Veracode Static Analysis Release Notes

July 1, 2020

New Veracode Static Analysis Support
Veracode has added static analysis support for these technologies:
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these technologies:
  • AWS SDK for Python (Boto3).
  • Additional security checks for applications built using Java 12, 13, and 14. You may see additional findings for applications as a result of these improvements.
  • Additional security checks for applications built using .NET Core 3.1. You may see additional findings for applications as a result of these improvements.
  • Additional security checks for applications using Apache Commons libraries. You may see additional findings for applications as a result of these improvements.
  • Additional security checks for applications using Go templates. You may see additional findings for applications as a result of these improvements.
  • Improved scan coverage for iOS application submissions. Veracode now analyzes all components submitted with an iOS application, including standalone frameworks, extensions, and watchOS extensions. After a prescan, you can select these components from a list of modules.

June 13, 2020

New Veracode Static Analysis Support
Veracode has added static analysis support for these technologies:
  • Improved analysis of Go applications by adding support for the Gorilla framework and improving overall results quality.
  • Improved analysis of JavaScript applications that use AWS Lambda and other serverless functions by adding support for the AWS SDK.
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these technologies:
  • Improved static analysis of iOS applications so that scan results focus on custom first-party components rather than on third-party libraries.
  • Improved static analysis of .NET and Java applications to report the analysis size of dependent modules more accurately. These changes may result in smaller reported sizes for scan submissions.
  • Veracode now reads the contents of the go.mod file included in an application submission to more accurately identify which Go components to analyze.

May 13, 2020

Pipeline Scan Improvements
Veracode Static Analysis using pipeline scanning includes these enhancements:
  • New command parameters for storing information about the application you are scanning:
    • --app_id
    • --development_stage
  • New code examples that show how to integrate pipeline scan with GitHub actions and Azure DevOps. These examples are included in both the pipeline scan Readme file and the Veracode Help Center.

May 4, 2020

New Veracode Static Analysis Support
Veracode now supports static analysis of these libraries for Apex:
  • Visualforce
  • Lightning
  • Aura components for Salesforce
Improved Veracode Static Analysis Support
Veracode now supports static analysis of these technologies:
  • Apex version 49.
  • Java applications built on Java 14.
  • Version 2.6 and 2.7 of the Play framework for Scala. You may see additional findings for Play applications as a result of these improvements.
  • Python application analysis improvements, including additional security checks for risks related to certificate management and cryptography settings. You may see additional findings for Python applications as a result of these improvements.
  • Updated CWE definitions for flaws that were previously reported as CWE 100 and CWE 391. MITRE is deprecating these CWEs: CWE 100 flaws are recategorized as CWE 1174, and CWE 391 flaws are recategorized as either CWE 252 or CWE 273, depending on the details of the flaw.

    Veracode has updated policy rules that included entries for CWE 100 and CWE 391 to include the new CWEs.

    After you run the next scan of affected applications, the Veracode Platform reports and analytics reflect the new CWE values. Data for previous scans still includes the historical values.

April 23, 2020

Improved Veracode Static Analysis Support with Pipeline Scanning
Veracode static analysis using pipeline scanning now includes these features:

April 14, 2020

New Video - Run a Pipeline Scan in Your CI/CD Environment
This video shows you how the pipeline scan runs directly within a CI/CD environment.

April 2, 2020

New Veracode Static Analysis Support
Veracode has improved static analysis by adding support for AWS Lambda functions for Java, .NET, Node.js, and Python.
Improved Veracode Static Analysis Support
Veracode has improved static analysis of these technologies:

Veracode has changed reporting of CWE 404 flaws to be more specific about where they occur, which may result in additional findings. Veracode has also changed the severity of CWE 404 to Informational.