Troubleshooting Veracode APIs and Integrations

Veracode Integrations Security and Troubleshooting

This section helps you remedy common problems and understand how better to use the Veracode XML APIs and integrations.

API Issue Solution
Any API or Wrapper I received a HTTP 401 or Access Denied error. I do not have access to the APIs or I am unsure what kind of access I need.
Any API I cannot log in to Veracode when using the APIs.
  • Veracode APIs and integrations require access to analysiscenter.veracode.com and api.veracode.com. Contact your IT team to ensure these domains are on the allowlist for your organization and that there is one-way communication on port 443 to api.veracode.com. Refer to the complete list of domains and IP addresses to add to your allowlist.
  • Verify that your IP address is in the list or range of addresses in the Allowed IP Addresses field of your user account login settings. If the IP range is set incorrectly, edit the Allowed IP Addresses field to include the IP address of the location of your login.
Any API The scan stopped after prescan. To determine why a scan that started from an API failed after prescan, review the response code returned from the beginscan.do API call. When your script calls beginscan.do, the API returns a status code that confirms the scan successfully started, or provides an error message to explain why the scan did not start.
Any API I received cURL error 35. If you receive the cURL error 35: "Unknown SSL protocol error in connection to ...", you need to update your version of cURL. Alternatively, you can pass the option -3, which forces cURL to use SSL version 3 when negotiating with a remote SSL server.
Any Wrapper I receive a message that displays missing mandatory parameters. Provide all mandatory parameters in your call. If you do not provide all mandatory parameters, the wrapper returns the missing mandatory parameters in your console.
Any Wrapper I cannot connect to Veracode through my proxy. If your organization uses a proxy for outbound connections, provide this information to the wrapper to successfully connect to Veracode.
Any Integration I have received one of these messages:
  • Received fatal alert: handshake_failure
  • Peer not authenticated error
  • System.Net.WebException was unhandled. Message=The request was aborted: Could not create SSL/TLS secure channel
  • OpenSSL::SSL::SSLError: Received fatal alert: handshake_failure
  • The underlying connection was closed: An unexpected error occurred on a send.
  • Could not create SSL/TLS secure channel
If you are using an integration that attempts to connect over TLS 1.0 or 1.1, you may receive one of these error messages. See Using TLS with Veracode Integrations.
Archer API Invalid IP address range. Ensure that you are attempting to connect from an IP address that is allowed by the IP address restrictions for the login you are using. Veracode APIs and integrations require access to analysiscenter.veracode.com and api.veracode.com. Contact your IT team to ensure these domains are on the allowlist for your organization and that there is one-way communication on port 443 to api.veracode.com. Refer to the complete list of domains and IP addresses to add to your allowlist.
Archer API Invalid login type. Ensure that you are providing credentials for an API class login with the Archer API role.
Archer API Invalid or null token. Each login account is limited to using five tokens at a time to download Archer reports. The last five of generated tokens are valid. All tokens expire after 30 days whether used or not. Using invalid tokens returns HTTP status code 403.
Archer API Incorrect date format. The date format used by the  date_from  and  date_to  fields is dd-mm-yyyy, meaning, date then month and year.
Archer API The report not ready. If you try to call  downloadarcherreport.do  before  generatearcherreport.do  has completed, you receive HTTP status code 204 to indicate no content is available. Try to download the report at a later time. After an excessively long time, if the Veracode Platform does not return the report, contact Veracode Technical Support.
Archer API The results file is too large. When attempting to fetch the Archer feed for a large number of applications at once, the Veracode Platform may return HTTP status code 500. It is best in these cases to fetch the data using the optional arguments for the Archer API to limit the scope of the data being pulled, for example using scan_type or a date range. Once all the historical data is in place, use one of the  period  arguments ( yesterdaylast_week , or  last_month ) to pull data on a scheduled basis.

Alternatively, you can use the asynchronous calls, downloadarcherreport.html and generatearcherreport.html.

