This page lists the archived updates for 2021.
View the list below for highlights of previous releases.
December 20, 2021
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding support for:
- Azure Functions used in .NET
- Thymeleaf templates for Spring Boot
Veracode has improved static analysis by adding support for these new versions:
- Initial support of .NET 6.0
- Initial support of Android 12
November 18, 2021
New Veracode Static Analysis Support
Veracode has improved static analysis by adding:
- Full support for JDK 17
- Full support for ColdFusion 2016
October 21, 2021
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for Apex 52.0.
Improved Veracode Static Analysis Support
- Veracode has further improved its accuracy in its detection of hard-coded credentials in applications. You might see a decrease in false positives related to hard-coded credentials.
September 28, 2021
New Veracode Static Analysis Support
Veracode has improved static analysis by adding:
- Initial support for iOS 15
- Full support for .NET 5.0
Improved Veracode Static Analysis Support
- Veracode has improved its detection of hard-coded passwords in applications. You might see an increase in findings related to hard-coded passwords.
August 26, 2021
New Support for GCC 10 on Red Hat Enterprise Linux 8
- Veracode has improved static analysis by adding support for the GCC 10 compiler on Red Hat Enterprise Linux.
Improved Static Analysis Support
Veracode has made several improvements to static analysis, including:
- Prevention of reporting hard-coded credentials for variables related to mock libraries
- Prevention of reporting hard-coded credentials for nonsensitive data in JavaScript dictionaries
- Improved recognition of password keywords in concatenated strings
- Improved heuristics to identify potentially sensitive data
July 22, 2021
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for Angular 12 applications.
Improved Veracode Static Analysis Results
- Veracode has improved static analysis for Node.js 13 and 14 applications.
June 16, 2021
Pipeline Scan Supports Uploading Larger Files
- Veracode Pipeline Scan now supports the analysis of applications up to 200 MB.
June 2, 2021
New Veracode Static Analysis Support
Veracode has improved static analysis by adding support for these new technologies:
- Initial Support of Java 16
- tvOS
Compatibility Updates for iOS and tvOS Application Packager
- Veracode has improved the mobile application packager used for preparing iOS and tvOS applications to support the latest versions of macOS. This update also includes several usability improvements based on user feedback.
New Distribution Method for the Ruby Gem Packager
- Veracode began distributing the Gem file required for preparing Ruby on Rails applications. For the latest updates to the Gem file, retrieve the file from rubygems.org using these Veracode instructions.
May 3, 2021
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for AWS SDK for .NET.
Improved Veracode Static Analysis Results
- Veracode has improved static analysis of Java applications by identifying additional security flaws related to deserialization vulnerabilities.
April 6, 2021
Improved Veracode Static Analysis Support for Android Applications
- Veracode has improved static analysis of Android applications by adding support for Android applications packaged as Android App Bundles (AAB).
April 1, 2021
Deprecated Support for Older Versions of Veracode Pipeline Scan
- On April 1, 2021, Veracode will no longer support versions of pipeline-scan.jar that you have downloaded before September 2020. These versions are 20.9.1 and earlier. To identify the version of the pipeline-scan.jar that you are using, you can run it with the --version option at the command line.
- To transition to a supported version of the JAR file, replace the version that you are using with the latest one, which you can download here: https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip. Veracode also provides Pipeline Scan as a Docker image on [Docker Hub](https://hub.docker.com/r/veracode/pipeline-scan).
- Updating to the latest version of pipeline-scan.jar ensures that you are working with the latest version of the Veracode software, which includes many new features and bug fixes.
March 31, 2021
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for Blazor WebAssembly for .NET applications.
Improved Veracode Static Analysis Results
- Veracode has improved static analysis of .NET Core 3.1 applications.
- The Pipeline Scan results now include links to the Veracode Knowledge Base, which provides suggestions for remediating issues.
