When Veracode implements support for version 3.2 of the MITRE CWE list in June 2019, additional findings will cause policies to fail if those policies are configured to meet the OWASP 2017 or CERT security standards. Using Veracode Analytics, you can identify which applications contain findings that will fail policy when Veracode supports CWE 3.2.
About this task
To identify which applications in your application security program currently pass policy but will fail policy when Veracode implements support for CWE 3.2:
- Navigate to .
- From the Findings pane, click Filter on the Current
- In the Applications Current Policy field, select the name of a policy configured to meet the OWASP 2017 or CERT security standard.
Note: PCI 3.2.1 contains the OWASP 2017, CERT, and SANS security standards.
- From the Findings pane, click Filter on the Policy or Sandbox Scan dimension.
- In the Findings Policy or Sandbox Scan field, select Policy to limit the results to findings from policy scans.
- From the Findings pane, click Filter on the Policy Rule Passed (Yes / No) dimension.
- In the Findings Policy Rule Passed (Yes / No) field, select Yes to limit the results to findings that currently do not cause your application to fail policy.
- From the Findings pane, click Filter on the ID dimension.
- In the CWE ID field, enter the CWE IDs that will be added to the standards included in your policy.
  - OWASP 2017: 117
  - CERT: 117, 121, 122, 123, 125, 191, 194, 195, 227, 253, 327, 331, 338, 456, 481, 664, 666, 672, 680, 685, 758, 762, 771, 772, 773, 775, 786, 789, 843, 908, 910
Note: You can copy and paste this list directly into the CWE ID field.
- From the Findings pane, select the Application Name dimension and the Total Number of Findings - Application measure to include them as fields in your
Note: Do not click the Filter or Pivot button for these fields. Just click on the name of the field.
- From the Findings pane, click Pivot on the Finding Status dimension to indicate in your visualization whether the findings are open or closed in the latest scan of your applications.