projects_count, and site_id. If you set the parameter to TRUE, the API also provides data for the following fields: last_scan_date, library_issues_count, vulnerability_issues_count, and total_issues_count.

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 28, 2024

New SCA homepage (Beta)

A Beta version of the new SCA homepage is now available in the Veracode Platform. To access the new homepage, select Scans & Analysis > Software Composition Analysis. Then, turn on New SCA Home (Beta). This page is built on a new infrastructure that Veracode will use to provide unified results from SCA upload scans and SCA agent-based scans. To see all applications and workspaces that you scanned after March 27, 2024, select the Portfolio tab. To see all discovered components from scans you ran after March 27, 2024, select the Components tab.

March 27, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 21, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 15, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of Ruby and iOS projects.

March 5, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of iOS projects.

February 29, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET, Go, Java Gradle, and Scala SBT projects.

February 27, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET projects.

February 8, 2024

Vulnerable methods for Go

Veracode SCA agent-based scanning now supports detecting vulnerable methods in Go projects that use Go modules as the package manager.

Gradle scanning enhancement

Veracode SCA agent-based scanning now supports scanning Gradle projects without access to the plugin on maven.apache.org. See Run an agent-based scan for Gradle for more details.

New include_metrics parameter for getWorkspaces API

Veracode has added the include_metrics parameter to the getWorkspaces API. When the parameter is TRUE, there are no changes to the issue count and other metrics that the API includes in the payload. When the parameter is FALSE, the API responds more quickly but provides data only for the following fields: id, name, projects_count, and site_id.

Through March 31st, 2024, the default value for the include_metrics parameter is TRUE. On April 1st, the default will change to FALSE. If you have automation that relies on having issue counts and other metrics, Veracode recommends you adjust the parameter in your API call before April 1st.

January 23, 2024

Maven scanning enhancement

Veracode SCA agent-based scanning now supports scanning Maven projects without access to the plugin on maven.apache.org. See Run an agent-based scan for Maven for more details.

Fix for Python scans

Veracode fixed an issue that caused an error in SCA agent-based scans of Python projects when using a newer version of pipenv.

January 5, 2024

SCA API enhancements

Veracode has fixed an issue that caused the SCA Agent Issues APIs to exclude fixed issues from the payload when the vuln_methods parameter was set to true. This fix applies to scans performed after January 5th, 2024.

Additionally, the getProjectIssues endpoint now supports all of the same parameters as the getWorkspaceIssues endpoint.

January 4, 2024

Veracode Vulnerability Database now includes exploit information

The Veracode Vulnerability Database now includes data from both the Exploit Prediction Scoring System (EPSS) and the Cybersecurity & Infrastructure Security Agency Known Exploited Vulnerabilities (KEV) catalog. To access this data, you must sign in to the Veracode Platform. For more information, see Understanding SCA exploitability information.

December 19, 2023

SCA agent enhancement

The SCA agent can now scan target directories that contain spaces when SRCCLR_NO_GIT is set to 1.

December 18, 2023

APIs now include KEV data

Veracode has added data from the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog to the SCA Agent Issues APIs and the Findings API. See Understanding SCA exploitability information for more details.

December 11, 2023

Veracode has released the SCA App-Linking REST API. You can use this API to link a project for SCA agent-based scans to an application profile. The linked application profile receives all libraries, licenses, and discovered vulnerabilities from that project, along with all results from SCA Upload scans. To link a project, use the linkAppProject endpoint. To unlink a project, use the unlinkAppProject endpoint.

SCA agent enhancement

Veracode has fixed an issue that prevented the SCA agent from cleaning up local scan directories and added enhancements to the agent that will be used in the future for scanning Java projects.

December 4, 2023

SCA agent enhancement

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 21, 2023

SCA agent enhancement

Veracode has added several enhancements and fixes to the SCA agent.

November 14, 2023

SCA agent enhancement

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 6, 2023

API to propose and approve mitigations for SCA findings

Veracode has released the SCA Annotations REST API. This API includes the getSCAannotations endpoint to retrieve comments and mitigations applied to findings from SCA upload scans and the createSCAannotations endpoint to annotate SCA upload findings, including adding comments and proposing, accepting, and rejecting mitigations.

The SCA Annotations API specification is available on SwaggerHub.

This API is not part of the Annotations API, which works with findings from Static Analysis and Dynamic Analysis.

October 11, 2023

Exploit probability (EPSS) added to Findings API

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the Findings REST API. See Understanding SCA exploitability information for more details.

Fixed SCA agent error

Veracode has fixed an issue that caused a null pointer exception when performing an agent-based scan on some projects.

September 27, 2023

Correction of SCA Fix By dates in sandboxes

Veracode has fixed an issue impacting the calculation of Fix By dates in sandbox scans. Previously, SCA used the scan date or the scan promotion date as the date that a component was first found, causing the Fix By date to be pushed out continuously. This fix is not retroactive and only impacts scans completed after Sept 27, 2023.

September 22, 2023

Assign policies to SCA agent-based scan workspaces

The new Unified Policy feature allows you to assign policies to workspaces used for SCA agent-based scans. Like the existing agent rules, you can use policies to create issues and break your build based on certain criteria. See more details about applying rules to a policy, assigning policies to agent-based workspaces, and setting default policies.

Veracode will migrate customers from agent rules to Unified Policy in batches and will retire agent rules before April 1, 2024.

August 28, 2023

Agent-based scan UI now displays CVSS v3

Because the National Vulnerability Database stopped supporting CVSS v2 in July 2022 and most users have moved to v3, the Library and Vulnerability pages of SCA's agent-based scan user interface now display CVSS v3 scores, instead of v2. You must clear the cache in your web browser to see these changes.

To also display CVSS v3 on the workspace Issue pages and the project Issue tab, you must update your agent rules to use CVSS v3.

August 16, 2023

Enhancements to SCA agent dependency graph traversal

Veracode has improved the performance of the SCA agent by optimizing how it handles dependencies with very complicated and intertwined dependency graphs.

August 8, 2023

Exploit probability (EPSS) added to SCA Agent APIs

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the SCA Agent REST APIs. See Understanding SCA Exploitability Information for more details.

July 21, 2023

Enhancements to .NET scanning

Veracode has added the following enhancements to SCA scanning for .NET applications:

  • Reduced false positives and false negatives in SCA upload scans by adding support for deps.json and project.asset.json files.
  • Enhanced SCA Agent scans by adding the ability to perform --quick scans on NuGet projects.

July 28, 2023

API to retrieve list of SCA agent projects linked to an application

Veracode has released the getApplicationProjects API to allow users to retrieve a list of SCA agent projects that are linked to a specific application. Users who have rights to call the getApplications API may also call the getApplicationProjects API.

July 11, 2023

Additional roles can call SBOM APIs

Veracode has expanded the list of roles that are allowed to call the CycloneDX Software Bill of Materials (SBOM) API and the SPDX SBOM API. See the SBOM API instructions for application profiles and agent-based projects for details.

June 28, 2023

SCA agent CLI now displays CVSS v3 severities

The Vulnerabilities section of the Summary Report that appears in your CLI after an SCA agent-based scan now displays CVSS v3 severities, instead of v2.

The Issues section still displays CVSS v2 severities by default, but you can edit the severity in your agent-based scanning rules to reflect v3. If you have not modified your rules to use CVSS v3, Veracode recommends setting up organization-level rules to avoid having to edit rules on every workspace individually.

June 20, 2023

Support for v3 format of NPM lockfiles

Veracode has added support for NPM lockfile format version 3. See Run an Agent-Based Scan for NPM or JavaScript and TypeScript Packaging for details.

May 15, 2023

Fixed agent error for Yarn scans

Veracode has fixed an issue causing SCA agent-based scans of Yarn projects to erroneously fail.

May 9, 2023

Upgraded JRE for SCA agent

Veracode has upgraded the Java Runtime Environment (JRE) for the SCA agent from version 11 to 17.

Added GNU Privacy Guard to SCA agent downloads

Veracode has added GNU Privacy Guard (GPG) signature files to all SCA agent downloads to verify you are downloading a valid version.

May 3, 2023

Fixed scope parameter for NPM scans

Veracode has resolved an issue impacting the scope parameter for SCA agent-based scans of NPM projects.

April 14, 2023

SCA agent enhancements

Veracode has added the following enhancements to the SCA agent:

  • Support for Gradle version 8.
  • The default scope for scans of NPM projects is now production dependencies instead of all dependencies.

Temporarily ignore issues from agent-based scans

You can now specify a date for Veracode to stop ignoring issues from SCA agent-based scans.

April 6, 2023

Enhancements to Go scanning

Veracode has added the following enhancements to SCA scanning for Go projects:

  • Reduced false positives.
  • Reduced false negatives.
  • Increased scan speed.
  • Fixed an issue that removed component names when agent-based scan results were linked to an application.
  • Fixed an issue that caused indirect dependencies to appear in agent-based scan results as direct libraries instead of transitive libraries.

April 4, 2023

Enhanced SCA agent support for Java 17 features

Veracode SCA has improved agent-based scan support for projects that contain Java 17 features.

April 3, 2023

NVD severity ratings for SCA upload scans

Veracode Software Composition Analysis (SCA) upload scans now support displaying updated severity ratings that more closely match the National Vulnerability Database (NVD) severity ratings. To enable this feature for your account, contact Veracode Technical Support.

March 16, 2023

New mitigation type available for SCA upload scans

You can now choose to accept the risk of specific vulnerabilities and licenses as part of your mitigation process for Veracode SCA upload scans. This mitigation type is already available for Veracode Static Analysis and Dynamic Analysis.

February 3, 2023

Region flag for agent-based scans

Veracode SCA agent-based scans now provide a region flag that you can use to configure accounts in the European Region and United States Federal Region.

February 2, 2023

JRE upgrade for SCA agent

Veracode has upgraded the Java Runtime Environment (JRE) that is bundled with the Software Composition Analysis (SCA) agent.

January 13, 2023

Improved SCA support for Python 3

Veracode Software Composition Analysis (SCA) agent-based scans now more effectively locate local Python 3 installations.

December 21, 2022

Generate SBOM in SPDX format

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) in SPDX JSON format from the results of your Veracode SCA upload scans.

December 14, 2022

SCA support for Android

Veracode Software Composition Analysis (SCA) now supports scanning Android projects. This support includes AAR files for agent-based scans and APK and AAB files for upload scans.

September 15, 2022

SCA support for Go aliases

Veracode Software Composition Analysis (SCA) now supports aliases in Go projects. This support includes agent-based and upload scans.

Vulnerable method support for Java 17

Veracode SCA agent-based scanning now supports vulnerable method analysis for Java 17.

August 22, 2022

Set SCM URI as project name

You can now set the source code management (SCM) URI as your project name using the --uri-as-name option in your Veracode SCA agent-based scans.

July 22, 2022

SBOM API support for SCA agent-based scans linked to application profiles

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans that you have linked to an application profile. The API generates an SBOM in CycloneDX JSON format.

June 6, 2022

Generate SBOMs for SCA agent-based scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans. The API generates an SBOM in CycloneDX JSON format.

May 9, 2022

SBOM API support for promoted sandbox scans

You can now generate a software bill of materials (SBOM) for Veracode SCA upload scans that have been promoted from sandbox to policy scans. The Veracode SCA Agent REST API includes promoted sandbox scan results when it returns a CycloneDX SBOM for an application.

SCA upload and scan table update

Veracode has removed the Number of Known Vulnerabilities by Severity column from the Applications table on the Upload and Scan page in the Veracode Platform. This update significantly reduces load times for the page. You can still view the number of known vulnerabilities by severity for each application in the application profile.

April 26, 2022

Generate SBOMs for SCA upload scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA upload scans. The API generates an SBOM in CycloneDX JSON format.

January 20, 2022

JSON output for agent-based scans includes CVSS v3 score

Veracode Software Composition Analysis (SCA) now provides the CVSS version 3 score in the JSON CLI output of your agent-based scan results. To use this feature, you must upgrade your Veracode SCA agent to version 3.7.77 or later.

October 20, 2021

Veracode European Region now available

The Veracode European Region is now available for new customers. This region, which initially supports Veracode Static Analysis and Veracode Software Composition Analysis, provides European data residency for Veracode customers.

Static Analysis updates

The updates on this page apply to Veracode Static Application Security Testing (SAST). Updates that apply to specific Veracode regions show a region icon.

For language support specific to Veracode Pipeline Scan, see Pipeline Scan Supported Languages.

July 2, 2024

Updated Pipeline Scan language support

Pipeline Scan now supports iOS.

June 27, 2024

Updated language and framework support

.NET

  • Improved CWE-117 and 1174 flaw detection for .NET resulting in a reduction in false positives

Apex

  • Improved parsing for Apex

C/C++

  • Added Visual Studio 2022 MSVC 14.4x compiler support
  • Improved scan performance for C/C++ Linux

COBOL

  • Improved parsing for COBOL
  • Improved CWE-248 flaw detection for COBOL resulting in a reduction in false positives

Dart and Flutter

  • Dart 3.4 and Flutter 3.22 support

iOS

  • Improved CWE-201 support for iOS 17 APIs
  • Improved third-party detection for iOS resulting in a reduction in false positives

Java

  • Improved line number detection for flaws

JavaScript

  • Added Next.js 14.x support
  • Improved parsing for TypeScript

Ruby on Rails

  • Ruby 3.3 and Rails 7.1 support

Other languages

  • Improved CWE-201 support for iOS 17 APIs
  • Improved CWE-331 support for Android
  • Improved CWE-259 and 798 flaw detection for all languages resulting in a reduction in false positives
  • Removed CGI-only restriction for Perl
  • Improved CWE-80 flaw detection for PHP
  • Improved parsing for T-SQL
  • Improved CWE-259 flaw detection for Python resulting in a reduction in false positives

May 23, 2024

Updated language and framework support

.NET

  • Improved CWE-73, 259, and 798 detection
  • Improved third-party detection
  • Improved SQL injection detection

Apex

  • Apex 57, 58, 59, and 60 support

COBOL

  • Stratus VOS COBOL support

Java

  • Enhanced JDK 21 and 22 support
  • Improved cleanser detection for CWE-78
  • Improved CWE-259, 798, and 916 flaw detection resulting in a reduction in false positives
  • Improved third-party detection for Maven repositories

Scala

  • Scala 3.4 support

Other languages

  • Improved CWE-259 and 798 detection for all languages
  • Improved CWE-89 detection for T-SQL
  • Improved CWE-259, 319, and mobile behavioral scan support for iOS 17 APIs
  • Improved parsing for T-SQL
  • Improved CWE-80 flaw detection for TypeScript resulting in a reduction in false positives
  • Improved SQL injection detection for Python

April 25, 2024

Updated language and framework support

.NET

  • Improved third-party detection

COBOL

  • You must now submit all COBOL files as separate files in a single archive. Veracode no longer supports uploading individual COBOL files outside of an archive.

