March 20, 2023

Veracode SCA Scan for VS Code 0.7.0

This update includes the following improvements:

  • The extension now includes an SCA Agent. After you install the extension, you can install the SCA Agent from within the IDE and start scanning.
  • You can point to a vulnerability in the VULNERABILITIES view to see whether it passes the built-in policy.
  • The Vulnerability Details window now shows the policy for the selected vulnerability.
  • To indicate which vulnerabilities have passed the built-in policy, the VULNERABILITIES view now groups them by Did Not Pass Policy or Passed Policy.

March 8, 2023

Java API Wrapper 23.3.11.0

This version includes the following changes:

March 2, 2023

Veracode Azure DevOps Extension 3.19.0

This update adds support for both of the following YAML property values:

  • ConnectionDetailsSelection='Endpoint'
  • ConnectionDetailsSelection='Service Connection'

March 1, 2023

Veracode Azure DevOps Extension 3.18.0

This update includes the following changes:

  • Changes the YAML property value ConnectionDetailsSelection='Endpoint' to ConnectionDetailsSelection='Service Connection'. When you upgrade to this new extension, you must update your YAML with the new value name.
  • Static Analysis work items now have a Grace Period Expiration field.
  • SCA work items now have a First Found Date field and File Path field for vulnerabilities.
  • The Summary Report now shows a link to the Scan Details page.
  • The extension now fails the build if Development Sandbox scans find SCA vulnerabilities.
  • Builds no longer fail when the application name contains special characters and the Fail build if Upload and scan build steps fails option is cleared.

February 28, 2023

Veracode Greenlight for IntelliJ Supports IntelliJ v2022.2.3

Veracode Greenlight v1.8.7 adds support for IntelliJ v2022.2.3.

February 22, 2023

Updated Identity REST API

You can now use the Identity REST API to manage Veracode API credentials for API service accounts, also called API users.

February 9, 2023

Updated Veracode SCA Scan for VS Code

Veracode SCA Scan for VS Code version 0.6.0 includes the following updates:

  • Adds a Create a Case link that you can use to send a support case to Veracode Technical Support.
  • Adds a Leave Feedback link that you can use to provide feedback in a survey.
  • Fixes an issue where the extension did not verify undefined or null values.

February 3, 2023

Mandatory Upgrade for Veracode Greenlight for IntelliJ

Veracode Greenlight for IntelliJ version 1.8.6 supports a recent change to the Greenlight API. To continue using this plugin, you must upgrade to this version by February 13, 2023.

February 2, 2023

Mandatory Upgrade for Veracode Greenlight for Eclipse

Veracode Greenlight for Eclipse version 2.9.7 includes these changes:

  • Supports a recent change to the Greenlight API. To continue using this plugin, you must upgrade to this version by February 13, 2023.
  • Fixes a refresh issue that flashes various status messages at the bottom of the Eclipse interface.

February 1, 2023

Updated Java API Wrapper

Veracode Java API Wrapper version 23.1.10.5 adds logic to identify and remove Unicode application names from the XML response.

Veracode Mobile Application Packager Has Reached End of Life

Veracode Mobile Application Packager is now End of Life (EOL) and is no longer supported by Veracode Technical Support. To compile and package tvOS or iOS applications that you developed in the Xcode IDE, see the packaging requirements.

January 30, 2023

Mandatory Greenlight Upgrades for Eclipse and IntelliJ

Veracode has made a change to the Greenlight API that will impact the following plugins.

  • Veracode Greenlight for Eclipse version 2.9.6 and earlier
  • Veracode Greenlight for IntelliJ version 1.8.5.2022 and earlier

New versions of these plugins will be available on February 2, 2023 and February 3, 2023, respectively. To continue using these plugins, you must upgrade to the new versions by February 13, 2023.

January 23, 2023

Veracode Integration for Jira Supports Jira Server 9

Veracode Integration for Jira version 4.0.1 adds support for Jira Server 9. This integration no longer supports Jira Server 8.6.0 and earlier.

January 17, 2023

Introducing Veracode SCA Scan for VS Code

Veracode SCA Scan for VS Code version 0.5.0 is a new extension that integrates Software Composition Analysis (SCA) into VS Code. Developers can scan their code to detect security risks in open-source libraries, library dependencies, and licenses. The detailed scan results help developers learn about vulnerabilities, prioritize security fixes, and remediate security issues from within their IDE. Version 0.5.1 only removes an obsolete README.

January 10, 2023

Renaming the ConnectionDetailsSelection='Endpoint' YAML Property

In February 2023, Veracode will release a new Azure DevOps Extension that uses the YAML property value ConnectionDetailsSelection='Service Connection' rather than the current value ConnectionDetailsSelection='Endpoint'. When upgrading to this new extension, you must update your YAML with the new value name.

January 5, 2023

Improved Veracode Azure DevOps Extension

Veracode Azure DevOps Extension version 3.17.0 includes the following improvements:

  • Renamed the Veracode Analysis Center link to Veracode Platform.
  • The extension no longer fails a pipeline build if it has a policy assessment of Conditional Pass, even if the Fail build if application fails security policy checkbox is selected.
  • Fixed a minor error-handling issue when the build artifact directory is empty.
  • The Flaw Import task now fails the build when importing flaws with an unsupported process template and the Fail build if flaw importer build step fails checkbox is selected.

January 3, 2023

Improved Veracode Integration for Jira Cloud

Veracode Integration for Jira Cloud version 4.7.0 now successfully loads the Findings Import page when importing large Jira projects.

December 19, 2022

Improved Veracode Integration for Jira Server

Veracode Integration for Jira Server version 3.38.0 includes the following improvements:

  • Jira tickets from imported Static Analysis flaws now show the detected CWEs with a dash instead of an underscore. This CWE format matches the results in the Veracode Platform. For example, CWE_123 is now CWE-123.
  • Jira tickets from imported SCA vulnerabilities now support the Mitigation Status and Mitigation Status Description fields.

December 15, 2022

Veracode Mobile Application Packager is Deprecated

Veracode Mobile Application Packager is now deprecated and will be obsolete on February 1, 2023.

December 14, 2022

Veracode for VS Code Renamed to Veracode Greenlight for VS Code

Veracode for VS Code version 1.6.0 includes the following updates:

December 13, 2022

Veracode Azure DevOps Extension version 3.16.0 fixes the link on the Veracode Scan Summary tab. The link now opens the scan results in the Veracode Platform instead of the Application page.

December 6, 2022

Updated Veracode Static for Visual Studio

Veracode Static for Visual Studio version 1.7.0 fixes an issue where the extension could not authenticate with Veracode from a European Region instance.

November 16, 2022

Updated Veracode Integration for Jira

Veracode Integration for Jira version 3.37.0 fixes an issue where the plugin ignores all remaining applications after attempting to import findings from an application with COTS enabled.

November 14, 2022

Updated C# API Wrapper

Veracode C# API wrapper version 22.10.8.6 includes these updates:

  • Fixed an error that can occur if the filename of an uploaded file contains certain characters or symbols. For example, ~ ^ ' { }
  • The -debug parameter now logs timestamped messages that identify connectivity issues, error conditions, and the status of various composite actions.

Improved Veracode Greenlight for IntelliJ

Veracode Greenlight for IntelliJ version 1.8.5 adds support for IntelliJ IDEA 2022.2.3.

