Skip to main content

SCA updates - Commercial

· 10 min read

The updates on this page apply to Veracode Software Composition Analysis (SCA) in the Commercial Region.

November 21, 2023

SCA Agent Enhancement

Veracode has added several enhancements and fixes to the SCA agent.

November 14, 2023

SCA Agent Enhancement

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 6, 2023

API to propose and approve mitigations for SCA findings

Veracode has released the SCA Annotations REST API. This API includes the getSCAannotations endpoint to retrieve comments and mitigations applied to findings from SCA upload scans and the createSCAannotations endpoint to annotate SCA upload findings, including adding comments and proposing, accepting, and rejecting mitigations.

The SCA Annotations API specification is available on SwaggerHub.

This API is not part of the Annotations API, which works with findings from Static Analysis and Dynamic Analysis.

October 11, 2023

Exploit Probability (EPSS) Added to Findings API

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the Findings REST API. Developed by FIRST.org, who also created the Common Vulnerability Scoring System (CVSS), the EPSS model produces a score between 0 and 1 (0 and 100%) that estimates the probability that a software vulnerability will be exploited in the wild. The data also includes the percentile of the current score, which shows the percentage of all vulnerabilities with the same or lower EPSS score. Veracode encourages customers to use EPSS data to prioritize which vulnerabilities to fix first.

Fixed SCA Agent Error

Veracode has fixed an issue that caused a null pointer exception when performing an agent-based scan on some projects.

September 27, 2023

Correction of SCA Fix By Dates in Sandboxes

Veracode has fixed an issue impacting the calculation of Fix By dates in sandbox scans. Previously, SCA used the scan date or the scan promotion date as the date that a component was first found, causing the Fix By date to be pushed out continuously. This fix is not retroactive and only impacts scans completed after Sept 27, 2023.

September 22, 2023

Assign Policies to SCA Agent-Based Scan Workspaces

The new Unified Policy feature allows you to assign policies to workspaces used for SCA agent-based scans. Like the existing agent rules, you can use policies to create issues and break your build based on certain criteria. See more details about applying rules to a policy, assigning policies to agent-based workspaces, and setting default policies.

Veracode will migrate customers from agent rules to Unified Policy in batches and will retire agent rules before April 1, 2024.

August 28, 2023

Agent-Based Scan UI Now Displays CVSS v3

Because the National Vulnerability Database stopped supporting CVSS v2 in July 2022 and most users have moved to v3, the Library and Vulnerability pages of SCA's agent-based scan user interface now display CVSS v3 scores, instead of v2. You must clear the cache in your web browser to see these changes.

To also display CVSS v3 on the workspace Issue pages and the project Issue tab, you must update your agent rules to use CVSS v3.

August 16, 2023

Enhancements to SCA Agent Dependency Graph Traversal

Veracode has improved the performance of the SCA agent by optimizing how it handles dependencies with very complicated and intertwined dependency graphs.

August 8, 2023

Exploit Probability (EPSS) Added to SCA Agent APIs

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the SCA Agent REST APIs. Developed by FIRST.org, who also created the Common Vulnerability Scoring System (CVSS), the EPSS model produces a score between 0 and 1 (0 and 100%) that estimates the probability that a software vulnerability will be exploited in the wild. The data also includes the percentile of the current score, which shows the percentage of all vulnerabilities with the same or lower EPSS score. Veracode encourages customers to use EPSS data to prioritize which vulnerabilities to fix first.

July 21, 2023

Enhancements to .NET Scanning

Veracode has added the following enhancements to SCA scanning for .NET applications:

  • Reduced false positives and false negatives in SCA upload scans by adding support for deps.json and project.asset.json files.
  • Enhanced SCA Agent scans by adding ability to perform --quick scans on NuGet projects.

July 28, 2023

API to Retrieve List of SCA Agent Projects Linked to an Application

Veracode has released the getApplicationProjects API to allow users to retrieve a list of SCA agent projects that are linked to a specific application. Users who have rights to call the getApplications API may also call the getApplicationProjects API.

July 11, 2023

Additional Roles Can Call SBOM APIs

Veracode has expanded the list of roles that are allowed to call the CycloneDX Software Bill of Materials (SBOM) API and the SPDX SBOM API. See the SBOM API instructions for application profiles and agent-based projects for details.

June 28, 2023

SCA Agent CLI Now Displays CVSS v3 Severities

The Vulnerabilities section of the Summary Report that appears in your CLI after an SCA agent-based scan now displays CVSS v3 severities, instead of v2.

The Issues section still displays CVSS v2 severities by default, but you can edit the severity in your agent-based scanning rules to reflect v3. If you have not modified your rules to use CVSS v3, Veracode recommends setting up organization-level rules to avoid having to edit rules on every workspace individually.

