
SCA updates


The updates on this page apply to Veracode Software Composition Analysis (SCA). Updates that apply to specific Veracode regions show a region icon.

December 16, 2024

New URL for downloading the SCA agent

This update changes the default URL for downloading files from https://download.sourceclear.com to https://sca-downloads.veracode.com. Both URLs will be available for the next 12 months. After that time, https://download.sourceclear.com will no longer be available.

December 12, 2024

SCA agent enhancement

Veracode added enhancements to the agent to support auto-packaging. These enhancements will not impact SCA agent-based scanning.

November 18, 2024

SCA agent enhancement

Veracode added enhancements to the agent to support auto-packaging. These enhancements will not impact SCA agent-based scanning.

October 16, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET, Go, Python, and iOS projects.

October 4, 2024

SCA agent URL change

The default URL for the Veracode Platform backend API that the SCA agent uses to manage scans for Commercial customers has changed from https://api.sourceclear.io to https://sca-api.veracode.com. Both URLs will continue to work for the next 12 months, at which point the legacy SourceClear URL will be retired.

For more details on the configuration settings that use these URLs, see SCA agent configuration values and SCA agent environment variables.

September 12, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of Python, PHP, and iOS projects.

September 4, 2024

SBOM scanning enhancement

Veracode has added support for scanning SBOM files as part of SCA upload scans.

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of JavaScript projects.

August 27, 2024

SBOM scanning enhancement

Veracode has added support for scanning SBOM files as part of SCA agent-based scans.

August 21, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of Java Maven projects.

August 1, 2024

Fix for agent-based scans of Yarn projects

Fixed an issue that caused SCA agent-based scans to miss transitive dependencies in Yarn 4 projects.

July 23, 2024

Improved handling of circular references

Veracode has improved how SCA upload and agent-based scans handle circular references in NPM projects.

July 16, 2024

SCA agent enhancement

Veracode added enhancements to the agent in preparation for future scanning of .NET projects.

July 15, 2024

Vulnerability side pane added to new SCA homepage (Beta)

You can now access vulnerability details in a side pane on the Vulnerabilities tab of the new Beta version of the SCA homepage.

July 3, 2024

SCA results data export

The SCA Results Export that you can download from the Export Data page in the Veracode Platform now contains 13 months of data instead of 24 months of data.

June 28, 2024

SCA agent enhancement

Veracode added enhancements to the agent in preparation for future scanning of .NET projects.

June 25, 2024

Vulnerable method support for Java 21, 22, and 23

Veracode SCA agent-based scanning now supports vulnerable method analysis for Java versions 21, 22, and 23.

June 24, 2024

New component metrics added to SCA agent results

If an SCA agent-based scan detects a component from a GitHub repository, the CLI summary and the JSON file now include metrics about that repository. Metrics include the number of commits, how long the repository has been stagnant, and more.

June 11, 2024

New Component Activity API

Veracode has released a new API to help you understand the health of your components. You can submit library coordinates, and if the library comes from a GitHub repository, the API retrieves metrics about that repository. Metrics include the number of commits, how long the repository has been stagnant, and more. The SCA Component Activity API specification is available on SwaggerHub for more details.

May 30, 2024

Vulnerabilities and Licenses tabs added to new SCA homepage (Beta)

You can now see all vulnerabilities from scans performed after March 27, 2024 on the Vulnerabilities tab of the Beta version of the new SCA homepage. This tab also includes exploitability information from EPSS, KEV, and Exploit-DB. License risks from scans you ran after March 27, 2024 are available on the Licenses tab.

To access the Beta version of the new SCA homepage, select Scans & Analysis > Software Composition Analysis, and then turn on New SCA Home (Beta).

May 28, 2024

SCA agent enhancement

Veracode added enhancements to the agent in preparation for future scanning of .NET projects.

May 22, 2024

SCA agent enhancement

Veracode added enhancements to the agent in preparation for future scanning of .NET projects.

