The updates on this page apply to the following Veracode Dynamic Application Security Testing (DAST) features in the Commercial Region:

• Web application scanning
• API scanning
• Discovery scans
• Internal Scanning Management (ISM)

March 28, 2024​

Improved pause and resume scheduling​

You can now schedule an analysis to pause and resume on specific days of the week, during specific periods, or both.

December 19, 2023​

Web application and API scans now support multi-factor authentication​

You can now configure web application scans and API scans to use time-based one-time password (TOTP) seeds for URLs that require multi-factor authentication (MFA). You can also configure TOTP with the REST API.

December 12, 2023​

ISM Endpoint 23.12.1​

• The endpoint now supports Java 21.
• Adds virtual threading functionality to improve performance and stability. Before you can use this functionality, you must upgrade to Java 21.

November 27, 2023​

Free trial of DAST Essentials​

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

November 15, 2023​

Introducing DAST Essentials​

DAST Essentials is a new Dynamic Application Security Testing (DAST) product that provides rapid and resilient DAST scanning of web applications and REST APIs, a user-friendly interface, and seamless CI/CD pipeline integration. To get started, see the quickstart.

September 25, 2023​

Web application and API scans now support custom cookies​

You can now configure web application scans and API scans to use one or more custom cookies for authentication.

May 9, 2023​

ISM Endpoint 23.5.0​

Added executable scripts that update the JAVA_HOME path for the endpoint.

April 25, 2023​

ISM Endpoint 23.4.2​

• The endpoint now supports environments where the target host is on the same host as the client.
• Source code files now include a copyright header.

February 27, 2023​

Set URL Scan Settings at the Organization Level​

You can now use the Dynamic Analysis REST API to set URL scan settings for all analyses and scans in an organization.

February 17, 2023​

New Manual Resume Feature for Paused Analyses​

Veracode Dynamic Analysis adds a new feature that enables you to manually resume a scheduled analysis from a paused state. This feature is only available upon request. To add this feature to your account, contact Veracode Technical Support.

January 20, 2023​

Renamed URL Scan Status Messages​

Veracode has renamed and changed the descriptions for the following URL scan status messages for Dynamic Analysis. The new names more accurately describe the issues that caused these status messages to appear in the Veracode Platform.

• Killed - Partial Results Available is now Lockout - Partial Results Available.
• Killed - Verifying Partial Results is now Lockout - Verifying Partial Results.

December 19, 2022​

ISM Endpoint 22.12.3​

• Fixed an endpoint issue that caused threads to lock up until the ISM tunnel closes.
• Improved endpoint logging that Veracode Technical Support can use for troubleshooting.

October 18, 2022​

API Scanning Adds Support for Scriptable Request Modification​

Veracode API Scanning adds a new option for using JavaScript to modify an HTTP request, at runtime, when authenticating with a remote host.

October 5, 2022​

New Similarity Threshold for Web Applications​

When configuring an analysis of a web application, you can now set a threshold for ignoring similar web pages during the analysis.

September 7, 2022​

Dynamic Analysis Now Creates Screenshots for Consecutive Login Failures​

The Veracode scan engine now creates a verification screenshot if it is unable to log in to a target application after 50 attempts. The screenshot image shows when and where in the scanning process the failed login attempts occurred. You can use this information for troubleshooting.

August 2, 2022​

New Historical Details for Dynamic Analyses and Scans​

You can now view detailed information about all past occurrences of both a dynamic analysis and its scans.

May 18, 2022​

Re-Enabled Pause and Resume for Scheduled Analyses​

When scheduling a Dynamic Analysis, you can now set it to pause and resume scanning at specific days and times. Veracode disabled this option on October 7, 2021.

April 28, 2022​

New Status Messages for Partial Scan Results​

Dynamic Analysis now provides status messages that indicate when Veracode is verifying partial results and when partial results are available for review. Partial results can occur when a scan stops prematurely due to:

• Errors during scanning
• Users stopping the scan early
• The scan exceeding its configured duration

March 23, 2022​

API Scanning Adds Support for OpenID Connect to OAuth 2.0​

Veracode API Scanning adds a new option to specify an OpenID Connect URL when configuring OAuth 2.0 authentication.

March 10, 2022​

Dynamic Analysis Adds Support for Concurrent Browsers Running Dynamic Analysis Scans​

Veracode Dynamic Analysis now supports concurrent browsers for running multiple Dynamic Analysis scans at the same time. When configuring a web application scan, you can specify up to 12 concurrent browsers.

March 8, 2022​

API Scanning Adds OAuth 2.0 Authentication and Analysis History Options​

Veracode API Scanning includes these changes:

• New option to configure OAuth 2.0 authentication for the API endpoints in your API specifications. You can select to use either the Client Credentials or Password Credentials grant type.
• New Associated Analysis field on the API Specification Details page for a given API specification. This field provides options for viewing, reconfiguring, and rerunning previous scans.

March 3, 2022​

Dynamic Analysis Now Detects Log4j Vulnerability CWE-115​

Veracode Dynamic Analysis can now detect Log4j vulnerability CWE-115 when scanning web applications or API specifications.

February 4, 2022​

Updated Dynamic Analysis Scan Engine​

The Dynamic Analysis scan engine includes these updates:

• Updated Chromium to version 98.0.4758.80
• Log4j security updates
• Improved connectivity when authenticating with Veracode
• Fix for insecure cookies that prevented flaw matching

January 25, 2022​

ISM Endpoint 22.1.10​

• Endpoint upgraded to Log4j 2.17.1 to address security findings.
• Improved thread management for connection stability.
• Advanced memory usage diagnostics.

December 21, 2021​

ISM Endpoint 21.12.13​

• Endpoint upgraded to Log4j 2.17 to address known vulnerabilities CVE-2021-44228 and CVE-2021-45046.
• Additional libraries upgraded to address security findings.

August 10, 2020​

ISM Endpoint 20.8.5​

• Endpoint now supports not resolving the hostname when accessing the ISM gateway via proxy. This support enables you to only allow the gateway hostname for outbound HTTPS calls.
• Endpoint now supports not resolving the hostname when accessing scanned URLs via proxy. This support simplifies proxy configuration if you do not want to access external sites, such as Okta, during the scan.
• Improved interface for configuring a proxy for the endpoint installer.
• Endpoint installer supports configuring hostname resolution properties.
• Java WebSocket library for the endpoint upgraded to version 1.5.1.
• Endpoint supports specifying non-default network interface via endpoint properties, including the option to see a list of available network interfaces.
• Endpoint process name on Linux includes a Veracode identifier.
• Improved endpoint logging.

March 9, 2020​

ISM Endpoint 20.3.5​

• Endpoint installer supports client-side Java and 32-bit Java.
• Endpoint installer supports proxy gateway-only property.
• Endpoint supports running diagnostics through a DSE tunnel.
• Endpoint supports new advanced diagnostics options.
• Consolidated direct diagnostic options and diagnostics options that run through a DSE tunnel.
• The ISM service from the Windows installer runs under the less privileged LocalService account instead of LocalSystem.
• Proxy configuration in the installer no longer requires web access to veracode.com.
• Resolved issue with property merge in the endpoint installer.
• Improved endpoint memory management and out of memory protection.

The updates on this page apply to the Veracode integrations and APIs in the Commercial Region. All updates in the Commercial Region apply to all regions. For updates specific to the European Region or United States Federal Region, see Integrations - European and US Federal.

For updates relevant to the SCA integrations, see the SCA updates.

April 18, 2024​

Veracode Scan for VS Code 1.8.1​

This update includes the following improvements:

• The timeout limit for Static Analysis scans has increased to 10 minutes.
• Fixed findings no longer appear on the PROBLEMS tab in VS Code.

April 17, 2024​

Veracode Static for Visual Studio (New) 1.12.0​

This update includes the following improvements:

• After you import an XML file of your results into Visual Studio, the View Policy Results pane now shows the correct data paths.
• If you use both the Greenlight extension and the Static Analysis extension in your IDE, you no longer experience conflicts between these extensions.

April 11, 2024​

Veracode SCA Scan for JetBrains 0.8.0​

This update includes a refreshed user experience.

April 10, 2024​

Veracode Workflow App 0.2.0 for GitHub​

This update includes the following improvements:

• For policy and pipeline scans:
  • To turn on policy or pipeline scans, you must now add the analysis_on_platform true flag. By default, this feature is turned off.
  • By default, the analysis_branch flag is now set to your default branch automatically. You can set this flag to a different branch.
  • When you open a pull request (PR) against a branch you are scanning, the integration creates a sandbox scan from the source branch. You can view the scan results under the branch name in the Veracode Platform. When you merge the PR, the integration removes the sandbox scan, and then starts a new policy scan in the target branch. You can view the scan results under the repo name in the Veracode Platform.
  • Mitigated findings from a pipeline scan no longer appear in the list of findings.
• For GitHub Issues:
  • New issues flag to enter a command that runs on-demand scans on a repo issue.
  • New create_issue flag that creates GitHub Issues from Static Analysis findings.
  • New create_code_scanning_alerts flag that creates code scanning alerts from Static Analysis findings. The alerts appear on the GitHub Security page.
• For configuration options:
  • You can now configure an allowlist with in the central repo_list.yml file.
  • You can now override most global configurations by adding custom configurations to a veracode.yml file at the root of your source repo.
  • New use_custom_workflow flag that can use a workflow from the source repo to build the project or artifact you can upload for scanning.
• For error handling:
  • New error messages that display as annotations if API credentials are invalid.
  • New error message when the integration is not able to find a policy name.
• The integration now auto-packages Java projects for more reliable builds and more accurate scan results.

Java API Wrapper 24.4.13.0​

This update includes the following improvements:

• Adds support for the publishedscansonly parameter.
• Minor performance improvements.

April 3, 2024​

Veracode Scan for VS Code 1.8.0​

This update includes the following improvements:

• Adds Veracode Fix support for Kotlin and Scala.
• The Flaw Details tab now renders correctly for .NET projects.
• Minor improvements to packaging support.

April 1, 2024​

Veracode Integration for Jira Server 4.7.0​

You no longer see a NullPointerException error when you run a one-time import, selective import, or automated import.

March 29, 2024​

Veracode Fix updates​

Veracode Fix now provides suggested fixes for Kotlin and Scala.

March 28, 2024​

Veracode Static for Visual Studio (New) 1.11.0​

The integration now successfully verifies your Veracode API credentials.

March 25, 2024​

Veracode Scan for VS Code 1.7.0​

This update includes minor improvements to packaging support.

March 21, 2024​

Veracode Static for Visual Studio (New) 1.10.0​

In the Project Settings Wizard, when you select an application, the list of sandboxes now shows the sandboxes for the selected application only.

March 14, 2024​

Veracode Static for IntelliJ 3.6.0​

This update includes the following changes:

• The Veracode option is now visible on the main menu.
• Adds support for IntelliJ version 2023.3.4.

March 7, 2024​

Veracode Scan for VS Code 1.6.0​

This update includes the following improvements:

• The debug option now supports Static Analysis scans, Veracode Fix, and the auto-packager, in addition to SCA scans.
• You can now clear all findings.
• Minor performance improvements.

March 4, 2024​

Veracode Integration for Jira Cloud 4.13.2​

This update adds historical diagnostics data about each import to the Monitoring and Troubleshooting page.

February 29, 2024​

Veracode Jenkins Plugin 24.2.23.0​

This update improves security by increasing the minimum supported versions of Jenkins and Java. To install this update, you must have a minimum Jenkins version of 2.414.3 and Java 11.

February 28, 2024​

Veracode SCA Scan for JetBrains 0.7.2​

This update includes the following improvements:

• You can now use a debug option to troubleshoot scan errors.
• Minor performance improvements.

Veracode Greenlight for Visual Studio (New) 1.5.0​

This update includes the following improvements:

• Scans no longer fail with this error message: “The selected file must be in a solution. Open the solution that contains this file and try again.”
• Improved error handling.

February 20, 2024​

Veracode Azure DevOps Extension 3.26.0​

This update includes the following improvements:

• Adds support for the includenewmodules parameter.
• You can now add the following information as tags in work items: scan type, finding severity, due date, and CVE ID (SCA only).
• Work items now show the correct CWE ID.
• The Upload and Scan task no longer fails when you use the environment variable JAVA_TOOL_OPTIONS.

February 15, 2024​

Veracode Scan for VS Code 1.5.0​

This update adds Veracode Fix to Veracode Scan for VS Code. To fix flaws in seconds from within your IDE, you can now apply AI-generated fixes directly to flaws.

February 14, 2024​

Veracode Fix now supports Python and PHP​

Veracode Fix has improved language coverage to include Python and PHP.

January 30, 2024​

Veracode Scan for VS Code 1.4.1​

This update includes the following improvements:

• Fixes a typo in the Views and More Actions menu.
• The Remediation Guidance text in the Flaw Details tab is now visible in light mode.
• Minor performance improvements.

January 29, 2024​

C# API Wrapper 24.1.10.1​

This update adds support for the -includenewmodules parameter.

January 11, 2024​

Veracode Scan for VS Code 1.4.0​

This update adds Static Application Security Testing (SAST) to VS Code. Developers can use SAST to find and fix flaws in their code and use Software Composition Analysis (SCA) to find and fix vulnerabilities in open-source code from within the IDE.

This extension replaces Veracode SCA Scan for VS Code. Greenlight for VS Code is now deprecated and will not be supported after June 2024.

December 12, 2023​

Veracode Azure DevOps Extension 3.25.0​

This update includes the following improvements:

• The Flaw Import task and the Upload and Scan task now successfully fail the build when the Fail build if Upload and Scan build step fails checkbox is selected.
• Adds an option to overwrite the iteration path in work items of imported flaws during the next import.

Veracode Integration for Jira Server 4.5.0​

This update adds historical diagnostics data to the Monitoring and Troubleshooting page.

October 5, 2023​

Veracode Fix now supports JavaScript and TypeScript​

Veracode Fix has improved language coverage to include JavaScript and TypeScript.

December 4, 2023​

Veracode GitHub Workflow App​

Veracode has released the Veracode Workflow App that allows you to scan your GitHub repositories with Static Analysis, Software Composition Analysis (SCA), and Container Security. The app uses template workflows in a centralized location that you can apply to all repositories across your organization.

The functionality of the app includes:

• Automated scans of up to thousands of repositories from one location
• Static, SCA, and Container Security scans start on developer activity from a single workflow
• Automated scanning does not require developers to configure workflows for individual repositories
• Broad language support

You can download the app from the GitHub marketplace. For more information, view the Veracode documentation.

December 1, 2023​

Veracode Static for Visual Studio (New) 1.9.0​

This update includes the following improvements:

• Adds support for TSRV mitigations.
• Adds support for .NET 7.

November 9, 2023​

Veracode SCA Scan for VS Code 1.3.1​

This update includes the following improvements:

• You can now filter out any findings that are of low importance to your organization by selecting a security policy to apply to your project. To use this feature, your account must have the Unified Policy applied.
• The Vulnerability Details window now includes a link to the related CVE.
• You can now use a debug option to troubleshoot scan errors.
• Minor interface changes.

November 1, 2023​

Veracode Integration for Jira Cloud 4.12.0​

This update includes the following changes:

• The Import Automation page now includes an option for you to retry downloading Detailed Reports that failed to download during import.
• If your account is in the European Region and you select a link in a Jira issue to an application profile, the link now opens the Veracode Platform in the European Region.
• User accounts in the European Region now see the correct values for various fields in imported Jira issues.

October 17, 2023​

Veracode SCA Scan for JetBrains 0.7.1​

This update includes minor performance improvements.

October 13, 2023​

Veracode SCA Scan for VS Code 1.2.1​

This update includes minor performance improvements.

October 4, 2023​

Veracode Integration for Jira Server 4.4.0​

This update adds support for Jira Server version 9.11.2.

September 26, 2023​

Veracode Azure DevOps Extension 3.24.0​

This update includes the following changes:

• End of support for Team Foundation Server (TFS).
• Builds no longer fail when the Fail build if flaw importer build step fails option is cleared and the application name contains special characters.

September 6, 2023​

Veracode Greenlight for IntelliJ 1.9.0​

This updates includes minor performance improvements.

August 31, 2023​

Veracode Integration for Jira Server 4.3.0​

This update includes the following improvements:

• The Monitoring and Troubleshooting page now shows details about the last four imports.
• The Monitoring and Troubleshooting page now includes an option for you to retry downloading Detailed Reports that failed to download during import.

August 17, 2023​

Java API Wrapper 23.8.12.0​

You can now send requests to the Identity REST API from within the Java API wrapper.

August 16, 2023​

Veracode Azure DevOps Extension 3.23.0​

This update includes the following improvements:

• You can now add an iteration path to the work item settings in the Flaw Importer task.
• Adds support for Azure DevOps version 2022 RC2.

August 10, 2023​

Veracode SCA Scan for JetBrains 0.7.0​

This update fixes a minor performance issue.

Veracode Integration for Jira Cloud 4.11.0​

This update includes the following improvements:

• If an imported story for an open-source component with vulnerabilities changes projects, the integration now creates subtasks for SCA vulnerabilities in that story under the new project.
• To avoid failed imports, if the integration encounters errors when it searches for linked Veracode fields, it now skips issue creation for any new findings.

August 8, 2023​

Veracode SCA Scan for VS Code 1.2.0​

This update includes the following improvements:

• The Library Details window now shows the parent dependency for the selected transitive dependency.
• Minor performance updates.

July 28, 2023​

Veracode Greenlight for IntelliJ 1.8.8​

This update includes the following improvements:

• Adds support for IntelliJ version 1.8.7.
• Exception errors no longer appear during Greenlight scans at the file or folder level.

July 27, 2023​

Veracode SCA Scan for JetBrains 0.6.1​

Veracode SCA Scan for JetBrains version 0.6.1 adds support for IntelliJ IDEA version 2023.2.

July 21, 2023​

Introducing Veracode SCA Scan for JetBrains​

Veracode SCA Scan for JetBrains version 0.6.0 is a new extension that integrates Software Composition Analysis (SCA) into the IntelliJ IDEA and PyCharm IDEs. Developers can scan their code to detect security risks in open-source libraries, library dependencies, and licenses. The detailed scan results help developers learn about vulnerabilities, prioritize security fixes, and remediate security issues from within their IDE.

July 20, 2023​

Veracode SCA Scan for VS Code 1.1.0​

This update includes the following improvements:

• You can now select a project to scan when you have multiple projects in VS Code.
• The SCAN OVERVIEW view now shows the name of the project you scanned.
• In the extension settings, you can now enable or disable recursive scanning.
• If your API credentials or the local SCA agent are invalid, the SETUP view now opens after you select Start Scanning or Rescan.
• Spaces in the USER_HOME directory no longer result in an error.

July 14, 2023​

Veracode Integration for Jira Server 4.2.0​

This update fixes an issue where IssueCreatorImpl errors on the Monitoring and Troubleshooting page caused unexpected failures.

Veracode Jenkins Plugin 23.7.22.0​

This update includes the following improvements:

• Improves the usability of the option Show Unstable Status for Failed Policy Evaluation.
• Builds that failed after you upgraded to version 23.5.21.0 now complete successfully.
• Adds support for Jenkins version 2.412.

July 6, 2023​

Veracode Static for Visual Studio (New) 1.8.0​

This update includes the following improvements:

• In the Static Findings window, when you double-click a finding, or right-click a finding and select Go to Line, the selected finding now remains selected.
• After you add a new application to a project and scan it, the extension now adds the details about the new application to the file veracode-project-user.json.

Veracode Integration for Jira Server 4.1.0​

This update includes the following improvements:

• The Import Automation now provides an option that attempts to import any flaws that failed to import. If an import fails, the Import Automation no longer uses the last import date of the failed import.
• The Troubleshooting page now provides a diagnostic dashboard that shows details about the latest import, including information about any errors.

June 26, 2023​

Veracode Greenlight for Visual Studio (New) 1.4.0​

This update improves error handling.

June 15, 2023​

Veracode Greenlight for VS Code Adds Support for .NET 7​

See Veracode Greenlight for VS Code.

June 13, 2023​

C# API Wrapper 23.5.8.8​

You can now provide a proxy host, port, and its credentials in an environment variable. The environment variable name must be https_proxy.

June 5, 2023​

Veracode Azure DevOps Extension 3.22.0​

This update includes the following changes:

• The Upload and Scan task now supports the optional parameter scanpollinginterval.
• You can now configure the Flaw Import task to only import findings from Static Analysis and SCA.
• Minor security improvements.

Veracode SCA Scan for VS Code 1.0.0​

This update adds security improvements.

June 1, 2023​

Veracode Jenkins Plugin 23.5.21.0​

This update includes the following changes:

• Adds a Show Unstable Status for Failed Policy Evaluation option. Select this option to show the job status as Unstable if the scan succeeds but fails the security policy.
• Minor security improvements.

May 22, 2023​

Veracode Integration for Jira Cloud 4.10.0​

This update includes the following changes:

• Findings you import with the Import Automation feature now show the date of the last successful import, instead of the last import.
• When you configure a Selective Import and select the left/right arrows to switch between pages, the selected flaws are no longer cleared.
• Minor security fixes.

May 4, 2023​

Veracode Azure DevOps Extension 3.21.0​

This update includes the following changes:

• Adds support for the lifecyclestage parameter as an optional argument in the Upload and Scan task. This parameter is not supported in YAML.
• The scan polling interval for the Upload and Scan task is no longer twice the expected default value of 120 seconds.

April 27, 2023​

Veracode SCA Scan for VS Code 0.8.0​

This update includes the following improvements:

• You can now filter the VULNERABILITIES view based on direct or transitive libraries.
• The Rescan button is now located at the top of the SCAN OVERVIEW view.
• The SCAN OVERVIEW view is no longer empty when the scan does not find vulnerabilities.
• In the Library Details window, the Last published field now shows the months and days since the vendor last published the library or it shows Unknown.

April 19, 2023​

Veracode Jenkins Plugin 23.4.20.0​

This version includes the following updates:

• Adds Dynamic Analysis scan statuses STOPPED_VERIFYING_PARTIAL_RESULTS and STOPPED_PARTIAL_RESULTS_AVAILABLE.
• Fixes an issue where the scan poll interval for upload and scan was twice the expected default value of 120 seconds.

