Using Third-Party Components Data

Software Composition Analysis

The Third-Party Components tab lists all the third-party components in your applications, and provides version, usage, license risk, and known vulnerability information.

The list of components shows the filename and an at-a-glance view of the severity of each vulnerability that Veracode found in each component. The Count column shows how many times a component is used across all of your applications. The License column shows the first license Veracode found for the component and the risk rating Veracode assigned to that license.

Use the filter to find components by CVE ID, number of affected applications, blacklist status, component name, severity, or any combination of these criteria. If you sort by the number of known vulnerabilities per severity, the components in the grid are ordered by total severity. If you switch tabs after filtering, the filter continues to apply to the content of the new tab unless you clear it. The Blacklist switch is visible only to users with the Security Lead role.

Note: If you scanned a JavaScript application that uses both the Bower and npm package managers, and a component exists in both the bower_components and node_modules folders, Veracode SCA displays each copy of the component separately.

Component Details

Click a component filename to view detailed information for that component. The details in the popup include:
  • Other Versions: A list of all known versions of this component, an indication of whether that component is currently in your application portfolio, and the known vulnerabilities in that component.
  • Vulnerabilities: The list of vulnerabilities in this component, each with its severity, CVE ID, CWE ID, and description.
  • Dependent Applications: This tab lists any applications that contain this component, the policy associated with each application, and a color-coded shield icon that indicates whether the application complies with its policy.

Click the component link to get more details.

Adding Components to a Blacklist

When reviewing the components that comprise a software application, you can add any component that contains an unacceptable vulnerability to the blacklist. You must have the Security Lead role to add components to the blacklist.

To add components to a blacklist:
  1. Go to Scans & Analysis > Software Composition Analysis.
  2. Find the component that you want to blacklist, and in the Blacklist column, move the switch from OFF to ON.
  3. Optionally, in the Blacklisted Component popup, enter the remediation advice you want to provide for fixing the vulnerability.
  4. Click Save.
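As an added illustration (not Veracode's own code) of the filter combinations and total-severity sort described for the Third-Party Components grid, and of the Security Lead restriction on the Blacklist switch, the following Python models a small component inventory. The severity ranks, field names and placeholder CVE IDs are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed severity ranks for an illustrative "total severity" ordering; the
# page does not state how the grid computes it.
SEVERITY_RANK = {"Very High": 5, "High": 4, "Medium": 3, "Low": 2, "Very Low": 1}

@dataclass
class Component:
    filename: str
    applications: set               # applications containing the component (Count column)
    license_risk: str
    vulnerabilities: list = field(default_factory=list)   # (cve_id, severity) pairs
    blacklisted: bool = False
    remediation_advice: str = ""

    def total_severity(self):
        return sum(SEVERITY_RANK[sev] for _, sev in self.vulnerabilities)

def filter_components(components, cve_id=None, min_affected=None,
                      blacklisted=None, name=None, severity=None):
    """Apply any combination of the grid's filters, then sort by total severity."""
    checks = [
        lambda c: cve_id is None or any(cid == cve_id for cid, _ in c.vulnerabilities),
        lambda c: min_affected is None or len(c.applications) >= min_affected,
        lambda c: blacklisted is None or c.blacklisted == blacklisted,
        lambda c: name is None or name.lower() in c.filename.lower(),
        lambda c: severity is None or any(sev == severity for _, sev in c.vulnerabilities),
    ]
    keep = [c for c in components if all(check(c) for check in checks)]
    return sorted(keep, key=Component.total_severity, reverse=True)

def blacklist_component(component, user_roles, advice=""):
    """Flip the Blacklist switch to ON; only the Security Lead role may do so."""
    if "Security Lead" not in user_roles:
        raise PermissionError("Security Lead role required to blacklist a component")
    component.blacklisted = True
    component.remediation_advice = advice
    return component

# Constructed sample inventory with placeholder CVE IDs (not Veracode output).
INVENTORY = [
    Component("lib-a-1.0.js", {"app-1", "app-2"}, "Low",
              [("CVE-0000-0001", "Medium"), ("CVE-0000-0002", "High")]),
    Component("lib-b-2.3.jar", {"app-1"}, "Medium", [("CVE-0000-0003", "Very High")]),
    Component("lib-c-0.9.js", {"app-3"}, "High"),
]
```

Calling `filter_components(INVENTORY, severity="High")` returns only the component that has a High-severity vulnerability, and the unfiltered call returns the inventory ordered by total severity.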

Set Blacklist toggle to ON or OFF.

You can change the remediation advice for any component at any time by clicking Edit at the end of the remediation advice line and changing the text in the Blacklisted Component popup.

Enter the remediation advice in the popup.

Use the filter to list applications by CVE ID, component, application name, or any combination of these criteria.