May 15, 2024

Fix for SCA scans of NPM projects

Veracode has fixed an issue that caused some SCA upload scans, and some agent-based scans using the --quick flag, to not detect libraries in NPM projects when the project version in the package.json file was empty and the package-lock.json file used the v3 format.

May 8, 2024

Fix for SCA agent-based scans of NPM projects

Veracode has fixed an issue that caused some SCA agent-based scans to identify libraries in NPM projects as transitive dependencies when they are both direct and transitive dependencies.

April 30, 2024

Exploitability data added to JSON file produced by SCA agent

The JSON file produced by SCA agent-based scans now includes the following exploitability data:

April 29, 2024

SCA agent enhancement

This update includes the following improvements for SCA agent-based scans:

  • Veracode proxy authentication is more reliable.
  • Improved support of projects that use the version 2 format of yarn.lock.

April 24, 2024

Fixed SCA agent error

Veracode has fixed an issue that caused some agent-based scans to fail when Maven is not installed locally.

April 23, 2024

Additions to JSON file produced by SCA agent

The JSON file produced by SCA agent-based scans now includes the following enhancements:

  • Includes the Common Vulnerability Scoring System (CVSS) vector string for each vulnerability
  • Associates each vulnerable method with a specific vulnerability

April 17, 2024

Veracode Vulnerability Database now includes data from Exploit-DB

The Veracode Vulnerability Database now includes data from Exploit-DB. You can view this data using the SCA Agent Issues APIs and the Findings API. For more information, see Understanding SCA exploitability information.

April 16, 2024

Fix for SCA agent update advisor

Veracode has fixed an issue that caused the SCA agent update advisor to not work properly when a repository was cloned over HTTPS instead of SSH.

April 11, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of iOS and .NET projects and fixed a bug caused by libraries with no versions in Go projects.

April 3, 2024

API to scan SBOMs

Veracode has released a REST API for scanning SBOMs. You can use this API to upload and scan an SBOM to identify vulnerabilities associated with the libraries listed in the SBOM. The API can produce a new SBOM that includes results from the scan in CycloneDX or SPDX format. For more information, see SBOM Scan REST API.

April 2, 2024

Reporting changes for ‘conditional pass’ SCA findings

Even though policy status can have three possible values—pass, fail, and conditional pass—several reports and APIs with finding-level policy status fields are limited to only two possible values, such as true and false. Veracode has changed how it populates these fields for SCA upload scans to be more consistent with Static Analysis scans.

These changes only affect findings with a conditional pass status. There is no impact on how Veracode calculates the application-level policy status or how the user interface displays the finding-level policy status. For more details, review the post in the Product Announcement group in the Veracode Community.

April 1, 2024

include_metrics parameter for getWorkspaces API set to FALSE by default

The default value for the include_metrics parameter has changed from TRUE to FALSE for the getWorkspaces API. When the parameter is FALSE, the API responds more quickly but provides data only for the following fields: id, name, projects_count, and site_id. If you set the parameter to TRUE, the API also provides data for the following fields: last_scan_date, library_issues_count, vulnerability_issues_count, and total_issues_count.

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 28, 2024

New SCA homepage (Beta)

A Beta version of the new SCA homepage is now available in the Veracode Platform. To access the new homepage, select Scans & Analysis > Software Composition Analysis. Then, turn on New SCA Home (Beta). This page is built on a new infrastructure that Veracode will use to provide unified results from SCA upload scans and SCA agent-based scans. To see all applications and workspaces that you scanned after March 27, 2024, select the Portfolio tab. To see all discovered components from scans you ran after March 27, 2024, select the Components tab.

March 27, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 21, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET and iOS projects.

March 15, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of Ruby and iOS projects.

March 5, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of iOS projects.

February 29, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET, Go, Java Gradle, and Scala SBT projects.

February 27, 2024

SCA agent enhancement

Veracode added enhancements to the agent that will be used in the future for scanning of .NET projects.

