C/C++ SCA agent-based scanning

You can find vulnerabilities in your C/C++ applications using Veracode Software Composition Analysis agent-based scanning. You can run a scan on C/C++ repositories using the agent-based scanning command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis, see Packaging C/C++ applications on Linux and Solaris or Packaging C/C++ applications on Windows.

Veracode SCA agent-based scanning support for native Linux C/C++ libraries is limited to scans of projects compiled with the Make build tool that you complete with the Linux CLI agent or a CI integration.

Agent-based scans can identify additional C/C++ libraries if they appear in supported package managers. See the list of native Linux C/C++ libraries and vulnerabilities that Veracode SCA monitors.

You can use agent-based scanning to scan any code repository to which you have access and fulfills the above requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-cpp-makefile

Before you begin:

Scanning a repository that uses C/C++ libraries requires you to assemble the project dependencies within the environment in which you scan the project. Your environment must:

• Meet the requirements for the Veracode SCA agent
• Have SO files present in the C/C++ repository
• If using Windows or MacOS, have Docker installed

Additionally, your project must include a makefile that has:

• One of these filenames: GNUmakefile, makefile, or Makefile. Veracode SCA searches for these filenames, in this listed order, and identifies the first one it finds to be the project makefile.

• One of these strings: gcc, g++, clang, CMAKE, or CMake.

• A clean target. Veracode SCA uses the clean target to collect findings. To configure a custom clean target for agent-based scanning, add this argument to your project as an environment variable:

  SRCCLR_MAKE_CLEAN_TARGET='{custom_clean_target_name}'

• A first target. Veracode SCA uses the first target to build the project and to rebuild the project after it collects findings. To configure a custom first target for agent-based scanning, add this argument to your project as an environment variable:

  SRCCLR_MAKE_BUILD_TARGET='{custom_build_target_name}'

To complete this task:

1. Run the scan command with the Veracode SCA CLI agent pointed to the directory of the C/C++ repository. For example:

   srcclr scan path/to/{project_folder}
   note

   To scan code repositories hosted in Git, use the --url argument with the CLI agent.

   To view more verbose output during the scan process, you can add the --loud argument:

   srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.