April 13, 2023​

Veracode Integration for Jira Cloud 4.9.0​

The integration now imports findings from scanned applications with COTS (commercial off-the-shelf) enabled.

April 5, 2023​

Java API Wrapper 23.4.11.2​

This update includes the following changes:

• Adds Dynamic Analysis scan statuses STOPPED_VERIFYING_PARTIAL_RESULTS and STOPPED_PARTIAL_RESULTS_AVAILABLE.
• The logs for scanpollinginterval are now consistent with any imposed time delays during polling.
• Adds support for the -includenewmodules parameter.

March 31, 2023​

Veracode Static for Eclipse 3.8.0​

This update adds support for Eclipse IDE version 2023-03.

March 30, 2023​

Veracode Integration for Jira Cloud 4.8.0​

This version includes the following changes:

• Adds additional logs for troubleshooting.
• To ensure your imported flaws are current, the integration re-imports them after you fix any configuration issues.
• On the Selective Import page, the Flaws Per Page and Next Page options no longer show an error message.

March 27, 2023​

Veracode Jenkins Plugin 23.3.19.0​

This version includes the following changes:

• Addresses the low severity information disclosure issues detailed in CVE-2023-25721 and CVE-2023-25722. For more information, go to the Veracode Community.
• Correctly escapes the -ppassword parameter for a proxy password.

Veracode Azure DevOps Extension 3.20.0​

This version addresses the low severity information disclosure issue detailed in CVE-2023-25722. For more information, go to the Veracode Community.

March 20, 2023​

Veracode SCA Scan for VS Code 0.7.0​

This update includes the following improvements:

• The extension now includes an SCA Agent. After you install the extension, you can install the SCA Agent from within the IDE and start scanning.
• You can point to a vulnerability in the VULNERABILITIES view to see whether it passes the built-in policy.
• The Vulnerability Details window now shows the policy for the selected vulnerability.
• To indicate which vulnerabilities have passed the built-in policy, the VULNERABILITIES view now groups them by Did Not Pass Policy and Passed Policy.

March 8, 2023​

Java API Wrapper 23.3.11.0​

This version includes the following changes:

• You can now provide a proxy host, port, and its credentials in an environment variable. The environment variable name must be https_proxy.
• Displays error messages for code 429 if you exceed the request limit.

March 2, 2023​

Veracode Azure DevOps Extension 3.19.0​

This update adds support for both of the following YAML property values:

• ConnectionDetailsSelection='Endpoint'
• ConnectionDetailsSelection='Service Connection'

March 1, 2023​

Veracode Azure DevOps Extension 3.18.0​

This update includes the following changes:

• Changes the YAML property value ConnectionDetailsSelection='Endpoint' to ConnectionDetailsSelection='Service Connection'. When you upgrade to this new extension, you must update your YAML with the new value name.
• Static Analysis work items now have a Grace Period Expiration field.
• SCA works items now have a First Found Date field and File Path field for vulnerabilities.
• The Summary Report now shows a link to the Scan Details page.
• The extension now fails the build if Development Sandbox scans find SCA vulnerabilities.
• Builds no longer fail when the Fail build if Upload and scan build steps fails option is cleared, but the application name contains special characters.

February 28, 2023​

Veracode Greenlight for IntelliJ Supports IntelliJ v2022.2.3​

Veracode Greenlight v1.8.7 adds support for IntelliJ v2022.2.3.

February 22, 2023​

Updated Identity REST API​

You can now use the Identity REST API to manage Veracode API credentials for API service accounts, also called API users.

February 9, 2023​

Updated Veracode SCA Scan for VS Code​

Veracode SCA Scan for VS Code version 0.6.0 includes the following updates:

• Adds a Create a Case link that you can use to send a support case to Veracode Technical Support.
• Adds a Leave Feedback link that you can use to provide feedback in a survey.
• Fixes an issue where the extension did not verify undefined or null values.

February 3, 2023​

Mandatory Upgrade for Veracode Greenlight for IntelliJ​

Veracode Greenlight for IntelliJ version 1.8.6 supports a recent change to the Greenlight API. To continue using this plugin, you must upgrade to this version by February 13, 2023.

February 2, 2023​

Mandatory Upgrade for Veracode Greenlight for Eclipse​

Veracode Greenlight for Eclipse version 2.9.7 includes these changes:

• Supports a recent change to the Greenlight API. To continue using this plugin, you must upgrade to this version by February 13, 2023.
• Fixes a refresh issue that flashes various status messages at the bottom of the Eclipse interface.

February 1, 2023​

Updated Java API Wrapper​

Veracode Java API Wrapper version 23.1.10.5 adds logic to identify and remove unicode application names from the XML response.

Veracode Mobile Application Packager Has Reached End of Life​

Veracode Mobile Application Packager is now End of Life (EOL) and is no longer supported by Veracode Technical Support. To compile and package tvOS or iOS applications that you developed in the Xcode IDE, see the packaging requirements.

January 30, 2023​

Mandatory Greenlight Upgrades for Eclipse and IntelliJ​

Veracode has made a change to the Greenlight API that will impact the following plugins.

• Veracode Greenlight for Eclipse version 2.9.6 and earlier
• Veracode Greenlight for IntelliJ version 1.8.5.2022 and earlier

New versions of these plugins will be available on February 2, 2023 and February 3, 2023, respectively. To continue using these plugins, you must upgrade to the new versions by February 13, 2023.

January 23, 2023​

Veracode Integration for Jira Supports Jira Server 9​

Veracode Integration for Jira version 4.0.1 adds support for Jira Server 9. This integration no longer supports Jira Server 8.6.0 and earlier.

January 17, 2023​

Introducing Veracode SCA Scan for VS Code​

Veracode SCA Scan for VS Code version 0.5.0 is a new extension that integrates Software Composition Analysis (SCA) into VS Code. Developers can scan their code to detect security risks in open-source libraries, library dependencies, and licenses. The detailed scan results help developers learn about vulnerabilities, prioritize security fixes, and remediate security issues from within their IDE. Version 0.5.1 only removes an obsolete README.

January 10, 2023​

Renaming the ConnectionDetailsSelection='Endpoint' YAML Property​

In February 2023, Veracode will release a new Azure DevOps Extension that uses the YAML property value ConnectionDetailsSelection='Service Connection' rather than the current value ConnectionDetailsSelection='Endpoint'. When upgrading to this new extension, you must update your YAML with the new value name.

January 5, 2023​

Improved Veracode Azure DevOps Extension​

Veracode Azure DevOps Extension version 3.17.0 includes the following improvements:

• Renamed the Veracode Analysis Center link to Veracode Platform.
• The extension no longer fails a pipeline build if it has a policy assessment of Conditional Pass, even if the Fail build if application fails security policy checkbox is selected.
• Fixed a minor error-handling issue when the build artifact directory is empty.
• The Flaw Import task now fails the build when importing flaws with an unsupported process template and the Fail build if flaw importer build step fails checkbox is selected.

January 3, 2023​

Improved Veracode Integration for Jira Cloud​

Veracode Integration for Jira Cloud version 4.7.0 now successfully loads the Findings Import page when importing large Jira projects.

December 19, 2022​

Improved Veracode Integration for Jira Server​

Veracode Integration for Jira Server version 3.38.0 includes the following improvements:

• Jira tickets from imported Static Analysis flaws now show the detected CWEs with a dash instead of an underscore. This CWE format matches the results in the Veracode Platform. For example, CWE_123 is now CWE-123.
• Jira tickets from imported SCA vulnerabilities now support the Mitigation Status and Mitigation Status Description fields.

December 15, 2022​

Veracode Mobile Application Packager is Deprecated​

Veracode Mobile Application Packager is now deprecated and will be obsolete on February 1, 2023.

December 14, 2022​

Veracode for VS Code Renamed to Veracode Greenlight for VS Code​

Veracode for VS Code version 1.6.0 includes the following updates:

• Changed the name of the extension to Veracode Greenlight for VS Code.
• Using File > Save on a single file now saves only that file, not all unsaved files.

December 13, 2022​

Veracode Azure DevOps Extension Fixes Link to Veracode Platform​

Veracode Azure DevOps Extension version 3.16.0 fixes the link on the Veracode Scan Summary tab. The link now opens the scan results in the Veracode Platform instead of the Application page.

December 6, 2022​

Updated Veracode Static for Visual Studio​

Veracode Static for Visual Studio version 1.7.0 fixes an issue where the extension could not authenticate with Veracode from a European Region instance.

November 16, 2022​

Updated Veracode Integration for Jira​

Veracode Integration for Jira version 3.37.0 fixes an issue where the plugin ignores all remaining applications after attempting to import findings from an application with COTS enabled.

November 14, 2022​

Updated C# API Wrapper​

Veracode C# API wrapper version 22.10.8.6 includes these updates:

• Fixed an error that can occur if the filename of an uploaded file contains certain characters or symbols. For example, ~ ^ ' { }
• The -debug parameter now logs timestamped messages that identify connectivity issues, error conditions, and the status of various composite actions.

Improved Veracode Greenlight for IntelliJ​

Veracode Greenlight for IntelliJ version 1.8.5 adds support for IntelliJ IDEA 2022.2.3.

October 27, 2022​

Java API Wrapper Has Improved Error Handling​

Veracode Java API Wrapper version 22.10.10.4 now cancels any scans that exceed the upload limit.

October 21, 2022​

Veracode Azure DevOps Extension Now Supports Automatic Deletion of Incomplete Scans​

Veracode Azure DevOps Extension version 3.15.0 adds options for deleting incomplete scans in your pipeline. When configuring the extension, you can add -deleteincompletescan as an optional argument or add -deleteIncompleteScan as a YAML property.

Updated Veracode Static for Visual Studio​

Veracode Static for Visual Studio (New) version 1.6.0 includes these changes:

• Fixed an issue where web projects inside folders did not publish.
• Fixed an issue where the scan progress bar in the IDE displayed as incomplete after clicking Custom Workflow.
• Run Scan button in the IDE is now disabled when the scan status is in a failed state. In the Veracode Platform, you also see a warning message to resolve this issue.

September 29, 2022​

Updated Greenlight for Eclipse​

Greenlight for Eclipse version 2.9.6 includes minor security and documentation updates.

September 22, 2022​

Improved Finding Import Performance for Veracode Integration for Jira Cloud​

Veracode Integration for Jira Cloud version 4.6.0 adds a new filter that only imports findings with new scan data, policy changes, or changes to applied mitigations since the last import.

September 13, 2022​

Java API Wrapper JavaDoc Update​

In Veracode Java API Wrapper version 22.9.10.3 the documentation available in the wrapper installation file now describes the Credentials class.

August 29, 2022​

Veracode Azure DevOps Extension Has Improved Flaw Importer Task​

Veracode Azure DevOps Extension version 3.14.0 includes the following improvements to the Flaw Importer Task.

• Uses fewer calls to complete flaw imports.
• Fixes an issue where flaws without comments did not sync or close.
• Fixes an issue where development sandbox findings did not import.

