2018 Release Notes

Veracode Release Notes

View the list below for highlights of releases in 2018.

Veracode Static Analysis

December 19, 2018

Java 11 Compatibility Support
Veracode Static Analysis has improved support of Java applications by adding compatibility support for Java 11.
Angular 5 and 6 Support
Veracode Static Analysis has improved support of JavaScript applications by adding support for Angular versions 5 and 6, as well as improved support for the latest revisions to Angular Templates.
Improved .NET Core 2.1 Support
Veracode Static Analysis has improved support of .NET applications by adding new security checks for APIs specific to .NET Core 2.1. This enhancement may result in additional static findings for applications using .NET Core.
Improved iOS 12 Support
Veracode Static Analysis has improved support of iOS applications by adding new security checks for APIs specific to iOS 12. This enhancement may result in additional static findings for applications using iOS 12 APIs.
Android 9 Compatibility Support
Veracode Static Analysis has improved support of Android applications by adding compatibility support for Android 9 (Pie).
Improved Android Findings
Veracode Static Analysis has improved support for Android applications by testing for additional security issues based on components registered in the Android manifest file. These findings are reported as CWE 926. This enhancement may result in additional static findings for Android applications.
Improved Estimated Completion Time Notifications
Veracode has improved the Veracode Platform to more clearly communicate updates to the estimated completion time of a Veracode Static Analysis scan.

November 19, 2018

.NET Core 2.1 Compatibility Support
Veracode Static Analysis now supports compatibility with .NET Core 2.1. Support for APIs and features specific to .NET Core 2.1 will be added in future releases.
Improved ASP.NET Core 2.0 Support
Veracode Static Analysis has improved support of .NET web applications by adding new security checks for ASP.NET Core 2.0. This enhancement may result in additional static findings for applications using ASP.NET Core.
Improved Android 8 Support
Veracode Static Analysis has improved support of Android applications by adding new security checks for Android 8 (Oreo). This enhancement may result in additional static findings for applications using Android 8 APIs.
Improved React Native Support
Veracode Static Analysis has improved accuracy for React Native applications. This enhancement may result in additional static findings for React Native applications.
Improved Perl Scan Performance
Veracode Static Analysis has improved performance and accuracy for Perl applications. This enhancement may result in faster results for Perl scans.
Retiring the Static Legacy Scan Engine Option
Veracode is discontinuing support of the Static Analysis legacy scan feature in March 2019. If you have used this feature in 2018, it remains available to you until March. If you have not used it in 2018, it is no longer available.
If this change impacts you, contact your Veracode account manager for best practices on discontinuing the use of legacy scanning in your security testing program.

October 27, 2018

Improved C++ Scan Performance
Veracode has improved static analysis performance and accuracy for C++ applications. This improvement may result in faster results for C++ scans.

October 15, 2018

Zend Framework 2 and 3 Support
Veracode has improved static analysis of PHP applications using the Zend framework by adding support for security checks for Zend versions 2 and 3.
You may find that Veracode Static Analysis finds additional flaws in applications using Zend.
Retiring the Static Legacy Scan Engine Option
Veracode is discontinuing support of the Static Analysis legacy scan feature in March 2019. If you have used this feature in 2018, it remains available to you until March. If you have not used it in 2018, it is no longer available.
If this change impacts you, contact your Veracode account manager for best practices on discontinuing the use of legacy scanning in your security testing program.

September 27, 2018

Groovy and Grails Support
Veracode is pleased to announce support of applications written in the Groovy language for Veracode Static Analysis. This release also includes support for the Grails web application framework.
ASP.NET Core 2.0 Improvements
Veracode has improved static analysis of .NET web applications by adding new security checks for ASP.NET Core 2.0-specific APIs.

You may find that Veracode Static Analysis finds additional flaws in applications using ASP.NET Core.

Spring 5 and Spring Boot 2 Improvements
Veracode has improved static analysis of applications using the Spring Framework by adding new security checks for Spring 5 and Spring Boot 2.

You may find that Veracode Static Analysis finds additional flaws in applications using Spring.

Android 8 Improvements
Veracode has improved static analysis of Android applications by adding new security checks for APIs specific to Android 8 (Oreo).

You may find that Veracode Static Analysis finds additional flaws in applications using Android 8 APIs.

iOS 12 Compatibility Support
Veracode has improved static analysis of iOS applications by adding compatibility support for iOS 12 and Xcode 10. Support for iOS 12-specific features will be added in future releases.
Veracode has also improved support of iOS applications by adding new security checks related to certificate management.
Note: iOS applications built for iOS 11 and 12 must be compiled using bitcode.
Additional Supported Cleansing Functions
Veracode has added support for several additional third-party cleansing functions.

The Veracode Platform now automatically identifies usage of these functions and considers data that use them protected.

August 23, 2018

Go Support General Availability
Veracode is pleased to announce support of applications written in the Go language for Veracode Static Analysis.
Python 3 Improvements
Veracode has improved static analysis of Python applications by adding additional security checks for APIs specific to Python version 3. You may find that Veracode Static Analysis finds additional flaws in applications using Python version 3.
GCC 5 and GCC 6 Support
Veracode has improved static analysis to support C and C++ applications built using the GCC 5 and 6 compilers.
Zend Framework Improvements
Veracode has improved static analysis of PHP applications using the Zend framework, by adding additional security checks for Zend version 1.
You may find that Veracode Static Analysis finds additional flaws in applications using Zend.
Spring Framework Improvements
Veracode has improved static analysis of applications using the Spring Framework, by adding additional security checks for the Spring JSP tag library.
You may find that Veracode Static Analysis finds additional flaws in applications using Spring and the JSP tag libraries.
COBOL Improvements
Veracode has improved support for COBOL applications by improving scan accuracy, as well as adding compatibility support for several new COBOL dialects.

July 30, 2018

React Native Support
Veracode has improved static analysis support of mobile applications by releasing support for the React Native cross-platform mobile framework.
Kotlin Android Support
Veracode has improved static analysis support of Android applications by releasing support for Android applications built using the Kotlin programming language.
Support for Red Hat Enterprise Linux 7 (64-bit)
Veracode has improved static analysis support of C++ applications by releasing support for applications built for Red Hat Enterprise Linux version 7.
ECMAScript 2018 Support
Veracode has improved static analysis of JavaScript applications by building support for the ECMAScript 2018 language standard.
.NET Accuracy Improvements
Veracode has improved scan accuracy of ASP.NET Razor applications.
Updated Cleansers for Spring and GWT
Veracode has improved static analysis of Spring and Google Web Toolkit (GWT) applications by recognizing additional cleansing functions. For applications that already use these functions, you may find a decrease in flaws reported by Veracode.

June 28, 2018

Improved iOS 11 and Swift Support
Veracode has improved static analysis of iOS applications by adding several new security checks for applications built for iOS 11, as well as improved support of the Swift programming language.
You may see additional findings as a result of these improvements.
Additional Python Security Findings
Veracode has improved static analysis of Python applications by adding several new security checks for SSL and TLS-related flaws.
You may see additional findings as a result of these improvements.
Improved Spring MVC 4 Findings
Veracode has improved static analysis of applications using the Spring MVC framework, by adding new security checks for Spring MVC version 4.
You may see additional flaws in applications using Spring MVC.
Improved Flaw Mitigation Consistency
Veracode has improved the static flaw review process to more consistently apply mitigations between scans. This improvement resolves some circumstances where flaw mitigations would not persist in subsequent scans of the same application.
Updated Language Support Documentation
Veracode has updated the documentation in the Help Center to indicate more clearly the maturity of static analysis support for several technologies.
JavaScript Performance Improvements
Veracode has improved static analysis performance of JavaScript applications, which may result in faster JavaScript scans for most customers.

May 24, 2018

Java 9 and 10 Compatibility Support

Veracode has improved static analysis to support compatibility with Java 9 and 10 applications.

Security checks for Java 9 and 10 specific features will be released in a future Veracode release.

Vue.js Support

Veracode has improved static analysis of JavaScript applications to support 1.x and 2.x versions of the Vue.js framework and Vue-router 1.x - 3.x.

You may see additional findings as a result of this improvement.

Improved ASP.NET Core 1.1 and .NET Core 2.0 Support

Veracode has improved support and accuracy for ASP.NET Core 1.1 and .NET 2.0 applications.

You may see additional findings as a result of this improvement.

April 26, 2018

Visual C++ 2017 Support

Veracode has improved static analysis of Visual C++ applications to support Visual C++ 2017. You may see additional findings as a result of these improvements.

Zend PHP Framework Support

Veracode has improved static analysis of PHP applications to support version 1 of the Zend framework. Additional security findings for the Zend framework and support for additional versions of Zend will be coming in future releases. You may see additional findings as a result of these improvements.

Custom Cleansers Support for Cross-Site Scripting

Veracode has added support for the additional flaw class of cross-site scripting to the custom cleansers functionality.

Spring Boot 2.x Support

Veracode has improved static analysis of Java applications to support compatibility with the Spring Boot 2.x framework. Support for new Spring Boot 2.x features will be added in future releases.

Improved JavaScript Analysis

Veracode has improved static analysis of JavaScript applications to support analysis of source map files. When you submit source map files that include JavaScript source, Veracode can analyze them, leading to higher quality scan results, particularly in the case of JavaScript applications that are minified.

Additional iOS 11 Findings

Veracode has improved static analysis of iOS applications by adding several new security checks for applications built for iOS 11. You may see additional findings as a result of these improvements.

Additional Android Findings

Veracode has improved static analysis of Android applications by adding several new security checks for secure sockets layer (SSL) and certificate verification flaws. You may see additional findings as a result of these improvements.

Improved iOS Prescan Warnings

Veracode has improved the user experience of submitting iOS applications by adding more details to the prescan warning messages that users may encounter while submitting iOS applications.

April 4, 2018

ACUCOBOL-GT Support

Veracode has improved static analysis of COBOL applications by adding support for the ACUCOBOL-GT dialect.

March 22, 2018

Python 3 Support
Veracode has improved static analysis of Python applications to support Python 3.
Go Early Adopter Access

Veracode is pleased to announce early adopter support for the Go programming language.

If you are interested in participating in the early adopter program, contact your Veracode program manager.

General release support for Go will come in a future release.

Additional Android Security Findings
Veracode has improved static analysis of Android mobile applications by adding additional security checks for CWE 327, use of a broken or risky cryptographic algorithm. You may see additional findings as a result of these improvements.

March 20, 2018

Mobile Permissions Data Exports

Veracode has improved the mobile behavioral analysis user experience by enabling users to download a list of mobile permissions identified in a mobile application. You can download these data exports as a CSV or XML file.

February 22, 2018

.NET Core 2.0 Support
Veracode has improved static analysis of .NET applications to support .NET Core 2.0 and ASP.NET Core 2.0.
Improved .NET Support

Veracode has improved static analysis of .NET and ASP.NET applications by adding additional security checks for .NET 4.7 and ASP.NET Core 1.1 APIs. You may now notice that Veracode Static Analysis finds additional flaws as a result of this enhancement.

Ember.JS Support

Veracode has improved static analysis of JavaScript applications by implementing support for Ember.JS. You may now notice that Veracode Static Analysis finds additional flaws as a result of this enhancement.

Additional Xamarin Support

Veracode has improved static analysis of Xamarin applications by adding support for additional versions of Xamarin.Android and Xamarin.iOS. Veracode has also added support for the Xamarin.Mac platform.

Improved Play Framework Support

Veracode has improved static analysis of Java and Scala applications by adding additional security checks for the Play framework.

You may now notice that Veracode Static Analysis finds additional flaws in applications using the Play framework.

64-Bit Visual C++ Support
Veracode has improved static analysis of Visual C++ applications by adding support for applications compiled on 64-bit operating systems.
Simplified Mobile Permissions Testing for Android

Veracode has simplified the experience of reporting on mobile application permissions for Android applications. Now you do not have to select a separate module during the upload process to view mobile permissions findings.

Mobile permissions are now automatically reported for every Android scan submitted. You can view the findings from the Mobile Behavioral Analysis link on the Veracode Platform.

February 20, 2018

Email Notifications for Accelerated Results

Veracode has improved scan results communication by sending an email informing you when the first module that includes flaws is ready for review. You can begin reviewing these flaws while a scan is in progress.

February 6, 2018

Improved Accuracy for Cross-Site Scripting (XSS) Findings

Veracode has improved static analysis to better identify when you use cleansing functions to protect your applications against cross-site scripting. You may notice additional cross-site scripting findings because of this improved accuracy.

January 23, 2018

Component Changes Between Scans

Veracode has released improvements to the static analysis module review user experience. You can now view a greater level of detail about which components changed between the most recent scan of an application and the previous scan.

Details of these changes are also now available in the downloadable module report list from the Veracode Platform.

Spring MVC 4 Support

Veracode has improved static analysis of applications using the Spring MVC framework by adding security checks for Spring MVC version 4.

You may notice that Veracode Static Analysis now finds flaws in applications using Spring MVC.

Spring 5 Support

Veracode has improved static analysis of Java applications to support the Spring 5 framework.

Improved JavaScript Analysis and Findings

Veracode has improved static analysis performance and accuracy of JavaScript applications.

You may now see additional flaws in JavaScript applications as a result of these improvements.

Improved Play framework Application Findings

Veracode has improved static analysis of Java and Scala applications by adding more security checks for the Play framework.

You may now notice that Veracode Static Analysis finds additional flaws in applications using the Play framework.

Improved AngularJS Findings

Veracode has improved static analysis of AngularJS applications by adding more security checks for AngularJS 1.x series applications.

You may now notice that Veracode Static Analysis finds additional flaws in applications using AngularJS 1.x.

Improved Android 7 Findings
Veracode has improved static analysis of Android applications by adding security checks for more Android 7 (Nougat) specific APIs. You may now notice that Veracode Static Analysis finds additional flaws in Android applications.

Veracode Application Security Platform

View the list below for highlights of previous releases.

December 17, 2018

New REST APIs for Applications and Findings

New REST APIs allow you to easily retrieve static, dynamic, manual penetration testing, and SCA findings. You can obtain a history of each finding and retrieve only findings that meet your criteria, including findings that changed within a certain period of time.

Deletion of Artifacts from Unsubmitted Scans
If you configure a scan and upload files for Veracode Static Analysis but never submit the scan, Veracode deletes the binaries after 60 days, even if the scan was prescanned. If you log in to the Veracode Platform and edit or submit the scan, triggering a prescan, the 60-day time resets and the binaries are not deleted. This feature provides you with enhanced security by ensuring that unsubmitted binaries are removed in the same way that submitted binaries are removed.

November 27, 2018

New Greenlight User Role
A new Veracode Greenlight user role is now available in the Veracode Platform, for organizations that have active Greenlight subscriptions. Starting January 16, 2019, only users with the Greenlight role will be able to submit Greenlight scans and review results.
Deprecated Analysis Report
Veracode has deprecated the Analysis Report, as all of its components are available in the new Customizable Report that was released in September 2018.

October 27, 2018

Policy Preview in Sandbox Scans

You can now use the Fix for Policy filter in the Triage Flaws view for sandbox scans. It is now possible to see a preview of how mitigations affect the policy evaluation in sandbox scans as you can for policy scans.

Maintenance Message Modification
Veracode changed the message "Veracode is undergoing scheduled maintenance" to "Veracode is undergoing maintenance," to clarify that some downtime is not scheduled.

You can view more detailed information about the availability of the Veracode Platform on status.veracode.com, which is now linked from the maintenance page.

Analysis Report Changes
Veracode plans to remove access to the Analysis Report in a future release. Veracode recommends that you download the Customizable Report instead, which enables you to specify what information is included in your report.
New Analytics Features Planned
Veracode plans to provide updated analytics features in an upcoming release. In preparation for these new features, Veracode plans to remove access to the existing Custom Reports and dashboards. If you are actively using the Custom Reports and dashboard features today, contact your Veracode Program Manager to prepare the transitioning of your reports to the new Analytics.

September 18, 2018

Customizable PDF Report
Veracode has released a new PDF report that you can customize to include only the information you need when generating the report. You can now choose which findings, scan types, and sections are included in the report. You can download the customizable PDF report from Results > Download > Customizable Report (PDF).
Note: The Customizable Report has replaced the New Detailed Report in the dropdown menu.
New Mobile Security Policies

Veracode has released a new recommended mobile policy to help users focus on the risks most pertinent to mobile application platforms. You can select this policy in the Policy Manager section of the Veracode Platform.

Veracode has also released support for the OWASP Mobile Top Ten security standard that you can use to build custom security policies.

August 29, 2018

New eLearning Course: OWASP 2017
Veracode eLearning has released a new course on OWASP 2017. This course highlights the most common security vulnerabilities from the OWASP 2017 standard that affect web applications. eLearning users now have an overview of the security vulnerabilities included in the 2017 release of the OWASP Top 10 and an outline of remediation techniques for these security issues. If you are an administrator who uses a customized curriculum, you can add the OWASP 2017 course to existing and new curricula by selecting the required option in the Curriculum Details section.

July 24, 2018

Export Data Reports Update
The Export Data reports are updated to resolve an issue that caused numeric IDs to incorrectly display as commas when the format of the reports was converted from CSV to XLS.
Manual Penetration Testing Findings Added to New Detailed Report
Veracode has added support for Manual Penetration Testing findings to the New Detailed Report. With this enhancement, you can generate a single PDF report that includes every Veracode analysis type for your application.

June 28, 2018

New PDF Report Available
Veracode now provides a new PDF report with SCA scan data and updated Veracode branding. To access the new PDF, navigate to your latest scan results and click download.
Note: Veracode Manual Penetration Testing results are not available in the new PDF Report at this time.

June 27, 2018

Launch of Veracode Status Page
Veracode is pleased to announce the availability of status.veracode.com, which tracks the uptime and responsiveness of user-facing services, including the Veracode Platform, the API authentication gateway, and the Help Center. With this site, you can check service availability overall as well as see if there are problems in any geographical areas.
If Veracode is experiencing any production issues, status.veracode.com is updated, advising our users of the issue. This site helps users who are having trouble determining if Veracode services are unavailable for everyone or if it is an issue with their connection.
Next-Day Scheduling for Consultation Calls
Users who have purchased a next-day scheduling SKU now have the ability to schedule consultation calls for the following day through the automated scheduling workflow.
Improvement to Sorting All Applications with Mitigations Page
In this release, Veracode has corrected an issue that caused a limitation in sorting functionality on the All Applications with Mitigations page. Sorting now works as intended across all results.
Mitigation Flaws View Filter for Current Mitigation Conformation Status
The Mitigation Conformation filter in the mitigation workflow now filters for the present state for conforms or deviates from guidelines. This update allows you to easily filter the results to see the current mitigation conformation status of the flaw.
Updated Validation and Encoding for Android Course
Veracode is releasing an updated version of the Validation and Encoding for Android eLearning course with new interactive points and animations. This course is now HTML5-compliant, providing an improved experience for eLearning users.
Improved eLearning API Documentation with Code Examples
Veracode has updated the Help Center documentation for the eLearning REST API calls to include new example code and JSON output. This update provides guidance on usage of these APIs and how users can import eLearning data into their own Learning Management System (LMS).

May 29, 2018

Threat Modeling eLearning Course Enhancements

The Threat Modeling eLearning course is updated with new interactive points and animations. This course is now HTML5-compliant, providing an improved experience for eLearning users.

Course Updates for OWASP Top 10 2017 Standard
The following eLearning courses are updated with references to the new OWASP Top 10 2017 standard:
  • Secure Coding for .Net - Validation and Encoding
  • Secure Coding for .Net - Information Handling
  • Secure Coding for .Net - Authorization
  • Secure Coding for .Net - Authentication
  • Secure Coding for .Net - Trust Boundaries
  • Secure Coding for .Net - Data Protection
  • Secure Coding for .Net - Configuration and Deployment

May 22, 2018

OWASP Top 10 2017 Implementation

Veracode now supports the 2017 version of the OWASP Top 10 in policies using either the Latest OWASP or PCI Security Standards. Using this new version means that applications with policies that include these standards are now evaluated against the 2017 version of the OWASP Top 10, instead of the 2013 version. This change can cause applications to have different policy results.

To revert your policy back to the OWASP Top 10 from 2013, select the Legacy OWASP 2013 security standard in your policy settings. If you revert your policy, it will be reevaluated when you run your next scan.

Note: The reevaluation of older scans against policies that include the Latest OWASP or PCI Security Standards may take several hours to complete after the 18.5 release.
Sandbox Mitigation Count Correction

With this release, an issue that caused some mitigations created in association with sandbox scan results to be miscounted on the All Applications with Mitigations - Completed Scans page has been resolved.

April 24, 2018

OWASP Top 10 2017

In the 2018.5 May release, Veracode will update the Latest OWASP security standard option that you can select when creating policy rules, to reflect the update from the 2013 version of the OWASP Top 10 to the 2017 version. With this change, all policies that use the Latest OWASP or PCI security standards will also update. Therefore, applications associated with policies that include these standards may now have different policy compliance results because they are being evaluated against the 2017 version of the OWASP Top 10, instead of the 2013 version.

To continue using the OWASP Top 10 from 2013, select the Legacy OWASP 2013 security standard in your policy settings.

Note: MITRE has made a minor update to the 2013 version of the OWASP Top 10, which Veracode will also apply in the May 2018.5 release.
eLearning Program Year Reset
eLearning administrators can now set a start date for an eLearning program year. On this date, all courses are reset so that it is clear to all learners that they must take all required courses for the new program year, even if they have taken them before.
eLearning AppSec Tutorial Updates for OWASP Top 10 2017 Standard
Veracode is continuing to update eLearning courses with references to the new OWASP Top 10 2017 standard. This month the Introduction to PCI DSS 3.2 for Developers Application Security Testing and Secure Coding for Java AppSec modules were updated.

March 28, 2018

eLearning Updates for OWASP Top 10 2017 Standard
The Secure Coding for PHP AppSec Tutorials are updated with references to the new OWASP Top 10 2017 standard.

March 20, 2018

Updated Support Hours in New User Email

Veracode has updated the email that new users receive to provide the new support hours for users to contact Veracode.

OWASP Top Ten 2013 Legacy Option

In preparation for the upcoming update to OWASP Top Ten 2017, which Veracode does not yet support, Veracode has made available a legacy OWASP 2013 standard that you can use in your policy. If you choose this option, the applications assigned to your policy are not affected by the upcoming update to OWASP 2017.

By default, all policies that use the OWASP or PCI 3.2 security standards will use OWASP 2017 when Veracode implements support for that standard.

If you do not want your policy to be affected by the OWASP 2017 update, you must update your policy to apply the legacy OWASP 2013 standard. Veracode does not offer a legacy version of PCI using OWASP 2013.

Note: The Veracode policy management feature does not yet support OWASP Top Ten 2017. Veracode must coordinate with MITRE on updates to the CWE before making the transition to the latest version of the OWASP Security Standard. Veracode is committed to making the updates and will notify you in the release notes and in the Veracode Application Security Platform, informing you of this major update.

February 26, 2018

eLearning AppSec Tutorial Updates for OWASP Top 10 2017 Standard
The following AppSec Tutorials are updated with references to the new OWASP Top 10 2017 standard.
  • Cross-site Scripting
  • Open Redirects
  • Information Leakage

February 20, 2018

Custom Severity Reporting Update
The following Export Data reports are updated to account for custom severities in policies:
  • DynamicMP Aggregate Report
  • DynamicMP Remediation
  • Mitigation Data
This enhancement eliminates inconsistencies in those reports when policies include custom severities.
Updated Detailed Report XSD File

In preparation for the upcoming update to OWASP 2017, which is not yet supported in the Veracode Platform, Veracode has updated the detailed report XSD file. The XSD file was updated to include an OWASP2013 rule set to differentiate it from the latest OWASP rule set. The latest OWASP rule set will update to OWASP 2017 when it is available from MITRE.

The detailed report XSD file is updated to include two additional parameters:
<xs:attribute name="owasp" type="xs:positiveInteger" use="optional"/>
<xs:attribute name="owasp2013" type="xs:positiveInteger" use="optional"/>

January 30, 2018

Security Awareness eLearning Course Update
The Security Awareness eLearning course is updated with new interactive points and animations. This course is now HTML5-compliant, providing an improved experience for eLearning users.

January 23, 2018

OWASP Top Ten 2017 – Not Yet Supported

The Veracode policy management feature does not yet support OWASP Top Ten 2017. Veracode must coordinate with MITRE on updates to the CWE before making the transition to the latest version of the OWASP Security Standard.

Veracode is committed to making the updates and will notify you in the release notes and in the Veracode Application Security Platform, informing you of this major update. In addition, Veracode will provide a new Security Standard aligned to the OWASP 2013 to enable you to upgrade to the latest version of OWASP at your convenience.

Platform Access Lockout Improvements

Veracode is improving the process of logging into the Veracode Platform. With this release, the Veracode Platform automatically recommends that you reset your password if you fail to successfully log in three consecutive times. This improvement addresses a common cause of login difficulties, and with this improvement users are less likely to accidentally lock themselves out of their Veracode account.

Veracode Software Composition Analysis

View the list below for highlights of previous releases.

December 28, 2018

SourceClear SCA PDF Report

You can now generate a PDF report of your SourceClear SCA workspace project scan results. You can generate a PDF report from a workspace portfolio or an individual workspace.

October 31, 2018

New License Risk Policy Rule

Veracode Software Composition Analysis now gives you the ability to evaluate license risk in your applications against policy. The new license risk rule provides the ability to prevent applications from passing compliance based on the presence of a low, medium, or high risk license in third-party libraries.

October 10, 2018

SourceClear .NET Support
SourceClear users can now scan .NET applications for third-party libraries and licenses to find the risk associated with them. You can access this enhanced language support under the Agent menu to deploy a continuous integration agent for Windows.
Note: This release includes support for vulnerable methods, but does not include the ability to view all the .NET third-party libraries and vulnerabilities in the SourceClear Vulnerability Database.

October 4, 2018

SourceClear Organization-Level Agents
SourceClear users with Enterprise subscription plans can now deploy and manage continuous integration/command-line interface (CI/CLI) agents from the organization settings instead of creating agents for each individual workspace. You must have the Organization Owner or Organization Administrator role to create organization-level agents.

September 26, 2018

SourceClear CVSS 3 Support

SourceClear users with Enterprise subscription plans can now view the vulnerabilities in their third-party libraries in the context of the Common Vulnerability Scoring System (CVSS) version 3 scoring metric.

July 24, 2018

Additional Data Source for JavaScript Vulnerabilities
Veracode Software Composition Analysis now supports the SourceClear Vulnerability Database as a data source for JavaScript vulnerabilities. The National Vulnerability Database has not yet assigned CVEs to the majority of JavaScript vulnerabilities. However, SourceClear is able to identify and report on these non-CVE vulnerabilities. To ensure Veracode SCA customers have all of the available information on potential vulnerabilities with their JavaScript components, Veracode uses SourceClear data to assist in identifying non-CVE vulnerabilities.
New Default Veracode Recommended Policies for SCA
Veracode now supports three new default Veracode Recommended Policies that include SCA findings. These policies leverage three new Veracode Levels that include SCA findings.
For this initial release, Veracode Levels for applications are not automatically recalculated after you implement vulnerability data updates. You must scan applications again to reflect the most up-to-date Veracode Level calculation. This issue will be addressed in an upcoming release.

July 9, 2018

Vulnerabilities List Now Updated Twice a Week
Starting July 9, 2018, Veracode updates the vulnerabilities list every Monday and Wednesday between 12:00pm and 10:00pm ET to reflect any changes in the National Vulnerability Database.

June 27, 2018

All Open-Source Licenses Displayed on Third-Party Components
Users can now view all open-source licenses recognized in a third-party component in their Software Composition Analysis results.
When you view Software Composition Analysis applications at the portfolio level, you cannot sort the grid by license, but you can use the filter functionality to find specific licenses. If you view Software Composition Analysis results at the application level, the sort functionality for lists of open-source licenses works as expected. A future release will provide the ability to sort licenses at the portfolio level.

June 13, 2018

JavaScript Bower and Yarn Support for SCA
Veracode has improved software composition analysis of JavaScript applications by implementing support for Bower and Yarn package managers as data sources.
If you use JavaScript components from these package managers you may see additional findings as a result of this improvement.
Note: You must package your application according to the instructions to properly identify JavaScript components from Bower and Yarn.

Veracode Integrations

View the list below for highlights of previous releases.

November 21, 2018

Jenkins Plugin Enhancements
The Veracode Jenkins Plugin version 18.11.5.8 includes the following enhancements:
  • The Veracode Jenkins Plugin allows Jenkins to accept a single quotation mark as part of a sandbox name.
  • The flaw count is now displayed in red if the number of flaws that do not pass policy is greater than zero.
  • The Veracode Jenkins Plugin now supports environment variables for include and exclude filepath patterns.

November 8, 2018

Jira Integration Custom Mapping Enhancements
The Veracode Integration for Jira update v3.1.5 provides expanded options for mapping Veracode Platform fields and custom fields to Jira fields, to provide additional flexibility for reporting security flaws in user Jira environments.
Jira Integration State Transitioning Improvement
The Veracode Integration for Jira update v3.1.5 provides improved state transitioning so that vulnerabilities reported in an earlier scan and not captured in a successive scan now report a successful state transition status.

October 22, 2018

Visual Studio Extension Enhancements
The Veracode Visual Studio Extension is updated to provide the following enhancements:
  • Flaws displayed in the Results Viewer are deselected when you select a different filter.
  • Property pages in .NET Core projects are no longer at risk of breaking.

October 9, 2018

Veracode Adds Support For Latest TeamCity Version
Veracode adds support for TeamCity 2018.1.2 in the TeamCity Plugin.

September 27, 2018

Fixed Flaws Excluded from Eclipse Plugin Results
The Veracode Eclipse Plugin is updated to exclude fixed flaws in the Flaw Detail view of Eclipse. Previously, you would see fixed flaws in addition to currently open flaws on the Flaw Detail view. To make the Flaw Detail view more useful, only currently open flaws are shown.
Fixed Flaws Excluded from IntelliJ Plugin Results
The Veracode IntelliJ Plugin is updated to exclude fixed flaws in the Flaw Detail view of IntelliJ. Previously, you would see fixed flaws in addition to currently open flaws on the Flaw Detail view. To make the Flaw Detail view more useful, only currently open flaws are shown.

September 20, 2018

Visual Studio Extension Updated to Improve Precompilation Process
The Veracode Visual Studio Extension is updated to improve the precompilation process to avoid such issues as XML errors, random REM timeouts, and anti-virus application crashes.
Java API Wrapper Certified For Latest Java Versions
The Java API wrapper is updated to support Java versions 9 and 10.
VSTS Extension Update
The VSTS Flaw Synchronizer is updated to include Scrum and CMMI process templates so you can use the Flaw Importer task to generate work items in these new templates. Note that Visual Studio Team Services (VSTS) is rebranded as Azure DevOps.

September 13, 2018

Jira Integration is Updated to Expand Custom Field Mapping
Veracode Integration for Jira expands the functionality of mapping Veracode API data fields into Jira by including more application, scan, and flaw-level fields.

August 21, 2018

Visual Studio Extension Flags Corrected for Debug Information for C++ Projects

The Veracode Visual Studio Extension is updated to correct the build flags for C++ projects in Visual Studio 2017, and include debug information.

August 7, 2018

Hide Veracode Summary When No Tasks Performed for VSTS Extension
The Veracode Visual Studio Team Services Extension is updated to hide the Veracode Summary section in the VSTS build results when no Veracode tasks are included in the build definition. This update improves speed and adds clarity to the build results.
VSTS Extension Updates
The Veracode Visual Studio Team Services Extension is updated to implement the following improvements:
  • The Veracode Upload and Scan vNext build task now properly provides Veracode results in the build results for the release pipeline.
  • Custom tags that users add to work items are no longer removed during flaw imports.
  • The Veracode Flaw Importer task no longer pulls data from outdated dynamic scans. This issue had caused the extension to import flaws that had already been corrected.
  • Flaws categorized as Informational in the Veracode Platform are now mapped as Low severity flaws in VSTS.

July 31, 2018

Manually Manage Mitigated Findings for Jira Integration
The Veracode Integration for Jira now supports the option to manually manage the status of findings mitigated in the Veracode Platform.
Manually Closed Issues are Reopened for Jira Integration
The Veracode Integration for Jira is updated to automatically reopen issues that had been manually closed in Jira if the issue is found in the Veracode Platform during the next scan.
C# Wrapper Update
The Veracode C# wrapper is updated to resolve an issue that prevented users from passing the issamluser and customid parameters when creating new users.

June 28, 2018

SCA Import Functionality for Jira Integration
The Veracode Integration for Jira now supports importing Software Composition Analysis findings into Jira.
Updated User Interface for Jira Integration
The administration page of the Veracode Integration for Jira is updated to provide a more streamlined user experience.
Java API Wrapper Update
The criticality parameter for the createapp, updateapp, and uploadandscan API calls is updated from required to optional for the Veracode Java API wrapper. This change enables users to perform these actions without needing to invoke additional API calls.
Resolved Filepath Issue with Scan Results for IntelliJ Plugin
The Veracode IntelliJ Plugin is updated to resolve an issue that caused the wrong file to open when users tried to view their scan results.

June 21, 2018

Resolved Import Issue for HPE ALM
The Veracode HPE ALM Synchronizer Plugin is updated to resolve an issue users encountered when importing flaw data while a Veracode scan is in progress.

June 15, 2018

Import Limits per Application for Jira
The Veracode Integrations for Jira and Jira Cloud now allow you to limit the number of flaws imported to Jira on a per application basis, with higher severity flaws imported first. This functionality allows you to set a limit that applies to each application and set custom limits for specific applications.
Resolved Build Issues for TFS XAML
The Veracode TFS XAML Build Integration is updated to resolve validation issues users encountered when running builds with TFS XAML 2013.

May 30, 2018

Linux Support for VSTS Extension

The Veracode Visual Studio Team Services Extension now supports VSTS and TFS build agents running on Linux.

May 23, 2018

CA Veracode Integration for CA Agile Central

The CA Veracode Integration for CA Agile Central is now available. The integration allows you to automatically create, update, and close defects in CA Agile Central based on Veracode findings, as well as propose flaw mitigations within the defect in CA Agile Central.

Jenkins Plugin Configuration for Sandbox Scans that Fail Policy
The ability to configure the Veracode Jenkins Plugin to automatically fail builds that fail policy is now extended to sandbox scans. This update matches the existing functionality for policy scans.

May 16, 2018

Visual Studio Extension Updates
The Veracode Visual Studio Extension is updated to provide the following enhancements:
  • When the extension encounters invalid files during an upload, it excludes them and continues the upload, instead of stopping it.
  • The VSIX Installer includes a Veracode digital signature to verify the authenticity of the extension.
  • You can save scans, application profiles, and sandboxes that contain special characters that violate Windows naming conventions to your Windows system without generating errors.
VSTS Extension Updates

The Veracode Visual Studio Team Services Extension is updated to improve security, resolve issues with passing proxy settings, and provide a revised description of the extension on the VSTS marketplace.

April 24, 2018

Veracode Java API Wrapper Updates
The Veracode Java API wrapper is updated to:
  • Correctly report the status of sandbox scans that fail policy
  • Enable deployment method configuration when creating or updating an application
  • Improve performance for sandbox scans running behind a proxy

April 19, 2018

Custom Field Mapping in Jira Cloud
The Veracode Integration for Jira Cloud is updated to support mapping Veracode application custom fields to Jira fields. This feature allows Jira administrators to easily update tickets with information from the Veracode Platform, including the ticket subtype, assignee, and other standard and custom fields.

March 29, 2018

C# API Wrapper Updates
The Veracode C# API Wrapper is updated to expose the following optional parameters for the uploadandscan composite action that refine module selection:
  • toplevel - Limits the scan to top-level modules.
  • scanallnonfataltoplevel - Limits the scan to top-level modules with no fatal errors.
  • selectedpreviously - Limits the scan to modules selected in the previous scan.
This update also provides improved help text when using the wrapper from the command line.

March 22, 2018

Jenkins Plugin SCA Results
The Veracode Jenkins Plugin now displays Software Composition Analysis (SCA) results to help development teams understand what causes Veracode to fail a Jenkins build or pipeline job. The display of Veracode results is updated to provide the following details about SCA findings:
  • Number of blacklisted components
  • Highest found Common Vulnerability Scoring System (CVSS) score
  • Number and severity of SCA vulnerabilities
  • List of components added since the previous build

March 15, 2018

IntelliJ Plugin Update
The Veracode IntelliJ Plugin is updated to improve sandbox scans when using a proxy.

March 12, 2018

Eclipse Plugin Update
The Veracode Eclipse Plugin is updated to improve sandbox scans when using a proxy.

February 28, 2018

Visual Studio Extension Updates
The Veracode Visual Studio Extension is updated to add security improvements, as well as resolve issues that prevented users from selecting modules and opening project property files.
Java API Wrapper Update

The Veracode Java API wrapper is updated to expose additional optional parameters for the uploadandscan composite action that relate to module selection.

Visual Studio Team Services Extension Update

The Veracode TFS build activity is updated to improve the use of credentials and logging.

February 26, 2018

Jenkins Plugin Update
The Veracode Jenkins Plugin is updated to resolve an issue that caused Jenkins pipeline jobs configured in an older version of the plugin to fail after upgrading to a newer version.

February 22, 2018

IntelliJ Plugin Proxy Connection
The Veracode IntelliJ Plugin is updated to resolve an issue preventing users from connecting to Veracode through a proxy.

February 16, 2018

Jenkins Plugin Updates
The Veracode Jenkins Plugin is updated to accept application names containing spaces. In addition, when a user does not provide a scan time limit for a build that is configured to wait for the scan to complete, Veracode applies a default time limit.
Eclipse Plugin Updates
The Veracode Eclipse Plugin is updated to add security improvements and to resolve an issue preventing users from connecting to Veracode through a proxy.

February 6, 2018

New Xcode Packaging Tool for iOS
Veracode has released a packaging tool that assists you with packaging your iOS applications for analysis.

January 30, 2018

VSTS Extension Updates

The Visual Studio Team Services Extension is updated to provide a summary of findings that correctly accounts for mitigated flaws, to let you specify files to be included or excluded from scans without waiting for results to complete, and to issue a warning instead of breaking the build if a scan fails due to another scan already running.

HPE ALM Plugin Upgrade

The Veracode HPE ALM Synchronizer Plugin is updated to patch a vulnerability in a third-party component. Please ensure that you update to the latest version (1.4.0).

January 24, 2018

JIRA Cloud Support
Veracode has released the Veracode Integration for JIRA Cloud, which is now available on the Atlassian Marketplace.

January 23, 2018

Visual Studio Extension Filtering
The Visual Studio Extension is updated to automatically filter out fixed flaws from displaying in the results table.

January 5, 2018

TFS XAML Improvements
The Veracode TFS build activity (for TFS 2015 and TFS 2013) is updated to improve the installation on TFS 2012.

Veracode Greenlight

View the list below for highlights of previous releases.

December 27, 2018

Greenlight for Visual Studio Output Window Switches
Veracode Greenlight for Visual Studio is updated to ensure that the Visual Studio output window does not switch focus to Greenlight activity each time Greenlight performs an auto-scan of a file, avoiding any unnecessary interruptions. You can always review any Greenlight scan activity in the Veracode Greenlight Findings pane in Visual Studio.

December 5, 2018

Greenlight for Android Studio IDE Plugin

Veracode announces a Greenlight plugin for Android Studio, which is available for Android Studio version 3.0 and later. The plugin can scan Java or JavaScript files or packages.

November 14, 2018

New Parameter for the Greenlight CI Tool
The Greenlight continuous integration (CI) tool has a new parameter you can use to ensure your build does not fail when the uploaded file or package exceeds the Greenlight maximum size of 1 MB.

October 18, 2018

Greenlight API for Java
The Greenlight API enables development teams to integrate Greenlight into their CI/CD pipelines, and receive immediate feedback during a commit, merge, or pull request. Having a Greenlight scan job follow a build job in the pipeline means that flaws are found before the code moves downstream. If you use Git for source code management, you can use the Greenlight CI tool, which scans commits for amended and scannable Java source files and submits them to Veracode for analysis. If you do not use Git but are still interested in the Greenlight API, documentation is available from Veracode Support.
Veracode is extending a promotional offer for Greenlight API for Java. The offer runs from October 2018 through September 2019. If you have purchased 10 Greenlight IDE seats or more, you can use the Greenlight API for Java to run up to 250 API scans each month per organization account. The use of the Greenlight API does not impact consumption of Greenlight IDE seats. Contact your Veracode Program Manager or Veracode Support to learn more about the Veracode Greenlight API promotional offer and to enable the Greenlight API for your account.

October 3, 2018

Greenlight for IntelliJ Support for JSP Files
Veracode Greenlight for IntelliJ now supports the scanning of JSP files or folders containing JSP files that were compiled by IntelliJ IDEA Ultimate Edition, where the project is deployed on a local Tomcat server.
Greenlight for Eclipse Results Retention Between Sessions
Veracode Greenlight for Eclipse now retains scan results and scan queues between Eclipse IDE sessions.
Greenlight Support for Red Hat Enterprise Linux 7
Veracode Greenlight for Eclipse and IntelliJ now support Red Hat Enterprise Linux 7 and later.
Greenlight Support for TypeScript and Other JavaScript-based Files
Veracode Greenlight for Eclipse, IntelliJ, and Visual Studio added support for TypeScript and other JavaScript-based files and folders.
Greenlight for Visual Studio FIPS Support
Veracode Greenlight for Visual Studio now supports Federal Information Processing Standards (FIPS).
Greenlight for Eclipse Open File Control Setting
You can now control when the Veracode Greenlight for Eclipse auto-scan feature triggers a scan based on either opening or saving a file.
Visual Indicator for Package or File-level Scanning
Veracode Greenlight for Eclipse, IntelliJ, and Visual Studio now visually indicate whether the Greenlight scan is at the package or file level. This enhancement helps you better understand the context of the Greenlight results.
Greenlight for Visual Studio .NET Performance Enhancement

Veracode Greenlight for Visual Studio is enhanced to compile individual C# and VB.NET files with the minimal number of .NET dependencies. This improvement reduces the size of the file upload and reduces scan time. Greenlight continues to compile and upload the precompiled view for ASP.NET single-view file scans, while folders that contain ASP.NET views and CS or VB files still need a full project build with precompiled views before being scanned.

August 2, 2018

Greenlight for Visual Studio Links to the Veracode Help Center and Veracode Community
The Visual Studio IDE now has links to the Veracode Help Center and Veracode Community from the Veracode Greenlight menu and results screens. This enhancement helps developers quickly find more information about Veracode Greenlight and application security.

July 12, 2018

Greenlight for Visual Studio Remediation Guidance
Remediation guidance is enhanced in Greenlight for Visual Studio to include code examples. The information provided in the Veracode Greenlight Findings pane includes a description of the issue, an explanation of why it is a problem, and suggestions for how to fix the flaw with code examples that compare flawed code with the corrected code to help developers understand how to remediate issues quickly and efficiently within the IDE for certain CWEs.

July 3, 2018

Greenlight for Eclipse Support of JSP Files

Veracode Greenlight for Eclipse now supports the scanning of Java Server Pages (JSP) files or folders containing JSP files, where the project has been deployed to a local Tomcat server.

Greenlight for IntelliJ Active Scan Compilation
Greenlight for IntelliJ prompts you to recompile a file after you edit and save it before it starts the scan.

June 28, 2018

Greenlight Scan Usage Summary Export Files
Greenlight scan usage summary export reports are available on the Veracode Platform under Reports > Export Data. The Daily Scan Summary logs scan activity of each user that scanned on that day. The Technology Summary lists such information as IDE and plugin used, and scans by IDE.
Greenlight for Eclipse Support for JSP

Greenlight for Eclipse can now scan JSP files.

May 30, 2018

Greenlight for Visual Studio Support for JavaScript

Greenlight for Visual Studio has expanded language support to include scanning of JavaScript (JS) files.

Greenlight for IntelliJ Quick Tutorial
Greenlight for IntelliJ now includes a quick tutorial that appears when you activate Greenlight for the first time, and is always accessible from the Veracode Greenlight dropdown menu.
Greenlight for Visual Studio Quick Tutorial
Greenlight for Visual Studio now includes a quick tutorial that appears when you activate Greenlight for the first time, and is always accessible from the Veracode Greenlight dropdown menu.

May 4, 2018

Greenlight for IntelliJ Links to the Veracode Help Center and Community
Greenlight for IntelliJ now has links to the Veracode Community and Help Center from the Preferences and Results screens. Developers can navigate directly to the places where they can learn more about application security, ask questions, and share knowledge.
Greenlight for Visual Studio AppSec Tutorial Integration
The latest version of Greenlight for Visual Studio integrates with the Veracode AppSec tutorials available from the Details link.
Greenlight for Visual Studio Auto-Scan Setting Persistence
The Greenlight for Visual Studio extension now retains your auto-scan selection (on/off) between IDE sessions.

April 30, 2018

Greenlight for Eclipse Quick Tutorial
Greenlight for Eclipse now includes a quick tutorial that appears when you activate Greenlight for the first time, and is always accessible from the Veracode Greenlight dropdown menu.
Greenlight for IntelliJ Auto-Scan

Greenlight for IntelliJ has extended the auto-scan feature to start a scan when you save the file or when IntelliJ automatically saves the file. Auto-scan is in addition to your existing ability to start a scan on a file or package at any time.

March 28, 2018

New Greenlight Domain
The following versions of the Veracode Greenlight plugins and extensions are updated to now use the URL https://api.veracode.com:
  • Greenlight for Eclipse v2.4
  • Greenlight for IntelliJ v1.2
  • Greenlight for Visual Studio v1.2
When you upgrade to the latest version, you are prompted to accept the valid signed Veracode certificate as part of the installation process. To maintain continuous service, ensure your organization whitelists https://api.veracode.com.
Greenlight for Visual Studio Supports Larger Files
The Veracode Greenlight for Visual Studio extension is updated to support project files that are up to 10MB.
Greenlight for Visual Studio Supports ASP.NET
The Veracode Greenlight for Visual Studio extension can now scan ASP.NET files. Please note that you must manually start ASP.NET scans because the auto-scan feature does not support ASP.NET files.
AppSec Tutorials for Greenlight for Eclipse and IntelliJ
The latest versions of Greenlight for Eclipse and IntelliJ have integrated AppSec tutorials available from the Details pane.
Auto-Scan Selection for Greenlight for Eclipse and IntelliJ
The latest versions of Greenlight for Eclipse and IntelliJ now ensure that the auto-scan selection persists when users close and reopen the IDE.

February 26, 2018

Greenlight for IntelliJ JavaScript (JS) Support
Veracode Greenlight for IntelliJ version 1.1.0 and later has expanded language support to include JavaScript (JS) scanning.
Greenlight for IntelliJ and Veracode IntelliJ Plugin
It is now possible to run Greenlight for IntelliJ and Veracode IntelliJ Plugin on the same instance of IntelliJ IDEA.
Greenlight for Eclipse Support of Spring Tool Suite (STS)
Veracode Greenlight for Eclipse version 2.3 supports the Spring Tool Suite (STS) IDE version 3.9 and later. STS users can now download and install the Veracode for Eclipse plugin into the STS IDE, enabling the scanning of Java and JavaScript (JS) code with Veracode Greenlight.

February 20, 2018

Support Deprecation of Older Greenlight Versions

To focus on developing new features and functionality that better serve Veracode Greenlight customers, Veracode will no longer support older versions of the Veracode Greenlight for Eclipse plugin after May 1, 2018. As of that date, Veracode supports only Greenlight for Eclipse version 1.4.0 (released in August 2017) and later.

Please migrate to newer versions of the Greenlight for Eclipse plugins, which are available at http://marketplace.eclipse.org/content/veracode-greenlight. To download a file offline, go to https://downloads.veracode.com/securityscan/com.veracode.greenlight.site-latest.zip

January 23, 2018

Greenlight for Eclipse - JavaScript Language Support
Veracode Greenlight for Eclipse has expanded language support to include JavaScript (.js) files.

Web Application Scanning

View the list below for highlights of previous releases.

December 19, 2018

New Dynamic Analysis Maintenance Banner
Dynamic Analysis now has a maintenance banner that displays 72 hours prior to any upcoming scheduled maintenance. This banner communicates the dates and times that Dynamic Analysis is not available during a maintenance window.

December 13, 2018

Dynamic Analysis Support of Unicode Characters

Dynamic Analysis has added support of the Unicode standard, enabling you to enter Unicode characters in strings such as analysis name and username.

November 15, 2018

New Dynamic Analysis Statuses
There are two new statuses for Veracode Dynamic Analysis that indicate when scans exit at the end of the scan duration timeframe without completing. These new statuses indicate where you need to increase the scan duration time to enable the scan to complete successfully with better coverage and results.

October 18, 2018

Dynamic Analysis Session Warning
Veracode added a session timeout warning to Dynamic Analysis to notify you to continue or log out. This enhancement can prevent you from losing any unsaved changes.

October 3, 2018

Extended Selenium Command Support

Veracode Dynamic Analysis and DynamicDS now support additional Selenium commands for login, logout, and crawl scripts when scanning in advanced mode.

Consistent Discovery Results

Veracode Discovery now includes a rescan feature that checks for the existence of sites found in previous scans that had similar inputs to the current scan. As a result, Discovery results are more consistent. You do not need to perform additional actions when you configure a Discovery scan to initiate the rescan.

September 19, 2018

Dynamic Analysis Application Linking in Create Workflow
When creating a new Dynamic Analysis, it is now possible to link a URL to an application during the create and edit workflow, eliminating the need to wait until the results are available before linking them to the application.
Dynamic Analysis Default User Agent Update
Dynamic Analysis added a new default user agent that contains the Veracode Support email in the string, enabling you to know from where the scan traffic is coming.

August 9, 2018

Fingerprinting Support
Dynamic Analysis now supports fingerprinting, which can determine during a scan which technologies are used by the application. Fingerprinting can improve scan speeds and provide faster results.

August 2, 2018

Extended Timeframe for Dynamic Analysis Scans
The timeframe for Dynamic Analysis scans has increased to 25 days to enable lengthy scans to complete.

July 24, 2018

Technology Fingerprinting in DynamicDS
The scan engine for DynamicDS is updated to detect a specific set of known databases, web servers, and operating systems and to optimize vulnerability tests for those technologies. This update improves scan speed for any application that uses the detected technologies.

June 27, 2018

Improved Scan Speed Using Advanced Mode in DynamicDS
Scans using advanced mode now finish 20% faster on average than before. Veracode DynamicDS scans have the ability to fingerprint websites and determine certain technologies used by the applications during each scan. Veracode modifies the vulnerability checks based on the technologies determined during the scan. This update reduces time during the auditing phases of a scan.

June 15, 2018

New Dynamic Analysis - General Availability
Veracode Dynamic Analysis is a new Web Application Scanning product that provides an automated, scalable dynamic scanning solution with high-quality results. Dynamic Analysis enables you to start scanning quickly and scale as your security programs and scanning needs grow.
For existing Veracode Web Application Scanning customers: Dynamic Analysis combines in a single DAST product the capability to scan at scale that DynamicMP currently provides, with the configurability and ability to scan behind the login screen that DynamicDS provides now. It is a new architecture that brings the automation, speed, and coverage necessary for your dynamic scanning needs.
Dynamic Analysis is an automated solution with the following rich features:
Scan Automation - Recurring Scan Scheduling
Dynamic Analysis provides the ability to automate dynamic scanning with new scheduling options for configuring recurring scans to start on a weekly, monthly, or quarterly schedule. It also provides scheduling automation that removes the need to return to the Veracode Platform to schedule the next scan, resulting in time savings.
Scan Automation - Pause and Resume
Dynamic Analysis supports the ability to automate web application scanning with a new scheduling option for managing IT maintenance timeframes when applications should not be dynamically scanned. The automated pause and resume feature allows you to configure scheduling automation for a scanning timeframe that pauses and resumes when you want it to.
Scan Stop Actions
Dynamic Analysis provides the ability to stop an in-progress scan on demand, in case of an emergency. You can stop the scan of one URL in the Dynamic Analysis and allow the scanning of the rest of the URLs in the analysis to continue running. You can also stop an entire analysis (batch of URL scans) when necessary or cancel an analysis that is scheduled to start in the future.
Authentication Batch Scanning
Dynamic Analysis provides the ability to scan web applications that use authentication by supporting auto-login, basic authentication, and form-based authentication. In one single Dynamic Analysis, you can scan an entire batch of URLs that use authentication.
Upload URL and Credentials
Dynamic Analysis provides an Excel (CSV) template that you can use to upload several target URLs and auto-login and basic authentication credentials in one single step. You download the template when you are creating the Dynamic Analysis, and upload all the necessary authentication information for all the URLs quickly and easily.
Prescan Option
Dynamic Analysis supports an optional but highly recommended prescan action to ensure connection and authentication for all scans in the analysis are verified prior to submitting a scan. The prescan results clearly show connection status and authentication status, and email notifications are sent when there are prescan issues to fix ahead of the scheduled scan start time.
Scan Visibility and User Actions
Dynamic Analysis provides a detailed list of analyses you have run, their statuses, and the number of URLs in each analysis. From this list you can drill down into the list of individual target URLs and their scan configuration details. At these levels of visibility into your scans, you can edit the configuration of either the whole Dynamic Analysis or the URL configurations.
Application Linking
Dynamic Analysis supports the ability to link a completed scan to an existing or newly created application profile on the Veracode Platform, enabling you to see the application results in the Veracode Platform. When reviewing the results in the Platform, you can evaluate results against policies, review crawled or audited links, view PDF and XML reports, and take advantage of the Veracode Integration for Jira.
Advanced Mode
Dynamic Analysis enables you to choose to scan in the advanced mode, a mode that provides support for single-page applications, stateful websites, JavaScript frameworks, and improved redundant page detection for content-heavy sites.
Improved Documentation for Vulnerability Rescans
To improve clarity, Veracode has updated the feature name and documentation regarding vulnerability rescans, which were previously called flaw-only rescans. Vulnerability rescans exclusively scan links containing vulnerabilities found in previous scans.
DynamicDS Advanced Mode
Veracode now supports an advanced mode option for DynamicDS scans. Advanced mode provides increased support for stateful websites, JavaScript frameworks, single-page applications, and improved redundant page detection for content-heavy sites.
In upcoming releases, advanced mode will be available for all users when configuring their DynamicDS scans.

May 22, 2018

Improved Documentation for Kantu Browser Automation
Veracode now documents support for Kantu Selenium IDE, a Chrome plugin that can create login and crawl scripts. This plugin provides an alternative to using Selenium IDE in Firefox.
Data Dictionary for Discovery Results
To help users understand and more effectively triage Discovery results, the Veracode Help Center now provides the Discovery data dictionary, which documents the information found in the downloadable Discovery reports.

April 24, 2018

New DAST CWE

As part of the DynamicDS single-page application mode, the new scan mode that is currently in early adopter (EA) phase, DynamicDS now supports CWE 611, which is A4:2017 XXE in the OWASP 2017 Top 10. In the Veracode Platform, XXE is classed as a Severity 3 (Medium) vulnerability. An XML External Entity attack is a type of attack against an application that parses XML input and can occur when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

If you would like to use the single-page application mode in your DynamicDS scans, contact Veracode Support.

March 20, 2018

New Security Header and SQL Injection Checks

Veracode has updated security header checks and SQL injection checks for Veracode Web Application Scanning. With this change, CWE 614 is updated to check whether the website has the correct attributes for the same-site cookie in the HTTP headers. This CWE is part of the many secure header vulnerabilities found within dynamic application security testing. More information can be found on the OWASP website: https://www.owasp.org/index.php/SameSite
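
The kind of header check this entry describes can be reproduced against your own responses. The following is an added example, not Veracode's code or check logic: the policy it applies (Secure required, SameSite set to Strict, Lax, or None, and None only together with Secure) is an assumption, and the sample Set-Cookie values are constructed.

```python
# Added example: audit Set-Cookie headers for the Secure and SameSite attributes.
# The policy is an assumption for illustration, not the scanner's actual rule set.

VALID_SAMESITE = ("strict", "lax", "none")


def parse_set_cookie(header_value):
    """Return (cookie_name, attrs) where attrs maps lower-cased attribute names to values."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header_value):
    """Return (cookie_name, findings) for a single Set-Cookie header value."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() not in VALID_SAMESITE:
        findings.append("invalid SameSite value")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    return name, findings


def audit_response(set_cookie_values):
    """Return {cookie_name: findings} for every cookie that has at least one finding."""
    report = {}
    for value in set_cookie_values:
        name, findings = audit_cookie(value)
        if findings:
            report[name] = findings
    return report


# Constructed sample headers, as they might appear in one HTTPS response.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",
    "csrf=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
    "track=1; Path=/; SameSite=None",
    "pref=dark; Secure; SameSite=Sometimes",
]

if __name__ == "__main__":
    for cookie, issues in audit_response(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(issues)}")
```
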

February 20, 2018

Optimized DynamicDS Link Processing

Veracode has optimized the processing of crawled links to reduce the number of scans that exit with a failure or scan error. This enhancement affects large web applications that have performed many DynamicDS scans in the same application profile.

To utilize this enhancement immediately, Veracode recommends that you start DynamicDS scans with a new application profile.

Faster Dynamic Scan Results
Veracode has improved the redundancy algorithm in DynamicDS to provide scan results in less time.

January 23, 2018

Veracode VSA Network Redundancy

Veracode is moving the Virtual Scan Appliance (VSA) service to a location that has a redundant Border Gateway Protocol (BGP) platform across multiple telecommunication providers. Your firewall team must whitelist the new IP address 192.157.28.50 to be able to perform VSA scans.

Veracode VSA YUM Repository Change

The Veracode VSA now provides an externally resolvable YUM repository to update the VSA using a hostname. The YUM repository is necessary to get software updates from Veracode.

Your firewall team must whitelist the new IP address 192.157.28.52, which has the DNS name vsa-repo.veracode.com, to be able to perform VSA scans.