Scan for Visual Studio
Veracode Scan for Visual Studio is an extension for Visual Studio 2019 and 2022 that integrates Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Veracode Fix into your Software Development Lifecycle (SDLC).
From within your IDE:
- To detect flaws in your code, run Static Analysis scans.
- To remediate flaws by applying suggested fixes, use Veracode Fix.
- To resolve findings manually, use the provided remediation guidance.
- To detect vulnerabilities in open-source libraries and the risk level of open-source licenses, run SCA agent-based scans.
- To resolve vulnerabilities, use the provided remediation guidance.
When you scan your project, the extension automatically:
- Packages your project code into an artifact, such as ZIP or JAR.
- Uploads the artifact to Veracode for analysis.
- Downloads the results and displays them in your IDE.
Scan results are only available in your IDE. You cannot access the results in the Veracode Platform.
Supported versions
Veracode has tested the following versions of Visual Studio, but the extension might work with other versions.
- Visual Studio 2022: v17.11.4 or later
- Visual Studio 2019: v16.11.40 or later
Supported languages and frameworks
Veracode has tested specific versions of the following languages and frameworks, but the extension might work with other versions.
- For Static Analysis scans, see Pipeline Scan supported languages.
- For SCA scans, see Agent-based scan language support matrix.
- For Fix, see the supported languages.
- For auto-packaging, see supported languages.
About application packaging
Before Veracode can run a Static Analysis on your project, the code must be packaged into a supported artifact, such as ZIP or JAR. When you start a scan, the extension uses an auto-packager to automatically package your project. Then, the extension uploads the artifact to Veracode for scanning.
If the auto-packager is not able to package your application, or you prefer to create the artifact yourself, you can use the Veracode packaging guidance to package your application manually. The default location for manually packaged artifacts is <project root>/.verascan
. At the root of your project, create the .verascan
folder and add your artifact to this folder. When you start a scan, the extension first looks for an artifact in the default location. To store your artifact in a different location, where the extension looks next, configure the Artifact Glob setting.
A packaged artifact must not exceed the total file size limit of 200 MB.
Prerequisites
Before you can install and use Veracode Scan for Visual Studio, you must have:
-
A supported version of Visual Studio and a source project of a supported language or framework. Monorepos are not supported.
-
Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as
SRCCLR_NO_GIT=1
, on your operating system. -
Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization. The extension uses these addresses to authenticate with Veracode, upload your code for scanning, and download the results. To update your allowlist, you might need to contact your IT team.
-
To generate suggested code fixes and apply them to flaws, you must have a Veracode Fix license, a supported code language, and your account must have the Submitter user role.
-
To use auto-packaging, you must have:
- All required build tools, such as compilers and supported package managers, for the language of your project, installed on your local system.
- All required build tools available on the default command line prompt, which typically uses PATH. If you open a different project that uses different tools, or different versions of the same tools, before you can scan, you must ensure these tools are available on the default command prompt.
-
To see the prerequisites for a scan type, select from the following:
- SAST
- SCA
To run Static Analysis scans and view flaws, you must have:
- An active Static Analysis license.
- One of the following Veracode accounts:
- A human user account with the following user roles: Security Lead or both Creator and Submitter.
- An API service account with the Upload and Scan API or Upload API - Submit Only API role.
- Ensured your application builds successfully. If your project files change between scans, rebuild your project and ensure it builds successfully.
- Enabled one-way communication on port 443.
To run SCA scans and view vulnerabilities, you must have:
- An active Veracode SCA license.
- To be notified when SCA licenses are unavailable, ensure you have a current SSL certificate chain and make the path to the certificate known to the installed SCA agent. If an SCA license is unavailable, the SCA agent uses the certificate to show an error message in your IDE.
- A human user account with the Security Lead, Workspace Administrator, Workspace Editor, or Submitter role. API service accounts are not supported.
- The SCA workspace My Workspace with an available project slot. The plugin can only use My Workspace.
- Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as
SRCCLR_NO_GIT=1
. - Installed a supported package manager.
