Veracode uses multiple data sources for vulnerabilities: Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD), and Veracode Agent-Based Scan vulnerabilities (SRCCLR) from the Veracode Agent-Based Scan Vulnerability Database.
To find vulnerabilities outside of the NVD, the researchers at Veracode Agent-Based Scan curate and validate public database entries and track developer lists, code commits and releases, discussion forums, underground bulletin boards, and social chatter. The technology uses machine learning, extracting patterns from known vulnerabilities and applying new techniques and theories. Veracode Agent-Based Scan uses clone verification to validate that versions are patched as intended.
Vulnerability Data Sources
The Vulnerability column in the Veracode Platform may list IDs from two different data sources: a CVE ID indicates that the vulnerability came from the NVD, and a SRCCLR ID indicates that the vulnerability came from the SCA Vulnerability Database.