March 2, 2021
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding support for these new versions of supported technologies:
- Transact-SQL 15.x
- Ember.js 3.x for JavaScript
Veracode has improved static analysis by adding initial support for these versions of supported technologies:
- .NET 5
- Kotlin 1.4
- Groovy 3
Improved Veracode Static Analysis Support for iOS
- Veracode has provided additional security checks for applications built using iOS 14. You may see additional findings for applications as a result of these improvements.
Improved Results for Cryptography Findings for Java Applications
- Veracode has improved static analysis of Java applications by updating the list of acceptable cryptography algorithms.
February 4, 2021
New Veracode Static Analysis Support
Veracode has improved static analysis by adding support for these new technologies:
- C++ applications built with GCC 9 on Red Hat 8
- Koa.js version 2.13
- Hibernate framework version 5
- Autofac framework. Static analysis of .NET applications that use Autofac may report additional findings as a result of these improvements.
Improved Veracode Static Analysis Results
Veracode provides these improvements for supported technologies:
- Additional security checks for applications built using functions specific to Android 10. You may see additional findings for applications as a result of these improvements.
- Enhanced accuracy of scan results of PHP and Python applications. The scan results now provide more emphasis on custom first-party components rather than third-party libraries.
Improved Prescan Warning Messages
- Veracode has improved warning messages to identify applications that do not meet Veracode packaging requirements.
- Veracode has also improved the accuracy of warning messages for several languages and file types by providing more descriptive error resolution recommendations.
Improved Results Consistency for Java Applications
- Veracode has improved static analysis of Java web applications packaged as WAR and EAR files. Veracode provides more consistent results between subsequent scans and more accurately recognizes first-party components in the applications.
- You may notice a one-time change to scan results as a result of this improvement.
Improved Results Accuracy Within JSP Files
- Veracode has improved static analysis of JSP applications to prevent static analysis from reporting duplicate flaws.
January 12, 2021
Compilation Guide Renamed
- To more accurately describe its contents, the Compilation Guide is now called Veracode Packaging Requirements.
January 7, 2021
Pipeline Scan Integration with Veracode Security Policies
- Veracode has improved the Pipeline Scan to support the use of policy rules defined in the Veracode Platform. This enhancement allows you to assess applications against consistent rules for pass or fail.
Dynamic Analysis
December 21, 2021
ISM Endpoint Upgraded to Log4j 2.17
- An updated Veracode Dynamic Analysis Internal Scanning Management (ISM) endpoint version is now available. Updates include an upgrade to Log4j 2.17 to address known vulnerabilities CVE-2021-44228 and CVE-2021-45046.
November 18, 2021
Introducing Veracode API Scanning
- Veracode API Scanning is a new scan type for performing a dynamic analysis of common API specification files. You can quickly test the security of your API endpoints and get results. As an extension of the existing Veracode Dynamic Analysis, API Scanning uses the same powerful dynamic analysis scan engine to identify vulnerabilities in both public and private APIs and provide remediation guidance. The remediation guidance helps you secure your APIs before integrating them into applications.
November 10, 2021
Dynamic Analysis Scan Engine Updated
The Veracode Dynamic Analysis scan engine has been upgraded, including:
- Fixed logic in timing-based attacks to reduce the reporting of false positives.
- Corrected authentication failures when using browser authentication.
- The Dynamic Analysis engine is updated to use Chromium version 95.0.4638.69.
October 7, 2021
Dynamic Analysis Pause and Resume Temporarily Disabled
- Veracode has temporarily disabled the ability to pause or resume Dynamic Analysis scans to fix underlying architectural issues.
Dynamic Analysis Engine Updated to New Chromium Version
- The Veracode Dynamic Analysis engine is updated to use Chromium version 94.0.4606.71.
September 23, 2021
Dynamic Analysis Engine Updated to New Chromium Version
- The Veracode Dynamic Analysis engine is updated to use Chromium version 93.0.4577.82.
September 15, 2021
- Veracode Dynamic Analysis now supports custom HTTP headers as an authentication option when configuring a scan. You can configure one or more custom headers with specific names and values for each scan.
