2020 updates archive
This page lists the archived updates for 2020.
View the list below for highlights of previous releases.
December 17, 2020
New Veracode Pipeline Scan Support for PHP Applications
- Veracode has improved the Pipeline Scan by adding support for PHP applications.
December 15, 2020
New Support for Languages and Frameworks
Veracode has improved static analysis by adding support for these new versions of supported technologies:
- Android 11
- C++ Support for Red Hat Enterprise Linux 8
- Grails 4
- Java 15
- Slick Library for Scala
Improved Support for Java
- Veracode has improved static analysis of Java applications by adding support for JNDI injection flaws. See the Veracode blog post for details about these types of flaws.
Improved Prescan Warning Messages
- Veracode has improved its warning messages to notify you when the JavaScript and TypeScript files you submit have parsing errors. Parsing errors can affect the quality of the prescan results.
- Veracode has also improved the accuracy of warning messages for several other languages and file types.
Simplified Packaging Requirements for iOS Applications
- Veracode has improved the user experience of analyzing iOS applications by simplifying the requirements for packaging.
November 24, 2020
New Support for GCC 8.3 on Red Hat Enterprise Linux 7
- Veracode has improved static analysis by adding support for the GCC 8.3 compiler on Red Hat Enterprise Linux.
October 30, 2020
New Pipeline Scan Support for React Native, Titanium, and Cordova Applications
- Veracode has improved the Pipeline Scan by adding support for React Native, Titanium, and Cordova applications.
October 29, 2020
Improved Veracode Static Analysis Results
Veracode has improved static analysis of these supported technologies:
- Angular templates
- Apache Commons
- AWS SDK for Java
- JavaScript
- Python
New Pipeline Scan Reporting Options
- Veracode has improved the Pipeline Scan to support reporting a filtered list in JSON format of issues that caused the analysis to fail.
October 21, 2020
Pipeline Scan Supports Custom GitLab Domains
- Veracode has improved the Pipeline Scan to support custom GitLab domains when creating GitLab issues.
October 6, 2020
Improved Pipeline Scan Error Messages and Logging
Veracode has improved pipeline scans to include these enhancements:
- Improved error message content
- Integration with Log4j to log debug messages
October 2, 2020
New Pipeline Scan Support for Python Applications
- Veracode has improved Pipeline Scan to include support for Python applications.
September 26, 2020
Packaging Improvements for .NET Applications
- Veracode has improved the user experience of analyzing .NET applications by adding support for .NET applications submitted as standard NuGet packages.
September 24, 2020
New Pipeline Scan Support
- Veracode has improved Pipeline Scan to include support for Android applications.
New Veracode Static Analysis Support
Veracode has added support for new versions of these technologies:
- Angular 9 and 10
- Visual Studio 2019 for Visual C++
Improved Veracode Static Analysis Support
- Veracode has improved static analysis of AWS SDK for JavaScript.
- Veracode has improved static analysis of .NET and JVM-based applications. Veracode reduced the number of prescan warning messages that it sends for components that are common third-party libraries.
September 17, 2020
New Static Analysis Support for iOS 14
- Veracode has improved static analysis by adding initial support for iOS 14.
September 1, 2020
New Veracode Static Analysis Support
Veracode has added static analysis support for these technologies:
- React Native 0.6x
- Ruby on Rails 6
- Jinja2 Template Library for Python
Veracode Static Analysis Recognized Cleansers
As a result of updated security research, Veracode has added several CRLF cleansing functions to the list of supported cleansing functions. Veracode also removed these CRLF functions:
- com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscape
- com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscapeAllowEntities
- com.google.gwt.safehtml.shared.SafeHtmlUtils.fromString
- org.springframework.web.util.HtmlUtils.htmlEscape
- org.springframework.web.util.HtmlUtils.htmlEscapeDecimal
- org.springframework.web.util.HtmlUtils.htmlEscapeHex
- org.apache.axis.components.encoding.XMLEncoder.encode
- com.liferay.portal.kernel.util.HtmlUtil.escapeAttribute
- com.liferay.portal.kernel.util.HtmlUtil.escape
- com.liferay.portal.kernel.util.HtmlUtil.escapeHREF
- com.liferay.portal.kernel.util.HtmlUtil.escapeXPath
Improved Veracode Static Analysis User Experience
Veracode has improved the user experience of static analysis by providing:
- More consistent naming for the submitted components
- More information added to some prescan error messages
August 7, 2020
New Pipeline Scan REST APIs
- The new Pipeline Scan REST APIs allow you to submit pipeline scans directly using an API.
Pipeline Scan Improvements
Veracode Static Analysis using pipeline scanning includes these enhancements:
- New command parameters for creating GitLab issues and vulnerabilities from scan output: --gl_issue_generation and --gl_vulnerability_generation
- New GitLab examples added to the pipeline scan README and the Veracode Help Center
July 10, 2020
New Pipeline Scan Support for .NET Applications
- Veracode has added pipeline scan support for .NET applications.
July 1, 2020
New Veracode Static Analysis Support
Veracode has added static analysis support for these technologies:
- AWS SDK for
- Ruby 2.6 and 2.7
- AcuCOBOL-GT 10.3
- Xcode 11.5
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these technologies:
- AWS SDK for Python (Boto3).
- Additional security checks for applications built using Java 12, 13, and 14. You may see additional findings for applications as a result of these improvements.
- Additional security checks for applications built using .NET Core 3.1. You may see additional findings for applications as a result of these improvements.
- Additional security checks for applications using Apache Commons libraries. You may see additional findings for applications as a result of these improvements.
- Additional security checks for applications using Go templates. You may see additional findings for applications as a result of these improvements.
- Improved scan coverage for iOS application submissions. Veracode now analyzes all components submitted with an iOS application, including standalone frameworks, extensions, and watchOS extensions. After a prescan, you can select these components from a list of modules.
New Video - Review Static Analysis Flaws
This video shows you how to:
- Access static flaw information in the Triage Flaws view of the Veracode Platform.
- Use the Source Code view to load source code from your local system into the Triage Flaws page so that you can view information about the flaw in the context of your original source.
- Document a proposed mitigation for review.
June 13, 2020
New Veracode Static Analysis Support
Veracode has added static analysis support for these technologies:
- Improved analysis of Go applications by adding support for the Gorilla framework, and improving overall results quality.
- Improved analysis of JavaScript applications using AWS Lambda and other functions by adding support for the AWS SDK.
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these technologies:
- Improved static analysis of iOS applications so that scan results focus on custom first-party components instead of third-party libraries.