October 27, 2022

Java API Wrapper Has Improved Error Handling

Veracode Java API Wrapper version 22.10.10.4 now cancels any scans that exceed the upload limit.

October 21, 2022

Veracode Azure DevOps Extension Now Supports Automatic Deletion of Incomplete Scans

Veracode Azure DevOps Extension version 3.15.0 adds options for deleting incomplete scans in your pipeline. When configuring the extension, you can add -deleteincompletescan as an optional argument or add -deleteIncompleteScan as a YAML property.

Updated Veracode Static for Visual Studio

Veracode Static for Visual Studio (New) version 1.6.0 includes these changes:

  • Fixed an issue where web projects inside folders did not publish.
  • Fixed an issue where the scan progress bar in the IDE displayed as incomplete after clicking Custom Workflow.
  • The Run Scan button in the IDE is now disabled when the scan status is in a failed state. In the Veracode Platform, you also see a warning message to resolve this issue.

September 29, 2022

Updated Greenlight for Eclipse

Greenlight for Eclipse version 2.9.6 includes minor security and documentation updates.

September 22, 2022

Improved Finding Import Performance for Veracode Integration for Jira Cloud

Veracode Integration for Jira Cloud version 4.6.0 adds a new filter that only imports findings with new scan data, policy changes, or changes to applied mitigations since the last import.

September 13, 2022

Java API Wrapper JavaDoc Update

In Veracode Java API Wrapper version 22.9.10.3, the documentation available in the wrapper installation file now describes the Credentials class.

August 29, 2022

Veracode Azure DevOps Extension Has Improved Flaw Importer Task

Veracode Azure DevOps Extension version 3.14.0 includes the following improvements to the Flaw Importer Task.

  • Uses fewer calls to complete flaw imports.
  • Fixes an issue where flaws without comments did not sync or close.
  • Fixes an issue where development sandbox findings did not import.

August 12, 2022

Veracode TeamCity Plugin Now Supports Automatic Deletion of Incomplete Scans

Veracode TeamCity Plugin version 2.7.0 adds configuration options for deleting incomplete scans.

August 9, 2022

Veracode Integration for Jira Server Now Retries Downloading the Detailed XML Report

Veracode Integration for Jira version 3.36.0 fixes an issue where the integration did not create tickets of imported flaws if it could not retrieve the Detailed XML Report. The integration now attempts to retrieve the Detailed XML Report during the next import cycle.

July 27, 2022

Updated C# API Wrapper

Veracode C# API wrapper version 22.8.8.5 includes these updates:

  • Supports the -debug parameter.
  • Fixes an issue to filter out Dynamic Analysis results.
  • Adds transaction ID header to uploadandscan.

July 20, 2022

Veracode Azure DevOps Extension Now Supports Importing SCA Vulnerabilities as Work Items

Veracode Azure DevOps Extension version 3.13.0 updates the Flaw Importer task to support importing Software Composition Analysis (SCA) vulnerabilities as work items.

July 14, 2022

Veracode Jenkins Plugin Now Supports Automatic Deletion of Incomplete Scans

Veracode Jenkins Plugin version 22.6.18.0 adds configuration options for deleting incomplete scans.

June 27, 2022

Improved Finding Import Performance for Veracode Integration for Jira Server

Veracode Integration for Jira Server version 3.35.0 adds a new filter that only imports findings with new scan data, policy changes, or changes to applied mitigations since the last import.

June 22, 2022

Deprecation of Admin XML APIs

Veracode has deprecated the Admin XML APIs for user and team management. End-of-support for these APIs is scheduled for June 30, 2023. Veracode recommends that you begin updating your automations to use the Identity REST APIs. Also, enabling the Single Sign-on and Just-in-Time Provisioning feature automatically disables the Admin XML APIs for user management. Before enabling this feature, ensure all of your automations are using the Identity APIs.

June 8, 2022

Updated Veracode Static for Visual Studio (New)

Veracode Static for Visual Studio (New) version 1.5.0 includes these changes:

May 18, 2022

Java API Wrapper Updates -deleteincompletescan Parameter with Backward Compatibility

Java API Wrapper version 22.5.10.1 updates the -deleteincompletescan parameter to be backward compatible with Java API wrapper versions earlier than 22.5.10.0, which was released on May 4, 2022. After upgrading the wrapper, the parameter value automatically changes from a boolean to an integer:

  • If set to true, the value changes to 1.
  • If set to false, the value changes to 0.

May 4, 2022

Java API Wrapper Has Improved -deleteincompletescan Parameter

Java API Wrapper version 22.5.10.0 includes changes to the -deleteincompletescan parameter for deleting incomplete scans when running the uploadandscan action. This parameter now accepts an integer value, rather than boolean, for deleting an incomplete scan based on the scan status.

Note: These changes are not backward compatible with the -deleteincompletescan parameter available in earlier versions of the Java API Wrapper. If you currently use this parameter, after upgrading the wrapper you must change the value from boolean to one of the accepted integer values.

April 15, 2022

Introducing New Veracode Static Extensions for Visual Studio 2019 and 2022

Veracode Static for Visual Studio version 1.4.0 is a new extension for adding Static Analysis to Visual Studio 2019 and 2022. The new extension for Visual Studio 2019 provides major improvements compared to our current legacy extension for version 2019, which Veracode continues to support.

The extensions include these features:

  • Improved user experience for developers.
  • Powerful Summary View grid for reviewing and managing findings.
  • Streamlined workflow for building, packaging, and scanning your code.
  • Support for policy and sandbox scans.

An extension for each Visual Studio version is available from the Visual Studio Marketplace.

April 12, 2022

Veracode Greenlight Now Supports the New Visual Studio 2019 and 2022

Veracode Greenlight for Visual Studio version 1.3.184.96 is a new extension for adding Greenlight scanning to the newer versions of Visual Studio 2019 and 2022. An extension for each Visual Studio version is available from the Visual Studio Marketplace.

March 9, 2022

Updated Azure DevOps Extension

Veracode Azure DevOps Extension version 3.10.0 includes these changes:

  • TFS 2017 is no longer supported.
  • TFS 2018 support now requires Azure Pipeline Agent 2.196.2 or later.
  • Flaw Importer task can now import custom fields when using custom process templates.
  • Flaw Importer task can now overwrite the area path in work items when importing flaws.

March 16, 2023

New Mitigation Type Available for SCA Upload Scans

You can now choose to accept the risk of specific vulnerabilities and licenses as part of your mitigation process for Veracode SCA upload scans. This mitigation type is already available for Veracode Static Analysis and Dynamic Analysis.

February 3, 2023

Region Flag for Agent-Based Scans

Veracode SCA agent-based scans now provide a region flag that you can use to configure accounts in the European Region and United States Federal Region.

February 2, 2023

JRE Upgrade for SCA Agent

Veracode has upgraded the Java Runtime Environment (JRE) that is bundled with the Software Composition Analysis (SCA) agent.

January 13, 2023

Improved SCA Support for Python 3

Veracode Software Composition Analysis (SCA) agent-based scans now more effectively locate local Python 3 installations.

December 14, 2022

SCA Support for Android

Veracode Software Composition Analysis (SCA) now supports scanning Android projects. This support includes AAR files for agent-based scans and APK and AAB files for upload scans.

