Veracode Application Security Platform Past Release Notes

Veracode Release Notes

View the list below for highlights of previous releases.

November 25, 2019

Basic Authentication Obsolete
Veracode no longer supports basic authentication for Veracode integrations and API calls. All automation or ad hoc queries configured to use basic username and password authentication now fail. All integrations and APIs now require HMAC authentication.
Promoted Scan Attribute in Veracode Analytics
Veracode Analytics now allows you to filter your data to only include results from scans promoted from sandbox to policy.

November 6, 2019

New Video - Create a Custom Policy in the Veracode Platform
This video shows you how to create a custom policy in the Veracode Platform.

November 4, 2019

Veracode Analytics Provides Mitigation Details
Veracode Analytics now provides details of your most recent mitigation actions. This enhancement enables you to build reports or graphs on the most recent proposal, acceptance, or rejection of a mitigation. Additional mitigation details include the date or time of the mitigation action, the associated comment, and the username of the person who took the action. This new data enables you to better inspect and improve your use of mitigations to address security findings that Veracode discovers. If you do not use Veracode Analytics, the same level of detail is also provided if you have purchased the Veracode Mitigation Proposal Review (MPR) service.
Veracode Analytics Adds Module Name Dimension
Veracode Analytics now provides the name of the module where the finding was most recently seen. This dimension enables you to better focus your remediation efforts and find trends in your Veracode Static Analysis results.

October 9, 2019

Configurable Policy Notifications
Veracode now provides the option to subscribe to and unsubscribe from notifications for events related to your policies, such as upcoming scan requirements, grace period expirations, and new policy assignments.

October 5, 2019

Retired Basic Authentication for APIs and Integrations
Veracode has retired basic authentication for Veracode integrations and XML APIs. Basic authentication consists of only a username and password. If you have not already moved to API ID and key authentication, complete these steps:
  1. Generate API ID and key credentials for your Veracode Platform account.
  2. Configure your integration to use API ID and key credentials. This step applies to officially supported Veracode integrations and custom-scripted integrations.
    Note: The Veracode Java and C# API wrappers support API ID and key credentials. For other custom integrations, you must include HMAC signing in your script.
For more information, see the Veracode Community or contact Veracode Technical Support.
Python Authentication Library Supports Python 3
The Python authentication library, which Veracode uses for HMAC authentication, now supports Python 3. You can download and install the library from the Python Package Index (PyPI).
Scan Requirements Cause Applications to Fail Policy
Applications now fail policy if they fail the scan frequency requirement, regardless of the remediation grace period allowed in the policy.
Discontinued Curriculum Self-Assignment for eLearning
Veracode has removed the option for Veracode administrators to allow eLearning users in their organization to assign their own curriculum.
XML API Report Calls Indicate Accessibility of Software Composition Analysis Results
The detailedreport.do and summaryreport.do XML APIs now include the SoftwareCompositionAnalysis attribute, which provides information on the accessibility of Software Composition Analysis (SCA) results for an application. The attribute indicates whether an error, such as a network issue, is preventing access to the SCA results or whether the results are no longer available.

August 27, 2019

Veracode Analytics Reports Show User Roles and SAML Authentication
You can now create Veracode Analytics reports that include a list of roles assigned to each user and show which users are using SAML authentication.

August 14, 2019

New Video - Create a New Application Profile in the Veracode Platform
This video shows you how to create a new application profile in the Veracode Platform.
New User Roles and SAML Data Available in Analytics
You can now build reports in Veracode Analytics that include the list of roles assigned to a user and indicate if a user chose SAML for authentication.

August 5, 2019

New Video - Create and Manage Users and Teams in the Veracode Platform
This video shows you how to create and manage users and teams in the Veracode Platform.

August 1, 2019

Triage Flaws Links to New eLearning Secure Coding Courses
On the Static Analysis Triage Flaws page, the CWE findings are updated to link to new recommended eLearning Secure Coding courses for Python and OWASP 2017.

July 20, 2019

Update to CWE Version 3.3
Veracode has updated the CWEs we support to conform to the new CWE version 3.3.
Greenlight Usage Dashboard in Analytics
If you are a Greenlight user, you can now access scan usage data directly in Veracode Analytics. Veracode provides a dashboard with relevant information as well as an Explore where you can create reports and visualizations for your Greenlight data from a blank template. If you are not a Greenlight user, you see the Greenlight dashboard and Explore but no data is available.
Remediation Guidance and Code Examples Available in eLearning
Veracode now provides in eLearning remediation guidance with code examples in .NET and Java for seven CWEs. You can access this information in the eLearning Knowledge Base by clicking the links within the following flaw categories:
  • Directory Traversal (CWE-73)
  • OS Command Injection (CWE-78)
  • Cross Site Scripting [XSS] (CWE-80)
  • SQL Injection (CWE-89)
  • CRLF Injection in Logs (CWE-117)
  • Information Leakage (CWE-209)
  • Open Redirects (CWE-601)
AppSec Tutorials Available from the Triage Flaws Page
All Veracode Platform users can now access AppSec tutorials via links on the Triage Flaws page. The tutorials provide detailed information to help you better understand scan findings and remediation.

