SCA updates - Commercial

The updates on this page apply to Veracode Software Composition Analysis (SCA) in the Commercial Region.

Dec 11, 2023

Veracode has released the SCA App-Linking REST API. You can use this API to link a project for SCA agent-based scans to an application profile. The linked application profile receives all libraries, licenses, and discovered vulnerabilities from that project, along with all results from SCA Upload scans. To link a project, use the linkAppProject endpoint. To unlink a project, use the unlinkAppProject endpoint.

SCA Agent Enhancement

Veracode has fixed an issue that prevented the SCA agent from cleaning up local scan directories and added enhancements to the agent that will be used in the future for scanning Java projects.

Dec 4, 2023

SCA Agent Enhancement

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 21, 2023

SCA Agent Enhancement

Veracode has added several enhancements and fixes to the SCA agent.

November 14, 2023

SCA Agent Enhancement

Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.

November 6, 2023

API to propose and approve mitigations for SCA findings

Veracode has released the SCA Annotations REST API. This API includes the getSCAannotations endpoint to retrieve comments and mitigations applied to findings from SCA upload scans and the createSCAannotations endpoint to annotate SCA upload findings, including adding comments and proposing, accepting, and rejecting mitigations.

The SCA Annotations API specification is available on SwaggerHub.

This API is not part of the Annotations API, which works with findings from Static Analysis and Dynamic Analysis.

October 11, 2023

Exploit Probability (EPSS) Added to Findings API

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the Findings REST API. EPSS is maintained by FIRST.org, which also maintains the Common Vulnerability Scoring System (CVSS). The EPSS model produces a score between 0 and 1 (0% to 100%) that estimates the probability that a vulnerability will see exploitation activity in the wild within the next 30 days. The data also includes the percentile of the current score, which is the percentage of all scored vulnerabilities with the same or lower EPSS score. EPSS measures likelihood of exploitation, not impact, so it complements CVSS severity rather than replacing it. Veracode encourages customers to use EPSS data to prioritize which vulnerabilities to fix first.

Fixed SCA Agent Error

Veracode has fixed an issue that caused a null pointer exception when performing an agent-based scan on some projects.

September 27, 2023

Correction of SCA Fix By Dates in Sandboxes

Veracode has fixed an issue impacting the calculation of Fix By dates in sandbox scans. Previously, SCA used the scan date or the scan promotion date as the date that a component was first found, causing the Fix By date to be pushed out continuously. This fix is not retroactive and only impacts scans completed after Sept 27, 2023.

September 22, 2023

Assign Policies to SCA Agent-Based Scan Workspaces

The new Unified Policy feature allows you to assign policies to workspaces used for SCA agent-based scans. Like the existing agent rules, you can use policies to create issues and break your build based on certain criteria. See more details about applying rules to a policy, assigning policies to agent-based workspaces, and setting default policies.

Veracode will migrate customers from agent rules to Unified Policy in batches and will retire agent rules before April 1, 2024.

August 28, 2023

Agent-Based Scan UI Now Displays CVSS v3

Because the National Vulnerability Database stopped supporting CVSS v2 in July 2022 and most users have moved to v3, the Library and Vulnerability pages of SCA's agent-based scan user interface now display CVSS v3 scores, instead of v2. You must clear the cache in your web browser to see these changes.

To also display CVSS v3 on the workspace Issue pages and the project Issue tab, you must update your agent rules to use CVSS v3.

August 16, 2023

Enhancements to SCA Agent Dependency Graph Traversal

Veracode has improved the performance of the SCA agent by optimizing how it handles dependencies with very complicated and intertwined dependency graphs.

August 8, 2023

Exploit Probability (EPSS) Added to SCA Agent APIs

Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the SCA Agent REST APIs. EPSS is maintained by FIRST.org, which also maintains the Common Vulnerability Scoring System (CVSS). The EPSS model produces a score between 0 and 1 (0% to 100%) that estimates the probability that a vulnerability will see exploitation activity in the wild within the next 30 days. The data also includes the percentile of the current score, which is the percentage of all scored vulnerabilities with the same or lower EPSS score. EPSS measures likelihood of exploitation, not impact, so it complements CVSS severity rather than replacing it. Veracode encourages customers to use EPSS data to prioritize which vulnerabilities to fix first.
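The two EPSS entries above (October 11 for the Findings API, August 8 for the SCA Agent APIs) describe the data but not how to act on it. The following is an added example, not Veracode code and not the schema of either API: it ranks findings by combining EPSS likelihood with CVSS impact. The finding records and their values are constructed, the field names are assumptions about how such data might be shaped, and the thresholds are illustrative.

```python
"""Rank SCA findings by EPSS likelihood first, CVSS impact second.

Added example, not Veracode code. Findings and their values are constructed,
and the field names (cvss, epss_score, epss_percentile) are assumptions about
how such data might be shaped, not the Findings or SCA Agent API schemas.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    cvss: float             # CVSS base score, 0.0 to 10.0 (impact/severity)
    epss_score: float       # EPSS: probability of exploitation activity in the next 30 days
    epss_percentile: float  # share of all scored CVEs with an EPSS score <= this one


def validate(f: Finding) -> None:
    """Reject out-of-range values before they drive a remediation decision."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.cve}: CVSS {f.cvss} outside 0-10")
    if not (0.0 <= f.epss_score <= 1.0 and 0.0 <= f.epss_percentile <= 1.0):
        raise ValueError(f"{f.cve}: EPSS fields outside 0-1")


BUCKETS = ("fix-now", "fix-soon", "schedule", "backlog")


def triage_bucket(f: Finding, epss_threshold: float = 0.1, cvss_threshold: float = 7.0) -> str:
    """Four-quadrant triage: likely-exploited AND high-impact first.

    The thresholds are assumptions for this example. FIRST.org's guidance is to
    pick an EPSS cut-off that matches the volume your team can actually remediate.
    """
    likely = f.epss_score >= epss_threshold
    severe = f.cvss >= cvss_threshold
    if likely and severe:
        return "fix-now"
    if likely:
        return "fix-soon"   # low CVSS but evidence of exploitation: still fix promptly
    if severe:
        return "schedule"   # severe on paper, little evidence of exploitation
    return "backlog"


def prioritize(findings, **thresholds):
    """Stable ordering: bucket, then highest EPSS, then highest CVSS."""
    for f in findings:
        validate(f)
    rank = {b: i for i, b in enumerate(BUCKETS)}
    return sorted(
        findings,
        key=lambda f: (rank[triage_bucket(f, **thresholds)], -f.epss_score, -f.cvss),
    )


# Constructed sample. The CVE ids are deliberately invalid placeholders.
SAMPLE = [
    Finding("CVE-0000-0001", "pkg-a", cvss=9.8, epss_score=0.92, epss_percentile=0.99),
    Finding("CVE-0000-0002", "pkg-b", cvss=5.3, epss_score=0.45, epss_percentile=0.97),
    Finding("CVE-0000-0003", "pkg-c", cvss=9.1, epss_score=0.004, epss_percentile=0.70),
    Finding("CVE-0000-0004", "pkg-d", cvss=3.1, epss_score=0.001, epss_percentile=0.30),
    Finding("CVE-0000-0005", "pkg-e", cvss=7.5, epss_score=0.15, epss_percentile=0.95),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{triage_bucket(f):9} {f.cve} cvss={f.cvss:<4} "
              f"epss={f.epss_score:.3f} pct={f.epss_percentile:.2f}")
```

Note that CVE-0000-0002 (CVSS 5.3) lands ahead of CVE-0000-0003 (CVSS 9.1): a medium-severity flaw that is being exploited is usually a better use of the next remediation slot than a critical one with no exploitation signal. The percentile is carried along because a raw score of 0.15 is easier to defend when you can also say it sits above 95% of all scored CVEs.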

July 28, 2023

API to Retrieve List of SCA Agent Projects Linked to an Application

Veracode has released the getApplicationProjects API to allow users to retrieve a list of SCA agent projects that are linked to a specific application. Users who have rights to call the getApplications API may also call the getApplicationProjects API.

July 21, 2023

Enhancements to .NET Scanning

Veracode has added the following enhancements to SCA scanning for .NET applications:

  • Reduced false positives and false negatives in SCA upload scans by adding support for deps.json and project.assets.json files, which record the package versions NuGet actually restored rather than the version ranges declared in the project file.
  • Enhanced SCA Agent scans by adding the ability to perform --quick scans on NuGet projects.
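Why deps.json improves accuracy is easier to see with a parser in hand. The following is an added example, not Veracode code and not how the SCA engine reads these files: it walks a constructed *.deps.json (made-up Contoso.* package names, real file layout) and separates direct from transitive NuGet packages, using the resolved "Name/Version" keys rather than the declared lower bounds in each dependencies block.

```python
"""Read a .NET *.deps.json and separate direct from transitive NuGet packages.

Added example, not Veracode code. The file below is constructed (made-up
Contoso.* packages) but follows the real deps.json layout: runtimeTarget,
targets keyed by "Name/Version", and libraries typed as project or package.
"""
import json

DEPS_JSON = r'''{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v6.0", "signature": "" },
  "targets": {
    ".NETCoreApp,Version=v6.0": {
      "ExampleApp/1.0.0": {
        "dependencies": { "Contoso.Json": "13.0.1", "Contoso.Logging": "2.12.0" },
        "runtime": { "ExampleApp.dll": {} } },
      "Contoso.Json/13.0.1": { "runtime": { "lib/net6.0/Contoso.Json.dll": {} } },
      "Contoso.Logging/2.12.0": {
        "dependencies": { "Contoso.Json": "9.0.1", "Contoso.Core": "1.0.0" },
        "runtime": { "lib/net6.0/Contoso.Logging.dll": {} } },
      "Contoso.Core/1.0.0": { "runtime": { "lib/netstandard2.0/Contoso.Core.dll": {} } }
    }
  },
  "libraries": {
    "ExampleApp/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "Contoso.Json/13.0.1": { "type": "package", "serviceable": true, "sha512": "sha512-AAAA",
      "path": "contoso.json/13.0.1", "hashPath": "contoso.json.13.0.1.nupkg.sha512" },
    "Contoso.Logging/2.12.0": { "type": "package", "serviceable": true, "sha512": "sha512-BBBB",
      "path": "contoso.logging/2.12.0", "hashPath": "contoso.logging.2.12.0.nupkg.sha512" },
    "Contoso.Core/1.0.0": { "type": "package", "serviceable": true, "sha512": "sha512-CCCC",
      "path": "contoso.core/1.0.0", "hashPath": "contoso.core.1.0.0.nupkg.sha512" }
  }
}'''
DEPS = json.loads(DEPS_JSON)


def _split(key: str):
    name, _, version = key.partition("/")
    return name, version


def runtime_target(deps: dict) -> dict:
    return deps["targets"][deps["runtimeTarget"]["name"]]


def resolved_versions(deps: dict) -> dict:
    """name -> version actually restored. Only the 'Name/Version' keys are
    authoritative; a 'dependencies' entry records the declared lower bound."""
    return dict(_split(k) for k in runtime_target(deps))


def classify(deps: dict):
    """Return (direct, transitive) NuGet package keys, walking from project roots.

    Every library of type 'project' is treated as a root, so packages pulled in
    by a ProjectReference count as direct for the solution as a whole.
    """
    target, libs = runtime_target(deps), deps["libraries"]
    resolved = resolved_versions(deps)
    roots = [k for k, v in libs.items() if v.get("type") == "project"]

    def resolve(name: str) -> str:  # KeyError here means the graph is inconsistent
        return f"{name}/{resolved[name]}"

    direct = {resolve(n) for r in roots for n in target[r].get("dependencies", {})}
    seen, transitive, stack = set(direct), set(), list(direct)
    while stack:
        for name in target.get(stack.pop(), {}).get("dependencies", {}):
            dep = resolve(name)
            if dep not in seen:
                seen.add(dep)
                transitive.add(dep)
                stack.append(dep)
    is_pkg = lambda k: libs.get(k, {}).get("type") == "package"  # drop project references
    return sorted(filter(is_pkg, direct)), sorted(filter(is_pkg, transitive))


def declared_vs_resolved(deps: dict):
    """(dependent, name, declared, resolved) wherever restore unified a version.
    Reporting the declared version instead of the resolved one is exactly the
    kind of false positive (or false negative) lockfile support removes."""
    target, resolved = runtime_target(deps), resolved_versions(deps)
    return sorted((k, n, v, resolved[n]) for k, e in target.items()
                  for n, v in e.get("dependencies", {}).items() if v != resolved[n])


if __name__ == "__main__":
    direct, transitive = classify(DEPS)
    print("direct:", direct)
    print("transitive:", transitive)
    print("unified:", declared_vs_resolved(DEPS))
```

In the sample, Contoso.Logging declares Contoso.Json 9.0.1 but the application runs 13.0.1; a scanner that reads the declared version would report a vulnerability in 9.0.1 that the build does not ship (a false positive), and one that only reads the project file would miss Contoso.Core entirely (a false negative).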

July 11, 2023

Additional Roles Can Call SBOM APIs

Veracode has expanded the list of roles that are allowed to call the CycloneDX Software Bill of Materials (SBOM) API and the SPDX SBOM API. See the SBOM API instructions for application profiles and agent-based projects for details.

June 28, 2023

SCA Agent CLI Now Displays CVSS v3 Severities

The Vulnerabilities section of the Summary Report that appears in your CLI after an SCA agent-based scan now displays CVSS v3 severities, instead of v2.

The Issues section still displays CVSS v2 severities by default, but you can edit the severity in your agent-based scanning rules to reflect v3. If you have not modified your rules to use CVSS v3, Veracode recommends setting up organization-level rules to avoid having to edit rules on every workspace individually.
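The August 28 and June 28 entries above both hinge on the difference between CVSS v2 and v3 severities. The following is an added example, not Veracode code and not the SCA agent's rule engine: it encodes the published qualitative bands for each version (NVD's v2 ranges; the CVSS v3.x specification's rating scale), models a "severity at or above X" rule, and lists which constructed findings would change outcome when a rule moves from v2 to v3 scores.

```python
"""CVSS v2 vs v3 severity bands, and what switching a rule between them changes.

Added example, not Veracode code. The band boundaries are the published ones
(NVD's v2 ranges; CVSS v3.x specification, qualitative severity rating scale).
The rule model and the sample findings are constructed for illustration.
"""

V2_BANDS = [(0.0, "Low"), (4.0, "Medium"), (7.0, "High")]
V3_BANDS = [(0.0, "None"), (0.1, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical")]
ORDER = ["None", "Low", "Medium", "High", "Critical"]  # rank used for >= comparisons


def _band(score: float, bands) -> str:
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score {score} outside 0-10")
    score = round(score, 1)  # CVSS base scores carry one decimal
    label = bands[0][1]
    for floor, name in bands:
        if score >= floor:
            label = name
    return label


def cvss2_severity(score: float) -> str:
    return _band(score, V2_BANDS)


def cvss3_severity(score: float) -> str:
    return _band(score, V3_BANDS)


def rule_fires(score: float, scheme: str, min_severity: str) -> bool:
    """Model of a rule 'create an issue when severity >= min_severity'."""
    if min_severity not in ORDER:
        raise ValueError(f"unknown severity {min_severity!r}")
    if scheme == "v2" and min_severity not in ("Low", "Medium", "High"):
        raise ValueError("CVSS v2 has only Low/Medium/High bands")  # no 'Critical' in v2
    sev = cvss3_severity(score) if scheme == "v3" else cvss2_severity(score)
    return ORDER.index(sev) >= ORDER.index(min_severity)


def migration_diff(findings, min_severity: str):
    """Findings whose rule outcome changes when the rule moves from v2 to v3 scores.

    findings: (id, v2_score, v3_score). The two scores are independent ratings
    of the same CVE, so this is not a relabeling: a 'High' rule can gain and
    lose issues at the same time, which is why rules need re-checking after the switch.
    """
    out = []
    for cve, v2, v3 in findings:
        before = rule_fires(v2, "v2", min_severity)
        after = rule_fires(v3, "v3", min_severity)
        if before != after:
            out.append((cve, before, after))
    return out


# Constructed sample; the CVE ids are placeholders, the scores illustrative.
FINDINGS = [
    ("CVE-0000-0001", 5.0, 7.5),   # medium under v2, high under v3: new issue
    ("CVE-0000-0002", 7.5, 6.5),   # high under v2, medium under v3: issue disappears
    ("CVE-0000-0003", 10.0, 9.8),  # high under v2, critical under v3: still fires
    ("CVE-0000-0004", 2.1, 3.7),   # low either way
]

if __name__ == "__main__":
    for cve, before, after in migration_diff(FINDINGS, "High"):
        print(f"{cve}: v2 rule fires={before} -> v3 rule fires={after}")
```

The band mapping is the easy part (a v2 "High" spans 7.0 to 10.0, which v3 splits into High and Critical). The practical risk is in the scores themselves: the same CVE is rated separately under each version, so a rule that reads "High" in both schemes will still open and close a different set of issues, as the diff shows.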

June 20, 2023

Support for v3 Format of NPM Lockfiles

Veracode has added support for NPM lockfile format version 3. See Run an Agent-Based Scan for NPM or JavaScript and TypeScript Packaging for details.
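Lockfile format version 3 differs from earlier versions in a way that matters for any tool reading it. The following is an added example, not Veracode code and not how the SCA agent parses the file: it inventories a constructed package-lock.json (lockfileVersion 3) from its "packages" map, keeps production scope by default, derives package names from install paths (including scoped and nested copies), and flags entries without an integrity hash.

```python
"""Inventory a package-lock.json (lockfileVersion 3) by walking its 'packages' map.

Added example, not Veracode code; the lockfile below is constructed. Version 3
drops the legacy top-level 'dependencies' tree that v1-era parsers relied on,
so the 'packages' map, keyed by install path, is the only place the graph lives.
"""
import json

LOCK_JSON = r'''{
  "name": "example-app", "version": "1.0.0", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": { "name": "example-app", "version": "1.0.0",
          "dependencies": { "a": "^1.0.0", "b": "^3.0.0" },
          "devDependencies": { "c": "^0.1.0", "@scope/tool": "^4.0.0" } },
    "node_modules/a": { "version": "1.2.3",
      "resolved": "https://registry.npmjs.org/a/-/a-1.2.3.tgz",
      "integrity": "sha512-AAAA", "dependencies": { "b": "^2.0.0" } },
    "node_modules/a/node_modules/b": { "version": "2.5.0",
      "resolved": "https://registry.npmjs.org/b/-/b-2.5.0.tgz", "integrity": "sha512-BBBB" },
    "node_modules/b": { "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/b/-/b-3.0.0.tgz" },
    "node_modules/c": { "version": "0.1.0", "dev": true,
      "resolved": "https://registry.npmjs.org/c/-/c-0.1.0.tgz", "integrity": "sha512-CCCC" },
    "node_modules/@scope/tool": { "version": "4.0.0", "dev": true,
      "resolved": "https://registry.npmjs.org/@scope/tool/-/tool-4.0.0.tgz",
      "integrity": "sha512-DDDD" }
  }
}'''
LOCK = json.loads(LOCK_JSON)


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b': the name is everything
    after the last 'node_modules/', which keeps scoped packages intact."""
    return path.rsplit("node_modules/", 1)[-1]


def inventory(lock: dict, include_dev: bool = False):
    """(name, version, install path) for every installed third-party package.

    Nested copies of one name are distinct components with their own versions,
    so the inventory is keyed by path, never de-duplicated by name alone.
    """
    if lock.get("lockfileVersion") != 3:
        raise ValueError("expected lockfileVersion 3")
    out = []
    for path, entry in lock["packages"].items():
        if path == "" or entry.get("link") or "node_modules/" not in path:
            continue  # root project, workspace symlinks, workspace source dirs
        if entry.get("dev") and not include_dev:
            continue  # production scope by default, like the agent's NPM default
        out.append((package_name(path), entry["version"], path))
    return sorted(out)


def direct_dependencies(lock: dict, include_dev: bool = False) -> set:
    """Names the root manifest asks for; everything else in the inventory is transitive."""
    root = lock["packages"][""]
    names = set(root.get("dependencies", {}))
    if include_dev:
        names |= set(root.get("devDependencies", {}))
    return names


def missing_integrity(lock: dict):
    """Install paths with no integrity hash: npm cannot verify that tarball on install."""
    return sorted(p for p, e in lock["packages"].items()
                  if "node_modules/" in p and not e.get("link") and "integrity" not in e)


if __name__ == "__main__":
    direct = direct_dependencies(LOCK)
    for name, version, path in inventory(LOCK):
        kind = "direct" if name in direct and path.count("node_modules/") == 1 else "transitive"
        print(f"{kind:10} {name}@{version}  ({path})")
    print("no integrity:", missing_integrity(LOCK))
```

Two things the walk surfaces that a name-keyed view hides: package b is installed twice (2.5.0 nested under a, 3.0.0 at top level), and both must be reported, because a fix to one does not touch the other; and node_modules/b has no integrity field, so its tarball is pinned by version only, which is worth flagging in a supply-chain review.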

May 15, 2023

Fixed Agent Error for Yarn Scans

Veracode has fixed an issue causing SCA agent-based scans of Yarn projects to erroneously fail.

May 9, 2023

Upgraded JRE for SCA Agent

Veracode has upgraded the Java Runtime Environment (JRE) for the SCA agent from version 11 to 17.

Added GNU Privacy Guard to SCA Agent Downloads

Veracode has added GNU Privacy Guard (GPG) signature files to all SCA agent downloads so that you can verify the integrity and origin of an agent binary before you run it. Check the signature against the Veracode signing key you obtained through a trusted channel, not merely against any key that happens to be in your keyring.
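A "good signature" message alone does not prove who signed a file; the check that matters is that the signature was made by the key you expect. The following is an added example, not Veracode tooling: it shells out to gpg (assumed to be on PATH) and parses the machine-readable --status-fd stream, accepting a download only when VALIDSIG names a pinned primary-key fingerprint. The page does not state Veracode's signing key or download locations, so the fingerprint and the status lines here are constructed placeholders.

```python
"""Verify a detached GPG signature against a pinned primary-key fingerprint.

Added example, not Veracode tooling. gpg is assumed to be on PATH. The
fingerprint and the SAMPLE_STATUS lines are constructed placeholders; replace
PINNED with the fingerprint you obtained from the publisher out of band.
"""
import subprocess

# Status keywords that end the verification immediately.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def parse_status(status_text: str, pinned_fpr: str):
    """Return (ok, reason). ok only when VALIDSIG names the pinned primary key.

    GOODSIG means 'some key in the keyring produced a valid signature'. Pinning
    the primary fingerprint is what ties the artifact to a specific publisher.
    """
    pinned = pinned_fpr.replace(" ", "").upper()
    valid_primary = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG":
            # [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary-key-fpr>]
            # Prefer the primary fingerprint so a signing subkey still maps to the pinned key.
            valid_primary = (fields[11] if len(fields) > 11 else fields[2]).upper()
    if valid_primary is None:
        return False, "no VALIDSIG"
    if valid_primary != pinned:
        return False, f"signed by {valid_primary}, expected {pinned}"
    return True, "ok"


def verify_download(artifact: str, signature: str, keyring: str, pinned_fpr: str):
    """Run gpg against an isolated keyring file (give an absolute path; a bare
    filename is looked up in the GnuPG home directory) and pin the signer."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True,
    )
    ok, reason = parse_status(proc.stdout, pinned_fpr)
    return ok and proc.returncode == 0, reason


# Constructed status output (fingerprints are placeholders, not a real key).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-05-09 1683590400 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
PINNED = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"  # placeholder, not Veracode's key

if __name__ == "__main__":
    print(parse_status(SAMPLE_STATUS, PINNED))
    print(parse_status(SAMPLE_STATUS, "0000000000000000000000000000000000000000"))
```

The TRUST_UNDEFINED line is deliberately ignored: web-of-trust state is irrelevant once you pin the fingerprint, and relying on it instead would let any key you once signed locally pass the check. Human-readable gpg output is also avoided, because it is localized and changes between versions.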

May 3, 2023

Fixed Scope Parameter for NPM Scans

Veracode has resolved an issue impacting the scope parameter for SCA agent-based scans of NPM projects.

April 14, 2023

SCA Agent Enhancements

Veracode has added the following enhancements to the SCA agent:

  • Support for Gradle version 8.
  • The default scope for scans of NPM projects is now production dependencies instead of all dependencies.

Temporarily Ignore Issues from Agent-Based Scans

You can now specify a date for Veracode to stop ignoring issues from SCA agent-based scans.

April 6, 2023

Enhancements to Go Scanning

Veracode has added the following enhancements to SCA scanning for Go projects:

  • Reduced false positives.
  • Reduced false negatives.
  • Increased scan speed.
  • Fixed an issue that removed component names when agent-based scan results were linked to an application.
  • Fixed an issue that caused indirect dependencies to appear in agent-based scan results as direct libraries instead of transitive libraries.

April 4, 2023

Enhanced SCA Agent Support for Java 17 Features

Veracode SCA has improved agent-based scan support for projects that contain Java 17 features.

April 3, 2023

NVD Severity Ratings for SCA Upload Scans

Veracode Software Composition Analysis (SCA) upload scans now support displaying updated severity ratings that more closely match the National Vulnerability Database (NVD) severity ratings. To enable this feature for your account, contact Veracode Technical Support.

March 16, 2023

New Mitigation Type Available for SCA Upload Scans

You can now choose to accept the risk of specific vulnerabilities and licenses as part of your mitigation process for Veracode SCA upload scans. This mitigation type is already available for Veracode Static Analysis and Dynamic Analysis.

February 3, 2023

Region Flag for Agent-Based Scans

Veracode SCA agent-based scans now provide a region flag that you can use to configure accounts in the European Region and United States Federal Region.

February 2, 2023

JRE Upgrade for SCA Agent

Veracode has upgraded the Java Runtime Environment (JRE) that is bundled with the Software Composition Analysis (SCA) agent.

January 13, 2023

Improved SCA Support for Python 3

Veracode Software Composition Analysis (SCA) agent-based scans now more effectively locate local Python 3 installations.

December 21, 2022

Generate SBOM in SPDX Format

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) in SPDX JSON format from the results of your Veracode SCA upload scans.

December 14, 2022

SCA Support for Android

Veracode Software Composition Analysis (SCA) now supports scanning Android projects. This support includes AAR files for agent-based scans and APK and AAB files for upload scans.

September 15, 2022

SCA Support for Go Aliases

Veracode Software Composition Analysis (SCA) now supports aliases in Go projects. This support includes agent-based and upload scans.

Vulnerable Method Support for Java 17

Veracode SCA agent-based scanning now supports vulnerable method analysis for Java 17.

August 22, 2022

Set SCM URI as Project Name

You can now set the source code management (SCM) URI as your project name using the --uri-as-name option in your Veracode SCA agent-based scans.

July 22, 2022

SBOM API Support for SCA Agent-Based Scans Linked to Application Profiles

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans that you have linked to an application profile. The API generates an SBOM in CycloneDX JSON format.

June 6, 2022

Generate SBOMs for SCA Agent-Based Scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans. The API generates an SBOM in CycloneDX JSON format.

May 9, 2022

SBOM API Support for Promoted Sandbox Scans

You can now generate a software bill of materials (SBOM) for Veracode SCA upload scans that have been promoted from sandbox to policy scans. The Veracode SCA Agent REST API includes promoted sandbox scan results when it returns a CycloneDX SBOM for an application.

SCA Upload and Scan Table Update

Veracode has removed the Number of Known Vulnerabilities by Severity column from the Applications table on the Upload and Scan page in the Veracode Platform. This update significantly reduces load times for the page. You can still view the number of known vulnerabilities by severity for each application in the application profile.

April 26, 2022

Generate SBOMs for SCA Upload Scans with the REST API

You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA upload scans. The API generates an SBOM in CycloneDX JSON format.
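The SBOM entries above (CycloneDX JSON from April 26, May 9, June 6 and July 22 2022; SPDX JSON from December 21 2022) name the two formats without showing their shape. The following is an added example, not Veracode's SBOM API or its output: it emits one constructed component inventory as both a CycloneDX 1.4 JSON document and an SPDX 2.3 JSON document, carrying only the required and customary fields, and extracts package URLs (purls) from either so two SBOMs of the same build can be diffed.

```python
"""Emit one component inventory as CycloneDX 1.4 JSON and SPDX 2.3 JSON, and
cross-check the two by purl.

Added example, not Veracode's SBOM API or its output. The component list is
constructed; a tool-generated SBOM carries many more fields than shown here.
"""
import json
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

COMPONENTS = [
    # (purl type, namespace or None, name, version); constructed inventory
    ("npm", "@scope", "tool", "4.0.0"),
    ("maven", "org.example", "core", "1.2.3"),
    ("nuget", None, "Contoso.Json", "13.0.1"),
]


def purl(ptype: str, namespace, name: str, version: str) -> str:
    """Package URL. Namespace and name are percent-encoded, so '@scope' -> '%40scope'."""
    ns = f"{quote(namespace, safe='')}/" if namespace else ""
    return f"pkg:{ptype}/{ns}{quote(name, safe='')}@{quote(version, safe='')}"


def cyclonedx(app_name: str, components, serial=None, timestamp=None) -> dict:
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": app_name},
        },
        "components": [
            {"type": "library", "name": n, "version": v, "purl": purl(t, ns, n, v)}
            for t, ns, n, v in components
        ],
    }


def _spdxid(prefix: str, text: str) -> str:
    """SPDX identifiers allow only letters, digits, '.' and '-'."""
    return f"SPDXRef-{prefix}-" + re.sub(r"[^A-Za-z0-9.-]", "-", text)


def spdx(app_name: str, components, namespace_uri: str, created=None) -> dict:
    pkgs, rels = [], []
    for t, ns, n, v in components:
        sid = _spdxid("Package", f"{n}-{v}")
        pkgs.append({
            "name": n, "SPDXID": sid, "versionInfo": v,
            "downloadLocation": "NOASSERTION",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": purl(t, ns, n, v)}],
        })
        rels.append({"spdxElementId": "SPDXRef-DOCUMENT",
                     "relatedSpdxElement": sid, "relationshipType": "DESCRIBES"})
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": app_name, "documentNamespace": namespace_uri,  # must be unique per document
        "creationInfo": {
            "created": created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "creators": ["Tool: sbom-example-0.1"],
        },
        "packages": pkgs, "relationships": rels,
    }


def purls(doc: dict) -> set:
    """Component purls from either format, the stable key for diffing two SBOMs."""
    if doc.get("bomFormat") == "CycloneDX":
        return {c["purl"] for c in doc["components"] if "purl" in c}
    return {r["referenceLocator"] for p in doc.get("packages", [])
            for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"}


def to_json(doc: dict) -> str:
    return json.dumps(doc, indent=2, sort_keys=True)


if __name__ == "__main__":
    cdx = cyclonedx("example-app", COMPONENTS)
    sp = spdx("example-app", COMPONENTS, "https://example.com/sbom/example-app-1")
    print(to_json(cdx))
    print("same components:", purls(cdx) == purls(sp))
```

The purl is the field to key on when comparing SBOMs, for instance a promoted sandbox scan against the policy scan, or an agent-based project against the application it is linked to: names and versions alone collide across ecosystems, while a purl encodes the ecosystem, namespace, name and version in one string that both formats carry.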

January 20, 2022

JSON Output for Agent-Based Scans Includes CVSS v3 Score

Veracode Software Composition Analysis (SCA) now provides the CVSS version 3 score in the JSON CLI output of your agent-based scan results. To use this feature, you must upgrade your Veracode SCA agent to version 3.7.77 or later.