September 15, 2022

SCA Support for Go Aliases

Veracode Software Composition Analysis (SCA) now supports aliases in Go projects. This support includes agent-based and upload scans.

Vulnerable Method Support for Java 17

Veracode SCA agent-based scanning now supports vulnerable method analysis for Java 17.

August 22, 2022

Set SCM URI as Project Name

You can now set the source code management (SCM) URI as your project name using the --uri-as-name option in your Veracode SCA agent-based scans.

July 22, 2022

SBOM API Support for SCA Agent-Based Scans Linked to Application Profiles

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans that you have linked to an application profile. The API generates an SBOM in CycloneDX JSON format.

June 6, 2022

Generate SBOMs for SCA Agent-Based Scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans. The API generates an SBOM in CycloneDX JSON format.

May 9, 2022

SBOM API Support for Promoted Sandbox Scans

You can now generate a software bill of materials (SBOM) for Veracode SCA upload scans that have been promoted from sandbox to policy scans. The Veracode SCA Agent REST API includes promoted sandbox scan results when it returns a CycloneDX SBOM for an application.

SCA Upload and Scan Table Update

Veracode has removed the Number of Known Vulnerabilities by Severity column from the Applications table on the Upload and Scan page in the Veracode Platform. This update significantly reduces load times for the page. You can still view the number of known vulnerabilities by severity for each application in the application profile.

April 26, 2022

Generate SBOMs for SCA Upload Scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA upload scans. The API generates an SBOM in CycloneDX JSON format.

January 20, 2022

JSON Output for Agent-Based Scans Includes CVSS v3 Score

Veracode Software Composition Analysis (SCA) now provides the CVSS version 3 score in the JSON CLI output of your agent-based scan results. To use this feature, you must upgrade your Veracode SCA agent to version 3.7.77 or later.

March 1, 2023

New Security Labs Lessons

Getting Started Labs

New Getting Started - Lesson Zero (Flask, Go, Python)

OWASP Top 10 2021 Labs

  • New OWASP 1: Broken Access Control - Secrets in the Log (Java)
  • New OWASP 4: Making Secure Decisions (Flask, Go, Python)

OWASP API Security Top 10 Labs

  • New API 4: Slow Down (Java)
  • New API 4: Brute Force (Java)
  • New API 4: Denial of Service (Java)

February 1, 2023

New Security Labs Lessons

OWASP Top 10 2021 Labs

  • New OWASP 1: Broken Access Control - Loose Lips Sink Servers (Dotnet)
  • New Beyond OWASP Top 10: Other Web App Risks - Know Your Limits (Java)

OWASP API Security Top 10 Labs

  • New API 3: Bugs in Debug (Java)
  • New API 3: Revealing Schemas (Java)

January 4, 2023

New Security Labs Lessons

OWASP Top 10 2021 Labs

New Beyond OWASP Top 10: Other Web App Risks - Do You Remember? (Dotnet)

OWASP API Security Top 10 Labs

  • New API 2: Really, Really Bad Passwords (Java)
  • New API 2: Terrible Password (Java)

December 6, 2022

New Security Labs Lessons

OWASP Top 10 2021 Labs

  • New OWASP 4: Insecure Design - Insecure Decisions (Dotnet, Java)
  • New OWASP 4: Making Secure Decisions (Java)

OWASP API Security Top 10 Labs

  • New API 1: One ID to Access All Objects (Java)
  • New API 1: Stronger IDs (Java)

Getting Started Labs

New Getting Started - Lesson Zero (Java, Node)

November 1, 2022

New Security Labs Lessons

OWASP Top 10 2021 Labs

  • New OWASP 1: Broken Access Control - Loose Lips Sink Servers (Node)
  • New OWASP 4: Insecure Design - Valid Deficit (Dotnet)

OWASP API Security Top 10 Labs

New API 4: Lack of Resources & Rate Limiting - Denial of Service

October 4, 2022

New Security Labs Lessons

OWASP Top 10 2021 Labs

  • New OWASP 4: Insecure Design - Valid Deficit (Node)
  • New OWASP 9: Security Logging and Monitoring Failures - Hold the Line (Dotnet, Java)

September 26, 2022

Topic Progress Bar Now Focused on Required Labs

In Security Labs, the progress bar for a topic now shows the completion status for required labs only. If all required labs in a topic are complete, the progress bar shows 100% completion, even when there are incomplete optional labs.

September 6, 2022

One New Security Labs Lesson

OWASP Top 10 2021 Labs

New OWASP 9: Security Logging and Monitoring Failures - Hold the Line (Node)

August 24, 2022

New Click-Through Tour

August 3, 2022

Three New API Security Labs Lessons

OWASP API Security Top 10 Labs

July 6, 2022

Seven New API Security Labs Lessons and One Updated OWASP Course

OWASP API Security Top 10 Labs

  • New API 7 Security Misconfiguration - Jot down this key (.NET)
  • New API 7 Security Misconfiguration - Secret Admins (.NET)
  • New API 7 Security Misconfiguration - eXternal Entity (injection) (.NET)
  • New API 7 Security Misconfiguration - XML is always a Challenge (.NET)
  • New API 8 Injection - Own the database (.NET)
  • New API 8 Injection - Parameterize all the things (.NET)
  • New API 8 Injection - Bobby Tables (.NET)

OWASP Top 10:2021:10 Server-Side Request Forgery

New Get There From Here (Node)

June 30, 2022

Updated One eLearning Learner Level Course and Added Two New AppSec Tutorials

  • Updated the OWASP 2017 course to OWASP 2021 on Learner Level 1
  • Added two new AppSec Tutorials on Learner Level 2

June 1, 2022

The Security Training Team Released Two New API Security Courses and Updated Eight OWASP Courses

OWASP API Security Top 10 Labs

OWASP Top 10 2021 Labs

See the Course Catalog for more details.

  • A01:2021 Broken Access Control
  • A02:2021 Cryptographic Failures
  • A03:2021 Injection
  • A05:2021 Security Misconfiguration
  • A06:2021 Vulnerable and Outdated Components
  • A07:2021 Identification and Authentication Failures
  • A08:2021 Software and Data Integrity Failures
  • A09:2021 Security Logging and Monitoring Failures

May 19, 2022

The Security Training Team Released Three New eLearning Courses and Updated One Course

  • Updated A04: eLearning Secure Architecture and Design
  • New OWASP Top 10 2021
  • New A10: Server-Side Request Forgery AppSec Tutorial
  • New A08: Software and Data Integrity Failures AppSec Tutorial

May 4, 2022

The Security Training Team Released Seven Labs

OWASP API Security Top 10 Labs:

OWASP Top 10 2021 Labs:

April 6, 2022

Two New Labs

February 27, 2023

Set URL Scan Settings at the Organization Level

You can now use the Dynamic Analysis REST API to set URL scan settings for all analyses and scans in an organization.

February 17, 2023

New Manual Resume Feature for Paused Analyses

Veracode Dynamic Analysis adds a new feature that enables you to manually resume a scheduled analysis from a paused state. This feature is only available upon request. To add this feature to your account, contact Veracode Technical Support.

January 20, 2023

Renamed URL Scan Status Messages

Veracode has renamed and changed the descriptions for the following URL scan status messages for Dynamic Analysis. The new names more accurately describe the issues that caused these status messages to appear in the Veracode Platform.