July 10, 2019

Email Subscriptions for Veracode News and Product Updates
In the Veracode Platform, you can now subscribe to emails about the latest product updates, industry news, and Veracode events.

July 8, 2019

Retiring Basic Authentication for APIs and Integrations
In the September 2019 Veracode Platform release, Veracode will retire basic authentication for Veracode integrations and XML APIs. Basic authentication consists of only a username and password. If you currently use basic authentication, complete these steps:
  1. Generate API ID and key credentials for your Veracode Platform account.
  2. Configure your integration to use API ID and key credentials. This step applies to officially supported Veracode integrations and custom-scripted integrations.
    Note: The Veracode Java and C# API wrappers support API ID and key credentials. For other custom integrations, you must include HMAC signing in your script.

For more information, see the Veracode Community or contact Veracode Technical Support.

CWE Version 3.2
Veracode now supports Common Weakness Enumeration (CWE) version 3.2.

Veracode references the CWE for many of the findings discovered through its products. Updating to CWE 3.2 impacts which CWE IDs you need to fix to comply with the OWASP 2017, CERT, and PCI standards. Applications that had previously passed policy may fail if they include findings that are now included in these standards.

To understand how this change impacts your security program, see the new mappings for each security standard.

For more information about CWE 3.2, see the announcement from MITRE.

July 1, 2019

SSL Certificates Will Begin to Expire
Starting mid-July 2019, Veracode SSL certificates that may be embedded in local trust stores will begin to expire. If this change affects your use of the Veracode APIs, read more in the Help Center for instructions on resolving the issue.

June 19, 2019

New Python eLearning Courses
Veracode eLearning has released this set of secure coding courses for Python:
  • Secure Coding for Python - Authentication
  • Secure Coding for Python - Authorization
  • Secure Coding for Python - Configuration & Deployment
  • Secure Coding for Python - Data Protection
  • Secure Coding for Python - Information Handling
  • Secure Coding for Python - Trust Boundaries
  • Secure Coding for Python - Validation and Encoding

These courses cover application security practices and associated vulnerabilities, including the OWASP Top Ten, and secure coding techniques in Python.

When managing eLearning users who use custom curricula, administrators can add new courses to existing and new curricula by selecting the Required option in the Curriculum Details section of the respective curricula.

June 13, 2019

Configurable Sandbox Notifications
Veracode provides the option to configure your sandbox scan notification settings to send emails regarding only the sandboxes you create. This additional customization eliminates unnecessary emails while providing visibility to your relevant scan activity.

May 30, 2019

Veracode Platform Disables Unused User Accounts
The Veracode Platform automatically disables any user account that has not been logged in to within two years of its last login. Please contact Veracode Technical Support if you need to re-enable an account.
Findings REST API Adds Statistics Endpoint
The new Findings REST API statistics endpoint summarizes findings information for an application by resolution type, finding status, severity, and CWE. This additional level of statistics provides the detail needed to create more comprehensive reports.

May 29, 2019

CWE Version 3.2
In the 2019.6 Veracode Platform release, Veracode will introduce support for Common Weakness Enumeration (CWE) version 3.2.

Veracode references the CWE for many of the findings discovered by its products. Updating to CWE 3.2 will impact which CWE IDs you need to fix to comply with the OWASP 2017, CERT, and PCI standards. When the June release implements this update, applications that had previously passed policy may fail if they include findings that have been added to these standards.

To understand how this change may impact your security program, see the new mappings for the OWASP and CERT standards. You can also generate a report of the applications the update affects.

For more information about CWE 3.2, see the announcement from MITRE.
Data Export Includes Informational Flaws Category
The Applications data export has a new column that lists Informational Flaws. This change affects any downstream reporting that relies on an expected column order for the Applications data export. You generate data exports from the Analytics tab in the Veracode Platform.
Veracode Help Center Updated With XML API for Uploading Large Files
Veracode has updated the Help Center to describe the uploadlargefile.do API call. You can use the call to upload a large file for static scanning. The call uploads the file as a set of parts to avoid timeout errors, which can occur when uploading a file with the uploadfile.do call.

May 15, 2019

Unsubscribe from Optional Scan Notifications

Veracode now provides the option to unsubscribe from some scan notifications. Instead of receiving all the scan notifications associated with your role and team membership, you can disable the optional email notifications for specific scan types that are not relevant to you.

May 6, 2019

Updated Introduction to PCI DSS for Developers eLearning Course
Veracode has updated the eLearning course Introduction to PCI DSS for Developers to reflect the PCI standard update from version 3.2 to version 3.2.1.

April 23, 2019

Informational Findings Option in Customizable Report
Veracode now provides the option to include informational findings in your Customizable Report. Informational findings contain contextual security details that may add value to your report.