August 12, 2022​

Veracode TeamCity Plugin Now Supports Automatic Deletion of Incomplete Scans​

Veracode TeamCity Plugin version 2.7.0 adds configuration options for deleting incomplete scans.

August 9, 2022​

Veracode Integration for Jira Server Now Retries Downloading the Detailed XML Report​

Veracode Integration for Jira version 3.36.0 fixes an issue where the integration did not create tickets of imported flaws if it could not retrieve the Detailed XML Report. The integration now attempts to retrieve the Detailed XML Report during the next import cycle.

July 27, 2022​

Updated C# API Wrapper​

Veracode C# API wrapper version 22.8.8.5 includes these updates:

• Supports the -debug parameter.
• Fixes an issue to filter out Dynamic Analysis results.
• Adds transaction ID header to uploadandscan.

July 20, 2022​

Veracode Azure DevOps Extension Now Supports Importing SCA Vulnerabilities as Work Items​

Veracode Azure DevOps Extension version 3.13.0 updates the Flaw Importer task to support importing Software Composition Analysis (SCA) vulnerabilities as work items.

July 14, 2022​

Veracode Jenkins Plugin Now Supports Automatic Deletion of Incomplete Scans​

Veracode Jenkins Plugin version 22.6.18.0 adds configuration options for deleting incomplete scans.

June 27, 2022​

Improved Finding Import Performance for Veracode Integration for Jira Server​

Veracode Integration for Jira Server version 3.35.0 adds a new filter that only imports findings with new scan data, policy changes, or changes to applied mitigations since the last import.

June 22, 2022​

Deprecation of Admin XML APIs​

Veracode has deprecated the Admin XML APIs for user and team management. End-of-support for these APIs is scheduled for June 30, 2023. Veracode recommends that you begin updating your automations to use the Identity REST APIs. Also, enabling the Single Sign-on and Just-in-Time Provisioning feature automatically disables the Admin XML APIs for user management. Before enabling this feature, ensure all of your automations are using the Identity APIs.

June 8, 2022​

Updated Veracode Static for Visual Studio (New)​

Veracode Static for Visual Studio (New) version 1.5.0 includes these changes:

• Change the scan name from the name that Veracode generates and assigns during scanning.
• Import and review XML scan results from Veracode Detailed Reports.

May 18, 2022​

Java API Wrapper Updates -deleteincompletescan Parameter with Backward Compatibility​

Java API Wrapper version 22.5.10.1 updates the -deleteincompletescan parameter to be backward compatible with Java API wrapper versions earlier than 22.5.10.0, which released on May 4, 2022. After upgrading the wrapper, the parameter value automatically changes from boolean to an integer:

• If set to true, the value changes to 1.
• If set to false, the value changes to 0.

May 4, 2022​

Java API Wrapper Has Improved -deleteincompletescan Parameter​

Java API Wrapper version 22.5.10.0 includes changes to the -deleteincompletescan parameter for deleting incomplete scans when running the uploadandscan action. This parameter now accepts an integer value, rather than boolean, for deleting an incomplete scan based on the scan status.

April 15, 2022​

Introducing New Veracode Static Extensions for Visual Studio 2019 and 2022​

Veracode Static for Visual Studio version 1.4.0 is a new extension for adding Static Analysis to Visual Studio 2019 and 2022. The new extension for Visual Studio 2019 provides major improvements compared to our current legacy extension for version 2019, which Veracode continues to support.

The extensions include these features:

• Improved user experience for developers.
• Powerful Summary View grid for reviewing and managing findings.
• Streamlined workflow for building, packaging, and scanning your code.
• Support for policy and sandbox scans.

An extension for each Visual Studio version is available from the Visual Studio Marketplace.

April 12, 2022​

Veracode Greenlight Now Supports the New Visual Studio 2019 and 2022​

Veracode Greenlight for Visual Studio version 1.3.184.96 is a new extension for adding Greenlight scanning to the newer versions of Visual Studio 2019 and 2022. An extension for each Visual Studio version is available from the Visual Studio Marketplace.

March 9, 2022​

Updated Azure DevOps Extension​

Veracode Azure DevOps Extension version 3.10.0 includes these changes:

• TFS 2017 is no longer supported.
• TFS 2018 support now requires Azure Pipeline Agent 2.196.2 or later.
• Flaw Importer task can now import custom fields when using custom process templates.
• Flaw Importer task can now overwrite the area path in work items when importing flaws.

The updates on this page apply to the Veracode CLI in the Commercial Region.

April 15, 2024​

Veracode CLI 2.16.0​

This update includes the following improvements:

• The veracode package command now supports iOS, in addition to existing support for Java, JavaScript, .NET, Python, PHP, Scala, Kotlin, Go, and Ruby on Rails. You use this command to auto-package your applications for Static Analysis and Software Composition Analysis (SCA) upload scans.
• The packaged artifacts use a Veracode approved filename format.
• Improved error messaging.
• The veracode package command output now displays the installed CLI version.

March 29, 2024​

Fix flaws in multiple files in a directory​

The veracode fix command now provides suggested fixes for a directory of source files, in addition to a single source file. You can fix flaws in multiple files as a batch, without having to rescan your code each time you apply a fix.

March 27, 2024​

Veracode CLI 2.14.0​

The veracode package command now supports application packaging for the following languages:

• .NET
• Go
• Kotlin
• PHP
• Ruby on Rails
• Scala

February 5, 2024​

New commands for reporting on repository contributors​

The Veracode CLI now includes the following commands:

• veracode repository add: create an Excel file that lists all accessible repositories from which to import contributing developers.
• veracode repository report: create a report that lists all contributing developers for each repository.

January 18, 2024​

The Veracode CLI now supports auto-packaging for Veracode Static Analysis​

The Veracode CLI now supports Static Analysis auto-packaging for Java, JavaScript, and Python. The package command removes manual packaging steps to streamline your application security tests.

January 9, 2024​

Install the CLI on Windows with a PowerShell script​

You can now install the Veracode CLI on Windows with a PowerShell script.

October 26, 2023​

The Veracode CLI now supports Windows​

You can now install the Veracode CLI on Windows with Chocolatey.

June 28, 2023​

Introducing Veracode Fix​

The veracode fix command is a new generative AI feature of the Veracode CLI. It uses the results from a Veracode Pipeline Scan to generate suggested code fixes that you can apply to flaws in your application source code. This feature is currently only available in the Commercial Region. To get started, see the quickstart.

December 30, 2022​

Released Veracode Container Security​

Veracode Container Security is available. Container Security is a feature of the Veracode CLI that does the following:

• Scans for container vulnerabilities
• Scans for infrastructure as code misconfigurations
• Scans for improperly stored secrets
• Helps developers secure their cloud native applications

For more information about Veracode Container Security, contact your Veracode account representative.

The updates on this page apply to Veracode Software Composition Analysis (SCA) in the Commercial Region.

April 11, 2024​

SCA agent enhancement​

Veracode added enhancements to the agent that will be used in the future for scanning of iOS and .NET projects and fixed a bug caused by libraries with no versions in Go projects.

April 3, 2024​

API to scan SBOMs​

Veracode has released a REST API for scanning SBOMs. You can use this API to upload and scan an SBOM to identify vulnerabilities and license risks associated with the libraries listed in the SBOM. The API can produce a new SBOM that includes results from the scan in CycloneDX or SPDX format.

April 2, 2024​

Reporting changes for ‘conditional pass’ SCA findings​

Even though policy status can have three possible values—pass, fail, and conditional pass—several reports and APIs with finding-level policy status fields are limited to only two possible values, such as true and false. Veracode has changed how it populates these fields for SCA upload scans to be more consistent with Static Analysis scans.

These changes only affect findings with a conditional pass status. There is no impact on how Veracode calculates the application-level policy status or how the user interface displays the finding-level policy status. For more details, review the post in the Product Announcement group in the Veracode Community.

April 1, 2024​

include_metrics parameter for getWorkspaces API set to FALSE by default​

The default value for the include_metrics parameter has changed from TRUE to FALSE for the getWorkspaces API. When the parameter is FALSE, the API responds more quickly but provides data only for the following fields: id, name, projects_count, and site_id. If you set the parameter to TRUE, the API also provides data for the following fields: last_scan_date, library_issues_count, vulnerability_issues_count, and total_issues_count.

SCA agent enhancement​

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 28, 2024​

New SCA homepage (Beta)​

A Beta version of the new SCA homepage is now avilable in the Veracode Platform. To access the new homepage, select Scans & Analysis > Software Composition Analysis. Then, turn on New SCA Home (Beta). This page is built on a new infrastructure that Veracode will use to provide unified results from SCA upload scans and SCA agent-based scans. To see all applications and workspaces that you scanned after March 27, 2024, select the Portfolio tab. To see all discovered components from scans you ran after March 27, 2024, select the Components tab.

March 27, 2024​

SCA agent enhancement​

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 21, 2024​

SCA agent enhancement​

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 15, 2024​

SCA agent enhancement​

Veracode added enhancements to the agent that will be used in the future for scanning of Ruby and iOS projects.

March 5, 2024​

SCA agent enhancement​

Veracode added enhancements to the agent that will be used in the future for scanning of iOS projects.

February 29, 2024​

SCA agent enhancement​

Veracode added enhancements to the agent that will be used in the future for scanning of .NET, Go, Java Gradle, and Scala SBT projects.

February 27, 2024​

SCA agent enhancement​

Veracode added enhancements to the agent that will be used in the future for scanning of .NET projects.

February 8, 2024​

Vulnerable methods for Go​

Veracode SCA agent-based scanning now supports detecting vulnerable methods in Go projects that use Go modules as the package manager.

Gradle scanning enhancement​

Veracode SCA agent-based scanning now supports scanning Gradle projects without access to the plugin on maven.apache.org. See Run an agent-based scan for Gradle for more details.

New include_metrics parameter for getWorkspaces API​

Veracode has added the include_metrics parameter to the getWorkspaces API. When the parameter is TRUE, there are no changes to the issue count and other metrics that the API includes in the payload. When the parameter is FALSE, the API responds more quickly but provides data only for the following fields: id, name, projects_count, and site_id.

Through March 31st, 2024, the default value for the include_metrics parameter is TRUE. On April 1st, the default will change to FALSE. If you have automation that relies on having issue counts and other metrics, Veracode recommends you adjust the parameter in your API call before April 1st.

January 23, 2024​

Maven scanning enhancement​

Veracode SCA agent-based scanning now supports scanning Maven projects without access to the plugin on maven.apache.org. See Run an agent-based scan for Maven for more details.

Fix for Python scans​

Veracode fixed an issue that caused an error in SCA agent-based scans of Python projects when using a newer version of pipenv.

January 5, 2024​

SCA API enhancements​

Veracode has fixed an issue that caused the SCA Agent Issues APIs to exclude fixed issues from the payload when the vuln_methods parameter was set to true. This fix applies to scans performed after January 5th, 2024.

Additionally, the getProjectIssues endpoint now supports all of the same parameters as the getWorkspaceIssues endpoint.