February 8, 2024

Vulnerable methods for Go

Veracode SCA agent-based scanning now supports detecting vulnerable methods in Go projects that use Go modules as the package manager.

Gradle scanning enhancement

Veracode SCA agent-based scanning now supports scanning Gradle projects without access to the plugin on maven.apache.org. See Run an agent-based scan for Gradle for more details.

New include_metrics parameter for getWorkspaces API

Veracode has added the include_metrics parameter to the getWorkspaces API. When the parameter is TRUE, there are no changes to the issue count and other metrics that the API includes in the payload. When the parameter is FALSE, the API responds more quickly but provides data only for the following fields: id, name, projects_count, and site_id.

Through March 31st, 2024, the default value for the include_metrics parameter is TRUE. On April 1st, the default will change to FALSE. If you have automation that relies on having issue counts and other metrics, Veracode recommends you adjust the parameter in your API call before April 1st.

January 23, 2024

Maven scanning enhancement

Veracode SCA agent-based scanning now supports scanning Maven projects without access to the plugin on maven.apache.org. See Run an agent-based scan for Maven for more details.

Fix for Python scans

Veracode fixed an issue that caused an error in SCA agent-based scans of Python projects when using a newer version of pipenv.

January 5, 2024

SCA API enhancements

Veracode has fixed an issue that caused the SCA Agent Issues APIs to exclude fixed issues from the payload when the vuln_methods parameter was set to true. This fix applies to scans performed after January 5th, 2024.

Additionally, the getProjectIssues endpoint now supports all of the same parameters as the getWorkspaceIssues endpoint.

January 4, 2024

Veracode Vulnerability Database now includes exploit information

The Veracode Vulnerability Database now includes data from both the Exploit Prediction Scoring System (EPSS) and the Cybersecurity & Infrastructure Security Agency Known Exploited Vulnerabilities (KEV) catalog. To access this data, you must sign in to the Veracode Platform. For more information, see Understanding SCA exploitability information.

December 19, 2023

SCA agent enhancement

The SCA agent can now scan target directories that contain spaces when SRCCLR_NO_GIT is set to 1.

December 18, 2023

APIs now include KEV data

Veracode has added data from the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog to the SCA Agent Issues APIs and the Findings API. See Understanding SCA exploitability information for more details.

December 11, 2023

Veracode has released the SCA App-Linking REST API. You can use this API to link a project for SCA agent-based scans to an application profile. The linked application profile receives all libraries, licenses, and discovered vulnerabilities from that project, along with all results from SCA Upload scans. To link a project, use the linkAppProject endpoint. To unlink a project, use the unlinkAppProject endpoint.

SCA agent enhancement

Veracode has fixed an issue that prevented the SCA agent from cleaning up local scan directories and added enhancements to the agent that will be used in the future for scanning Java projects.

December 4, 2023

SCA agent enhancement

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 21, 2023

SCA agent enhancement

Veracode has added several enhancements and fixes to the SCA agent.

November 14, 2023

SCA agent enhancement

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 6, 2023

API to propose and approve mitigations for SCA findings

Veracode has released the SCA Annotations REST API. This API includes the getSCAannotations endpoint to retrieve comments and mitigations applied to findings from SCA upload scans and the createSCAannotations endpoint to annotate SCA upload findings, including adding comments and proposing, accepting, and rejecting mitigations.

The SCA Annotations API specification is available on SwaggerHub.

This API is not part of the Annotations API, which works with findings from Static Analysis and Dynamic Analysis.

October 11, 2023

Exploit probability (EPSS) added to Findings API

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the Findings REST API. See Understanding SCA exploitability information for more details.

Fixed SCA agent error

Veracode has fixed an issue that caused a null pointer exception when performing an agent-based scan on some projects.

