Displaying Results with the Veracode Jenkins Plugin


You can choose to display the results of a Veracode Static Analysis scan in Jenkins for freestyle or pipeline jobs.

To display the Veracode scan results, you must select the Wait for scan to complete checkbox when you configure the Jenkins job. If you configure the Jenkins job to scan with Veracode and wait for the results, the results appear on the build summary page and indicate the policy compliance status of the scan.

Click the Veracode link in the left navigation pane or in the main summary to see the results details.

The details page provides:
  • Overall policy compliance status
  • Policy name
  • Policy rules:
    • Veracode Level
    • Static scan requirement
    • Static scan score
  • Link to the Executive Summary page on the Veracode Platform
  • Flaw count table (derived from the Veracode Detailed Report)
  • Flaw trend chart (only against successful Jenkins builds)

If scans do not complete due to errors, the Jenkins build summary states that results are unavailable. The console output lists more information, including the cause of the error.

In master/slave Jenkins environments, the master returns the Veracode scan results and, therefore, must have access to the Veracode Platform. If there is no access to the Veracode Platform, the Jenkins build status is not affected.
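For pipeline jobs, the Wait for scan to complete setting is expressed as a step parameter rather than a checkbox. The following Jenkinsfile is an added example, not taken from the Veracode documentation page itself: it assumes the plugin's `veracode` pipeline step with `waitForScan`, `timeout` and `canFailJob`, and the application name, artifact pattern and credentials ID (`veracode-api`) are constructed placeholders.

```groovy
// Added example: declarative pipeline that uploads a build artifact for
// Static Analysis and waits for the result so it shows on the build summary.
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Placeholder build command; replace with the project's own.
                sh './gradlew clean assemble'
            }
        }
        stage('Veracode Static Analysis') {
            steps {
                // Keep the API ID and key in the Jenkins credentials store
                // instead of hardcoding them in the Jenkinsfile.
                // 'veracode-api' is a constructed credentials ID.
                withCredentials([usernamePassword(
                        credentialsId: 'veracode-api',
                        usernameVariable: 'VERACODE_ID',
                        passwordVariable: 'VERACODE_KEY')]) {
                    veracode(
                        applicationName: 'example-app',      // constructed name
                        criticality: 'VeryHigh',
                        scanName: "jenkins-${env.BUILD_NUMBER}",
                        uploadIncludesPattern: '**/build/libs/*.jar',
                        // Equivalent of the "Wait for scan to complete" checkbox:
                        // without it, no results are shown in Jenkins.
                        waitForScan: true,
                        // Minutes to wait before giving up on the scan.
                        timeout: 60,
                        // Let a failed policy evaluation fail the build.
                        canFailJob: true,
                        // Read from env to avoid Groovy string interpolation
                        // of secrets.
                        vid: env.VERACODE_ID,
                        vkey: env.VERACODE_KEY
                    )
                }
            }
        }
    }
}
```

With `canFailJob` left at `false`, the policy compliance status is still reported on the build summary, but the build result does not depend on it.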

SCA Results

If the organization associated with the Veracode Platform account is configured to provide Software Composition Analysis (SCA) results, the details page includes additional information related to the analysis.

In addition to the information in the standard details page, the SCA details page provides:
  • Number of blacklisted SCA components
  • Highest found Common Vulnerability Scoring System (CVSS) score
  • SCA vulnerability count table
  • List of components added since the previous build