C/C++

  • GCC 12 and 13 (RHEL 9) support
  • openSUSE Leap version 15 support
  • Improved CWE-121 and 454 detection

Dart and Flutter

  • Dart 3.3 and Flutter 3.19 support

Java

  • JDK 22 support
  • Improved CWE-259 and 798 flaw detection for Spring Boot applications, resulting in a reduction in false positives
  • Improved Generic modeling, which impacts all CWEs

JavaScript

  • JavaScript cleansers for CWE-80, 93, 113, and 117
  • Improved CWE-73 detection, resulting in a reduction in false positives

PHP

  • PHP 8.2 and 8.3 support

Other languages

  • Improved CWE-259 and 798 flaw detection, resulting in a reduction in false positives for all languages
  • Improved CWE-416 detection in iOS
  • Improved third-party detection in Android

March 28, 2024

Updated language and framework support

.NET

  • Improved CWE-1174 flaw detection resulting in a reduction in false positives

Android

  • Enhanced Android 14 support

Apex

  • Improved CWE-80 flaw detection resulting in a reduction in false positives

C/C++

  • Improved CWE-190 flaw detection resulting in a reduction in false positives
  • CentOS/RHEL 9 (x64) support

COBOL

  • Improved parsing for COBOL

Go

  • Go 1.22 support

Java

  • Improved CWE-259 flaw detection for Java
  • Improved processing of shaded JAR files

JavaScript

  • Improved processing of large JS files

Kotlin

  • Improved source file name parsing for Kotlin results

PL/SQL

  • Improved scan times for PL/SQL

Python

  • Improved CWE-80 handling for Python resulting in a reduction in false positives

React Native

  • Improved React Native handling of IPA files

T-SQL

  • Improved CWE-89 detection for T-SQL resulting in a reduction in false positives

March 12, 2024

Updated Pipeline Scan language support

Pipeline Scan now supports Ruby on Rails.

February 22, 2024

Updated language and framework support

.NET

  • Enhanced .NET 8 support
  • Improved support for CultureInfo.InvariantCulture
  • Improved CWE-78 flaw detection
  • Improved CWE-117 flaw detection resulting in a reduction in false positives

C/C++

  • Improved CWE-121 flaw detection resulting in a reduction in false positives
  • Improved CWE-125, 129, 134, 170, 190, 191, 195, and 196 flaw detection
  • Improved CWE-477 flaw detection

COBOL

  • Improved flaw analysis for CWE-78, 89, 114, 201, 209, 242, 248, 252, 489, and 798
  • Improved parsing for COBOL
  • Improved scan performance for COBOL
  • Improved scan size calculations

Java

  • Improved CWE-80 fix detection with modern Spring Framework versions
  • Improved generic modeling and modeling of Spring Framework applications, which impacts all CWEs
  • Improved CWE-916 detection
  • Improved Java third-party detection

JavaScript and TypeScript

  • Improved analysis for numeric and boolean datatypes, which impacts all CWEs
  • Improved type detection to prevent false positives for CWE-601 and all other CWEs
  • Detect and ignore webpack-generated files that are concatenated or minified
  • Improved support for fs/promises, which impacts all CWEs

Other languages

  • Improved CWE-259 and 798 flaw detection resulting in a reduction in false positives for all languages
  • Improved analysis of conditionals for all languages
  • Improved CWE-89 flaw detection for Classic ASP
  • Improved support for error_log, which impacts CWE-73, 88, 93, and 117 for PHP

January 25, 2024

Updated language and framework support

.NET

  • Improved third-party detection
  • Enhanced .NET 8 support
  • Improved CWE-80, 89, 404, 501, and 1174 detection

Java

  • Improved flaw detection
  • Improved third-party detection
  • Improved CWE-117, 327, and 749 detection
  • Added ‘jsi’ filetype support

C/C++

  • Improved flaw detection
  • Added openSUSE (x86) version 12 support
  • Improved CWE-121 and 190 detection

Dart

  • Improved flaw detection
  • Improved third-party detection
  • Improved CWE-331 detection

Other languages

  • Improved Android third-party detection
  • Improved JavaScript flaw detection
  • Updated JavaScript third-party detection
  • Improved CWE-99 and 918 detection for Python
  • Improved CWE-259 and 798 detection for PHP
  • Improved CWE-252, 259, 311, 522, 614, and 798 detection in iOS
  • Improved CWE-321 detection for all languages
  • Added CWE-639 support for COBOL

January 18, 2024

The Veracode CLI now supports auto-packaging for Veracode Static Analysis

The Veracode CLI now supports Static Analysis auto-packaging for Java, JavaScript, and Python. The package command removes manual packaging steps to streamline your application security tests.

December 27, 2023

New COBOL scanner for Static Analysis

The new COBOL scanner for Veracode Static Analysis includes advanced pattern recognition and static analysis techniques, allowing for more accurate and efficient detection of security vulnerabilities in COBOL code.

The improved detection may result in the identification of additional vulnerabilities and potential threats. The updates may also impact flaw matching for your applications. If you need help resolving these changes, contact Veracode Technical Support.

All COBOL scans now use the upgraded scanner.

More details are available in the Veracode Community.

December 14, 2023

Updated language and framework support

  • Added .NET 8 initial support
  • Added JavaScript / ECMAScript 2023 (ES14) support
  • Added Config support from AWS SDK for Go
  • Enhanced Android 13 support
  • Enhanced Node.js v20 support
  • Added Dart 3.2 and Flutter 3.16 support
  • Improved CWE-327 (Use of Broken or Risky Cryptographic Algorithm) and CWE-352 (Cross-Site Request Forgery (CSRF)) detection for Ruby on Rails
  • Improved CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) detection for .NET
  • Improved CWE-352 (Unchecked Return Value) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) detection for .NET
  • Improved accuracy of modeling Python method calls resulting in a reduction in false positives
  • Improved CWE-926 (Improper Export of Android Application Components) detection for Android
  • Improved CWE-321 (Use of Hard-coded Cryptographic Key) detection for all languages
  • Improved CWE-331 (Insufficient Entropy) detection for Java
  • Improved CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')) detection for PHP
  • Improved parsing for PL/SQL
  • Improved Python jsonify cleanser support for flaw class CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
  • Improved support for JavaScript crypto APIs
  • Improved iOS detection of CWE-252 (Unchecked Return Value)
  • Improved support for JavaScript Axios library
  • Improved .NET third-party detection
  • Improved mixed-Java/Kotlin analysis
  • Improved Java third-party detection
  • Improved Android version detection
  • Improved CWE-326 (Inadequate Encryption Strength) accuracy in .NET
  • Improved accuracy for CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials)
  • Added detection of CWE-489 (Active Debug Code) in Go
  • Improved analysis of JavaScript listeners

November 15, 2023

Updated language and framework support

  • Added Javax to Jakarta transition support
  • Added support for Java Records
  • Added Spring Boot 3 support
  • Added Spring Security 6 support
  • Added Spring Core 6 support
  • Added Android 14 initial support
  • Added KMS support for AWS SDK for Go
  • Improved flaw detection for Dart apps
  • Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) detection for all languages
  • Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation), CWE-352 (Cross-Site Request Forgery), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) detection for .NET
  • Improved third-party detection for Android, C/C++, Dart, and JavaScript
  • Improved CWE-73 (External Control of File Name or Path) detection for Java
  • Improved third-party detection in Java WAR files
  • Improved CWE-252 (Unchecked Return Value), CWE-201 (Insertion of Sensitive Information Into Sent Data), and CWE-297 (Improper Validation of Certificate with Host Mismatch) detection for iOS
  • No longer report MemoryStream for CWE-404 in .NET
  • Improved detection for unsupported mobile applications

October 26, 2023

Updated language and framework support

  • Added Dart 3.1 and Flutter 3.13 support
  • Added JDK 21 (LTS) support
  • Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) detection for Kotlin
  • Improved .NET analysis to ignore .NET ClickOnce “.deploy” files
  • Improved third-party detection for Java, JavaScript, PHP, iOS, PL/SQL and C++
  • Improved parsing for PL/SQL
  • Improved CWE-798 (Use of Hard-coded Credentials) detection for PHP
  • Enhanced Python analysis to treat modules consisting of all third-party code as first-party modules
  • Improved Groovy analysis of objects
  • Improved CWE-252 (Unchecked Return Value) detection for iOS
  • Improved JavaScript analysis of objects
  • Improved analysis of iOS apps to reduce CWE-284 (Improper Access Control) false positives
  • Improved CWE-693 (Protection Mechanism Failure), CWE-926 (Improper Export of Android Application Components), CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-798 (Use of Hard-coded Credentials) detection for Android

October 2, 2023

Updated language and framework support

  • Added iOS 17 initial support
  • Added Go 1.21 support
  • Added PHP Laravel 10 support
  • Added .NET Minimal API support
  • Enhanced .NET 7 support
  • Enhanced Groovy 3 support
  • Enhanced AWS SDK for Go support
  • Enhanced Android 13 support
  • Improved third-party detection for JavaScript
  • Improved CWE-80 detection for Vue.js
  • Improved CWE-259 detection for all languages
  • Improved CWE-89 detection for Transact-SQL
  • Improved third-party detection for C++
  • Improved symmetric-key parsing rules for Transact-SQL
  • Improved attribute idiomatic transformation support for Jakarta
  • Improved CWE-693 detection for Android
  • Improved scan performance for Micronaut framework
  • Improved Node.js modeling to reduce false positives
  • Improved handling of explicitly typed generic function calls in Go
  • Improved data path quality for JavaScript
  • Improved reporting of CWE-352 and CWE-915 in .NET: flaws that were reported separately on the same line and file are now consolidated into one flaw
  • Added CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) detection for .NET applications

Deprecated support for some .NET cleansing functions

Veracode has deprecated support of .NET cleansers for the following functions for flaw classes CWE-93, CWE-113, and CWE-117:

  • antixsslibrary.dll : Microsoft.Security.Application.AntiXss.HtmlAttributeEncode
  • antixsslibrary.dll : Microsoft.Security.Application.AntiXssEncoder.HtmlAttributeEncode
  • antixsslibrary.dll : Microsoft.Security.Application.Encoder.HtmlAttributeEncode
  • antixsslibrary.dll : Microsoft.Security.Application.Encoder.HtmlEncode
  • mscorlib.dll : System.Security.SecurityElement.Escape
  • system.dll : System.Net.WebUtility.HtmlEncode
  • system.web.dll : System.Web.HttpServerUtility.HtmlEncode
  • system.web.dll : System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode
  • system.web.dll : System.Web.Util.HttpEncoder.HtmlAttributeEncode
  • system.web.dll : System.Web.Util.HttpEncoder.HtmlEncode
  • system.web.mvc.dll : System.Web.Mvc.HtmlHelper.AttributeEncode
  • system.web.mvc.dll : System.Web.Mvc.HtmlHelper.Encode
  • system.windows.browser.dll : System.Windows.Browser.HttpUtility.HtmlEncode
  • system.windows.dll : System.Net.HttpUtility.HtmlEncode
  • System.Runtime.dll : System.Net.WebUtility.HtmlEncode

These cleansing functions are insufficient for addressing their targeted flaw classes, and better alternatives are available.

For more details on why Veracode deprecated support for these functions and how to protect your applications against CRLF injection attacks, see the Veracode Community.

September 11, 2023

Fixed bug causing false positives for CWE-798

In last month’s release, Veracode added improved support for CWE-798 (Use of Hard-coded Credentials) detection. However, a bug in the pattern matching caused a significant number of false positives for some users. Veracode has resolved this issue and the improvement should result in significantly fewer CWE-798 false positives.

August 23, 2023

Updated language and framework support

  • Added Kotlin 1.9 support
  • Added TypeScript 5.x support
  • Added GCC 12 (RHEL 8) support
  • Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation) detection on controller-derived classes
  • Improved support for JavaScript URLSearchParams API
  • Improved support for Spring produces annotation attribute
  • Improved third-party detection for JavaScript
  • Improved third-party detection for Android
  • Improved third-party detection for Java
  • Improved hard-coded password/credential detection (CWE-259 and CWE-798)
  • Improved .NET CWE-80 basic XSS detection
  • Improved JavaScript detection of document elements
  • Improved performance for Vue applications
  • Improved .NET Entity Framework support
  • Added ability to allow third-party PHP software if the entire upload is third-party
  • Improved detection of Java CWE-611 XXE
  • Improved support for Python Django views

July 25, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has added support for Quarkus, a Kubernetes-native Java stack tailored for OpenJDK HotSpot and GraalVM.

Veracode has improved static analysis by adding support for these new versions of supported technologies:

Improved Detection of CWE-259 and CWE-798

Improvements to the detection methods Veracode uses to identify CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) vulnerabilities should reduce the number of false positives during static analysis. This update also improves CWE-259 coverage for Python language submissions.

June 22, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has added support for Micronaut 3.8.x, which is a JVM-based framework you use to build lightweight, modular applications.

Veracode has improved static analysis by enhancing support for Android 12.

Veracode has improved static analysis by adding support for these new versions of supported technologies:

Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) Detection

Improvements to the detection methods utilized to identify CWE-259 and CWE-798 vulnerabilities should reduce the number of false positives found during static analysis.

Additional CWE-693 Coverage for Android

Veracode has added an additional CWE-693 (Protection Mechanism Failure) check for Android applications to ensure that the Play Integrity API is used appropriately.

May 23, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Improved CWE-89 Coverage for Java and JavaScript/TypeScript

The improved coverage increases the number of potential CWE-89 flaws that Veracode discovers in Java and JavaScript/TypeScript applications, which might affect your scan results.

Added CWE-451 Coverage for Android

Veracode has added CWE-451 (Tapjacking) coverage for Android applications.

May 18, 2023

Pipeline Scan Adds Support for Module Selection

Pipeline Scan adds a new --include parameter. You use this parameter to specify the top-level modules to include during scanning. The scan results now show both the modules that Veracode identified during prescan and the modules included in the scan.

This update is available with Veracode CLI version 23.4.3-0 and Veracode Docker image version 23.4.3.

April 27, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Improved Static Analysis for Python Language Submissions

Static analysis of Python applications inaccurately reports certain CWE-918 (Server-Side Request Forgery (SSRF)) flaws as CWE-201 (Insertion of Sensitive Information Into Sent Data) flaws. This update recategorizes these incorrectly reported flaws as CWE-918. This update might impact existing flaw matching and you might need to apply new mitigations to these flaws.

After you apply this update, any Python applications that contain CWE-201 flaws and have any of the following policy requirements might fail your security policy:

  • Security Standard rule for Auto-Update CWE Top 25

  • Findings by Severity rule for Medium or higher

  • Minimum Scan Score rule

March 23, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Improved Static Analysis for WebMethodAttribute use in ASP.NET Classic

Veracode has improved static analysis for WebMethodAttribute use in ASP.NET Classic (non MVC and/or MVC Core) WebForms and WebServices. This change reduces the number of false positives found, which affects the flaws found and the associated policy results for customers.

February 23, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Improved COBOL Parser Error Handling

Veracode no longer reports parser errors in standalone copybook files that COBOL files do not include. These files are not relevant for security scanning unless COBOL files reference them.