September 27, 2023

Correction of SCA Fix By dates in sandboxes

Veracode has fixed an issue impacting the calculation of Fix By dates in sandbox scans. Previously, SCA used the scan date or the scan promotion date as the date that a component was first found, causing the Fix By date to be pushed out continuously. This fix is not retroactive and only impacts scans completed after Sept 27, 2023.

September 22, 2023

Assign policies to SCA agent-based scan workspaces

The new Unified Policy feature allows you to assign policies to workspaces used for SCA agent-based scans. Like the existing agent rules, you can use policies to create issues and break your build based on certain criteria. See more details about applying rules to a policy, assigning policies to agent-based workspaces, and setting default policies.

Veracode will migrate customers from agent rules to Unified Policy in batches and will retire agent rules before April 1, 2024.

August 28, 2023

Agent-based scan UI now displays CVSS v3

Because the National Vulnerability Database stopped supporting CVSS v2 in July 2022 and most users have moved to v3, the Library and Vulnerability pages of SCA's agent-based scan user interface now display CVSS v3 scores, instead of v2. You must clear the cache in your web browser to see these changes.

To also display CVSS v3 on the workspace Issue pages and the project Issue tab, you must update your agent rules to use CVSS v3.

August 16, 2023

Enhancements to SCA agent dependency graph traversal

Veracode has improved the performance of the SCA agent by optimizing how it handles dependencies with very complicated and intertwined dependency graphs.

August 8, 2023

Exploit probability (EPSS) added to SCA Agent APIs

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the SCA Agent REST APIs. See Understanding SCA exploitability information for more details.

July 21, 2023

Enhancements to .NET scanning

Veracode has added the following enhancements to SCA scanning for .NET applications:

  • Reduced false positives and false negatives in SCA upload scans by adding support for deps.json and project.assets.json files.
  • Enhanced SCA agent scans by adding the ability to perform --quick scans on NuGet projects.

July 28, 2023

API to retrieve list of SCA agent projects linked to an application

Veracode has released the getApplicationProjects API to allow users to retrieve a list of SCA agent projects that are linked to a specific application. Users who have rights to call the getApplications API may also call the getApplicationProjects API.

July 11, 2023

Additional roles can call SBOM APIs

Veracode has expanded the list of roles that are allowed to call the CycloneDX Software Bill of Materials (SBOM) API and the SPDX SBOM API. See the SBOM API instructions for application profiles and agent-based projects for details.

June 28, 2023

SCA agent CLI now displays CVSS v3 severities

The Vulnerabilities section of the Summary Report that appears in your CLI after an SCA agent-based scan now displays CVSS v3 severities, instead of v2.

The Issues section still displays CVSS v2 severities by default, but you can edit the severity in your agent-based scanning rules to reflect v3. If you have not modified your rules to use CVSS v3, Veracode recommends setting up organization-level rules to avoid having to edit rules on every workspace individually.

June 20, 2023

Support for v3 format of NPM lockfiles

Veracode has added support for NPM lockfile format version 3. See Run an Agent-Based Scan for NPM or JavaScript and TypeScript Packaging for details.

May 15, 2023

Fixed agent error for Yarn scans

Veracode has fixed an issue causing SCA agent-based scans of Yarn projects to erroneously fail.

May 9, 2023

Upgraded JRE for SCA agent

Veracode has upgraded the Java Runtime Environment (JRE) for the SCA agent from version 11 to 17.

Added GNU Privacy Guard to SCA agent downloads

Veracode has added GNU Privacy Guard (GPG) signature files to all SCA agent downloads so that you can verify you are downloading a valid version.

May 3, 2023

Fixed scope parameter for NPM scans

Veracode has resolved an issue impacting the scope parameter for SCA agent-based scans of NPM projects.

April 14, 2023

SCA agent enhancements

Veracode has added the following enhancements to the SCA agent:

  • Support for Gradle version 8.
  • The default scope for scans of NPM projects is now production dependencies instead of all dependencies.