- Improved static analysis of .NET and Java applications to more accurately report the analysis size of dependent modules. These changes may result in smaller reported sizes for scan submissions.
- Veracode now reads the contents of the go.mod file included in an application submission to more accurately identify which Go components to analyze.
May 13, 2020
Pipeline Scan Improvements
Veracode Static Analysis using pipeline scanning includes these enhancements:
- New command parameters for storing information about the application you are scanning: --app_id and --development_stage
- New code examples that show how to integrate a pipeline scan with GitHub actions and Azure DevOps. These examples are included in both the pipeline scan Readme file and the Veracode Help Center.
May 4, 2020
New Veracode Static Analysis Support
Veracode now supports static analysis of these libraries for Apex:
- Visualforce
- Lightning
- Aura components for Salesforce
Improved Veracode Static Analysis Support
Veracode now supports static analysis of these technologies:
- Apex version 49.
- Java applications built on Java 14.
- Version 2.6 and 2.7 of the Play framework for Scala. You may see additional findings for Play applications as a result of these improvements.
- Python application analysis improvements, including additional security checks for risks related to certificate management and cryptography settings. You may see additional findings for Python applications as a result of these improvements.
- Updated CWE definitions for flaws that had been reported previously as CWE 100 and 391. MITRE is deprecating these CWEs. MITRE is recategorizing CWE 100 flaws as CWE 1174, and recategorizing CWE 391 flaws as either CWE 252 or CWE 273, depending on the details of the flaw.
Veracode has updated policy rules that included entries for CWE 100 and CWE 391 to include the new CWEs.
After you run the next scan of affected applications, the Veracode Platform reports and analytics reflect the new CWE values. Data for previous scans still include the historical values.
April 23, 2020
Improved Veracode Static Analysis Support with Pipeline Scanning
Veracode static analysis using pipeline scanning now includes these features:
- Support for Scala, Kotlin, and Groovy applications
- Veracode authentication using the API credentials file
- Human user accounts with the required user roles can run pipeline scans
April 14, 2020
New Video - Run a Pipeline Scan in Your CI/CD Environment
- This video shows you how the pipeline scan runs directly within a CI/CD environment.
April 2, 2020
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for AWS Lambda functions for Java, .NET, Node.js, and Python.
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these technologies:
- Improved results quality for iOS 13 applications
- Support for iOS applications built with Xcode 11.4
Veracode has changed reporting of CWE 404 flaws to be more specific about where they occur, which may result in additional findings. Veracode has also changed the severity of CWE 404 to Informational.
March 16, 2020
Announcing General Availability of Pipeline Scan for Veracode Static Analysis
- Veracode is pleased to announce the general availability release of the pipeline scan, a purpose-built tool for DevOps engineers. The pipeline scan directly embeds into your CI tools and provides fast feedback on flaws after each commit.
February 20, 2020
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for a new version of Visual C++ applications built for Windows 10, Server 2016, and Server 2019.
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these supported technologies:
- Apache Struts 2
- Safe cryptography libraries in PHP
- Apex triggers submitted with the TGR file extension
January 30, 2020
New Veracode Static Analysis Support
Veracode has improved static analysis by adding support for these new versions of supported technologies:
- Java applications built on Java 13
- Initial support for .NET Core 3.1
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these supported technologies:
- APIs and language features specific to .NET Core 3.0, .NET Standard 2.1, and C# 8. You may see additional findings in .NET applications that use these new features.
- log4net, Serilog, and NLog logging technologies in .NET for detecting log injection flaws in .NET applications. You may see additional findings in .NET applications that use these technologies.
- Additional security checks for Android 9 applications. You may see additional findings for Android applications as a result of these improvements.
Dynamic Analysis
View the list below for highlights of previous releases.
November 24, 2020
New Target URL Search Feature
- Veracode Dynamic Analysis now allows you to search for individual URL scans in addition to searching for a specific Dynamic Analysis. This capability enables you to easily identify which scans are associated with a specified URL.
CSP Header Checks
- Veracode Dynamic Analysis now checks for missing or misconfigured script execution policies in Content Security Policy (CSP) headers of web applications.
Expanded Secure Cookie Attributes List
- Veracode Dynamic Analysis has expanded its list of known secure cookie attributes, such as SameSite, Secure, and HttpOnly, that are common to cloud infrastructures. Veracode checks web applications for secure cookie attributes on this list before reporting missing attributes as flaws.
August 10, 2020
New ISM Endpoint Version Available
- An updated Veracode Dynamic Analysis Internal Scanning Management (ISM) endpoint version is now available. Updates include improved proxy configuration, an upgraded Java WebSocket library, and other enhancements. More information is available in the endpoint release history.
July 22, 2020
New Video - Configure Dynamic Analysis Login Settings
- This video describes the different types of authentication that Veracode Dynamic Analysis can require to log in to your application and how to configure your Dynamic Analysis so that Veracode can log in.
June 11, 2020
Crawl Script Support for Comprehensive Scans
- Veracode Dynamic Analysis now supports the use of prerecorded crawl sequences to supplement the default automated crawling capability of the Veracode scan engine. You must use Selenium to record the crawl scripts and save them in SIDE test suite or HTML formats. Dynamic Analysis runs the crawl script during prescan to check for any commands that might fail during the URL scan.
June 8, 2020
Improved Dynamic Analysis Coverage
Veracode has improved the scan engine coverage with:
- Increased coverage for CWE 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).
- Increased reporting for SSL issues and updated description and remediation text. The Dynamic Analysis scan engine now reports the use of Cipher Block Chaining (CBC) ciphers, and key exchange algorithms that do not provide perfect forward secrecy (such as RSA with no EDH).
New Screenshot Verifications and Scan Notes Features
- Veracode Dynamic Analysis now shows additional troubleshooting information on the Prescan Details and Scan Details pages. The new Verification Screenshots section shows screenshots that the Veracode scan engine takes at predetermined points. The Scan Notes section contains observations from the scan engine on issues encountered at runtime or best practices that you can apply to the scan configuration.
Updated Video - Initiate a Dynamic Analysis Prescan
- This video shows you how to submit a Dynamic Analysis for prescan, what the Dynamic Analysis is testing during prescan, and how to tell if your Dynamic Analysis has passed prescan successfully.
May 26, 2020
Enhanced Access Control for ISM Endpoints
- Veracode Dynamic Analysis Internal Scanning Management (ISM) provides new options for granting Veracode support engineers access to your endpoints. You can now allow support access for a specific number of days, up to 30, or allow access indefinitely until you choose to disable it.