January 4, 2024​

Veracode Vulnerability Database now includes exploit information​

The Veracode Vulnerability Database now includes data from both the Exploit Prediction Scoring System (EPSS) and the Cybersecurity & Infrastructure Security Agency Known Exploited Vulnerabilities (KEV) catalog. To access this data, you must sign in to the Veracode Platform. For more information, see Understanding SCA exploitability information.

December 19, 2023​

SCA agent enhancement​

The SCA agent can now scan target directories that contain spaces when SRCCLR_NO_GIT is set to 1.

December 18, 2023​

APIs now include KEV data​

Veracode has added data from the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog to the SCA Agent Issues APIs and the Findings API. See Understanding SCA exploitability information for more details.

December 11, 2023​

API to link projects to application profiles​

Veracode has released the SCA App-Linking REST API. You can use this API to link a project for SCA agent-based scans to an application profile. The linked application profile receives all libraries, licenses, and discovered vulnerabilities from that project, along with all results from SCA Upload scans. To link a project, use the linkAppProject endpoint. To unlink a project, use the unlinkAppProject endpoint.

SCA agent enhancement​

Veracode has fixed an issue that prevented the SCA agent from cleaning up local scan directories and added enhancements to the agent that will be used in the future for scanning Java projects.

December 4, 2023​

SCA agent enhancement​

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 21, 2023​

SCA agent enhancement​

Veracode has added several enhancements and fixes to the SCA agent.

November 14, 2023​

SCA agent enhancement​

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 6, 2023​

API to propose and approve mitigations for SCA findings​

Veracode has released the SCA Annotations REST API. This API includes the getSCAannotations endpoint to retrieve comments and mitigations applied to findings from SCA upload scans and the createSCAannotations endpoint to annotate SCA upload findings, including adding comments and proposing, accepting, and rejecting mitigations.

The SCA Annotations API specification is available on SwaggerHub.

This API is not part of the Annotations API, which works with findings from Static Analysis and Dynamic Analysis.

October 11, 2023​

Exploit probability (EPSS) added to Findings API​

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the Findings REST API. See Understanding SCA exploitability information for more details.

Fixed SCA agent error​

Veracode has fixed an issue that caused a null pointer exception when performing an agent-based scan on some projects.

September 27, 2023​

Correction of SCA Fix By dates in sandboxes​

Veracode has fixed an issue impacting the calculation of Fix By dates in sandbox scans. Previously, SCA used the scan date or the scan promotion date as the date that a component was first found, causing the Fix By date to be pushed out continuously. This fix is not retroactive and only impacts scans completed after Sept 27, 2023.

September 22, 2023​

Assign policies to SCA agent-based scan workspaces​

The new Unified Policy feature allows you to assign policies to workspaces used for SCA agent-based scans. Like the existing agent rules, you can use policies to create issues and break your build based on certain criteria. See more details about applying rules to a policy, assigning policies to agent-based workspaces, and setting default policies.

Veracode will migrate customers from agent rules to Unified Policy in batches and will retire agent rules before April 1, 2024.

August 28, 2023​

Agent-based scan UI now displays CVSS v3​

Because the National Vulnerability Database stopped supporting CVSS v2 in July 2022 and most users have moved to v3, the Library and Vulnerability pages of SCA's agent-based scan user interface now display CVSS v3 scores, instead of v2. You must clear the cache in your web browser to see these changes.

To also display CVSS v3 on the workspace Issue pages and the project Issue tab, you must update your agent rules to use CVSS v3.

August 16, 2023​

Enhancements to SCA agent dependency graph traversal​

Veracode has improved the performance of the SCA agent by optimizing how it handles dependencies with very complicated and intertwined dependency graphs.

August 8, 2023​

Exploit probability (EPSS) added to SCA Agent APIs​

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the SCA Agent REST APIs. See Understanding SCA Exploitability Information for more details.

July 21, 2023​

Enhancements to .NET scanning​

Veracode has added the following enhancements to SCA scanning for .NET applications:

• Reduced false positives and false negatives in SCA upload scans by adding support for deps.json and project.asset.json files.
• Enhanced SCA Agent scans by adding ability to perform --quick scans on NuGet projects.

July 28, 2023​

API to retrieve list of SCA agent projects linked to an application​

Veracode has released the getApplicationProjects API to allow users to retrieve a list of SCA agent projects that are linked to a specific application. Users who have rights to call the getApplications API may also call the getApplicationProjects API.

July 11, 2023​

Additional roles can call SBOM APIs​

Veracode has expanded the list of roles that are allowed to call the CycloneDX Software Bill of Materials (SBOM) API and the SPDX SBOM API. See the SBOM API instructions for application profiles and agent-based projects for details.

June 28, 2023​

SCA agent CLI now displays CVSS v3 severities​

The Vulnerabilities section of the Summary Report that appears in your CLI after an SCA agent-based scan now displays CVSS v3 severities, instead of v2.

The Issues section still displays CVSS v2 severities by default, but you can edit the severity in your agent-based scanning rules to reflect v3. If you have not modified your rules to use CVSS v3, Veracode recommends setting up organization-level rules to avoid having to edit rules on every workspace individually.

June 20, 2023​

Support for v3 format of NPM lockfiles​

Veracode has added support for NPM lockfile format version 3. See Run an Agent-Based Scan for NPM or JavaScript and TypeScript Packaging for details.

May 15, 2023​

Fixed agent error for Yarn scans​

Veracode has fixed an issue causing SCA agent-based scans of Yarn projects to erroneously fail.

May 9, 2023​

Upgraded JRE for SCA agent​

Veracode has upgraded the Java Runtime Environment (JRE) for the SCA agent from version 11 to 17.

Added GNU Privacy Guard to SCA agent downloads​

Veracode has added GNU Privacy Guard (GPG) signature files to all SCA agent downloads to verify you are downloading a valid version.

May 3, 2023​

Fixed scope parameter for NPM scans​

Veracode has resolved an issue impacting the scope parameter for SCA agent-based scans of NPM projects.

April 14, 2023​

SCA agent enhancements​

Veracode has added the following enhancements to the SCA agent:

• Support for Gradle version 8.
• The default scope for scans of NPM projects is now production dependencies instead of all dependencies.

Temporarily ignore issues from agent-based scans​

You can now specify a date for Veracode to stop ignoring issues from SCA agent-based scans.

April 6, 2023​

Enhancements to Go scanning​

Veracode has added the following enhancements to SCA scanning for Go projects:

• Reduced false positives.
• Reduced false negatives.
• Increased scan speed.
• Fixed an issue that removed component names when agent-based scan results were linked to an application.
• Fixed an issue that caused indirect dependencies to appear in agent-based scan results as direct libraries instead of transitive libraries.

April 4, 2023​

Enhanced SCA agent support for Java 17 features​

Veracode SCA has improved agent-based scan support for projects that contain Java 17 features.

April 3, 2023​

NVD severity ratings for SCA upload scans​

Veracode Software Composition Analysis (SCA) upload scans now support displaying updated severity ratings that more closely match the National Vulnerability Database (NVD) severity ratings. To enable this feature for your account, contact Veracode Technical Support.

March 16, 2023​

New mitigation type available for SCA upload scans​

You can now choose to accept the risk of specific vulnerabilities and licenses as part of your mitigation process for Veracode SCA upload scans. This mitigation type is already available for Veracode Static Analysis and Dynamic Analysis.

February 3, 2023​

Region flag for agent-based scans​

Veracode SCA agent-based scans now provide a region flag that you can use to configure accounts in the European Region and United States Federal Region.

February 2, 2023​

JRE upgrade for SCA agent​

Veracode has upgraded the Java Runtime Environment (JRE) that is bundled with the Software Composition Analysis (SCA) agent.

January 13, 2023​

Improved SCA support for Python 3​

Veracode Software Composition Analysis (SCA) agent-based scans now more effectively locate local Python 3 installations.

December 21, 2022​

Generate SBOM in SPDX format​

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) in SPDX JSON format from the results of your Veracode SCA upload scans.

December 14, 2022​

SCA support for Android​

Veracode Software Composition Analysis (SCA) now supports scanning Android projects. This support includes AAR files for agent-based scans and APK and AAB files for upload scans.

September 15, 2022​

SCA support for Go aliases​

Veracode Software Composition Analysis (SCA) now supports aliases in Go projects. This support includes agent-based and upload scans.

Vulnerable method support for Java 17​

Veracode SCA agent-based scanning now supports vulnerable method analysis for Java 17.

August 22, 2022​

Set SCM URI as project name​

You can now set the source code management (SCM) URI as your project name using the --uri-as-name option in your Veracode SCA agent-based scans.

July 22, 2022​

SBOM API support for SCA agent-based scans linked to application profiles​

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans that you have linked to an application profile. The API generates an SBOM in CycloneDX JSON format.

June 6, 2022​

Generate SBOMs for SCA agent-based scans with the REST API​

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans. The API generates an SBOM in CycloneDX JSON format.

May 9, 2022​

SBOM API support for promoted sandbox scans​

You can now generate a software bill of materials (SBOM) for Veracode SCA upload scans that have been promoted from sandbox to policy scans. The Veracode SCA Agent REST API includes promoted sandbox scan results when it returns a CycloneDX SBOM for an application.

SCA upload and scan table update​

Veracode has removed the Number of Known Vulnerabilities by Severity column from the Applications table on the Upload and Scan page in the Veracode Platform. This update significantly reduces load times for the page. You can still view the number of known vulnerabilities by severity for each application in the application profile.

April 26, 2022​

Generate SBOMs for SCA upload scans with the REST API​

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA upload scans. The API generates an SBOM in CycloneDX JSON format.

January 20, 2022​

JSON output for agent-based scans includes CVSS v3 score​

Veracode Software Composition Analysis (SCA) now provides the CVSS version 3 score in the JSON CLI output of your agent-based scan results. To use this feature, you must upgrade your Veracode SCA agent to version 3.7.77 or later.

The updates on this page apply to the Veracode Platform in the European Region.

April 10, 2024​

Add a Git repository to application metadata​

You can now add the URL of a Git repository to the application profile metadata using the Applications REST API and the Veracode Platform.

November 27, 2023​

Free trial of DAST Essentials​

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

October 16, 2023​

New Veracode Analytics fields available in European Region​

The new Second Party Component and Fixable (Yes / No) fields in the Veracode Analytics Findings explore are now available in the European Region.

September 29, 2022​

New Application Security Platform features available in European Region​

The following features are now available in the European Region.

• CWE Top 25 now reflects 2022 version
• Issue vulnerability count update in Analytics
• Sandbox Information Available in Unsubmitted Scans Report

May 10, 2022​

SCA dashboards available in Analytics​

Data from Veracode Software Composition Analysis (SCA) agent-based scans and upload scans is now available in Veracode Analytics for the European Region. The predefined Veracode dashboards, including the SCA Findings dashboard, now contain SCA scan data. You can also use the Findings, SCA Agent-Based Scans, and SCA Agent-Based Scan Issues data explores for custom reporting.

May 3, 2022​

Support cases and scheduled consultations now available​

You can now raise a support case and schedule a consultation from the Veracode Platform in the European Region.

Veracode Platform services updated to current versions​

Applications and policies for the European Region now run on the current versions in the Veracode Platform.

The updates on this page apply to the Veracode Platform in the Commercial Region.