January 26, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Veracode has improved static analysis by adding support for:

  • Server-side request forgery (SSRF) reporting for JavaScript

Veracode has released a new version of our new iOS packaging tool:

  • Gen IR version 0.2.1: gen-ir

December 15, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Veracode improved static analysis by adding support for these new languages and frameworks:

Veracode has improved static analysis by adding a new iOS packaging tool to support Xcode 14 without the Enable_Bitcode setting:

November 17, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these languages and frameworks:

October 27, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these languages and frameworks:

October 19, 2022

New Packaging Guidance Tool

You can use the new Veracode Packaging Cheat Sheet to generate language-specific packaging guidance for Static Analysis.

October 4, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these languages and frameworks:

August 25, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

August 1, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

June 24, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

April 28, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

March 28, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

February 24, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

Veracode has improved static analysis by adding support for these new versions:

February 3, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

Veracode has improved static analysis by adding support for these new versions:

Veracode Static Analysis Improvements

Veracode has improved the accuracy of hard-coded password detection. You can expect:

  • Fewer false positives where local files are in known valid locations
  • Better identification of sensitive variable names

Veracode has improved modeling for TypeScript support. You can expect:

  • Fewer false positives, and more true positives in TypeScript applications where type information is specified.

October 20, 2021

Veracode European Region now available

The Veracode European Region is now available for new customers. This region, which initially supports Veracode Static Analysis and Veracode Software Composition Analysis, provides European data residency for Veracode customers.

Training updates

The updates on this page apply to Veracode Security Labs and Veracode eLearning. Updates that apply to specific Veracode regions show a region icon.

Security Labs is only available in the Commercial region.

eLearning is available in all Veracode regions.

May 1, 2024

New Security Labs lessons

OWASP Top 10 2021 labs

  • OWASP 1: Forging User Requests (Python, Flask)

April 29, 2024

eLearning course updates

The following 32 courses now have updated cover pages and optional closed captions:

  • Secure Coding Foundations (7 courses)
  • AppSec Tutorials (11 courses)
  • General Security (9 courses)
  • Mobile Security (4 courses)
  • OWASP Top Ten (2021) (1 course)

April 3, 2024

New Security Labs lessons

OWASP API Security Top 10 labs

  • OWASP API 6: Bad Design Compromises Security (JavaScript)
  • OWASP API 7: Jot Down this Key (JavaScript)
  • OWASP API 7: Secret Admin (JavaScript)
  • OWASP API 7: eXternal Entity Injection (JavaScript)
  • OWASP API 7: XML is Always a Challenge (JavaScript)
  • OWASP API 8: Own the Database (JavaScript)
  • OWASP API 8: Parameterize All the Things (JavaScript)
  • OWASP API 8: Bobby Tables (JavaScript)
  • OWASP API 9: Unprotected Deployments (JavaScript)
  • OWASP API 10: The Importance of Logging and Monitoring (JavaScript)
  • OWASP API 10: Logging in the API Infrastructure (JavaScript)

March 6, 2024

New Security Labs lessons

OWASP API Security Top 10 labs

  • OWASP API 1: One ID to Access All Objects (JavaScript)
  • OWASP API 1: Stronger IDs (JavaScript)
  • OWASP API 2: Really, Really Bad Passwords (JavaScript)
  • OWASP API 2: Terrible Password (JavaScript)
  • OWASP API 3: Bugs in Debug (JavaScript)
  • OWASP API 3: Revealing Schemas (JavaScript)
  • OWASP API 4: Slow Down (JavaScript)
  • OWASP API 4: Brute Force (JavaScript)
  • OWASP API 4: Denial of Service (JavaScript)
  • OWASP API 5: Neglected Endpoints (JavaScript)

February 7, 2024

New Security Labs lessons

OWASP Top 10 2021 labs

  • OWASP 1: Forging User Requests (.NET)

OWASP API Security Top 10 labs

  • OWASP API 10: The Importance of Logging and Monitoring (Java)
  • OWASP API 10: Logging in the API Infrastructure (Java)

January 16, 2024

New Security Labs lesson

OWASP API Security Top 10 labs

  • OWASP API 9: Unprotected Deployments (Java)

December 6, 2023

New Security Labs lessons

OWASP Top 10 2021 labs

  • OWASP 1: Redirect Rodeo (.NET, JavaScript)
  • OWASP 8: Prototype Protection Agency (JavaScript)

OWASP API Security Top 10 labs

  • OWASP API 8: Own the Database (Java)
  • OWASP API 8: Parameterize All the Things (Java)
  • OWASP API 8: Bobby Tables (Java)

November 1, 2023

New Security Labs lessons

OWASP API Security Top 10 labs

  • API 7: Jot Down This Key (Java)
  • API 7: Secret Admin (Java)
  • API 7: eXternal Entity (Java)
  • API 7: XML is Always a Challenge (Java)

May 3, 2023

New Security Labs lessons

OWASP Top 10 2021 labs

  • New OWASP 10: Get There From Here (Python, Go)

April 5, 2023

New Security Labs lessons

OWASP Top 10 2021 labs

  • New OWASP 10: Get There From Here (.NET, Flask)

OWASP API Security Top 10 labs

  • API 5: Neglected Endpoints (Java)
  • API 6: Bad Design Compromises Security (Java)
  • API 6: Bad Design Compromises Security (.NET) (revamped!)

March 1, 2023

New Security Labs lessons

Getting Started Labs

  • New Getting Started - Lesson Zero (Flask, Go, Python)

OWASP Top 10 2021 labs

  • OWASP 1: Broken Access Control - Secrets in the Log (Java)
  • OWASP 4: Making Secure Decisions (Flask, Go, Python)

OWASP API Security Top 10 labs

  • API 4: Slow Down (Java)
  • API 4: Brute Force (Java)
  • API 4: Denial of Service (Java)

February 1, 2023

New Security Labs lessons

OWASP Top 10 2021 labs

  • OWASP 1: Broken Access Control - Loose Lips Sink Servers (Dotnet)
  • Beyond OWASP Top 10: Other Web App Risks - Know Your Limits (Java)

OWASP API Security Top 10 labs

  • API 3: Bugs in Debug (Java)
  • API 3: Revealing Schemas (Java)

January 4, 2023

New Security Labs lessons

OWASP Top 10 2021 labs

  • New Beyond OWASP Top 10: Other Web App Risks - Do You Remember? (Dotnet)

OWASP API Security Top 10 labs

  • API 2: Really, Really Bad Passwords (Java)
  • API 2: Terrible Password (Java)

December 6, 2022

New Security Labs lessons

OWASP Top 10 2021 labs

  • OWASP 4: Insecure Design - Insecure Decisions (Dotnet, Java)
  • OWASP 4: Making Secure Decisions (Java)

OWASP API Security Top 10 labs

  • API 1: One ID to Access All Objects (Java)
  • API 1: Stronger IDs (Java)

Getting Started Labs

  • New Getting Started - Lesson Zero (Java, Node)

November 1, 2022

New Security Labs lessons

OWASP Top 10 2021 labs

  • OWASP 1: Broken Access Control - Loose Lips Sink Servers (Node)
  • OWASP 4: Insecure Design - Valid Deficit (Dotnet)

OWASP API Security Top 10 labs

  • New API 4: Lack of Resources & Rate Limiting - Denial of Service

October 4, 2022

New Security Labs lessons

OWASP Top 10 2021 labs

  • OWASP 4: Insecure Design - Valid Deficit (Node)
  • OWASP 9: Security Logging and Monitoring Failures - Hold the Line (Dotnet, Java)

September 26, 2022

Topic Progress Bar Now Focused on Required Labs

In Security Labs, the progress bar for a topic now shows the completion status for required labs only. If all required labs in a topic are complete, the progress bar shows 100% completion, even when there are incomplete optional labs.

September 6, 2022

One New Security Labs Lesson

OWASP Top 10 2021 labs

  • New OWASP 9: Security Logging and Monitoring Failures - Hold the Line (Node)

August 24, 2022

New Click-Through Tour

August 3, 2022

Three New API Security Labs Lessons

OWASP API Security Top 10 labs

  • New API 9 Improper Assets Management - Unprotected deployments (.NET)
  • New API 10 Insufficient Logging & Monitoring - The Importance of Logging and Monitoring (.NET)
  • New API 10 Insufficient Logging & Monitoring - Logging in the API Infrastructure (.NET)

July 6, 2022

Seven New API Security Labs Lessons and One Updated OWASP Course

OWASP API Security Top 10 labs

  • New API 7 Security Misconfiguration - Jot down this key (.NET)
  • New API 7 Security Misconfiguration - Secret Admins (.NET)
  • New API 7 Security Misconfiguration - eXternal Entity (injection) (.NET)
  • New API 7 Security Misconfiguration - XML is always a Challenge (.NET)
  • New API 8 Injection - Own the database (.NET)
  • New API 8 Injection - Parameterize all the things (.NET)
  • New API 8 Injection - Bobby Tables (.NET)

OWASP Top 10:2021:10 Server-Side Request Forgery

  • New Get There From Here (Node)

June 30, 2022

Updated One eLearning Learner Level Course and Added Two New AppSec Tutorials

  • Updated the OWASP 2017 course to OWASP 2021 on Learner Level 1
  • Added two new AppSec Tutorials on Learner Level 2

June 1, 2022

The Security Training Team Released Two New API Security Courses and Updated Eight OWASP Courses

OWASP API Security Top 10 labs

  • API5:2019 Neglected endpoints (.NET)
  • API6:2019 Bad Design Compromises Security (.NET)

OWASP Top 10 2021 labs

See the Course Catalog for more details.

  • A01:2021 Broken Access Control
  • A02:2021 Cryptographic Failures
  • A03:2021 Injection
  • A05:2021 Security Misconfiguration
  • A06:2021 Vulnerable and Outdated Components
  • A07:2021 Identification and Authentication Failures
  • A08:2021 Software and Data Integrity Failures
  • A09:2021 Security Logging and Monitoring Failures

May 19, 2022

The Security Training Team Released Three New eLearning Courses and Updated One Course

  • Updated A04: eLearning Secure Architecture and Design
  • OWASP Top 10 2021
  • A10: Server-Side Request Forgery AppSec Tutorial
  • A08: Software and Data Integrity Failures AppSec Tutorial

May 4, 2022

The Security Training Team Released Seven Labs

OWASP API Security Top 10 Labs:

  • API3:2019 Excessive Data Exposure - Bugs in Debug (.NET)
  • API3:2019 Excessive Data Exposure - Revealing Schemas (.NET)
  • API4:2019 Lack of Resources and Rate Limiting - Slow Down (.NET)
  • API4:2019 Lack of Resources and Rate Limiting - Brute Force (.NET)

OWASP Top 10 2021 Labs:

  • A04:2021 Insecure Design - Making Secure Decisions (.NET)
  • A08:2021 Software and Data Integrity Failures - Sleeping With the Enemy (.NET, Node)
  • A10:2021 Server-Side Request Forgery - Get There From Here (Java)

April 6, 2022

Two New Labs

  • OWASP API #1 - Broken Object Level Authorization
  • OWASP API #2 - Broken User Authentication

2021 updates archive

This page lists the archived updates for 2021.

View the list below for highlights of previous releases.

December 20, 2021

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding support for:

  • Azure Functions used in .NET
  • Thymeleaf templates for Spring Boot

Veracode has improved static analysis by adding support for these new versions:

  • Initial support of .NET 6.0
  • Initial support of Android 12

November 18, 2021

New Veracode Static Analysis Support

Veracode has improved static analysis by adding:

  • Full support for JDK 17
  • Full support for ColdFusion 2016

October 21, 2021

New Veracode Static Analysis Support

  • Veracode has improved static analysis by adding support for Apex 52.0.

Improved Veracode Static Analysis Support

  • Veracode has further improved its accuracy in its detection of hard-coded credentials in applications. You might see a decrease in false positives related to hard-coded credentials.

September 28, 2021

New Veracode Static Analysis Support

Veracode has improved static analysis by adding:

  • Initial support for iOS 15
  • Full support for .NET 5.0

Improved Veracode Static Analysis Support

  • Veracode has improved its detection of hard-coded passwords in applications. You might see an increase in findings related to hard-coded passwords.

August 26, 2021

New Support for GCC 10 on Red Hat Enterprise Linux 8

  • Veracode has improved static analysis by adding support for the GCC 10 compiler on Red Hat Enterprise Linux.

Improved Static Analysis Support

Veracode has made several improvements to static analysis, including:

  • Prevention of reporting hard-coded credentials for variables related to mock libraries
  • Prevention of reporting hard-coded credentials for nonsensitive data in JavaScript dictionaries
  • Improved recognition of password keywords in concatenated strings
  • Improved heuristics to identify potentially sensitive data

July 22, 2021

New Veracode Static Analysis Support

  • Veracode has improved static analysis by adding support for Angular 12 applications.

Improved Veracode Static Analysis Results

  • Veracode has improved static analysis for Node.js 13 and 14 applications.

June 16, 2021

Pipeline Scan Supports Uploading Larger Files

  • Veracode Pipeline Scan now supports the analysis of applications up to 200 MB.

June 2, 2021

New Veracode Static Analysis Support

Veracode has improved static analysis by adding support for these new technologies:

  • Initial Support of Java 16
  • tvOS

Compatibility Updates for iOS and tvOS Application Packager

  • Veracode has improved the mobile application packager used for preparing iOS and tvOS applications to support the latest versions of macOS. This update also includes several usability improvements based on user feedback.

New Distribution Method for the Ruby Gem Packager

  • Veracode began distributing the Gem file required for preparing Ruby on Rails applications. For the latest updates to the Gem file, retrieve the file from rubygems.org using these Veracode instructions.

May 3, 2021

New Veracode Static Analysis Support

  • Veracode has improved static analysis by adding support for AWS SDK for .NET.

Improved Veracode Static Analysis Results

  • Veracode has improved static analysis of Java applications by identifying additional security flaws related to deserialization vulnerabilities.

April 6, 2021

Improved Veracode Static Analysis Support for Android Applications

  • Veracode has improved static analysis of Android applications by adding support for Android applications packaged as Android App Bundles (AAB).

April 1, 2021

Deprecated Support for Older Versions of Veracode Pipeline Scan

  • On April 1, 2021, Veracode will no longer support versions of pipeline-scan.jar that you downloaded before September 2020. These versions are 20.9.1 and earlier. To identify the version of the pipeline-scan.jar that you are using, you can run it with the --version option at the command line.

  • To transition to a supported version of the JAR file, replace the version that you are using with the latest one, which you can download here: https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip. Veracode also provides Pipeline Scan as a Docker image on Docker Hub (https://hub.docker.com/r/veracode/pipeline-scan).

  • Updating to the latest version of pipeline-scan.jar ensures that you are working with the latest version of the Veracode software, which includes many new features and bug fixes.

March 31, 2021

New Veracode Static Analysis Support

  • Veracode has improved static analysis by adding support for Blazor WebAssembly for .NET applications.

Improved Veracode Static Analysis Results

  • Veracode has improved static analysis of .NET Core 3.1 applications.