  • Killed - Partial Results Available is now Lockout - Partial Results Available.
  • Killed - Verifying Partial Results is now Lockout - Verifying Partial Results.

December 19, 2022

New ISM Endpoint Version Available

Veracode Dynamic Analysis Internal Scanning Management (ISM) endpoint version 22.12.3 improves endpoint logging and fixes an endpoint issue.

October 18, 2022

API Scanning Adds Support for Scriptable Request Modification

Veracode API Scanning adds a new option for using JavaScript to modify an HTTP request, at runtime, when authenticating with a remote host.

October 5, 2022

New Similarity Threshold for Web Applications

When configuring an analysis of a web application, you can now set a threshold for ignoring similar web pages during the analysis.

September 7, 2022

Dynamic Analysis Now Creates Screenshots for Consecutive Login Failures

The Veracode scan engine now creates a verification screenshot if it is unable to log in to a target application after 50 attempts. The screenshot image shows when and where in the scanning process the failed login attempts occurred. You can use this information for troubleshooting.

August 2, 2022

New Historical Details for Dynamic Analyses and Scans

You can now view detailed information about all past occurrences of both a dynamic analysis and its scans.

May 18, 2022

Re-Enabled Pause and Resume for Scheduled Analyses

When scheduling a Dynamic Analysis, you can now set it to pause and resume scanning at specific days and times. Veracode disabled this option on October 7, 2021.

April 28, 2022

New Status Messages for Partial Scan Results

Dynamic Analysis now provides status messages that indicate when Veracode is verifying partial results and when partial results are available for review. Partial results can occur when a scan stops prematurely due to:

  • Errors during scanning
  • Users stopping the scan early
  • The scan exceeding its configured duration

March 23, 2022

API Scanning Adds Support for OpenID Connect to OAuth 2.0

Veracode API Scanning adds a new option to specify an OpenID Connect URL when configuring OAuth 2.0 authentication.

March 10, 2022

Dynamic Analysis Adds Support for Concurrent Browsers Running Dynamic Analysis Scans

Veracode Dynamic Analysis now supports concurrent browsers for running multiple Dynamic Analysis scans at the same time. When configuring a web application scan, you can specify up to 12 concurrent browsers.

March 8, 2022

API Scanning Adds OAuth 2.0 Authentication and Analysis History Options

Veracode API Scanning includes these changes:

  • New option to configure OAuth 2.0 authentication for the API endpoints in your API specifications. You can select to use either the Client Credentials or Password Credentials grant type.
  • New Associated Analysis field on the API Specification Details page for a given API specification. This field provides options for viewing, reconfiguring, and rerunning previous scans.

March 3, 2022

Dynamic Analysis Now Detects Log4j Vulnerability CWE-115

Veracode Dynamic Analysis can now detect Log4j vulnerability CWE-115 when scanning web applications or API specifications.

February 4, 2022

Updated Dynamic Analysis Scan Engine

The Dynamic Analysis scan engine includes these updates:

  • Updated Chromium to version 98.0.4758.80
  • Log4j security updates
  • Improved connectivity when authenticating with Veracode
  • Fix for insecure cookies that prevented flaw matching

January 25, 2022

ISM Endpoint Upgraded to Log4j 2.17.1

An updated Veracode Dynamic Analysis Internal Scanning Management (ISM) endpoint version is now available. Updates include an upgrade to Log4j 2.17.1 to address known vulnerability CVE-2021-44832 and improvements to connection stability and usage diagnostics.

Note: Veracode delivers the same Static Analysis language and framework support in both the European Region and the Commercial Region.

February 23, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Improved COBOL Parser Error Handling

Veracode no longer reports parser errors in standalone copybook files that COBOL files do not include. These files are not relevant for security scanning unless COBOL files reference them.

January 26, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Veracode has improved static analysis by adding support for:

  • Server-side request forgery (SSRF) reporting for JavaScript

Veracode has released a new version of our new iOS packaging tool:

December 15, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Veracode improved static analysis by adding support for these new languages and frameworks:

Veracode has improved static analysis by adding a new iOS packaging tool to support Xcode 14 without the Enable_Bitcode setting:

November 17, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these languages and frameworks:

October 27, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these languages and frameworks:

October 19, 2022

New Packaging Guidance Tool

You can use the new Veracode Packaging Cheat Sheet to generate language-specific packaging guidance for Static Analysis.

October 4, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these languages and frameworks:

August 25, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

August 1, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

June 24, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

April 28, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

March 28, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

February 24, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

Veracode has improved static analysis by adding support for these new versions:

February 3, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

Veracode has improved static analysis by adding support for these new versions:

Veracode Static Analysis Improvements

Veracode has improved the accuracy of hard-coded password detection. You can expect:

  • Fewer false positives where local files are in known valid locations
  • Better identification of sensitive variable names

Veracode has improved modeling for TypeScript support. You can expect:

  • Fewer false positives and more true positives in TypeScript applications where type information is specified.

Product Updates provides the latest features, enhancements, and important announcements for Veracode products. Subscribe to all posts with the RSS feed.

To the left, under Updates by Region, the latest posts are at the top of the list.

The update sections are categorized by product area and Veracode Region, such as Commercial (the default). Your Veracode account is in one of these regions. If you do not know the region for your Veracode account, contact the Veracode Administrator for your organization.

Archives

The following sections are archived updates for older releases. Veracode no longer maintains these sections.

December 30, 2022

Released Veracode Container Security

Veracode Container Security is available. Container Security does the following:

  • Scans for container vulnerabilities
  • Scans for infrastructure as code misconfigurations
  • Scans for improperly stored secrets
  • Helps developers secure their cloud native applications

For more information about Veracode Container Security, contact your Veracode account representative.

July 15, 2022

CWE Top 25 Now Reflects 2022 Version

The Auto-Update CWE Top 25 security standard that you use in Veracode policies now reflects the 2022 CWE Top 25 list.

June 28, 2022

Updated Single Sign-On and Just-In-Time Provisioning

New single sign-on (SSO) and Just-In-Time (JIT) provisioning capabilities in the Veracode Platform improve reliability and supportability and extend the roles that JIT provisioning supports. Before using this feature, you must update your SSO settings in your identity provider.

To begin the process of enabling these capabilities, contact Veracode Support.

May 19, 2022

The Issues Vulnerability Count Measure Changed

Issues Vulnerability Count now includes only issues where the Issue Type is a Vulnerability Issue. In the past, this measure included the count of Vulnerability, License, and Library issues. The calculation of Issues Vulnerability Count is still based on the filters you select.

  • Issues Issue Count: count of issues, regardless of type
  • Issues Vulnerability Count: count of vulnerability issues
  • Issues Libraries with Issues: total number of unique libraries with at least one issue

May 10, 2022

Sandbox Information Available in Unsubmitted Static Scans Data Export

Veracode has added sandbox information to the Unsubmitted Static Scans data export to make it easier to find the incomplete static scans for an application.

May 6, 2022

End of Support for Internet Explorer 11

Veracode will no longer support Microsoft Internet Explorer 11 after June 30, 2022. This change follows the Microsoft updates to its support model for Internet Explorer. Veracode recommends that you switch to a supported browser to avoid issues.

Official Support for Microsoft Edge

The Veracode Docs are updated to confirm that Microsoft Edge is a supported browser.

April 4, 2022

Improved Team Management in the Veracode Platform

Veracode has improved the usability of the team management options on the Administration page in the Veracode Platform.