April 4, 2024​

Veracode Analytics updates​

The Veracode Analytics Findings explore includes the following improvements:

• Updated the Policy Rule Passed (Yes / No) field to match the new policy logic changes to findings from a Software Compsition Analysis (SCA). If SCA findings violate policy, but are within the grace period, the Veracode Platform does not report them as not passing policy, or "No".
• Added a new Findings Policy Status field that you can use to tag findings that violate policy and are within grace period as Conditional Pass.
• The SCA Agent-Based Scan Issues page now provides data about the projects and workspaces that generated the issues.

April 3, 2024​

Learning paths and improved docs search​

The Veracode Documentation has the following improvements:

• New Learning paths provide a sequence of videos and documentation that walk you through using Veracode products. For example, the steps show you how to prepare applications for scanning, run a Static Analysis or Dynamic Analysis in the Veracode Platform, and then review the results. By following these paths, new users can onboard and experienced users can gain a deeper understanding of Veracode products, features, and best practices.
• New search experience that helps you more easily search across all documentation and filter the results.

March 26, 2024​

Add Git repository to application metadata​

You can now specify the URL of a Git repository in the application profile metadata using the Applications REST API and the Veracode Platform.

November 27, 2023​

Free trial of DAST Essentials​

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

October 17, 2023​

New Veracode Analytics fields available​

The new Second Party Component and Fixable (Yes / No) fields in the Veracode Analytics Findings explore are now available.

July 19, 2023​

Upgrade to Looker 22.20​

Veracode has upgraded Analytics to use version 22.20 of the Looker platform. All existing dashboards now reflect the new Looker experience.

This upgrade introduces a known issue that prevents you from scrolling in the Timeline visualization. Additionally, you may experience an issue that automatically enables the Row Totals column in some pivot tables, which can cause rows to be double counted in stacked visualizations. To fix this issue, edit the dashboard and visualization, clear the Row Totals option, and save your changes.

Updated Security Program Overview Dashboard​

The default number of applications displayed in the What is my policy compliance over time? section of the Security Program Overview dashboard in Veracode Analytics has decreased from 100 to 25.

To view additional applications, customize the visualization and adjust the Application Rank by Published Date Descending filter.

July 15, 2022​

CWE Top 25 Now Reflects 2022 Version​

The Auto-Update CWE Top 25 security standard that you use in Veracode policies now reflects the 2022 CWE Top 25 list.

June 28, 2022​

Updated Single Sign-On and Just-In-Time Provisioning​

New single sign-on (SSO) and Just-In-Time (JIT) provisioning capabilities in the Veracode Platform improve reliability and supportability and extend the roles that JIT provisioning supports. Before using this feature, you must update your SSO settings in your identity provider.

To begin the process of enabling these capabilities, contact Veracode Support.

May 19, 2022​

The Issues Vulnerability Count Measure Changed​

Issues Vulnerability Count now includes only issues where the Issue Type is a Vulnerability Issue. In the past, this measure included the count of Vulnerability, License, and Library issues. The calculation of Issues Vulnerability Count is still based on the filters you select.

• Issues Issue Count: count of issues, regardless of type
• Issues Vulnerability Count: count of vulnerability issues
• Issues Libraries with Issues: total number of unique libraries with at least one issue

May 10, 2022​

Sandbox Information Available in Unsubmitted Static Scans Data Export​

Veracode has added sandbox information to the Unsubmitted Static Scans data export to make it easier to find the incomplete static scans for an application.

May 6, 2022​

End of Support for Internet Explorer 11​

Veracode will no longer support Microsoft Internet Explorer 11 after June 30, 2022. This change follows the Microsoft updates to its support model for Internet Explorer. Veracode recommends that you switch to a supported browser to avoid issues.

Official Support for Microsoft Edge​

The Veracode Docs are updated to confirm that Microsoft Edge is a supported browser.

April 4, 2022​

Improved Team Management in the Veracode Platform​

Veracode has improved the usability of the team management options on the Administration page in the Veracode Platform.

March 22, 2022​

View Applications by Policy Evaluation Date​

You can now view the date and time of the most recent event that triggered a policy evaluation for an application in a new field in the Applications REST API and the Applications list in the Veracode Platform. You can use this field to search for applications that have had new scans or approved mitigations since the listed date.

The updates on this page apply to Veracode Security Labs and Veracode eLearning. Security Labs is only supported in the Commercial Region. eLearning is supported in all Veracode regions.

April 3, 2024​

New Security Labs lessons

OWASP API Security Top 10 labs​

• OWASP API 6: Bad Design Compromises Security (JavaScript)
• OWASP API 7: Jot Down this Key (JavaScript)
• OWASP API 7: Secret Admin (JavaScript)
• OWASP API 7: eXternal Entity Injection (JavaScript)
• OWASP API 7: XML is Always a Challenge (JavaScript)
• OWASP API 8: Own the Database (JavaScript)
• OWASP API 8: Parameterize All the Things (JavaScript)
• OWASP API 8: Bobby Tables (JavaScript)
• OWASP API 9: Unprotected Deployments (JavaScript)
• OWASP API 10: The Importance of Logging and Monitoring (JavaScript)
• OWASP API 10: Logging in the API Infrastructure (JavaScript)

March 6, 2024​

New Security Labs lessons

OWASP API Security Top 10 labs​

• OWASP API 1: One ID to Access All Objects (JavaScript)
• OWASP API 1: Stronger IDs (JavaScript)
• OWASP API 2: Really, Really Bad Passwords (JavaScript)
• OWASP API 2: Terrible Password (JavaScript)
• OWASP API 3: Bugs in Debug (JavaScript)
• OWASP API 3: Revealing Schemas (JavaScript)
• OWASP API 4: Slow Down (JavaScript)
• OWASP API 4: Brute Force (JavaScript)
• OWASP API 4: Denial of Service (JavaScript)
• OWASP API 5: Neglected Endpoints (JavaScript)

February 7, 2024​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 1: Forging User Requests (.NET)

OWASP API Security Top 10 labs​

• OWASP API 10: The Importance of Logging and Monitoring (Java)
• OWASP API 10: Logging in the API Infrastructure (Java)

January 16, 2024​

New Security Labs lesson

OWASP API Security Top 10 labs​

• OWASP API 9: Unprotected Deployments (Java)

December 6, 2023​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 1: Redirect Rodeo (.NET, JavaScript)
• OWASP 8: Prototype Protection Agency (JavaScript)

OWASP API Security Top 10 labs​

• OWASP API 8: Own the Database (Java)
• OWASP API 8: Parameterize All the Things (Java)
• OWASP API 8: Bobby Tables (Java)

November 1, 2023​

New Security Labs lessons

OWASP API Security Top 10 labs​

• API 7: Jot Down This Key (Java)
• API 7: Secret Admin (Java)
• API 7: eXternal Entity (Java)
• API 7: XML is Always a Challenge (Java)

May 3, 2023​

New Security Labs lessons

OWASP Top 10 2021 labs​

New OWASP 10: Get There From Here (Python, Go)

April 5, 2023​

New Security Labs lessons

OWASP Top 10 2021 labs​

New OWASP 10: Get There From Here (.NET, Flask)

OWASP API Security Top 10 labs​

• API 5: Neglected Endpoints (Java)
• API 6: Bad Design Compromises Security (Java)
• API 6: Bad Design Compromises Security (.NET) (revamped!)

March 1, 2023​

New Security Labs lessons

Getting Started Labs​

New Getting Started - Lesson Zero (Flask, Go, Python)

OWASP Top 10 2021 labs​

• OWASP 1: Broken Access Control - Secrets in the Log (Java)
• OWASP 4: Making Secure Decisions (Flask, Go, Python)

OWASP API Security Top 10 labs​

• API 4: Slow Down (Java)
• API 4: Brute Force (Java)
• API 4: Denial of Service (Java)

February 1, 2023​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 1: Broken Access Control - Loose Lips Sink Servers (Dotnet)
• Beyond OWASP Top 10: Other Web App Risks - Know Your Limits (Java)

OWASP API Security Top 10 labs​

• API 3: Bugs in Debug (Java)
• API 3: Revealing Schemas (Java)

January 4, 2023​

New Security Labs lessons

OWASP Top 10 2021 labs​

New Beyond OWASP Top 10: Other Web App Risks - Do You Remember? (Dotnet)

OWASP API Security Top 10 labs​

• API 2: Really, Really Bad Passwords (Java)
• API 2: Terrible Password (Java)

December 6, 2022​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 4: Insecure Design - Insecure Decisions (Dotnet, Java)
• OWASP 4: Making Secure Decisions (Java)

OWASP API Security Top 10 labs​

• API 1: One ID to Access All Objects (Java)
• API 1: Stronger IDs (Java)

Getting Started Labs​

New Getting Started - Lesson Zero (Java, Node)

November 1, 2022​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 1: Broken Access Control - Loose Lips Sink Servers (Node)
• OWASP 4: Insecure Design - Valid Deficit (Dotnet)

OWASP API Security Top 10 labs​

New API 4: Lack of Resources & Rate Limiting - Denial of Service

October 4, 2022​

New Security Labs lessons

OWASP Top 10 2021 labs​

• OWASP 4: Insecure Design - Valid Deficit (Node)
• OWASP 9: Security Logging and Monitoring Failures - Hold the Line (Dotnet, Java)

September 26, 2022​

Topic Progress Bar Now Focused on Required Labs​

In Security Labs, the progress bar for a topic now shows the completion status for required labs only. If all required labs in a topic are complete, the progress bar shows 100% completion, even when there are incomplete optional labs.

September 6, 2022​

One New Security Labs Lesson

OWASP Top 10 2021 labs​

New OWASP 9: Security Logging and Monitoring Failures - Hold the Line (Node)

August 24, 2022​

New Click-Through Tour​

• After an administrator assigns a user the Manager role, they are given a one-time option to take a tour about the actions managers can do in Security Labs.
• You can also read new documentation on manager permissions.

August 3, 2022​

Three New API Security Labs Lessons

OWASP API Security Top 10 labs​

• New API 9 Improper Assets Management - Unprotected deployments (.NET)
• New API 10 Insufficient Logging & Monitoring - The Importance of Logging and Monitoring (.NET)
• New API 10 Insufficient Logging & Monitoring - Logging in the API Infrastructure (.NET)

July 6, 2022​

Seven New API Security Labs Lessons and One Updated OWASP Course

OWASP API Security Top 10 labs​

• New API 7 Security Misconfiguration - Jot down this key (.NET)
• New API 7 Security Misconfiguration - Secret Admins (.NET)
• New API 7 Security Misconfiguration - eXternal Entity (injection) (.NET)
• New API 7 Security Misconfiguration - XML is always a Challenge (.NET)
• New API 8 Injection - Own the database (.NET)
• New API 8 Injection - Parameterize all the things (.NET)
• New API 8 Injection - Bobby Tables (.NET)

OWASP Top 10:2021:10 Server-Side Request Forgery​

New Get There From Here (Node)

June 30, 2022​

Updated One eLearning Learner Level Course and Added Two New AppSec Tutorials​

• Updated the OWASP 2017 course to OWASP 2021 on Learner Level 1
• Added two new AppSec Tutorials on Learner Level 2

June 1, 2022​

The Security Training Team Released Two New API Security Courses and Updated Eight OWASP Courses

OWASP API Security Top 10 labs​

• API5:2019 Neglected endpoints (.NET)
• API6:2019 Bad Design Compromises Security (.NET)

OWASP Top 10 2021 labs​

See the Course Catalog for more details.