Remediation Guidance Added to Pipeline Scan Results

  • The Pipeline Scan results now include links to the Veracode Knowledge Base, which provides suggestions for remediating issues.

March 2, 2021

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding support for these new versions of supported technologies:

  • Transact-SQL 15.x
  • Ember.js 3.x for JavaScript

Veracode has improved static analysis by adding initial support for these versions of supported technologies:

  • .NET 5
  • Kotlin 1.4
  • Groovy 3

Improved Veracode Static Analysis Support for iOS

  • Veracode has provided additional security checks for applications built using iOS 14. You may see additional findings for applications as a result of these improvements.

Improved Results for Cryptography Findings for Java Applications

  • Veracode has improved static analysis of Java applications by updating the list of acceptable cryptography algorithms.

February 4, 2021

New Veracode Static Analysis Support

Veracode has improved static analysis by adding support for these new technologies:

  • C++ applications built with GCC 9 on Red Hat 8
  • Koa.js version 2.13
  • Hibernate framework version 5
  • Autofac framework. Static analysis of .NET applications that use Autofac may report additional findings as a result of these improvements.

Improved Veracode Static Analysis Results

Veracode provides these improvements for supported technologies:

  • Additional security checks for applications built using functions specific to Android 10. You may see additional findings for applications as a result of these improvements.
  • Enhanced accuracy of scan results of PHP and Python applications. The scan results now provide more emphasis on custom first-party components rather than third-party libraries.

Improved Prescan Warning Messages

  • Veracode has improved warning messages to identify applications that do not meet Veracode packaging requirements.

  • Veracode has also improved the accuracy of warning messages for several languages and file types by providing more descriptive error resolution recommendations.

Improved Results Consistency for Java Applications

  • Veracode has improved static analysis of Java web applications packaged as WAR and EAR files. Veracode provides more consistent results between subsequent scans and more accurately recognizes first-party components in the applications.

  • You may notice a one-time change to scan results as a result of this improvement.

Improved Results Accuracy Within JSP Files

  • Veracode has improved static analysis of JSP applications to prevent static analysis from reporting duplicate flaws.

January 12, 2021

Compilation Guide Renamed

  • To more accurately describe its contents, the Compilation Guide is now called Veracode Packaging Requirements.

January 7, 2021

Pipeline Scan Integration with Veracode Security Policies

  • Veracode has improved the Pipeline Scan to support the use of policy rules defined in the Veracode Platform. This enhancement allows you to assess applications against consistent rules for pass or fail.

Dynamic Analysis

View the list below for highlights of previous releases.

December 21, 2021

ISM Endpoint Upgraded to Log4j 2.17

  • An updated Veracode Dynamic Analysis Internal Scanning Management (ISM) endpoint version is now available. Updates include an upgrade to Log4j 2.17 to address known vulnerabilities CVE-2021-44228 and CVE-2021-45046.

November 18, 2021

Introducing Veracode API Scanning

  • Veracode API Scanning is a new scan type for performing a dynamic analysis of common API specification files. You can quickly test the security of your API endpoints and get results. As an extension of the existing Veracode Dynamic Analysis, API Scanning uses the same powerful dynamic analysis scan engine to identify vulnerabilities in both public and private APIs and provide remediation guidance. The remediation guidance helps you secure your APIs before integrating them into applications.

November 10, 2021

Dynamic Analysis Scan Engine Updated

The Veracode Dynamic Analysis scan engine has been upgraded, including:

  • Fixed logic in timing-based attacks to reduce the reporting of false positives.
  • Corrected authentication failures when using browser authentication.
  • The Dynamic Analysis engine is updated to use Chromium version 95.0.4638.69.

October 7, 2021

Dynamic Analysis Pause and Resume Temporarily Disabled

  • Veracode has temporarily disabled the ability to pause or resume Dynamic Analysis scans to fix underlying architectural issues.

Dynamic Analysis Engine Updated to New Chromium Version

  • The Veracode Dynamic Analysis engine is updated to use Chromium version 94.0.4606.71.

September 23, 2021

Dynamic Analysis Engine Updated to New Chromium Version

  • The Veracode Dynamic Analysis engine is updated to use Chromium version 93.0.4577.82.

September 15, 2021

Custom HTTP Headers

  • Veracode Dynamic Analysis now supports custom HTTP headers as an authentication option when configuring a scan. You can configure one or more custom headers with specific names and values for each scan.

August 23, 2021

Dynamic Analysis Scan Engine Updated

The Veracode Dynamic Analysis scan engine has been upgraded, including:

  • Several stability improvements and crash fixes
  • Corrections for a few cases of over-reporting CSRF flaws
  • Security updates
  • Fix for missing some XSS flaws
  • Adjusted payloads for code-injection tests to reduce false negatives

March 30, 2021

Improved Coverage Report and Removed Show Password Option

Veracode Dynamic Analysis includes these changes:

  • Improved the Coverage Report to provide a summary view of both normal and attack traffic that Dynamic Analysis discovered during a scan.
  • Removed the Show password checkbox for all authentication methods from the Veracode Platform page on which you create a Dynamic Analysis. You must now re-enter your credentials after changing a Dynamic Analysis configuration.

March 16, 2021

Updated Engine and New Limit on Discovered Flaws

Veracode Dynamic Analysis includes these changes:

  • Updated the Dynamic Analysis engine to use Chromium version 88.0.4324.182.
  • Set a limit on the number of flaws that Dynamic Analysis can discover during each analysis. If an analysis discovers more than 1000 flaws, it now exits automatically. This scenario is rare and typically indicates an error.

February 23, 2021

Updated Video - Create and Run an Unauthenticated Dynamic Analysis

  • This video shows you how to create, configure, and schedule an unauthenticated Dynamic Analysis.

February 18, 2021

Dynamic Analysis REST API Scan Engine Variables

  • Veracode Dynamic Analysis has a new feature that allows you to centrally manage credentials for login scripts by using variable names and storing the values centrally via the Dynamic Analysis API. This feature enables you to update credentials without having to re-upload your login script, and gives you the ability to separate credentials from your login scripts by using variable names in the files instead of the actual values. In addition, this functionality eliminates having to access the Veracode Platform to access credentials.

January 22, 2021

Changes to Reporting of CWE-829

  • The Veracode Dynamic Analysis engine is improved to no longer map findings concerning missing or misconfigured CSP headers to CWE-829 when responses have no body.

Application Security Platform

View the list below for highlights of previous releases.

December 9, 2021

OWASP Top 10 2021

  • The Auto-Update OWASP requirement available for application security policies now reflects the 2021 version of the OWASP Top 10.

November 5, 2021

New Veracode Documentation URL

Deprecation of Veracode Documentation PDFs

  • Veracode has deprecated the PDF files of publications available on the Veracode Documentation website. By December 2021, you will no longer be able to download these PDFs, but you can create custom PDFs using the print feature in your browser. To create a custom PDF, click Print (printer icon) in a publication title bar or to the right of a topic title, select the topics to include or exclude, then click Print.

September 28, 2021

API Rate Limit Enforcement

  • Veracode is now enforcing API rate limiting to ensure optimal performance and availability of Veracode services.

September 15, 2021

Updated Subprocessor List

  • Veracode has updated the list of subprocessors used to process customer personal information.

August 31, 2021

2021 CWE Top 25 Support

  • The Auto-Update CWE Top 25 policy rule in Veracode security policies now reflects the 2021 CWE Top 25 standard. In a future release, Veracode will add the option to specifically select the 2021 CWE Top 25 standard in policy rules.

CWE 4.5 Support

  • Veracode CWE support now reflects the changes MITRE introduced in version 4.5 of the CWE list.

August 12, 2021

Updated Video - Create a Policy in the Veracode Platform

  • This video shows you how to create a custom policy in the Veracode Platform.

July 20, 2021

Improved Veracode Onboarding Experience

  • Veracode has improved the onboarding experience to help developers and application security managers get started with Veracode. In the Veracode Platform, select Resource Center > Getting Started to open the new Getting Started with Veracode guidance, which provides a walk-through of Veracode products and training offerings.

July 8, 2021

Updated Video - Create a New Application Profile in the Veracode Platform

  • This video shows you how to create a new application profile in the Veracode Platform.

June 29, 2021

Improved Veracode Platform Homepage

  • The homepage in the Veracode Platform is updated to make it easier to perform several common functions, such as generating API credentials.

May 25, 2021

Automatically Update to Latest Version of Security Standards in Policy Rules

  • You can set rules in your application security policies that automatically update to use the most recent version of the supported security standards. With this update, you can require applications to comply with the latest version of security standards, such as OWASP Top 10 or CERT, as soon as Veracode supports them.

2020 CWE Top 25 Standard Available in Policy Rules

  • Veracode now supports using the 2020 version of the CWE Top 25 standard as a requirement in application security policies.

PCI Standard Includes 2020 CWE Top 25 Most Dangerous Software Weaknesses

  • A new version of the PCI security standard, which includes the 2020 CWE Top 25 most dangerous software weaknesses, is now available as a requirement in application security policies.

PCI Report Now Evaluated Against the Auto-Update PCI Standard

  • The PCI report available from the Veracode Platform is now evaluated against the Auto-Update version of the PCI security standard. This update ensures that the report always uses the latest version of the PCI standard.

April 8, 2021

Access the Veracode Community from the Veracode Platform

  • You can now access the Veracode Community directly from the Veracode Platform without logging in to a separate Community account. The Veracode Community provides best practice documentation, new feature previews, and a forum for asking questions about how to most effectively use Veracode products and services.

April 7, 2021

Evaluation Timeframe for Security Policies

You can now include evaluation timeframes in Veracode application security policies to define when findings can impact policy compliance. In your policies, you can:

  • Disallow findings opened after a specific date to ignore technical debt.
  • Disallow findings opened before a specific date to ignore new findings that are out of scope for an audit requirement.

April 6, 2021

End of Browser Support for Legacy Versions of Safari and Android

Veracode no longer supports these legacy versions of Safari and Android because of their use of weak ciphers (TLS 1.2):

  • Safari 6 on iOS 6.0.1

  • Safari 7 on iOS 7.1

  • Safari 8 on iOS 8.4

  • Safari 7 on OS X 10.9

  • Safari 8 on OS X 10.10

  • Android 5.0.0

  • Android 6.0

You cannot access analysiscenter.veracode.com using these browsers.

Administrators Cannot Assign Applications to Teams

  • Administrators in the Veracode Platform can no longer assign applications to teams unless they have another role that grants them permission to edit application profiles. Veracode removed this rarely used functionality to provide a more consistent experience for users.

Allow Access to New URL for Penetration Testing Services

  • Veracode has introduced a new URL for a future feature that will support better reporting of our penetration testing services. If you restrict access to public internet sites for your organization, add pt.analysiscenter.veracode.com to your allowlist.

March 31, 2021

Changes to Email Addresses Require Verification

  • If you update the email address in your Veracode Platform user account, Veracode sends you an email to confirm the new address. You must confirm the email address to complete the update.

March 26, 2021

New Analytics Dimension for Findings and Scans

  • Veracode Analytics provides you with the ability to filter findings and scans based on their archive status. You can use these filters to easily find findings and scans that Veracode deleted as part of the sandbox scan retention process.

March 22, 2021

Improved User Management in the Veracode Platform

  • Veracode has improved the usability of the user management options in the Veracode Platform. Administrators and Team Admins can now search for users by name, email address, username, or API ID.

March 9, 2021

Veracode Analytics Updates to the SCA Findings Dashboard

  • Veracode has updated the SCA Findings dashboard to improve the visualization of data and provide more information on how fixing code libraries impacts findings.

February 9, 2021

New Static Analysis Findings Information in Veracode Analytics

  • Veracode Analytics now provides more details about findings that relate to your Static Analysis scans, including the function name, class path, and most recent line number in which Veracode discovers the findings. This data enables you to recreate a similar view as the Triage Flaw view in the Veracode Platform, but across multiple application profiles.

February 8, 2021

New Security Program Overview Dashboard in Veracode Analytics

  • Veracode Analytics provides a new dashboard that contains data to help you track and understand how your AppSec program is trending, based on your target goals. With this dashboard, you can see current and historical trends for policy compliance, as well as better understand policy compliance behavior. New information available to you includes details such as how an application is meeting compliance over time.

January 26, 2021

Improved User Interface for Managing Applications

  • Veracode has updated the user interface in the Veracode Platform for creating, viewing, updating, and deleting applications to improve usability.

January 19, 2021

Improved Email Notifications for Expiring API Credentials

  • Veracode sends an email notification when your Veracode API credentials are about to expire. The email now displays your API username for quickly identifying the account for which you need to generate new credentials.

Software Composition Analysis

View the list below for highlights of previous releases.

November 12, 2021

SCA Component License Rules in Policies

You can now apply these configurations to the component license rules in your application security policies:

  • Allow or disallow non-OSS licenses
  • Specify how to classify components with multiple licenses
  • Add a blocklist or allowlist of specific licenses

If an application does not pass the component license rule, the Veracode Platform displays the requirement that caused the component to violate policy.

October 28, 2021

Agent-Based Scan Project Table Displays Multiple Languages

  • The Project List table on the Agent-Based Scan page of the Veracode Platform now indicates if projects use multiple programming languages or operating systems. The Language/OS column displays the full list of languages and operating systems in use in the project repository.

October 7, 2021

Extended Support for Maven Libraries

  • Veracode Software Composition Analysis (SCA) has improved the Veracode Vulnerability Database to include library support for Google Maven, Spring Maven, and Cloudera Maven.

September 23, 2021

New API Endpoint for Listing Libraries by Project

  • The Veracode SCA Agent REST API includes a new endpoint for querying libraries by the project ID. This endpoint enables you to view libraries in a specific project in an agent-based scan workspace.

September 22, 2021

Decimal Values for CVSS Scores in Policy Rules

  • Veracode security policies now support using values that include decimals when specifying the allowable CVSS score for vulnerabilities in Veracode Software Composition Analysis (SCA) scans. For example, you can set policies to not allow vulnerabilities with a CVSS score of 6.1 or above.

July 15, 2021

My Workspace

  • My Workspace provides developers a personal testing space for up to three agent-based scan projects without requiring administrative setup or permission configuration. If you currently use Software Composition Analysis (SCA) upload and scan, Veracode recommends using My Workspace to explore the additional features available with agent-based scanning, such as dependency mapping, vulnerable methods, and automated pull requests.

  • My Workspace is available for all Veracode SCA users.

June 21, 2021

New Grace Periods for SCA Policy Rules

  • Veracode supports configuring new grace periods in policy rules for Veracode Software Composition Analysis (SCA) scans. The new grace periods are independent of the grace periods you can configure for Veracode Static Analysis and Dynamic Analysis. You can use this feature to manage the different compliance needs of first-party code and open-source libraries in your security program within the same security policy.

April 6, 2021

License Risk Mitigations

  • License risk mitigations are now available for Veracode Software Composition Analysis (SCA) upload scans. You can use a new set of mitigation actions relevant to licenses to mitigate license risk findings based on your assessment of the license in use.

