Frequently Asked Questions (FAQ)


This section contains the answers to common questions about the Veracode XML APIs, plugins, and REST APIs.

XML API and Veracode Plugin FAQ

Question Answer
How can I call the APIs from the command line without showing my password? If you are using cURL from the command line and want to mask your password, eliminate the “:<VeracodePassword>” portion of the statement. For example, if you write:
curl --compressed -u <VeracodeUsername>:<VeracodePassword> -F "app_id=<app_id>"
Instead write:
curl --compressed -u <VeracodeUsername> -F "app_id=<app_id>"
If you do this, you are prompted for the password on the next line. The password is not displayed on the screen.
Why does Veracode use passwords for API integrations? I thought passwords were inherently insecure. Veracode recommends that you change to using the Veracode API ID and key with HMAC signing, where possible, because this method provides maximum protection against man-in-the-middle and session replay attacks. User credential authentication using username and password is only supported on the Veracode XML APIs, which are the legacy APIs, while the REST APIs are the newer APIs that Veracode offers.
Does the Veracode Eclipse Plugin work with other Eclipse-derived IDEs? The Veracode Eclipse Plugin may run on Eclipse-derived IDEs like Spring Suite, but Veracode does not provide support for these IDEs.
How do I check prescan results in the API? Prescans usually complete very quickly and you receive email notifications when they complete. If you want to check for prescan results using the Upload API, use the call.
How do I use the API to query tags in the Results API? If you want to query tags in applications, you can add unique tags as metadata when creating your applications. You can then query your applications based on any of the metadata. Use to create an application with metadata. Use the following calls of the Results API to get the scan results of applications: to get the full list of your applications and then to get information for a specific application, including any metadata, if applicable. To get a detailed report for any application, call, which returns the results in an XML document.
How does Veracode ensure secure communication when making API calls to the Veracode Platform? Using the Veracode API ID and key credentials ensures the most secure communication when using APIs. Security features include HMAC signatures to ensure the identity of the requester, a nonce to prevent replay attacks, and the ability to revoke API ID and key pairs if they are ever compromised.

When using user credentials, Veracode uses TLS 1.2 or later for both the IDE plugins and for the Veracode XML APIs, which ensures that data transmitted between your client and the Veracode Platform is encrypted and secure.

How do I run an API scan if there are "unsupported frameworks" warnings in my prescan results? If you want to ensure the scan completes even though there are non-fatal errors such as unsupported frameworks, ensure you use the scan_all_top_level_modules parameter when you use the call. Alternately, you can use scan_selected_modules, scan_previously_selected_modules, or modules with a list of module IDs, returned by the prescan.
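
The answers above on API ID and key credentials name three protections: an HMAC signature that proves who sent the request, a nonce that stops replay, and revocable key pairs. The following Python sketch is an added example, not Veracode's signing scheme or code; the message layout, field names, result strings, and the 300-second freshness window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # assumed freshness window in seconds

def _mac(key, api_id, method, host, path, ts, nonce):
    # Assumed message layout: every field that must not change is signed.
    msg = "\n".join([api_id, method.upper(), host, path, ts, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_request(api_id, key, method, host, path, now=None):
    """Client side: build the auth fields sent with one request."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)  # fresh random value per request
    sig = _mac(key, api_id, method, host, path, ts, nonce)
    return {"id": api_id, "ts": ts, "nonce": nonce, "sig": sig}

class Verifier:
    """Server side: checks the signer's identity, freshness and nonce reuse."""
    def __init__(self, keys):
        self.keys = keys  # api_id -> secret key; deleting an entry revokes the pair
        self.seen = {}    # (api_id, nonce) -> time after which it can be forgotten

    def verify(self, auth, method, host, path, now=None):
        now = int(time.time() if now is None else now)
        key = self.keys.get(auth["id"])
        if key is None:
            return "unknown-or-revoked-id"
        expected = _mac(key, auth["id"], method, host, path, auth["ts"], auth["nonce"])
        if not hmac.compare_digest(expected.encode(), auth["sig"].encode()):
            return "bad-signature"  # wrong key, or a signed field was altered
        ts = int(auth["ts"])  # ts is covered by the signature just verified
        if abs(now - ts) > MAX_SKEW:
            return "stale-timestamp"
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if (auth["id"], auth["nonce"]) in self.seen:
            return "replayed-nonce"  # a captured request sent a second time
        self.seen[(auth["id"], auth["nonce"])] = ts + MAX_SKEW
        return "ok"

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample credential
    server = Verifier({"demo-id": key})
    req = sign_request("demo-id", key, "GET", "api.example.test", "/v1/apps")
    print(server.verify(req, "GET", "api.example.test", "/v1/apps"))     # first use
    print(server.verify(req, "GET", "api.example.test", "/v1/apps"))     # replay
    print(server.verify(req, "DELETE", "api.example.test", "/v1/apps"))  # altered method
```

The secret key never travels with the request, so an intercepted request exposes only a signature that is bound to one method, host, path, timestamp, and nonce.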


Question Answer
Can I use my Veracode Platform username and password with the Veracode REST APIs? No, only the Veracode API credentials and HMAC signing are supported with the REST APIs.
I want to use HMAC signing but I am not using Java. What are my options? You can do one of the following: