Run an agent-based scan for Maven
You can use agent-based scanning to scan any code repository to which you have access and fulfills the above requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-java-maven
After you add a srcclr.yml
file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Maven code. Some scan directives are specific to Maven projects.
Before you begin:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Maven repository.
- Include the
pom.xml
file in the directory where you perform scans. - Use Maven 3.1 or later with the executable installed in the local path.
- In your
~/.m2/settings.xml
file, ensure that you properly set up any Nexus servers or authentications to successfully compile code. - Be able to run the
mvn dependency:tree
command from the root of the project where you perform scans.
The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:
mvn compile -Dcheckstyle.skip=true -e -DskipTests \
-DskipITs -Dmaven.test.skip=true --fail-fast --nsu -Denforcer.skip=true
To complete this task:
-
Run the scan command with the Veracode SCA CLI agent pointed to the directory of the NPM repository. For example:
srcclr scan path/to/{project_folder}
noteTo scan code repositories hosted in Git, use the
--url
argument with the CLI agent.To view more verbose output during the scan process, you can add the
--loud
argument:srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.