Improved Visibility into SCA Upload Scans

  • You can now view the status of initialized, in progress, and failed Software Composition Analysis upload scans in the Veracode Platform. If a scan fails, you can restart the SCA scan without restarting the associated Static Analysis.

March 26, 2021

Unified Documentation for Veracode SCA

  • All Help Center documentation for Veracode Software Composition Analysis (SCA), including agent-based scanning and static upload scanning, now appears in a single Veracode Software Composition Analysis section. Additionally, new content is available with information about getting started with Veracode SCA.

  • If you bookmarked any URLs for Veracode SCA Help Center content, this update may impact them.

January 21, 2021

New API Endpoint for Listing Issues by Project

  • The Veracode SCA Agent REST API includes a new endpoint for querying issues by the project ID. This endpoint enables you to view issues specific to a project in an agent-based scan workspace. If the project is a container, the API also lists all issues linked to projects inside the container.

Veracode Integrations

View the list below for highlights of previous releases.

December 10, 2021

Veracode Integration for CA Agile Central/Rally Now End-of-Life

  • The Veracode Integration for CA Agile Central/Rally is now end-of-life and no longer supported. The plugin and documentation are no longer available. To avoid potential security vulnerabilities, Veracode strongly recommends that you uninstall this integration. To integrate with other ticketing systems, visit the Veracode Integrations Hub.

November 22, 2021

Java API Wrapper Now Retries Requests

  • Veracode Java API Wrapper version 21.11.9.0 updates the maxretrycount parameter to now retry requests that fail due to certain error conditions. Previously, this parameter polled for failed build status and only applied to the uploadandscan action.

October 18, 2021

Veracode Greenlight for IntelliJ Supports Additional IntelliJ IDEA Versions

  • Veracode Greenlight for IntelliJ version 1.7.0 adds support for IntelliJ IDEA 2019.3–2021.2.3. If you are using IntelliJ IDEA 2020 or later, you must install JavaFX Runtime for Plugins.

October 8, 2021

Improved Veracode Greenlight for IntelliJ

  • Veracode Greenlight for IntelliJ version 1.6.0 adds support for IntelliJ IDEA 2019.3–2021.1.3. If you are using IntelliJ IDEA 2020 or later, you must install JavaFX Runtime for Plugins.

July 8, 2021

New Video - Use the Jenkins Credentials Binding Plugin to Protect Your Veracode Credentials

This video shows you how to:

  • Use the Jenkins Credentials Binding plugin to bind your Veracode API credentials to environment variables
  • Generate a script containing the bound environment variables
  • Add this script to your Jenkins pipeline script

June 23, 2021

Veracode Integration for Jira Supports the Jira Select List Field Type for Multiple Choices

  • The Veracode Integration for Jira version 3.30.0 adds support for the Select List (multiple choices) field type. You can use this field type to map data from Veracode custom fields or a Veracode Detailed XML report to standard or custom fields in Jira Server issues.

May 18, 2021

Veracode Integration for Jira Cloud Supports the Select List Field Types

  • The Veracode Integration for Jira Cloud version 3.7.0 adds support for the Select List (single choice) and Select List (multiple choices) field types. You can use these field types to map data from Veracode custom fields or a Veracode Detailed XML report to standard or custom fields in Jira Cloud issues.

April 30, 2021

Veracode Azure DevOps Extension Has Renamed YAML Property and Improved Logging

Veracode Azure DevOps Extension version 3.5.0 includes these changes:

  • For YAML pipelines with the Flaw Importer task, Veracode renamed the optargs property to proxySettings. This new name more accurately identifies the valid values for this property. Ensure you update your pipelines with this new property name.
  • Added logs, with error messages, for invalid or missing values. The errors apply to both standard and YAML pipelines.

April 22, 2021

Java API Wrapper Adds Parameter for Deleting Incomplete Scans Automatically

Veracode Java API Wrapper version v21.2.7.5 includes these changes:

  • New deleteincompletescan parameter for automatically deleting scans that did not complete due to one or more errors.
  • Additional debug logs for troubleshooting upload and scan issues.

April 20, 2021

Veracode Integration for Jira Supports the Select List Field for a Single Choice

  • The Veracode Integration for Jira version 3.29.0 adds support for the Select List (single choice) field type. You can use this field type to map data from Veracode custom fields or a Veracode Detailed XML report to standard or custom fields in Jira issues.

March 24, 2021

Veracode Greenlight for VS Code Now Requires the JRE

  • Veracode Greenlight for VS Code version 1.4.0 introduces a change that requires you to install a current version of the Java Runtime Environment (JRE) and set your Java PATH.

March 19, 2021

New Video - Create and Manage API Service Accounts with the Identity API

This video shows you how to:

  • Create an API service account
  • Create teams
  • Assign user roles and teams to API service accounts
  • Update an API service account

February 23, 2021

Updated Video - Working with Scan Results Using Veracode Static for Visual Studio

  • This video shows you how to download, import, and view Veracode scan results using Veracode Static for Visual Studio. You can also learn how to mitigate findings discovered during the scan in Visual Studio.

Veracode Jenkins Plugin No Longer Encrypts Non-Sensitive Data for Build Jobs

  • Starting with Veracode Jenkins Plugin version 21.2.12.0, the plugin no longer encrypts non-sensitive data stored in the config.xml file for a build job. This change enables you to import jobs between Jenkins instances.

February 5, 2021

Updated Veracode Azure DevOps Extension

Veracode Azure DevOps Extension version 3.4.0 includes these updates:

  • Use YAML to add Veracode analysis to build pipelines.
  • Use YAML to import findings as work items into Azure DevOps.
  • Include mitigation and annotation comments when importing new findings as work items.
  • Set a timeout to fail a build if Veracode analysis does not complete within a specified time.

Developer Training

View the list below for highlights of previous releases.

April 28, 2021

New Video - Access and Navigate the Veracode Security Labs Interface

This video shows you how to:

  • Access and navigate the lab interface
  • Access and interact with the web application, when applicable
  • Communicate with teammates who have completed the lab
  • Save lab progress or restart the lab

New Video - View and Filter Labs in Veracode Security Labs

This video shows you how to:

  • View new, required, and in progress labs
  • Filter labs by programming language

New Video - Edit and Assign Security Labs Roles to Users

  • This video shows you how to edit roles, assign roles to users, and create managers for those roles in Veracode Security Labs.

New Video - Create a Campaign and Assign Content to Roles in Security Labs

  • This video shows you how to create a new campaign and assign content to roles in Veracode Security Labs.

New Video - Customize Lab Content in Veracode Security Labs

Watch this video to learn how to:

  • Customize lab content by modifying or writing your own conclusion
  • Write your own labs using Security Labs as a sandbox
  • Create an example application using your own code

New Video - Add and View Due Dates for Assignments in Veracode Security Labs

Watch this video to learn how to:

  • Add and view a due date for an assignment
  • Enable competition mode as an administrator

New Video - View and Report on User Progress in the Veracode Security Labs Reporting Page

  • This video shows you how to report on user progress in Veracode Security Labs and the API.

April 27, 2021

Automated User Progress Notifications

You can configure automated email notifications to accomplish these tasks for Veracode Security Labs:

  • Inform managers of their team progress in a campaign or assignment
  • Remind users when they have required labs that are incomplete

You can define the schedule and customize the message for each notification type.

April 2, 2021

New Video - Create Users Within Veracode Security Labs or by Using Your Company SSO

  • This video shows you how to create users from within the Security Labs interface.

March 4, 2021

Enable Team-Based Competition in Security Labs

  • You can create Veracode Security Labs campaigns that allow users to collaborate and compete between groups. If you enable competition mode and assign different roles to users, the leader board for the campaign adds the scores by role and displays the collective team totals.

Continuous Learning Paths in Security Labs

  • You can assign Security Labs users to continuous campaigns that automatically provide the next assignment after the user completes the required labs of the previous assignment.

Allow Step Omissions in Security Labs

  • You can configure Security Labs to allow users to skip steps in a lab that they cannot complete. Users do not receive points for skipped steps.

  • This feature only applies to Java OWASP labs.

2020 updates archive

This page lists the archived updates for 2020.

View the list below for highlights of previous releases.

December 17, 2020

New Veracode Pipeline Scan Support for PHP Applications

  • Veracode has improved the Pipeline Scan by adding support for PHP applications.

December 15, 2020

New Support for Languages and Frameworks

Veracode has improved static analysis by adding support for these new versions of supported technologies:

  • Android 11
  • C++ Support for Red Hat Enterprise Linux 8
  • Grails 4
  • Java 15
  • Slick Library for Scala

Improved Support for Java

  • Veracode has improved static analysis of Java applications by adding support for JNDI injection flaws. See the Veracode blog post for details about these types of flaws.

Improved Prescan Warning Messages

  • Veracode has improved its warning messages to notify you when the JavaScript and TypeScript files you submit have parsing errors. Parsing errors can affect the quality of the prescan results.

  • Veracode has also improved the accuracy of warning messages for several other languages and file types.

Simplified Packaging Requirements for iOS Applications

  • Veracode has improved the user experience of analyzing iOS applications by simplifying the requirements for packaging.

November 24, 2020

New Support for GCC 8.3 on Red Hat Enterprise Linux 7

  • Veracode has improved static analysis by adding support for the GCC 8.3 compiler on Red Hat Enterprise Linux.

October 30, 2020

New Pipeline Scan Support for React Native, Titanium, and Cordova Applications

  • Veracode has improved the Pipeline Scan by adding support for React Native, Titanium, and Cordova applications.

October 29, 2020

Improved Veracode Static Analysis Results

Veracode has improved static analysis of these supported technologies:

  • Angular templates
  • Apache Commons
  • AWS SDK for Java
  • JavaScript
  • Python

New Pipeline Scan Reporting Options

  • Veracode has improved the Pipeline Scan to support reporting a filtered list in JSON format of issues that caused the analysis to fail.

October 21, 2020

Pipeline Scan Supports Custom GitLab Domains

  • Veracode has improved the Pipeline Scan to support custom GitLab domains when creating GitLab issues.

October 6, 2020

Improved Pipeline Scan Error Messages and Logging

Veracode has improved pipeline scans to include these enhancements:

  • Improved error message content
  • Integration with Log4j to log debug messages

October 2, 2020

New Pipeline Scan Support for Python Applications

  • Veracode has improved Pipeline Scan to include support for Python applications.

September 26, 2020

Packaging Improvements for .NET Applications

  • Veracode has improved the user experience of analyzing .NET applications by adding support for .NET applications submitted as standard NuGet packages.

September 24, 2020

New Pipeline Scan Support

  • Veracode has improved Pipeline Scan to include support for Android applications.

New Veracode Static Analysis Support

Veracode has added support for new versions of these technologies:

  • Angular 9 and 10
  • Visual Studio 2019 for Visual C++

Improved Veracode Static Analysis Support

  • Veracode has improved static analysis of AWS SDK for JavaScript.

  • Veracode has improved static analysis of .NET and JVM-based applications. Veracode reduced the number of prescan warning messages that it sends for components that are common third-party libraries.

September 17, 2020

New Static Analysis Support for iOS 14

  • Veracode has improved static analysis by adding initial support for iOS 14.

September 1, 2020

New Veracode Static Analysis Support

Veracode has added static analysis support for these technologies:

  • React Native 0.6x
  • Ruby on Rails 6
  • Jinja2 Template Library for Python

Veracode Static Analysis Recognized Cleansers

As a result of updated security research, Veracode has added several CRLF cleansing functions to the list of supported cleansing functions. Veracode also removed these CRLF functions:

  • com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscape
  • com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscapeAllowEntities
  • com.google.gwt.safehtml.shared.SafeHtmlUtils.fromString
  • org.springframework.web.util.HtmlUtils.htmlEscape
  • org.springframework.web.util.HtmlUtils.htmlEscapeDecimal
  • org.springframework.web.util.HtmlUtils.htmlEscapeHex
  • org.apache.axis.components.encoding.XMLEncoder.encode
  • com.liferay.portal.kernel.util.HtmlUtil.escapeAttribute
  • com.liferay.portal.kernel.util.HtmlUtil.escape
  • com.liferay.portal.kernel.util.HtmlUtil.escapeHREF
  • com.liferay.portal.kernel.util.HtmlUtil.escapeXPath

Improved Veracode Static Analysis User Experience

Veracode has improved the user experience of static analysis by providing:

  • More consistent naming for the submitted components
  • More information added to some prescan error messages

August 7, 2020

New Pipeline Scan REST APIs

  • The new Pipeline Scan REST APIs allow you to submit pipeline scans directly using an API.

Pipeline Scan Improvements

Veracode Static Analysis using pipeline scanning includes these enhancements:

  • New command parameters for creating GitLab issues and vulnerabilities from scan output:
    • --gl_issue_generation
    • --gl_vulnerability_generation
  • New GitLab examples added to the pipeline scan README and the Veracode Help Center

July 10, 2020

New Pipeline Scan Support for .NET Applications

  • Veracode has added pipeline scan support for .NET applications.

July 1, 2020

New Veracode Static Analysis Support

Veracode has added static analysis support for these technologies:

  • AWS SDK for
  • Ruby 2.6 and 2.7
  • AcuCOBOL-GT 10.3
  • Xcode 11.5

Improved Veracode Static Analysis Support

Veracode has improved static analysis of these technologies:

  • AWS SDK for Python (Boto3).
  • Additional security checks for applications built using Java 12, 13, and 14. You may see additional findings for applications as a result of these improvements.
  • Additional security checks for applications built using .NET Core 3.1. You may see additional findings for applications as a result of these improvements.
  • Additional security checks for applications using Apache Commons libraries. You may see additional findings for applications as a result of these improvements.
  • Additional security checks for applications using Go templates. You may see additional findings for applications as a result of these improvements.
  • Improved scan coverage for iOS application submissions. Veracode now analyzes all components submitted with an iOS application, including standalone frameworks, extensions, and watchOS extensions. After a prescan, you can select these components from a list of modules.

New Video - Review Static Analysis Flaws

This video shows you how to:

  • Access static flaw information in the Triage Flaws view of the Veracode Platform.
  • Use the Source Code view to load source code from your local system into the Triage Flaws page so that you can view information about the flaw in the context of your original source.
  • Document a proposed mitigation for review.

June 13, 2020

New Veracode Static Analysis Support

Veracode has added static analysis support for these technologies:

  • Improved analysis of Go applications by adding support for the Gorilla framework, and improving overall results quality.
  • Improved analysis of JavaScript applications using AWS Lambda and other functions by adding support for the AWS SDK.

Improved Veracode Static Analysis Support

Veracode has improved static analysis of these technologies:

  • Improved static analysis of iOS applications by improving the results of scans, to better focus the results on custom first-party components, instead of third-party libraries.
  • Improved static analysis of .NET and Java applications to more accurately report the analysis size of dependent modules. These changes may result in smaller reported sizes for scan submissions.
  • Veracode now reads the contents of the go.mod file included in an application submission to more accurately identify which Go components to analyze.

