Static Analysis updates
The updates on this page apply to Veracode Static Application Security Testing (SAST). Updates that apply to specific Veracode regions show a region icon.
For language support specific to Veracode Pipeline Scan, see Pipeline Scan Supported Languages.
April 24, 2025
Updated language and framework support
.NET
- Improved CWE-117 flaw detection to reduce false positives
- Enhanced detection of SQL injection vulnerabilities
Android
- Improved detection of third-party libraries
Apex
- Improved scan performance
Go
- Enhanced analysis of slices and maps packages
iOS
- Improved CWE-201 flaw detection to reduce false positives
Java
- Added support for JDK 24
- Improved cleanser detection for CWE-117
JavaScript and TypeScript
- Added support for Angular 19
- Enhanced support for Angular 18
- Added support for Azure Functions v4
- Improved CWE-918 flaw detection
Kotlin
- Enhanced support for Kotlin 2.0
PL/SQL
- Improved scan performance
T-SQL
- Improved parsing of T-SQL code
VB6
- Improved scan performance
Other languages
- Improved detection of CWE-259 and CWE-798 flaws across all languages to reduce false positives
March 27, 2025
Updated language and framework support
.NET
- Enhanced support for .NET 9
- Improved detection of CWE-89 flaws
Apex
- Added support for Apex 61 and 62
COBOL
- Improved parsing of COBOL code
Dart and Flutter
- Added support for Dart 3.7 and Flutter 3.29
Go
- Added support for Go 1.24
Java
- Improved detection of CWE-942 flaws
- Enhanced detection of third-party code
JavaScript and TypeScript
- Enhanced detection of third-party code
Python
- Improved detection of hardcoded passwords and credentials (CWE-259 and CWE-798)
PL/SQL
- Improved parsing of PL/SQL code
T-SQL
- Improved parsing of T-SQL code
Other languages
- Improved detection of CWE-259 and CWE-798 flaws across all languages, reducing false positives
February 27, 2025
Updated language and framework support
C/C++
- Improved flaw detection for exported functions.
iOS
- Improved detection accuracy for taint-based flaws.
JavaScript
- Enhanced support for Angular 18.
PL/SQL
- Enhanced flaw detection for out-of-scope code, reducing false positives.
- Improved detection of flaws in variables initialized with a taint source, which might increase the number of reported flaws.
- Enhanced SQL injection detection.
Ruby on Rails
- Added support for Rails 3.4 and Rails 8.
Other languages
- Improved detection for CWE-259 and CWE-798 flaws, reducing false positives across all languages.
- Enhanced flaw descriptions and remediation details for CWE-284 and CWE-115.
- Updated CWE Top 25 to the 2024 version, impacting all policies with Auto-Update CWE Top 25 as a requirement.
January 27, 2025
Updated language and framework support
.NET
- Improved CWE-1174 flaw detection resulting in a reduction in false positives
Dart and Flutter
- Dart 3.6 and Flutter 3.27 support
Java
- Improved third-party code detection
- Improved cleanser detection for CWE-117
JavaScript and TypeScript
- Improved CWE-80 flaw detection
- Improved third-party code detection
PHP
- Enhanced overall flaw detection for PHP, which may lead to an increase in the number of reported flaws
PL/SQL
- Improved parsing for PL/SQL
T-SQL
- Improved SQL injection detection
- Improved parsing for T-SQL
Other languages
- Improved CWE-259 and 798 flaw detection, resulting in a reduction in false positives for all languages
December 17, 2024
Updated language and framework support
.NET
- .NET 8 MAUI support
Go
- Cobra support
iOS
- Enhanced support for iOS 18
- Improved mobile behavioral detection for iOS 18
- Improved Foundation framework support for iOS 18
- Improved HealthKit framework support for iOS 18
- Improved Swift Memory Management support for iOS 18
Java
- Improved third-party code detection
JavaScript
- Added NestJS 10.3.x support
November 21, 2024
Updated language and framework support
.NET
- Initial support for .NET 9
Go
- Go 1.23 support
iOS
- Improved Contacts framework support
T-SQL
- Improved scan performance
October 31, 2024
Updated language and framework support
.NET
- Improved third-party detection
Java
- Added JDK 23 support
- Improved Spring Security 5 and 6 support
- Improved CWE-352 flaw detection
- Improved CWE-80 flaw detection resulting in a reduction in false positives
- Improved third-party detection
JavaScript
- Improved CWE-80 and CWE-601 flaw detection resulting in a reduction in false positives
- Improved third-party detection
September 26, 2024
Updated language and framework support
.NET
- Improved cleanser detection for CWE-113
Android
- Initial support for Android 15
Go
- Enhanced Go AWS Lambda package support
iOS
- Enhanced support for iOS 17
- Improved CWE-259 and 798 flaw detection, resulting in a reduction in false positives
Java
- Improved handling of detected third-party class files in Uber JAR applications and third-party JAR files in WAR, EAR, and Spring Boot applications. As a result, analysis is more concise, improving both scan performance and the accuracy of findings
- Improved CWE-73 and 327 flaw detection
- Improved third-party detection
PHP
- Added Laravel Blade and Views support
PL/SQL
- Improved SQL parsing support
Ruby on Rails
- Rails 7.2 support
T-SQL
- Improved SQL parsing support
Other languages
- Improved CWE-259 and 798 flaw detection, resulting in a reduction in false positives for all languages
September 16, 2024
Updated language and framework support
iOS
- Initial support for iOS 18
Scan results for any iOS applications built with Xcode versions older than Xcode 15.3 may be degraded. Veracode recommends that iOS applications be built with Xcode 15.3 or later for best results.
September 13, 2024
Updated language and framework support
iOS
Veracode has released version 0.5.0 of Gen IR, the iOS packaging tool, to GitHub and Homebrew. It includes the following new features and improvements:
- Added PIFSupport library that integrates the Project Interchange Format (PIF) into Gen IR. This new library allows Veracode to better interact with project models from Xcode and SPM, offering a more structured and publicly documented alternative to PBXProject. With this change, Veracode can now discover and decode the PIF cache, which allows Gen IR to better parse and reason about complex project structures and dependencies between targets in a project. Benefits of this change include:
  - Simplified project parsing: PIF's structure is easier to consume and more robust.
  - Enhanced compatibility: improved handling of dependencies and other existing issues.
  - Future-proofing: aligns with modern development tools and workflows in Xcode and SwiftPM.
- Support for projects built or generated with Xcode 16.
If you need to downgrade to the previous version, use a new Homebrew formula:
- If you already have Gen IR installed:
brew install [email protected]
- If you do not have Gen IR installed:
brew install [email protected]
To upgrade your installed Gen IR to the new version, run brew update && brew upgrade
August 26, 2024
Updated language and framework support
.NET
- Improved CWE-316 flaw detection, resulting in a reduction in false positives
Apex
- Enhanced Apex 60 support
- Improved CWE-274 detection
Dart and Flutter
- Dart 3.5 and Flutter 3.24 support
Go
- Go AWS Lambda package support
iOS
- Improved CWE-297 detection in Swift applications
- Improved CWE-323 support for iOS 17 APIs
- Improved third-party detection for NuGet repositories
Java
- Improved third-party detection for Maven repositories
- Improved CWE-259 and 798 flaw detection for Spring Boot applications, resulting in a reduction in false positives
- Improved SQL injection detection
JavaScript
- Angular 17 support
Kotlin
- Kotlin 2.0 support
Scala
- Enhanced Scala 3.4 support
Other languages
- Improved CWE-259 and 798 flaw detection, resulting in a reduction in false positives for all languages
Sept. 20, 2024
Updated Pipeline Scan language support
Pipeline Scan now supports Apex.
Aug. 8, 2024
Updated Pipeline Scan language support
Pipeline Scan now supports COBOL.
July 31, 2024
Improved prescan performance
The Static Analysis prescan processor is updated to improve performance. This update has no impact on your scan results and requires no user action.
July 25, 2024
Updated language and framework support
.NET
- Improved CWE-327 flaw detection
Apex
- Added CWE-274 support for Apex
C/C++
- Improved third-party detection for C/C++
iOS
- Improved CWE-252 and 321 support for iOS 17 APIs
Java
- Skip annotation if every data path has a corresponding cleanser
Python
- Improved flaw detection for Python Lambda
T-SQL
- Improved parsing for T-SQL
July 2, 2024
Updated Pipeline Scan language support
Pipeline Scan now supports iOS.
June 27, 2024
Updated language and framework support
.NET
- Improved CWE-117 and 1174 flaw detection for .NET resulting in a reduction in false positives
Apex
- Improved parsing for Apex
C/C++
- Added Visual Studio 2022 MSVC 14.4x compiler support
- Improved scan performance for C/C++ Linux
COBOL
- Improved parsing for COBOL
- Improved CWE-248 flaw detection for COBOL resulting in a reduction in false positives
Dart and Flutter
- Dart 3.4 and Flutter 3.22 support
iOS
- Improved CWE-201 support for iOS 17 APIs
- Improved third-party detection for iOS resulting in a reduction in false positives
Java
- Improved line number detection for flaws
JavaScript
- Added Next.js 14.x support
- Improved parsing for TypeScript
Ruby on Rails
- Ruby 3.3 and Rails 7.1 support
Other languages
- Improved CWE-201 support for iOS 17 APIs
- Improved CWE-331 support for Android
- Improved CWE-259 and 798 flaw detection for all languages resulting in a reduction in false positives
- Removed CGI-only restriction for Perl
- Improved CWE-80 flaw detection for PHP
- Improved parsing for T-SQL
- Improved CWE-259 flaw detection for Python resulting in a reduction in false positives
May 23, 2024
Updated language and framework support
.NET
- Improved CWE-73, 259, and 798 detection
- Improved third-party detection
- Improved SQL injection detection
Apex
- Apex 57, 58, 59, and 60 support
COBOL
- Stratus VOS COBOL support
Java
- Enhanced JDK 21 and 22 support
- Improved cleanser detection for CWE-78
- Improved CWE-259, 798, and 916 flaw detection resulting in a reduction in false positives
- Improved third-party detection for Maven repositories
Scala
- Scala 3.4 support
Other languages
- Improved CWE-259 and 798 detection for all languages
- Improved CWE-89 detection for T-SQL
- Improved CWE-259, 319, and mobile behavioral scan support for iOS 17 APIs
- Improved parsing for T-SQL
- Improved CWE-80 flaw detection for TypeScript resulting in a reduction in false positives
- Improved SQL injection detection for Python
April 25, 2024
Updated language and framework support
.NET
- Improved third-party detection
COBOL
- You must now submit all COBOL files as separate files in a single archive. Veracode no longer supports uploading individual COBOL files outside of an archive.
C/C++
- GCC 12 and 13 (RHEL 9) support
- openSUSE Leap version 15 support
- Improved CWE-121 and 454 detection
Dart and Flutter
- Dart 3.3 and Flutter 3.19 support
Java
- JDK 22 support
- Improved CWE-259 and 798 flaw detection for Spring Boot applications, resulting in a reduction in false positives
- Improved Generic modeling, which impacts all CWEs
JavaScript
- JavaScript cleansers for CWE-80, 93, 113, and 117
- Improved CWE-73 detection, resulting in a reduction in false positives
PHP
- PHP 8.2 and 8.3 support
Other languages
- Improved CWE-259 and 798 flaw detection, resulting in a reduction in false positives for all languages
- Improved CWE-416 detection in iOS
- Improved third-party detection in Android
March 28, 2024
Updated language and framework support
.NET
- Improved CWE-1174 flaw detection resulting in a reduction in false positives
Android
- Enhanced Android 14 support
Apex
- Improved CWE-80 flaw detection resulting in a reduction in false positives
C/C++
- Improved CWE-190 flaw detection resulting in a reduction in false positives
- CentOS/RHEL 9 (x64) support
COBOL
- Improved parsing for COBOL
Go
- Go 1.22 support
Java
- Improved CWE-259 flaw detection for Java
- Improved processing of shaded JAR files
JavaScript
- Improved processing of large JS files
Kotlin
- Improved source file name parsing for Kotlin results
PL/SQL
- Improved scan times for PL/SQL
Python
- Improved CWE-80 handling for Python resulting in a reduction in false positives
React Native
- Improved React Native handling of IPA files
T-SQL
- Improved CWE-89 detection for T-SQL resulting in a reduction in false positives
March 12, 2024
Updated Pipeline Scan language support
Pipeline Scan now supports Ruby on Rails.
February 22, 2024
Updated language and framework support
.NET
- Enhanced .NET 8 support
- Improved support for CultureInfo.InvariantCulture
- Improved CWE-78 flaw detection
- Improved CWE-117 flaw detection resulting in a reduction in false positives
C/C++
- Improved CWE-121 flaw detection resulting in a reduction in false positives
- Improved CWE-125, 129, 134, 170, 190, 191, 195, and 196 flaw detection
- Improved CWE-477 flaw detection
COBOL
- Improved flaw analysis for CWE-78, 89, 114, 201, 209, 242, 248, 252, 489, and 798
- Improved parsing for COBOL
- Improved scan performance for COBOL
- Improved scan size calculations
Java
- Improved CWE-80 fix detection with modern Spring Framework versions
- Improved generic modeling and modeling of Spring Framework applications, which impacts all CWEs
- Improved CWE-916 detection
- Improved Java third-party detection
JavaScript and TypeScript
- Improved analysis for numeric and boolean datatypes, which impacts all CWEs
- Improved type detection to prevent false positives for CWE-601 and all other CWEs
- Detect and ignore webpack-generated files that are concatenated or minified
- Improved support for fs/promises, which impacts all CWEs
Other languages
- Improved CWE-259 and 798 flaw detection resulting in a reduction in false positives for all languages
- Improved analysis of conditionals for all languages
- Improved CWE-89 flaw detection for Classic ASP
- Improved support for error_log, which impacts CWE-73, 88, 93, and 117 for PHP
January 25, 2024
Updated language and framework support
.NET
- Improved third-party detection
- Enhanced .NET 8 support
- Improved CWE-80, 89, 404, 501, and 1174 detection
Java
- Improved flaw detection
- Improved third-party detection
- Improved CWE-117, 327, and 749 detection
- Added ‘jsi’ filetype support
C/C++
- Improved flaw detection
- Added openSUSE (x86) version 12 support
- Improved CWE-121 and 190 detection
Dart
- Improved flaw detection
- Improved third-party detection
- Improved CWE-331 detection
Other languages
- Improved Android third-party detection
- Improved JavaScript flaw detection
- Updated JavaScript third-party detection
- Improved CWE-99 and 918 detection for Python
- Improved CWE-259, 798 detection for PHP
- Improved CWE-252, 259, 311, 522, 614, and 798 detection in iOS
- Improved CWE-321 detection for all languages
- Added CWE-639 support for COBOL
January 18, 2024
The Veracode CLI now supports auto-packaging for Veracode Static Analysis
The Veracode CLI now supports Static Analysis auto-packaging for Java, JavaScript, and Python. The package command removes manual packaging steps to streamline your application security tests.
Previous updates
2023 updates
December 27, 2023
New COBOL scanner for Static Analysis
The new COBOL scanner for Veracode Static Analysis includes advanced pattern recognition and static analysis techniques, allowing for more accurate and efficient detection of security vulnerabilities in COBOL code.
The improved detection may result in the identification of additional vulnerabilities and potential threats. The updates may also impact flaw matching for your applications. If you need help resolving these changes, contact Veracode Technical Support.
All COBOL scans now use the upgraded scanner.
More details are available in the Veracode Community.
December 14, 2023
Updated language and framework support
- Added .NET 8 initial support
- Added JavaScript / ECMAScript 2023 (ES14) support
- Added Config support from AWS SDK for Go
- Enhanced Android 13 support
- Enhanced Node.js v20 support
- Added Dart 3.2 and Flutter 3.16 support
- Improved CWE-327 (Use of Broken or Risky Cryptographic Algorithm) and CWE-352 (Cross-Site Request Forgery (CSRF)) detection for Ruby on Rails
- Improved CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) detection for .NET
- Improved CWE-352 (Unchecked Return Value) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) detection for .NET
- Improved accuracy of modeling Python method calls resulting in a reduction in false positives
- Improved CWE-926 (Improper Export of Android Application Components) detection for Android
- Improved CWE-321 (Use of Hard-coded Cryptographic Key) detection for all languages
- Improved CWE-331 (Insufficient Entropy) detection for Java
- Improved CWE-601 (URL Redirection to Untrusted Site ('Open Redirect')) detection for PHP
- Improved parsing for PL/SQL
- Improved Python jsonify cleanser support for flaw class CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Improved support for JavaScript crypto APIs
- Improved iOS detection of CWE-252 (Unchecked Return Value)
- Improved support for JavaScript Axios library
- Improved .NET third-party detection
- Improved mixed-Java/Kotlin analysis
- Improved Java third-party detection
- Improved Android version detection
- Improved CWE-326 (Inadequate Encryption Strength) accuracy in .NET
- Improved accuracy for CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials)
- Added detection of CWE-489 (Active Debug Code) in Go
- Improved analysis of JavaScript listeners
November 15, 2023
Updated language and framework support
- Added Javax to Jakarta transition support
- Added support for Java Records
- Added Spring Boot 3 support
- Added Spring Security 6 support
- Added Spring Core 6 support
- Added Android 14 Initial support
- Added KMS support for AWS SDK for Go
- Improved flaw detection for Dart apps
- Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) detection for all languages
- Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation), CWE-352 (Cross-Site Request Forgery), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) detection for .NET
- Improved third-party detection for Android, C/C++, Dart, and JavaScript
- Improved CWE-73 (External Control of File Name or Path) detection for Java
- Improved third-party detection in Java WAR files
- Improved CWE-252 (Unchecked Return Value), CWE-201 (Insertion of Sensitive Information Into Sent Data), and CWE-297 (Improper Validation of Certificate with Host Mismatch) detection for iOS
- No longer report MemoryStream for CWE-404 in .NET
- Improved detection for unsupported mobile applications
October 26, 2023
Updated language and framework support
- Added Dart 3.1 and Flutter 3.13 support
- Added JDK 21 (LTS) support
- Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) detection for Kotlin
- Improved .NET analysis to ignore .NET ClickOnce “.deploy” files
- Improved third-party detection for Java, JavaScript, PHP, iOS, PL/SQL and C++
- Improved parsing for PL/SQL
- Improved CWE-798 (Use of Hard-coded Credentials) detection for PHP
- Enhanced Python analysis to treat modules consisting of all third-party code as first-party modules
- Improved Groovy analysis of objects
- Improved CWE-252 (Unchecked Return Value) detection for iOS
- Improved JavaScript analysis of objects
- Improved analysis of iOS apps to reduce CWE-284 (Improper Access Control) false positives
- Improved CWE-693 (Protection Mechanism Failure), CWE-926 (Improper Export of Android Application Components), CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-798 (Use of Hard-coded Credentials) detection for Android
October 2, 2023
Updated language and framework support
- Added iOS 17 initial support
- Added Go 1.21 support
- Added PHP Laravel 10 support
- Added .NET Minimal API support
- Enhanced .NET 7 support
- Enhanced Groovy 3 support
- Enhanced AWS SDK for Go support
- Enhanced Android 13 support
- Improved third-party detection for JavaScript
- Improved CWE-80 detection for Vue.js
- Improved CWE-259 detection for all languages
- Improved CWE-89 detection for Transact-SQL
- Improved third-party detection for C++
- Improved symmetric-key parsing rules for Transact-SQL
- Improved attribute idiomatic transformation support for Jakarta
- Improved CWE-693 detection for Android
- Improved scan performance for Micronaut framework
- Improved Node.js modeling to reduce false positives
- Improved handling of explicitly typed generic function calls in Go
- Improved data path quality for JavaScript
- Improved reporting of CWE-352 and CWE-915 in .NET to consolidate flaws reported on the same line and file as separate flaws into one flaw
- Added CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key) detection for .NET applications
Deprecated support for some .NET cleansing functions
Veracode has deprecated support of .NET cleansers for the following functions for flaw classes CWE-93, CWE-113, and CWE-117:
- antixsslibrary.dll : Microsoft.Security.Application.AntiXss.HtmlAttributeEncode
- antixsslibrary.dll : Microsoft.Security.Application.AntiXssEncoder.HtmlAttributeEncode
- antixsslibrary.dll : Microsoft.Security.Application.Encoder.HtmlAttributeEncode
- antixsslibrary.dll : Microsoft.Security.Application.Encoder.HtmlEncode
- mscorlib.dll : System.Security.SecurityElement.Escape
- system.dll : System.Net.WebUtility.HtmlEncode
- system.web.dll : System.Web.HttpServerUtility.HtmlEncode
- system.web.dll : System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode
- system.web.dll : System.Web.Util.HttpEncoder.HtmlAttributeEncode
- system.web.dll : System.Web.Util.HttpEncoder.HtmlEncode
- system.web.mvc.dll : System.Web.Mvc.HtmlHelper.AttributeEncode
- system.web.mvc.dll : System.Web.Mvc.HtmlHelper.Encode
- system.windows.browser.dll : System.Windows.Browser.HttpUtility.HtmlEncode
- system.windows.dll : System.Net.HttpUtility.HtmlEncode
- System.Runtime.dll : System.Net.WebUtility.HtmlEncode
These cleansing functions are insufficient for addressing their targeted flaw classes and better alternatives are available.
For more details on why Veracode deprecated support for these functions and how to protect your applications against CRLF injection attacks, see the Veracode Community.
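The following is an added example, not Veracode's code and not documentation of the listed functions. It shows why an HTML encoder is not a cleanser for these flaw classes: System.Net.WebUtility.HtmlEncode (one of the deprecated functions above) neutralizes markup characters but leaves carriage return and line feed untouched, so the encoded value can still terminate an HTTP header (CWE-113) or forge an extra log entry (CWE-117). The StripControlChars helper and the sample input are assumptions made for the demonstration, not functions or values Veracode names.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example (not Veracode's code): why HtmlEncode-style functions are not
// cleansers for CWE-93, CWE-113 and CWE-117. HTML encoding rewrites characters
// such as <, >, &, " and ', but CR (0x0D) and LF (0x0A) pass through unchanged.
public static class CrlfCleanserDemo
{
    // The deprecated approach: HTML-encode and treat the result as safe for any sink.
    public static string HtmlEncodeOnly(string untrusted)
    {
        return WebUtility.HtmlEncode(untrusted);
    }

    // A context-appropriate cleanser for header and log sinks (an assumed helper,
    // not a Veracode-recommended function): remove CR, LF and all other ASCII
    // control characters before the value reaches the sink.
    public static string StripControlChars(string untrusted)
    {
        return Regex.Replace(untrusted, @"[\x00-\x1F\x7F]", string.Empty);
    }

    // True when a value could still end a header or a log line.
    public static bool ContainsLineBreak(string value)
    {
        return value.IndexOfAny(new[] { '\r', '\n' }) >= 0;
    }

    public static void Main()
    {
        // Constructed sample input: a request parameter value that carries an
        // embedded CRLF, which is the shape both CWE-113 and CWE-117 depend on.
        string untrusted = "en-US\r\nX-Injected: 1";

        string encoded = HtmlEncodeOnly(untrusted);
        string cleansed = StripControlChars(untrusted);

        // The HTML-encoded value still contains the line break, so a scanner is
        // right not to treat HtmlEncode as a cleanser for header or log sinks.
        Console.WriteLine("HtmlEncode output still has a line break: " + ContainsLineBreak(encoded));
        Console.WriteLine("Control-character strip still has a line break: " + ContainsLineBreak(cleansed));
        Console.WriteLine("Cleansed value: " + cleansed);
    }
}
```

The check to carry over to your own code is the sink context, not the encoder name: HTML encoding is the right cleanser for an HTML body, while a header or log sink needs CR and LF removed or rejected before the write.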
September 11, 2023
Fixed bug causing false positives for CWE-798
In last month’s release, Veracode added improved support for CWE-798 (Use of Hard-coded Credentials) detection. However, a bug in the pattern matching caused a significant number of false positives for some users. Veracode has resolved this issue and the improvement should result in significantly fewer CWE-798 false positives.
August 23, 2023
Updated language and framework support
- Added Kotlin 1.9 support
- Added TypeScript 5.x support
- Added GCC 12 (RHEL 8) support
- Improved CWE-1174 (ASP.NET Misconfiguration: Improper Model Validation) detection on controller-derived classes
- Improved support for JavaScript URLSearchParams API
- Improved support for Spring produces annotation attribute
- Improved third-party detection for JavaScript
- Improved third-party detection for Android
- Improved third-party detection for Java
- Improved hardcoded password/credential detection (CWE-259 and 798)
- Improved .NET CWE-80 basic XSS detection
- Improved JavaScript detection of document elements
- Improved performance for Vue applications
- Improved .NET Entity Framework support
- Added ability to allow third-party PHP software if the entire upload is third-party
- Improved detection of Java CWE-611 XXE
- Improved support for Python Django views
July 25, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has added support for Quarkus, a Kubernetes-native Java stack tailored for OpenJDK HotSpot and GraalVM.
Veracode has improved static analysis by adding support for these new versions of supported technologies:
Improved Detection of CWE-259 and CWE-798
Improvements to the detection methods Veracode uses to identify CWE-259 (Use of Hard-coded Password), and CWE-798 (Use of Hard-coded Credentials) vulnerabilities should reduce the number of false positives during static analysis. Improved CWE-259 coverage for Python language submissions.
June 22, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has added support for Micronaut 3.8.x, which is a JVM-based framework you use to build lightweight, modular applications.
Veracode has improved static analysis by enhancing support for Android 12.
Veracode has improved static analysis by adding support for these new versions of supported technologies:
Improved CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials) Detection
Improvements to the detection methods utilized to identify CWE-259 and CWE-798 vulnerabilities should reduce the number of false positives found during static analysis.
Additional CWE-693 Coverage for Android
Veracode has added an additional CWE-693 (Protection Mechanism Failure) check for Android applications to ensure that the Play Integrity API is used appropriately.
May 23, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
Improved CWE-89 Coverage for Java and JavaScript/TypeScript
The improved coverage increases the number of potential CWE-89 flaws that Veracode discovers in Java and JavaScript/TypeScript applications, which might affect your scan results.
Added CWE-451 Coverage for Android
Veracode has added CWE-451 (Tapjacking) coverage for Android applications.
May 18, 2023
Pipeline Scan Adds Support for Module Selection
Pipeline Scan adds a new --include parameter. You use this parameter to specify the top-level modules to include during scanning. The scan results now show both the modules that Veracode identified during prescan and the modules included in the scan.
This update is available with Veracode CLI version 23.4.3-0 and Veracode Docker image version 23.4.3.
April 27, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
- Support for JDK 20
- Enhanced support for .NET 7
- Enhanced support for Python SQLAlchemy
- Enhanced support for React Native 0.7x
- Support for AWS SDK for Go v2
Improved Static Analysis for Python Language Submissions
Static analysis of Python applications inaccurately reports certain CWE-918 (Server-Side Request Forgery (SSRF)) flaws as CWE-201 (Insertion of Sensitive Information Into Sent Data) flaws. This update recategorizes these incorrectly reported flaws as CWE-918. This update might impact existing flaw matching and you might need to apply new mitigations to these flaws.
After you apply this update, any Python applications that contain CWE-201 flaws and have any of the following policy requirements might fail your security policy:
- Security Standard rule for Auto-Update CWE Top 25
- Findings by Severity rule for Medium or higher
- Minimum Scan Score rule
March 23, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
- Support for Vue 3.x
- Support for React Native 0.7x
- Enhanced support for Python Flask 2.x
Improved Static Analysis for WebMethodAttribute use in ASP.NET Classic
Veracode has improved static analysis for WebMethodAttribute use in ASP.NET Classic (non-MVC and non-MVC Core) WebForms and WebServices. This affects the flaws found and the associated policy results for customers by reducing the number of false positives.
February 23, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
- Support for Go 1.20
- Support for Angular 14 & 15
- Support for React 18
- Support for Dart 2.17, 2.18, 2.19 and Flutter 3.0, 3.3, 3.7
Improved COBOL Parser Error Handling
Veracode no longer reports parser errors in standalone copybook files that COBOL files do not include. These files are not relevant for security scanning unless COBOL files reference them.
January 26, 2023
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
- Initial Support for .NET 7
Veracode has improved static analysis by adding support for:
- Server-side request forgery (SSRF) reporting for JavaScript
Veracode has released a new version of our new iOS packaging tool:
- Gen IR version 0.2.1: gen-ir
2022 updates
December 15, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these new versions of supported technologies:
- Support for Node.js 18
- Support for PHP Laravel 6-9
- Initial Support for Kotlin 1.7
- Initial Support for Android 13
- Support for Python Flask 2.x
- Support for Go 1.18-1.19
- Support for React Native 0.67
Veracode improved static analysis by adding support for these new languages and frameworks:
- Support for Dart and Flutter
- Support for .NET MAUI
Veracode has improved static analysis by adding a new iOS packaging tool to support Xcode 14 without the Enable_Bitcode setting:
- New iOS packaging tool: gen-ir
- Updated documentation: iOS and tvOS Application Packaging
November 17, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these languages and frameworks:
- Support for JDK 19
- Support for Azure Functions v4 for .NET
October 27, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these languages and frameworks:
- Support for Visual C++ 14.3.x for Visual Studio 2022
- Support for Azure Functions for Python
October 19, 2022
New Packaging Guidance Tool
You can use the new Veracode Packaging Cheat Sheet to generate language-specific packaging guidance for Static Analysis.
October 4, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode improved static analysis by adding support for these languages and frameworks:
- Support for JDK 18
- Full support for .NET 6
- Initial support for iOS 16
- Enhanced support for Golang Gorilla
- Enhanced support for React and React Router
August 25, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Full support for PHP Symfony 5.x
- Initial support for PHP Symfony 6.x
- Support for PL/SQL for Oracle 19c and 21c
August 1, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Initial support for Rails 7.0 and Ruby 3.x
- Full support for iOS 15
- Initial support for PHP Symfony
June 24, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Initial support of Ruby on Rails 6.1
April 28, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Initial support of PHP 8 and 8.1
- Support of Python Flask 1.1
March 28, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Support for Django 3.x
- Support for Android Jetpack
- Support for Go Gin-Gonic
- Support of Azure DevOps functions for JavaScript and TypeScript
February 24, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Full support of Xamarin platform versions and Xamarin.Essentials namespace
- Initial support of Azure Functions for Java
Veracode has improved static analysis by adding support for these new versions:
- Full support of Go 1.17
- Initial support of Angular 13
- Initial support of GCC 11
- Initial support of PHP 7.4
February 3, 2022
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding:
- Full support of Android 11
Veracode has improved static analysis by adding support for these new versions:
- Initial support of Kotlin 1.5
- Initial support of Kotlin 1.6
Veracode Static Analysis Improvements
Veracode has improved accuracy of hard-coded Passwords. You can expect:
- Fewer false positives where local files are in known valid locations
- Better identification of sensitive variable names
Veracode has improved modeling for TypeScript support. You can expect:
- Fewer false positives, and more true positives in TypeScript applications where type information is specified.
2021 updates
December 20, 2021
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding support for:
- Azure Functions used in .NET
- Thymeleaf templates for Spring Boot
Veracode has improved static analysis by adding support for these new versions:
- Initial support of .NET 6.0
- Initial support of Android 12
November 18, 2021
New Veracode Static Analysis Support
Veracode has improved static analysis by adding:
- Full support for JDK 17
- Full support for ColdFusion 2016
October 21, 2021
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for Apex 52.0.
Improved Veracode Static Analysis Support
- Veracode has further improved its accuracy in its detection of hard-coded credentials in applications. You might see a decrease in false positives related to hard-coded credentials.
October 20, 2021
Veracode European Region now available
The Veracode European Region is now available for new customers. This region, which initially supports Veracode Static Analysis and Veracode Software Composition Analysis, provides European data residency for Veracode customers.
September 28, 2021
New Veracode Static Analysis Support
Veracode has improved static analysis by adding:
- Initial support for iOS 15
- Full support for .NET 5.0
Improved Veracode Static Analysis Support
- Veracode has improved its detection of hard-coded passwords in applications. You might see an increase in findings related to hard-coded passwords.
August 26, 2021
New Support for GCC 10 on Red Hat Enterprise Linux 8
- Veracode has improved static analysis by adding support for the GCC 10 compiler on Red Hat Enterprise Linux.
Improved Static Analysis Support
Veracode has made several improvements to static analysis, including:
- Prevention of reporting hard-coded credentials for variables related to mock libraries
- Prevention of reporting hard-coded credentials for nonsensitive data in JavaScript dictionaries
- Improved recognition of password keywords in concatenated strings
- Improved heuristics to identify potentially sensitive data
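The hard-coded credential improvements listed here, and the related ones under February 3, 2022 (fewer false positives for local file paths, better recognition of sensitive variable names), all come down to heuristics over variable names and string literals. The following is an added illustration of what such heuristics look like in practice; it is not Veracode's code or rule set. The keyword lists, the suppression rules (mock names, path-like values, placeholder values, dictionary entries whose value merely repeats the key) and the sample source are assumptions made for the demo.

```python
"""Illustrative hard-coded credential heuristics (CWE-259 / CWE-798).

Added example, not Veracode's code or rules. It demonstrates the kinds of
heuristics the release notes describe: sensitive variable names, password
keywords inside concatenated strings, and suppression of mock values,
path-like values and non-sensitive dictionary entries. Keyword lists,
suppression rules and the sample source are assumptions made for the demo.
"""
import ast
import re

# Identifier fragments that suggest a credential (assumed list).
SENSITIVE_NAME = re.compile(r"(passw(or)?d|pwd|secret|token|api_?key|credential)", re.I)
# Identifier fragments that suggest a test double; findings on these are suppressed.
MOCK_NAME = re.compile(r"(mock|fake|stub|dummy)", re.I)
# Values that are file-system paths rather than secrets ("known valid locations").
PATH_LIKE = re.compile(r"^(/|\./|\.\./|~/|[A-Za-z]:\\)")
# "password=<value>" inside a connection string or URL.
KEYWORD_VALUE = re.compile(r"(passw(or)?d|pwd)\s*=\s*([^;&\s'\"]+)", re.I)
# Values that are obviously placeholders, not secrets.
PLACEHOLDER = re.compile(r"(\*+|x+|<[^>]*>|\$\{[^}]*\})", re.I)


def _literal_text(node):
    """Full text of a string constant or a '+' chain of string constants, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = _literal_text(node.left), _literal_text(node.right)
        if left is not None and right is not None:
            return left + right
    return None


def _target_name(node):
    """Simple name of an assignment target ('x' or 'obj.x'), else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _suppression(name, value):
    """Reason to suppress a finding, or None if it should be reported."""
    if not value or PLACEHOLDER.fullmatch(value):
        return "placeholder"
    if name and MOCK_NAME.search(name):
        return "mock"
    if PATH_LIKE.match(value):
        return "path"
    return None


def scan_source(src):
    """Return (line, kind, detail) findings for hard-coded credentials in Python source."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Assign):
            text = _literal_text(node.value)
            if text is None:
                continue  # not a string literal (e.g. os.environ lookup): nothing to report
            name = _target_name(node.targets[0])
            if name and SENSITIVE_NAME.search(name) and _suppression(name, text) is None:
                findings.append((node.lineno, "variable", name))
            match = KEYWORD_VALUE.search(text)
            if match and _suppression(name, match.group(3)) is None:
                findings.append((node.lineno, "keyword", match.group(0)))
        elif isinstance(node, ast.Dict):
            for key, val in zip(node.keys, node.values):
                k = _literal_text(key) if key is not None else None
                v = _literal_text(val)
                if k is None or v is None or not SENSITIVE_NAME.search(k):
                    continue
                if v.strip().lower() == k.strip().lower():
                    continue  # {"password": "Password"} is UI text, not a secret
                if _suppression(k, v) is None:
                    findings.append((node.lineno, "dict", k))
    return findings


# Constructed sample source covering a true positive and each suppression rule.
SAMPLE = '''
import os
password = "hunter2"
api_key = os.environ.get("API_KEY")
conn = "Server=db;User=sa;" + "Password=s3cret;"
mock_password = "not-a-real-secret"
token_path = "/etc/app/token.txt"
labels = {"username": "Username", "password": "Password"}
creds = {"user": "admin", "password": "admin123"}
empty_pwd = ""
'''

if __name__ == "__main__":
    for line, kind, detail in scan_source(SAMPLE):
        print(f"line {line}: hard-coded credential ({kind}) {detail}")
```

Running the block reports three findings from the sample (the plain `password` literal, the `Password=` keyword inside the concatenated connection string, and the `creds` dictionary entry) and suppresses the mock variable, the path-like value, the UI label dictionary and the empty placeholder. Each suppression is a deliberate false-positive trade-off; a real scanner tunes these lists against a corpus, which is what the "improved heuristics" entries above describe.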
July 22, 2021
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for Angular 12 applications.
Improved Veracode Static Analysis Results
- Veracode has improved static analysis for Node.js 13 and 14 applications.
June 16, 2021
Pipeline Scan Supports Uploading Larger Files
- Veracode Pipeline Scan now supports the analysis of applications up to 200 MB.
June 2, 2021
New Veracode Static Analysis Support
Veracode has improved static analysis by adding support for these new technologies:
- Initial Support of Java 16
- tvOS
Compatibility Updates for iOS and tvOS Application Packager
- Veracode has improved the mobile application packager used for preparing iOS and tvOS applications to support the latest versions of macOS. This update also includes several usability improvements based on user feedback.
New Distribution Method for the Ruby Gem Packager
- Veracode began distributing the Gem file required for preparing Ruby on Rails applications. For the latest updates to the Gem file, retrieve the file from rubygems.org using these Veracode instructions.
May 3, 2021
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for AWS SDK for .NET.
Improved Veracode Static Analysis Results
- Veracode has improved static analysis of Java applications by identifying additional security flaws related to deserialization vulnerabilities.
April 6, 2021
Improved Veracode Static Analysis Support for Android Applications
- Veracode has improved static analysis of Android applications by adding support for Android applications packaged as Android App Bundles (AAB).
April 1, 2021
Deprecated Support for Older Versions of Veracode Pipeline Scan
- On April 1, 2021, Veracode will no longer support versions of pipeline-scan.jar that you downloaded before September 2020. These versions are 20.9.1 and earlier. To identify the version of the pipeline-scan.jar that you are using, run it with the --version option at the command line.
- To transition to a supported version of the JAR file, replace the version that you are using with the latest one, which you can download from https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip. Veracode also provides Pipeline Scan as a Docker image on Docker Hub (https://hub.docker.com/r/veracode/pipeline-scan).
- Updating to the latest version of pipeline-scan.jar ensures that you are working with the latest version of the Veracode software, which includes many new features and bug fixes.
March 31, 2021
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for Blazor WebAssembly for .NET applications.
Improved Veracode Static Analysis Results
- Veracode has improved static analysis of .NET Core 3.1 applications.
Remediation Guidance Added to Pipeline Scan Results
- The Pipeline Scan results now include links to the Veracode Knowledge Base, which provides suggestions for remediating issues.
March 2, 2021
New Veracode Static Analysis Support for Languages and Frameworks
Veracode has improved static analysis by adding support for these new versions of supported technologies:
- Transact-SQL 15.x
- Ember.js 3.x for JavaScript
Veracode has improved static analysis by adding initial support for these versions of supported technologies:
- .NET 5
- Kotlin 1.4
- Groovy 3
Improved Veracode Static Analysis Support for iOS
- Veracode has provided additional security checks for applications built using iOS 14. You may see additional findings for applications as a result of these improvements.
Improved Results for Cryptography Findings for Java Applications
- Veracode has improved static analysis of Java applications by updating the list of acceptable cryptography algorithms.
February 4, 2021
New Veracode Static Analysis Support
Veracode has improved static analysis by adding support for these new technologies:
- C++ applications built with GCC 9 on RedHat 8
- Koa.js version 2.13
- Hibernate framework version 5
- Autofac framework. Static analysis of .NET applications that use Autofac may report additional findings as a result of these improvements.
Improved Veracode Static Analysis Results
Veracode provides these improvements for supported technologies:
- Additional security checks for applications built using functions specific to Android 10. You may see additional findings for applications as a result of these improvements.
- Enhanced accuracy of scan results of PHP and Python applications. The scan results now provide more emphasis on custom first-party components rather than third-party libraries.
Improved Prescan Warning Messages
- Veracode has improved warning messages to identify applications that do not meet Veracode packaging requirements.
- Veracode has also improved the accuracy of warning messages for several languages and file types by providing more descriptive error resolution recommendations.
Improved Results Consistency for Java Applications
- Veracode has improved static analysis of Java web applications packaged as WAR and EAR files. Veracode provides more consistent results between subsequent scans and more accurately recognizes first-party components in the applications.
- You may notice a one-time change to scan results as a result of this improvement.
Improved Results Accuracy Within JSP Files
- Veracode has improved static analysis of JSP applications to prevent static analysis from reporting duplicate flaws.
January 12, 2021
Compilation Guide Renamed
- To more accurately describe its contents, the Compilation Guide is now called Veracode Packaging Requirements.
January 7, 2021
Pipeline Scan Integration with Veracode Security Policies
- Veracode has improved the Pipeline Scan to support the use of policy rules defined in the Veracode Platform. This enhancement allows you to assess applications against consistent rules for pass or fail.
2020 updates
December 17, 2020
New Veracode Pipeline Scan Support for PHP Applications
- Veracode has improved the Pipeline Scan by adding support for PHP applications.
December 15, 2020
New Support for Languages and Frameworks
Veracode has improved static analysis by adding support for these new versions of supported technologies:
- Android 11
- C++ Support for Red Hat Enterprise Linux 8
- Grails 4
- Java 15
- Slick Library for Scala
Improved Support for Java
- Veracode has improved static analysis of Java applications by adding support for JNDI injection flaws. See the Veracode blog post for details about these types of flaws.
Improved Prescan Warning Messages
- Veracode has improved its warning messages to notify you when the JavaScript and TypeScript files you submit have parsing errors. Parsing errors can affect the quality of the prescan results.
- Veracode has also improved the accuracy of warning messages for several other languages and file types.
Simplified Packaging Requirements for iOS Applications
- Veracode has improved the user experience of analyzing iOS applications by simplifying the requirements for packaging.
November 24, 2020
New Support for GCC 8.3 on Red Hat Enterprise Linux 7
- Veracode has improved static analysis by adding support for the GCC 8.3 compiler on Red Hat Enterprise Linux.
October 30, 2020
New Pipeline Scan Support for React Native, Titanium, and Cordova Applications
- Veracode has improved the Pipeline Scan by adding support for React Native, Titanium, and Cordova applications.
October 29, 2020
Improved Veracode Static Analysis Results
Veracode has improved static analysis of these supported technologies:
- Angular templates
- Apache Commons
- AWS SDK for Java
- JavaScript
- Python
New Pipeline Scan Reporting Options:
- Veracode has improved the Pipeline Scan to support reporting a filtered list in JSON format of issues that caused the analysis to fail.
October 21, 2020
Pipeline Scan Supports Custom GitLab Domains
- Veracode has improved the Pipeline Scan to support custom GitLab domains when creating GitLab issues.
October 6, 2020
Improved Pipeline Scan Error Messages and Logging
Veracode has improved pipeline scans to include these enhancements:
- Improved error message content
- Integration with Log4j to log debug messages
October 2, 2020
New Pipeline Scan Support for Python Applications
- Veracode has improved Pipeline Scan to include support for Python applications.
September 26, 2020
Packaging Improvements for .NET Applications
- Veracode has improved the user experience of analyzing .NET applications by adding support for .NET applications submitted as standard NuGet packages.
September 24, 2020
New Pipeline Scan Support
- Veracode has improved Pipeline Scan to include support for Android applications.
New Veracode Static Analysis Support
Veracode has added support for new versions of these technologies:
- Angular 9 and 10
- Visual Studio 2019 for Visual C++
Improved Veracode Static Analysis Support
- Veracode has improved static analysis of AWS SDK for JavaScript.
- Veracode has improved static analysis of .NET and JVM-based applications. Veracode reduced the number of prescan warning messages that it sends for components that are common third-party libraries.
September 17, 2020
New Static Analysis Support for iOS 14
- Veracode has improved static analysis by adding initial support for iOS 14.
September 1, 2020
New Veracode Static Analysis Support
Veracode has added static analysis support for these technologies:
- React Native 0.6x
- Ruby on Rails 6
- Jinja2 Template Library for Python
Veracode Static Analysis Recognized Cleansers
As a result of updated security research, Veracode has added several CRLF cleansing functions to the list of supported cleansing functions. Veracode also removed these HTML-escaping functions from the list of recognized CRLF cleansers, because HTML escaping does not neutralize carriage return or line feed characters:
com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscape
com.google.gwt.safehtml.shared.SafeHtmlUtils.htmlEscapeAllowEntities
com.google.gwt.safehtml.shared.SafeHtmlUtils.fromString
org.springframework.web.util.HtmlUtils.htmlEscape
org.springframework.web.util.HtmlUtils.htmlEscapeDecimal
org.springframework.web.util.HtmlUtils.htmlEscapeHex
org.apache.axis.components.encoding.XMLEncoder.encode
com.liferay.portal.kernel.util.HtmlUtil.escapeAttribute
com.liferay.portal.kernel.util.HtmlUtil.escape
com.liferay.portal.kernel.util.HtmlUtil.escapeHREF
com.liferay.portal.kernel.util.HtmlUtil.escapeXPath
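The functions removed above are HTML escapers: they encode `<`, `>`, `&` and quotes, which is what cross-site scripting needs, but they pass `\r` and `\n` through unchanged, so a value that flows through them can still terminate a log entry and forge a new one (log injection, CWE-117). The following added example, which is not Veracode's code, shows this with Python's standard-library `html.escape` standing in for the Java HTML escapers (its behaviour on CR/LF is the same), alongside a cleanser that does encode those characters and a small check that tells the two apart. The `%0D`/`%0A` encoding and the sample log format are assumptions chosen for the demo.

```python
"""Why HTML escaping is not a CRLF cleanser for log injection (CWE-117).

Added example, not Veracode's code. Python's html.escape stands in for the
Java HTML escapers removed from the cleanser list; like them, it encodes
<, >, &, and quotes but leaves CR and LF untouched. The %0D/%0A encoding
used by crlf_cleanse is an assumed scheme chosen for the demo.
"""
import html
import re

CRLF = re.compile(r"[\r\n]")


def html_escape(value):
    """HTML-escape a value (the 'cleanser' that was wrongly trusted for CRLF)."""
    return html.escape(value, quote=True)


def crlf_cleanse(value):
    """Encode CR and LF so a value cannot terminate a log entry."""
    return value.replace("\r", "%0D").replace("\n", "%0A")


def is_crlf_cleanser(fn):
    """Check a candidate cleanser: True only if no CR/LF survives it."""
    probe = "a\rb\nc\r\nd"
    return CRLF.search(fn(probe)) is None


def log_entry(username, cleanser):
    """Build the single log line an application intends to write."""
    return f"login failed for user={cleanser(username)}"


# Constructed attacker-controlled username: terminates the real entry and
# forges a second, legitimate-looking one.
PAYLOAD = "bob\r\nlogin ok for user=admin <b>"


def entry_count(username, cleanser):
    """Number of log lines the entry actually produces once written."""
    return len(log_entry(username, cleanser).splitlines())


if __name__ == "__main__":
    for name, fn in (("html_escape", html_escape), ("crlf_cleanse", crlf_cleanse)):
        print(f"{name}: valid CRLF cleanser={is_crlf_cleanser(fn)}, "
              f"lines written={entry_count(PAYLOAD, fn)}")
        print("  " + log_entry(PAYLOAD, fn).replace("\r", "\\r").replace("\n", "\\n"))
```

With the HTML escaper the forged `<b>` is neutralized but the payload still writes two log lines; with the CRLF cleanser it writes one. The `is_crlf_cleanser` probe is the check to apply before a team marks any function as a CWE-117 mitigation in its own code: an escaper that exists for a different injection class is not a cleanser for this one.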
Improved Veracode Static Analysis User Experience
Veracode has improved the user experience of static analysis by providing:
- More consistent naming for the submitted components
- More information added to some prescan error messages
August 7, 2020
New Pipeline Scan REST APIs
- The new Pipeline Scan REST APIs allow you to submit pipeline scans directly using an API.
Pipeline Scan Improvements
Veracode Static Analysis using pipeline scanning includes these enhancements:
- New command parameters for creating GitLab issues and vulnerabilities from scan output:
--gl_issue_generation
--gl_vulnerability_generation
- New GitLab examples added to the pipeline scan README and the Veracode Help Center
July 10, 2020
New Pipeline Scan Support for .NET Applications
- Veracode has added pipeline scan support for .NET applications.
July 1, 2020
New Veracode Static Analysis Support
Veracode has added static analysis support for these technologies:
- AWS SDK for
- Ruby 2.6 and 2.7
- AcuCOBOL-GT 10.3
- Xcode 11.5
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these technologies:
- AWS SDK for Python (Boto3).
- Additional security checks for applications built using Java 12, 13, and 14. You may see additional findings for applications as a result of these improvements.
- Additional security checks for applications built using .NET Core 3.1. You may see additional findings for applications as a result of these improvements.
- Additional security checks for applications using Apache Commons libraries. You may see additional findings for applications as a result of these improvements.
- Additional security checks for applications using Go templates. You may see additional findings for applications as a result of these improvements.
- Improved scan coverage for iOS application submissions. Veracode now analyzes all components submitted with an iOS application, including standalone frameworks, extensions, and watchOS extensions. After a prescan, you can select these components from a list of modules.
New Video - Review Static Analysis Flaws
This video shows you how to:
- Access static flaw information in the Triage Flaws view of the Veracode Platform.
- Use the Source Code view to load source code from your local system into the Triage Flaws page so that you can view information about the flaw in the context of your original source.
- Document a proposed mitigation for review.
June 13, 2020
New Veracode Static Analysis Support
Veracode has added static analysis support for these technologies:
- Improved analysis of Go applications by adding support for the Gorilla framework, and improving overall results quality.
- Improved analysis of JavaScript applications using AWS Lambda and other functions by adding support for the AWS SDK.
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these technologies:
- Improved static analysis of iOS applications by improving the results of scans, to better focus the results on custom first-party components, instead of third-party libraries.
- Improved static analysis of .NET and Java applications to more accurately report the analysis size of dependent modules. These changes may result in smaller reported sizes for scan submissions.
- Veracode now reads the contents of the go.mod file included in an application submission to more accurately identify which Go components to analyze.
May 13, 2020
Pipeline Scan Improvements
Veracode Static Analysis using pipeline scanning includes these enhancements:
- New command parameters for storing information about the application you are scanning:
--app_id
--development_stage
- New code examples that show how to integrate a pipeline scan with GitHub actions and Azure DevOps. These examples are included in both the pipeline scan Readme file and the Veracode Help Center.
May 4, 2020
New Veracode Static Analysis Support
Veracode now supports static analysis of these libraries for Apex:
- Visualforce
- Lightning
- Aura components for Salesforce
Improved Veracode Static Analysis Support
Veracode now supports static analysis of these technologies:
- Apex version 49.
- Java applications built on Java 14.
- Version 2.6 and 2.7 of the Play framework for Scala. You may see additional findings for Play applications as a result of these improvements.
- Python application analysis improvements, including additional security checks for risks related to certificate management and cryptography settings. You may see additional findings for Python applications as a result of these improvements.
- Updated CWE definitions for flaws that had been reported previously as CWE 100 and 391. MITRE is deprecating these CWEs. MITRE is recategorizing CWE 100 flaws as CWE 1174, and recategorizing CWE 391 flaws as either CWE 252 or CWE 273, depending on the details of the flaw.
Veracode has updated policy rules that included entries for CWE 100 and CWE 391 to include the new CWEs.
After you run the next scan of affected applications, the Veracode Platform reports and analytics reflect the new CWE values. Data for previous scans still include the historical values.
April 23, 2020
Improved Veracode Static Analysis Support with Pipeline Scanning
Veracode static analysis using pipeline scanning now includes these features:
- Support for Scala, Kotlin, and Groovy applications
- Veracode authentication using the API credentials file
- Human user accounts with the required user roles can run pipeline scans
April 14, 2020
New Video - Run a Pipeline Scan in Your CI/CD Environment
- This video shows you how the pipeline scan runs directly within a CI/CD environment.
April 2, 2020
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for AWS Lambda functions for Java, .NET, Node.js, and Python.
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these technologies:
- Improved results quality for iOS 13 applications
- Support for iOS applications built with Xcode 11.4
Veracode has changed reporting of CWE 404 flaws to be more specific about where they occur, which may result in additional findings. Veracode has also changed the severity of CWE 404 to Informational.
March 16, 2020
Announcing General Availability of Pipeline Scan for Veracode Static Analysis
- Veracode is pleased to announce the general availability release of the pipeline scan, a purpose-built tool for DevOps engineers. The pipeline scan directly embeds into your CI tools and provides fast feedback on flaws after each commit.
February 20, 2020
New Veracode Static Analysis Support
- Veracode has improved static analysis by adding support for a new version of Visual C++ applications built for Windows 10, Server 2016, and Server 2019.
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these supported technologies:
- Apache Struts 2
- Safe cryptography libraries in PHP
- Apex triggers submitted with the TGR file extension
January 30, 2020
New Veracode Static Analysis Support
Veracode has improved static analysis by adding support for these new versions of supported technologies:
- Java applications built on Java 13
- Initial support for .NET Core 3.1
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these supported technologies:
- APIs and language features specific to .NET Core 3.0, .NET Standard 2.1, and C# 8. You may see additional findings in .NET applications that use these new features.
- log4net, Serilog, and NLog logging technologies in .NET for detecting log injection flaws in .NET applications. You may see additional findings in .NET applications that use these technologies.
- Additional security checks for Android 9 applications. You may see additional findings for Android applications as a result of these improvements.