March 22, 2022

View Applications by Policy Evaluation Date

You can now view the date and time of the most recent event that triggered a policy evaluation for an application in a new field in the Applications REST API and the Applications list in the Veracode Platform. You can use this field to search for applications that have had new scans or approved mitigations since the listed date.


October 21, 2022

ISM Available for Dynamic Analysis

Internal Scanning Management (ISM) is now available for Veracode Dynamic Analysis of web applications and API specifications in the European Region.

July 28, 2022

Dynamic Analysis Available for European Region

Veracode Dynamic Analysis is now available in the European Region. If you have a Veracode Dynamic Analysis subscription, you can now perform dynamic analysis security testing and API testing against public facing web applications and APIs.

Note

Veracode delivers the same Static Analysis language and framework support to both the European Region and the Commercial Region. For information about static language and framework updates, see Veracode Static Analysis Release Notes.

October 20, 2021

Veracode European Region Now Available

The Veracode European Region is now available for new customers. This region, which initially supports Veracode Static Analysis and Veracode Software Composition Analysis, provides European data residency for Veracode customers.


September 29, 2022

New Application Security Platform Features Available in European Region

The following features are now available in the European Region.

May 10, 2022

SCA Dashboards Available in Analytics

Data from Veracode Software Composition Analysis (SCA) agent-based scans and upload scans is now available in Veracode Analytics for the European Region. The predefined Veracode dashboards, including the SCA Findings dashboard, now contain SCA scan data. You can also use the Findings, SCA Agent-Based Scans, and SCA Agent-Based Scan Issues data explores for custom reporting.

May 3, 2022

Support Cases and Scheduled Consultations Now Available

You can now raise a support case and schedule a consultation from the Veracode Platform in the European Region.

Veracode Platform Services Updated to Current Versions

Applications and policies for the European Region now run on the current versions in the Veracode Platform.


This section lists the archived updates for 2021.

Static Analysis

View the list below for highlights of previous releases.

December 20, 2021

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding support for:

  • Azure Functions used in .NET
  • Thymeleaf templates for Spring Boot

Veracode has improved static analysis by adding support for these new versions:

  • Initial support of .NET 6.0
  • Initial support of Android 12

November 18, 2021

New Veracode Static Analysis Support

Veracode has improved static analysis by adding:

  • Full support for JDK 17
  • Full support for ColdFusion 2016

October 21, 2021

New Veracode Static Analysis Support

  • Veracode has improved static analysis by adding support for Apex 52.0.

Improved Veracode Static Analysis Support

  • Veracode has further improved its accuracy in its detection of hard-coded credentials in applications. You might see a decrease in false positives related to hard-coded credentials.

September 28, 2021

New Veracode Static Analysis Support

Veracode has improved static analysis by adding:

  • Initial support for iOS 15
  • Full support for .NET 5.0

Improved Veracode Static Analysis Support

  • Veracode has improved its detection of hard-coded passwords in applications. You might see an increase in findings related to hard-coded passwords.

August 26, 2021

New Support for GCC 10 on Red Hat Enterprise Linux 8

  • Veracode has improved static analysis by adding support for the GCC 10 compiler on Red Hat Enterprise Linux.

Improved Static Analysis Support

Veracode has made several improvements to static analysis, including:

  • Prevention of reporting hard-coded credentials for variables related to mock libraries
  • Prevention of reporting hard-coded credentials for nonsensitive data in JavaScript dictionaries
  • Improved recognition of password keywords in concatenated strings
  • Improved heuristics to identify potentially sensitive data

July 22, 2021

New Veracode Static Analysis Support

  • Veracode has improved static analysis by adding support for Angular 12 applications.

Improved Veracode Static Analysis Results

  • Veracode has improved static analysis for Node.js 13 and 14 applications.

June 16, 2021

Pipeline Scan Supports Uploading Larger Files

  • Veracode Pipeline Scan now supports the analysis of applications up to 200 MB.

June 2, 2021

New Veracode Static Analysis Support

Veracode has improved static analysis by adding support for these new technologies:

  • Initial Support of Java 16
  • tvOS

Compatibility Updates for iOS and tvOS Application Packager

  • Veracode has improved the mobile application packager used for preparing iOS and tvOS applications to support the latest versions of macOS. This update also includes several usability improvements based on user feedback.

New Distribution Method for the Ruby Gem Packager

  • Veracode began distributing the Gem file required for preparing Ruby on Rails applications. For the latest updates to the Gem file, retrieve the file from rubygems.org using these Veracode instructions.

May 3, 2021

New Veracode Static Analysis Support

  • Veracode has improved static analysis by adding support for AWS SDK for .NET.

Improved Veracode Static Analysis Results

  • Veracode has improved static analysis of Java applications by identifying additional security flaws related to deserialization vulnerabilities.

April 6, 2021

Improved Veracode Static Analysis Support for Android Applications

  • Veracode has improved static analysis of Android applications by adding support for Android applications packaged as Android App Bundles (AAB).

April 1, 2021

Deprecated Support for Older Versions of Veracode Pipeline Scan

  • On April 1, 2021, Veracode will no longer support versions of pipeline-scan.jar that you have downloaded before September 2020. These versions are 20.9.1 and earlier. To identify the version of the pipeline-scan.jar that you are using, you can run it with the --version option at the command line.

  • To transition to a supported version of the JAR file, replace the version that you are using with the latest one, which you can download from https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip. Veracode also provides Pipeline Scan as a Docker image on Docker Hub (https://hub.docker.com/r/veracode/pipeline-scan).

  • Updating to the latest version of pipeline-scan.jar ensures that you are working with the latest version of the Veracode software, which includes many new features and bug fixes.

March 31, 2021

New Veracode Static Analysis Support

  • Veracode has improved static analysis by adding support for Blazor WebAssembly for .NET applications.

Improved Veracode Static Analysis Results

  • Veracode has improved static analysis of .NET Core 3.1 applications.

Remediation Guidance Added to Pipeline Scan Results

  • The Pipeline Scan results now include links to the Veracode Knowledge Base, which provides suggestions for remediating issues.

March 2, 2021

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding support for these new versions of supported technologies:

  • Transact-SQL 15.x
  • Ember.js 3.x for JavaScript

Veracode has improved static analysis by adding initial support for these versions of supported technologies:

  • .NET 5
  • Kotlin 1.4
  • Groovy 3

Improved Veracode Static Analysis Support for iOS

  • Veracode has provided additional security checks for applications built using iOS 14. You may see additional findings for applications as a result of these improvements.

Improved Results for Cryptography Findings for Java Applications

  • Veracode has improved static analysis of Java applications by updating the list of acceptable cryptography algorithms.

February 4, 2021

New Veracode Static Analysis Support

Veracode has improved static analysis by adding support for these new technologies:

  • C++ applications built with GCC 9 on Red Hat 8
  • Koa.js version 2.13
  • Hibernate framework version 5
  • Autofac framework. Static analysis of .NET applications that use Autofac may report additional findings as a result of these improvements.

Improved Veracode Static Analysis Results

Veracode provides these improvements for supported technologies:

  • Additional security checks for applications built using functions specific to Android 10. You may see additional findings for applications as a result of these improvements.
  • Enhanced accuracy of scan results of PHP and Python applications. The scan results now provide more emphasis on custom first-party components rather than third-party libraries.