Veracode Integration for CA Agile Central I receive this message: java.io.IOException: HTTP/1.1 404 Could not determine Web Services Version from 'v2.0https:'. Enter the project ID as a number only. Agile Central Rally project URLs in the browser may include letters. For example, if the project URL is https://rally1.rallydev.com/#/278365550456d/dashboard, then the project ID is 278365550456.
Dynamic Analysis API I need to open a support case with Veracode Technical Support. Provide this information to Veracode Technical Support:
  • API call you are trying to make
  • Response error code. For example, 201 or 401.
  • Response body from the call
  • Description of the error you receive
  • The username and API ID for the account
  • API ID
  • Whether the API call is programmatic or by an application like Postman. If an application is calling the API, then provide the name of the application.
Eclipse Plugin I experience a PKIX path building failure when installing the plugin from Eclipse. Add the following lines to the eclipse.ini file in your Eclipse installation directory:
-vmargs
--Djavax.net.ssl.trustStore="path for cacerts"
--Djavax.net.ssl.trustAnchors="path for cacerts"
Eclipse Plugin I cannot install Veracode Static for Eclipse for a new integration.
  1. Ensure you install the latest version of the plugin.
  2. Meet Veracode Static for Eclipse prerequisites.
  3. Ensure your Java version is 1.8 or later.
  4. Provide this information to Veracode Technical Support:
    • Eclipse version. You can find the Eclipse version in Help > Eclipse.
    • Veracode Static for Eclipse plugin version.
    • Screenshots of your errors.
    • Eclipse IDE log. You can find the IDE log in Help > Installation Details > Configuration > View Error Log.
    • The workspace log file in Window > Show View > PDE Runtime > Error Log.
    • Proxy settings screenshot if the issue is with your proxy.
    • Whether this is a user account or API service account.
    • If you are using an API ID and key.
    • The user roles, team membership, and the application name.
IntelliJ Plugin I cannot install Veracode Static for IntelliJ for a new integration.
  1. Ensure you installed the latest version of the plugin. You can check this in Settings > Preferences window > Ctrl+Alt+S > Appearance and Behavior > System Settings > Updates > Check Now.
  2. Meet Veracode Static for IntelliJ prerequisites.
  3. Ensure your Java version is 1.8 or later.
  4. Provide this information to Veracode Technical Support:
    • Logs and Diagnostics Data in a ZIP file.
    • Screenshots of your errors.
    • Whether this is a user account or API service account.
    • If you are using an API ID and key.
    • The user roles, team membership, and the application name.
Jenkins Plugin I receive one of these messages:
  • An app_id could not be located for application profile
  • Access denied
  • Check the Veracode user role for the logged-in account to verify that you have a role with permissions to create an application profile, such as Upload API for API service accounts or Creator for user accounts.
  • Confirm that the Veracode application profile for the specified application name is visible by the specific teams who have access to this application and its scan results.
Jenkins Plugin The following message appears in the console output: The policy status 'Did Not Pass' is not passing. Unable to continue. This message indicates that you selected the Wait for scan to complete checkbox in your job configuration and the scan failed to pass your policy. If you want builds for scans that fail policy to complete, you must deselect that checkbox.
Jenkins Plugin The test connection action fails. There is no success message.
  • Verify that your Jenkins server has Internet connectivity.
  • Check outside of the Jenkins plugin environment to verify if the server the Jenkins tool is running on has internet connectivity. To determine connectivity, download and run the Veracode Java API wrapper on the same machine the Jenkins tools are running on to test for internet connectivity.
  • Verify the proxy settings to see if a proxy is required.
  • If a proxy is not required, you can test for an external Internet connection with a cURL command and running, for example, the getapplist.do command.
  • Veracode APIs and integrations require access to analysiscenter.veracode.com and api.veracode.com. Contact your IT team to ensure these domains are on the allowlist for your organization and that there is one-way communication on port 443 to api.veracode.com. Refer to the complete list of domains and IP addresses to add to your allowlist.
Jenkins Plugin This message appears in the console output: Unknown vid and vid key. See step 23.
Jenkins Plugin or Java API Wrapper The following message appears: Requested array size exceeds VM limit. This error indicates you are attempting to upload an archive that is too large for the current limit (in GB). Check the content and size of the files or archives you are uploading to verify you are using the correct files.
Jenkins Plugin or Java API Wrapper