May 13, 2020

Pipeline Scan Improvements

Veracode Static Analysis using pipeline scanning includes these enhancements:

  • New command parameters for storing information about the application you are scanning:
    • --app_id
    • --development_stage
  • New code examples that show how to integrate a pipeline scan with GitHub Actions and Azure DevOps. These examples are included in both the pipeline scan Readme file and the Veracode Help Center.

May 4, 2020

New Veracode Static Analysis Support

Veracode now supports static analysis of these libraries for Apex:

  • Visualforce
  • Lightning
  • Aura components for Salesforce

Improved Veracode Static Analysis Support

Veracode now supports static analysis of these technologies:

  • Apex version 49.
  • Java applications built on Java 14.
  • Version 2.6 and 2.7 of the Play framework for Scala. You may see additional findings for Play applications as a result of these improvements.
  • Python application analysis improvements, including additional security checks for risks related to certificate management and cryptography settings. You may see additional findings for Python applications as a result of these improvements.
  • Updated CWE definitions for flaws that had been reported previously as CWE 100 and 391. MITRE is deprecating these CWEs. MITRE is recategorizing CWE 100 flaws as CWE 1174, and recategorizing CWE 391 flaws as either CWE 252 or CWE 273, depending on the details of the flaw.

Veracode has updated policy rules that included entries for CWE 100 and CWE 391 to include the new CWEs.

After you run the next scan of affected applications, the Veracode Platform reports and analytics reflect the new CWE values. Data for previous scans still include the historical values.

April 23, 2020

Improved Veracode Static Analysis Support with Pipeline Scanning

Veracode static analysis using pipeline scanning now includes these features:

  • Support for Scala, Kotlin, and Groovy applications
  • Veracode authentication using the API credentials file
  • Human user accounts with the required user roles can run pipeline scans

April 14, 2020

New Video - Run a Pipeline Scan in Your CI/CD Environment

  • This video shows you how the pipeline scan runs directly within a CI/CD environment.

April 2, 2020

New Veracode Static Analysis Support

  • Veracode has improved static analysis by adding support for AWS Lambda functions for Java, .NET, Node.js, and Python.

Improved Veracode Static Analysis Support

Veracode has improved static analysis of these technologies:

  • Improved results quality for iOS 13 applications
  • Support for iOS applications built with Xcode 11.4

Veracode has changed reporting of CWE 404 flaws to be more specific about where they occur, which may result in additional findings. Veracode has also changed the severity of CWE 404 to Informational.

March 16, 2020

Announcing General Availability of Pipeline Scan for Veracode Static Analysis

  • Veracode is pleased to announce the general availability release of the pipeline scan, a purpose-built tool for DevOps engineers. The pipeline scan directly embeds into your CI tools and provides fast feedback on flaws after each commit.

February 20, 2020

New Veracode Static Analysis Support

  • Veracode has improved static analysis by adding support for a new version of Visual C++ applications built for Windows 10, Server 2016, and Server 2019.

Improved Veracode Static Analysis Support

Veracode has improved static analysis of these supported technologies:

  • Apache Struts 2
  • Safe cryptography libraries in PHP
  • Apex triggers submitted with the TGR file extension

January 30, 2020

New Veracode Static Analysis Support

Veracode has improved static analysis by adding support for these new versions of supported technologies:

  • Java applications built on Java 13
  • Initial support for .NET Core 3.1

Improved Veracode Static Analysis Support

Veracode has improved static analysis of these supported technologies:

  • APIs and language features specific to .NET Core 3.0, .NET Standard 2.1, and C# 8. You may see additional findings in .NET applications that use these new features.
  • log4net, Serilog, and NLog logging technologies in .NET for detecting log injection flaws in .NET applications. You may see additional findings in .NET applications that use these technologies.
  • Additional security checks for Android 9 applications. You may see additional findings for Android applications as a result of these improvements.

Dynamic Analysis

View the list below for highlights of previous releases.

November 24, 2020

New Target URL Search Feature

  • Veracode Dynamic Analysis now allows you to search for individual URL scans in addition to searching for a specific Dynamic Analysis. This capability enables you to easily identify which scans are associated with a specified URL.

CSP Header Checks

  • Veracode Dynamic Analysis now checks for missing or misconfigured script execution policies in Content Security Policy (CSP) headers of web applications.
  • Veracode Dynamic Analysis has expanded its list of known secure cookie attributes, such as SameSite, Secure, and HttpOnly, that are common to cloud infrastructures. Veracode checks web applications for secure cookie attributes on this list before reporting missing attributes as flaws.

August 10, 2020

New ISM Endpoint Version Available

July 22, 2020

New Video - Configure Dynamic Analysis Login Settings

  • This video describes the different types of authentication that Veracode Dynamic Analysis can require to log in to your application and how to configure your Dynamic Analysis so that Veracode can log in.

June 11, 2020

Crawl Script Support for Comprehensive Scans

  • Veracode Dynamic Analysis now supports the use of prerecorded crawl sequences to supplement the default automated crawling capability of the Veracode scan engine. You must use Selenium to record the crawl scripts and save them in SIDE test suite or HTML formats. Dynamic Analysis runs the crawl script during prescan to check for any commands that might fail during the URL scan.

June 8, 2020

Improved Dynamic Analysis Coverage

Veracode has improved the scan engine coverage with:

  • Increased coverage for CWE 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).
  • Increased reporting for SSL issues and updated description and remediation text. The Dynamic Analysis scan engine now reports the use of Cipher Block Chaining (CBC) ciphers, and key exchange algorithms that do not provide perfect forward secrecy (such as RSA with no EDH).

New Screenshot Verifications and Scan Notes Features

  • Veracode Dynamic Analysis now shows additional troubleshooting information on the Prescan Details and Scan Details pages. The new Verification Screenshots section shows screenshots that the Veracode scan engine takes at predetermined points. The Scan Notes section contains observations from the scan engine on issues encountered at runtime or best practices that you can apply to the scan configuration.

Updated Video - Initiate a Dynamic Analysis Prescan

  • This video shows you how to submit a Dynamic Analysis for prescan, what the Dynamic Analysis is testing during prescan, and how to tell if your Dynamic Analysis has passed prescan successfully.

May 26, 2020

Enhanced Access Control for ISM Endpoints

  • Veracode Dynamic Analysis Internal Scanning Management (ISM) provides new options for granting Veracode support engineers access to your endpoints. You can now allow support access for a specific number of days, up to 30, or allow access indefinitely until you choose to disable it.

May 21, 2020

Client Certificate Authentication Support

  • Dynamic Analysis now supports client certificate-based authentication. When you upload your certificate and the associated password, Veracode can log in to websites that require this method of authentication.

Engine JSON Web Token and Obsolete JavaScript Support

  • Dynamic Analysis has added security auditing for JSON Web Tokens (JWT) and obsolete JavaScript resources. JWT auditing detects common flaws, including signature vulnerabilities, in sites that use JWT for authentication. Obsolete JavaScript resource detection reports known-vulnerable libraries, such as older versions of jQuery, through signature matching.

Improved Scan Status Details

  • Veracode Dynamic Analysis now has improved end-user visibility into scan statuses. Additional status information is available in the status fields and columns of the All Analyses, Dynamic Analysis Summary, and URL Scan Summary pages. You now have more detailed information when scans stop due to network issues or because they exceeded the allocated scan duration time.

Updated Video - Create Login Scripts with Selenium

  • This video shows you how to use the Selenium IDE plugin to create a login sequence script that enables Veracode Dynamic Analysis to scan URLs that have form-based authentication.

May 7, 2020

Prescan Workflow Improvements

Veracode has released several improvements to the Dynamic Analysis workflow to enhance these user experiences:

  • The prescan option has moved to the Schedule page. In addition, you can now use the new prescan-only option if you want to verify your configuration before submitting the analysis.
  • There is a new option on the Schedule page that enables you to save your Dynamic Analysis configuration and continue working on it or submit it later.
  • Icons have replaced the menu in the individual rows of the URLs table, providing greater ease of use when you want to edit the configuration, link to an application, or delete the URL.

April 28, 2020

ISM Notifications Include Endpoint Names

  • Emails from Veracode about your ISM endpoints now specify the endpoint names to help with troubleshooting.

April 16, 2020

Scheduling Improvement

  • Veracode Dynamic Analysis now provides the ability to select a start date up to 90 days in the future. This enhancement enables you to initiate a one-time scan immediately as well as schedule a recurring, quarterly scan of the same Dynamic Analysis.

Update to Supported Selenium Commands

  • Dynamic Analysis now supports these Selenium commands: keyUp, keyDown, keyPress, assertTextPresent, waitForElementVisible, and clickAt.

March 31, 2020

Dynamic Analysis User Agent Defaults to Chrome

  • When configuring a Dynamic Analysis, if you do not provide a user agent string for a browser of your choice, the user agent value now defaults to the Chrome browser.

March 30, 2020

Auto-Linking Now Available in Dynamic Analysis

  • Veracode Dynamic Analysis now supports application auto-linking automation at the organization account level. Auto-linking links a Dynamic Analysis scan to an existing application profile. Auto-linking can also automatically create a new application profile to which Dynamic Analysis can link future scans, if you select that option. Linking a Dynamic Analysis to an application enables you to review the policy evaluation, download PDF results, and access the Veracode Links Report.

March 26, 2020

Screenshot Provided for Login Script Errors

  • Veracode Dynamic Analysis now provides troubleshooting information for login script authentication failures. If you have provided a login script, the Prescan Details window links to a screenshot of the associated login errors.

March 17, 2020

Server-Side Request Forgery (SSRF) Attack Support

  • Veracode Dynamic Analysis now enables Server-Side Request Forgery (SSRF) attacks by default to find flaws.

Extended Auto-Login Support

  • The Veracode Dynamic Analysis scan engine has improved support for multi-page forms and login pages containing iframes.

March 9, 2020

ISM Endpoint Updated with Advanced Diagnostics

Auto-Login Enhancements

  • Veracode Dynamic Analysis has streamlined authentication configuration with an enhanced auto-login capability. You should use auto-login to provide a username and password for auto-login, browser-generated logins, and NTLMv2. Auto-login is the default setting. A separate, basic authentication section is available to configure authentication for websites that require two forms of authentication: auto-login and browser-generated authentication. Veracode continues to support Selenium-based login scripts with these changes.

Coverage Improvements

  • The latest release of Veracode Dynamic Analysis includes new generic injection techniques in the scan engine and flaw publishing process. Veracode can now detect additional vulnerabilities for CWEs 95, 89, 91, and 74. In addition, SQL Injection, OS Command Injection, Remote File Inclusion (RFI), Server-side Request Forgery (SSRF), XML External Entity (XXE), and Cross-site Scripting (XSS) detection can now attack JSON keys and values in POST bodies by default.

February 21, 2020

New Video - View Dynamic Analysis Results

  • This video shows you how to view Dynamic Analysis results.

February 14, 2020

New Video - Create and Run an Unauthenticated Dynamic Analysis

  • This video shows you how to create, configure, and schedule an unauthenticated Dynamic Analysis.

Row Selection Persistence

  • When you select the number of rows you want to display in the All Dynamic Analyses table, the selection persists even if you navigate away from that table. Your selection persists until you log out.

January 8, 2020

New Auto-Publish Feature

Auto-Publish is now enabled in Veracode Dynamic Analysis to automatically publish some findings, providing quicker results for specific types of vulnerabilities.

  • If every vulnerability found in all URL scans in a Dynamic Analysis meets the criteria for auto-publication, Veracode publishes the findings immediately after the analysis completes.
  • If one or more vulnerabilities require a review by a Veracode scan engineer, then any findings eligible for auto-publication must wait for that review. Veracode publishes all findings together within 24 hours of when the manual review is complete.

Change to Failed Verification Status

Veracode Dynamic Analysis has updated the status definition that displays when any URL scans fail verification for either a connection or authentication issue.

  • When a single URL scan in an analysis fails verification:
    • The URL scan status is Verification Failed.
    • The Dynamic Analysis status is All Verifications Failed.
  • When an analysis with multiple URL scans has one or more of the URL scans fail verification:
    • The failed URL scan status is Verification Failed.
    • The analysis status is Completed - Partial Results Available.

Application Security Platform

View the list below for highlights of previous releases.

December 7, 2020

Additional SCA Details Available from the Findings REST API

  • With the Veracode Findings REST API, you can identify whether Software Composition Analysis findings are from agent-based scans or upload scans and whether they are from a direct or transitive dependency. You can also filter your findings by scan type or dependency type.

November 23, 2020

Updates to the Findings REST API

You can now perform these tasks with the Veracode Findings REST API:

  • Retrieve the expiration date of the remediation grace period for findings that violate a security policy.
  • Retrieve findings with comments or mitigations added after a specific date, such as the date of your most recent scan.

Healthcheck REST API

  • You can use the Veracode Healthcheck REST API to test the availability of Veracode core services.

October 29, 2020

Changes to OWASP Mobile Policy Rules

  • Veracode has updated policy rules that include the OWASP Mobile security standard to reflect additional research. OWASP Mobile policy rules now include these CWEs: CWE-77, 78, 80, 252, 287, 319, 345, 404, 415, 416, 601, 614, 676, 693, 757.

  • Applications that contain these flaws may fail OWASP Mobile policy rules as a result of this update. Veracode will apply the update upon rescan of the application.

Improved Notifications for Delayed Scan Results

  • Veracode has improved communication about delayed scan results. You now receive email notifications that include additional details and links for the affected scan. Veracode has also improved the Veracode Platform to indicate delayed scans that are under investigation.

October 19, 2020

Applications REST API

  • You can now view application data and create, update, and delete applications using the Veracode Applications REST API.

September 30, 2020

Updates to Required Veracode Domains

September 26, 2020

Rolling Sandbox Histories

  • Rolling sandbox histories let you limit sandbox data by restricting the number of retained scans for each sandbox to 15. After more than 15 scans, the Veracode Platform deletes the oldest scan, though the data remains available through Veracode Analytics. If enabled, this feature replaces the previous data limitation method of expiring old sandboxes.

  • To request access to rolling sandbox histories, contact Veracode Technical Support.

Updates to Some XML API Deletion Calls

  • To improve performance, the deleteuser.do, deleteteam.do, deleteapp.do, and removefiles.do XML API calls now return an HTTP 200 response and a change summary, instead of a list of the items remaining after the deletion.
  • You can now share links to Veracode Analytics dashboards, including Veracode dashboards and dashboards that your organization creates. To access a dashboard link, you must log in to the Veracode Platform and have permission to view the data in the dashboard.

Activity Log Updates

  • You can now download a report of the full history of application profile activity, scan activity, and sandbox activity. The activity log in the Veracode Platform now displays activity data for the past 90 days.

Technique Removed from TSRV Format for Accepting Risk

  • Veracode has removed Technique from the TSRV standard when you perform the Accept the Risk mitigation action because none of the techniques are relevant to accepting risk. Specifics, Remaining Risk, and Verification are still required fields.

Updates to CWE Top 25 Policy Rules

  • The Latest CWE Top 25 policy rule in the Veracode Platform now reflects the 2020 CWE Top 25 standard. Veracode has also updated the 2019 CWE Top 25 policy rule to disallow the children of CWE-94: CWE-91, 95, 98, 185, and 830.