August 23, 2021
Dynamic Analysis Scan Engine Updated
The Veracode Dynamic Analysis scan engine has been upgraded, including:
- Several stability improvements and crash fixes
- Corrections for a few cases of over-reporting CSRF flaws
- Security updates
- Fix for missing some XSS flaws
- Adjusted payloads for code-injection tests to reduce false negatives
March 30, 2021
Improved Coverage Report and Removed Show Password Option
Veracode Dynamic Analysis includes these changes:
- Improved the Coverage Report to provide a summary view of both normal and attack traffic that Dynamic Analysis discovered during a scan.
- Removed the Show password checkbox for all authentication methods from the Veracode Platform page on which you create a Dynamic Analysis. You must now re-enter your credentials after changing a Dynamic Analysis configuration.
March 16, 2021
Updated Engine and New Limit on Discovered Flaws
Veracode Dynamic Analysis includes these changes:
- Updated the Dynamic Analysis engine to use Chromium version 88.0.4324.182.
- Set a limit on the number of flaws that Dynamic Analysis can discover during each analysis. If an analysis discovers more than 1000 flaws, it now exits automatically. This scenario is rare and typically indicates an error.
February 23, 2021
Updated Video - Create and Run an Unauthenticated Dynamic Analysis
- This video shows you how to create, configure, and schedule an unauthenticated Dynamic Analysis.
February 18, 2021
Dynamic Analysis REST API Scan Engine Variables
- Veracode Dynamic Analysis has a new feature that allows you to centrally manage credentials for login scripts by using variable names and storing the values centrally via the Dynamic Analysis API. This feature enables you to update credentials without having to re-upload your login script, and gives you the ability to separate credentials from your login scripts by using variable names in the files instead of the actual values. In addition, this functionality eliminates having to access the Veracode Platform to access credentials.
January 22, 2021
Changes to Reporting of CWE-829
- The Veracode Dynamic Analysis engine is improved to no longer map findings concerning missing or misconfigured CSP headers to CWE-829 when responses have no body.
Application Security Platform
December 9, 2021
OWASP Top 10 2021
- The Auto-Update OWASP requirement available for application security policies now reflects the 2021 version of the OWASP Top 10.
November 5, 2021
New Veracode Documentation URL
Deprecation of Veracode Documentation PDFs
- Veracode has deprecated the PDF files of publications available on the Veracode Documentation website. By December 2021, you will no longer be able to download these PDFs, but you can create custom PDFs using the print feature in your browser. To create a custom PDF, click Print (printer icon) in a publication title bar or to the right of a topic title, select the topics to include or exclude, then click Print.
September 28, 2021
API Rate Limit Enforcement
- Veracode is now enforcing API rate limiting to ensure optimal performance and availability of Veracode services.
September 15, 2021
Updated Subprocessor List
- Veracode has updated the list of subprocessors used to process customer personal information.
August 31, 2021
2021 CWE Top 25 Support
- The Auto-Update CWE Top 25 policy rule in Veracode security policies now reflects the 2021 CWE Top 25 standard. In a future release, Veracode will add the option to specifically select the 2021 CWE Top 25 standard in policy rules.
CWE 4.5 Support
- Veracode CWE support now reflects the changes MITRE introduced in version 4.5 of the CWE list.
August 12, 2021
- This video shows you how to create a custom policy in the Veracode Platform.
July 20, 2021
Improved Veracode Onboarding Experience
- Veracode has improved the onboarding experience to help developers and application security managers get started with Veracode. In the Veracode Platform, select Resource Center > Getting Started to open the new Getting Started with Veracode guidance, which provides a walk-through of Veracode products and training offerings.
July 8, 2021
- This video shows you how to create a new application profile in the Veracode Platform.
June 29, 2021
Improved Veracode Platform Homepage
- The homepage in the Veracode Platform is updated to make it easier to perform several common functions, such as generating API credentials.
May 25, 2021
Automatically Update to Latest Version of Security Standards in Policy Rules
- You can set rules in your application security policies that automatically update to use the most recent version of the supported security standards. With this update, you can require applications to comply with the latest version of security standards, such as OWASP Top 10 or CERT, as soon as Veracode supports them.