- If your open-source libraries are stored in an internal repository that rejects traffic from your proxy, contact Veracode Technical Support.
Create an API credentials file
Before you can use the extension, you must generate API credentials in the Veracode Platform and store them in a local credentials file. The extension uses the API credentials to authenticate with Veracode.
Install the extension
Install the extension from the Visual Studio Marketplace.
You can only install the extension on one machine. If you install the extension on multiple machines, it might fail to authenticate with Veracode.
Before you begin:
Ensure you meet the prerequisites.
To complete this task:
-
In Visual Studio, select Extensions > Manage Extensions. Alternatively, go to the Visual Studio Marketplace.
-
Search for
veracode
. -
Locate and install Veracode Scan for Visual Studio 2019 or Veracode Scan for Visual Studio 2022.
-
Restart Visual Studio.
-
On the toolbar, select Open Veracode Scan . Alternatively, select Extensions > Veracode Scan. The Veracode Scan window opens. The extension automatically detects your API credentials file and attempts to authenticate with Veracode.
-
On the Getting Started tab, under Authenticate with Veracode, review the Status.
-
If authentication is successful, the Status shows
Authenticated
. Continue to Step 7. -
If authentication failed, the Status shows
Not Authenticated
. Complete one or both of the following, then select Test Authentication.a. Ensure your API credentials file is configured correctly and the file is in the required location.
b. Ensure your API credentials are valid. If your credentials are invalid or expired, generate new credentials and replace the invalid credentials in your credentials file with your new credentials.
-
-
To install a local agent, under Install Local Agent, select Install Agent. The extension uses this agent to communicate with Veracode. This agent is specific to the extension and does not affect any other local Veracode agents.
-
Select Close. The Getting Started window will not open on subsequent scans. The installation is complete.
Configure the extension
Optionally, provide the location of a custom artifact containing the code you want to scan. By default, when you start a scan the extension uses auto-packaging to automatically package your code into a supported artifact.
To complete this task:
-
Select Tools > Options.
-
In the Options window, select Veracode Scan > Settings.
-
Configure the following options:
- Artifact Glob: enter a glob pattern that defines the path and filename for a packaged artifact that you created manually or placed in a custom location. The path must be relative to your project root directory.
- HTTP Proxy SSL Certificate: enter the path to your SSL certificate file, such as a PEM file. To obtain this path, contact your IT team. This option is required if you configure the HTTP Proxy URL option.
- HTTP Proxy URL: to authenticate with Veracode through a proxy, enter the URL for your proxy server, then add your proxy credentials. Alternatively, you can add the URL as an environment variable. This setting overrides the URL defined in an environment variable.
- Recursive Scan: to have each scan run recursively on all folders in your project, select Enable SCA recursive scan. This option is selected by default.
-
For Artifact Glob, enter a glob pattern that defines the path and filename for a packaged artifact that you created manually or placed in a custom location. The path must be relative to your project root directory.
-
Select OK.
Add proxy credentials
If your organization requires you to authenticate with Veracode through a proxy server, add your proxy credentials to the extension. The extension only supports Basic authentication.
To complete this task:
-
Select Tools > Options.
-
In the Options window, select Veracode Scan > Settings.
-
For HTTP Proxy SSL Certificate, enter the path to your SSL certificate file. For example, a PEM file. To obtain this path, contact your IT team.
-
For HTTP Proxy URL, enter the URL for your proxy server. If you do not know the proxy server URL, contact your IT team.
Alternatively, to add the proxy server URL to an environment variable, create the following environment variable on your local system. The HTTP Proxy URL option overrides the environment variable.
- For Variable name, enter
https_proxy
orveracode_https_proxy
. - For Variable value, enter the URL for your proxy server.
- For Variable name, enter
-
In the Finding Details window, enter your proxy username and password. You only see the fields for proxy username and password if you have credentials for the proxy URL you entered.
-
Select Add Credentials. The extension authenticates with Veracode.
Scan your project
To analyze the security risk of your code, scan your project. Because each scan uses the data paths in your project files to detect flaws in lines of code, it does not scan your code as you type. To detect flaws in new or changed lines of code, you must rescan your project.