September 17, 2020

Improved Business Units Tab

  • On the Administration page in the Veracode Platform, Veracode has improved the usability of the Business Units tab.

September 10, 2020

New Video - Create and Manage API Users in the Veracode Platform

August 29, 2020

All Applications Page Now Available to Mitigation Approver and Delete Scans Roles

  • You can now access the All Applications page in the Veracode Platform with the Mitigation Approver or Delete Scans roles. From the All Applications page, you can then select an application to approve mitigations or delete scans.

CWE-74 Now Disallowed for the OWASP Security Standard

  • Veracode has reclassified CWE-74 "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" as a high severity finding. CWE-74, which Veracode discovers during Dynamic Analysis, is now included on the disallowed CWE IDs list in the latest version of the OWASP security standard. If your organization is using the OWASP 2017 security standard, you may see more findings violating policy or see your application fail policy as a result of this change.

Support for MITRE CWE List Version 4.1

  • Veracode now provides reporting based on CWE version 4.1 definitions, which changes the names and descriptions of a few existing CWE categories. The complete list of changes in CWE version 4.1 is available from the MITRE website. This new version does not impact the CWE mappings for the OWASP, CWE Top 25, or CERT security standards.

  • MITRE is updating their CWE list on a more frequent basis, but Veracode remains committed to staying up-to-date with each new version. As MITRE updates their CWE database, you might notice periodic changes in Veracode reports, such as differences between parent-child relationships or mappings.

August 21, 2020

Findings API Version 2

  • The Veracode Findings REST API v2 is now available. With this API, you can access information about open and mitigated findings associated with applications and sandboxes. It supports Static Analysis, Dynamic Analysis, Manual Penetration Testing, and Software Composition Analysis scans.

July 28, 2020

Improved User Activity Report

  • An improved user activity report is now available to download as a CSV file, providing easier access to information about user actions.

July 7, 2020

Administrators Can Turn Off Optional Notifications for Their Entire Organization

  • Administrators in the Veracode Platform can now turn off all optional notifications for all new and existing users in their organization account. Individual users have the option to turn the notifications back on for their own user account.

June 29, 2020

New Accept the Risk Mitigation Type

  • Veracode now allows you to resolve a finding by stating that your business is willing to accept the risk associated with that finding. This mitigation type allows you to track and report the risk while continuing to maintain the mitigation and resolution approval process. Veracode updated the mitigationinfo.xsd file to include this mitigation type.

June 27, 2020

Veracode Policies Now Support 2019 CWE Top 25 Security Standard

  • Veracode updated the PCI security standard in the Veracode Platform to include the 2019 CWE Top 25 Security Standard, previously called the SANS Top 25 standard. Applications with findings included in the new standard may fail the PCI policy or PCI standard requirement as a result. Veracode applies the update to applications upon rescan.

June 16, 2020

Veracode Analytics Provides Ignored Issue SCA Data

  • Veracode Analytics now supports SCA agent-based scan issue data about ignored issues, including details of when a user ignored an issue and the username for the user who ignored the issue.

June 11, 2020

New Sandbox Attributes Added to Veracode Analytics

  • Veracode Analytics now provides attributes for tracking sandbox usage. You can view sandbox expiration dates and determine if the Veracode Platform sandboxes are configured for Veracode to automatically recreate them after expiration.

New Dynamic Analysis Dimensions Available in Veracode Analytics

  • Veracode Analytics now provides the Dynamic Analysis fields Path and Vulnerable Parameter, which allow you to better focus and prioritize your remediation efforts.

June 8, 2020

SCA Agent Data Available in Veracode Analytics

  • The Software Composition Analysis (SCA) dashboard is updated in Veracode Analytics to reflect recommended charts for tracking your use of SCA agent-based and upload-and-scan workflows. In addition, Veracode Analytics provides two new explores for SCA agent data: SCA Agent Issues and SCA Agent Scans. These explores enable you to create your own charts and dashboards, providing a better understanding of your open-source risk.

May 28, 2020

Update to Industry Values in Application Profile

  • Veracode has updated the values for industries in application profiles to more accurately reflect the market. Because applications include industry values to help inform the Veracode State of Software Security report, this change affects the createapp.do and updateapp.do XML API calls.

  • If you have a script coded with an expected value for the industry field, please update your script to reflect the updated values or use the default value already provided.

May 13, 2020

Analytics Scan Frequency Requirements Data

  • Veracode Analytics now provides visibility into scan frequency requirements for an application. These requirements include the frequency mandated by the policy, upcoming scan due dates, and any past due dates.

May 7, 2020

New Team Admin Role

  • Veracode has added the new Team Admin user role that an administrator can grant to users. With the Team Admin role, you can create, edit, and delete users within the teams you manage. This new role makes it easier for organizations to manage permissions for a large number of users.

New Mitigation Type

  • Veracode has added a new mitigation type to allow you to propose mitigations using the mitigation type Mitigated - Referred to Library Maintainer. You can classify findings related to libraries developed by another development team. Another development team may build libraries in-house, but they may not own the application Veracode is scanning.

April 30, 2020

New Identity REST APIs

  • The new Identity REST APIs allow you to manage users, teams, and business units. You can also use these REST APIs to create API service accounts and manage API ID/key credentials.

Updated Greenlight Scans Explore Page

  • Veracode has updated the Analytics page Greenlight Scans Explore to reflect the new terminology of IDE scan (formerly known as Greenlight) and to include pipeline scan data.

Updated Applications List View

  • The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering. Veracode is gradually releasing this feature as part of each Platform release, so it may not be immediately available to you.

New Secure Coding Foundation eLearning Courses

Veracode eLearning has released a new set of secure coding foundation courses:

  • Secure Coding Foundations - Authentication
  • Secure Coding Foundations - Authorization
  • Secure Coding Foundations - Configuration and Deployment
  • Secure Coding Foundations - Data Protection
  • Secure Coding Foundations - Information and Error Handling
  • Secure Coding Foundations - Trust Boundaries
  • Secure Coding Foundations - Validation and Encoding

These courses cover application security practices and associated vulnerabilities.

eLearning User Interface Enhancements

Veracode has improved these eLearning windows:

  • Manager window you use to assign learners to a manager
  • Curriculum window you use to assign learners to a curriculum

April 21, 2020

Updated Applications List View

  • The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering.

March 28, 2020

CWE 4.0 Support

  • Veracode CWE support is updated to reflect the latest changes from MITRE in the CWE 4.0 release.

Enable Automatic Re-creation of Existing Sandboxes

  • You can now edit existing sandboxes to enable the setting for automatically re-creating the sandbox when it expires.

Due Date Notifications for eLearning Students

  • eLearning administrators can now specify when to send email reminders to notify students about the due dates for assigned courses.

New Python and JavaScript eLearning Courses

  • Veracode has added secure coding courses for Python and JavaScript to eLearning learner levels.

March 19, 2020

New Grace Period Expiration Date in Analytics

  • Veracode Analytics now provides the date when a grace period expires. An expired grace period causes the finding to fail the policy associated with the application. Veracode calculates the date based on the First Found or Last Reopened date, whichever is more recent.

Account Lock Does Not Trigger Email to Administrator

  • To prevent redundant notifications, Veracode no longer sends an email to Administrators in the Veracode Platform when users in their organization are locked out of their accounts. This email is now unnecessary because users can unlock their own accounts.

March 3, 2020

Improved Developer Sandbox Scanning and Added Expiration Date

Veracode has made these improvements to developer sandboxes:

  • You can now perform up to ten sandbox scans simultaneously for a single application. Before starting additional scans, you must wait for at least one running scan to complete.
  • The sandbox list in the application profile now shows all sandboxes in the application that have running scans.
  • All sandboxes now have an expiration date. After a sandbox reaches its expiration date, you can no longer perform scans in it. Seven days after the expiration date, the Veracode Platform automatically removes the sandbox. All data about the removed sandbox is available from Veracode Analytics. You can use the re-create option to have the Veracode Platform automatically create a new sandbox with the same name as a previously-removed sandbox.

Applications REST API Adds Policy Compliance Information

  • Veracode has improved the Applications REST API to include information about the policy compliance of the application.

Executive Summary in Customizable Report PDF Includes Informational Findings

  • The executive summary in the downloadable PDF of the Customizable Report now shows informational findings. The informational findings provide information that can help you ensure your application meets policy compliance.

Email Notifications for eLearning Curriculum Due Date Changes

  • eLearning administrators can now send emails to notify students and their managers when the due date for an assigned curriculum changes. They can also send emails to notify managers when a due date on a curriculum has passed and students have not completed the curriculum.

February 21, 2020

New JavaScript eLearning Courses

Veracode eLearning has released a new set of secure coding courses for JavaScript:

  • Secure Coding for JavaScript - Authentication & Authorization
  • Secure Coding for JavaScript - Configuration and Deployment
  • Secure Coding for JavaScript - Data Protection
  • Secure Coding for JavaScript - Information and Error Handling
  • Secure Coding for JavaScript - Validation and Encoding

These courses cover application security practices and associated vulnerabilities, including the OWASP Top Ten, and secure coding techniques in JavaScript, including using the AngularJS and ReactJS frameworks.

February 19, 2020

Updated Look-and-Feel with New Veracode Branding

  • Veracode has updated the look-and-feel of the Veracode Platform with new branding.

January 28, 2020

Updates to Sandbox Functionality

Veracode has implemented these changes to improve the performance of sandbox scans:

  • You can delete a sandbox and all of its scans when you promote it to policy.
  • You may have a maximum number of sandboxes you can create for each application. The default limit is 25.

Automated Emails for eLearning Curriculum Updates

  • Veracode eLearning administrators can turn on automated email notifications to alert eLearning students and managers when the administrator assigns a curriculum to a student.

January 24, 2020

New Video - Create a Custom Policy in the Veracode Platform

  • This video shows you how to create a custom policy in the Veracode Platform.

January 13, 2020

SCA Findings Dashboard Available in Analytics

  • Veracode Analytics has a new dashboard that provides Software Composition Analysis (SCA) findings on open vulnerabilities, license risk, issue severities, and library data. Veracode Analytics does not currently display findings from agent-based scans.

January 8, 2020

New Video - Review Scan Results

  • This video shows you how to view Veracode scan results in the Veracode Platform.

January 2, 2020

SCA Findings Available in Veracode Analytics

  • Veracode Analytics now provides details about Software Composition Analysis (SCA) findings. If you have an SCA subscription, you can view SCA vulnerabilities displayed in the Findings Status & History dashboard and the Resolution and Mitigation Details dashboard.

  • Veracode Analytics does not currently display findings from agent-based scans.

Software Composition Analysis

View the list below for highlights of previous releases.

December 17, 2020

Container Scanning for Debian

  • Veracode Software Composition Analysis now supports agent-based scans of Debian Docker containers. You can scan Debian containers through the command-line interface or as part of your continuous integration pipelines.

October 15, 2020

Set Default Branch to the Most Recently Scanned Branch or Tag

  • You can now set your Veracode Software Composition Analysis projects to automatically update their default branch to be the most recently scanned branch or tag. This enhancement enables the use of tags as default branches and reduces the number of issues that display in the Veracode Platform, by default.

  • Existing projects without a default branch selected in their project settings now use the Use Last Scanned option as the default branch.

October 13, 2020

Vulnerable Method Support for JavaScript

  • Veracode Software Composition Analysis supports vulnerable method analysis for agent-based scans of JavaScript applications. This feature helps prioritize your remediation actions by identifying first-party code that calls a function in a JavaScript library that makes the library vulnerable.

October 1, 2020

Container Scanning for Ubuntu

  • Veracode Software Composition Analysis now supports agent-based scans of Ubuntu Docker containers. You can scan Ubuntu containers through the command-line interface or as part of your continuous integration pipelines.

September 26, 2020

Grace Periods for SCA Policy Rules

  • Veracode Software Composition Analysis now allows you to include grace periods for SCA upload scans in your application security policies. You can define a grace period for all scan types, including SCA, or define a grace period that applies specifically to SCA scans.

July 17, 2020

Default Date Limit Applied to Scan Data in Agent-Based Scan Workspaces

  • To improve performance and usability, the scan data for your workspaces is now limited to projects scanned in the last 30 days, by default. You can change the time window of exported projects on the workspace page in the Veracode Platform.

July 7, 2020

Advanced License Risk Management for Agent-Based Scans

  • Veracode Software Composition Analysis now provides advanced license risk management capabilities for agent-based scans. You can control the acceptable risk from open-source libraries by adding rules based on Veracode license risk ratings or by rejecting specific licenses.

June 17, 2020

New API Endpoints for Agent Management

  • The Veracode SCA Agent REST API includes new endpoints for creating and deleting agents. This update enables you to more effectively scale your agent administration and improve productivity with agent-based scans.

May 28, 2020

Issue Summary for Agent-Based Scans

  • Veracode Software Composition Analysis now provides a summary table on each agent-based scan workspace and project page that gives you a quick view of the state of your open-source issues.

April 29, 2020

Vulnerability Database Update

  • The Veracode Vulnerability Database is updated to resolve a discrepancy in severity rating compared to the National Vulnerability Database (NVD) for approximately 200 of over 20,000 total vulnerabilities. Veracode has already contacted all organizations that have applications that fail policy as a result of this update.

  • If your Veracode account manager has not contacted you, you do not need to take any action.

April 6, 2020

Alpine Linux Support for Agent-Based Scans

  • Veracode Software Composition Analysis (SCA) now supports the Alpine Linux distribution for agent-based scans.

Organization Rules for Agent-Based Scans

  • Veracode Software Composition Analysis (SCA) now supports configuring rules for agent-based scans at the organization level. Administrators can apply these rules to all workspaces in an organization to efficiently enforce a common security standard.

April 3, 2020

New API Endpoint for Auditing Agent-Based Scan Events

  • The Veracode SCA Agent REST API includes a new endpoint that provides a detailed audit of events for agent-based scans.

March 17, 2020

License Risk Details for Agent-Based Scans

  • Veracode Software Composition Analysis (SCA) provides the license risk rating of each open-source license type identified in agent-based scans to help you make informed decisions about acceptable risk.

Gem Support for Containers

  • Agent-based scans now support the gem package manager for scanning Docker containers.

March 16, 2020

New Video - Set Up an Agent to Scan with Veracode Software Composition Analysis

This video shows you how to:

  • Create a workspace
  • Set up an agent
  • Start a scan from your command line
  • View scan results

February 13, 2020

NPM and Pip Support for Containers

  • Agent-based scans now support the NPM and pip package managers for scanning Docker containers.

January 29, 2020

Update to Integrated SCA Upload and Scan

  • If you use Veracode Integrated Software Composition Analysis without a Veracode Static Analysis subscription, you can now perform scans using the upload and scan method.

SCA Results Export

  • You can now generate and download your latest Software Composition Analysis results from the Export Data page in the Veracode Platform at any time. This report does not include data from agent-based scans.

