2017 Release Notes

Veracode Release Notes

View the list below for highlights of releases in 2017.

December 18, 2017

Veracode Static Analysis

iOS 11 Support, iOS Mobile Behavioral Analysis Support
Veracode is pleased to announce the release of a new iOS security analysis solution, which supports iOS 11 and Xcode 9, and includes significantly improved scan performance. This new support also includes mobile permissions reporting for iOS applications.

This new scan engine utilizes Bitcode, which is enabled by default in Xcode 9. Applications must support Bitcode in order to be analyzed, and require a new packaging method, details of which are available in the Help Center.

This new packaging method may result in changes in analysis size and scan results.
Highlighting Changes Between Static Scans
Veracode has released an improvement to the static analysis user experience, which helps users identify changes between the files uploaded in two subsequent scans of the same application. This feature helps users understand differences in scan results, and helps users to perform a consistent module selection.

A summary of the differences in file size and module selection is available after prescan, and detailed differences are available by reviewing the scanned modules after a scan is complete.

Android 8 Support
Veracode has improved static analysis of Android applications by releasing support for Android 8 (Oreo).

Veracode Application Security Platform

Whitelisting Veracode URLs
Veracode has changed the URLs used by some of the Veracode Application Security Platform UI components, specifically the Schedule a Consultation and Support Case services. The majority of our customers are not affected by this change, but if you do experience any problems, clear your cache to resolve this issue. If your organization requires that you whitelist every domain and subdomain for your users to have access to the Veracode Platform, please whitelist the following URLs to ensure there is no disruption in service:
  • https://web.analysiscenter.veracode.com
  • https://analysiscenter.veracode.com
  • https://api.veracode.com
  • https://ui.analysiscenter.veracode.com
  • https://api.veracode.io
  • https://web.veracode.io
  • https://api.veracode.io
  • https://elearning.veracode.com (eLearning users only)
  • https://downloads.veracode.com (to download Greenlight and other integrations plugins)
OWASP Top Ten 2017 – Not Yet Supported
In 2018, Veracode will begin updates to the OWASP Security Standard to align with the 2017 version of the OWASP Top 10. Veracode is not making these changes in 2017.
Export Data Updates
Veracode has changed the methods for providing customer data in Reports > Export Data. You can expect improved performance and reduced generation time for the Export Data reports. In addition to these changes, this update addresses a number of bugs discovered in these reports.

The following Export Data reports were updated:

  • Applications: This report was updated to include the count of findings per flaw categories.
    The Business Days to Publish column now provides a count of total days. For third-party users, the Is Latest Pub Build column refers to the latest scan published to the enterprise. The Get_Prev_Build column now more accurately reports on regressed and remediated flaws between static and DynamicDS scans. There is also an updated calculation of the ELAPSED_DYN_DAYS column.
    Note: This update changes the order of fields in the report. Update any macros or automation associated with an expected field order accordingly.
  • DynamicMP Flaw Remediation: This report was updated to no longer include false positives (FPs).
  • Fixes Required by Policy: This report was updated to no longer include deleted scans.
  • Flaws by Module: The method used in this report to count manual flaws was changed, which may result in some updates to total flaw counts.
  • Frameworks Used: The methods used in this report were updated to remove redundant data.
  • Mitigation Data: This report was updated to handle published scans that were deleted.

Veracode Integrations

Support for JIRA Data Center
The Veracode Integration for JIRA has been updated to support deployment to a JIRA Data Center, a JIRA clustered environment.
New Native TeamCity Extension
A new Veracode integration for JetBrains TeamCity is available from the JetBrains marketplace. This integration supports both policy and sandbox scans, authentication with either username/password or API ID/key, and optionally stopping the build when the results fail your policy evaluation.
IDE Plugins Updated with UX Improvements and Feedback
The Veracode Eclipse Plugin, Veracode IntelliJ Plugin and Veracode Visual Studio Extension have been updated to address user experience feedback. Now, when you choose results to download, these integrations present scans in chronological order, and display mitigation information more consistently with the Veracode Application Security Platform.

Veracode Greenlight

Greenlight for Eclipse - Auto-Scan Improvements
The Greenlight for Eclipse auto-scan feature has been enhanced. Now, when you open a file in the Eclipse IDE and the file is in focus, that file is added to the Greenlight auto-scan queue.
Greenlight for Eclipse - Links to the Veracode Community
In Greenlight for Eclipse, there are links to the Veracode Community on the Preferences popup and Results pane. These links help Greenlight developers find answers about application security, ask their peers questions, and share their knowledge with other developers.
Greenlight for Visual Studio - Scan Timeout Limit Update
Greenlight for Visual Studio has increased the scan timeout from three minutes to five minutes.
Greenlight for Visual Studio - Scan at the Folder Level
Greenlight for Visual Studio allows you to select a folder to initiate a Veracode Greenlight scan as long as the folder contains five files or fewer, and the files are written in C# or VB.NET.
Greenlight for Visual Studio - Compatible with Enterprise, Professional and Community Versions
Greenlight for Visual Studio 2015 and 2017 is compatible with the Visual Studio Enterprise, Professional and Community editions without requiring Update 3 for Visual Studio.
Greenlight for Visual Studio - Auto-Scan Feature Now Available
The Veracode Greenlight auto-scan feature, which is on by default, automatically initiates a Greenlight scan when a developer saves a file in Visual Studio. Scan results are returned in the Veracode Greenlight Findings window.

If you save multiple files at a time, or in close succession, auto-scan adds the files to a queue to be sent to the Veracode Greenlight service for scanning. From the Queue tab, you can see which files are in the queue and when each file is sent to the Veracode Greenlight service. Files are separated by a 30-second wait time.

You can still trigger a Greenlight scan manually using the Veracode Greenlight menu, icon or shortcut keys. A user-initiated Veracode Greenlight scan takes priority over auto-scanned files. Therefore, the approximate queue time shown for auto-scanned files is reset, and a new estimate is provided when the user-initiated Greenlight scan is complete.

Greenlight for IntelliJ - Third-Party Build Tools Documentation Update
The documentation in the Veracode Help Center now provides information on how to import projects into IntelliJ that are compiled using third-party build tools such as Maven and Gradle to enable Greenlight to scan those binaries.

Veracode Web Application Scanning

Updated Scan Technology Coverage Option

The Front End Framework option was removed from Scan Technology Coverage because the option was rarely used.

Single Page Application Mode Updates
Scan performance in Single-Page Application (SPA) mode (an early adopter feature) has been enhanced with a Flash plugin update and coverage improvements. With these changes you may notice improved coverage and an increase of vulnerabilities found by Veracode.
New VSA Service IP Address in January
In January 2018, Veracode is moving the VSA service to a location that has a redundant BGP (Border Gateway Protocol) platform across multiple telecommunications providers.

Your organization must whitelist the following IP address to perform VSA scans: 192.157.28.50

New VSA YUM Repository in January
In January 2018, Veracode is also providing an externally resolvable YUM repository to update the VSAs that use a hostname. A YUM repository is needed to receive software updates from Veracode. Your organization must also whitelist the new IP address 192.157.28.52 and the DNS name vsa-repo.veracode.com.

Release 2017.11 (November 2017)

The substantial November release announces a 30-day, free self-service trial of Veracode Greenlight for Eclipse, documentation on how to use Greenlight for Eclipse to scan class files built with a non-Eclipse compiler, enhancements and improved support for seven languages/frameworks, and support for Kantu Web Browser Automation for crawl script recording in Veracode Dynamic Analysis scan configurations. In addition, there is a new incorrect-login lockout procedure for the Veracode Platform, a new capability to asynchronously upload files using the Visual Studio extension, and updates to the VSTS Extension, Eclipse, HPE ALM, Java API Wrapper and C# API Wrapper. Major enhancements to Veracode Software Composition Analysis (SCA) include new IP license risk rating information and the availability of SCA results upon completion of a Veracode Static Analysis prescan.

Note: Some Veracode URLs have changed with this release; therefore, Veracode recommends that you whitelist the URLs listed here in the release notes.

Veracode Static Analysis

PHP 7 Compatibility Support

Veracode has improved static analysis of PHP applications to support PHP 7.

.NET 4.7 Support

Veracode has improved static analysis of .NET applications to support .NET version 4.7.

New .NET Findings
Veracode has improved static analysis of .NET applications to support two additional classes of security findings, CWE 295 (Improper Certificate Validation) and CWE 502 (Deserialization of Untrusted Data).
Improved Android 7 Support
Veracode has improved static analysis of Android applications by implementing additional security checks for Android 7 APIs. You may see additional findings as a result of these improvements.
Bootstrap.js Support
Veracode has improved static analysis of JavaScript applications by implementing support for Bootstrap.js. Users of this technology may see additional findings as a result of this improvement.
JavaScript Parsing Improvements
Veracode has improved analysis of JavaScript applications by resolving some circumstances in which we were unable to scan customer-submitted files due to parsing errors. You may see flaw counts increase as a result of this more-thorough analysis of applications. This change also contains performance improvements for analysis of JavaScript files.
Static Consistency Improvements
Over the last six months, Veracode has been gradually releasing a change to the static analysis engine across the customer base, which has improved scan-to-scan consistency. We accomplished this improvement by refining the algorithm used to analyze the data flow in applications, which then enabled Veracode to build a more consistent model of the application from one scan to the next.

Veracode Application Security Platform

Whitelisting Veracode URLs
Veracode has changed the URLs used by some of the Veracode Platform UI components, specifically the Schedule a Consultation and Support Case services. The majority of our customers are not affected by this change, but if you do experience any problems, clear your cache to resolve this issue. If your organization requires that you whitelist every domain and subdomain for your users to have access to the Veracode Platform, please whitelist the following URLs to ensure there is no disruption in service:
  • https://web.analysiscenter.veracode.com
  • https://analysiscenter.veracode.com
  • https://api.veracode.com
  • https://ui.analysiscenter.veracode.com
  • https://api.veracode.io (for Greenlight users only)
  • https://web.veracode.io
  • https://api.veracode.io
  • https://elearning.veracode.com (eLearning users only)
  • https://downloads.veracode.com (to download Greenlight and other integrations plugins)
Flaws Report Update

Veracode has updated the Flaws report on the Export Data page to indicate if the discovered flaws were found in a sandbox or policy scan. With this information, you can ensure you are accurately tracking and reporting risk across the whole application portfolio.

Incorrect Credentials Lockout
When logging in to the Veracode Platform, if you provide incorrect credentials five times consecutively, you are locked out. At this point, you receive an email telling you how long you are locked out before you can try again, which is a randomly chosen duration of 15, 20, 25, or 30 minutes. If you again provide incorrect credentials five times consecutively, you are locked out permanently and your Veracode administrator or Veracode Support must reset your credentials. You can request a password reset from your Veracode administrator or Veracode Support at any time during this process.
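The two-stage lockout procedure described above, modelled as a small state machine. This is an added example, not Veracode's own code; it assumes that attempts made during a temporary lockout are rejected without being counted, that a successful login clears the lockout history, and that the password check and the clock are supplied by the caller (the `verify_password`, `now` and `rng` parameters are hypothetical).

```python
"""Model of the consecutive-failure lockout procedure: five wrong passwords
lock the account for a randomly chosen 15, 20, 25 or 30 minutes; five more
consecutive wrong passwords after that lock it permanently until an
administrator or Support resets it.  Assumed model, not the platform's code."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, Optional

FAILURE_THRESHOLD = 5                    # consecutive failures per lockout stage
TEMP_LOCKOUT_MINUTES = (15, 20, 25, 30)  # durations the platform picks from at random


@dataclass
class AccountState:
    consecutive_failures: int = 0
    served_temp_lockout: bool = False     # True once the first (temporary) lockout was applied
    locked_until: Optional[float] = None  # epoch seconds; None when not temporarily locked
    permanently_locked: bool = False


class LockoutPolicy:
    """Tracks per-user failure counts and applies the two-stage lockout."""

    def __init__(self, verify_password: Callable[[str, str], bool],
                 now: Callable[[], float], rng=None):
        self._verify = verify_password            # the real credential check lives elsewhere
        self._now = now                           # injectable clock returning epoch seconds
        self._rng = rng or random.SystemRandom()  # anything exposing .choice(sequence)
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def attempt(self, username: str, password: str) -> str:
        st = self._state(username)
        if st.permanently_locked:
            return "permanently_locked"
        if st.locked_until is not None:
            if self._now() < st.locked_until:
                return "temporarily_locked"  # rejected without consulting the password store
            st.locked_until = None           # lockout expired: the next five failures count afresh
            st.consecutive_failures = 0
        if self._verify(username, password):
            st.consecutive_failures = 0
            st.served_temp_lockout = False   # assumption: success clears the lockout history
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures < FAILURE_THRESHOLD:
            return "failed"
        if st.served_temp_lockout:
            st.permanently_locked = True     # second stage: admin/Support reset required
            return "permanently_locked"
        minutes = self._rng.choice(TEMP_LOCKOUT_MINUTES)
        st.locked_until = self._now() + minutes * 60
        st.served_temp_lockout = True
        # The platform emails the user the duration at this point; here it is only returned.
        return "locked_for_%d_minutes" % minutes

    def admin_reset(self, username: str) -> None:
        """Administrator or Support reset; also clears a permanent lock."""
        self._accounts[username] = AccountState()


class _FixedChoice:
    """Stand-in RNG for the reproducible walkthrough: always picks the first duration."""
    def choice(self, seq):
        return seq[0]


def run_scenario():
    """Walk one constructed account through both lockout stages with a fake
    clock, returning the sequence of outcomes."""
    clock = {"t": 0.0}
    policy = LockoutPolicy(
        verify_password=lambda user, pw: pw == "correct-horse",  # constructed credential
        now=lambda: clock["t"],
        rng=_FixedChoice(),
    )
    outcomes = []
    for _ in range(5):                                           # stage 1: five wrong passwords
        outcomes.append(policy.attempt("alice", "wrong"))
    outcomes.append(policy.attempt("alice", "correct-horse"))    # right password, still refused
    clock["t"] += 15 * 60                                        # wait out the 15-minute lockout
    for _ in range(5):                                           # stage 2: five more wrong passwords
        outcomes.append(policy.attempt("alice", "wrong"))
    outcomes.append(policy.attempt("alice", "correct-horse"))    # permanently locked, refused
    policy.admin_reset("alice")
    outcomes.append(policy.attempt("alice", "correct-horse"))    # reset restores access
    return outcomes


if __name__ == "__main__":
    for step, outcome in enumerate(run_scenario(), 1):
        print(step, outcome)
```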
New User Registration Email Update
When new users register themselves in the Veracode Platform, they receive a new user registration email. If new users do not complete the entire registration process but, instead, attempt to register a second time, they receive an email notification prompting them to log back in to finish their registration.
Authentication and Authorization for iOS Course Update
The Authentication and Authorization for iOS course is updated with new interactive points and animations. This course is now HTML5-compliant, providing an improved experience for eLearning users.
PCI for Developers Course Update
The Introduction to Payment Card Industry Data Security Standard (PCI DSS) 3.2 for Developers is updated with the testing procedure requirement 6.5.10.

Veracode Integrations

Visual Studio Asynchronous Uploads
The Veracode Visual Studio Extension is updated to allow uploads to process in the background and to address some issues that previously caused slow uploads.
Java API Wrapper in Maven
The Veracode Java API Wrapper is now available in the Maven Central open source component repository. This new capability makes it easier for projects that incorporate the wrapper to ensure they are using the most current version.
Veracode Integrations Updates

The Veracode VSTS Extension (for VSTS and TFS), Eclipse, HPE ALM, Java API Wrapper and C# API Wrapper are all now updated to address a number of customer issues. Download the latest versions to use the most current integration.

Veracode Greenlight

Greenlight for Eclipse Self-service Free Trial
Veracode Greenlight for Eclipse offers a 30-day, free self-service trial that developers can sign up for through the Eclipse Marketplace. Please note that we will not link this trial to your Veracode account. Upon registration, you receive an automated email with an activation code to use for authentication in the Greenlight for Eclipse plugin.
Greenlight for Eclipse - Third-party Build Tools Support
The documentation in the Veracode Help Center now provides information on how to import projects into Eclipse that are compiled using third-party build tools such as Maven and Gradle to enable Greenlight to scan those binaries.

Veracode Web Application Security

Selenium and Firefox Solutions

In 2017.9, Veracode informed you of the technical incompatibility between Firefox version 55 and Selenium IDE. We now support Kantu Web Browser Automation and continue to support Selenium IDE for login and crawl scripting for Veracode Dynamic Analysis scans, and will provide more information at a later date. Refer to the Selenium IDE and Kantu Web Browser Automation product documentation for more information.

Dynamic Advanced Options
We have now provided recommended values for specific advanced options that you choose when configuring a Veracode DynamicDS scan, such as the subdirectory limit, crawl depth, and exchanges per link (which is now updated to reflect the default of 25). These settings are not applicable to all applications and are mostly useful for large, template-driven web applications such as blogs, documentation, entertainment, news, and retail websites.
Single Page Application Mode Updates
Scan performance in Single-Page Application (SPA) mode (an early adopter feature) is improved due to updates to the SQLI and Directory Traversal plugins. Users of the SPA mode may see a 5-10% increase in scan speed without any impact on coverage. Contact Veracode Support for more information about SPA mode scanning.

Veracode Software Composition Analysis

IP License Risk Rating
In addition to outlining the security risk for using a third-party or open source component, Veracode now provides IP license risk rating information in the Software Composition Analysis (SCA) results. Veracode provides a recommendation for the license risk and not legal advice; Veracode recommends that you perform your own due diligence after reviewing the license risk information provided by Veracode.
SCA Results Upon Prescan
SCA results are available immediately after the static analysis prescan, enabling you to take action on the security results faster, even before the static analysis has completed.

Release 2017.10 (October 2017)

The October release provides new code examples in Greenlight for IntelliJ that can help users to remediate flaws directly in their IDE. In addition, this release includes eLearning course enhancements, Jenkins and IntelliJ plugin improvements, as well as C# and Java wrapper updates.

Veracode Application Security Platform

Updated eLearning Course
The Authentication and Authorization for Android course has been updated with new interactive points and animations. This course is also now HTML5-compliant.
Improved AppSec Tutorial Slide Requirement
Veracode has changed the number of slides required to complete an AppSec Tutorial from eight slides to six slides, so that users can skip two slides and still complete the course, since most users only need to review one of the two slides on remediation guidance.

Veracode Integrations

Jenkins Plugin Update
The Veracode Jenkins plugin version 17.10.5.1 is available. With this release, scans that run from a remote Jenkins now report a successful build status.
IntelliJ Plugin Update

The Veracode IntelliJ plugin version 2.3.0 is available. This plugin update provides the ability to navigate to the line of a flaw in first-party source code.

Veracode Integration for JIRA Update

Veracode Integration for JIRA version 3.6.1 (for server-hosted JIRA) is now available on the Atlassian Marketplace and includes a number of improvements.

Veracode Greenlight

Greenlight for IntelliJ - Enhanced Remediation Guidance
Greenlight for IntelliJ now includes remediation guidance with code examples for CWEs. You can now click the Details link for more information on the security flaw. This information includes a description of the issue, why it is a problem and how to fix it, in addition to examples that show the flawed code and the corrected code to help developers remediate the issue in their IDE.

Release 2017.9 (September 2017)

The September release announces new support for Mobile Behavioral Analysis for Android, a feature that can provide insights into the behavior of a mobile application. This month in integrations, there is easier customization of the JIRA integration, support for performing a DynamicDS rescan from Jenkins, as well as other integrations improvements. In this release, there is also a new Veracode Customer Community site where you can engage with Veracode directly. Veracode Web Application Scanning has two new options in this release to allow you to fine-tune your scan configuration.

Veracode Static Analysis

Mobile Behavioral Analysis for Android

Veracode is pleased to announce support for mobile behavioral analysis for Android. Veracode now examines permissions requested by mobile applications that can provide valuable insights into the behavior of the application.

Mobile permissions findings are reported after users select the Mobile Behavioral Analysis module when they initiate a static scan of an Android mobile application. You can view the results by the Mobile Behavioral Analysis link in the Veracode Platform after the scan completes.

Custom Cleanser Improvements

Veracode has improved the custom cleanser functionality to allow custom cleansers the ability to apply mitigations for flaws that were previously identified.

Koa.js Support

Veracode has improved static analysis of JavaScript applications to support Koa.js. Customer applications using Koa.js could see additional findings as a result of this improved coverage.

New Spring MVC Findings

Veracode has improved static analysis of Java applications built using the Spring MVC framework to identify additional findings related to improper access control.

Veracode Application Security Platform

Security Question Updates
For newly saved security question answers, the comparison used when you have forgotten your password now ignores case and leading or trailing white space. Existing security answers still require the correct case and leading or trailing white space until you update them.
Customer Community General Availability

Veracode has launched the Veracode Community, a destination for product information, integration and remediation guidance, and answers to frequently asked questions. The Veracode Community also includes groups where you can exchange ideas and collaborate with peers and Veracode on secure development and application security best practices. You can navigate to the customer community from the Veracode Platform or go to https://community.veracode.com.

New eLearning Manager View
The eLearning manager view has been streamlined so that managers can efficiently track their employees' progress and assign users to required courses.
Updated eLearning Courses

The Application Security Testing, C/C++, and Android Data Security courses are all updated with a new look-and-feel and are now HTML5-compliant.

New AppSec Tutorial - CSRF
A new AppSec tutorial about Cross-Site Request Forgery (CSRF) is available.

Veracode Integrations

New Jenkins Action to Start Dynamic Rescan

The Veracode Jenkins Plugin is updated with an additional post-build action that provides the ability to start a DynamicDS rescan. This feature works for applications that have already had at least one DynamicDS scan complete in the Veracode Platform. Administrators can specify whether to submit a full rescan and crawl, or to only rescan DynamicDS flaws that were already found.

Custom Field Mapping in JIRA

The Veracode Integration for JIRA is updated to provide a flexible UI for mapping Veracode application custom fields to JIRA fields. This feature allows JIRA administrators to easily update tickets with information from the Veracode Platform, including the ticket subtype, assignee, and other standard and custom fields.

Scan Results in Jenkins

The Veracode Jenkins Plugin now displays a summary of the static scan results for builds or pipeline steps that are configured to wait for build results to return.

DynamicDS Rescans in Java API Wrapper

The Veracode Java API wrappers are updated to add methods for starting a DynamicDS rescan. These methods work for applications that have already had at least one DynamicDS scan complete in the Veracode Platform. The wrapper now supports both full rescan and crawl and flaw-only rescan.

Updated API Wrappers

Both the Java and C# API Wrappers are updated to return a distinct error code from the UploadAndScan method if the scan fails policy.

Integrations Center in Help Center

The Veracode Help Center now contains a central page to consolidate all relevant integrations documentation.

Visual Studio Extension Improvements

The Visual Studio Extension was updated to improve downloading reports and sandbox functionality.

Web Application Scanning

New Scan Configuration Options
There are two new detection coverage options for DynamicDS, which may speed up time to results. They are available when you set up a new DynamicDS scan from Advanced Options > Application Coverage. You should run full scans on a quarterly basis using the default setting to baseline your application.
  • Subdirectory Limit: This option enables you to set the number of subdirectories Veracode samples under each directory in your application. This option is most useful for large, templated web applications.
  • Vulnerable Parameter Auditing: This option tests only the parameters that are most likely to contain vulnerabilities, which helps to find some of the important vulnerabilities in short scan timeframes.
Changes to Selenium and Firefox
As of August 2017, there is a technical incompatibility between Firefox version 55 and Selenium IDE, a third-party open-source technology. Users may not be able to use Selenium IDE to create new login scripts if they are using Firefox version 55 or higher.
Note: This change only affects recording of Selenium scripts by Selenium IDE. This change does not affect the replay of existing Selenium scripts by the Dynamic engine. Existing scripts uploaded by users can still be reused to run DynamicDS scans as before.
Veracode suggests that you use Firefox 54 or earlier when creating and testing forms-based login scripts and crawl scripts through the Selenium IDE. This workaround is a one-time change using a compatible browser version.
If you do not want to download a compatible browser version, you can pass login credentials through the auto-login option. If users run into challenges with this workaround, Veracode can intercept the failed prescan and fix the login issue.

Veracode Greenlight

IntelliJ Greenlight General Availability
The Veracode Greenlight IntelliJ plugin is now available in the JetBrains Marketplace at

https://plugins.jetbrains.com/plugin/10026-veracode-greenlight-intellij-plugin

The plugin supports IntelliJ 2016.3 and higher.
Visual Studio Greenlight General Availability

Veracode has expanded support for Greenlight to include Visual Studio and .NET. The Veracode Greenlight Visual Studio plugin supports Visual Studio 2015 and 2017 IDEs for C# and VB.NET scanning.

Improved Remediation Guidance
Veracode has improved the remediation guidance for Eclipse to include code samples. When a security flaw is returned, you can click the Details link for more information, including a description of the issue, why it is a problem, and how to fix it. For certain high priority CWEs, Veracode shows sample code with the vulnerability and sample code with the corrected code. You can copy and paste the corrected sample code into your code.

Release 2017.8

The August release announces all-around performance improvements for Veracode Static Analysis, new support for React.JS, and improved support for two other languages. Integrations updates include upgrades of the Veracode IntelliJ plugin to support IntelliJ 2017.2 and Android Studio, and the enhancement of all the Veracode IDE plugins to be able to detect flaws in submodules. In addition, Veracode Software Composition Analysis now discovers license agreements for third-party code.

Veracode Static Analysis

Automatic Extraction of JavaScript from Java Uploads
Veracode now extracts client-side JavaScript from JSP files that are packaged within a JAR, WAR, or EAR file. The extractions are selectable as separate JavaScript modules, which, if analyzed, could result in additional findings for the application. To avoid duplicate scans, do not upload the same JavaScript files separately if you have already manually extracted the JavaScript from the Java for previous scans. Note: In uploads for most existing application profiles, Veracode does not select by default the new JavaScript module for analysis.
React.JS Support
Veracode has improved static analysis of JavaScript applications to support React.JS. Customer applications using React.JS could see additional findings as a result of this improved coverage.
Improved ASP.NET Core 1.1 Support
Veracode has improved static analysis of ASP.NET applications by adding additional security checks for ASP.NET Core 1.1 specific APIs. You may find that Veracode static analysis now finds additional flaws in applications using ASP.NET Core 1.1.
Improved Scala Support
Veracode has improved static analysis of Scala applications by adding additional security checks for Scala and Scala Play Framework APIs. You may find that Veracode static analysis now finds additional flaws in Scala applications.
Static Analysis Performance Improvements
Veracode has implemented several performance enhancements to the static analysis engine, improving the speed of static analysis for all languages.

Veracode Application Security Platform

Improved Triage Flaws Page Search
When searching on text strings in the Triage Flaws page, all results containing any portion of the search term are now displayed.
Platform Login Improvements
The password reset email now contains updated Veracode Support hours and the user experience is improved when entering security questions.

Veracode Integrations

Veracode IntelliJ Plugin Update
The Veracode IntelliJ plugin is updated to support IntelliJ 2017.2, the most recent version.
Android Studio IDE Support
The Veracode IntelliJ plugin now supports use with Android Studio. Developers using Android Studio can download and install the Veracode IntelliJ plugin, upload Android applications to Veracode for testing, and then download scan results for triage.
Submodule Flaw Location Support
The Veracode Visual Studio, Eclipse, and IntelliJ IDE integrations and the VSTS extension are now updated to provide users with more precise location information for a flaw within a module.

Veracode Software Composition Analysis (SCA)

Open-source License Discovery
Veracode SCA now discovers license agreements for third-party code and provides this information as part of the component overview. This functionality helps organizations assess and reduce the business risk of open-source components, such as viral open-source licenses and code usage that require royalty payments. Please read the legal disclaimer here.

Release 2017.7

The July release announces a new Help Center for the Veracode service that is available to everyone without the need to be logged in to the Veracode Platform. When you seek assistance with any of the Veracode features, you now have a dynamic interface with a very powerful search function. In addition, this release provides Swift 3 support, context-aware findings for JSP pages, and enhancements to the Veracode Visual Studio Team Services extension, the Veracode IntelliJ plugin, and the Veracode Greenlight for Eclipse plugin.

Veracode Static Analysis

Swift 3 Support

Veracode has improved static analysis of iOS applications by implementing support for the Swift 3 programming language.

Customers building their iOS apps with Swift 3 may have additional findings as a result of this new support.

Context Aware Cross-Site-Scripting Findings
Veracode has improved accuracy in detecting cross-site scripting (XSS) in JSP pages through context awareness. This improvement reduces false negatives by enabling Veracode to detect cases where an inappropriate cleansing function has been applied. Veracode reports this type of XSS as CWE 159, as a type of Code Quality finding.
Custom Cleanser Libraries Published to NuGet and Maven Central
Veracode has now published to Maven Central and NuGet the annotations files required for our custom cleansers feature. This update gives you a more seamless integration into your development environments when using the custom cleansers feature. Veracode has also published the source code to these annotation files to GitHub at https://github.com/veracode.

Veracode Application Security Platform

New Veracode Help Center
The new Veracode Help Center is available at https://help.veracode.com, and is open to the public and indexed by search engines such as Google. There is no need to be signed in to the Veracode Platform to access the new help system.

Veracode Integrations

VSTS Extension Supports Sandbox Creation
The Veracode VSTS extension now allows an administrator to specify that a sandbox should be created within an application profile if a sandbox does not already exist.
Veracode IntelliJ Plugin
The Veracode IntelliJ plugin now provides flaw location detail at the sub-module level, making it easier for developers to fix flaws in their code.

Veracode Greenlight

Greenlight for Eclipse: Installation for Restricted Environments
The recommended way to install the Greenlight for Eclipse plugin is via the Eclipse marketplace. However, in the event of a restricted development environment where it is not always possible to access the Internet to download the plugin, Veracode has packaged the installation in a ZIP file that is available at https://downloads.veracode.com/securityscan/com.veracode.greenlight.site-latest.zip.
Greenlight for Eclipse: Canceling a Scan
When scanning files in Eclipse, the progress of a scan displays in the standard Eclipse view. With this release, you can now cancel any scan that is in progress.

Release 2017.6

The June release delivers static analysis support for the Scala language, as well as improved support for the Play web application framework, Angular 2.x and 4.x, and GCC 4.9. This release also provides new fields for DynamicDS applications to help users fine-tune their scan configuration. Additionally, there is a new support ticket form on the Veracode Platform to help users resolve their issues more quickly, as well as a new landing page for eLearning users. Also, the Veracode Integration for JIRA is now available for download from the Atlassian Marketplace.

Note: Veracode will be making significant improvements to the Veracode Help Center during the summer of 2017. These improvements will impact any Help Center bookmarks you may have saved.

Veracode Static Analysis

Scala Support
Veracode is happy to announce support of the Scala language for Veracode Static Analysis. Users can now submit Scala applications for analysis. In addition, there is enhanced support of the Play web application framework for Java and Scala web applications.
Angular 2.x and 4.x Support
Veracode has improved static analysis of JavaScript applications by implementing support for Angular version 2 and 4.
GCC 4.9 Support
Veracode has improved static analysis of C and C++ applications to support GCC version 4.9.
Additional Data Paths for Flaws
Veracode has improved static analysis reporting by showing additional data paths that could lead to a flaw. The Veracode Platform now shows up to ten data paths for a single flaw. This improves the flaw review process by giving users access to more information to aid in fixing these flaws.

Veracode Application Security Platform

New Platform Support Ticket
Veracode has made improvements to the process of filing support tickets, which enables users to provide more information so that Veracode Support can better understand user issues and provide a faster response.
Enhanced eLearning Student Page
Veracode has enhanced the user experience for how eLearning students view courses. eLearning students are now able to view a to-do list of courses, completed courses, and a listing of all courses on a single page.
AppSec Bytes are now AppSec Tutorials
Veracode has renamed AppSec Bytes to AppSec Tutorials throughout the eLearning product to better reflect the content. AppSec Tutorials continue to provide detailed trainings on an individual flaw's business risk, possible attack vector, and how to remediate the flaw in the future.

Veracode Integrations

Eclipse 4.7 (Oxygen) and IBM RAD 9.6 Support
The Veracode Eclipse Plugin has been certified compatible with Eclipse 4.7 (Oxygen) and IBM RAD 9.6.
Microsoft Team Foundation Server (TFS) 2017 Support
The Veracode VSTS Extension has been certified compatible with Microsoft Team Foundation Server (TFS) 2017.
JIRA Plugin Available from Atlassian Marketplace
The Veracode Integration for JIRA has been updated to simplify installation, and can now be downloaded from the Atlassian Marketplace.
Visual Studio 2017 Support
The Veracode Visual Studio Extension has been updated to support Microsoft Visual Studio 2017.
Note: the Visual Studio Extension does not currently support automated precompilation of ASP.NET Core 1.0 or 1.1 projects.
Updated XML Encoding for Most API and XML Download Reports
Veracode has updated its XML encoder. If you use the Veracode Java or C# wrapper, download the updated version of the wrapper. If you integrate directly with the Veracode APIs, review your XML parsing code if you experience any issues.

Veracode Greenlight

Eclipse Oxygen 4.7 Support
Veracode Greenlight for Eclipse supports the generally available release of Eclipse Oxygen.
Veracode Greenlight Plugin 1.2.2
The Veracode Greenlight plugin for Eclipse version 1.2.2 is available at the end of June and includes usability improvements and bug fixes.

Release 2017.5

The May release introduces a new integration to HP ALM, static framework support for Python Boto3, and new eLearning courses, in addition to a greatly improved static upload experience. This release also announces a new custom report format, improvements to several developer tool integrations, and new Veracode Greenlight enhancements.

On 23 May 2017, for security reasons, Veracode APIs will block connections that use TLS 1.0. In addition, Veracode will also discontinue support of the Team Foundation Server 2010 and Veracode Visual Studio 2010 integrations, which do not support TLS 1.1 or 1.2. However, Veracode Static Analysis will continue to support applications compiled with Visual Studio 2003 and later.

Note: Veracode will be making significant improvements to the Veracode Help Center during the summer of 2017. These improvements will impact any Help Center bookmarks you may have saved.

Veracode Static Analysis
Improvements to Static Upload Tool
Veracode has improved the static upload experience with a new uploader widget that lets you drag and drop files, upload multiple files at once, and provides a more responsive user experience.
Python Boto3 Support
Veracode has improved static analysis of Python applications to support the Boto3 library. Boto3 is used for interfacing with Amazon Web Services, and applications that use the Boto3 library can expect to see additional findings.
Identification of Java and .NET Web Applications
Veracode has improved static analysis of Java and .NET to more accurately identify when submitted applications are web applications. This improvement could result in additional findings, especially when web and non-web components are uploaded in the same scan.

Veracode Application Security Platform

Open Redirect AppSec Tutorial
A new AppSec Tutorial eLearning course for the Open Redirect vulnerability is now available. During this short, 10-minute course, developers see how Open Redirect flaws manifest, then learn to defend their code against this threat.
Secure Coding for Java Course
The latest upgrade of the Veracode Secure Coding for Java course suite now includes new visuals and points of interactivity. These enhancements provide the best practices for coding securely in Java in the most consumable way.
Updated XSD for Detailed Report API
Veracode has made updates to the definition of flaw status for policy and sandbox scans in the Detailed Report XSD to improve usability. This update does not affect the formatting of the Detailed Report PDF or XML file.
Custom Reports Available in CSV Format
Veracode has converted the downloadable portfolio reports available in Reports > Export Data to the comma-separated values (CSV) format with this release.

Veracode Integrations

End of Support for TLS 1.0, and the TFS 2010 and VS 2010 Integrations
For security reasons, starting 23 May 2017, Veracode APIs will block connections that use TLS 1.0. Veracode will also discontinue support of Team Foundation Server 2010 and Visual Studio 2010 integrations, which do not support TLS 1.1 or 1.2. Veracode Static Analysis will, however, continue to support applications compiled with Visual Studio 2003 and later.
You must upgrade the following integrations to support .NET 4.5 and TLS 1.2:
  • .NET wrapper/SDK
  • TFS flaw synchronizer
  • TFS XAML build integration
  • Visual Studio extension

You must upgrade the following integrations if you are using Java 1.7:

  • Java wrapper/SDK
  • Eclipse plugin
  • IntelliJ plugin
  • Jenkins plugin
  • JIRA plugin

To support TLS 1.1 and 1.2 with Java 1.7, you must apply the Java Cryptographic Extension (JCE) Unlimited Strength Jurisdiction Policy to the JREs. The JCE Unlimited Strength Jurisdiction Policy files can be downloaded from Oracle. Note also that Java 1.7 implements TLS 1.1 and 1.2 but does not enable them by default for client connections; for clients built on HttpsURLConnection, the https.protocols system property (for example, -Dhttps.protocols=TLSv1.1,TLSv1.2) enables them. As supporting TLS 1.1 and 1.2 with Java 1.7 requires both an upgrade of Veracode integrations and a patch of the Java 1.7 JRE, Veracode recommends upgrading to Java 1.8 instead.

API Wrapper Improvements
The Java and C# API wrappers are updated to return errors when an API call does not complete as intended, such as when the API call times out. This improvement helps customers using these wrappers, as well as the integrations that are built on them, to debug integration failures and more quickly resolve issues.
HP ALM Support
Users of HPE Application Lifecycle Management 12.x (HP ALM, formerly HP Quality Center) can now synchronize static and DynamicDS flaws from the Veracode Platform as defect entities in HP ALM.
Visual Studio Extension Enhancements
The Visual Studio extension is redesigned to enable the user to minimize the file upload dialog when uploading and scanning from the extension. This change allows the user to continue working while the upload proceeds.
Jenkins Plugin Enhancements
The Veracode Jenkins plugin is enhanced to better support customers using remote build servers. With these changes, a build is now uploaded from the remote build server rather than the master, removing the requirement to copy build artifacts back to the master, which is better aligned with Jenkins best practices.

Veracode Greenlight

Passive Scanning Changes to Auto-Scan
The passive scanning feature in Veracode Greenlight has changed its name to Auto-Scan in the Veracode Greenlight menu, but the functionality remains the same.
Eclipse Greenlight Shortcut Keys
There are now two shortcut keys in Veracode Greenlight to quickly use the filter (Ctrl+8) and clear (Ctrl+0) functions.
Eclipse Greenlight Best Practice Details
The Details tab of the Best Practices for a scan using the Eclipse Greenlight plugin now clearly states which specific CWEs the best practice is "Protected Against".
Eclipse Greenlight Icon Updates
To enhance the user experience, Veracode Greenlight now has new icons to show the status of a scan and a different icon to indicate the clear action.

Veracode Web Application Security

DynamicMP Changes
Veracode DynamicMP now checks for the presence of Struts 2 and its associated vulnerabilities in DynamicMP scans. This check is now available for all customers; previously it was performed on a one-off basis for select customers.

Release 2017.4

The April release delivers new custom cleansing functions that allow users to better control what Veracode identifies as flaws. Veracode has also added support for Visual C++ 2015, the Underscore.js and Backbone.js libraries, and Java 8 lambda functions. In addition, this release provides new eLearning API calls for monitoring your team's progress in your own tracking systems, a new page for requesting support from Veracode, and updated Java and .NET wrappers.

Please note that on 23 May 2017, for security reasons, Veracode APIs will block connections that use TLS 1.0. In addition, Veracode will also discontinue support of the Team Foundation Server 2010 and Veracode Visual Studio 2010 integrations, which do not support TLS 1.1 or 1.2. However, Veracode Static Analysis will continue to support applications compiled with Visual Studio 2003 and later.

Veracode Static Analysis

Custom Cleansers Support
Veracode now allows customers to identify their own input-cleansing functions. These functions provide teams more control over what Veracode identifies as flaws, reducing mitigation review time. Annotating custom cleanser functions is available for Java and .NET applications.
Visual C++ 2015 Support
Veracode has improved static analysis of Windows C++ applications to support Visual C++ 2015.
Underscore.js Support
Veracode has improved static analysis of JavaScript applications by adding support for the Underscore.js library. Customers testing JavaScript applications may find that Veracode Static Analysis will identify additional flaws in applications using Underscore.js.
Backbone.js Support
Veracode has improved static analysis of JavaScript applications by adding support for the Backbone.js library. Customers testing JavaScript applications may find that Veracode Static Analysis will identify additional flaws in applications using Backbone.js.
Improved Java 8 Support
Veracode has improved static analysis of Java applications by adding additional support for Java 8 lambda functions. Customers may find that Veracode Static Analysis will find additional flaws in applications using Java 8.
ASP.NET Core Support
Veracode has improved static analysis of ASP.NET applications to support ASP.NET Core 1.0 and 1.1.
Improved iOS Support
Veracode has improved static analysis of iOS applications by adding additional security checks for iOS 10 APIs. Customers may find that Veracode Static Analysis will find additional flaws in applications using iOS 10.
Play Framework Compatibility Support
Veracode has improved static analysis of Java applications to support initial compatibility with the Play application framework.

Veracode Integrations

TLS 1.0, TFS 2010, and VS 2010 Integrations End of Support
For security reasons, starting 23 May 2017, Veracode APIs will block connections that use TLS 1.0. You must upgrade the following integrations to support .NET 4.5 and TLS 1.2:
  • .NET wrapper/SDK
  • TFS flaw synchronizer
  • TFS XAML build integration
  • Visual Studio addin and extension

You must upgrade the following integrations if you are using Java 1.7:

  • Java wrapper/SDK
  • Eclipse plugin
  • IntelliJ plugin
  • Jenkins plugin
  • JIRA plugin

To support TLS 1.1 and 1.2 with Java 1.7, you must apply the Java Cryptographic Extension (JCE) Unlimited Strength Jurisdiction Policy to the JREs. The JCE Unlimited Strength Jurisdiction Policy files can be downloaded from Oracle. As supporting TLS 1.1 and 1.2 with Java 1.7 requires both an upgrade of Veracode integrations and a patch of the Java 1.7 JRE, Veracode recommends upgrading to Java 1.8 instead.

In addition, Veracode will also discontinue support of Team Foundation Server 2010 and Visual Studio 2010 integrations, which do not support TLS 1.1 or 1.2. Veracode Static Analysis will continue to support applications compiled with Visual Studio 2003 and later.

Updated Java and .NET Wrappers
The Java and .NET API wrappers have been updated to incorporate submodule reporting, which provides more precise locations of where vulnerabilities are located in a customer's uploaded application.
Jenkins Plugin Support
The Jenkins plugin has been updated to allow assigning an application to a team when it is created.

Release 2017.3

The March release announces the availability of the Veracode Greenlight plugin on the Eclipse Marketplace, APIs for eLearning users, and accelerated results for static analyses. With this release, it is now possible for developers to use custom-cleanser functions to control which flaws Veracode identifies in static applications. In addition, there are updates to support for scanning applications that use the underscore.js or backbone.js libraries, and for applications built using the IBM JDK.

Please note that on 23 May 2017, for security reasons, Veracode APIs will block connections that use TLS 1.0. In addition, Veracode will also discontinue support of the Team Foundation Server 2010 and Veracode Visual Studio 2010 integrations, which do not support TLS 1.1 or 1.2. However, Veracode Static Analysis will continue to support applications compiled with Visual Studio 2003 and later.

Veracode Static Analysis

Underscore.js Support
Veracode has improved static analysis of JavaScript applications by adding support for the underscore.js library. Customers testing JavaScript applications may find that Veracode Static Analysis will identify additional flaws in applications using underscore.js.
Backbone.js Support
Veracode has improved static analysis of JavaScript applications by adding support for the backbone.js library. Customers testing JavaScript applications may find that Veracode Static Analysis will identify additional flaws in applications using backbone.js.
IBM JDK Support
Veracode has improved static analysis of Java applications by releasing support for applications built using the IBM JDK.
Accelerated Results
Veracode has made an improvement to how we deliver results for static analyses. Developers can now access results as they become available, prior to scan completion, for applications consisting of multiple modules. Accelerated results are published as each module finishes scanning, and you can triage and mitigate these results in the Triage Flaws view.
Custom Cleansers Support
Veracode now allows customers to identify their own input-cleansing functions. These functions provide teams more control over what Veracode identifies as flaws, reducing mitigation review time. Annotating custom cleanser functions is available for Java and .NET applications.

Veracode Application Security Platform

eLearning Data Extract APIs
Veracode now offers APIs that pull eLearning data from the Veracode Platform, enabling eLearning customers to automate the integration of course and user progress information into their own learning management systems (LMS) and tracking systems.
New First-time User Email
Veracode has enhanced the first-time user registration email sent to all new user accounts on the Veracode Platform. In addition to visual improvements, this email now provides links to helpful demos, tutorials, and getting-started information.

Veracode Greenlight

Latest Version of Veracode Greenlight
Download version 1.0.4 of Veracode Greenlight from your Eclipse IDE, which contains the latest updates and improvements.
Veracode Greenlight for Eclipse
The Veracode Greenlight Eclipse IDE plugin is also now available in the Eclipse Marketplace at https://marketplace.eclipse.org/. Developers can download the Veracode Greenlight Eclipse plugin from the marketplace in their IDE.
Veracode Greenlight Passive Scanning
The new Veracode Greenlight passive scanning feature automatically scans a file when it is saved, removing a manual step for developers. Developers can still trigger Greenlight scans using the UI functions or shortcut keys.

Release 2017.2

The February release delivers general availability for the Static analysis support of the Perl programming language. Also, there are improvements to analysis for PHP, .NET 4.6, and Angular.js. This release also delivers interactivity updates to the .NET Secure Coding eLearning course, as well as a new user registration workflow that enables users to get started faster on the Veracode Platform.

Please note that on 23 May 2017, for security reasons, Veracode APIs will block connections that use TLS 1.0. In addition, Veracode will also discontinue support of the Team Foundation Server 2010 and Veracode Visual Studio 2010 integrations, which do not support TLS 1.1 or 1.2. However, Veracode Static Analysis engine continues to support applications compiled with Visual Studio 2003 and later.

Veracode Static Analysis

Perl General Availability

Veracode is happy to announce Static analysis support for the Perl programming language. Perl 5 CGI applications can now be submitted to Veracode Static Analysis.

.NET 4.6 API Support
Veracode has improved Static analysis of .NET applications by adding additional security checks for .NET 4.6 specific APIs. Customers may find that Veracode Static Analysis identifies additional flaws in applications using .NET 4.6.
Angular-translate
Veracode has improved Static analysis of Angular.js applications by adding support for the angular-translate library. Customers testing Angular.js applications may find that Veracode Static Analysis identifies additional flaws in applications using angular-translate.
PHP Scan Improvements: CWEs 760 and 916
Veracode has improved Static analysis of PHP applications by adding support for additional cryptography-related findings: CWE-760 (use of a one-way hash with a predictable salt) and CWE-916 (use of a password hash with insufficient computational effort). Customers testing PHP applications may find that Veracode Static Analysis identifies additional flaws.
Oracle Data Provider Support for .NET
Veracode has improved Static analysis of .NET applications by adding support for the Oracle Data Provider library. Customers testing .NET applications that make use of this library may find that Veracode Static Analysis identifies additional flaws.

Veracode Application Security Platform

Updated eLearning Course - Secure Coding for .NET
Veracode's Secure Coding for .NET course suite has been completely updated with new interactive points and animations throughout each course.
User Experience Improvements to the New User Registration Process
Veracode has improved the user experience for registration on the Veracode Platform to make it easier for first-time users.

Veracode Integrations

TLS 1.0, TFS 2010, and VS 2010 Integrations End of Support
For security reasons, starting 23 May 2017, Veracode APIs will block connections that use TLS 1.0. You must upgrade the following integrations to support .NET 4.5 and TLS 1.2:
  • .NET wrapper/SDK
  • TFS flaw synchronizer
  • TFS XAML build integration
  • Visual Studio addin and extension

You must upgrade the following integrations if you are using Java 1.7:

  • Java wrapper/SDK
  • Eclipse plugin
  • IntelliJ plugin
  • Jenkins plugin
  • JIRA plugin

To support TLS 1.1 and 1.2 with Java 1.7, you must apply the Java Cryptographic Extension (JCE) Unlimited Strength Jurisdiction Policy to the JREs. The JCE Unlimited Strength Jurisdiction Policy files can be downloaded from Oracle. As supporting TLS 1.1 and 1.2 with Java 1.7 requires both an upgrade of Veracode integrations and a patch of the Java 1.7 JRE, Veracode recommends upgrading to Java 1.8 instead.

In addition, Veracode will also discontinue support of Team Foundation Server 2010 and Visual Studio 2010 integrations, which do not support TLS 1.1 or 1.2. Veracode Static Analysis will continue to support applications compiled with Visual Studio 2003 and later.
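The TLS 1.0 cut-off above (repeated in the 2017.4 and 2017.5 notes) turns into a concrete question for anyone running a Java-based integration: will the JRE this plugin runs on offer TLS 1.1 or 1.2 in its ClientHello, and is the JCE unlimited-strength policy that the notes ask for actually installed? The following added example (not Veracode's code) answers both offline from the JRE's own defaults, so it can be run on the build server before 23 May without touching the Veracode APIs. The remediation hint it prints for Java 1.7 assumes a client built on HttpsURLConnection, which is what the https.protocols property governs.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not Veracode's code: reports whether this JRE can reach an API
 * endpoint that rejects TLS 1.0, using only the JRE's default SSLContext and the
 * JCE policy in effect. No network access is needed.
 */
public class TlsReadinessCheck {

    // Protocols the default SSLContext actually enables, i.e. what a ClientHello
    // made with the defaults will offer.
    public static List<String> enabledProtocols() throws NoSuchAlgorithmException {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    // Protocols the JRE implements at all, enabled by default or not. On Java 7
    // this list contains TLSv1.1 and TLSv1.2 while enabledProtocols() may not.
    public static List<String> supportedProtocols() throws NoSuchAlgorithmException {
        return Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
    }

    // Would a connection made with the defaults survive a server that blocks TLS 1.0?
    public static boolean readyForTls10Shutdown() throws NoSuchAlgorithmException {
        List<String> enabled = enabledProtocols();
        return enabled.contains("TLSv1.1") || enabled.contains("TLSv1.2");
    }

    // The unlimited-strength policy raises the AES key-length cap above 128 bits;
    // with the default restricted policy getMaxAllowedKeyLength("AES") returns 128.
    public static boolean unlimitedStrengthPolicy() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("java.version        = " + System.getProperty("java.version"));
        System.out.println("supported protocols = " + supportedProtocols());
        System.out.println("enabled protocols   = " + enabledProtocols());
        System.out.println("AES max key length  = " + Cipher.getMaxAllowedKeyLength("AES"));

        if (!readyForTls10Shutdown()) {
            System.out.println("TLS 1.1/1.2 are not enabled by default on this JRE: upgrade to Java 8, "
                + "or on Java 7 start HttpsURLConnection clients with "
                + "-Dhttps.protocols=TLSv1.1,TLSv1.2");
        }
        if (!unlimitedStrengthPolicy()) {
            System.out.println("JCE Unlimited Strength Jurisdiction Policy is not installed on this JRE.");
        }
    }
}
```

Run it with the same JRE the Jenkins, Eclipse or IntelliJ integration uses (`java TlsReadinessCheck`), not the developer's desktop JDK; the two often differ. A JRE that lists TLSv1.2 under supported but not under enabled is exactly the Java 1.7 situation the notes describe, and is the case where upgrading to Java 1.8 is the simpler fix.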

Release 2017.1

Happy New Year from Veracode! With this first release of the new year comes the official release of Veracode Greenlight, an Eclipse IDE plugin that provides immediate scan results in your code. In addition, this Veracode release delivers seven improvements to supported languages and frameworks, sub-module level detail in flaw results of static scans, and automated scheduling of consultation calls.

Please note that on 23 May 2017, for security reasons, Veracode APIs will block connections that use TLS 1.0, and Veracode will discontinue support of the Visual Studio 2010 addin and extension.

Veracode Static Analysis

Improved JavaScript Analysis Time
Veracode has improved the analysis time of JavaScript applications as part of the Veracode continuous improvement process.
iOS 10 Support
Veracode has improved static analysis of iOS applications to support iOS 10.
Sub-Module Reporting Improvements
Veracode has improved static analysis flaw reporting in the Veracode Platform and in reports to show more precise detail about the location of a flaw. When a flaw is in a sub-module within a top-level module, we now report the flaw at the most precise level possible. We have also updated the following API calls to return the additional detail:
  • detailedreport.do
  • getcallstacks.do
  • generatearcherreport.do
  • generateflawreport.do
New CWEs for RPG and COBOL
Veracode has improved static analysis of RPG and COBOL applications by adding additional security checks.
TypeScript Support
Veracode has improved static analysis of JavaScript applications by adding support for the TypeScript language.
Android 6 API Support
Veracode has improved static analysis of Android applications by adding additional security checks for Android 6 specific APIs.
Angular.js UI-Router Support
Veracode has improved static analysis of Angular.js JavaScript applications by adding support for the ui-router library.
Rescan Without Reupload in Sandbox
Veracode has improved the rescan without reupload feature to make it also available for sandbox scans.

Veracode Application Security Platform

AppSec Tutorial - Information Leakage
A new AppSec Tutorial course is now available about the Information Leakage flaw. During this 10-minute course, developers can see how Information Leakage flaws manifest and learn how to defend their code against this threat.
Automated Scheduling of Security Consultations
Automated scheduling of security consultations enables users to easily select available and convenient appointment times to speak to Veracode about scan results, improving the user experience and reducing the time it takes to review and manage security findings.

Veracode Integrations

TLS 1.0 and VS 2010 Integrations End of Support
For security reasons, starting 23 May 2017, Veracode APIs will block connections that use TLS 1.0. You must upgrade the following integrations to support .NET 4.5 and TLS 1.2:
  • .NET wrapper/SDK
  • TFS flaw synchronizer
  • TFS XAML build integration
  • Visual Studio add-in and extension
In addition, Veracode will also discontinue support of the Veracode Visual Studio 2010 addin and extension, which do not support TLS 1.1 or 1.2. The static analysis engine will, however, continue to support applications compiled with Visual Studio 2003 and later.

Veracode Greenlight

Veracode is excited to announce the general availability of Veracode Greenlight, a new Veracode product. This Eclipse plugin finds security defects in your code and provides contextual remediation advice to help you fix issues in seconds, right in the Eclipse IDE. Leveraging our proven, SaaS-based static engine, Veracode Greenlight offers immediate results and scales to your needs. You do not need to provision any servers or tune the engine. It simply scans in the background and provides accurate and actionable results, without consuming resources on your machine. With Veracode Greenlight, find issues early, reduce development costs, and release your code on time at the speed of DevOps. Veracode Greenlight is a complement to a Veracode Static Analysis program. Contact your Veracode representative to learn more.