A Veracode account is limited to six scans per 60 seconds and each scan is limited to a maximum scan time of 60 minutes.
Before you begin:
Ensure you meet the prerequisites.
To complete this task:
- Open a supported project or solution.
- On the toolbar, select Open Veracode Scan . The Veracode Scan window opens.
- Select Scan and Review > Scan project.
- Wait for the scan to complete. When the scan is complete, the results appear in the following views: Scan Overview and Flaws In My Code.
Review the scan overview
After you scan your project, the Scan Overview shows the total number of flaws from the Static Analysis scan. To view the following information about the scan, select the dropdown .
- The scan completion time and date.
- The name of the scanned project and the scan duration.
- All flaws categorized by severity.
Working with flaws
To review, fix, or ignore discovered flaws, use the Flaws In My Code view.
Review flaws
Learn about the discovered flaws and their severity, and get remediation guidance that can help you fix them.
Before you begin:
Ensure you have scanned your project.
To complete this task:
- In the Veracode Scan window, select Scan and Review.
- In the Flaws In My Code view, review the list of flaws. Each flaw shows the Common Weakness Enumeration (CWE) ID and name, sorted by severity. The flaws with the highest severity are at the top of the list. If there are suggested fixes from Veracode Fix, a green banner shows the total number of available fixes and all flaws to which you can apply fixes show a green star .
- Optionally, to only show flaws with specific severities or flaws with available fixes, select the filter to filter the flaws. Then, select one or more severities or Has fix.
- To view a detailed description of a flaw and the remediation actions you can take to fix it, select Flaw details. The Finding Details tab opens.
- To view a flaw within a source file, select a flaw. The source file opens in a tab and the line of code where the flaw exists is highlighted blue.
Filter flaws
To control which flaws are listed in the Flaws In My Code view, you can filter them by severity.
Before you begin:
Ensure you have scanned your project.
To complete this task:
-
In the Veracode Scan window, select Scan and Review.
-
In the Flaws In My Code view, select the filter .
-
From the dropdown menu, select from the following filters:
- Severity filters: hide or show flaws based on their severity.
- Fix filter: to only show flaws with suggested fixes that you can apply or flaws that have fixes applied , select Has fix.
The list of flaws updates automatically and the selected filters show a checkmark .
-
To remove filters, select one or more filters that show a checkmark.
Fix flaws
To fix discovered flaws, you can apply suggested fixes from Veracode Fix or follow the remediation guidance available in your IDE. If the scan results do not include the path to a flaw, Veracode Fix does not provide suggested fixes for that flaw.
Before you begin:
Ensure you have scanned your project.
To complete this task:
-
In the Veracode Scan window, select Scan and Review.
-
In the Flaws In My Code view, expand a flaw you want to fix.
-
Optionally, to only show flaws with specific severities or flaws with available fixes, select the filter to filter the flaws.
-
To open the source file that contains the flaw, select the flaw. In the source file, the line of code where the flaw exists is highlighted blue. A line of code can contain multiple flaws.
-
In the Flaws In My Code view, expand a flaw and select Flaw details. The Finding Details tab opens with a detailed description of the flaw and options for you to fix it.
-
To fix the selected flaw, select from the following tabs. You only see the Veracode Fix tab if Fix supports the CWE ID for the selected flaw.
- Veracode Fix: to apply the top suggested fix for this flaw, select Apply Fix. In the source file that contains the flaw, the code where the flaw exists is highlighted orange, and the code with the suggested fix that will replace the code that contains the flaw is highlighted green. To apply other suggested fixes, select Fix Option, select a fix, then select Apply Fix. After you apply a suggested fix, a notification message opens with details about the applied fix. In the Flaws In My Code view, the severity and fix icons change to gray . If you fix a flaw manually, the severity icon does not change to gray.
- Remediation Guidance: to fix this flaw manually, follow the remediation guidance. To see the path that the scanner followed to locate this flaw: under Data Paths, expand a path. Then, select the Step link for the source file and code line number you want to view.
noteIf you use Veracode Fix, each time you open a flaw in the Finding Details tab and select Veracode Fix, it regenerates the suggested fix options. To avoid losing a suggested fix that you might want to apply later, consider copying the suggested fix code to a text file outside your IDE.