May 21, 2020
Client Certificate Authentication Support
- Dynamic Analysis now supports client certificate-based authentication. When you upload your certificate and the associated password, Veracode can log in to websites that require this method of authentication.
Engine JSON Web Token and Obsolete JavaScript Support
- Dynamic Analysis has added security auditing for JSON Web Tokens (JWT) and obsolete JavaScript resources. JWT auditing detects common flaws, including signature vulnerabilities, in sites that use JWT for authentication. Obsolete JavaScript resource detection reports known-vulnerable libraries, such as older versions of jQuery, through signature matching.
Improved Scan Status Details
- Veracode Dynamic Analysis now has improved end-user visibility into scan statuses. Additional status information is available in the status fields and columns of the All Analyses, Dynamic Analysis Summary, and URL Scan Summary pages. You now have more detailed information when scans stop due to network issues or because they exceeded the allocated scan duration time.
Updated Video - Create Login Scripts with Selenium
- This video shows you how to use the Selenium IDE plugin to create a login sequence script that enables Veracode Dynamic Analysis to scan URLs that have form-based authentication.
May 7, 2020
Prescan Workflow Improvements
Veracode has released several improvements to the Dynamic Analysis workflow to enhance these user experiences:
- The prescan option has moved to the Schedule page. In addition, you can now use the new prescan-only option if you want to verify your configuration before submitting the analysis.
- There is a new option on the Schedule page to enable you to save your Dynamic Analysis configuration and continue working on it or submitting it later.
- Icons have replaced the menu in the individual rows of the URLs table, providing greater ease of use when you want to edit the configuration, link to an application, or delete the URL.
April 28, 2020
ISM Notifications Include Endpoint Names
- Emails from Veracode about your ISM endpoints now specify the endpoint names to help with troubleshooting.
April 16, 2020
Scheduling Improvement
- Veracode Dynamic Analysis now provides the ability to select a start date up to 90 days in the future. This enhancement enables you to initiate a one-time scan immediately as well as schedule a recurring, quarterly scan of the same Dynamic Analysis.
Update to Supported Selenium Commands
- Dynamic Analysis now supports these Selenium commands: keyUp, keyDown, keyPress, assertTextPresent, waitForElementVisible, and clickAt.
March 31, 2020
Dynamic Analysis User Agent Defaults to Chrome
- When configuring a Dynamic Analysis, if you do not provide a user agent string for a browser of your choice, the user agent value now defaults to the Chrome browser.
March 30, 2020
Auto-Linking Now Available in Dynamic Analysis
- Veracode Dynamic Analysis now supports application auto-linking automation at the organization account level. Auto-linking links a Dynamic Analysis scan to an existing application profile. Auto-linking can also automatically create a new application profile to which Dynamic Analysis can link future scans, if you select that option. Linking a Dynamic Analysis to an application enables you to review the policy evaluation, download PDF results, and access the Veracode Links Report.
March 26, 2020
Screenshot Provided for Login Script Errors
- Veracode Dynamic Analysis now provides troubleshooting information for login script authentication failures. If you have provided a login script, the Prescan Details window links to a screenshot of the associated login errors.
March 17, 2020
Server-Side Request Forgery (SSRF) Attack Support
- Veracode Dynamic Analysis now enables Server-Side Request Forgery (SSRF) attacks by default to find flaws.
Extended Auto-Login Support
- The Veracode Dynamic Analysis scan engine has improved support for multi-page forms and login pages containing iframes.
March 9, 2020
ISM Endpoint Updated with Advanced Diagnostics
- Veracode Dynamic Analysis Internal Scanning Management (ISM) recently released an updated endpoint version with several new features, including advanced diagnostics options. More information is available in the endpoint release history.
Auto-Login Enhancements
- Veracode Dynamic Analysis has streamlined authentication configuration with an enhanced auto-login capability. You should use auto-login to provide a username and password for auto-login, browser-generated logins, and NTLMv2. Auto-login is the default setting. A separate, basic authentication section is available to configure authentication for websites that require two forms of authentication: auto-login and browser-generated authentication. Veracode continues to support Selenium-based login scripts with these changes.
Coverage Improvements
- The latest release of Veracode Dynamic Analysis includes new generic injection techniques in the scan engine and flaw publishing process. Veracode can now detect additional vulnerabilities for CWEs 95, 89, 91, and 74. In addition, SQL Injection, OS Command Injection, Remote File Inclusion (RFI), Server-side Request Forgery (SSRF), XML External Entity (XXE), and Cross-site Scripting (XSS) detection can now attack JSON keys and values in POST bodies by default.
February 21, 2020
New Video - View Dynamic Analysis Results
- This video shows you how to view Dynamic Analysis results.
February 14, 2020
New Video - Create and Run an Unauthenticated Dynamic Analysis
- This video shows you how to create, configure, and schedule an unauthenticated Dynamic Analysis.
Row Selection Persistence
- When you select the number of rows you want to display in the All Dynamic Analyses table, the selection persists even if you navigate away from that table. Your selection persists until you log out.
January 8, 2020
New Auto-Publish Feature
Auto-Publish is now enabled in Veracode Dynamic Analysis to automatically publish some findings, providing quicker results for specific types of vulnerabilities.
- If every vulnerability found in all URL scans in a Dynamic Analysis meets the criteria for auto-publication, Veracode publishes the findings immediately after the analysis completes.
- If one or more vulnerabilities require a review by a Veracode scan engineer, then any findings eligible for auto-publication must wait for that review. Veracode publishes all findings together within 24 hours of when the manual review is complete.
Change to Failed Verification Status
Veracode Dynamic Analysis has updated the status definition that displays when any URL scans fail verification for either a connection or authentication issue.
- When a single URL scan in an analysis fails verification:
- The URL scan status is Verification Failed.
- The Dynamic Analysis status is All Verifications Failed.
- When an analysis with multiple URL scans has one or more of the URL scans fail verification:
- The failed URL scan status is Verification Failed.
- The analysis status is Completed - Partial Results Available.
Application Security Platform
View the list below for highlights of previous releases.
December 7, 2020
Additional SCA Details Available from the Findings REST API
- With the Veracode Findings REST API, you can identify whether Software Composition Analysis findings are from agent-based scans or upload scans and whether they are from a direct or transitive dependency. You can also filter your findings by scan type or dependency type.
November 23, 2020
Updates to the Findings REST API
You can now perform these tasks with the Veracode Findings REST API:
- Retrieve the expiration date of the remediation grace period for findings that violate a security policy.
- Retrieve findings with comments or mitigations added after a specific date, such as the date of your most recent scan.
Healthcheck REST API
- You can use the Veracode Healthcheck REST API to test the availability of Veracode core services.
October 29, 2020
Changes to OWASP Mobile Policy Rules
- Veracode has updated policy rules that include the OWASP Mobile security standard to reflect additional research. OWASP Mobile policy rules now include these CWEs: CWE-77, 78, 80, 252, 287, 319, 345, 404, 415, 416, 601, 614, 676, 693, 757.
- Applications that contain these flaws may fail OWASP Mobile policy rules as a result of this update. Veracode will apply the update upon rescan of the application.
Improved Notifications for Delayed Scan Results
- Veracode has improved communication about delayed scan results. You now receive email notifications that include additional details and links for the affected scan. Veracode has also improved the Veracode Platform to indicate delayed scans that are under investigation.
October 19, 2020
Applications REST API
- You can now view application data and create, update, and delete applications using the Veracode Applications REST API.
September 30, 2020
Updates to Required Veracode Domains
- Veracode has introduced two URLs to which you must allow access. If you restrict access to public internet sites for your organization, add app.pendo.io and analytics2.veracode.com to your allowlist.
September 26, 2020
Rolling Sandbox Histories
- Rolling sandbox histories let you limit sandbox data by restricting the number of retained scans for each sandbox to 15. After more than 15 scans, the Veracode Platform deletes the oldest scan, though the data remains available through Veracode Analytics. If enabled, this feature replaces the previous data limitation method of expiring old sandboxes.
- To request access to rolling sandbox histories, contact Veracode Technical Support.
Updates to Some XML API Deletion Calls
- To improve performance, the deleteuser.do, deleteteam.do, deleteapp.do, and removefiles.do XML API calls now return an HTTP 200 response and a change summary, instead of a list of the items remaining after the deletion.
Shareable Links to Your Analytics Dashboards
- You can now share links to Veracode Analytics dashboards, including Veracode dashboards and dashboards that your organization creates. To access a dashboard link, you must log in to the Veracode Platform and have permission to view the data in the dashboard.
Activity Log Updates
- You can now download a report of the full history of application profile activity, scan activity, and sandbox activity. The activity log in the Veracode Platform now displays activity data for the past 90 days.
Technique Removed from TSRV Format for Accepting Risk
- Veracode has removed Technique from the TSRV standard when you perform the Accept the Risk mitigation action because none of the techniques are relevant to accepting risk. Specifics, Remaining Risk, and Verification are still required fields.
Updates to CWE Top 25 Policy Rules
- The Latest CWE Top 25 policy rule in the Veracode Platform now reflects the 2020 CWE Top 25 standard. Veracode has also updated the 2019 CWE Top 25 policy rule to disallow the children of CWE-94: CWE-91, 95, 98, 185, and 830.
September 17, 2020
Improved Business Units Tab
- On the Administration page in the Veracode Platform, Veracode has improved the usability of the Business Units tab.
September 10, 2020
New Video - Create and Manage API Users in the Veracode Platform
August 29, 2020
All Applications Page Now Available to Mitigation Approver and Delete Scans Roles
- You can now access the All Applications page in the Veracode Platform with the Mitigation Approver or Delete Scans roles. From the All Applications page, you can then select an application to approve mitigations or delete scans.
CWE-74 Now Disallowed for the OWASP Security Standard
- Veracode has reclassified CWE-74 "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" as a high severity finding. CWE-74, which Veracode discovers during Dynamic Analysis, is now included on the disallowed CWE IDs list in the latest version of the OWASP security standard. If your organization is using the OWASP 2017 security standard, you may see more findings violating policy or see your application fail policy as a result of this change.
Support for MITRE CWE List Version 4.1
- Veracode now provides reporting based on CWE version 4.1 definitions, which changes the names and descriptions of a few existing CWE categories. The complete list of changes in CWE version 4.1 is available from the MITRE website. This new version does not impact the CWE mappings for the OWASP, CWE Top 25, or CERT security standards.
- MITRE is updating their CWE list on a more frequent basis, but Veracode remains committed to staying up-to-date with each new version. As MITRE updates their CWE database, you might notice periodic changes in Veracode reports, such as differences between parent-child relationships or mappings.
August 21, 2020
Findings API Version 2
- The Veracode Findings REST API v2 is now available. With this API, you can access information about open and mitigated findings associated with applications and sandboxes. It supports Static Analysis, Dynamic Analysis, Manual Penetration Testing, and Software Composition Analysis scans.
July 28, 2020
Improved User Activity Report
- An improved user activity report is now available to download as a CSV file, providing easier access to information about user actions.
July 7, 2020
Administrators Can Turn Off Optional Notifications for Their Entire Organization
- Administrators in the Veracode Platform can now turn off all optional notifications for all new and existing users in their organization account. Individual users have the option to turn the notifications back on for their own user account.
June 29, 2020
New Accept the Risk Mitigation Type
- Veracode now allows you to resolve a finding by stating that your business is willing to accept the risk associated with that finding. This mitigation type allows you to track and report the risk while continuing to maintain the mitigation and resolution approval process. Veracode updated the mitigationinfo.xsd file to include this mitigation type.
June 27, 2020
Veracode Policies Now Support 2019 CWE Top 25 Security Standard
- Veracode updated the PCI security standard in the Veracode Platform to include the 2019 CWE Top 25 Security Standard, previously called the SANS Top 25 standard. Applications with findings included in the new standard may fail the PCI policy or PCI standard requirement as a result. Veracode applies the update to applications upon rescan.
June 16, 2020
Veracode Analytics Provides Ignored Issue SCA Data
- Veracode Analytics now supports SCA agent-based scan issue data about ignored issues, including details of when a user ignored an issue and the username for the user who ignored the issue.
June 11, 2020
New Sandbox Attributes Added to Veracode Analytics
- Veracode Analytics now provides attributes for tracking sandbox usage. You can view sandbox expiration dates and determine if the Veracode Platform sandboxes are configured for Veracode to automatically recreate them after expiration.
New Dynamic Analysis Dimensions Available in Veracode Analytics
- Veracode Analytics now provides the Dynamic Analysis fields Path and Vulnerable Parameter, which allow you to better focus and prioritize your remediation efforts.
June 8, 2020
SCA Agent Data Available in Veracode Analytics
- The Software Composition Analysis (SCA) dashboard is updated in Veracode Analytics to reflect recommended charts for tracking your use of SCA agent-based and upload-and-scan workflows. In addition, Veracode Analytics provides two new explores for SCA agent data: SCA Agent Issues and SCA Agent Scans. These explores enable you to create your own charts and dashboards, providing a better understanding of your open-source risk.
May 28, 2020
Update to Industry Values in Application Profile
- Veracode has updated the values for industries in application profiles to more accurately reflect the market. Because applications include industry values to help inform the Veracode State of Software Security report, this change affects the createapp.do and updateapp.do XML API calls.
- If you have a script coded with an expected value for the industry field, please update your script to reflect the updated values or use the default value already provided.
May 13, 2020
Analytics Scan Frequency Requirements Data
- Veracode Analytics now provides visibility into scan frequency requirements for an application. These requirements include the frequency mandated by the policy, upcoming scan due dates, and any past due dates.
May 7, 2020
New Team Admin Role
- Veracode has added the new Team Admin user role that an administrator can grant to users. With the Team Admin role, you can create, edit, and delete users within the teams you manage. This new role makes it easier for organizations to manage permissions for a large number of users.
New Mitigation Type
- Veracode has added a new mitigation type to allow you to propose mitigations using the mitigation type Mitigated - Referred to Library Maintainer. You can classify findings related to libraries developed by another development team. Another development team may build libraries in-house, but they may not own the application Veracode is scanning.
April 30, 2020
New Identity REST APIs
- The new Identity REST APIs allow you to manage users, teams, and business units. You can also use these REST APIs to create API service accounts and manage API ID/key credentials.
Updated Greenlight Scans Explore Page
- Veracode has updated the Analytics page Greenlight Scans Explore to reflect the new terminology of IDE scan (formerly known as Greenlight) and to include pipeline scan data.
Updated Applications List View
- The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering. Veracode is gradually releasing this feature as part of each Platform release, so it may not be immediately available to you.
New Secure Coding Foundation eLearning Courses
Veracode eLearning has released a new set of secure coding foundation courses:
- Secure Coding Foundations - Authentication
- Secure Coding Foundations - Authorization
- Secure Coding Foundations - Configuration and Deployment
- Secure Coding Foundations - Data Protection
- Secure Coding Foundations - Information and Error Handling
- Secure Coding Foundations - Trust Boundaries
- Secure Coding Foundations - Validation and Encoding
These courses cover application security practices and associated vulnerabilities.
eLearning User Interface Enhancements
Veracode has improved these eLearning windows:
- Manager window you use to assign learners to a manager
- Curriculum window you use to assign learners to a curriculum
April 21, 2020
Updated Applications List View
- The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering.
March 28, 2020
CWE 4.0 Support
- Veracode CWE support is updated to reflect the latest changes from MITRE in the CWE 4.0 release.
Enable Automatic Re-creation of Existing Sandboxes
- You can now edit existing sandboxes to enable the setting for automatically re-creating the sandbox when it expires.
Due Date Notifications for eLearning Students
- eLearning administrators can now specify when to send email reminders to notify students about the due dates for assigned courses.
New Python and JavaScript eLearning Courses
- Veracode has added secure coding courses for Python and JavaScript to eLearning learner levels.
March 19, 2020
New Grace Period Expiration Date in Analytics
- Veracode Analytics now provides the date when a grace period expires. An expired grace period causes the finding to fail the policy associated with the application. Veracode calculates the date based on the First Found or Last Reopened date, whichever is more recent.
Account Lock Does Not Trigger Email to Administrator
- To prevent redundant notifications, Veracode no longer sends an email to Administrators in the Veracode Platform when users in their organization are locked out of their accounts. This email is now unnecessary because users can unlock their own accounts.
March 3, 2020
Improved Developer Sandbox Scanning and Added Expiration Date
Veracode has made these improvements to developer sandboxes:
- You can now perform up to ten sandbox scans simultaneously for a single application. Before starting additional scans, you must wait for at least one running scan to complete.
- The sandbox list in the application profile now shows all sandboxes in the application that have running scans.
- All sandboxes now have an expiration date. After a sandbox reaches its expiration date, you can no longer perform scans in it. Seven days after the expiration date, the Veracode Platform automatically removes the sandbox. All data about the removed sandbox is available from Veracode Analytics. You can use the re-create option to have the Veracode Platform automatically create a new sandbox with the same name as a previously-removed sandbox.
Applications REST API Adds Policy Compliance Information
- Veracode has improved the Applications REST API to include information about the policy compliance of the application.
Executive Summary in Customizable Report PDF Includes Informational Findings
- The executive summary in the downloadable PDF of the Customizable Report now shows informational findings. The informational findings provide information that can help you ensure your application meets policy compliance.
Email Notifications for eLearning Curriculum Due Date Changes
- eLearning administrators can now send emails to notify students and their managers when the due date for an assigned curriculum changes. They can also send emails to notify managers when a due date on a curriculum has passed and students have not completed the curriculum.
February 21, 2020
New JavaScript eLearning Courses
Veracode eLearning has released a new set of secure coding courses for JavaScript:
- Secure Coding for JavaScript - Authentication & Authorization
- Secure Coding for JavaScript - Configuration and Deployment
- Secure Coding for JavaScript - Data Protection
- Secure Coding for JavaScript - Information and Error Handling
- Secure Coding for JavaScript - Validation and Encoding
These courses cover application security practices and associated vulnerabilities, including the OWASP Top Ten, and secure coding techniques in JavaScript, including using the AngularJS and ReactJS frameworks.
February 19, 2020
Updated Look-and-Feel with New Veracode Branding
- Veracode has updated the look-and-feel of the Veracode Platform with new branding.
January 28, 2020
Updates to Sandbox Functionality
Veracode has implemented these changes to improve the performance of sandbox scans:
- You can delete a sandbox and all of its scans when you promote it to policy.
- You may have a maximum number of sandboxes you can create for each application. The default limit is 25.
Automated Emails for eLearning Curriculum Updates
- Veracode eLearning administrators can turn on automated email notifications to alert eLearning students and managers when the administrator assigns a curriculum to a student.
January 24, 2020
New Video - Create a Custom Policy in the Veracode Platform
- This video shows you how to create a custom policy in the Veracode Platform.
January 13, 2020
SCA Findings Dashboard Available in Analytics
- Veracode Analytics has a new dashboard that provides Software Composition Analysis (SCA) findings on open vulnerabilities, license risk, issue severities, and library data. Veracode Analytics does not currently display findings from agent-based scans.
January 8, 2020
New Video - Review Scan Results
- This video shows you how to view Veracode scan results in the Veracode Platform.
January 2, 2020
SCA Findings Available in Veracode Analytics
- Veracode Analytics now provides details about Software Composition Analysis (SCA) findings. If you have an SCA subscription, you can view SCA vulnerabilities displayed in the Findings Status & History dashboard and the Resolution and Mitigation Details dashboard.
- Veracode Analytics does not currently display findings from agent-based scans.
Software Composition Analysis
View the list below for highlights of previous releases.
December 17, 2020
Container Scanning for Debian
- Veracode Software Composition Analysis now supports agent-based scans of Debian Docker containers. You can scan Debian containers through the command-line interface or as part of your continuous integration pipelines.
October 15, 2020
Set Default Branch to the Most Recently Scanned Branch or Tag
- You can now set your Veracode Software Composition Analysis projects to automatically update their default branch to be the most recently scanned branch or tag. This enhancement enables the use of tags as default branches and reduces the number of issues that display in the Veracode Platform, by default.
- Existing projects without a default branch selected in their project settings now use the Use Last Scanned option as the default branch.
October 13, 2020
Vulnerable Method Support for JavaScript
- Veracode Software Composition Analysis supports vulnerable method analysis for agent-based scans of JavaScript applications. This feature helps prioritize your remediation actions by identifying first-party code that calls a function in a JavaScript library that makes the library vulnerable.
October 1, 2020
Container Scanning for Ubuntu
- Veracode Software Composition Analysis now supports agent-based scans of Ubuntu Docker containers. You can scan Ubuntu containers through the command-line interface or as part of your continuous integration pipelines.
September 26, 2020
Grace Periods for SCA Policy Rules
- Veracode Software Composition Analysis now allows you to include grace periods for SCA upload scans in your application security policies. You can define a grace period for all scan types, including SCA, or define a grace period that applies specifically to SCA scans.
July 17, 2020
Default Date Limit Applied to Scan Data in Agent-Based Scan Workspaces
- To improve performance and usability, the scan data for your workspaces is now limited to projects scanned in the last 30 days, by default. You can change the time window of exported projects on the workspace page in the Veracode Platform.
July 7, 2020
Advanced License Risk Management for Agent-Based Scans
- Veracode Software Composition Analysis now provides advanced license risk management capabilities for agent-based scans. You can control the acceptable risk from open-source libraries by adding rules based on Veracode license risk ratings or by rejecting specific licenses.
June 17, 2020
New API Endpoints for Agent Management
- The Veracode SCA Agent REST API includes new endpoints for creating and deleting agents. This update enables you to more effectively scale your agent administration and improve productivity with agent-based scans.
May 28, 2020
Issue Summary for Agent-Based Scans
- Veracode Software Composition Analysis now provides a summary table on each agent-based scan workspace and project page that provides a quick view of the state of your open-source issues.
April 29, 2020
Vulnerability Database Update
- The Veracode Vulnerability Database is updated to resolve a discrepancy in severity rating compared to the National Vulnerability Database (NVD) for approximately 200 of over 20,000 total vulnerabilities. Veracode has already contacted all organizations that have applications that fail policy as a result of this update.
- If your Veracode account manager has not contacted you, you do not need to take any action.
April 6, 2020
Alpine Linux Support for Agent-Based Scans
- Veracode Software Composition Analysis (SCA) now supports the Alpine Linux distribution for agent-based scans.
Organization Rules for Agent-Based Scans
- Veracode Software Composition Analysis (SCA) now supports configuring rules for agent-based scans at the organization level. Administrators can apply these rules to all workspaces in an organization to efficiently enforce a common security standard.
April 3, 2020
New API Endpoint for Auditing Agent-Based Scan Events
- The Veracode SCA Agent REST API includes a new endpoint that provides a detailed audit of events for agent-based scans.
March 17, 2020
License Risk Details for Agent-Based Scans
- Veracode Software Composition Analysis (SCA) provides the license risk rating of each open-source license type identified in agent-based scans to help you make informed decisions about acceptable risk.
Gem Support for Containers
- Agent-based scans now support the gem package manager for scanning Docker containers.
March 16, 2020
New Video - Set Up an Agent to Scan with Veracode Software Composition Analysis
This video shows you how to:
- Create a workspace
- Set up an agent
- Start a scan from your command line
- View scan results
February 13, 2020
NPM and Pip Support for Containers
- Agent-based scans now support the NPM and pip package managers for scanning Docker containers.
January 29, 2020
Update to Integrated SCA Upload and Scan
- If you use Veracode Integrated Software Composition Analysis without a Veracode Static Analysis subscription, you can now perform scans using the upload and scan method.
SCA Results Export
- You can now generate and download your latest Software Composition Analysis results from the Export Data page in the Veracode Platform at any time. This report does not include data from agent-based scans.
January 24, 2020
New Video - Upload and Scan with Veracode Software Composition Analysis
- This video shows you how to upload and scan applications with Veracode Software Composition Analysis.
January 15, 2020
Get Teams List with the SCA Agent REST API
- The Veracode SCA Agent REST API for Veracode Agent-Based Scan now supports retrieving a list of the teams in an organization, including filtering by the full or partial team name.
Integrations
View the list below for highlights of previous releases.
December 23, 2020
Updated Video - Build and Upload Files to Scan Using Veracode Static for Visual Studio
- This video shows you how to prepare a build of your application using Veracode Static for Visual Studio and upload the build to a new or existing application profile in your Veracode portfolio.
December 17, 2020
Veracode Static for IntelliJ Supports Mitigation Proposals in TSRV Format
- Veracode Static for IntelliJ version 3.2.1 now supports submitting mitigation proposals using the Technique, Specifics, Remaining Risk, and Verification (TSRV) format. If you have a Mitigation Proposal Review (MPR) subscription, you are required to use the TSRV format when proposing mitigations from within IntelliJ.
December 11, 2020
Veracode Java Wrapper Provides Improved Diagnostic Information
- The Veracode Java wrapper version 20.12.7.3 provides improved debug-level, diagnostic information. You can include the debug parameter in your command to show this diagnostic information in the output.
New REST APIs for Findings, Development Sandboxes, and Summary Reports
Veracode now provides these REST APIs:
- Annotations API for commenting on findings and proposing, accepting, and rejecting mitigations. You can combine this API with the Findings API to manage applications.
- Development Sandbox API for creating, updating, and deleting sandboxes. You can combine this API with the Applications API to manage both applications and sandboxes.
- Additional Findings APIs for obtaining detailed findings information for a static analysis or dynamic analysis and generating Summary Reports.
December 9, 2020
New Video - Reviewing Findings in Veracode Greenlight for VS Code
This video shows you how to:
- Link findings in source code
- Filter Veracode findings
- Ignore findings in Veracode Greenlight for VS Code results
- Stop ignoring findings in Veracode Greenlight for VS Code results
November 19, 2020
Docker Hub Images for the Java API Wrapper, the Python Authentication Library, and the Pipeline Scan
Veracode now provides these products as container images on Docker Hub:
- Java API wrapper
- Python authentication library to enable HMAC for Veracode APIs
- Pipeline Scan
Veracode Static for Eclipse Now Supports Mitigation Proposals in TSRV Format
- Veracode Static for Eclipse version 3.5.0 now supports submitting mitigation proposals using the Technique, Specifics, Remaining Risk, and Verification (TSRV) format. If you have a Mitigation Proposal Review (MPR) subscription, you are required to use the TSRV format when proposing mitigations from within Eclipse.
Veracode Integration for Jira Cloud Improves Findings Import Options
The Veracode Integration for Jira Cloud version 3.5.0 includes these improvements:
- Uses mapped custom fields in the Veracode Platform when assigning issues of imported findings. If Veracode custom fields are not mapped to Jira fields, Jira Cloud assigns the issues to the default assignee for the Jira project.
- Adds the ability to map Jira Cloud fields to Veracode Platform fields for SCA components and SCA vulnerabilities.
October 6, 2020
Install Veracode Greenlight for VS Code to Run Greenlight Scans
- This video shows you how to install the Veracode Greenlight for VS Code extension. The Veracode Greenlight for VS Code extension is available from the Visual Studio Marketplace.
October 1, 2020
Veracode Static for IntelliJ Supports the Veracode API Credentials File
- Veracode Static for IntelliJ version 3.2.0 allows you to store your Veracode API credentials securely in an external file.
September 30, 2020
Introducing Veracode for GitHub
- Veracode for GitHub enables you to use GitHub Actions for performing static analysis of your application source code from within GitHub. Veracode provides preconfigured GitHub Actions for uploading your code to Veracode for static analysis or running a pipeline scan from within your GitHub development workflow.
September 24, 2020
Veracode Static for Eclipse Supports the Veracode API Credentials File
- Veracode Static for Eclipse version 3.4.1 allows you to store your Veracode API credentials securely in an external file.
September 11, 2020
Veracode Integration for Jira Cloud Adds Description Field Override Option
- The Veracode Integration for Jira Cloud version 3.4.0 adds the global option for overriding the Description field in Jira issues. When importing findings as issues into Jira Cloud, this option replaces any content in the issue Description field with your provided text.
September 10, 2020
Veracode Greenlight for Eclipse Free Trial Option Removed
- Veracode Greenlight for Eclipse version 2.8.8 removes the free trial option from the Eclipse plugin. Veracode no longer provides a free trial of Greenlight for the Eclipse IDE.
August 29, 2020
Changes to deletesandbox.do and deletebuild.do XML API Calls
- To improve the performance of the deletebuild.do and deletesandbox.do XML API calls, these calls now return an HTTP 200 response and a summary of the deleted items, instead of a list of items remaining after deletion. These calls also use new schema files.
August 13, 2020
Veracode Integration for Jira Adds Description Field Override Option
- The Veracode Integration for Jira version 3.25.0 adds the global option for overriding the Description field in Jira issues. When importing findings as issues into Jira Server, this option replaces any content in the issue Description field with your provided text.
August 12, 2020
New Video - Configure the Veracode API Credentials File on Windows
- This video shows you how to generate Veracode API credentials in the Veracode Platform and configure a Veracode API credentials file for storing your Veracode API credentials on Windows.
New Video - Configure the Veracode API Credentials File on macOS and Linux
- This video shows you how to generate Veracode API credentials in the Veracode Platform and configure a Veracode API credentials file for storing your Veracode API credentials on macOS and Linux.
July 28, 2020
Veracode C# API Wrapper Supports the Veracode API Credentials File
- The Veracode C# API wrapper version 20.7.8.0 now supports the Veracode API credentials file for storing your API credentials securely in an external file. If your API credentials file contains multiple credentials, you can use the new -credprofile parameter to specify the profile to use for Veracode authentication. The existing -vid and -vkey parameters, for specifying your API credentials at the command line, are now optional.
July 23, 2020
Veracode Java API Wrapper Supports the Veracode API Credentials File
- The Veracode Java API wrapper version 20.7.7.0 now supports the Veracode API credentials file for storing your API credentials securely in an external file. If your API credentials file contains multiple credentials, you can use the new -credprofile parameter to specify the profile to use for Veracode authentication. The existing -vid and -vkey parameters, for specifying your API credentials at the command line, are now optional.
June 25, 2020
Introducing Veracode for AWS CodeStar
- Veracode for AWS CodeStar version 1.0.0 enables you to add Veracode Static Analysis and Veracode Software Composition Analysis (SCA) as a build stage in your AWS CodePipeline. You can review the results of each analysis in the Veracode Platform.
Veracode Integration for Jira Improves Issue Assignment of Imported Findings
- The Veracode Integration for Jira version 3.24.0 can now use mapped custom fields in the Veracode Platform when assigning issues of imported findings. If Veracode custom fields are not mapped to Jira fields, Jira Server assigns the issues to the default assignee for the Jira project.
June 16, 2020
Veracode Jenkins Plugin Now Open Source and on Jenkins Marketplace
- The Veracode Jenkins Plugin version 20.6.10.0 is an open-source plugin that Veracode is distributing with an MIT license. You can download the plugin from both the Jenkins Marketplace and the Plugin Manager within Jenkins. The plugin source code is available from GitHub.
June 10, 2020
Introducing Veracode for Artifactory
The new Veracode for Artifactory version 1.3.0 allows you to perform security scanning of your application artifacts from within Artifactory. This release includes these features:
- Static analysis of your application artifacts from within Artifactory using manual scans, scheduled scans, or event-triggered scans.
- Support for Artifactory High Availability (HA) clusters.
- Python script to automate tagging artifacts with the required properties for static analysis.
May 29, 2020
Veracode Integration for Jira Cloud Adds Findings Import Options
The Veracode Integration for Jira Cloud version 3.3.0 adds these new options for importing findings from Veracode to Jira Cloud:
- Automatically assign imported findings to a Jira Cloud epic or link them to a related issue.
- Map string, number, and date/time data types from Veracode fields to text, number, and date/time field types in Jira Cloud. The integration imports the values from the Veracode fields to fields in Jira Cloud issues.
May 28, 2020
Veracode Greenlight for IntelliJ Supports IntelliJ 2020.1
- Veracode Greenlight for IntelliJ version 1.5.3 adds support for IntelliJ IDEA Ultimate and Community 2020.1. This release also allows you to store your Veracode API credentials in an external file.
May 21, 2020
Veracode Greenlight for Eclipse Supports Eclipse 2020-03
- Veracode Greenlight for Eclipse version 2.8.7 adds support for Eclipse 2020-03 and allows you to store your Veracode API credentials in an external file.
May 19, 2020
Veracode Azure DevOps Extension Adds New Scan Summary for Multi-Stage Pipelines
- The Veracode Azure DevOps Extension version 3.1.0 shows scan results in a new Veracode Scan Summary tab to support multi-stage pipelines.
May 7, 2020
Veracode Integration for Jira Adds Findings Import Options
The Veracode Integration for Jira version 3.23.0 adds these new options for importing findings from Veracode to Jira Server or Jira Data Center:
- Automatically assign imported findings to a Jira epic or link them to a related issue.
- Map string, number, and date/time data types from Veracode fields to text, number, and date/time field types in Jira. The integration imports the values from the Veracode fields to fields in Jira issues.
April 10, 2020
Veracode Integration for Jira Supports Jira Server 8.7.x
- The Veracode Integration for Jira version 3.22.1 adds support for Jira Server and Jira Data Center 8.7.x.
Updated Video - Install Veracode Static for Visual Studio
This video shows you how to:
- Install Veracode Static for Visual Studio
- Generate API credentials in the Veracode Platform
- Configure an API credentials file for storing your API credentials
March 24, 2020
Veracode Azure DevOps Extension Removes Basic Authentication
- The Veracode Azure DevOps Extension version 3.0.0 removes basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.
February 21, 2020
Veracode Greenlight for Eclipse Supports Eclipse IDE 2019-12
- Veracode Greenlight for Eclipse version 2.8.6 adds support for Eclipse IDE 2019-12 (4.14).
February 14, 2020
Veracode Greenlight for IntelliJ Supports IntelliJ IDEA 2019.3
- Veracode Greenlight for IntelliJ version 1.5.1 adds support for IntelliJ IDEA Ultimate and Community 2019.3.
February 12, 2020
Veracode Jenkins Plugin Removes Basic Authentication
- The Veracode Jenkins Plugin version 20.2.6.1 removes basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.
January 31, 2020
Veracode Static for Eclipse Supports Eclipse 2019-09
- Veracode Static for Eclipse version 3.4.0 replaces the Veracode Eclipse Plugin. This version adds support for Eclipse 2019-09. It also adds support for Java Runtime Environment (JRE) 11 and 13.
- You can no longer use basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.
January 24, 2020
Veracode Static for IntelliJ Supports IntelliJ IDEA 2019.3
- Veracode Static for IntelliJ version 3.0.0 replaces the Veracode IntelliJ Plugin. This version supports IntelliJ IDEA Ultimate and Community 2017.x to 2019.3. It also adds support for Java Runtime Environment (JRE) 11 and 13.
- You can no longer use basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.
January 23, 2020
Updated Veracode Integration for Jira
The Veracode Integration for Jira version 3.22.0 includes these updates:
- Removes support for basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.
- Enhances Jira logging, so that you can more easily read the logs.
- Improves the performance of importing findings from the Veracode Platform to Jira using custom fields.
January 17, 2020
Veracode Static for Visual Studio Supports Visual Studio 2019
- Veracode Static for Visual Studio version 4.0.0.1 replaces the Veracode for Visual Studio Extension. This version supports Visual Studio 2015, 2017, and 2019. In Visual Studio 2015 and 2017, the name of the top-level Veracode menu is now Veracode Static. In Visual Studio 2019, the Veracode Static menu appears under the Extensions menu.
- You are required to configure an API credentials file, which you use to provide your Veracode API ID and key credentials to Veracode Static for Visual Studio.
January 8, 2020
Updated Veracode Integration for Jira Cloud
The Veracode Integration for Jira Cloud version 3.2.0 includes these updates:
- Adds a new Veracode Integration Severity Mappings page in the Jira Cloud interface for mapping severities from the Veracode Platform to your customized priorities in Jira Cloud.
- On the Veracode Integration Field Mapping page in the Jira Cloud interface, the Veracode Platform column adds these new options:
  - A Description (overwrite) option to have the content from a selected Veracode Platform field overwrite the Description field in Jira Cloud upon import. If the selected Veracode Platform field is empty, the mapping erases the contents of the Description field in Jira Cloud.
  - An option for mapping Veracode SCA component paths.
- Removes basic authentication. Basic authentication consists of only a username and password. You must now use Veracode API ID and key authentication. Any custom integration scripts must also include HMAC signing.
Developer Training
View the list below for highlights of previous releases.
November 23, 2020
Auto-Extend for eLearning Enabled by Default
- The default setting for new Veracode eLearning course track assignments is to automatically extend when their subscription periods end.
Improved eLearning Performance
- Veracode has increased the loading speed of the My Team's Courses page in Veracode eLearning.
October 29, 2020
Improvements to eLearning
Veracode has made these improvements to eLearning:
- eLearning administrators can now assign a learner to multiple eLearning curricula.
- Veracode added seven new Secure Coding Foundation courses to learner level 1. Learners who previously completed level 1 must take the newly-added courses to complete this level. Because each level depends on the previous level, these levels show as incomplete until the learner completes them.
- The eLearning report for learners now includes a Date Started column.
- The eLearning settings have been removed from the Admin > Manage Users page. All eLearning administration actions are now available from the Admin > eLearning page. This page provides a centralized location where you can use filtering options and perform all actions on one or more learners.
- The eLearning fields have been removed from the SAML Self-Registration page.
August 29, 2020
Improvements to Security Labs
Veracode has made these improvements to Security Labs:
- Integration with the Veracode Platform. By default, if you have the Security Labs User role, Veracode automatically creates your Security Labs account in the Platform. If you have the Administrator role, you automatically have administrator permissions within Security Labs.
- New Assignment Creation wizard. When creating a new set of lab assignments on the Assign Content page, you can now get suggested lab assignments based on a focus. For example, Beginner/Intermediate/Advanced, PCI Training, Backend/Frontend, or Competition.
- New Scala labs for the OWASP Top 10. These labs use the Play framework.
June 27, 2020
Enhancements to eLearning Curriculum Creation
- Veracode has improved the user interface for creating an eLearning curriculum to make it easier for administrators to identify courses to add to a curriculum. The new user interface now includes the length and description of each course. When selecting courses, the administrator can also use a checkbox to make courses required.
June 2, 2020
Bulk Actions for eLearning Administrators
- Veracode eLearning administrators can now apply actions, including assigning learners to tracks or curricula and enabling automatic track extensions, to multiple users at once. This enhancement simplifies the process of onboarding and managing eLearning users.