The following message appears:

[16.01.11 14:28:39] java/net/HttpURLConnection.setFixedLengthStreamingMode(J)V Build step Upload and Scan with Veracode marked build as failure Finished: FAILURE
This message indicates that the Java version you are using is not Java 7 or later. The Veracode Jenkins Plugin and the Veracode Java API wrapper require Java 7 or later.
Java API Wrapper I experience a PKIX path building failure when installing the plugin from Eclipse. Add these lines to the eclipse.ini file in your Eclipse installation directory:
-vmargs
--Djavax.net.ssl.trustStore="path for cacerts"
--Djavax.net.ssl.trustAnchors="path for cacerts"
Veracode Integration for Jira I cannot install or configure Veracode Integration for Jira. You need the JIRA administrator role to install and configure Veracode Integration for Jira.
Veracode Integration for Jira I installed Veracode Integration for Jira but it is not working. Ensure the API user has the Results API user role assigned. Then, for Veracode Integration for Jira, Associate Veracode Fields with Project Screens in Jira, or for Veracode Integration for Jira Cloud, Associate Veracode Fields with Project Screens in Jira Cloud.
Veracode Integration for Jira If you need to troubleshoot any issues, enable debug logging in Jira.
The location of the Jira logs depends on the Jira installation location. For example:
  • On Linux: /opt/atlassian/jira/logs/catalina.out
  • On Windows: C:\Program Files (x86)\Atlassian\Application Data\Jira\log\atlassian-jira.log
Enable Logging in Jira and set the logging level to DEBUG. After completing any debugging, ensure you change the logging level from DEBUG back to the logging level, such as INFO, and restart Jira.
Maven Build Script The following message appears: java.lang.ClassNotFoundException: Cannot find the specified class com.ibm.websphere.ssl The IBM WebSphere environment may prevent a Veracode UploadandScan target from executing if the Maven build script dependencies with the Java class path are missing. To resolve this, generate two pom.xml scripts, using one specifically for the Veracode upload.
Pipeline Scan I received an error code message. Try these resolutions for each error code:
  • 401: Unauthenticated. The API credentials may be expired. If they are not expired, verify the API credential ID and key you use in the pipeline match the generated credentials. They cannot contain extra spaces.
  • 403: Unauthorized. Check that the user accounts have Security Lead, Creator, and Submitter roles. Check that API user account credentials have Upload and Scan API or Upload API - Submit Only roles.
  • 429: Throttled. The API credentials were submitted more than six scans in the last one minute. Try again after a short delay.
  • -50x: Server side problems. This can be a problem with AWS or with Veracode services. Check the Veracode service status dashboards for details. For example, if the Identity Service is not working then Pipeline Scan also does not work.
Pipeline Scan I need to open a support case with Veracode Technical Support. Provide this information to Veracode Technical Support:
  • Pipeline Scan version
  • Java version
  • Platform application name and the URL of the application
  • Build logs
  • Debug logs
Veracode Greenlight I am having trouble signing on or managing users. Review the Administration section.
Veracode Greenlight I am having trouble generating an API ID. Review Using the Veracode Greenlight REST API.
Veracode Greenlight I do not know on which IDE to install Greenlight. Learn About Veracode Greenlight.
Veracode Greenlight I need to open a support case with Veracode Technical Support. Provide this information to Veracode Technical Support:
Results API The getappbuilds.do call is slow to deliver information. Veracode recommends that you use getapplist.do to generate a list of all applications and getbuildlist.do to generate a list of all builds for an application.  You can then use getappinfo.do and getbuildinfo.do to retrieve the information about specific applications and builds.
Veracode Software Composition Analysis I need to open a support case with Veracode Technical Support. Provide this information to Veracode Technical Support:
  • The package manager and version you are using.
  • The agent CLI, CI, and plugins you use for scanning, and their versions.
  • The environment variables, flags, and directives you use for scanning.
  • Your debug logs which you can get with any of these commands:
    • In your terminal: srcclr scan --debug
    • In a CI: curl -sSL https://download.sourceclear.com/ci.sh | DEBUG=1 bash
    • In a CI: export DEBUG=1 curl -sSL https://download.sourceclear.com/ci.sh | bash
  • The project you are scanning with the correct directory structure.
  • The command you use to start the scan, and answers to these questions:
    • Was your scan only a SRCCLR scan, or did you use other environment variables?
    • Did you use a CI script to perform the scan?
Upload API I do not know if the prescan is complete or successful. To check the prescan results in the Upload API, call getprescanresults.do.
Upload API My scan does not complete due to non-fatal errors. If you want to ensure the scan completes even though there are non-fatal errors such as unsupported frameworks, ensure you use the scan_all_top_level_modules parameter when you use the beginscan.do call.
Upload API and Integrations I received a fatal error after prescan, which is preventing my static analysis from starting automatically. Before the next time your static analysis is scheduled to start automatically, you need to:
  1. Review the prescan results to identify the modules that have fatal errors.
  2. Resolve the errors.
Optionally, if you do not want to resolve the errors, you can: If you have not added or deleted any modules since the last analysis that contained the fatal errors, the next automated analysis uses the same selected modules.
Any Plugin, Any API When using either a Veracode plugin, the Veracode API wrappers, or a custom script, I see this returned in the output text: App not in state where new builds are allowed. This message indicates that a previous static scan did not succeed for the specific application. Log into the Veracode Platform and review the application's current scans to determine if the previous scan did not successfully complete. A previous scan may still be in progress. If a previous scan is still running due to an error, select Delete. You can then use the plugin to submit a new scan request.
Any Plugin, Any API I receive an error when an API or integration attempts to access Veracode. Veracode APIs and integrations require access to analysiscenter.veracode.com and api.veracode.com. Contact your IT team to ensure these domains are on the allowlist for your organization and that there is one-way communication on port 443 to api.veracode.com. Refer to the complete list of domains and IP addresses to add to your allowlist.
Veracode Static for Visual Studio I received a download error that says No applications exist for the specified user's account. Using the Visual Studio Veracode menu, you may have attempted to download results after selecting a specific application for which you do not have permission to access. You must be a member of each team associated with an application to be able to access that application's data.
Veracode Static for Visual Studio The Upload Build menu does not populate the Application dropdown list or allow me to complete the Build text box. This message indicates that you do not have the required role to either create a new application or build.
Veracode Static for Visual Studio I receive this message Support Issue: No precompiled files were found for this ASP.NET web application. Use the Veracode Static for Visual Studio to prepare your .NET application for uploading to Veracode. For information on how to use this extension, see Using Veracode Static for Visual Studio.
Veracode Static for Visual Studio I ran a scan from within Visual Studio, downloaded the scan results and, then, selected Veracode Static > View Results. The Results window is empty. If you are using Visual Studio 2019 with .NET Framework version 4.8, you must clear an option in Visual Studio to ensure the downloaded scan results display in the Results window. Otherwise, the Results window may be empty.

See Configure Visual Studio 2019 to Display Scan Results.