-
Rebuild your project and check that it builds successfully. When you update code to remediate a flaw manually or you apply a suggested fix from Veracode Fix, the code changes might break your build. For example, the code change might reference a library that is not in your project.
-
To confirm that a flaw is fixed, rescan your project and check that the flaw is no longer listed in the Flaws In My Code view.
Working with vulnerabilities
To review and fix the discovered vulnerabilities, use the Vulnerabilities In My Libraries view.
Review and fix vulnerabilities
The Vulnerabilities In My Libraries view lists all open-source libraries with one or more vulnerabilities.
Before you begin:
Ensure you have scanned your project.
To complete this task:
- In the Veracode Scan window, select Scan and Review. The Vulnerabilities in My Libraries view lists all detected libraries with vulnerabilities. The libraries with the most and highest-risk vulnerabilities are at the top of the list.
- Optionally, to only list libraries with vulnerabilities of specific severities, select the filter to filter the vulnerabilities.
- To see the vulnerabilities for a library, expand a library.
- To see additional information about the library you expanded, select View library details. The Finding Details tab opens and shows information about the library, such as its total vulnerability count with severities, the latest version available, the known safe version, and its usage.
- To return to the Vulnerabilities In My Libraries view, select Scan and Review.
- Under the library you expanded, select a vulnerability. The Finding Details tab opens and shows the CVSS score of this vulnerability, all libraries in your project with this vulnerability, a link to view it in the Veracode Vulnerability Database, and the recommended fix.
- To fix the vulnerability, under The Fix, follow the remediation steps. For example, if a library in an NPM project has a vulnerability, you might need to upgrade, or downgrade, the library in the
package.json
file to a safe version. - To ensure that any libraries you changed are compatible with your project, rebuild your project and check that it builds successfully.
- To confirm that a vulnerability is fixed, rescan your project and check that the affected library, or the specific vulnerability you fixed, is no longer listed in the Vulnerabilities In My Libraries view.
Filter vulnerabilities
To control which vulnerabilities are listed in the Vulnerabilities In My Libraries view, you can filter them by severity.
Before you begin:
Ensure you have scanned your project.
To complete this task:
-
In the Vulnerabilities In My Libraries view, select the filter .
-
From the dropdown menu, select one or more filters:
- Severity: hide or show vulnerabilities based on their risk level.
- Usage: hide or show vulnerabilities based on their usage.
The list of vulnerabilities updates automatically and the selected filters show a checkmark .
-
To remove filters, select one or more filters that show a checkmark.
Review open-source licenses
You can review a list of all open-source licenses, the libraries that use these licenses, and the license risk level. Your organization uses this information when deciding whether it needs to change a license to a safe version.
Before you begin:
Ensure you have scanned your project.
To complete this task:
- In the Veracode Scan window, select Scan and Review.
- To see the names, versions, and risk level of each license, scroll through the list of licenses in the Library Licenses view. The licenses with the highest risk level are at the top of the list.
- To see the libraries that use a license, expand a license.
Clear all results
Remove all findings from all views and the extension.
Before you begin:
Ensure you have scanned your project.
To complete this task:
You cannot undo this action or recover the cleared findings. To see results, rescan your project.
In the Veracode Scan window, select Scan and Review > Clear all results.
Troubleshooting
To generate a log file for all scans, Veracode Fix, and the auto-packager, turn on debugging. You can use these logs to troubleshoot issues.
When turned on, the debug option does not persist. You must turn it on before each scan.
To complete this task:
Select Extensions > Veracode Scan > Enable Debug. The Enable Debug menu item shows a checkmark.
The log files are stored on your local machine in .veracode/ide_agent/vstudio/
. To remove these files, you must delete them manually.
To turn off debugging, select Extensions > Veracode Scan > Enable Debug to remove the checkmark.
If you need additional help, contact Veracode Technical Support.