• A01:2021 Broken Access Control
• A02:2021 Cryptographic Failures
• A03:2021 Injection
• A05:2021 Security Misconfiguration
• A06:2021 Vulnerable and Outdated Components
• A07:2021 Identification and Authentication Failures
• A08:2021 Software and Data Integrity Failures
• A09:2021 Security Logging and Monitoring Failures

May 19, 2022​

The Security Training Team Released Three New eLearning Courses and Updated One Course​

• Updated A04: eLearning Secure Architecture and Design
• OWASP Top 10 2021
• A10: Server-Side Request Forgery AppSec Tutorial
• A08: Software and Data Integrity Failures AppSec Tutorial

May 4, 2022​

The Security Training Team Released Seven Labs​

OWASP API Security Top 10 Labs:

• API3:2019 Excessive Data Exposure - Bugs in Debug (.NET)
• API3:2019 Excessive Data Exposure - Revealing Schemas (.NET)
• API4:2019 Lack of Resources and Rate Limiting - Slow Down (.NET)
• API4:2019 Lack of Resources and Rate Limiting - Brute Force (.NET)

OWASP Top 10 2021 Labs:

• A04:2021 Insecure Design - Making Secure Decisions (.NET)
• A08:2021 Software and Data Integrity Failures - Sleeping With the Enemy (.NET, Node)
• A10:2021 Server-Side Request Forgery - Get There From Here (Java)

April 6, 2022​

Two New Labs​

• OWASP API #1 - Broken Object Level Authorization
• OWASP API #2 - Broken User Authentication

The updates on this page apply to Veracode Static Application Security Testing (SAST) in the Commercial Region.

March 28, 2024​

Updated language and framework support​

.NET​

• Improved CWE-1174 flaw detection resulting in a reduction in false positives

Android​

• Enhanced Android 14 support

Apex​

• Improved CWE-80 flaw detection resulting in a reduction in false positives

C/C++​

• Improved CWE-190 flaw detection resulting in a reduction in false positives
• CentOS/RHEL 9 (x64) support

COBOL​

• Improved parsing for COBOL

Go​

• Go 1.22 support

Java​

• Improved CWE-259 flaw detection for Java
• Improved processing of shaded JAR files

JavaScript​

• Improved processing of large JS files

Kotlin​

• Improved source file name parsing for Kotlin results

PL/SQL​

• Improved scan times for PL/SQL

Python​

• Improved CWE-80 handling for Python resulting in a reduction in false positives

React Native​

• Improved React Native handling of IPA files

T-SQL​

• Improved CWE-89 detection for T-SQL resulting in a reduction in false positives

March 12, 2024​

Updated Pipeline Scan language support​

Pipeline Scan now supports Ruby on Rails.

February 22, 2024​

Updated language and framework support​

.NET​

• Enhanced .NET 8 support
• Improved support for CultureInfo.InvariantCulture
• Improved CWE-78 flaw detection
• Improved CWE-117 flaw detection resulting in a reduction in false positives

C/C++​

• Improved CWE-121 flaw detection resulting in a reduction in false positives
• Improved CWE-125, 129, 134, 170, 190, 191, 195, and 196 flaw detection
• Improved CWE-477 flaw detection

COBOL​

• Improved flaw analysis for CWE-78, 89, 114, 201, 209, 242, 248, 252, 489, and 798
• Improved parsing for COBOL
• Improved scan performance for COBOL
• Improved scan size calculations

Java​

• Improved CWE-80 fix detection with modern Spring Framework versions
• Improved generic modeling and modeling of Spring Framework applications, which impacts all CWEs
• Improved CWE-916 detection
• Improved Java third-party detection

JavaScript and TypeScript​

• Improved analysis for numeric and boolean datatypes, which impacts all CWEs
• Improved type detection to prevent false positives for CWE-601 and all other CWEs
• Detect and ignore webpack-generated files that are concatenated or minified
• Improved support for fs/promises, which impacts all CWEs

Other languages​

• Improved CWE-259 and 798 flaw detection resulting in a reduction in false positives for all languages
• Improved analysis of conditionals for all languages
• Improved CWE-89 flaw detection for Classic ASP
• Improve support for error_log, which impacts CWE-73, 88, 93 and 117 for PHP

January 25, 2024​

Updated language and framework support​

.NET​

• Improved third-party detection
• Enhanced .NET 8 support
• Improved CWE-80, 89, 404, 501, and 1174 detection

Java​

• Improved flaw detection
• Improved third-party detection
• Improved CWE-117, 327, and 749 detection
• Added ‘jsi’ filetype support

C/C++​

• Improved flaw detection
• Added openSUSE (x86) version 12 support
• Improved CWE-121 and 190 detection

Dart​

• Improved flaw detection
• Improved third-party detection
• Improved CWE-331 detection

Other languages​

• Improved Android third-party detection
• Improved JavaScript flaw detection
• Updated JavaScript third-party detection
• Improved CWE-99 and 918 detection for Python
• Improved CWE-259, 798 detection for PHP
• Improved CWE-252, 259, 311, 522, 614, and 798 detection in iOS
• Improved CWE-321 detection for all languages
• Added CWE-639 support for COBOL

January 18, 2024​

The Veracode CLI now supports auto-packaging for Veracode Static Analysis​

The Veracode CLI now supports Static Analysis auto-packaging for Java, JavaScript, and Python. The package command removes manual packaging steps to streamline your application security tests.

December 27, 2023​

New COBOL scanner for Static Analysis​

The new COBOL scanner for Veracode Static Analysis includes advanced pattern recognition and static analysis techniques, allowing for more accurate and efficient detection of security vulnerabilities in COBOL code.

The improved detection may result in the identification of additional vulnerabilities and potential threats. The updates may also impact flaw matching for your applications. If you need help resolving these changes, contact Veracode Technical Support.

All COBOL scans now use the upgraded scanner.

More details are available in the Veracode Community.

December 14, 2023​

Updated language and framework support​

• Added .NET 8 initial support
• Added JavaScript / ECMAScript 2023 (ES14) support
• Added Config support from AWS SDK for Go
• Enhanced Android 13 support
• Enhanced Node.js v20 support
• Added Dart 3.2 and Flutter 3.16 support
• Improved CWE-327 (Use of Broken or Risky Cryptographic Algorithm) and CWE-352 (Cross-Site Request Forgery (CSRF)) detection for Ruby on Rails
• Improved CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) detection for .NET
• Improved CWE-352 (Unchecked Return Value) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) detection for .NET
• Improved accuracy of modeling Python method calls resulting in a reduction in false positives
• Improved CWE-926 (Improper Export of Android Application Components) detection for Android
• Improved CWE-321 (Use of Hard-coded Cryptographic Key) detection for all languages
• Improved CWE-331 (Insufficient Entropy) detection for Java
• Improved CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')) detection for PHP
• Improved parsing for PL/SQL
• Improved Python jsonify cleanser support for flaw class CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
• Improved support for JavaScript crypto APIs
• Improved iOS detection of CWE-252 (Unchecked Return Value)
• Improved support for JavaScript Axios library
• Improved .NET third-party detection
• Improved mixed-Java/Kotlin analysis
• Improved Java third-party detection
• Improved Android version detection
• Improved CWE-326 (Inadequate Encryption Strength) accuracy in .NET
• Improved accuracy for CWE-259 (Use of Hard-coded Password)and CWE-798 (Use of Hard-coded Credentials)
• Added detection of CWE-489 (Active Debug Code) in Go
• Improved analysis of JavaScript listeners

November 15, 2023​

Updated language and framework support​

• Added Javax to Jakarta transition support
• Added support for Java Records
• Added Spring Boot 3 support
• Added Spring Security 6 support
• Added Spring Core 6 support
• Added Android 14 Initial support
• Added KMS support for AWS SDK for Go
• Improved flaw detection for Dart apps
• Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) detection for all languages
• Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation), CWE-352 (Cross-Site Request Forgery), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) detection for .NET
• Improved third-party detection for Android, C/C++, Dart, and JavaScript
• Improved CWE-73 (External Control of File Name or Path) detection for Java
• Improved third-party detection in Java WAR files
• Improved CWE-252 (Unchecked Return Value), CWE-201(Insertion of Sensitive Information Into Sent Data), and CWE-297 (Improper Validation of Certificate with Host Mismatch) detection for iOS
• No longer report MemoryStream for CWE-404 in .NET
• Improved detection for unsupported mobile applications

October 26, 2023​

Updated language and framework support​

• Added Dart 3.1 and Flutter 3.13 support
• Added JDK 21 (LTS) support
• Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) detection for Kotlin
• Improved .NET analysis to ignore .NET ClickOnce “.deploy” files
• Improved third-party detection for Java, JavaScript, PHP, iOS, PL/SQL and C++
• Improved parsing for PL/SQL
• Improved CWE-798 (Use of Hard-coded Credentials) detection for PHP
• Enhanced Python analysis to treat modules consisting of all third-party code as first-party modules
• Improved Groovy analysis of objects
• Improved CWE-252 (Unchecked Return Value) detection for iOS
• Improved JavaScript analysis of objects
• Improved analysis of iOS apps to reduce CWE-284 (Improper Access Control) false positives
• Improved CWE-693 (Protection Mechanism Failure), CWE-926 (Improper Export of Android Application Components), CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-798 (Use of Hard-coded Credentials) detection for Android

October 2, 2023​

Updated language and framework support​

• Added iOS 17 initial support
• Added Go 1.21 support
• Added PHP Laravel 10 support
• Added .NET Minimal API support
• Enhanced .NET 7 support
• Enhanced Groovy 3 support
• Enhanced AWS SDK for Go support
• Enhanced Android 13 support
• Improved third-party detection for JavaScript
• Improved CWE-80 detection for Vue.js
• Improved CWE-259 detection for all languages
• Improved CWE-89 detection for Transact-SQL
• Improved third-party detection for C++
• Improved symmetric-key parsing rules for Transact-SQL
• Improved attribute idiomatic transformation support for Jakarta
• Improved CWE-693 detection for Android
• Improved scan performance for Micronaut framework
• Improved Node.js modeling to reduce false positives
• Improved handling of explicitly typed generic function calls in Go
• Improved data path quality for JavaScript
• Improved reporting of CWE-352 and CWE-915 in .NET to consolidate flaws reported on the same line and file as separate flaws into one flaw
• Added CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) detection for .NET applications

Deprecated support for some .NET cleansing functions​

Veracode has deprecated support of .NET cleansers for the following functions for flaw classes CWE-93, CWE-113, and CWE-117:

• antixsslibrary.dll : Microsoft.Security.Application.AntiXss.HtmlAttributeEncode
• antixsslibrary.dll : Microsoft.Security.Application.AntiXssEncoder.HtmlAttributeEncode
• antixsslibrary.dll : Microsoft.Security.Application.Encoder.HtmlAttributeEncode
• antixsslibrary.dll : Microsoft.Security.Application.Encoder.HtmlEncode
• mscorlib.dll : System.Security.SecurityElement.Escape
• system.dll : System.Net.WebUtility.HtmlEncode
• system.web.dll : System.Web.HttpServerUtility.HtmlEncode
• system.web.dll : System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode
• system.web.dll : System.Web.Util.HttpEncoder.HtmlAttributeEncode
• system.web.dll : System.Web.Util.HttpEncoder.HtmlEncode
• system.web.mvc.dll : System.Web.Mvc.HtmlHelper.AttributeEncode
• system.web.mvc.dll : System.Web.Mvc.HtmlHelper.Encode
• system.windows.browser.dll : System.Windows.Browser.HttpUtility.HtmlEncode
• system.windows.dll : System.Net.HttpUtility.HtmlEncode
• System.Runtime.dll : System.Net.WebUtility.HtmlEncode

These cleansing functions are insufficient for addressing their targeted flaw classes and better alternatives are available.