Improved Prescan Warning Messages

  • Veracode has improved warning messages to identify applications that do not meet Veracode packaging requirements.

  • Veracode has also improved the accuracy of warning messages for several languages and file types by providing more descriptive error resolution recommendations.

Improved Results Consistency for Java Applications

  • Veracode has improved static analysis of Java web applications packaged as WAR and EAR files. Veracode provides more consistent results between subsequent scans and more accurately recognizes first-party components in the applications.

  • You may notice a one-time change to scan results as a result of this improvement.

Improved Results Accuracy Within JSP Files

  • Veracode has improved static analysis of JSP applications to prevent static analysis from reporting duplicate flaws.

January 12, 2021

Compilation Guide Renamed

  • To more accurately describe its contents, the Compilation Guide is now called Veracode Packaging Requirements.

January 7, 2021

Pipeline Scan Integration with Veracode Security Policies

  • Veracode has improved the Pipeline Scan to support the use of policy rules defined in the Veracode Platform. This enhancement allows you to assess applications against consistent rules for pass or fail.

Dynamic Analysis

View the list below for highlights of previous releases.

December 21, 2021

ISM Endpoint Upgraded to Log4j 2.17

  • An updated Veracode Dynamic Analysis Internal Scanning Management (ISM) endpoint version is now available. Updates include an upgrade to Log4j 2.17 to address known vulnerabilities CVE-2021-44228 and CVE-2021-45046.

November 18, 2021

Introducing Veracode API Scanning

  • Veracode API Scanning is a new scan type for performing a dynamic analysis of common API specification files. You can quickly test the security of your API endpoints and get results. As an extension of the existing Veracode Dynamic Analysis, API Scanning uses the same powerful dynamic analysis scan engine to identify vulnerabilities in both public and private APIs and provide remediation guidance. The remediation guidance helps you secure your APIs before integrating them into applications.

November 10, 2021

Dynamic Analysis Scan Engine Updated

The Veracode Dynamic Analysis scan engine has been upgraded, including:

  • Fixed logic in timing-based attacks to reduce the reporting of false positives.
  • Corrected authentication failures when using browser authentication.
  • The Dynamic Analysis engine is updated to use Chromium version 95.0.4638.69.

October 7, 2021

Dynamic Analysis Pause and Resume Temporarily Disabled

  • Veracode has temporarily disabled the ability to pause or resume Dynamic Analysis scans to fix underlying architectural issues.

Dynamic Analysis Engine Updated to New Chromium Version

  • The Veracode Dynamic Analysis engine is updated to use Chromium version 94.0.4606.71.

September 23, 2021

Dynamic Analysis Engine Updated to New Chromium Version

  • The Veracode Dynamic Analysis engine is updated to use Chromium version 93.0.4577.82.

September 15, 2021

Custom HTTP Headers

  • Veracode Dynamic Analysis now supports custom HTTP headers as an authentication option when configuring a scan. You can configure one or more custom headers with specific names and values for each scan.

August 23, 2021

Dynamic Analysis Scan Engine Updated

The Veracode Dynamic Analysis scan engine has been upgraded, including:

  • Several stability improvements and crash fixes
  • Corrections for a few cases of over-reporting CSRF flaws
  • Security updates
  • Fix for missing some XSS flaws
  • Adjusted payloads for code-injection tests to reduce false negatives

March 30, 2021

Improved Coverage Report and Removed Show Password Option

Veracode Dynamic Analysis includes these changes:

  • Improved the Coverage Report to provide a summary view of both normal and attack traffic that Dynamic Analysis discovered during a scan.
  • Removed the Show password checkbox for all authentication methods from the Veracode Platform page on which you create a Dynamic Analysis. You must now re-enter your credentials after changing a Dynamic Analysis configuration.

March 16, 2021

Updated Engine and New Limit on Discovered Flaws

Veracode Dynamic Analysis includes these changes:

  • Updated the Dynamic Analysis engine to use Chromium version 88.0.4324.182.
  • Set a limit on the number of flaws that Dynamic Analysis can discover during each analysis. If an analysis discovers more than 1000 flaws, it now exits automatically. This scenario is rare and typically indicates an error.

February 23, 2021

Updated Video - Create and Run an Unauthenticated Dynamic Analysis

  • This video shows you how to create, configure, and schedule an unauthenticated Dynamic Analysis.

February 18, 2021

Dynamic Analysis REST API Scan Engine Variables

  • Veracode Dynamic Analysis has a new feature that allows you to centrally manage credentials for login scripts by using variable names and storing the values centrally via the Dynamic Analysis API. This feature enables you to update credentials without having to re-upload your login script, and gives you the ability to separate credentials from your login scripts by using variable names in the files instead of the actual values. In addition, this functionality eliminates having to access the Veracode Platform to access credentials.

January 22, 2021

Changes to Reporting of CWE-829

  • The Veracode Dynamic Analysis engine is improved to no longer map findings concerning missing or misconfigured CSP headers to CWE-829 when responses have no body.

Application Security Platform

View the list below for highlights of previous releases.

December 9, 2021

OWASP Top 10 2021

  • The Auto-Update OWASP requirement available for application security policies now reflects the 2021 version of the OWASP Top 10.

November 5, 2021

New Veracode Documentation URL

Deprecation of Veracode Documentation PDFs

  • Veracode has deprecated the PDF files of publications available on the Veracode Documentation website. By December 2021, you will no longer be able to download these PDFs, but you can create custom PDFs using the print feature in your browser. To create a custom PDF, click Print (printer icon) in a publication title bar or to the right of a topic title, select the topics to include or exclude, then click Print.

September 28, 2021

API Rate Limit Enforcement

  • Veracode is now enforcing API rate limiting to ensure optimal performance and availability of Veracode services.

September 15, 2021

Updated Subprocessor List

  • Veracode has updated the list of subprocessors used to process customer personal information.

August 31, 2021

2021 CWE Top 25 Support

  • The Auto-Update CWE Top 25 policy rule in Veracode security policies now reflects the 2021 CWE Top 25 standard. In a future release, Veracode will add the option to specifically select the 2021 CWE Top 25 standard in policy rules.

CWE 4.5 Support

  • Veracode CWE support now reflects the changes MITRE introduced in version 4.5 of the CWE list.

August 12, 2021

Updated Video - Create a Policy in the Veracode Platform

  • This video shows you how to create a custom policy in the Veracode Platform.

July 20, 2021

Improved Veracode Onboarding Experience

  • Veracode has improved the onboarding experience to help developers and application security managers get started with Veracode. In the Veracode Platform, select Resource Center > Getting Started to open the new Getting Started with Veracode guidance, which provides a walk-through of Veracode products and training offerings.

July 8, 2021

Updated Video - Create a New Application Profile in the Veracode Platform

  • This video shows you how to create a new application profile in the Veracode Platform.

June 29, 2021

Improved Veracode Platform Homepage

  • The homepage in the Veracode Platform is updated to make it easier to perform several common functions, such as generating API credentials.

May 25, 2021

Automatically Update to Latest Version of Security Standards in Policy Rules

  • You can set rules in your application security policies that automatically update to use the most recent version of the supported security standards. With this update, you can require applications to comply with the latest version of security standards, such as OWASP Top 10 or CERT, as soon as Veracode supports them.