April 19, 2019

CWE Version 3.2
In the 2019.6 Veracode Platform release, Veracode will introduce support for Common Weakness Enumeration (CWE) version 3.2.

Veracode references the CWE for many of the findings discovered by its products. Updating to CWE 3.2 will impact which CWE IDs you need to fix to comply with the OWASP 2017, CERT, and PCI standards. When the June release implements this update, applications that had previously passed policy may fail if they include findings that have been added to these standards.

To understand how this change may impact your security program, see the new mappings for the OWASP and CERT standards. You can also generate a report of the applications affected by the update.

For more information about CWE 3.2, see the announcement from MITRE.

April 12, 2019

Conditional Pass Updates
Veracode now calculates grace periods based on the date a finding is first found or reopened instead of the last time a finding is found or reopened. You must fix the finding before the grace period ends to pass policy. In addition, if your policy has scan type and frequency requirements, your application fails policy until those requirements are met instead of moving into a Conditional Pass state.
Analytics Drilldown Details
Veracode Analytics now enables you to drill down to a more granular level, directly from a chart. You can click a data point in a chart or visualization to see additional data. These data points are defined by the measures used for the visualization and are available for all Veracode-defined visualizations and custom visualizations you have created for yourself or your organization.

April 5, 2019

Policy REST API
The Veracode Policy REST API enables you to create, read, update, and delete policies, as well as evaluate an application or sandbox against any policy. You can use this API to assess an application or sandbox against any policy, even one not currently assigned to the application. The response from the policy evaluation shows you why the application is passing or failing policy, including scan frequency requirements and findings that are past their grace period due date.
Manual Testing REST API
The Veracode Manual Testing REST API provides access to details about published Manual Penetration Testing (MPT) scans and findings. It works with the Findings API to provide more information about MPT findings, including detailed notes from the penetration tester, screenshots, and code samples, if provided.

March 29, 2019

More Frequent Analytics Refresh
Veracode Analytics now updates every four hours, an improvement on the previous cadence of every six hours.
Largest Scan Analytics Data
Veracode Analytics has a new data point. The Largest Scan Size measure provides the size in MB of the largest static scan for the selected dimension, across all policy and sandbox scans.

March 25, 2019

PCI 3.2.1 Support
Veracode has updated its support for the PCI standard to adhere to PCI version 3.2.1, which is now reflected in the Veracode PCI Report. There are no changes to the PCI policy and the definitions of findings that fall under the PCI requirements.
Data Export Includes Informational Flaws Category
The Applications data export has a new column that contains Informational Flaws. This change affects any downstream reporting that relies on an expected column order for the Applications data export. You generate data exports from the Analytics tab in the Veracode Platform.
Analytics Static Lines of Code Measurement Update
Veracode Analytics has updated the static lines of code measurement in the Static Scan - General dimension to provide more accurate data.
New Manual Penetration Testing Finding Details API
Veracode has a new REST API that enables the retrieval of additional data about manual penetration testing (MPT) findings, including screenshots, code snippets, and detailed notes from the Veracode MPT testers. This API works together with the Findings API to provide a complete view of manual findings data.
New eLearning User Incentive Program - Learner Levels
Veracode is introducing an incentive program in which eLearning users can work towards achieving Learner Level badges while enhancing their secure coding knowledge. Learner levels are tiered categories of Veracode eLearning courses that align with the Veracode Verified program.

February 26, 2019

Informational Findings in Applications Data Exports Report
In the 2019.3 release, Veracode will add a column to the Applications Data Exports in the Veracode Platform to include informational findings. This change affects any downstream reporting that relies on an expected column order for the Applications Data Export. You generate Data Exports from Analytics in the Veracode Platform.
Removal of the Veracode Directory
Veracode is simplifying the Veracode Platform by removing the Veracode Directory.

February 11, 2019

New Configuration Calls for Consultations
You can now schedule a consultation call for assistance with configuring a static or dynamic scan from the Veracode Platform. In addition, you can schedule a scan results consultation call from the Application Overview page.

February 7, 2019

Manual Penetration Tests Use CVSS 3.0
Veracode Manual Penetration Tests now use Common Vulnerability Scoring System (CVSS) version 3.0 to provide you with the latest vulnerability information.
Updated Time to Resolve Calculation
In Veracode Analytics, the calculation for the Time to Resolve measure has been updated to better handle mitigations as a resolution type.

February 4, 2019

Added MPT Fields in Customizable Report
The information in the Reviewer Note, Note, and Location fields from Veracode Manual Penetration Testing (MPT) now appears in the Customizable Report.
Business Unit Filter for Veracode Analytics
You now have the ability to filter by business unit on all Veracode Dashboards to view analytics data on specific functions of your business.

January 7, 2019

Veracode Analytics General Availability
The new Veracode Analytics functionality allows you to quickly view information about your security program using built-in dashboards. You can also construct your own data visualizations and access them from personal or shared dashboards. The new analytics data includes detailed findings information, average time to remediate findings, and mitigation status reporting, and is restructured for improved performance.