2016 Release Notes

Veracode Release Notes

View the list below for highlights of releases in 2016.

Release 2016.12

The December release delivers new support for JavaScript and Python languages, as well as an updated approved cleanser for .NET. In addition, Visual Studio users are now able to save their scan results locally, and there is added support for RAD 9.5 IDE. This release also delivers a new eLearning course on PHP secure coding and a new Operating System Command Injection (OSCI) tutorial. Also, user interface updates were made to the Veracode Platform scan menus and release note access.

Veracode Static Analysis

ECMAScript 2016 Support
Veracode has improved static analysis of JavaScript applications to support the ECMAScript 2016 JavaScript syntax.
Python httplib2 Support
Veracode has improved static analysis of Python applications to support the httplib2 library.
New Approved .NET Cleansing Function
Veracode has updated its list of approved cleansing functions for .NET to include a new function, HttpUtility.JavaScriptStringEncode.
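As an added illustration (not code from the Veracode release notes), the ASP.NET snippet below shows the context this cleanser is meant for: untrusted data written into an inline script must be JavaScript-string-encoded, not merely HTML-encoded. The `ScriptEmitter` class and `userName` input are assumptions for the example.

```csharp
using System;
using System.Web;

// Added example, not Veracode's own code. "userName" stands in for any
// request-controlled value that a page writes into an inline <script> block.
public static class ScriptEmitter
{
    // Unsafe: the value is interpolated straight into a JavaScript string
    // literal. A single quote, a backslash, or a closing </script> tag in the
    // input ends the literal (or the script block) early, which is the pattern
    // a static analyser flags as cross-site scripting.
    public static string UnsafeScript(string userName)
    {
        return "<script>var user = '" + userName + "';</script>";
    }

    // Hardened: HttpUtility.JavaScriptStringEncode escapes quotes, backslashes,
    // control characters and the characters < > & (as \uXXXX sequences), so the
    // value cannot leave the literal. With addDoubleQuotes: true the encoder
    // also wraps the result in double quotes, so the caller adds none itself.
    public static string SafeScript(string userName)
    {
        string literal = HttpUtility.JavaScriptStringEncode(userName, addDoubleQuotes: true);
        return "<script>var user = " + literal + ";</script>";
    }
}
```

HtmlEncode is not a substitute here: it leaves backslashes and the JavaScript string delimiters it does not know about untouched, which is why the JavaScript-specific encoder is the one on the approved list.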

Veracode Application Security Platform

New Course - PHP Secure Coding
Veracode has expanded its suite of language-specific secure coding eLearning courses, which previously consisted of Java and .NET, to include PHP. This course covers topics ranging from trust boundaries to information handling and data protection. PHP developers can learn how to code using application security best practices from the sample code examples throughout the course.
Operating System Command Injection (OSCI) AppSec Tutorial
A new eLearning AppSec tutorial course has been released for the Operating System Command Injection (OSCI) flaw. During this 10-minute course, eLearning users can learn about what makes an OSCI flaw, watch an OSCI attack take place, and learn how to protect against an OSCI attack.
Updated Scan Menu
Changes have been made to improve the user experience of the navigation menu. The Scans menu has been renamed to Scans & Analysis, and items have been rearranged across the menu to provide a more logical user experience.
Improvements to Application Custom Fields
Improvements have been made to the custom metadata fields at the application profile level. Administrators can now choose to raise the custom field limit for their account from 5 to as many as 25. Additionally, account administrators can now rename custom fields. If administrators rename custom fields that are referenced by the Veracode JIRA Import Plugin, the TFS Flaw Synchronizer, or custom integration code, they must update the corresponding custom field in that plugin, synchronizer, or integration code.
Release Notes Improvements
You can now access release notes on the Veracode Security Platform Home page by clicking the Release Notes link under the Learn tile.
Data Dictionary for Custom Reports in Analytics
In addition to the recommended dashboard and metrics provided by Analytics, Veracode now enables users to explore their application security data available in custom reports. The data dictionary provides details of the measures and attributes used in the custom reports to enable users to better understand their application security information.

Veracode Integrations

Save IDE Scan Results Locally in Visual Studio
Visual Studio users now have the ability to automatically save their IDE scan results locally. When users close and reopen their IDE, they can navigate to the results without having to connect to Veracode and download the results again.
Support for RAD 9.5
Veracode has added support for Rational Application Developer (RAD) 9.5 to our Eclipse IDE plugin. The plugin allows users to upload and scan their code, view results, and mitigate findings from their IDE.
End of Life: Plugin Support for Visual Studio 2005 and 2008
Veracode is discontinuing IDE plugin support for Visual Studio 2005 and 2008 because these versions are no longer actively supported by Microsoft. The Veracode static engine continues to support applications compiled with Visual Studio 2003 and later.

Release 2016.11

The November release delivers new support for Python and RPG programming languages, as well as support and documentation improvements to six other static binary analysis languages and frameworks. In addition, the Veracode Jenkins plugin now supports Credentials Binding and Jenkins Pipeline, which helps Jenkins users mask sensitive data and better support continuous delivery. This release also delivers a new eLearning course on PHP secure coding, and eLearning users now have the capability to print certificates for courses they pass.

Veracode Static Analysis

Static Scanning of Python 2.x Applications
Veracode is excited to announce support of the Python programming language with Veracode Static Analysis. Our support of Python includes support for several important Python application frameworks and libraries, including:
  • Django
  • Flask
  • Requests
  • Cryptography
  • SQLAlchemy
Static Scanning of RPG Applications
Veracode is also excited to announce support of the RPG programming language with Veracode Static Analysis.
Android 7.0 (Nougat) Support
Veracode has improved static analysis of Android applications to support the latest version of Android, Version 7 (Nougat).
PHP 5.6 Support
Veracode has improved static analysis of PHP applications by adding support for PHP version 5.6.
Google Web Toolkit Support
Veracode has improved static analysis of Java applications by adding support for the Google Web Toolkit framework.
Cheerio.js Support
Veracode has improved static analysis of JavaScript applications by releasing support for cheerio.js.
OpenJDK Support
Veracode has improved static analysis of Java applications by releasing support for OpenJDK.
JSX Support
Veracode has improved static analysis of JavaScript applications to provide support for the JSX JavaScript syntax.
Compilation Guide Refresh
We have made some substantial updates to our entire compilation guide and static section of the online Help Center, including clarifying language, removing redundant information, and rearranging content.
Log Entry for Rescan without Reupload
Veracode has improved the Platform to create a log entry when an application rescan is performed.

Veracode Application Security Platform

Allowed IP Addresses Field Now Optional
The Allowed IP Addresses field is no longer required when you create an API user, so you can choose whether or not to apply an IP address restriction to API users.
New eLearning Course Certificate
eLearning users can now be rewarded with certificates after they complete Veracode eLearning courses. You can download these certificates from the Veracode Platform to share or print.
Introduction to PCI Updates
Veracode has updated the Introduction to PCI DSS for Developers course to meet the recent updated standards of the organization. The course now reflects PCI DSS 3.2.

Veracode Secure Development

Jenkins Credentials Binding Plugin Support
The Veracode Jenkins plugin now supports credentials managed by Credentials Binding, to support additional methods for storing and masking Veracode credentials.
Jenkins Pipeline Support
The Veracode plugin now supports Jenkins Pipeline, which allows Jenkins users to manage and store their continuous delivery pipelines as Groovy code. Please note: Pipeline is a separate plugin for Jenkins 1.x, but is included with Jenkins 2.x.

Release 2016.9

The September release of the Veracode service introduces a mitigation workflow for Software Composition Analysis (SCA), improved support for GCC 4.8, CWE 90, and Android 5.1, and two new eLearning courses. API access is now more secure with the introduction of ID/key credentials, and Web Application Security improvements include the integration of linked DynamicMP results into Analytics as well as improved use of the Bing search engine in Discovery scans. Please note: Veracode has now blocked Internet Explorer 10 due to security concerns.

Veracode Static Analysis

GCC 4.8 Support - 32-bit
Veracode has improved static analysis of C and C++ applications by adding support for version 4.8 of the GCC compiler on 32-bit platforms.
CWE 90 (LDAP Injection) Support for Java
Veracode has improved static analysis of Java applications by adding support for CWE 90, LDAP Injection.
Android 5.1 (Lollipop) API Support
Veracode has improved static analysis of Android applications by adding additional security checks for Android 5.1 Lollipop-specific APIs.

Veracode Application Security Platform

Internet Explorer 10 is Now Blocked
Starting in the 2016.9 release, Veracode is blocking Internet Explorer 10 due to security concerns. Please upgrade to a Veracode supported browser now to avoid any issues.
eLearning AppSec Byte for CRLF Injection
There is a new AppSec Byte course about the Carriage Return Line Feed (CRLF) Injection flaw that explains what comprises a CRLF Injection, shows a CRLF Injection attack take place, and teaches how to protect against CRLF Injection.
Secure Coding .NET - Trust Boundaries Course Enhancements
The Secure Coding for .NET - Trust Boundaries course is updated with new interactivity and animations for improved usage of course materials.

Veracode Secure Development

SCA Mitigations
It is now possible to mitigate Veracode Software Composition Analysis (SCA) results using the new mitigation workflow.
VSTS/TFS Integration
An enhancement to the existing Veracode VSTS/TFS Build/Release extension now provides options to import Veracode scan results into a build or release summary and stop a build or release if an application fails policy. This enhancement requires a build or release step to wait for the scan to complete.
VSTS/TFS SSO Support
Single Sign-on (SSO) support is now available for the Veracode VSTS/TFS Build/Release extension, which supports the definition of service endpoints for credential management that can accept either a username and password or an API ID and key.
Local IDE Scan Results
Scan results viewed in Eclipse and IntelliJ are now automatically saved to the local computer. Users can resume work after closing their IDE by opening the local copy of the results. This feature is currently only available for Eclipse and IntelliJ; however, we will provide the same feature for the Veracode Visual Studio integration in the future.
Increased API Security
API security is enhanced with a new, more secure self-managed ID/key credential option that is available to all users. Both current and new API user credentials are supported at this time.

Veracode Web Application Services

Bing Search Engine Discovery Plugin
Veracode has enhanced the ability to use the Microsoft Bing search engine within Discovery to find more websites and more consistent results in general.
Discovery Excel Results Enhancements
We have resolved Excel pivot table issues for Apple Macintosh users who view the Discovery results in Microsoft Excel 2011 and 2016 for Mac.
DynamicMP Analytics
DynamicMP scan results linked to application profiles are now integrated into Analytics in the Platform. Please use the automated application linking feature in DynamicMP.

Release 2016.8

The August release introduces the new Dynamic Vulnerability Rescan feature, which provides the capability to rescan previously found vulnerabilities without running a complete rescan. In addition, the Visual Studio Team Services (VSTS) build extension was updated to support Team Foundation Server 2015 (TFS), and there is new eLearning messaging functionality that allows eLearning managers to send emails to eLearners directly from the Veracode Platform.

Code Security

Handlebars.js Support
Veracode has improved static analysis of JavaScript applications by releasing support for the Handlebars.js template engine.
Hogan.js Support
Veracode has improved static analysis of JavaScript applications by releasing support for the Hogan.js template engine.
TFS 2015 Support
The Visual Studio Team Services (VSTS) build extension was updated to support Team Foundation Server (TFS) 2015 Update 2 and later. The extension integrates with GUI-based TFS builds rather than XAML builds.
Jenkins ID and Key Authentication Update
Veracode has updated the Jenkins plugin to support API ID and Key authentication for job configuration.
Jenkins Plugin Now Stops Build When Applications Fail Policy
The Jenkins plugin now provides functionality for teams to stop a build or release if the application fails policy via the new Wait for scan to complete option.
Streamlined IDE credential storage
Veracode has streamlined the authentication process across all IDE plugins by automatically deselecting the Do not use stored credentials to log in option, eliminating the Make this the default username option, and updating the documentation for Visual Studio, Eclipse, and IntelliJ.
Streamlined JIRA configuration
The JIRA plugin now automatically configures Veracode custom fields to eliminate the most time-consuming and error-prone part of the installation.

Core Platform

Developer Sandbox General Availability
The Developer Sandbox, a patented feature that provides teams the ability to scan applications and measure results against policy without affecting policy score, is now available to all static customers. Please contact Veracode Support to enable the feature for your account.
IE10 Blocked After the 2016.9 Release
Internet Explorer 10 will be blocked from the Veracode Platform by default due to security concerns beginning in September 2016 (the 2016.9 release). Please upgrade to a Veracode-supported browser now to avoid any issues in September 2016. If you use this browser and are unable to upgrade to a Veracode-supported browser, please contact Veracode Support for assistance.
Improved New User Registration Experience
Improvements have been made to the new user registration process, including a unique user-friendly registration page, accompanying emails, and workflow. The registration process utilizes a unique registration code, and is now available in addition to a one-time registration link.
Improvements to Status Column in Triage Flaws View
Improvements have been made to the Status column in the Triage Flaws View. The following statuses have been added, and you can filter on them:
  • Mitigated: findings approved as Mitigated by OS Environment, Mitigated by Network Environment, or Mitigated by Design.
  • Potential False Positive: flaws approved as Potential False Positive.
Mitigation Review Summary Information Now Available in Reports
Mitigation Review Summary information is now available in HTML, PDF and XML application reports.
eLearning Course Status Emails
eLearning managers are now able to send emails to eLearners from the Veracode Platform to prompt them to finish an incomplete course, retake a failed course, or congratulate them for passing a course.
iOS eLearning Course Updated
The Authentication and Authorization for iOS course has been updated based on advances in iOS development and customer feedback.
Updated eLearning Course Interactivity
The Introduction to Web Application Security course has been updated with new interactivity and animations.

Web Application Security

Dynamic Vulnerability Rescan
Veracode is introducing the Dynamic Vulnerability Rescan feature, which provides the capability to rescan previously found vulnerabilities. Instead of running a complete, time-consuming rescan, this feature saves you time by quickly rescanning only the known vulnerabilities. The DynamicDS Scanner Options page has an additional option to run a flaw-only rescan. The Dynamic Flaw Inventory page provides a view of vulnerabilities across multiple scans with detailed statuses:
  • New
  • Open and Reopened
  • Cannot reproduce
  • Fixed
Dynamic Reporting Updates
The DynamicDS Summarized Results on the Veracode Platform and detailed PDF and XML reports available for download have been updated to match the new DynamicDS flaw inventory statuses.
  • A new Cannot Reproduce status
  • New, Open, Reopened, Fixed status counts are now calculated using the new status definition logic for DynamicDS scans only
The detailed PDF report has been updated with an Appendix B to show the Dynamic Flaw Inventory Status. The schema validation for the XML has been updated with the new dynamic status definitions. The Reports API detailedreports.do has been updated to ensure dynamic flaw results in both Platform and API are in sync.

Release 2016.7

The July release provides increased support for .NET, Ruby on Rails, and GCC. In addition, there is support for two new CWEs, enhanced support for three currently supported CWEs, and Software Composition Analysis (SCA) results are now available in the XML report on the Veracode Platform. The IntelliJ plugin is updated to support IntelliJ IDEA versions up to 2016.1.x.

Code Security

.NET Core 1.0 Support
Veracode has improved static analysis of .NET applications to support .NET Core 1.0. Additional support for .NET Core 1.0-specific APIs and features will be added in future releases.
Ruby on Rails 4.x Support
Veracode has improved static analysis of Ruby on Rails applications by adding support for Ruby on Rails Version 4.x.
GCC 4.8 Support
Veracode has improved static analysis of C and C++ applications by adding support for version 4.8 of the GCC compiler.
Cryptography-related Scan Improvements
Veracode has improved static analysis of Java applications by refining existing and adding support for additional cryptography-related findings in Java applications. Veracode now supports CWE 338 and 780, and has refined detection of CWEs 326, 327, and 329.
SCA Results
Veracode customers who have Software Composition Analysis (SCA) can now view those results in the XML report available in the Veracode Platform and by using the Veracode APIs.

Code Platform

IntelliJ IDEA 2016.1.x Support
Veracode has updated the IntelliJ plugin to support IntelliJ IDEA versions up to 2016.1.x.