For more details on why Veracode deprecated support for these functions and how to protect your applications against CRLF injection attacks, see the Veracode Community.

September 11, 2023​

Fixed bug causing false positives for CWE-798​

In last month’s release, Veracode added improved support for CWE-798 (Use of Hard-coded Credentials) detection. However, a bug in the pattern matching caused a significant number of false positives for some users. Veracode has resolved this issue and the improvement should result in significantly fewer CWE-798 false positives.

August 23, 2023​

Updated language and framework support​

• Added Kotlin 1.9 support
• Added TypeScript 5.x support
• Added GCC 12 (RHEL 8) support
• Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation) detection on controller-derived classes
• Improved support for JavaScript URLSearchParams API
• Improved support for Spring produces annotation attribute
• Improved third-party detection for JavaScript
• Improved third-party detection for Android
• Improved third-party detection for Java
• Improved hardcoded password/credential detection (CWE-259 and 798)
• Improved .NET CWE-80 basic XSS detection
• Improved JavaScript detection of document elements
• Improved performance for Vue applications
• Improved .NET Entity Framework support
• Added ability to allow third-party PHP software if the entire upload is third-party
• Improved detection of Java CWE-611 XXE
• Improved support for Python Django views

July 25, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has added support for Quarkus, a Kubernetes-native Java stack tailored for OpenJDK HotSpot and GraalVM.

Veracode has improved static analysis by adding support for these new versions of supported technologies:

• Dart 3
• Angular 16

Improved Detection of CWE-259 and CWE-798​

Improvements to the detection methods Veracode uses to identify CWE-259 (Use of Hard-coded Password), and CWE-798 (Use of Hard-coded Credentials) vulnerabilities should reduce the number of false positives during static analysis. Improved CWE-259 coverage for Python language submissions.

June 22, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has added support for Micronaut 3.8.x, which is a JVM-based framework you use to build lightweight, modular applications.

Veracode has improved static analysis by enhancing support for Android 12.

Veracode has improved static analysis by adding support for these new versions of supported technologies:

• Ruby 3.2
• Kotlin 1.8
• Python Django 4.x

Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) Detection​

Improvements to the detection methods utilized to identify CWE-259 and CWE-798 vulnerabilities should reduce the number of false positives found during static analysis.

Additional CWE-693 Coverage for Android​

Veracode has added an additional CWE-693 (Protection Mechanism Failure) check for Android applications to ensure that the Play Integrity API is used appropriately.

May 23, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Full support for iOS 16
• Enhanced support for Java 20

Improved CWE-89 Coverage for Java and JavaScript/TypeScript​

The improved coverage increases the number of potential CWE-89 flaws that Veracode discovers in Java and JavaScript/TypeScript applications, which might affect your scan results.

Added CWE-451 Coverage for Android​

Veracode has added CWE-451 (Tapjacking) coverage for Android applications.

May 18, 2023​

Pipeline Scan Adds Support for Module Selection​

Pipeline Scan adds a new --include parameter. You use this parameter to specify the top-level modules to include during scanning. The scan results now show both the modules that Veracode identified during prescan and the modules included in the scan.

This update is available with Veracode CLI version 23.4.3-0 and Veracode Docker image version 23.4.3.

April 27, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Support for JDK 20
• Enhanced support for .NET 7
• Enhanced support for Python SQLAlchemy
• Enhanced support for React Native 0.7x
• Support for AWS SDK for Go v2

Improved Static Analysis for Python Language Submissions​

Static analysis of Python applications inaccurately reports certain CWE-918 (Server-Side Request Forgery (SSRF)) flaws as CWE-201 (Insertion of Sensitive Information Into Sent Data) flaws. This update recategorizes these incorrectly reported flaws as CWE-918. This update might impact existing flaw matching and you might need to apply new mitigations to these flaws.

After you apply this update, any Python applications that contain CWE-201 flaws and have any of the following policy requirements might fail your security policy:

• Security Standard rule for Auto-Update CWE Top 25

• Findings by Severity rule for Medium or higher

• Minimum Scan Score rule

March 23, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Support for Vue 3.x
• Support for React Native 0.7x
• Enhanced support for Python Flask 2.x

Improved Static Analysis for WebMethodAttribute use in ASP.NET Classic​

Veracode has improved static analysis for WebMethodAttribute use in ASP.NET Classic (non MVC and/or MVC Core) WebForms and WebServices. This will affect the flaws found and associated policy results for customers by reducing the number of FPs found.

February 23, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Support for Go 1.20
• Support for Angular 14 & 15
• Support for React 18
• Support for Dart 2.17, 2.18, 2.19 and Flutter 3.0, 3.3, 3.7

Improved COBOL Parser Error Handling​

Veracode no longer reports parser errors in standalone copybook files that COBOL files do not include. These files are not relevant for security scanning unless COBOL files reference them.

January 26, 2023​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Initial Support for .NET 7

Veracode has improved static analysis by adding support for:

• Server-side request forgery (SSRF) reporting for JavaScript

Veracode has released a new version of our new iOS packaging tool:

• Gen IR version 0.2.1: gen-ir

December 15, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these new versions of supported technologies:

• Support for Node.js 18
• Support for PHP Laravel 6-9
• Initial Support for Kotlin 1.7
• Initial Support for Android 13
• Support for Python Flask 2.x
• Support for Go 1.18-1.19
• Support for React Native 0.67

Veracode improved static analysis by adding support for these new languages and frameworks:

• Support for Dart and Flutter
• Support for .NET MAUI

Veracode has improved static analysis by adding a new iOS packaging tool to support Xcode 14 without the Enable_Bitcode setting:

• New iOS packaging tool: gen-ir
• Updated documentation: iOS and tvOS Application Packaging

November 17, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these languages and frameworks:

• Support for JDK 19
• Support for Azure Functions v4 for .NET

October 27, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these languages and frameworks:

• Support for Visual C++ 14.3.x for Visual Studio 2022
• Support for Azure Functions for Python

October 19, 2022​

New Packaging Guidance Tool​

You can use the new Veracode Packaging Cheat Sheet to generate language-specific packaging guidance for Static Analysis.

October 4, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode improved static analysis by adding support for these languages and frameworks:

• Support for JDK 18
• Full support for .NET 6
• Initial support for iOS 16
• Enhanced support for Golang Gorilla
• Enhanced support for React and React Router

August 25, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Full support for PHP Symfony 5.x
• Initial support for PHP Symfony 6.x
• Support for PL/SQL for Oracle 19c and 21c

August 1, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Initial support for Rails 7.0 and Ruby 3.x
• Full support for iOS 15
• Initial support for PHP Symfony

June 24, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Initial support of Ruby on Rails 6.1

April 28, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Initial support of PHP 8 and 8.1
• Support of Python Flask 1.1

March 28, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Support for Django 3.x
• Support for Android Jetpack
• Support for Go Gin-Gonic
• Support of Azure DevOps functions for JavaScript and TypeScript

February 24, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Full support of Xamarin platform versions and Xamarin.Essentials namespace
• Initial support of Azure Functions for Java

Veracode has improved static analysis by adding support for these new versions:

• Full support of Go 1.17
• Initial support of Angular 13
• Initial support of GCC 11
• Initial support of PHP 7.4

February 3, 2022​

New Veracode Static Analysis Support for Languages and Frameworks​

Veracode has improved static analysis by adding:

• Full support of Android 11

Veracode has improved static analysis by adding support for these new versions:

• Initial support of Kotlin 1.5
• Initial support of Kotlin 1.6

Veracode Static Analysis Improvements​

Veracode has improved accuracy of hard-coded Passwords. You can expect:

• Fewer false positives where local files are in known valid locations
• Better identification of sensitive variable names

Veracode has improved modeling for TypeScript support. You can expect:

• Fewer false positives, and more true positives in TypeScript applications where type information is specified.

The updates on this page apply specifically to Veracode accounts in the European Region or US Federal Region. For integrations updates that apply to accounts in all regions, see Integrations updates - Commercial.

The Veracode integrations and APIs, except for Veracode Greenlight, support all Veracode regions. Greenlight is not supported in the European Region.

For SCA integrations, see the SCA updates.

February 23, 2024​

Veracode Integration for Jira Server 4.6.0​

With this update, when you select links in Jira tickets that open application profiles located in the European Region or US Federal Region, the links no longer open in the Commercial instance of the Veracode Platform.

The updates on this page apply to the Veracode Dynamic Analysis Security Testing (DAST) features in the European Region:

• Dynamic Analysis
• API scanning
• Internal Scanning Management (ISM)

Discovery Scans is not supported in the European Region.

November 27, 2023​

Free trial of DAST Essentials​

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

November 15, 2023​

Introducing DAST Essentials​

DAST Essentials is a new Dynamic Application Security Testing (DAST) product that provides rapid and resilient DAST scanning of web applications and REST APIs, a user-friendly interface, and seamless CI/CD pipeline integration. To get started, see the quickstart.

October 21, 2022​

ISM available for Dynamic Analysis​

Internal Scanning Management (ISM) is now available for Veracode Dynamic Analysis of web applications and API specifications in the European Region.

July 28, 2022​

Dynamic Analysis available for European Region​

Veracode Dynamic Analysis is now available in the European Region. If you have a Veracode Dynamic Analysis subscription, you can now perform dynamic analysis security testing and API testing against public facing web applications and APIs.

The updates on this page apply to the Veracode CLI in the European Region. For updates in the Commercial Region, see CLI updates - Commercial.

October 5, 2023​

Veracode Fix is now available in the European Region​

Veracode Fix is now fully supported in the European Region.

Review the product updates for the latest features, enhancements, important announcements, and release notes for Veracode products and services. Subscribe to all posts with the RSS feed.

To the left, under Updates by region, the latest posts are at the top of the list.

The update sections are categorized by product area and Veracode region, such as Commercial (the default). Your Veracode account is in one of these regions. If you do not know the region for your account, contact the Veracode Administrator for your organization.

Downloads​

To download the latest Veracode integrations, see Integrate with Veracode or go to Community Integrations.

Archives​

The following sections are archived updates for older releases. Veracode no longer maintains these sections.

• 2021 updates archive - Commercial
• 2020 updates archive - Commercial