veracode fix
Generates code fixes and, optionally, applies them to flaws in an application source file. To get started, see the quickstart.
Your system must have Git installed.
Syntax
./veracode fix <source_file> [flags]
Arguments
| Argument | Description |
|---|---|
| source_file | Location of the application source file that contains flaws you want to fix. |
Flags
| Flag | Description |
|---|---|
| -r, --results <results_file> | Optional. Specifies the location of the results file, in JSON format, from a Pipeline Scan. Default is results.json in the current folder. The results file must contain the stack dump data for each flaw. Fix uses the stack dump data to correlate the flaws to your source code. To add the stack dump data to the results, ensure your Pipeline Scan command includes the parameter --emit_stack_dump true (or its short form, -esd true). |
| -i, --issue-id <issue_ID> | Optional. Specifies the numeric ID of an issue in results_file that you want to fix in source_file. If you include this flag, Fix does not return a list of issues. |
| -a, --apply | Optional. Applies the top-ranked fix to a flaw in source_file, or to the specific flaw you selected with issue_ID. If you include this flag, Fix does not return a list of fixes. To revert a fix, use a version control system, such as Git. |
| -v, --verbose | Optional. Displays verbose output. |
Examples
To analyze a Java source file using a results file with the default filename and location, run:
./veracode fix my_java_application/commands/IgnoreCommand.java
To analyze a Java source file using a results file in a custom location, run:
./veracode fix my_java_application/commands/IgnoreCommand.java --results my_results/results.json
To automatically apply a fix to a specific issue in a Java file using a results file in a custom location, run:
./veracode fix my_java_application/commands/IgnoreCommand.java --results my_results/results.json --issue-id 1234 --apply
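As a pre-flight check before running the commands above (an added example, not part of the Veracode CLI or its documentation): a Python script that reads the Pipeline Scan results file, reports findings that lack the stack dump data Fix needs to correlate flaws to source, and lists the issue IDs attributed to the file you are about to fix so you can choose an --issue-id. The results.json field names and the embedded sample document are assumptions constructed for this example.

```python
"""Pre-flight check of a Pipeline Scan results file before running `veracode fix`."""
import json

# Constructed sample in the assumed results.json layout; not real scan output.
SAMPLE_RESULTS = json.dumps({"findings": [
    {"issue_id": 1234, "cwe_id": "89", "issue_type": "SQL Injection",
     "files": {"source_file": {"file": "my_java_application/commands/IgnoreCommand.java",
                               "line": 42}},
     "stack_dumps": {"stack_dump": [{"Frame": [{"FrameId": "0"}]}]}},
    {"issue_id": 1235, "cwe_id": "117", "issue_type": "Improper Output Neutralization for Logs",
     "files": {"source_file": {"file": "my_java_application/commands/IgnoreCommand.java",
                               "line": 58}}},  # no stack_dumps key: Fix cannot correlate it
    {"issue_id": 1236, "cwe_id": "601", "issue_type": "Open Redirect",
     "files": {"source_file": {"file": "my_java_application/web/Redirector.java", "line": 17}},
     "stack_dumps": {"stack_dump": [{"Frame": [{"FrameId": "0"}]}]}},
]})


def load_findings(results_json):
    """Parse the results document and return its list of findings."""
    return json.loads(results_json).get("findings", [])


def missing_stack_dumps(findings):
    """Issue IDs with no stack dump data. Fix cannot correlate these to source,
    so the Pipeline Scan must be re-run with --emit_stack_dump true."""
    return [f["issue_id"] for f in findings if not f.get("stack_dumps")]


def findings_for_file(findings, source_file):
    """Findings attributed to source_file (exact or path-suffix match), ordered by
    line, with the fields needed to pick an --issue-id and see if Fix can use it."""
    rows = []
    for f in findings:
        loc = f.get("files", {}).get("source_file", {})
        path = loc.get("file", "")
        if path == source_file or path.endswith("/" + source_file):
            rows.append({"issue_id": f["issue_id"], "cwe_id": f.get("cwe_id"),
                         "line": loc.get("line"), "has_stack_dump": bool(f.get("stack_dumps"))})
    return sorted(rows, key=lambda r: r["line"] or 0)


if __name__ == "__main__":
    found = load_findings(SAMPLE_RESULTS)
    print("findings without stack dumps:", missing_stack_dumps(found))
    for row in findings_for_file(found, "my_java_application/commands/IgnoreCommand.java"):
        print(row)
```

Point the script at your real results.json by replacing SAMPLE_RESULTS with the file's contents; any issue ID it reports as lacking stack dumps will not be usable by Fix until the scan is repeated with --emit_stack_dump true.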
How Veracode Fix Works
Veracode Fix uses a combination of your application source_file and the Static Analysis results in results_file from a Pipeline Scan of your application. It identifies flaws in the source code and suggests fixes you can apply to mitigate the flaws. Fix uses a machine learning (ML) model that continually trains on thousands of samples of vulnerable code with suggested code patches. These patches come from real-world code that contains the appropriate fix for a security issue. Veracode continually curates these patches against its data set of Static Analysis flaws and against flaws in real-world code.
Fix does the following:
- Uploads a copy of your source file and results file to the Veracode remediation service.
- Uses the ML model to compare the code in your source file to its code samples.
- Returns a list of issues, which are the flaws you can fix. Each issue has a unique ID and shows the Common Weakness Enumeration (CWE) ID, a brief description of the flaw, and the line of code where the flaw exists.
- After you specify the issue you want to fix, Fix matches the patch in the code sample to your code and returns a list of suggested fixes.
- After you specify the fix you want to apply, Fix applies the patch by rewriting the code that contains the flaw.
- Discards the copy of your source file, so that it is no longer available to Veracode.
After you apply a fix for a routine injection flaw, such as CRLF injection, cross-site scripting (XSS), or SQL injection, Veracode recommends that you test your code before committing it. For other flaw categories, you might need to perform other tasks. For example, if Veracode recommends that you update a hashing algorithm to a version that is more cryptographically secure, such as moving from MD5 to SHA, you must update any instances of hashed data. If the hashed data is part of an interface, you must also update the definition for that interface, including all parties that use that definition.
Compilation Errors
Fix attempts to verify that all suggested fixes are compilable, but you might apply a fix that is incompatible with your application. For example, a fix might use an import statement that adds a new library to your application, so that the applied fix can use a supported cleansing function. Fix does not attempt to update your package manager file, such as pom.xml. If your application fails to compile, review your code to see if the applied fix added an import statement and, if it did, add the library to your package manager file.
If your application fails to build after applying a fix, and fixing the package manager file does not resolve the problem, please contact Veracode Technical Support.
How Veracode Fix Helps Developers
Veracode data shows that organizations are not keeping up with their security debt, with the “half life”, which is the expected time to remediate 50% of the open findings in a given codebase, growing nearly 50% over the last five years. Developers often lack the training, experience, and tools to find and fix security findings in their code. For example, a 2022 PulseMeter report by Techstrong Research showed that 73% of developers are required to write secure code, but lack adequate tools and knowledge. Many developers are required to fix security issues that they did not create, in code they did not write. Development teams rarely get to work on greenfield code. Typically, they must update existing code bases that are full of latent security findings, and their organization expects them to be responsible for the overall security of the application. Their organization might also hold them accountable for addressing the security debt.
Technical Support
If you need help, contact Veracode Technical Support or visit the Community.
Supported Languages
- Java
- C#
- JavaScript and TypeScript
Supported CWEs
Fix supports the following CWEs for each supported language. For the complete list of CWEs that each Veracode scan type supports, see Veracode and the CWE.
Java
- 73: External Control of File Name or Path
- 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (HTML Injection)
- 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
- 113: Improper Neutralization of CRLF Sequences in HTTP Headers
- 117: Improper Output Neutralization for Logs
- 327: Use of a Broken or Risky Cryptographic Algorithm
- 331: Insufficient Entropy
- 382: J2EE Misconfiguration: Error Handling Enabled
- 470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
- 597: Use of Wrong Operator in String Comparison
- 601: URL Redirection to Untrusted Site ('Open Redirect')
C#
- 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (HTML Injection)
- 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
- 201: Information Exposure Through Sent Data
- 209: Information Exposure Through an Error Message
- 259: Use of Hard-coded Password
- 352: Cross-Site Request Forgery (CSRF)
- 404: Improper Resource Shutdown or Release
- 601: URL Redirection to Untrusted Site ('Open Redirect')
- 611: Improper Restriction of XML External Entity Reference
- 798: Use of Hard-coded Credentials
JavaScript and TypeScript
- 73: External Control of File Name or Path
- 78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (HTML Injection)
- 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
- 113: Improper Neutralization of CRLF Sequences in HTTP Headers
- 117: Improper Output Neutralization for Logs
- 327: Use of a Broken or Risky Cryptographic Algorithm
- 611: Improper Restriction of XML External Entity Reference
- 614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute