SCA updates
The updates on this page apply to Veracode Software Composition Analysis (SCA). Updates that apply to specific Veracode regions show a region icon.
October 16, 2024
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of .NET, Go, Python, and iOS projects.
October 4, 2024
SCA agent URL change
The default URL for the Veracode Platform backend API that the SCA agent uses to manage scans for Commercial customers has changed from https://api.sourceclear.io to https://sca-api.veracode.com. Both URLs will continue to work for the next 12 months, at which point the legacy SourceClear URL will be retired.
For more details on the configuration settings that use these URLs, see SCA agent configuration values and SCA agent environment variables.
September 12, 2024
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of Python, PHP, and iOS projects.
September 4, 2024
SBOM scanning enhancement
Veracode has added support for scanning SBOM files as part of SCA upload scans.
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of JavaScript projects.
August 27, 2024
SBOM scanning enhancement
Veracode has added support for scanning SBOM files as part of SCA agent-based scans.
August 21, 2024
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of Java Maven projects.
August 1, 2024
Fix for agent-based scans of Yarn projects
Fixed an issue that caused SCA agent-based scans to miss transitive dependencies in Yarn 4 projects.
July 23, 2024
Improved handling of circular references
Veracode has improved how SCA upload and agent-based scans handle circular references in NPM projects.
July 16, 2024
SCA agent enhancement
Agent enhancements in preparation for future scanning of .NET projects.
July 15, 2024
Vulnerability side pane added to new SCA homepage (Beta)
You can now access vulnerability details in a side pane on the Vulnerabilities tab of the Beta version of the new SCA homepage.
July 3, 2024
SCA results data export
The SCA Results Export that you can download from the Export Data page in the Veracode Platform now contains 13 months of data instead of 24 months of data.
June 28, 2024
SCA agent enhancement
Agent enhancements in preparation for future scanning of .NET projects.
June 25, 2024
Vulnerable method support for Java 21, 22, and 23
Veracode SCA agent-based scanning now supports vulnerable method analysis for Java versions 21, 22, and 23.
June 24, 2024
New component metrics added to SCA agent results
If an SCA agent-based scan detects a component from a GitHub repository, the CLI summary and the JSON file now include metrics about that repository. Metrics include the number of commits, how long the repository has been stagnant, and more.
June 11, 2024
New Component Activity API
Veracode has released a new API to help you understand the health of your components. You can submit library coordinates, and if the library comes from a GitHub repository, the API retrieves metrics about that repository. Metrics include the number of commits, how long the repository has been stagnant, and more. The SCA Component Activity API specification is available on SwaggerHub for more details.
May 30, 2024
Vulnerabilities and Licenses tabs added to new SCA homepage (Beta)
You can now see all vulnerabilities from scans performed after March 27, 2024 on the Vulnerabilities tab of the Beta version of the new SCA homepage. This tab also includes exploitability information from EPSS, KEV, and Exploit-DB. License risks from scans you ran after March 27, 2024 are available from the Licenses tab.
To access the Beta version of the new SCA homepage, select Scans & Analysis > Software Composition Analysis, then turn on New SCA Home (Beta).
May 28, 2024
SCA agent enhancement
Agent enhancements in preparation for future scanning of .NET projects.
May 22, 2024
SCA agent enhancement
Agent enhancements in preparation for future scanning of .NET projects.
May 15, 2024
Fix for SCA scans of NPM projects
Veracode has fixed an issue that caused some SCA upload scans, and some agent-based scans using the --quick flag, to not detect libraries in NPM projects when both the project version in the package.json file was empty and the package-lock.json file used the v3 format.
May 8, 2024
Fix for SCA agent-based scans of NPM projects
Veracode has fixed an issue that caused some SCA agent-based scans to identify libraries in NPM projects as transitive dependencies when they are both direct and transitive dependencies.
April 30, 2024
Exploitability data added to JSON file produced by SCA agent
The JSON file produced by SCA agent-based scans now includes the following exploitability data:
- Exploit Prediction Scoring System (EPSS) from FIRST
- Exploit-DB from OffSec
- Known Exploited Vulnerabilities (KEV) catalog from the Cybersecurity & Infrastructure Security Agency (CISA)
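A defender's use of these three signals, shown as an added example that is not Veracode code and does not reflect the agent's actual JSON schema: it parses a constructed document whose key names (cve, cvss, epss, kev, exploit_db) are assumptions, then orders findings so that KEV entries, followed by public exploits and high EPSS scores, take precedence over raw CVSS. The same ordering applies to the EPSS, KEV, and Exploit-DB data that the Findings API and the SCA Agent Issues APIs expose.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Finding:
    cve: str
    cvss: float                 # CVSS base score, 0..10
    epss: float                 # EPSS probability (0..1) from FIRST
    in_kev: bool                # listed in CISA's KEV catalog
    exploit_db_ids: list = field(default_factory=list)  # Exploit-DB references


def load_findings(raw_json: str):
    """Parse a constructed JSON document into Finding objects.
    ASSUMPTION: the key names below are illustrative, not the agent's schema."""
    doc = json.loads(raw_json)
    return [
        Finding(
            cve=item["cve"],
            cvss=float(item.get("cvss", 0.0)),
            epss=float(item.get("epss", 0.0)),
            in_kev=bool(item.get("kev", False)),
            exploit_db_ids=list(item.get("exploit_db", [])),
        )
        for item in doc["vulnerabilities"]
    ]


def tier(f: Finding, epss_threshold: float = 0.1) -> str:
    """Remediation tier: KEV entries are being exploited in the wild, so they
    come first regardless of CVSS; a public exploit or a high EPSS score is
    the next strongest signal; everything else is scheduled by CVSS."""
    if f.in_kev:
        return "immediate"
    if f.exploit_db_ids or f.epss >= epss_threshold:
        return "high"
    return "scheduled"


def priority_key(f: Finding):
    """Sort key: KEV first, then public exploit, then EPSS, then CVSS."""
    return (not f.in_kev, not f.exploit_db_ids, -f.epss, -f.cvss)


def triage(raw_json: str, epss_threshold: float = 0.1):
    """Return [(cve, tier), ...] in the order a defender should work them."""
    findings = sorted(load_findings(raw_json), key=priority_key)
    return [(f.cve, tier(f, epss_threshold)) for f in findings]


# Constructed sample output (CVE and Exploit-DB ids are placeholders, not real identifiers).
SAMPLE_JSON = json.dumps({"vulnerabilities": [
    {"cve": "CVE-EXAMPLE-A", "cvss": 9.8, "epss": 0.02, "kev": False},
    {"cve": "CVE-EXAMPLE-B", "cvss": 7.5, "epss": 0.60, "kev": True},
    {"cve": "CVE-EXAMPLE-C", "cvss": 5.3, "epss": 0.30, "kev": False,
     "exploit_db": ["EDB-EXAMPLE-1"]},
    {"cve": "CVE-EXAMPLE-D", "cvss": 6.1, "epss": 0.12, "kev": False},
]})

if __name__ == "__main__":
    for cve, level in triage(SAMPLE_JSON):
        print(f"{level:10} {cve}")
```

On the sample, the critical-severity entry with no evidence of exploitation drops to the bottom while a medium-severity KEV entry goes first; the 0.1 EPSS threshold is a policy choice, not a value the release note prescribes.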
April 29, 2024
SCA agent enhancement
This update includes the following improvements for SCA agent-based scans:
- Veracode proxy authentication is more reliable.
- Improved support for projects that use the version 2 format of yarn.lock.
April 24, 2024
Fixed SCA agent error
Veracode has fixed an issue that caused some agent-based scans to fail when Maven is not installed locally.
April 23, 2024
Additions to JSON file produced by SCA agent
The JSON file produced by SCA agent-based scans now includes the following enhancements:
- Includes the Common Vulnerability Scoring System (CVSS) vector string for each vulnerability
- Associates each vulnerable method with a specific vulnerability
April 17, 2024
Veracode Vulnerability Database now includes data from Exploit-DB
The Veracode Vulnerability Database now includes data from Exploit-DB. You can view this data using the SCA Agent Issues APIs and the Findings API. For more information, see Understanding SCA exploitability information.
April 16, 2024
Fix for SCA agent update advisor
Veracode has fixed an issue that caused the SCA agent update advisor to not work properly when cloning a repo with https instead of ssh.
April 11, 2024
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of iOS and .NET projects, and fixed a bug caused by libraries with no versions in Go projects.
April 3, 2024
API to scan SBOMs
Veracode has released a REST API for scanning SBOMs. You can use this API to upload and scan an SBOM to identify vulnerabilities associated with the libraries listed in the SBOM. The API can produce a new SBOM that includes results from the scan in CycloneDX or SPDX format. For more information, see SBOM Scan REST API.
April 2, 2024
Reporting changes for ‘conditional pass’ SCA findings
Even though policy status can have three possible values (pass, fail, and conditional pass), several reports and APIs with finding-level policy status fields are limited to only two possible values, such as true and false. Veracode has changed how it populates these fields for SCA upload scans to be more consistent with Static Analysis scans.
These changes only affect findings with a conditional pass status. There is no impact on how Veracode calculates the application-level policy status or how the user interface displays the finding-level policy status. For more details, review the post in the Product Announcement group in the Veracode Community.
April 1, 2024
include_metrics parameter for getWorkspaces API set to FALSE by default
The default value for the include_metrics parameter has changed from TRUE to FALSE for the getWorkspaces API. When the parameter is FALSE, the API responds more quickly but provides data only for the following fields: id, name, projects_count, and site_id. If you set the parameter to TRUE, the API also provides data for the following fields: last_scan_date, library_issues_count, vulnerability_issues_count, and total_issues_count.
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of .NET and iOS projects.
March 28, 2024
New SCA homepage (Beta)
A Beta version of the new SCA homepage is now available in the Veracode Platform. To access the new homepage, select Scans & Analysis > Software Composition Analysis. Then, turn on New SCA Home (Beta). This page is built on a new infrastructure that Veracode will use to provide unified results from SCA upload scans and SCA agent-based scans. To see all applications and workspaces that you scanned after March 27, 2024, select the Portfolio tab. To see all discovered components from scans you ran after March 27, 2024, select the Components tab.
March 27, 2024
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of .NET and iOS projects.
March 21, 2024
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of .NET and iOS projects.
March 15, 2024
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of Ruby and iOS projects.
March 5, 2024
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of iOS projects.
February 29, 2024
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of .NET, Go, Java Gradle, and Scala SBT projects.
February 27, 2024
SCA agent enhancement
Veracode added enhancements to the agent in preparation for future scanning of .NET projects.
February 8, 2024
Vulnerable methods for Go
Veracode SCA agent-based scanning now supports detecting vulnerable methods in Go projects that use Go modules as the package manager.
Gradle scanning enhancement
Veracode SCA agent-based scanning now supports scanning Gradle projects without access to the plugin on maven.apache.org. See Run an agent-based scan for Gradle for more details.
New include_metrics parameter for getWorkspaces API
Veracode has added the include_metrics parameter to the getWorkspaces API. When the parameter is TRUE, there are no changes to the issue count and other metrics that the API includes in the payload. When the parameter is FALSE, the API responds more quickly but provides data only for the following fields: id, name, projects_count, and site_id.
Through March 31st, 2024, the default value for the include_metrics parameter is TRUE. On April 1st, the default will change to FALSE. If you have automation that relies on having issue counts and other metrics, Veracode recommends you adjust the parameter in your API call before April 1st.
January 23, 2024
Maven scanning enhancement
Veracode SCA agent-based scanning now supports scanning Maven projects without access to the plugin on maven.apache.org. See Run an agent-based scan for Maven for more details.
Fix for Python scans
Veracode fixed an issue that caused an error in SCA agent-based scans of Python projects when using a newer version of pipenv.
January 5, 2024
SCA API enhancements
Veracode has fixed an issue that caused the SCA Agent Issues APIs to exclude fixed issues from the payload when the vuln_methods parameter was set to true. This fix applies to scans performed after January 5th, 2024.
Additionally, the getProjectIssues endpoint now supports all of the same parameters as the getWorkspaceIssues endpoint.
January 4, 2024
Veracode Vulnerability Database now includes exploit information
The Veracode Vulnerability Database now includes data from both the Exploit Prediction Scoring System (EPSS) and the Cybersecurity & Infrastructure Security Agency Known Exploited Vulnerabilities (KEV) catalog. To access this data, you must sign in to the Veracode Platform. For more information, see Understanding SCA exploitability information.
December 19, 2023
SCA agent enhancement
The SCA agent can now scan target directories that contain spaces when SRCCLR_NO_GIT is set to 1.
December 18, 2023
APIs now include KEV data
Veracode has added data from the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog to the SCA Agent Issues APIs and the Findings API. See Understanding SCA exploitability information for more details.
December 11, 2023
API to link projects to application profiles
Veracode has released the SCA App-Linking REST API. You can use this API to link a project for SCA agent-based scans to an application profile. The linked application profile receives all libraries, licenses, and discovered vulnerabilities from that project, along with all results from SCA Upload scans. To link a project, use the linkAppProject endpoint. To unlink a project, use the unlinkAppProject endpoint.
SCA agent enhancement
Veracode has fixed an issue that prevented the SCA agent from cleaning up local scan directories and added enhancements to the agent that will be used in the future for scanning Java projects.
December 4, 2023
SCA agent enhancement
Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.
November 21, 2023
SCA agent enhancement
Veracode has added several enhancements and fixes to the SCA agent.
November 14, 2023
SCA agent enhancement
Veracode has added enhancements to the SCA agent that will be used in the future for scanning Java projects.
November 6, 2023
API to propose and approve mitigations for SCA findings
Veracode has released the SCA Annotations REST API. This API includes the getSCAannotations endpoint to retrieve comments and mitigations applied to findings from SCA upload scans and the createSCAannotations endpoint to annotate SCA upload findings, including adding comments and proposing, accepting, and rejecting mitigations.
The SCA Annotations API specification is available on SwaggerHub.
This API is not part of the Annotations API, which works with findings from Static Analysis and Dynamic Analysis.
October 11, 2023
Exploit probability (EPSS) added to Findings API
Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the Findings REST API. See Understanding SCA exploitability information for more details.
Fixed SCA agent error
Veracode has fixed an issue that caused a null pointer exception when performing an agent-based scan on some projects.
September 27, 2023
Correction of SCA Fix By dates in sandboxes
Veracode has fixed an issue impacting the calculation of Fix By dates in sandbox scans. Previously, SCA used the scan date or the scan promotion date as the date that a component was first found, causing the Fix By date to be pushed out continuously. This fix is not retroactive and only impacts scans completed after September 27, 2023.
September 22, 2023
Assign policies to SCA agent-based scan workspaces
The new Unified Policy feature allows you to assign policies to workspaces used for SCA agent-based scans. Like the existing agent rules, you can use policies to create issues and break your build based on certain criteria. See more details about applying rules to a policy, assigning policies to agent-based workspaces, and setting default policies.
Veracode will migrate customers from agent rules to Unified Policy in batches and will retire agent rules before April 1, 2024.
August 28, 2023
Agent-based scan UI now displays CVSS v3
Because the National Vulnerability Database stopped supporting CVSS v2 in July 2022 and most users have moved to v3, the Library and Vulnerability pages of SCA's agent-based scan user interface now display CVSS v3 scores, instead of v2. You must clear the cache in your web browser to see these changes.
To also display CVSS v3 on the workspace Issue pages and the project Issue tab, you must update your agent rules to use CVSS v3.
August 16, 2023
Enhancements to SCA agent dependency graph traversal
Veracode has improved the performance of the SCA agent by optimizing how it traverses very large, deeply intertwined dependency graphs.
August 8, 2023
Exploit probability (EPSS) added to SCA Agent APIs
Veracode has added data from the Exploit Prediction Scoring System (EPSS) to the SCA Agent REST APIs. See Understanding SCA exploitability information for more details.
July 28, 2023
API to retrieve list of SCA agent projects linked to an application
Veracode has released the getApplicationProjects API to allow users to retrieve a list of SCA agent projects that are linked to a specific application. Users who have rights to call the getApplications API may also call the getApplicationProjects API.
July 21, 2023
Enhancements to .NET scanning
Veracode has added the following enhancements to SCA scanning for .NET applications:
- Reduced false positives and false negatives in SCA upload scans by adding support for deps.json and project.assets.json files.
- Enhanced SCA agent scans by adding the ability to perform --quick scans on NuGet projects.
July 11, 2023
Additional roles can call SBOM APIs
Veracode has expanded the list of roles that are allowed to call the CycloneDX Software Bill of Materials (SBOM) API and the SPDX SBOM API. See the SBOM API instructions for application profiles and agent-based projects for details.
June 28, 2023
SCA agent CLI now displays CVSS v3 severities
The Vulnerabilities section of the Summary Report that appears in your CLI after an SCA agent-based scan now displays CVSS v3 severities, instead of v2.
The Issues section still displays CVSS v2 severities by default, but you can edit the severity in your agent-based scanning rules to reflect v3. If you have not modified your rules to use CVSS v3, Veracode recommends setting up organization-level rules to avoid having to edit rules on every workspace individually.
June 20, 2023
Support for v3 format of NPM lockfiles
Veracode has added support for NPM lockfile format version 3. See Run an Agent-Based Scan for NPM or JavaScript and TypeScript Packaging for details.
May 15, 2023
Fixed agent error for Yarn scans
Veracode has fixed an issue causing SCA agent-based scans of Yarn projects to erroneously fail.
May 9, 2023
Upgraded JRE for SCA agent
Veracode has upgraded the Java Runtime Environment (JRE) for the SCA agent from version 11 to 17.
Added GNU Privacy Guard to SCA agent downloads
Veracode has added GNU Privacy Guard (GPG) signature files to all SCA agent downloads to verify you are downloading a valid version.
May 3, 2023
Fixed scope parameter for NPM scans
Veracode has resolved an issue impacting the scope parameter for SCA agent-based scans of NPM projects.
April 14, 2023
SCA agent enhancements
Veracode has added the following enhancements to the SCA agent:
- Support for Gradle version 8.
- The default scope for scans of NPM projects is now production dependencies instead of all dependencies.
Temporarily ignore issues from agent-based scans
You can now specify a date for Veracode to stop ignoring issues from SCA agent-based scans.
April 6, 2023
Enhancements to Go scanning
Veracode has added the following enhancements to SCA scanning for Go projects:
- Reduced false positives.
- Reduced false negatives.
- Increased scan speed.
- Fixed an issue that removed component names when agent-based scan results were linked to an application.
- Fixed an issue that caused indirect dependencies to appear in agent-based scan results as direct libraries instead of transitive libraries.
April 4, 2023
Enhanced SCA agent support for Java 17 features
Veracode SCA has improved agent-based scan support for projects that contain Java 17 features.
April 3, 2023
NVD severity ratings for SCA upload scans
Veracode Software Composition Analysis (SCA) upload scans now support displaying updated severity ratings that more closely match the National Vulnerability Database (NVD) severity ratings. To enable this feature for your account, contact Veracode Technical Support.
March 16, 2023
New mitigation type available for SCA upload scans
You can now choose to accept the risk of specific vulnerabilities and licenses as part of your mitigation process for Veracode SCA upload scans. This mitigation type is already available for Veracode Static Analysis and Dynamic Analysis.
February 3, 2023
Region flag for agent-based scans
Veracode SCA agent-based scans now provide a region flag that you can use to configure accounts in the European Region and United States Federal Region.
February 2, 2023
JRE upgrade for SCA agent
Veracode has upgraded the Java Runtime Environment (JRE) that is bundled with the Software Composition Analysis (SCA) agent.
January 13, 2023
Improved SCA support for Python 3
Veracode Software Composition Analysis (SCA) agent-based scans now more effectively locate local Python 3 installations.
December 21, 2022
Generate SBOM in SPDX format
You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) in SPDX JSON format from the results of your Veracode SCA upload scans.
December 14, 2022
SCA support for Android
Veracode Software Composition Analysis (SCA) now supports scanning Android projects. This support includes AAR files for agent-based scans and APK and AAB files for upload scans.
September 15, 2022
SCA support for Go aliases
Veracode Software Composition Analysis (SCA) now supports aliases in Go projects. This support includes agent-based and upload scans.
Vulnerable method support for Java 17
Veracode SCA agent-based scanning now supports vulnerable method analysis for Java 17.
August 22, 2022
Set SCM URI as project name
You can now set the source code management (SCM) URI as your project name using the --uri-as-name option in your Veracode SCA agent-based scans.
July 22, 2022
SBOM API support for SCA agent-based scans linked to application profiles
You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans that you have linked to an application profile. The API generates an SBOM in CycloneDX JSON format.
June 6, 2022
Generate SBOMs for SCA agent-based scans with the REST API
You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA agent-based scans. The API generates an SBOM in CycloneDX JSON format.
May 9, 2022
SBOM API support for promoted sandbox scans
You can now generate a software bill of materials (SBOM) for Veracode SCA upload scans that have been promoted from sandbox to policy scans. The Veracode SCA Agent REST API includes promoted sandbox scan results when it returns a CycloneDX SBOM for an application.
SCA upload and scan table update
Veracode has removed the Number of Known Vulnerabilities by Severity column from the Applications table on the Upload and Scan page in the Veracode Platform. This update significantly reduces load times for the page. You can still view the number of known vulnerabilities by severity for each application in the application profile.
April 26, 2022
Generate SBOMs for SCA upload scans with the REST API
You can now use the Veracode SCA Agent REST API to create a software bill of materials (SBOM) from the results of your Veracode SCA upload scans. The API generates an SBOM in CycloneDX JSON format.
January 20, 2022
JSON output for agent-based scans includes CVSS v3 score
Veracode Software Composition Analysis (SCA) now provides the CVSS version 3 score in the JSON CLI output of your agent-based scan results. To use this feature, you must upgrade your Veracode SCA agent to version 3.7.77 or later.
October 20, 2021
Veracode European Region now available
The Veracode European Region is now available for new customers. This region, which initially supports Veracode Static Analysis and Veracode Software Composition Analysis, provides European data residency for Veracode customers.