
SCA updates - Commercial


The updates on this page apply to Veracode Software Composition Analysis (SCA) in the Commercial Region.

March 27, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 21, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 15, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of Ruby and iOS projects.

March 5, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of iOS projects.

February 29, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET, Go, Java Gradle, and Scala SBT projects.

February 27, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET projects.

February 8, 2024

Vulnerable methods for Go

Veracode SCA agent-based scanning now supports detecting vulnerable methods in Go projects that use Go modules as the package manager.

Gradle scanning enhancement

Veracode SCA agent-based scanning now supports scanning Gradle projects without access to the plugin on maven.apache.org. See Run an agent-based scan for Gradle for more details.

New include_metrics parameter for getWorkspaces API

Veracode has added the include_metrics parameter to the getWorkspaces API. When the parameter is TRUE, the payload is unchanged and still includes issue counts and the other workspace metrics. When the parameter is FALSE, the API responds more quickly but returns only the following fields for each workspace: id, name, projects_count, and site_id.

Through March 31st, 2024, the default value for the include_metrics parameter is TRUE. On April 1st, the default will change to FALSE. If you have automation that relies on having issue counts and other metrics, Veracode recommends you adjust the parameter in your API call before April 1st.
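The safe way to absorb the default change is to never rely on the server default at all: send include_metrics explicitly and refuse metric-less records before they reach code that reads issue counts from them. The following Python helper is an added example, not Veracode's code. It assumes the endpoint is GET /srcclr/v3/workspaces on api.veracode.com and that the workspace list comes back in a HAL envelope under _embedded.workspaces (check both against the SCA Agent REST API docs); because the metric field names are not given on this page, the check is shape-based, treating anything beyond the four minimal fields as a metric. The sample payloads are constructed, not captured from the API.

```python
"""Pin include_metrics on getWorkspaces and fail fast when metrics are missing.

Added example, not Veracode's own code. Assumptions: endpoint path and HAL
envelope as noted in the comments below.
"""
from urllib.parse import urlencode

API_BASE = "https://api.veracode.com/srcclr/v3"  # assumption: SCA Agent REST API base

# The page states these four fields are all that come back with include_metrics=false.
MINIMAL_FIELDS = frozenset({"id", "name", "projects_count", "site_id"})


def workspaces_url(include_metrics: bool, base: str = API_BASE) -> str:
    """Always send include_metrics explicitly; the server default flips on April 1, 2024."""
    query = urlencode({"include_metrics": str(include_metrics).lower()})
    return f"{base}/workspaces?{query}"


def extract_workspaces(payload) -> list:
    """Accept a bare list or the assumed HAL envelope (_embedded.workspaces)."""
    if isinstance(payload, list):
        return payload
    return payload.get("_embedded", {}).get("workspaces", [])


def has_metrics(workspace: dict) -> bool:
    """True when the record carries anything beyond the minimal fields.
    _links is ignored because HAL payloads carry it regardless of include_metrics."""
    return bool(set(workspace) - MINIMAL_FIELDS - {"_links"})


def workspaces_with_metrics(payload) -> list:
    """Return the workspace list, or raise if any record came back without metrics,
    which is what a silently changed include_metrics default looks like."""
    workspaces = extract_workspaces(payload)
    stripped = [str(w.get("name", w.get("id"))) for w in workspaces if not has_metrics(w)]
    if stripped:
        raise ValueError(
            "workspaces returned without metrics (include_metrics=false?): " + ", ".join(stripped)
        )
    return workspaces


def fetch_workspaces(include_metrics: bool = True) -> list:
    """Live call. Needs the requests and veracode-api-signing packages and API
    credentials in ~/.veracode/credentials or VERACODE_API_KEY_ID/_SECRET."""
    import requests
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC

    resp = requests.get(workspaces_url(include_metrics), auth=RequestsAuthPluginVeracodeHMAC(), timeout=60)
    resp.raise_for_status()
    payload = resp.json()
    return workspaces_with_metrics(payload) if include_metrics else extract_workspaces(payload)
```

If you only need names and IDs (for example, to enumerate workspaces before a per-workspace issues query), call fetch_workspaces(include_metrics=False) and take the faster response; the validation only applies when you asked for metrics.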

January 23, 2024

Maven scanning enhancement

Veracode SCA agent-based scanning now supports scanning Maven projects without access to the plugin on maven.apache.org. See Run an agent-based scan for Maven for more details.

Fix for Python scans

Veracode fixed an issue that caused an error in SCA agent-based scans of Python projects when using a newer version of pipenv.

January 5, 2024

SCA API enhancements

Veracode has fixed an issue that caused the SCA Agent Issues APIs to exclude fixed issues from the payload when the vuln_methods parameter was set to true. This fix applies to scans performed after January 5th, 2024.

Additionally, the getProjectIssues endpoint now supports all of the same parameters as the getWorkspaceIssues endpoint.

January 4, 2024

Veracode Vulnerability Database now includes exploit information

The Veracode Vulnerability Database now includes data from both the Exploit Prediction Scoring System (EPSS) and the Cybersecurity & Infrastructure Security Agency Known Exploited Vulnerabilities (KEV) catalog. To access this data, you must sign in to the Veracode Platform. For more information, see Understanding SCA exploitability information.

December 19, 2023

SCA agent enhancement

The SCA agent can now scan target directories that contain spaces when SRCCLR_NO_GIT is set to 1.

December 18, 2023

APIs now include KEV data

Veracode has added data from the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog to the SCA Agent Issues APIs and the Findings API. See Understanding SCA exploitability information for more details.

December 11, 2023

SCA App-Linking REST API

Veracode has released the SCA App-Linking REST API. You can use this API to link a project for SCA agent-based scans to an application profile. The linked application profile receives all libraries, licenses, and discovered vulnerabilities from that project, along with all results from SCA Upload scans. To link a project, use the linkAppProject endpoint. To unlink a project, use the unlinkAppProject endpoint.

SCA agent enhancement

Veracode has fixed an issue that prevented the SCA agent from cleaning up local scan directories and added enhancements to the agent that will be used in the future for scanning Java projects.

December 4, 2023

SCA agent enhancement

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 21, 2023

SCA agent enhancement

Veracode has added several enhancements and fixes to the SCA agent.

November 14, 2023

SCA agent enhancement

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 6, 2023

API to propose and approve mitigations for SCA findings

Veracode has released the SCA Annotations REST API. This API includes the getSCAannotations endpoint to retrieve comments and mitigations applied to findings from SCA upload scans and the createSCAannotations endpoint to annotate SCA upload findings, including adding comments and proposing, accepting, and rejecting mitigations.

The SCA Annotations API specification is available on SwaggerHub.

This API is not part of the Annotations API, which works with findings from Static Analysis and Dynamic Analysis.

October 11, 2023

Exploit probability (EPSS) added to Findings API

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the Findings REST API. See Understanding SCA exploitability information for more details.

Fixed SCA agent error

Veracode has fixed an issue that caused a null pointer exception when performing an agent-based scan on some projects.

September 27, 2023

Correction of SCA Fix By dates in sandboxes

Veracode has fixed an issue impacting the calculation of Fix By dates in sandbox scans. Previously, SCA used the scan date or the scan promotion date as the date that a component was first found, causing the Fix By date to be pushed out continuously. This fix is not retroactive and only impacts scans completed after Sept 27, 2023.

September 22, 2023

Assign policies to SCA agent-based scan workspaces

The new Unified Policy feature allows you to assign policies to workspaces used for SCA agent-based scans. Like the existing agent rules, you can use policies to create issues and break your build based on certain criteria. See more details about applying rules to a policy, assigning policies to agent-based workspaces, and setting default policies.

Veracode will migrate customers from agent rules to Unified Policy in batches and will retire agent rules before April 1, 2024.

August 28, 2023

Agent-based scan UI now displays CVSS v3

Because the National Vulnerability Database stopped supporting CVSS v2 in July 2022 and most users have moved to v3, the Library and Vulnerability pages of SCA's agent-based scan user interface now display CVSS v3 scores, instead of v2. You must clear the cache in your web browser to see these changes.

To also display CVSS v3 on the workspace Issue pages and the project Issue tab, you must update your agent rules to use CVSS v3.

August 16, 2023

Enhancements to SCA agent dependency graph traversal

Veracode has improved the performance of the SCA agent by optimizing how it handles dependencies with very complicated and intertwined dependency graphs.

August 8, 2023

Exploit probability (EPSS) added to SCA Agent APIs

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the SCA Agent REST APIs. See Understanding SCA Exploitability Information for more details.

July 28, 2023

API to retrieve list of SCA agent projects linked to an application

Veracode has released the getApplicationProjects API to allow users to retrieve a list of SCA agent projects that are linked to a specific application. Users who have rights to call the getApplications API may also call the getApplicationProjects API.

July 21, 2023

Enhancements to .NET scanning

Veracode has added the following enhancements to SCA scanning for .NET applications:

  • Reduced false positives and false negatives in SCA upload scans by adding support for deps.json and project.assets.json files.
  • Enhanced SCA Agent scans by adding the ability to perform --quick scans on NuGet projects.

July 11, 2023

Additional roles can call SBOM APIs

Veracode has expanded the list of roles that are allowed to call the CycloneDX Software Bill of Materials (SBOM) API and the SPDX SBOM API. See the SBOM API instructions for application profiles and agent-based projects for details.

June 28, 2023

SCA agent CLI now displays CVSS v3 severities

The Vulnerabilities section of the Summary Report that appears in your CLI after an SCA agent-based scan now displays CVSS v3 severities, instead of v2.

The Issues section still displays CVSS v2 severities by default, but you can edit the severity in your agent-based scanning rules to reflect v3. If you have not modified your rules to use CVSS v3, Veracode recommends setting up organization-level rules to avoid having to edit rules on every workspace individually.

June 20, 2023

Support for v3 format of NPM lockfiles

Veracode has added support for NPM lockfile format version 3. See Run an Agent-Based Scan for NPM or JavaScript and TypeScript Packaging for details.

May 15, 2023

Fixed agent error for Yarn scans

Veracode has fixed an issue causing SCA agent-based scans of Yarn projects to erroneously fail.

May 9, 2023

Upgraded JRE for SCA agent

Veracode has upgraded the Java Runtime Environment (JRE) for the SCA agent from version 11 to 17.

Added GNU Privacy Guard to SCA agent downloads

Veracode has added GNU Privacy Guard (GPG) signature files to all SCA agent downloads so that you can verify the integrity and origin of an agent download before installing it.
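A detached signature only helps if the verification step is strict: a bare gpg --verify exits 0 for a good signature from any key in your keyring, so the check must also confirm which key signed the archive. The shell function below is an added example, not Veracode's own script. It assumes the signature ships as a detached .asc file next to the archive and that you have already imported Veracode's signing key and taken its fingerprint from Veracode's documentation (the fingerprint is not on this page, so it is passed in rather than hard-coded). The archive names in the usage line are illustrative.

```sh
#!/bin/sh
# Verify the detached GPG signature on an SCA agent download before unpacking it.
# Added example, not Veracode's own script. Assumptions: <download>.asc is the
# detached signature, and the expected signing-key fingerprint is supplied by
# the caller from Veracode's docs.

# verify_download FILE SIGNATURE EXPECTED_FINGERPRINT
# Returns 0 only if the signature is valid AND was made by the expected key.
verify_download() {
    file=$1
    sig=$2
    want_fpr=$3
    if [ ! -f "$file" ] || [ ! -f "$sig" ]; then
        echo "verify_download: missing $file or $sig" >&2
        return 1
    fi
    # --status-fd 1 emits machine-readable status lines on stdout. A failed
    # verification (bad signature, unknown key) makes gpg exit non-zero.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || {
        echo "verify_download: bad or missing signature on $file" >&2
        return 1
    }
    # VALIDSIG's first field is the fingerprint of the key that made the
    # signature; match it so a valid signature from some other imported key
    # (a trojaned mirror, a stale key) is still rejected.
    case "$status" in
        *"[GNUPG:] VALIDSIG $want_fpr "*) return 0 ;;
    esac
    echo "verify_download: signature on $file is not from key $want_fpr" >&2
    return 1
}

# Usage (illustrative file names):
#   verify_download srcclr.tgz srcclr.tgz.asc <FINGERPRINT-FROM-VERACODE-DOCS>
if [ "$#" -eq 3 ]; then
    verify_download "$1" "$2" "$3"
fi
```

Run it in the CI job that fetches the agent, and make the job fail on a non-zero exit; a signature check that only logs a warning does not close the supply-chain gap it is meant to close.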

May 3, 2023

Fixed scope parameter for NPM scans

Veracode has resolved an issue impacting the scope parameter for SCA agent-based scans of NPM projects.

April 14, 2023

SCA agent enhancements

Veracode has added the following enhancements to the SCA agent:

  • Support for Gradle version 8.
  • The default scope for scans of NPM projects is now production dependencies instead of all dependencies.

Temporarily ignore issues from agent-based scans

You can now specify a date for Veracode to stop ignoring issues from SCA agent-based scans.

April 6, 2023

Enhancements to Go scanning

Veracode has added the following enhancements to SCA scanning for Go projects:

  • Reduced false positives.
  • Reduced false negatives.
  • Increased scan speed.
  • Fixed an issue that removed component names when agent-based scan results were linked to an application.
  • Fixed an issue that caused indirect dependencies to appear in agent-based scan results as direct libraries instead of transitive libraries.

April 4, 2023

Enhanced SCA agent support for Java 17 features

Veracode SCA has improved agent-based scan support for projects that contain Java 17 features.

April 3, 2023

NVD severity ratings for SCA upload scans

Veracode Software Composition Analysis (SCA) upload scans now support displaying updated severity ratings that more closely match the National Vulnerability Database (NVD) severity ratings. To enable this feature for your account, contact Veracode Technical Support.

March 16, 2023

New mitigation type available for SCA upload scans

You can now choose to accept the risk of specific vulnerabilities and licenses as part of your mitigation process for Veracode SCA upload scans. This mitigation type is already available for Veracode Static Analysis and Dynamic Analysis.

February 3, 2023

Region flag for agent-based scans

Veracode SCA agent-based scans now provide a region flag that you can use to configure accounts in the European Region and United States Federal Region.

February 2, 2023

JRE upgrade for SCA agent

Veracode has upgraded the Java Runtime Environment (JRE) that is bundled with the Software Composition Analysis (SCA) agent.

January 13, 2023

Improved SCA support for Python 3

Veracode Software Composition Analysis (SCA) agent-based scans now more effectively locate local Python 3 installations.

December 21, 2022

Generate SBOM in SPDX format

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) in SPDX JSON format from the results of your Veracode SCA upload scans.

December 14, 2022

SCA support for Android

Veracode Software Composition Analysis (SCA) now supports scanning Android projects. This support includes AAR files for agent-based scans and APK and AAB files for upload scans.

September 15, 2022

SCA support for Go aliases

Veracode Software Composition Analysis (SCA) now supports aliases in Go projects. This support includes agent-based and upload scans.

Vulnerable method support for Java 17

Veracode SCA agent-based scanning now supports vulnerable method analysis for Java 17.

August 22, 2022

Set SCM URI as project name

You can now set the source code management (SCM) URI as your project name using the --uri-as-name option in your Veracode SCA agent-based scans.

July 22, 2022

SBOM API support for SCA agent-based scans linked to application profiles

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans that you have linked to an application profile. The API generates an SBOM in CycloneDX JSON format.

June 6, 2022

Generate SBOMs for SCA agent-based scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans. The API generates an SBOM in CycloneDX JSON format.

May 9, 2022

SBOM API support for promoted sandbox scans

You can now generate a software bill of materials (SBOM) for Veracode SCA upload scans that have been promoted from sandbox to policy scans. The Veracode SCA Agent REST API includes promoted sandbox scan results when it returns a CycloneDX SBOM for an application.

SCA upload and scan table update

Veracode has removed the Number of Known Vulnerabilities by Severity column from the Applications table on the Upload and Scan page in the Veracode Platform. This update significantly reduces load times for the page. You can still view the number of known vulnerabilities by severity for each application in the application profile.

April 26, 2022

Generate SBOMs for SCA upload scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA upload scans. The API generates an SBOM in CycloneDX JSON format.

January 20, 2022

JSON output for agent-based scans includes CVSS v3 score

Veracode Software Composition Analysis (SCA) now provides the CVSS version 3 score in the JSON CLI output of your agent-based scan results. To use this feature, you must upgrade your Veracode SCA agent to version 3.7.77 or later.