Scan open source
Veracode Software Composition Analysis (SCA) helps you build an inventory of your third-party components to identify malicious libraries and vulnerabilities in your open-source libraries and commercial code. SCA scans compile a list of libraries in an application, then identify known vulnerabilities and malicious packages in each library. SCA determines the list of libraries, vulnerabilities, and malicious packages at the time of the scan. However, you can receive notifications about newly announced vulnerabilities and malicious packages that impact your applications without requiring a new scan.
With Veracode SCA integrated with your development tools and workflows, and by using our one-on-one remediation advice, your development teams can develop secure applications and assess the security of web, mobile, desktop, and back-end applications.
Open source scanning methods
Veracode SCA supports two methods of scanning that you can run at different points in the development lifecycle: agent-based scans and scans of uploaded applications. The scan results highlight vulnerabilities and malicious libraries included in your code, and help you take necessary actions to eliminate threats from your applications.
SCA Agent-based Scan
Use SCA Agent-based Scan to scan open source components in local or remote repositories using the Veracode Platform. You can scan repositories or locally cloned projects from a command line, integrate SCA Agent-based Scan into your continuous integration (CI) pipelines and source code management (SCM) repos, and import findings into ticketing systems.
You can extract information about your SCA workspaces using the SCA REST API.
To set up an SCA agent and run a scan using the SCA CLI, see the quickstart.
See the supported languages.
Scan early and frequently in development pipelines
Agent-based scans execute from a command line, and you can incorporate them in any continuous integration pipeline to prevent developers from introducing new vulnerabilities. Depending on the CI tool, they can execute in parallel with other security testing methods for faster throughput.
Prioritize and fix findings
Some functionality for prioritizing and fixing findings is only available through agent-based scans. These features include vulnerable method detection, automated pull requests for upgrading libraries, and dependency graphs with transitive libraries and vulnerabilities.
Docker container scanning
You can use SCA Agent-based Scan to scan Docker containers or images. We recommend scanning your repositories before including them in a Docker image so that fixes to the underlying code are prioritized first.
SCA Upload and Scan
Use SCA Upload and Scan to upload a packaged artifact of your application code to the Veracode Platform for SCA scanning. If you have previously used Upload and Scan to perform a Static Analysis of an application, the SCA results for that application are available immediately after you activate your SCA license.
See the supported languages.
Get an overview of your open-source risk
You can upload and scan the artifact of your application, and review the scan results from both the Static Analysis and SCA scans, in the Veracode Platform user interface or by using the Veracode XML APIs. After you upload the artifact, the Veracode Platform scans your open-source components during prescan verification, and the scan results are available after prescan completes.
Assess compliance prior to release
Run policy scans to assess the scan results against security policies and use development sandboxes to scan during testing, outside production environments.
As you prepare to release an application, performing an SCA Upload and Scan allows you to use the robust mitigation, policy evaluation, analytics, and reporting features available in the Veracode Platform.
Supported languages
Veracode Software Composition Analysis (SCA) features are available for several programming languages, which all have specific requirements for performing scans.
See the detailed list of supported tools and languages for SCA Agent-based Scan or SCA Upload and Scan.
C/C++
To assess the security risk of open-source components in your C or C++ code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline.
C#/.NET
To assess the security risk of open-source components in your .NET code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline.
To analyze the open-source risk of your compiled .NET application as part of a Veracode Static Analysis, upload your application binaries to the Veracode Platform. Your application must meet the .NET packaging requirements.
Go
To assess the security risk of open-source components in your Go code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Go repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Go application as part of a Veracode Static Analysis, use SCA Upload and Scan. Your application must meet the Go packaging requirements.
Java
To assess the security risk of open-source components in your Java code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Plugins are available to automate scanning of Gradle or Maven repositories for Java applications. Sample Java repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Java application as part of a Veracode Static Analysis, use SCA Upload and Scan. Your application must meet the Java packaging requirements.
JavaScript
To assess the security risk of open-source components in your JavaScript code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample JavaScript repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled JavaScript application as part of a Veracode Static Analysis, use SCA Upload and Scan. Your application must meet the JavaScript packaging requirements.
PHP
To assess the security risk of open-source components in your PHP code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline.
To analyze the open-source risk of your compiled PHP application as part of a Veracode Static Analysis, use SCA Upload and Scan. Your application must meet the PHP packaging requirements.
Kotlin
To assess the security risk of open-source components in your Kotlin code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Plugins are available to automate scanning of Gradle or Maven repositories for Kotlin applications. Sample Kotlin repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Kotlin application as part of a Veracode Static Analysis, use SCA Upload and Scan. Your application must meet the Kotlin packaging requirements.
Objective-C
To assess the security risk of open-source components in your Objective-C code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Objective-C repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Objective-C application as part of a Veracode Static Analysis, use SCA Upload and Scan. Your application must meet the Objective-C packaging requirements.
Python
To assess the security risk of open-source components in your Python code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Python repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Python application as part of a Veracode Static Analysis, use SCA Upload and Scan. Your application must meet the Python packaging requirements.
Ruby
To assess the security risk of open-source components in your Ruby code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Ruby repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Ruby application as part of a Veracode Static Analysis, use SCA Upload and Scan. Your application must meet the Ruby packaging requirements.
Scala
To assess the security risk of open-source components in your Scala code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Scala repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Scala application as part of a Veracode Static Analysis, use SCA Upload and Scan. Your application must meet the Scala packaging requirements.
Swift
To assess the security risk of open-source components in your Swift code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Swift repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Swift application as part of a Veracode Static Analysis, use SCA Upload and Scan. Your application must meet the Swift packaging requirements.
SCA user roles
This table lists the roles you must have in the Veracode Platform to complete specific actions in Veracode Software Composition Analysis.
| Action | Mitigation Approver | Security Lead | Executive | Creator | Reviewer | Submitter | Workspace Administrator | Workspace Editor |
|---|---|---|---|---|---|---|---|---|
| View the SCA Portfolio Page | X | X | X | X | X | X | X | |
| Create and Delete Applications | X | X | ||||||
| Edit Applications | X | X | ||||||
| Add Teams to Applications | X | X | ||||||
| View All Applications | X | X | ||||||
| View Specific Applications | X | X | X | X | ||||
| Request SCA (Static) Scans | X | X | ||||||
| Propose Mitigations | X | X | ||||||
| Approve Mitigations | X | |||||||
| View the Workspace Portfolio Page | X | X | X | X | X | X | ||
| Create Workspaces | X | X | ||||||
| Delete Workspaces | X | X | X | |||||
| Edit Workspaces | X | X | X | |||||
| Add Teams to Workspaces | X | X | X | |||||
| View All Workspaces | X | X | ||||||
| View Specific Workspaces | X | X | X | X | X | |||
| Manage Projects | X | X | X | |||||
| Link Projects to Applications | X | X | X | |||||
| Manage Agent-Based Scan Rules | X | X | X | |||||
| Manage Integrations | X | |||||||
| Manage Agents | X | X | X | X | ||||
| Ignore and Unignore Issues | X | | | | | | | |
About the Veracode Vulnerability Database
The Veracode Vulnerability Database contains all the public CVEs and exclusive vulnerability content that is not available elsewhere. The majority of vulnerabilities in the database are exclusive to Veracode, not CVEs. Veracode's security researchers routinely discover new vulnerabilities in open-source libraries.
You can use the database as a tool to determine if a library is safe prior to adding it to your code. You can also use it to learn important details about a library, such as the license in use and insight into specific vulnerabilities.
The Veracode Vulnerability Database catalogs all the open-source libraries along with their associated vulnerabilities from the following resources.
- Maven Central
- PyPI
- RubyGems
- npm
- CocoaPods
- Bower
- Packagist
- GitHub (Go)
- NuGet
- Google Maven
- Spring Maven
- Cloudera Maven
Searching the vulnerability database
You can search the vulnerability database at any time. When viewing a vulnerability in the Veracode Platform, you can select it to learn more about it in the database.
You can also search the vulnerability database to determine if a library is malicious. This helps you take proactive measures to avoid integrating harmful libraries into your projects.
You can use the following keywords to filter your search results in the Veracode Vulnerability Database:
| Keyword | Usage | Possible Values | Example |
|---|---|---|---|
| type | Restricts results to either libraries or vulnerabilities | library, vulnerability | type: library |
| language | Restricts results to the specified language | java, ruby, python, objectivec, go, php | language: go |
| released | Filters results to the latest library versions or vulnerabilities released since the specified date | yyyy-mm-dd | released: 2017-05-25 |
| source | Restricts results to libraries catalogued from the specified source | maven, pypi, gem, npm, bower, cocoapods, packagist | source: bower |
| license | Restricts results to libraries with the specified license | apache, mit, bsd, gpl | license: gpl |
| severity | Restricts results to vulnerabilities with a severity within the specified range. Requires type: vulnerability. | Two numbers from 0.0 to 10 separated by two periods | severity: 1.2..9.9 |
| vulnerable | Restricts results to libraries with vulnerabilities associated with them | true | vulnerable: true |
| vulnerable_method | Restricts results to vulnerabilities with vulnerable methods associated with them | true | vulnerable_method: true |
| enhanced | Restricts results to vulnerabilities with full write-up details | true | enhanced: true |
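As an added example (not Veracode's own code), the following Python validates a search string built from the keywords in the table above before it is submitted, so that a malformed severity range or an unsupported value is caught locally. The keyword and value sets come from the table; the assumption that a query is free text mixed with `keyword: value` pairs is the example's own.

```python
import re
from datetime import date

# Keyword/value sets from the filter table above. "released" and "severity"
# take free-form values and are validated separately.
ALLOWED = {
    "type": {"library", "vulnerability"},
    "language": {"java", "ruby", "python", "objectivec", "go", "php"},
    "source": {"maven", "pypi", "gem", "npm", "bower", "cocoapods", "packagist"},
    "license": {"apache", "mit", "bsd", "gpl"},
    "vulnerable": {"true"},
    "vulnerable_method": {"true"},
    "enhanced": {"true"},
}
# Assumed query shape: free text mixed with "keyword: value" pairs.
KEYWORD_RE = re.compile(r"\b([a-z_]+):\s*(\S+)")

def parse_severity(value):
    """'1.2..9.9' -> (1.2, 9.9); both bounds must lie within 0.0..10."""
    low, sep, high = value.partition("..")
    if not sep:
        raise ValueError(f"severity must be two numbers separated by '..', got {value!r}")
    lo, hi = float(low), float(high)
    if not (0.0 <= lo <= hi <= 10.0):
        raise ValueError(f"severity range {value!r} is outside 0.0..10")
    return lo, hi

def parse_query(query):
    """Split a search string into validated filters and the remaining free text.
    Raises ValueError for an unknown keyword, an unsupported value, or a
    severity: filter used without type: vulnerability (see the table)."""
    filters = {}
    for key, value in KEYWORD_RE.findall(query):
        if key in ALLOWED:
            if value not in ALLOWED[key]:
                raise ValueError(f"{key}: unsupported value {value!r}")
            filters[key] = value
        elif key == "released":
            filters[key] = date.fromisoformat(value)   # yyyy-mm-dd
        elif key == "severity":
            filters[key] = parse_severity(value)
        else:
            raise ValueError(f"unknown keyword {key!r}")
    if "severity" in filters and filters.get("type") != "vulnerability":
        raise ValueError("severity: requires type: vulnerability")
    free_text = " ".join(KEYWORD_RE.sub("", query).split())
    return filters, free_text

if __name__ == "__main__":
    print(parse_query("parser type: vulnerability severity: 7.0..10 released: 2021-12-10"))
```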
Vulnerabilities in the database
Select a vulnerability in the database to review the following information about the selected vulnerability.
Summary
The Summary area provides a breadth of information related to the selected vulnerability, including:
- Technical overview: a paragraph describing the vulnerability.
- Severity CVSS score: relative severity of the vulnerability. A detailed explanation of the CVSS score is available in the CVSS guide.
- Library vulnerability information: the name of the library and a dropdown menu with one or more of the vulnerable version ranges for the library, along with the fixed and latest versions.
Technical info
For Enhanced artifacts, this area provides the full write-up describing the vulnerability with analysis of the issue.
Risk score
This area provides a detailed breakdown of the CVSS score, including the scores for each CVSS vector.
Library fix info
This area provides complete information regarding how to fix a library that contains a vulnerability. You can view the affected library version ranges here in addition to safe versions to use and the code for updating to the safe version. In some cases, multiple libraries are associated with the same vulnerability. This area includes those libraries as well.
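As an added example, not code from Veracode, the following Python evaluates a project's resolved dependencies (including transitive ones, as described under Prioritize and fix findings) against fix-info records shaped like this area: affected version ranges, the fixed version for each range, and the latest version. The record contents, the dependency list, and the [low, high) range notation over dotted numeric versions are constructed assumptions for the example.

```python
from dataclasses import dataclass
def vkey(version):
    """Dotted numeric version string to a comparable tuple: '2.14.1' -> (2, 14, 1)."""
    return tuple(int(part) for part in version.split("."))

@dataclass(frozen=True)
class AffectedRange:
    low: str    # first affected version (inclusive)
    high: str   # first version past the range (exclusive); notation is assumed
    fixed: str  # fixed version for this range, as listed per range in the dropdown

@dataclass(frozen=True)
class FixInfo:
    library: str
    ranges: tuple   # one AffectedRange per vulnerable version range
    latest: str     # latest published version of the library

def affected_range(info, version):
    """Return the AffectedRange containing version, or None when it is safe."""
    v = vkey(version)
    for r in info.ranges:
        if vkey(r.low) <= v < vkey(r.high):
            return r
    return None

def evaluate(resolved, fix_db):
    """resolved: (library, version, parents) triples, parents being the dependency
    chain that pulled the library in (empty for a direct dependency)."""
    findings = []
    for library, version, parents in resolved:
        info = fix_db.get(library)
        rng = affected_range(info, version) if info else None
        if rng is None:
            continue
        findings.append({
            "library": library, "version": version,
            "transitive": bool(parents), "via": parents[0] if parents else library,
            "fix": rng.fixed, "latest": info.latest,
        })
    return findings

# Constructed sample data mirroring the Library fix info layout; not real records.
FIX_DB = {
    "example-logger": FixInfo("example-logger", (
        AffectedRange("2.0", "2.3.1", "2.3.1"),
        AffectedRange("2.4", "2.12.2", "2.12.2"),
        AffectedRange("2.13", "2.15", "2.15"),
    ), latest="2.17.1"),
}
# Constructed resolved dependency list for a project: (library, version, parents).
RESOLVED = [
    ("example-logger", "2.14.1", ["example-web-framework"]),  # pulled in transitively
    ("example-http", "4.5", []),                               # direct, no database record
]
```

The fix reported is the smallest fixed version on the same release line; upgrading to `latest` is the alternative when the project can take a larger jump.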
References
This area provides external references related to the vulnerability, including blog posts, the GitHub pull request for the fix, and other links with relevant information.
Library signatures
This area shows the coordinates of the vulnerable libraries that Veracode SCA uses to identify the vulnerability.
Vulnerable methods
This area shows the specific part of the library that is vulnerable. Even when a vulnerable library is in use, Veracode SCA can identify whether the vulnerable method itself is called. If the project does not call the vulnerable method, it might not be subject to a potential exploit.
Libraries in the vulnerability database
Select a library in the vulnerability database to review the following information about the selected library.
Summary
This page shows the history of a given library, organized either by vulnerability severity or by the version released. Each list of library vulnerabilities and versions has a search box for narrowing it down.
Versions
You can use the Versions page to see vulnerability, license, and library evidence information sorted by library version. You can filter the list to only show library versions that include vulnerabilities.
REST APIs
You can use the Veracode REST APIs to perform tasks for SCA Upload and Scan and SCA Agent-based Scan.
For Veracode SCA agent-based scans, you can:
- Create workspaces, create agents, review findings, and more with the SCA REST API.
- Review findings with the Findings REST API.
For SCA Upload and Scan, you can:
- Review findings with the Findings REST API.
- Generate a software bill of materials (SBOM) with the SCA REST API.
Veracode SCA legal disclaimer
Veracode, Inc. (“Veracode”) does not provide legal advice. Please be aware that your use of the Veracode solution does not serve as a substitute for your compliance with any applicable laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, or executive order (collectively, (“Laws”))) or any contractual obligations with any third parties. You are responsible for consulting an independent legal counsel regarding any such Laws or contractual obligations. Use of the Veracode solution does not serve as a substitute for your own assessment of business risks associated with the software licenses identified by Veracode.