Veracode Application Security Platform Release Notes

Veracode Release Notes

December 10, 2019

New Workflow for Managing Policies
The Veracode Platform now includes a more streamlined policy management workflow. This update simplifies the process of creating and editing application policies.

December 7, 2019

Authentication Upgrade
Veracode has upgraded its back-end authentication functions for user access to the Veracode Application Security Services products. You will receive a prompt to update your security question and answer pair and your multifactor authentication (MFA) method, if your account requires MFA.
Updated MFA Support
Veracode now supports using Google Authenticator, FIDO2, and WebAuthn for MFA. Administrators can assign MFA requirements to users in their organization, prompting them to set up MFA the next time they log in.
Veracode no longer supports RSA tokens. Please mail your RSA tokens to Veracode for recycling at this address:
Attn: IT Support
65 Network Drive
Burlington, MA 01803
To receive a free shipping label from Veracode, contact Veracode Technical Support at

November 25, 2019

Basic Authentication Obsolete
Veracode no longer supports basic authentication for Veracode integrations and API calls. All automation or ad hoc queries configured to use basic username and password authentication now fail. All integrations and APIs now require HMAC authentication.
Promoted Scan Attribute in Veracode Analytics
Veracode Analytics now allows you to filter your data to only include results from scans promoted from sandbox to policy.

November 6, 2019

New Video - Create a Custom Policy in the Veracode Platform
This video shows you how to create a custom policy in the Veracode Platform.

November 4, 2019

Veracode Analytics Provides Mitigation Details
Veracode Analytics now provides details of your most recent mitigation actions. This enhancement enables you to build reports or graphs on the most recent proposal, acceptance, or rejection of a mitigation. Additional mitigation details include the date or time of the mitigation action, the associated comment, and the username of the person who took the action. This new data enables you to better inspect and improve your use of mitigations to address security findings that Veracode discovers. If you do not use Veracode Analytics, the same level of detail is also provided if you have purchased the Veracode Mitigation Proposal Review (MPR) service.
Veracode Analytics Adds Module Name Dimension

Veracode Analytics now provides the name of the module where the finding was most recently seen. This dimension enables you to better focus your remediation efforts and finds trends in your Veracode Static Analysis results.

October 9, 2019

Configurable Policy Notifications
Veracode now provides the option to subscribe to and unsubscribe from notifications for events related to your policies, such as upcoming scan requirements, grace period expirations, and new policy assignments.

October 5, 2019

Retired Basic Authentication for APIs and Integrations
Veracode has retired basic authentication for Veracode integrations and XML APIs. Basic authentication consists of only a username and password. If you have not already moved to API ID and key authentication, complete these steps:
  1. Generate API ID and key credentials for your Veracode Platform account.
  2. Configure your integration to use API ID and key credentials. This step applies to officially supported Veracode integrations and custom-scripted integrations.
    Note: The Veracode Java and C# API wrappers support API ID and key credentials. For other custom integrations, you must include HMAC signing in your script.
For more information, see the Veracode Community or contact Veracode Technical Support.
Python Authentication Library Supports Python 3
The Python authentication library, which Veracode uses for HMAC authentication, now supports Python 3. You can download and install the library from the Python Package Index (PyPI).
Scan Requirements Cause Applications to Fail Policy
Applications now fail policy if they fail the scan frequency requirement, regardless of the remediation grace period allowed in the policy.
Discontinued Curriculum Self-Assignment for eLearning
Veracode has removed the option for Veracode administrators to allow eLearning users in their organization to assign their own curriculum.
XML API Report Calls Indicate Accessibility of Software Composition Analysis Results

The and XML APIs now include the SoftwareCompositionAnalysis attribute, which provides information on the accessibility of Software Composition Analysis (SCA) results for an application. The attribute indicates whether there is an error, such as a network issue, preventing access to the SCA results or the results are no longer available.