Using Veracode Software Composition Analysis

Software Composition Analysis

Veracode Software Composition Analysis (SCA) helps you build an inventory of the third-party Java, .NET, and JavaScript components in your applications, including open-source and commercial code, so that you can identify vulnerabilities in them.

The Veracode Platform analyzes both your own and third-party code in a single scan, giving you visibility across your entire application portfolio. You can access SCA results after your static prescan is complete.

To use Veracode Software Composition Analysis, select Scans & Analysis > Software Composition Analysis at the top of the Veracode Platform. You must have the Executive, Security Lead, or Administrator role to view the data. You can also navigate to SCA from the left navigation menu to view SCA in the context of an application.

Depending on your role, you can:

Detailed composition information is organized by the following tabs:

Click Download to save a copy of the Veracode Software Composition Analysis report in CSV format. This report contains details about all components across all applications in your portfolio.
Note: In the report, you may see duplicate vulnerabilities if the same component is found in multiple locations within an application.
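
The duplicate rows described in the note can be collapsed before you count findings. The following is an added example, not Veracode code; the column names (Application, Component, Version, Vulnerability, Severity, Path) and the sample rows are assumptions, so substitute the headers from your downloaded file.

```python
import csv
import io

# Constructed sample data. The column names are assumptions, not the
# documented schema of the Veracode report.
SAMPLE_CSV = """Application,Component,Version,Vulnerability,Severity,Path
Storefront,example-lib.jar,1.2.0,VULN-PLACEHOLDER-1,High,WEB-INF/lib/example-lib.jar
Storefront,example-lib.jar,1.2.0,VULN-PLACEHOLDER-1,High,plugins/report/lib/example-lib.jar
Storefront,example-json.jar,1.0.0,VULN-PLACEHOLDER-2,Medium,WEB-INF/lib/example-json.jar
Billing,example-lib.jar,1.2.0,VULN-PLACEHOLDER-1,High,lib/example-lib.jar
"""

# A finding is treated as the same one when these columns all match.
KEY_COLUMNS = ("Application", "Component", "Version", "Vulnerability")


def collapse_duplicates(report_file, key_columns=KEY_COLUMNS, path_column="Path"):
    """Merge rows that differ only by component location.

    Returns one dict per unique finding, in first-seen order, with every
    location gathered in a "Paths" list so no information is lost.
    """
    reader = csv.DictReader(report_file)
    header = reader.fieldnames or []
    missing = [c for c in (*key_columns, path_column) if c not in header]
    if missing:
        raise ValueError(f"report is missing expected columns: {missing}")

    findings = {}
    for row in reader:
        key = tuple(row[c].strip() for c in key_columns)
        if key not in findings:
            merged = {k: v.strip() for k, v in row.items() if k != path_column}
            merged["Paths"] = []
            findings[key] = merged
        path = row[path_column].strip()
        if path and path not in findings[key]["Paths"]:
            findings[key]["Paths"].append(path)
    return list(findings.values())


if __name__ == "__main__":
    for finding in collapse_duplicates(io.StringIO(SAMPLE_CSV)):
        print(finding["Application"], finding["Component"],
              finding["Vulnerability"], len(finding["Paths"]), "location(s)")
```

The same component in a different application stays a separate finding, because the application name is part of the key.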