2020 CWE Top 25 Standard Available in Policy Rules

  • Veracode now supports using the 2020 version of the CWE Top 25 standard as a requirement in application security policies.

PCI Standard Includes 2020 CWE Top 25 Most Dangerous Software Weaknesses

  • A new version of the PCI security standard, which includes the 2020 CWE Top 25 most dangerous software weaknesses, is now available as a requirement in application security policies.

PCI Report Now Evaluated Against the Auto-Update PCI Standard

  • The PCI report available from the Veracode Platform is now evaluated against the Auto-Update version of the PCI security standard. This update ensures that the report always uses the latest version of the PCI standard.

April 8, 2021

Access the Veracode Community from the Veracode Platform

  • You can now access the Veracode Community directly from the Veracode Platform without logging in to a separate Community account. The Veracode Community provides best practice documentation, new feature previews, and a forum for asking questions about how to most effectively use Veracode products and services.

April 7, 2021

Evaluation Timeframe for Security Policies

You can now include evaluation timeframes in Veracode application security policies to define when findings can impact policy compliance. In your policies, you can:

  • Disallow findings opened after a specific date to ignore technical debt.
  • Disallow findings opened before a specific date to ignore new findings that are out of scope for an audit requirement.

April 6, 2021

End of Browser Support for Legacy Versions of Safari and Android

Veracode no longer supports these legacy versions of Safari and Android because of their use of weak ciphers (TLS 1.2):

  • Safari 6 on iOS 6.0.1

  • Safari 7 on iOS 7.1

  • Safari 8 on iOS 8.4

  • Safari 7 on OS X 10.9

  • Safari 8 on OS X 10.10

  • Android 5.0.0

  • Android 6.0

You cannot access analysiscenter.veracode.com using these browsers.

Administrators Cannot Assign Applications to Teams

  • Administrators in the Veracode Platform can no longer assign applications to teams unless they have another role that grants them permission to edit application profiles. Veracode removed this rarely used functionality to provide a more consistent experience for users.

Allow Access to New URL for Penetration Testing Services

  • Veracode has introduced a new URL for a future feature that will support better reporting of our penetration testing services. If you restrict access to public internet sites for your organization, add pt.analysiscenter.veracode.com to your allowlist.

March 31, 2021

Changes to Email Addresses Require Verification

  • If you update the email address in your Veracode Platform user account, Veracode sends you an email to confirm the new address. You must confirm the email address to complete the update.

March 26, 2021

New Analytics Dimension for Findings and Scans

  • Veracode Analytics provides you with the ability to filter findings and scans based on their archive status. You can use these filters to easily find findings and scans that Veracode deleted as part of the sandbox scan retention process.

March 22, 2021

Improved User Management in the Veracode Platform

  • Veracode has improved the usability of the user management options in the Veracode Platform. Administrators and Team Admins can now search for users by name, email address, username, or API ID.

March 9, 2021

Veracode Analytics Updates to the SCA Findings Dashboard

  • Veracode has updated the SCA Findings dashboard to improve the visualization of data and provide more information on how fixing code libraries impacts findings.

February 9, 2021

New Static Analysis Findings Information in Veracode Analytics

  • Veracode Analytics now provides more details about findings that relate to your Static Analysis scans, including the function name, class path, and most recent line number in which Veracode discovers the findings. This data enables you to recreate a view similar to the Triage Flaw view in the Veracode Platform, but across multiple application profiles.

February 8, 2021

New Security Program Overview Dashboard in Veracode Analytics

  • Veracode Analytics provides a new dashboard that contains data to help you track and understand how your AppSec program is trending, based on your target goals. With this dashboard, you can see current and historical trends for policy compliance, as well as better understand policy compliance behavior. New information available to you includes details such as how an application is meeting compliance over time.

January 26, 2021

Improved User Interface for Managing Applications

  • Veracode has updated the user interface in the Veracode Platform for creating, viewing, updating, and deleting applications to improve usability.

January 19, 2021

Improved Email Notifications for Expiring API Credentials

  • Veracode sends an email notification when your Veracode API credentials are about to expire. The email now displays your API username for quickly identifying the account for which you need to generate new credentials.

Software Composition Analysis

View the list below for highlights of previous releases.

November 12, 2021

SCA Component License Rules in Policies

You can now apply these configurations to the component license rules in your application security policies:

  • Allow or disallow non-OSS licenses
  • Specify how to classify components with multiple licenses
  • Add a blocklist or allowlist of specific licenses

If an application does not pass the component license rule, the Veracode Platform displays the requirement that caused the component to violate policy.

October 28, 2021

Agent-Based Scan Project Table Displays Multiple Languages

  • The Project List table on the Agent-Based Scan page of the Veracode Platform now indicates if projects use multiple programming languages or operating systems. The Language/OS column displays the full list of languages and operating systems in use in the project repository.

October 7, 2021

Extended Support for Maven Libraries

  • Veracode Software Composition Analysis (SCA) has improved the Veracode Vulnerability Database to include library support for Google Maven, Spring Maven, and Cloudera Maven.

September 23, 2021

New API Endpoint for Listing Libraries by Project

  • The Veracode SCA Agent REST API includes a new endpoint for querying libraries by the project ID. This endpoint enables you to view libraries in a specific project in an agent-based scan workspace.

September 22, 2021

Decimal Values for CVSS Scores in Policy Rules

  • Veracode security policies now support using values that include decimals when specifying the allowable CVSS score for vulnerabilities in Veracode Software Composition Analysis (SCA) scans. For example, you can set policies to not allow vulnerabilities with a CVSS score of 6.1 or above.

July 15, 2021

My Workspace

  • My Workspace provides developers a personal testing space for up to three agent-based scan projects without requiring administrative setup or permission configuration. If you currently use Software Composition Analysis (SCA) upload and scan, Veracode recommends using My Workspace to explore the additional features available with agent-based scanning, such as dependency mapping, vulnerable methods, and automated pull requests.

  • My Workspace is available for all Veracode SCA users.

June 21, 2021

New Grace Periods for SCA Policy Rules

  • Veracode supports configuring new grace periods in policy rules for Veracode Software Composition Analysis (SCA) scans. The new grace periods are independent of the grace periods you can configure for Veracode Static Analysis and Dynamic Analysis. You can use this feature to manage the different compliance needs of first-party code and open-source libraries in your security program within the same security policy.

April 6, 2021

License Risk Mitigations

  • License risk mitigations are now available for Veracode Software Composition Analysis (SCA) upload scans. You can use a new set of mitigation actions relevant to licenses to mitigate license risk findings based on your assessment of the license in use.

Improved Visibility into SCA Upload Scans

  • You can now view the status of initialized, in progress, and failed Software Composition Analysis upload scans in the Veracode Platform. If a scan fails, you can restart the SCA scan without restarting the associated Static Analysis.

March 26, 2021

Unified Documentation for Veracode SCA

  • All Help Center documentation for Veracode Software Composition Analysis (SCA), including agent-based scanning and static upload scanning, now appears in a single Veracode Software Composition Analysis section. Additionally, new content is available with information about getting started with Veracode SCA.

  • If you bookmarked any URLs for Veracode SCA Help Center content, this update may impact them.

January 21, 2021

New API Endpoint for Listing Issues by Project

  • The Veracode SCA Agent REST API includes a new endpoint for querying issues by the project ID. This endpoint enables you to view issues specific to a project in an agent-based scan workspace. If the project is a container, the API also lists all issues linked to projects inside the container.

