Skip to main content

Static Analysis updates - Commercial

· 17 min read

The updates on this page apply to Veracode Static Application Security Testing (SAST) in the Commercial Region.

note

Veracode delivers the same Static Analysis language and framework support in both the European Region and the Commercial Region. For language support specific to Veracode Pipeline Scan, see Pipeline Scan Supported Languages.

March 28, 2024

Updated language and framework support

.NET

  • Improved CWE-1174 flaw detection resulting in a reduction in false positives

Android

  • Enhanced Android 14 support

Apex

  • Improved CWE-80 flaw detection resulting in a reduction in false positives

C/C++

  • Improved CWE-190 flaw detection resulting in a reduction in false positives
  • CentOS/RHEL 9 (x64) support

COBOL

  • Improved parsing for COBOL

Go

  • Go 1.22 support

Java

  • Improved CWE-259 flaw detection for Java
  • Improved processing of shaded JAR files

JavaScript

  • Improved processing of large JS files

Kotlin

  • Improved source file name parsing for Kotlin results

PL/SQL

  • Improved scan times for PL/SQL

Python

  • Improved CWE-80 handling for Python resulting in a reduction in false positives

React Native

  • Improved React Native handling of IPA files

T-SQL

  • Improved CWE-89 detection for T-SQL resulting in a reduction in false positives

March 12, 2024

Updated Pipeline Scan language support

Pipeline Scan now supports Ruby on Rails.

February 22, 2024

Updated language and framework support

.NET

  • Enhanced .NET 8 support
  • Improved support for CultureInfo.InvariantCulture
  • Improved CWE-78 flaw detection
  • Improved CWE-117 flaw detection resulting in a reduction in false positives

C/C++

  • Improved CWE-121 flaw detection resulting in a reduction in false positives
  • Improved CWE-125, 129, 134, 170, 190, 191, 195, and 196 flaw detection
  • Improved CWE-477 flaw detection

COBOL

  • Improved flaw analysis for CWE-78, 89, 114, 201, 209, 242, 248, 252, 489, and 798
  • Improved parsing for COBOL
  • Improved scan performance for COBOL
  • Improved scan size calculations

Java

  • Improved CWE-80 fix detection with modern Spring Framework versions
  • Improved generic modeling and modeling of Spring Framework applications, which impacts all CWEs
  • Improved CWE-916 detection
  • Improved Java third-party detection

JavaScript and TypeScript

  • Improved analysis for numeric and boolean datatypes, which impacts all CWEs
  • Improved type detection to prevent false positives for CWE-601 and all other CWEs
  • Detect and ignore webpack-generated files that are concatenated or minified
  • Improved support for fs/promises, which impacts all CWEs

Other languages

  • Improved CWE-259 and 798 flaw detection resulting in a reduction in false positives for all languages
  • Improved analysis of conditionals for all languages
  • Improved CWE-89 flaw detection for Classic ASP
  • Improve support for error_log, which impacts CWE-73, 88, 93 and 117 for PHP

January 25, 2024

Updated language and framework support

.NET

  • Improved third-party detection
  • Enhanced .NET 8 support
  • Improved CWE-80, 89, 404, 501, and 1174 detection

Java

  • Improved flaw detection
  • Improved third-party detection
  • Improved CWE-117, 327, and 749 detection
  • Added ‘jsi’ filetype support

C/C++

  • Improved flaw detection
  • Added openSUSE (x86) version 12 support
  • Improved CWE-121 and 190 detection

Dart

  • Improved flaw detection
  • Improved third-party detection
  • Improved CWE-331 detection

Other languages

  • Improved Android third-party detection
  • Improved JavaScript flaw detection
  • Updated JavaScript third-party detection
  • Improved CWE-99 and 918 detection for Python
  • Improved CWE-259, 798 detection for PHP
  • Improved CWE-252, 259, 311, 522, 614, and 798 detection in iOS
  • Improved CWE-321 detection for all languages
  • Added CWE-639 support for COBOL

January 18, 2024

The Veracode CLI now supports auto-packaging for Veracode Static Analysis

The Veracode CLI now supports Static Analysis auto-packaging for Java, JavaScript, and Python. The package command removes manual packaging steps to streamline your application security tests.

December 27, 2023

New COBOL scanner for Static Analysis

The new COBOL scanner for Veracode Static Analysis includes advanced pattern recognition and static analysis techniques, allowing for more accurate and efficient detection of security vulnerabilities in COBOL code.

The improved detection may result in the identification of additional vulnerabilities and potential threats. The updates may also impact flaw matching for your applications. If you need help resolving these changes, contact Veracode Technical Support.

All COBOL scans now use the upgraded scanner.

More details are available in the Veracode Community.

December 14, 2023

Updated language and framework support

  • Added .NET 8 initial support
  • Added JavaScript / ECMAScript 2023 (ES14) support
  • Added Config support from AWS SDK for Go
  • Enhanced Android 13 support
  • Enhanced Node.js v20 support
  • Added Dart 3.2 and Flutter 3.16 support
  • Improved CWE-327 (Use of Broken or Risky Cryptographic Algorithm) and CWE-352 (Cross-Site Request Forgery (CSRF)) detection for Ruby on Rails
  • Improved CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) detection for .NET
  • Improved CWE-352 (Unchecked Return Value) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) detection for .NET
  • Improved accuracy of modeling Python method calls resulting in a reduction in false positives
  • Improved CWE-926 (Improper Export of Android Application Components) detection for Android
  • Improved CWE-321 (Use of Hard-coded Cryptographic Key) detection for all languages
  • Improved CWE-331 (Insufficient Entropy) detection for Java
  • Improved CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')) detection for PHP
  • Improved parsing for PL/SQL
  • Improved Python jsonify cleanser support for flaw class CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
  • Improved support for JavaScript crypto APIs
  • Improved iOS detection of CWE-252 (Unchecked Return Value)
  • Improved support for JavaScript Axios library
  • Improved .NET third-party detection
  • Improved mixed-Java/Kotlin analysis
  • Improved Java third-party detection
  • Improved Android version detection
  • Improved CWE-326 (Inadequate Encryption Strength) accuracy in .NET
  • Improved accuracy for CWE-259 (Use of Hard-coded Password)and CWE-798 (Use of Hard-coded Credentials)
  • Added detection of CWE-489 (Active Debug Code) in Go
  • Improved analysis of JavaScript listeners

November 15, 2023

Updated language and framework support

  • Added Javax to Jakarta transition support
  • Added support for Java Records
  • Added Spring Boot 3 support
  • Added Spring Security 6 support
  • Added Spring Core 6 support
  • Added Android 14 Initial support
  • Added KMS support for AWS SDK for Go
  • Improved flaw detection for Dart apps
  • Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) detection for all languages
  • Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation), CWE-352 (Cross-Site Request Forgery), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) detection for .NET
  • Improved third-party detection for Android, C/C++, Dart, and JavaScript
  • Improved CWE-73 (External Control of File Name or Path) detection for Java
  • Improved third-party detection in Java WAR files
  • Improved CWE-252 (Unchecked Return Value), CWE-201(Insertion of Sensitive Information Into Sent Data), and CWE-297 (Improper Validation of Certificate with Host Mismatch) detection for iOS
  • No longer report MemoryStream for CWE-404 in .NET
  • Improved detection for unsupported mobile applications

October 26, 2023

Updated language and framework support

  • Added Dart 3.1 and Flutter 3.13 support
  • Added JDK 21 (LTS) support
  • Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) detection for Kotlin
  • Improved .NET analysis to ignore .NET ClickOnce “.deploy” files
  • Improved third-party detection for Java, JavaScript, PHP, iOS, PL/SQL and C++
  • Improved parsing for PL/SQL
  • Improved CWE-798 (Use of Hard-coded Credentials) detection for PHP
  • Enhanced Python analysis to treat modules consisting of all third-party code as first-party modules
  • Improved Groovy analysis of objects
  • Improved CWE-252 (Unchecked Return Value) detection for iOS
  • Improved JavaScript analysis of objects
  • Improved analysis of iOS apps to reduce CWE-284 (Improper Access Control) false positives
  • Improved CWE-693 (Protection Mechanism Failure), CWE-926 (Improper Export of Android Application Components), CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-798 (Use of Hard-coded Credentials) detection for Android