2020 CWE Top 25 Standard Available in Policy Rules
- Veracode now supports using the 2020 version of the CWE Top 25 standard as a requirement in application security policies.
PCI Standard Includes 2020 CWE Top 25 Most Dangerous Software Weaknesses
- A new version of the PCI security standard, which includes the 2020 CWE Top 25 most dangerous software weaknesses, is now available as a requirement in application security policies.
PCI Report Now Evaluated Against the Auto-Update PCI Standard
- The PCI report available from the Veracode Platform is now evaluated against the Auto-Update version of the PCI security standard. This update ensures that the report always uses the latest version of the PCI standard.
April 8, 2021
- You can now access the Veracode Community directly from the Veracode Platform without logging in to a separate Community account. The Veracode Community provides best practice documentation, new feature previews, and a forum for asking questions about how to most effectively use Veracode products and services.
April 7, 2021
Evaluation Timeframe for Security Policies
You can now include evaluation timeframes in Veracode application security policies to define when findings can impact policy compliance. In your policies, you can:
- Disallow findings opened after a specific date to ignore technical debt.
- Disallow findings opened before a specific date to ignore new findings that are out of scope for an audit requirement.
April 6, 2021
End of Browser Support for Legacy Versions of Safari and Android
Veracode no longer supports these legacy versions of Safari and Android because of their use of weak ciphers (TLS 1.2):
- Safari 6 on iOS 6.0.1
- Safari 7 on iOS 7.1
- Safari 8 on iOS 8.4
- Safari 7 on OS X 10.9
- Safari 8 on OS X 10.10
- Android 5.0.0
- Android 6.0
You cannot access analysiscenter.veracode.com using these browsers.
Administrators Cannot Assign Applications to Teams
- Administrators in the Veracode Platform can no longer assign applications to teams unless they have another role that grants them permission to edit application profiles. Veracode removed this rarely used functionality to provide a more consistent experience for users.
Allow Access to New URL for Penetration Testing Services
- Veracode has introduced a new URL for a future feature that will support better reporting of our penetration testing services. If you restrict access to public internet sites for your organization, add pt.analysiscenter.veracode.com to your allowlist.
March 31, 2021
Changes to Email Addresses Require Verification
- If you update the email address in your Veracode Platform user account, Veracode sends you an email to confirm the new address. You must confirm the email address to complete the update.
March 26, 2021
New Analytics Dimension for Findings and Scans
- Veracode Analytics provides you with the ability to filter findings and scans based on their archive status. You can use these filters to easily find findings and scans that Veracode deleted as part of the sandbox scan retention process.
March 22, 2021
- Veracode has improved the usability of the user management options in the Veracode Platform. Administrators and Team Admins can now search for users by name, email address, username, or API ID.
March 9, 2021
Veracode Analytics Updates to the SCA Findings Dashboard
- Veracode has updated the SCA Findings dashboard to improve the visualization of data and provide more information on how fixing code libraries impacts findings.
February 9, 2021
- Veracode Analytics now provides more details about findings that relate to your Static Analysis scans, including the function name, class path, and most recent line number in which Veracode discovers the findings. This data enables you to recreate a similar view as the Triage Flaw view in the Veracode Platform, but across multiple application profiles.
February 8, 2021
New Security Program Overview Dashboard in Veracode Analytics
- Veracode Analytics provides a new dashboard that contains data to help you track and understand how your AppSec program is trending, based on your target goals. With this dashboard, you can see current and historical trends for policy compliance, as well as better understand policy compliance behavior. New information available to you includes details such as how an application is meeting compliance over time.
January 26, 2021
Improved User Interface for Managing Applications
- Veracode has updated the user interface in the Veracode Platform for creating, viewing, updating, and deleting applications to improve usability.
January 19, 2021
Improved Email Notifications for Expiring API Credentials
- Veracode sends an email notification when your Veracode API credentials are about to expire. The email now displays your API username for quickly identifying the account for which you need to generate new credentials.