Veracode Integrations

View the list below for highlights of previous releases.

December 10, 2021

Veracode Integration for CA Agile Central/Rally Now End-of-Life

  • The Veracode Integration for CA Agile Central/Rally is now end-of-life and no longer supported. The plugin and documentation are no longer available. To avoid potential security vulnerabilities, Veracode strongly recommends that you uninstall this integration. To integrate with other ticketing systems, visit the Veracode Integrations Hub.

November 22, 2021

Java API Wrapper Now Retries Requests

  • Veracode Java API Wrapper version 21.11.9.0 updates the maxretrycount parameter to now retry requests that fail due to certain error conditions. Previously, this parameter polled for failed build status and only applied to the uploadandscan action.

October 18, 2021

Veracode Greenlight for IntelliJ Supports Additional IntelliJ IDEA Versions

  • Veracode Greenlight for IntelliJ version 1.7.0 adds support for IntelliJ IDEA 2019.3–2021.2.3. If you are using IntelliJ IDEA 2020 or later, you must install JavaFX Runtime for Plugins.

October 8, 2021

Improved Veracode Greenlight for IntelliJ

  • Veracode Greenlight for IntelliJ version 1.6.0 adds support for IntelliJ IDEA 2019.3–2021.1.3. If you are using IntelliJ IDEA 2020 or later, you must install JavaFX Runtime for Plugins.

July 8, 2021

New Video - Use the Jenkins Credentials Binding Plugin to Protect Your Veracode Credentials

This video shows you how to:

  • Use the Jenkins Credentials Binding plugin to bind your Veracode API credentials to environment variables
  • Generate a script containing the bound environment variables
  • Add this script to your Jenkins pipeline script

June 23, 2021

Veracode Integration for Jira Supports the Jira Select List Field Type for Multiple Choices

  • The Veracode Integration for Jira version 3.30.0 adds support for the Select List (multiple choices) field type. You can use this field type to map data from Veracode custom fields or a Veracode Detailed XML report to standard or custom fields in Jira Server issues.

May 18, 2021

Veracode Integration for Jira Cloud Supports the Select List Field Types

  • The Veracode Integration for Jira Cloud version 3.7.0 adds support for the Select List (single choice) and Select List (multiple choices) field types. You can use these field types to map data from Veracode custom fields or a Veracode Detailed XML report to standard or custom fields in Jira Cloud issues.

April 30, 2021

Veracode Azure DevOps Extension Has Renamed YAML Property and Improved Logging

Veracode Azure DevOps Extension version 3.5.0 includes these changes:

  • For YAML pipelines with the Flaw Importer task, Veracode renamed the optargs property to proxySettings. This new name more accurately identifies the valid values for this property. Ensure you update your pipelines with this new property name.
  • Added logs, with error messages, for invalid or missing values. The errors apply to both standard and YAML pipelines.

April 22, 2021

Java API Wrapper Adds Parameter for Deleting Incomplete Scans Automatically

Veracode Java API Wrapper version v21.2.7.5 includes these changes:

  • New deleteincompletescan parameter for automatically deleting scans that did not complete due to one or more errors.
  • Additional debug logs for troubleshooting upload and scan issues.

April 20, 2021

Veracode Integration for Jira Supports the Select List Field for a Single Choice

  • The Veracode Integration for Jira version 3.29.0 adds support for the Select List (single choice) field type. You can use this field type to map data from Veracode custom fields or a Veracode Detailed XML report to standard or custom fields in Jira issues.

March 24, 2021

Veracode Greenlight for VS Code Now Requires the JRE

  • Veracode Greenlight for VS Code version 1.4.0 introduces a change that requires you to install a current version of the Java Runtime Environment (JRE) and set your Java PATH.

March 19, 2021

New Video - Create and Manage API Service Accounts with the Identity API

This video shows you how to:

  • Create an API service account
  • Create teams
  • Assign user roles and teams to API service accounts
  • Update an API service account

February 23, 2021

Updated Video - Working with Scan Results Using Veracode Static for Visual Studio

  • This video shows you how to download, import, and view Veracode scan results using Veracode Static for Visual Studio. You can also learn how to mitigate findings discovered during the scan in Visual Studio.

Veracode Jenkins Plugin No Longer Encrypts Non-Sensitive Data for Build Jobs

  • Starting with Veracode Jenkins Plugin version 21.2.12.0, the plugin no longer encrypts non-sensitive data stored in the config.xml file for a build job. This change enables you to import jobs between Jenkins instances.

February 5, 2021

Updated Veracode Azure DevOps Extension

Veracode Azure DevOps Extension version 3.4.0 includes these updates:

  • Use YAML to add Veracode analysis to build pipelines.
  • Use YAML to import findings as work items into Azure DevOps.
  • Include mitigation and annotation comments when importing new findings as work items.
  • Set a timeout to fail a build if Veracode analysis does not complete within a specified time.

Developer Training

View the list below for highlights of previous releases.

April 28, 2021

New Video - Access and Navigate the Veracode Security Labs Interface

This video shows you how to:

  • Access and navigate the lab interface
  • Access and interact with the web application, when applicable
  • Communicate with teammates who have completed the lab
  • Save lab progress or restart the lab

New Video - View and Filter Labs in Veracode Security Labs

This video shows you how to:

  • View new, required, and in progress labs
  • Filter labs by programming language

New Video - Edit and Assign Security Labs Roles to Users

  • This video shows you how to edit roles, assign roles to users, and create managers for those roles in Veracode Security Labs.

New Video - Create a Campaign and Assign Content to Roles in Security Labs

  • This video shows you how to create a new campaign and assign content to roles in Veracode Security Labs.

New Video - Customize Lab Content in Veracode Security Labs

Watch this video to learn how to:

  • Customize lab content by modifying or writing your own conclusion
  • Write your own labs using Security Labs as a sandbox
  • Create an example application using your own code

New Video - Add and View Due Dates for Assignments in Veracode Security Labs

Watch this video to learn how to:

  • Add and view a due date for an assignment
  • Enable competition mode as an administrator

New Video - View and Report on User Progress in the Veracode Security Labs Reporting Page

  • This video shows you how to report on user progress in Veracode Security Labs and the API.

April 27, 2021

Automated User Progress Notifications

You can configure automated email notifications to accomplish these tasks for Veracode Security Labs:

  • Inform managers of their team progress in a campaign or assignment
  • Remind users when they have required labs that are incomplete

You can define the schedule and customize the message for each notification type.

April 2, 2021

New Video - Create Users Within Veracode Security Labs or by Using Your Company SSO

  • This video shows you how to create users from within the Security Labs interface.

March 4, 2021

Enable Team-Based Competition in Security Labs

  • You can create Veracode Security Labs campaigns that allow users to collaborate and compete between groups. If you enable competition mode and assign different roles to users, the leader board for the campaign adds the scores by role and displays the collective team totals.

Continuous Learning Paths in Security Labs

  • You can assign Security Labs users to continuous campaigns that automatically provide the next assignment after the user completes the required labs of the previous assignment.

Allow Step Omissions in Security Labs

  • You can configure Security Labs to allow users to skip steps in a lab that they cannot complete. Users do not receive points for skipped steps.

  • This feature only applies to Java OWASP labs.