Veracode uses multiple data sources for vulnerabilities: Common Vulnerabilities and Exposures (CVE) from the National Vulnerability Database (NVD), and SourceClear vulnerabilities (SRCCLR) from the SourceClear Vulnerability Database.
The researchers at SourceClear find vulnerabilities outside of the NVD by curating and validating public database entries and by tracking developer lists, code commits and releases, discussion forums, underground bulletin boards, and social chatter. The technology uses data science and deep learning, extracting patterns from known vulnerabilities and applying new techniques and theories. SourceClear uses clone verification to validate that versions have been patched as intended.
Vulnerability Data Sources
On the Veracode Platform, you may see two different data sources listed for vulnerabilities. In the Vulnerability column, a CVE ID indicates that the vulnerability came from the NVD, and a SRCCLR ID indicates that it came from the SourceClear Vulnerability Database.