Temporarily ignore issues from agent-based scans

You can now specify a date for Veracode to stop ignoring issues from SCA agent-based scans.

April 6, 2023

Enhancements to Go scanning

Veracode has added the following enhancements to SCA scanning for Go projects:

  • Reduced false positives.
  • Reduced false negatives.
  • Increased scan speed.
  • Fixed an issue that removed component names when agent-based scan results were linked to an application.
  • Fixed an issue that caused indirect dependencies to appear in agent-based scan results as direct libraries instead of transitive libraries.

April 4, 2023

Enhanced SCA agent support for Java 17 features

Veracode SCA has improved agent-based scan support for projects that contain Java 17 features.

April 3, 2023

NVD severity ratings for SCA upload scans

Veracode Software Composition Analysis (SCA) upload scans now support displaying updated severity ratings that more closely match the National Vulnerability Database (NVD) severity ratings. To enable this feature for your account, contact Veracode Technical Support.

March 16, 2023

New mitigation type available for SCA upload scans

You can now choose to accept the risk of specific vulnerabilities and licenses as part of your mitigation process for Veracode SCA upload scans. This mitigation type is already available for Veracode Static Analysis and Dynamic Analysis.

February 3, 2023

Region flag for agent-based scans

Veracode SCA agent-based scans now provide a region flag that you can use to configure accounts in the European Region and United States Federal Region.

February 2, 2023

JRE upgrade for SCA agent

Veracode has upgraded the Java Runtime Environment (JRE) that is bundled with the Software Composition Analysis (SCA) agent.

January 13, 2023

Improved SCA support for Python 3

Veracode Software Composition Analysis (SCA) agent-based scans now more effectively locate local Python 3 installations.

December 21, 2022

Generate SBOM in SPDX format

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) in SPDX JSON format from the results of your Veracode SCA upload scans.

December 14, 2022

SCA support for Android

Veracode Software Composition Analysis (SCA) now supports scanning Android projects. This support includes AAR files for agent-based scans and APK and AAB files for upload scans.

September 15, 2022

SCA support for Go aliases

Veracode Software Composition Analysis (SCA) now supports aliases in Go projects. This support includes agent-based and upload scans.

Vulnerable method support for Java 17

Veracode SCA agent-based scanning now supports vulnerable method analysis for Java 17.

August 22, 2022

Set SCM URI as project name

You can now set the source code management (SCM) URI as your project name using the --uri-as-name option in your Veracode SCA agent-based scans.

July 22, 2022

SBOM API support for SCA agent-based scans linked to application profiles

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans that you have linked to an application profile. The API generates an SBOM in CycloneDX JSON format.

June 6, 2022

Generate SBOMs for SCA agent-based scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans. The API generates an SBOM in CycloneDX JSON format.

May 9, 2022

SBOM API support for promoted sandbox scans

You can now generate a software bill of materials (SBOM) for Veracode SCA upload scans that have been promoted from sandbox to policy scans. The Veracode SCA Agent REST API includes promoted sandbox scan results when it returns a CycloneDX SBOM for an application.

SCA upload and scan table update

Veracode has removed the Number of Known Vulnerabilities by Severity column from the Applications table on the Upload and Scan page in the Veracode Platform. This update significantly reduces load times for the page. You can still view the number of known vulnerabilities by severity for each application in the application profile.

April 26, 2022

Generate SBOMs for SCA upload scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA upload scans. The API generates an SBOM in CycloneDX JSON format.

January 20, 2022

JSON output for agent-based scans includes CVSS v3 score

Veracode Software Composition Analysis (SCA) now provides the CVSS version 3 score in the JSON CLI output of your agent-based scan results. To use this feature, you must upgrade your Veracode SCA agent to version 3.7.77 or later.

October 20, 2021

Veracode European Region now available

The Veracode European Region is now available for new customers. This region, which initially supports Veracode Static Analysis and Veracode Software Composition Analysis, provides European data residency for Veracode customers.