January 24, 2020

New Video - Upload and Scan with Veracode Software Composition Analysis

  • This video shows you how to upload and scan applications with Veracode Software Composition Analysis.

January 15, 2020

Get Teams List with the SCA Agent REST API

  • The Veracode SCA Agent REST API for Veracode Agent-Based Scan now supports retrieving a list of the teams in an organization, including filtering by the full or partial team name.

Integrations

View the list below for highlights of previous releases.

December 23, 2020

Updated Video - Build and Upload Files to Scan Using Veracode Static for Visual Studio

  • This video shows you how to prepare a build of your application using Veracode Static for Visual Studio and upload the build to a new or existing application profile in your Veracode portfolio.

December 17, 2020

Veracode Static for IntelliJ Supports Mitigation Proposals in TSRV Format

  • Veracode Static for IntelliJ version 3.2.1 now supports submitting mitigation proposals using the Technique, Specifics, Remaining Risk, and Verification (TSRV) format. If you have a Mitigation Proposal Review (MPR) subscription, you are required to use the TSRV format when proposing mitigations from within IntelliJ.

December 11, 2020

Veracode Java Wrapper Provides Improved Diagnostic Information

  • The Veracode Java wrapper version 20.12.7.3 provides improved debug-level, diagnostic information. You can include the debug parameter in your command to show this diagnostic information in the output.

New REST APIs for Findings, Development Sandboxes, and Summary Reports

Veracode now provides these REST APIs:

  • Annotations API for commenting on findings and proposing, accepting, and rejecting mitigations. You can combine this API with the Findings API to manage applications.
  • Development Sandbox API for creating, updating, and deleting sandboxes. You can combine this API with the Applications API to manage both applications and sandboxes.
  • Additional Findings APIs for obtaining detailed findings information for a static analysis or dynamic analysis and generating Summary Reports.

December 9, 2020

New Video - Reviewing Findings in Veracode Greenlight for VS Code

This video shows you how to:

  • Link findings in source code
  • Filter Veracode findings
  • Ignore findings in Veracode Greenlight for VS Code results
  • Stop ignoring findings in Veracode Greenlight for VS Code results

November 19, 2020

Docker Hub Images for the Java API Wrapper, the Python Authentication Library, and the Pipeline Scan

Veracode now provides these products as container images on Docker Hub:

  • Java API wrapper
  • Python authentication library to enable HMAC for Veracode APIs
  • Pipeline Scan

Veracode Static for Eclipse Now Supports Mitigation Proposals in TSRV Format

  • Veracode Static for Eclipse version 3.5.0 now supports submitting mitigation proposals using the Technique, Specifics, Remaining Risk, and Verification (TSRV) format. If you have a Mitigation Proposal Review (MPR) subscription, you are required to use the TSRV format when proposing mitigations from within Eclipse.

Veracode Integration for Jira Cloud Improves Findings Import Options

The Veracode Integration for Jira Cloud version 3.5.0 includes these improvements:

  • Uses mapped custom fields in the Veracode Platform when assigning issues of imported findings. If Veracode custom fields are not mapped to Jira fields, Jira Cloud assigns the issues to the default assignee for the Jira project.
  • Adds the ability to map Jira Cloud fields to Veracode Platform fields for SCA components and SCA vulnerabilities.

October 6, 2020

Install Veracode Greenlight for VS Code to Run Greenlight Scans

  • This video shows you how to install the Veracode Greenlight for VS Code extension. The Veracode Greenlight for VS Code extension is available from the Visual Studio Marketplace.

October 1, 2020

Veracode Static for IntelliJ Supports the Veracode API Credentials File

  • Veracode Static for IntelliJ version 3.2.0 allows you to store your Veracode API credentials securely in an external file.

September 30, 2020

Introducing Veracode for GitHub

  • Veracode for GitHub enables you to use GitHub Actions for performing static analysis of your application source code from within GitHub. Veracode provides preconfigured GitHub Actions for uploading your code to Veracode for static analysis or running a pipeline scan from within your GitHub development workflow.

September 24, 2020

Veracode Static for Eclipse Supports the Veracode API Credentials File

  • Veracode Static for Eclipse version 3.4.1 allows you to store your Veracode API credentials securely in an external file.

September 11, 2020

Veracode Integration for Jira Cloud Adds Description Field Override Option

  • The Veracode Integration for Jira Cloud version 3.4.0 adds the global option for overriding the Description field in Jira issues. When importing findings as issues into Jira Cloud, this option replaces any content in the issue Description field with your provided text.

September 10, 2020

Veracode Greenlight for Eclipse Free Trial Option Removed

  • Veracode Greenlight for Eclipse version 2.8.8 removes the free trial option from the Eclipse plugin. Veracode no longer provides a free trial of Greenlight for the Eclipse IDE.

August 29, 2020

Changes to deletesandbox.do and deletebuild.do XML API Calls

  • To improve the performance of the deletebuild.do and deletesandbox.do XML API calls, these calls now return an HTTP 200 response and a summary of the deleted items, instead of a list of items remaining after deletion. These calls also use new schema files.

August 13, 2020

Veracode Integration for Jira Adds Description Field Override Option

  • The Veracode Integration for Jira version 3.25.0 adds the global option for overriding the Description field in Jira issues. When importing findings as issues into Jira Server, this option replaces any content in the issue Description field with your provided text.

August 12, 2020

New Video - Configure the Veracode API Credentials File on Windows

  • This video shows you how to generate Veracode API credentials in the Veracode Platform and configure a Veracode API credentials file for storing your Veracode API credentials on Windows.

New Video - Configure the Veracode API Credentials File on macOS and Linux

  • This video shows you how to generate Veracode API credentials in the Veracode Platform and configure a Veracode API credentials file for storing your Veracode API credentials on macOS and Linux.

July 28, 2020

Veracode C# API Wrapper Supports the Veracode API Credentials File

  • The Veracode C# API wrapper version 20.7.8.0 now supports the Veracode API credentials file for storing your API credentials securely in an external file. If your API credentials file contains multiple credentials, you can use the new -credprofile parameter to specify the profile to use for Veracode authentication. The existing -vid and -vkey parameters, for specifying your API credentials at the command line, are now optional.

July 23, 2020

Veracode Java API Wrapper Supports the Veracode API Credentials File

  • The Veracode Java API wrapper version 20.7.7.0 now supports the Veracode API credentials file for storing your API credentials securely in an external file. If your API credentials file contains multiple credentials, you can use the new -credprofile parameter to specify the profile to use for Veracode authentication. The existing -vid and -vkey parameters, for specifying your API credentials at the command line, are now optional.

June 25, 2020

Introducing Veracode for AWS CodeStar

  • Veracode for AWS CodeStar version 1.0.0 enables you to add Veracode Static Analysis and Veracode Software Composition Analysis (SCA) as a build stage in your AWS CodePipeline. You can review the results of each analysis in the Veracode Platform.

Veracode Integration for Jira Improves Issue Assignment of Imported Findings

  • The Veracode Integration for Jira version 3.24.0 can now use mapped custom fields in the Veracode Platform when assigning issues of imported findings. If Veracode custom fields are not mapped to Jira fields, Jira Server assigns the issues to the default assignee for the Jira project.

June 16, 2020

Veracode Jenkins Plugin Now Open Source and on Jenkins Marketplace

  • The Veracode Jenkins Plugin version 20.6.10.0 is an open-source plugin that Veracode is distributing with an MIT license. You can download the plugin from both the Jenkins Marketplace and the Plugin Manager within Jenkins. The plugin source code is available from GitHub.

June 10, 2020

Introducing Veracode for Artifactory

The new Veracode for Artifactory version 1.3.0 allows you to perform security scanning of your application artifacts from within Artifactory. This release includes these features:

  • Static analysis of your application artifacts from within Artifactory using manual scans, scheduled scans, or event-triggered scans.
  • Support for Artifactory High Availability (HA) clusters.
  • Python script to automate tagging artifacts with the required properties for static analysis.

May 29, 2020

Veracode Integration for Jira Cloud Adds Findings Import Options

The Veracode Integration for Jira Cloud version 3.3.0 adds these new options for importing findings from Veracode to Jira Cloud:

  • Automatically assign imported findings to a Jira Cloud epic or link them to a related issue.
  • Map string, number, and date/time data types from Veracode fields to text, number, and date/time field types in Jira Cloud. The integration imports the values from the Veracode fields to fields in Jira Cloud issues.

May 28, 2020

Veracode Greenlight for IntelliJ Supports IntelliJ 2020.1

  • Veracode Greenlight for IntelliJ version 1.5.3 adds support for IntelliJ IDEA Ultimate and Community 2020.1. This release also allows you to store your Veracode API credentials in an external file.

May 21, 2020

Veracode Greenlight for Eclipse Supports Eclipse 2020-03

  • Veracode Greenlight for Eclipse version 2.8.7 adds support for Eclipse 2020-03 and allows you to store your Veracode API credentials in an external file.

May 19, 2020

Veracode Azure DevOps Extension Adds New Scan Summary for Multi-Stage Pipelines

  • The Veracode Azure DevOps Extension version 3.1.0 shows scan results in a new Veracode Scan Summary tab to support multi-stage pipelines.

May 7, 2020

Veracode Integration for Jira Adds Findings Import Options

The Veracode Integration for Jira version 3.23.0 adds these new options for importing findings from Veracode to Jira Server or Jira Data Center:

  • Automatically assign imported findings to a Jira epic or link them to a related issue.
  • Map string, number, and date/time data types from Veracode fields to text, number, and date/time field types in Jira. The integration imports the values from the Veracode fields to fields in Jira issues.

April 10, 2020

Veracode Integration for Jira Supports Jira Server 8.7.x

  • The Veracode Integration for Jira version 3.22.1 adds support for Jira Server and Jira Data Center 8.7.x.

Updated Video - Install Veracode Static for Visual Studio

This video shows you how to:

  • Install Veracode Static for Visual Studio
  • Generate API credentials in the Veracode Platform
  • Configure an API credentials file for storing your API credentials

March 24, 2020

Veracode Azure DevOps Extension Removes Basic Authentication

  • The Veracode Azure DevOps Extension version 3.0.0 removes basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.

February 21, 2020

Veracode Greenlight for Eclipse Supports Eclipse IDE 2019-12

  • Veracode Greenlight for Eclipse version 2.8.6 adds support for Eclipse IDE 2019-12 (4.14).

February 14, 2020

Veracode Greenlight for IntelliJ Supports IntelliJ IDEA 2019.3

  • Veracode Greenlight for IntelliJ version 1.5.1 adds support for IntelliJ IDEA Ultimate and Community 2019.3.

February 12, 2020

Veracode Jenkins Plugin Removes Basic Authentication

  • The Veracode Jenkins Plugin version 20.2.6.1 removes basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.

January 31, 2020

Veracode Static for Eclipse Supports Eclipse 2019-09

  • Veracode Static for Eclipse version 3.4.0 replaces the Veracode Eclipse Plugin. This version adds support for Eclipse 2019-09. It also adds support for Java Runtime Environment (JRE) 11 and 13.

  • You can no longer use basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.

January 24, 2020

Veracode Static for IntelliJ Supports IntelliJ IDEA 2019.3

  • Veracode Static for IntelliJ version 3.0.0 replaces the Veracode IntelliJ Plugin. This version supports IntelliJ IDEA Ultimate and Community 2017.x to 2019.3. It also adds support for Java Runtime Environment (JRE) 11 and 13.

  • You can no longer use basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.

January 23, 2020

Updated Veracode Integration for Jira

The Veracode Integration for Jira version 3.22.0 includes these updates:

  • Removes support for basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.
  • Enhances Jira logging, so that you can more easily read the logs.
  • Improves the performance of importing findings from the Veracode Platform to Jira using custom fields.

January 17, 2020

Veracode Static for Visual Studio Supports Visual Studio 2019

  • Veracode Static for Visual Studio version 4.0.0.1 replaces the Veracode for Visual Studio Extension. This version supports Visual Studio 2015, 2017, and 2019. In Visual Studio 2015 and 2017, the name of the top-level Veracode menu is now Veracode Static. In Visual Studio 2019, the Veracode Static menu appears under the Extensions menu.

  • You are required to configure an API credentials file, which you use to provide your Veracode API ID and key credentials to Veracode Static for Visual Studio.

January 8, 2020

Updated Veracode Integration for Jira Cloud

The Veracode Integration for Jira Cloud version 3.2.0 includes these updates:

  • Adds a new Veracode Integration Severity Mappings page in the Jira Cloud interface for mapping severities from the Veracode Platform to your customized priorities in Jira Cloud.
  • On the Veracode Integration Field Mapping page in the Jira Cloud interface, the Veracode Platform column adds these new options:
    • A Description (overwrite) option to have the content from a selected Veracode Platform field overwrite the Description field in Jira Cloud upon import. If the selected Veracode Platform field is empty, the mapping erases the contents of the Description field in Jira Cloud.
    • An option for mapping Veracode SCA component paths.
  • Removes basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.

Developer Training

View the list below for highlights of previous releases.

November 23, 2020

Auto-Extend for eLearning Enabled by Default

  • The default setting for new Veracode eLearning course track assignments is to automatically extend when their subscription periods end.

Improved eLearning Performance

  • Veracode has increased the loading speed of the My Team's Courses page in Veracode eLearning.

October 29, 2020

Improvements to eLearning

Veracode has made these improvements to eLearning:

  • eLearning administrators can now assign a learner to multiple eLearning curricula.
  • Veracode added seven new Secure Coding Foundation courses to learner level 1. Learners who previously completed level 1 must take the newly-added courses to complete this level. Because each level depends on the previous level, these levels show as incomplete until the learner completes them.
  • The eLearning report for learners now includes a Date Started column.
  • The eLearning settings have been removed from the Admin > Manage Users page. All eLearning administration actions are now available from the Admin > eLearning page. This page provides a centralized location where you can use filtering options and perform all actions on one or more learners.
  • The eLearning fields have been removed from the SAML Self-Registration page.

August 29, 2020

Improvements to Security Labs

Veracode has made these improvements to Security Labs:

  • Integration with the Veracode Platform. By default, if you have the Security Labs User role, Veracode automatically creates your Security Labs account in the Platform. If you have the Administrator role, you automatically have administrator permissions within Security Labs.
  • New Assignment Creation wizard. When creating a new set of lab assignments on the Assign Content page, you can now get suggested lab assignments based on a focus. For example, Beginner/Intermediate/Advanced, PCI Training, Backend/Frontend, or Competition.
  • New Scala labs for the OWASP Top 10. These labs use the Play framework.

June 27, 2020

Enhancements to eLearning Curriculum Creation

  • Veracode has improved the user interface for creating an eLearning curriculum to make it easier for administrators to identify courses to add to a curriculum. The new user interface now includes the length and description of each course. When selecting courses, the administrator can also use a checkbox to make courses required.

June 2, 2020

Bulk Actions for eLearning Administrators

  • Veracode eLearning administrators can now apply actions, including assigning learners to tracks or curricula and enabling automatic track extensions, to multiple users at once. This enhancement simplifies the process of onboarding and managing eLearning users.