Veracode Analytics Frequently Asked Questions (FAQ)


What data can I see in Veracode Analytics?

Veracode Analytics includes data from:

  • Static Analysis
  • DynamicDS
  • Manual Penetration Testing
  • DynamicMP or Dynamic Analysis scans that are linked to applications

Veracode Analytics does not currently include data from:
  • Veracode eLearning
  • Veracode Software Composition Analysis
  • Discovery
  • DynamicMP or Dynamic Analysis scans that are not linked to applications
You can view Veracode Analytics data on only the applications to which you have access in the Veracode Platform, based on your user roles and team memberships. If you have a team-limited role such as Reviewer, you can only view applications from the teams to which you belong.

The following roles grant access to Veracode Analytics data:

All teams: Security Lead or Executive

User's teams only: Security Insights

How frequently does Veracode refresh the data?
Veracode Analytics receives refreshed data from the Veracode Platform every four hours.
What are dimensions and measures? How are they different?
Dimensions are qualitative pieces of information. In Veracode Analytics, dimensions always relate to the parent explore concept: applications, scans, findings, or users. For example, under the applications explore, Business Unit, Created Date, and Current Policy Compliance are all dimensions of the applications explore.

Measures are mathematical aggregations. Similarly to dimensions, measures are always related to the parent explore concept. For example, under the scans explore, Count, Count 365 Days, and Count 90 Days are all measures related to the scan.

How do I download data? Can I download data from an entire dashboard?
You can download data on any chart, graph, or visualization from the three dot menu () in the top-right corner of a chart. Click Download Data to download the data in CSV, XLS, PNG, JSON, HTML, or MD format. If you want to download data from an entire dashboard, you can download a PDF file, or collection of CSV files that represent the data in each dashboard module.
In what ways are Veracode Analytics and Veracode Platform data different? Which set of data is correct?

Both sets of data are correct. The underlying data model in the Veracode Platform is different from the underlying data model in Veracode Analytics, but they are equivalent. Veracode Analytics performs joins, which combine one or more tables in a relational database, on data as fast as possible to load visualizations and large amounts of data quickly. Veracode Analytics uses a modified star schema model to load data, which requires only a single join to produce any piece of data, as opposed to the relational data model in the Veracode Platform, which requires many joins to produce a report.

Veracode has also refined the data model in Veracode Analytics to match how users interact with data. For example, in the Veracode Platform, findings with statuses of Open, New, and Reopened are all peer statuses, meaning a finding that is new is not listed as Open. All three statuses mean that the finding has the potential to be exploited, and you should remediate it. In Veracode Analytics, the statuses Open and Closed are parent statuses.
Note: Veracode Analytics does not use real-time data. It receives refreshed data every four hours. This refresh rate means that sometimes changes in the Veracode Platform are not reflected in Veracode Analytics until the next time the data refreshes.
Is Dynamic Analysis data available?
Veracode provides Dynamic Analysis data in Veracode Analytics under the scans explore page, however, a limited amount of information is available. Veracode does not include Dynamic Analysis data in the default dashboards under the shared space because Dynamic Analysis data is significantly different from the existing Static Analysis, DynamicDS, DynamicMP, and Manual Penetration Testing data provided today.
To access Dynamic Analysis data, you can set the filter Analysis_Type equal to DynamicAN under the scans explore page.
How are third-party applications handled?
Similarly to how third-party application data is displayed in the Veracode Platform, enterprise-funded applications are included in the enterprise view of the data. VAST (vendor-funded application security testing) applications are not included in Veracode Analytics, and are only available in the Veracode Platform.
What does the Findings Policy or Sandbox filter mean in the findings explore?
The Findings Policy or Sandbox filter allows you to view findings that were discovered in the Policy or Sandbox context.
Note: Dynamic Analysis findings are always reported under the Policy context because sandboxes are not available for Dynamic Analysis.
What does the measure Count of Flaws Sandbox mean?

The measure Count of Flaws Sandbox provides a total count of findings that were discovered in all sandbox and policy contexts. This count does not remove findings that are flaw-matched, but instead counts the total number of findings for each context.

By design, the dimension Findings Policy or Sandbox and the measure Count of Flaws Sandbox are used so that you only see the count of findings found in the Policy context. You also have the flexibility to view all findings including findings from the sandbox context. If you want to see findings from the sandbox context, change the filter to Sandbox to include those counts. If you are designing a chart or report for yourself, Veracode recommends that you use the Count of Flaws Application measure, as it only provides the flaw-matched, unique findings for the policy context.

How do the date filters work?

Date filters work as follows:

Filter Meaning Example
Past 1 week Includes all days starting with today, and going to the Sunday of the current week. 30 Sept 2018 - 02 Oct 2018
Past 1 complete week Includes all days in the prior complete week. 23 Sept 2018 - 29 Sept 2018
Past 7 days Includes all days starting with today, and going 7 days back. 26 Sept 2018 - 02 Oct 2018
Past 1 month Include all days starting with the first day of the current month through today. 01 Oct 2018 - 02 Oct 2018
Past 1 complete month Include all days in the prior complete month. 01 Sept 2018 - 30 Sept 2018
Past 30 days Include all days starting with today, and going 30 days back. 03 Sept 2018 - 02 Oct 2018
Where can I find my saved visualizations?
You can access your saved visualizations from the four square icon on the explore pages. You can also view saved visualizations from My Personal Dashboards or My Organization's Dashboards.