October 2, 2023

Updated language and framework support

  • Added iOS 17 initial support
  • Added Go 1.21 support
  • Added PHP Laravel 10 support
  • Added .NET Minimal API support
  • Enhanced .NET 7 support
  • Enhanced Groovy 3 support
  • Enhanced AWS SDK for Go support
  • Enhanced Android 13 support
  • Improved third-party detection for JavaScript
  • Improved CWE-80 detection for Vue.js
  • Improved CWE-259 detection for all languages
  • Improved CWE-89 detection for Transact-SQL
  • Improved third-party detection for C++
  • Improved symmetric-key parsing rules for Transact-SQL
  • Improved attribute idiomatic transformation support for Jakarta
  • Improved CWE-693 detection for Android
  • Improved scan performance for Micronaut framework
  • Improved Node.js modeling to reduce false positives
  • Improved handling of explicitly typed generic function calls in Go
  • Improved data path quality for JavaScript
  • Improved reporting of CWE-352 and CWE-915 in .NET to consolidate flaws reported on the same line and file as separate flaws into one flaw
  • Added CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) detection for .NET applications

Deprecated support for some .NET cleansing functions

Veracode has deprecated support of .NET cleansers for the following functions for flaw classes CWE-93, CWE-113, and CWE-117:

  • antixsslibrary.dll : Microsoft.Security.Application.AntiXss.HtmlAttributeEncode
  • antixsslibrary.dll : Microsoft.Security.Application.AntiXssEncoder.HtmlAttributeEncode
  • antixsslibrary.dll : Microsoft.Security.Application.Encoder.HtmlAttributeEncode
  • antixsslibrary.dll : Microsoft.Security.Application.Encoder.HtmlEncode
  • mscorlib.dll : System.Security.SecurityElement.Escape
  • system.dll : System.Net.WebUtility.HtmlEncode
  • system.web.dll : System.Web.HttpServerUtility.HtmlEncode
  • system.web.dll : System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode
  • system.web.dll : System.Web.Util.HttpEncoder.HtmlAttributeEncode
  • system.web.dll : System.Web.Util.HttpEncoder.HtmlEncode
  • system.web.mvc.dll : System.Web.Mvc.HtmlHelper.AttributeEncode
  • system.web.mvc.dll : System.Web.Mvc.HtmlHelper.Encode
  • system.windows.browser.dll : System.Windows.Browser.HttpUtility.HtmlEncode
  • system.windows.dll : System.Net.HttpUtility.HtmlEncode
  • System.Runtime.dll : System.Net.WebUtility.HtmlEncode

These cleansing functions are insufficient for addressing their targeted flaw classes and better alternatives are available.

For more details on why Veracode deprecated support for these functions and how to protect your applications against CRLF injection attacks, see the Veracode Community.

September 11, 2023

Fixed bug causing false positives for CWE-798

In last month’s release, Veracode added improved support for CWE-798 (Use of Hard-coded Credentials) detection. However, a bug in the pattern matching caused a significant number of false positives for some users. Veracode has resolved this issue and the improvement should result in significantly fewer CWE-798 false positives.

August 23, 2023

Updated language and framework support

  • Added Kotlin 1.9 support
  • Added TypeScript 5.x support
  • Added GCC 12 (RHEL 8) support
  • Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation) detection on controller-derived classes
  • Improved support for JavaScript URLSearchParams API
  • Improved support for Spring produces annotation attribute
  • Improved third-party detection for JavaScript
  • Improved third-party detection for Android
  • Improved third-party detection for Java
  • Improved hardcoded password/credential detection (CWE-259 and 798)
  • Improved .NET CWE-80 basic XSS detection
  • Improved JavaScript detection of document elements
  • Improved performance for Vue applications
  • Improved .NET Entity Framework support
  • Added ability to allow third-party PHP software if the entire upload is third-party
  • Improved detection of Java CWE-611 XXE
  • Improved support for Python Django views

July 25, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has added support for Quarkus, a Kubernetes-native Java stack tailored for OpenJDK HotSpot and GraalVM.