Software Composition Analysis
November 12, 2021
SCA Component License Rules in Policies
You can now apply these configurations to the component license rules in your application security policies:
- Allow or disallow non-OSS licenses
- Specify how to classify components with multiple licenses
- Add a blocklist or allowlist of specific licenses
If an application does not pass the component license rule, the Veracode Platform displays the requirement that caused the component to violate policy.
October 28, 2021
Agent-Based Scan Project Table Displays Multiple Languages
- The Project List table on the Agent-Based Scan page of the Veracode Platform now indicates if projects use multiple programming languages or operating systems. The Language/OS column displays the full list of languages and operating systems in use in the project repository.
October 7, 2021
Extended Support for Maven Libraries
- Veracode Software Composition Analysis (SCA) has improved the Veracode Vulnerability Database to include library support for Google Maven, Spring Maven, and Cloudera Maven.
September 23, 2021
New API Endpoint for Listing Libraries by Project
- The Veracode SCA Agent REST API includes a new endpoint for querying libraries by the project ID. This endpoint enables you to view libraries in a specific project in an agent-based scan workspace.
September 22, 2021
Decimal Values for CVSS Scores in Policy Rules
- Veracode security policies now support using values that include decimals when specifying the allowable CVSS score for vulnerabilities in Veracode Software Composition Analysis (SCA) scans. For example, you can set policies to not allow vulnerabilities with a CVSS score of 6.1 or above.
July 15, 2021
My Workspace
- My Workspace provides developers a personal testing space for up to three agent-based scan projects without requiring administrative setup or permission configuration. If you currently use Software Composition Analysis (SCA) upload and scan, Veracode recommends using My Workspace to explore the additional features available with agent-based scanning, such as dependency mapping, vulnerable methods, and automated pull requests.
- My Workspace is available for all Veracode SCA users.
June 21, 2021
New Grace Periods for SCA Policy Rules
- Veracode supports configuring new grace periods in policy rules for Veracode Software Composition Analysis (SCA) scans. The new grace periods are independent of the grace periods you can configure for Veracode Static Analysis and Dynamic Analysis. You can use this feature to manage the different compliance needs of first-party code and open-source libraries in your security program within the same security policy.
April 6, 2021
License Risk Mitigations
- License risk mitigations are now available for Veracode Software Composition Analysis (SCA) upload scans. You can use a new set of mitigation actions relevant to licenses to mitigate license risk findings based on your assessment of the license in use.
Improved Visibility into SCA Upload Scans
- You can now view the status of initialized, in progress, and failed Software Composition Analysis upload scans in the Veracode Platform. If a scan fails, you can restart the SCA scan without restarting the associated Static Analysis.
March 26, 2021
Unified Documentation for Veracode SCA
- All Help Center documentation for Veracode Software Composition Analysis (SCA), including agent-based scanning and static upload scanning, now appears in a single Veracode Software Composition Analysis section. Additionally, new content is available with information about getting started with Veracode SCA.
- If you bookmarked any URLs for Veracode SCA Help Center content, this update may impact them.
January 21, 2021
New API Endpoint for Listing Issues by Project
- The Veracode SCA Agent REST API includes a new endpoint for querying issues by the project ID. This endpoint enables you to view issues specific to a project in an agent-based scan workspace. If the project is a container, the API also lists all issues linked to projects inside the container.
Veracode Integrations
December 10, 2021
Veracode Integration for CA Agile Central/Rally Now End-of-Life
- The Veracode Integration for CA Agile Central/Rally is now end-of-life and no longer supported. The plugin and documentation are no longer available. To avoid potential security vulnerabilities, Veracode strongly recommends that you uninstall this integration. To integrate with other ticketing systems, visit the Veracode Integrations Hub.
November 22, 2021
Java API Wrapper Now Retries Requests
- Veracode Java API Wrapper version 21.11.9.0 updates the maxretrycount parameter to now retry requests that fail due to certain error conditions. Previously, this parameter polled for failed build status and only applied to the uploadandscan action.
October 18, 2021