The updates on this page apply to Veracode Static Application Security Testing (SAST) in the Commercial Region.
Veracode delivers the same Static Analysis language and framework support in both the European Region and the Commercial Region. For language support specific to Veracode Pipeline Scan, see Pipeline Scan Supported Languages.
September 11, 2023
Fixed bug causing false positives for CWE-798
In last month’s release, Veracode added improved support for CWE-798 (Use of Hard-coded Credentials) detection. However, a bug in the pattern matching caused a significant number of false positives for some users. Veracode has resolved this issue and the improvement should result in significantly fewer CWE-798 false positives.
August 23, 2023
Updated language and framework support
- Added Kotlin 1.9 support
- Added TypeScript 5.x support
- Added GCC 12 (RHEL 8) support
- Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation) detection on controller-derived classes
- Improved support for JavaScript URLSearchParams API
- Improved support for Spring produces annotation attribute
- Improved third-party detection for JavaScript
- Improved third-party detection for Android
- Improved third-party detection for Java
- Improved hardcoded password/credential detection (CWE-259 and 798)
- Improved .NET CWE-80 basic XSS detection
- Improved JavaScript detection of document elements
- Improved performance for Vue applications
- Improved .NET Entity Framework support
- Added ability to allow third-party PHP software if the entire upload is third-party
- Improved detection of Java CWE-611 XXE
- Improved support for Python Django views
July 25, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has added support for Quarkus, a Kubernetes-native Java stack tailored for OpenJDK HotSpot and GraalVM.
Veracode has improved static analysis by adding support for these new versions of supported technologies:
Improved Detection of CWE-259 and CWE-798
Improvements to the detection methods Veracode uses to identify CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) vulnerabilities should reduce the number of false positives during static analysis. This release also improves CWE-259 coverage for Python language submissions.
June 22, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has added support for Micronaut 3.8.x, which is a JVM-based framework you use to build lightweight, modular applications.
Veracode has improved static analysis by enhancing support for Android 12.
Veracode has improved static analysis by adding support for these new versions of supported technologies:
Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) Detection
Improvements to the detection methods utilized to identify CWE-259 and CWE-798 vulnerabilities should reduce the number of false positives found during static analysis.
Additional CWE-693 Coverage for Android
Veracode has added an additional CWE-693 (Protection Mechanism Failure) check for Android applications to ensure that the Play Integrity API is used appropriately.
May 23, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
Improved CWE-89 Coverage for Java and JavaScript/TypeScript
The improved coverage increases the number of potential CWE-89 flaws that Veracode discovers in Java and JavaScript/TypeScript applications, which might affect your scan results.
Added CWE-451 Coverage for Android
Veracode has added CWE-451 (Tapjacking) coverage for Android applications.
May 18, 2023
Pipeline Scan Adds Support for Module Selection
Pipeline Scan adds a new --include parameter. You use this parameter to specify the top-level modules to include during scanning. The scan results now show both the modules that Veracode identified during prescan and the modules included in the scan.
This update is available with Veracode CLI version 23.4.3-0 and Veracode Docker image version 23.4.3.
April 27, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
- Support for JDK 20
- Enhanced support for .NET 7
- Enhanced support for Python SQLAlchemy
- Enhanced support for React Native 0.7x
- Support for AWS SDK for Go v2
Improved Static Analysis for Python Language Submissions
Static analysis of Python applications inaccurately reports certain CWE-918 (Server-Side Request Forgery (SSRF)) flaws as CWE-201 (Insertion of Sensitive Information Into Sent Data) flaws. This update recategorizes these incorrectly reported flaws as CWE-918. This update might impact existing flaw matching and you might need to apply new mitigations to these flaws.
After you apply this update, any Python applications that contain CWE-201 flaws and have any of the following policy requirements might fail your security policy:
- Security Standard rule for Auto-Update CWE Top 25
- Findings by Severity rule for Medium or higher
- Minimum Scan Score rule
March 23, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
- Support for Vue 3.x
- Support for React Native 0.7x
- Enhanced support for Python Flask 2.x
Improved Static Analysis for WebMethodAttribute use in ASP.NET Classic
Veracode has improved static analysis for WebMethodAttribute use in ASP.NET Classic (non MVC and/or MVC Core) WebForms and WebServices. This will affect the flaws found and associated policy results for customers by reducing the number of false positives found.
February 23, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
- Support for Go 1.20
- Support for Angular 14 & 15
- Support for React 18
- Support for Dart 2.17, 2.18, 2.19 and Flutter 3.0, 3.3, 3.7
Improved COBOL Parser Error Handling
Veracode no longer reports parser errors in standalone copybook files that COBOL files do not include. These files are not relevant for security scanning unless COBOL files reference them.
January 26, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
- Initial Support for .NET 7
Veracode has improved static analysis by adding support for:
- Server-side request forgery (SSRF) reporting for JavaScript
Veracode has released a new version of our new iOS packaging tool:
- Gen IR version 0.2.1: gen-ir
December 15, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
- Support for Node.js 18
- Support for PHP Laravel 6-9
- Initial Support for Kotlin 1.7
- Initial Support for Android 13
- Support for Python Flask 2.x
- Support for Go 1.18-1.19
- Support for React Native 0.67
Veracode improved static analysis by adding support for these new languages and frameworks:
- Support for Dart and Flutter
- Support for .NET MAUI
Veracode has improved static analysis by adding a new iOS packaging tool to support Xcode 14 without the Enable_Bitcode setting:
- New iOS packaging tool: gen-ir
- Updated documentation: iOS and tvOS Application Packaging
November 17, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these languages and frameworks:
- Support for JDK 19
- Support for Azure Functions v4 for .NET
October 27, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these languages and frameworks:
- Support for Visual C++ 14.3.x for Visual Studio 2022
- Support for Azure Functions for Python
October 19, 2022
New Packaging Guidance Tool
You can use the new Veracode Packaging Cheat Sheet to generate language-specific packaging guidance for Static Analysis.
October 4, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these languages and frameworks:
- Support for JDK 18
- Full support for .NET 6
- Initial support for iOS 16
- Enhanced support for Golang Gorilla
- Enhanced support for React and React Router
August 25, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Full support for PHP Symfony 5.x
- Initial support for PHP Symfony 6.x
- Support for PL/SQL for Oracle 19c and 21c
August 1, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Initial support for Rails 7.0 and Ruby 3.x
- Full support for iOS 15
- Initial support for PHP Symfony
June 24, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Initial support of Ruby on Rails 6.1
April 28, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Initial support of PHP 8 and 8.1
- Support of Python Flask 1.1
March 28, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Support for Django 3.x
- Support for Android Jetpack
- Support for Go Gin-Gonic
- Support of Azure DevOps functions for JavaScript and TypeScript
February 24, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Full support of Xamarin platform versions and Xamarin.Essentials namespace
- Initial support of Azure Functions for Java
Veracode has improved static analysis by adding support for these new versions:
- Full support of Go 1.17
- Initial support of Angular 13
- Initial support of GCC 11
- Initial support of PHP 7.4
February 3, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Full support of Android 11
Veracode has improved static analysis by adding support for these new versions:
- Initial support of Kotlin 1.5
- Initial support of Kotlin 1.6
Veracode Static Analysis Improvements
Veracode has improved the accuracy of hard-coded password detection. You can expect:
- Fewer false positives where local files are in known valid locations
- Better identification of sensitive variable names
Veracode has improved modeling for TypeScript support. You can expect:
- Fewer false positives, and more true positives in TypeScript applications where type information is specified.