Veracode has improved static analysis by adding support for these new versions of supported technologies:

Improved Detection of CWE-259 and CWE-798

Improvements to the detection methods Veracode uses to identify CWE-259 (Use of Hard-coded Password), and CWE-798 (Use of Hard-coded Credentials) vulnerabilities should reduce the number of false positives during static analysis. Improved CWE-259 coverage for Python language submissions.

June 22, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has added support for Micronaut 3.8.x, which is a JVM-based framework you use to build lightweight, modular applications.

Veracode has improved static analysis by enhancing support for Android 12.

Veracode has improved static analysis by adding support for these new versions of supported technologies:

Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) Detection

Improvements to the detection methods utilized to identify CWE-259 and CWE-798 vulnerabilities should reduce the number of false positives found during static analysis.

Additional CWE-693 Coverage for Android

Veracode has added an additional CWE-693 (Protection Mechanism Failure) check for Android applications to ensure that the Play Integrity API is used appropriately.

May 23, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Improved CWE-89 Coverage for Java and JavaScript/TypeScript

The improved coverage increases the number of potential CWE-89 flaws that Veracode discovers in Java and JavaScript/TypeScript applications, which might affect your scan results.

Added CWE-451 Coverage for Android

Veracode has added CWE-451 (Tapjacking) coverage for Android applications.

May 18, 2023

Pipeline Scan Adds Support for Module Selection

Pipeline Scan adds a new --include parameter. You use this parameter to specify the top-level modules to include during scanning. The scan results now show both the modules that Veracode identified during prescan and the modules included in the scan.

This update is available with Veracode CLI version 23.4.3-0 and Veracode Docker image version 23.4.3.

April 27, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Improved Static Analysis for Python Language Submissions

Static analysis of Python applications inaccurately reports certain CWE-918 (Server-Side Request Forgery (SSRF)) flaws as CWE-201 (Insertion of Sensitive Information Into Sent Data) flaws. This update recategorizes these incorrectly reported flaws as CWE-918. This update might impact existing flaw matching and you might need to apply new mitigations to these flaws.

After you apply this update, any Python applications that contain CWE-201 flaws and have any of the following policy requirements might fail your security policy:

  • Security Standard rule for Auto-Update CWE Top 25

  • Findings by Severity rule for Medium or higher

  • Minimum Scan Score rule

March 23, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Improved Static Analysis for WebMethodAttribute use in ASP.NET Classic

Veracode has improved static analysis for WebMethodAttribute use in ASP.NET Classic (non MVC and/or MVC Core) WebForms and WebServices. This will affect the flaws found and associated policy results for customers by reducing the number of FPs found.

February 23, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Improved COBOL Parser Error Handling

Veracode no longer reports parser errors in standalone copybook files that COBOL files do not include. These files are not relevant for security scanning unless COBOL files reference them.

January 26, 2023

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Veracode has improved static analysis by adding support for:

  • Server-side request forgery (SSRF) reporting for JavaScript

Veracode has released a new version of our new iOS packaging tool:

  • Gen IR version 0.2.1: gen-ir

December 15, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these new versions of supported technologies:

Veracode improved static analysis by adding support for these new languages and frameworks:

Veracode has improved static analysis by adding a new iOS packaging tool to support Xcode 14 without the Enable_Bitcode setting:

November 17, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these languages and frameworks:

October 27, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these languages and frameworks:

October 19, 2022

New Packaging Guidance Tool

You can use the new Veracode Packaging Cheat Sheet to generate language-specific packaging guidance for Static Analysis.

October 4, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode improved static analysis by adding support for these languages and frameworks:

August 25, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

August 1, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

June 24, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

April 28, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

March 28, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

February 24, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

Veracode has improved static analysis by adding support for these new versions:

February 3, 2022

New Veracode Static Analysis Support for Languages and Frameworks

Veracode has improved static analysis by adding:

Veracode has improved static analysis by adding support for these new versions:

Veracode Static Analysis Improvements

Veracode has improved accuracy of hard-coded Passwords. You can expect:

  • Fewer false positives where local files are in known valid locations
  • Better identification of sensitive variable names

Veracode has improved modeling for TypeScript support. You can expect:

  • Fewer false positives, and more true positives in TypeScript applications where type information is specified.