June 20, 2023

Support for v3 Format of NPM Lockfiles

Veracode has added support for NPM lockfile format version 3. See Run an Agent-Based Scan for NPM or JavaScript and TypeScript Packaging for details.

May 15, 2023

Fixed Agent Error for Yarn Scans

Veracode has fixed an issue causing SCA agent-based scans of Yarn projects to erroneously fail.

May 9, 2023

Upgraded JRE for SCA Agent

Veracode has upgraded the Java Runtime Environment (JRE) for the SCA agent from version 11 to 17.

Added GNU Privacy Guard to SCA Agent Downloads

Veracode has added GNU Privacy Guard (GPG) signature files to all SCA agent downloads to verify you are downloading a valid version.

May 3, 2023

Fixed Scope Parameter for NPM Scans

Veracode has resolved an issue impacting the scope parameter for SCA agent-based scans of NPM projects.

April 14, 2023

SCA Agent Enhancements

Veracode has added the following enhancements to the SCA agent:

Temporarily Ignore Issues from Agent-Based Scans

You can now specify a date for Veracode to stop ignoring issues from SCA agent-based scans.

April 6, 2023

Enhancements to Go Scanning

Veracode has added the following enhancements to SCA scanning for Go projects:

  • Reduced false positives.
  • Reduced false negatives.
  • Increased scan speed.
  • Fixed an issue that removed component names when agent-based scan results were linked to an application.
  • Fixed an issue that caused indirect dependencies to appear in agent-based scan results as direct libraries instead of transitive libraries.

April 4, 2023

Enhanced SCA Agent Support for Java 17 Features

Veracode SCA has improved agent-based scan support for projects that contain Java 17 features.

April 3, 2023

NVD Severity Ratings for SCA Upload Scans

Veracode Software Composition Analysis (SCA) upload scans now support displaying updated severity ratings that more closely match the National Vulnerability Database (NVD) severity ratings. To enable this feature for your account, contact Veracode Technical Support.

March 16, 2023

New Mitigation Type Available for SCA Upload Scans

You can now choose to accept the risk of specific vulnerabilities and licenses as part of your mitigation process for Veracode SCA upload scans. This mitigation type is already available for Veracode Static Analysis and Dynamic Analysis.

February 3, 2023

Region Flag for Agent-Based Scans

Veracode SCA agent-based scans now provide a region flag that you can use to configure accounts in the European Region and United States Federal Region.

February 2, 2023

JRE Upgrade for SCA Agent

Veracode has upgraded the Java Runtime Environment (JRE) that is bundled with the Software Composition Analysis (SCA) agent.

January 13, 2023

Improved SCA Support for Python 3

Veracode Software Composition Analysis (SCA) agent-based scans now more effectively locate local Python 3 installations.

December 21, 2022

Generate SBOM in SPDX Format

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) in SPDX JSON format from the results of your Veracode SCA upload scans.

December 14, 2022

SCA Support for Android

Veracode Software Composition Analysis (SCA) now supports scanning Android projects. This support includes AAR files for agent-based scans and APK and AAB files for upload scans.

September 15, 2022

SCA Support for Go Aliases

Veracode Software Composition Analysis (SCA) now supports aliases in Go projects. This support includes agent-based and upload scans.

Vulnerable Method Support for Java 17

Veracode SCA agent-based scanning now supports vulnerable method analysis for Java 17.

August 22, 2022

Set SCM URI as Project Name

You can now set the source code management (SCM) URI as your project name using the --uri-as-name option in your Veracode SCA agent-based scans.

July 22, 2022

SBOM API Support for SCA Agent-Based Scans Linked to Application Profiles

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans that you have linked to an application profile. The API generates an SBOM in CycloneDX JSON format.

June 6, 2022

Generate SBOMs for SCA Agent-Based Scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans. The API generates an SBOM in CycloneDX JSON format.

May 9, 2022

SBOM API Support for Promoted Sandbox Scans

You can now generate a software bill of materials (SBOM) for Veracode SCA upload scans that have been promoted from sandbox to policy scans. The Veracode SCA Agent REST API includes promoted sandbox scan results when it returns a CycloneDX SBOM for an application.

SCA Upload and Scan Table Update

Veracode has removed the Number of Known Vulnerabilities by Severity column from the Applications table on the Upload and Scan page in the Veracode Platform. This update significantly reduces load times for the page. You can still view the number of known vulnerabilities by severity for each application in the application profile.

April 26, 2022

Generate SBOMs for SCA Upload Scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA upload scans. The API generates an SBOM in CycloneDX JSON format.

January 20, 2022

JSON Output for Agent-Based Scans Includes CVSS v3 Score

Veracode Software Composition Analysis (SCA) now provides the CVSS version 3 score in the JSON CLI output of your agent-based scan results. To use this feature, you must upgrade your Veracode SCA agent to version 3.7.77 or later.