After configuring Visual Studio, you can select Veracode Static > View Results to view the scan results in the Results window.
Veracode Static for Visual Studio Upload and Scan fails to complete automatically. For web applications built on ASP.NET 3.0 Core and later, there is an executable that duplicates the artifacts included in the upload to the Veracode Platform. In your web application project, you must deselect the duplicate executable to exclude it from the upload, or you see an error and the Veracode Platform initiates a manual module selection.
Veracode Static for Visual Studio I need to open a support case with Veracode Technical Support. Provide this information to Veracode Technical Support:
  • Your IDE version.
  • Your Veracode Static for Visual Studio version.
  • If you are scanning at the file level or the project level.
  • The programming language of the application you are trying to scan.
  • The size of the file you are trying to scan.
  • If autoscan is on or off.
  • A list of third-party plugins you use to perform code analysis; for example, "Sonar Lint".
  • Precompilation output. If your application is a web application, then select the Use legacy precompilation method checkbox on the Precompilation page in the Veracode Visual Studio Extension Options.
  • If your application is built with the .NET Core framework, then provide a zipped folder of the Visual Studio log and name your ZIP file in this format: C:\Users\UserName\AppData\Local\Microsoft\VisualStudio\VisualStudioVersion#\Extensions\som efolder\Log\veracode_YYYYMMDD.log. These are the corresponding Visual Studio version numbers: 11 = VS 2012, 12 = VS 2013, 14 = VS 2015, 15 = VS 2017, and 16 = VS 2019. Note that in the Visual Studio log path above, the VisualStudioVersion# is in the format of 15.0_8ea552db for Visual Studio 2017 and later, and there may be multiple folders with that format. Because you can do side-by-side installs with Visual Studio 2017 and later, each install creates a new random sequence after the version number.
Veracode Static for Visual Studio I still cannot solve my problem. Reinstall Veracode Static for Visual Studio. Before uninstalling, clear the contents in this folder: C:\Users\UserName\AppData\Local\Microsoft\VisualStudio\

See more uninstall information here: https://stackoverflow.com/questions/22444799/how-to-uninstall-vsix-visual-studio-extensions.

Veracode Azure DevOps Extension The Veracode Release Summary report is not displaying in the TFS on-premise extension. If you rename the build step task Upload and Scan, the extension cannot find and execute the task, and no Veracode Summary Report is created.
Veracode Azure DevOps Extension I am receiving upload errors for my Azure DevOps builds.

To resolve the upload errors, you have these options:

  • Before uploading to Veracode, add the folder containing the files you want to scan to a ZIP archive. The ZIP archive suppresses errors due to unsupported file types.
  • After prescan, resolve any fatal errors:
    1. Review the prescan results to identify the modules that have fatal errors.
    2. Resolve the errors.
    Optionally, if you do not want to resolve the errors, you can: If you have not added or deleted any modules since the last analysis that contained the fatal errors, the next automated analysis uses the same selected modules.
  • Ensure your binaries are in the default location, or modify the default location system variable $(build.artifactstagingdirectory) if you require your files to be in a different location. For example, if your files have a different pathname and are in a bin folder, you can modify your system variable to look like this: $(build.sourcesdirectory)/<pathname>/bin.

Microsoft provides pipeline build steps for creating a folder with only the files that Veracode requires for scanning. See the Copy Files task and Delete Files task in the pipeline documentation on the Azure documentation website.

Veracode Azure DevOps Extension I selected the Veracode Scan Summary tab in Azure DevOps to view scan results and see the message Veracode is taking longer than expected to load. Clear your browser cache and, then, select the Veracode Scan Summary tab again.
Veracode C# Wrapper The wrapper is still not working.

You have these options:

Any IDE Plugin or Extension I am having problems with my credentials and am prompted to enter them multiple times.
  1. Check that you have saved your credentials. Go to Veracode > Options > Credentials and verify the Veracode API credentials are saved.
  2. Verify that the field Do not use stored credentials to log in is cleared.

For assistance with errors you receive while compiling your application, see the Troubleshooting Precompilation Errors page.

If you cannot find the solution to your problem on this page, contact Veracode Technical Support.