Image Removed

Image Added

Introduction

Veracode Software Composition Analysis detects open-source vulnerabilities in the software development process with higher accuracy. Veracode SCA reduces false positives by prioritizing vulnerabilities in the execution path of the application. Its proprietary database contains significantly more vulnerabilities than the NVD because it data mines pull requests, bug reports, and release notes.

Account Requirements

Application Access

If the Veracode account used to connect from ThreadFix has any team restrictions, it will only be able to see applications that the team(s) can access. Example:

Image Removed

Image Added

In this scenario, the account will only be able to see applications to which the 'ThreadFix Team' team is allowed access.

Role

In order to import scans from Veracode:

• If using an API Account (non-human user), it must at least have the 'Results API' role within the User Roles section of the account's Access Settings.

• If using a human account, it must at least have the 'Reviewer' role within the User Roles section of the account's Access Settings.

Mitigation and Remediation Status Parsing

Mitigation Status

• Accepted - if the action is "Potential False Positive," ThreadFix marks the vuln vulnerability as False Positive.

• Proposed - ThreadFix marks the vuln vulnerability as Contested.

Remediation Status

• Fixed or Mitigated (e.g., Mitigated By Design/OS Environment/Network Environment) - will not be imported into ThreadFix. If the finding had been previously imported, the vuln vulnerability will be closed.

Software Composition Analysis (SCA) 

In ThreadFix 2.8 and higher, Software Composition Analysis findings are displayed alongside standard Veracode findings. The image below shows a Recent Applications view in Veracode.

Image Removed

Image Added

The image below shows the Veracode SCA section where users can see component servlet-api.jar version 6.0.13 being used by Veracode application.

Image Removed

Image Added

After importing into ThreadFix, the image shows Veracode SCA results in the ThreadFix application vulnerability tree view along with CVE reference link, component affected, version and description. 

SAST, DAST, and SCA Data Importing

The following describes how to import build IDs and obtain a report.

1. Get previously imported build IDs.
   

2. Get Build IDs of applications to import from Veracode by using their GetBuildList API call.
   

3. Compare these with previously imported build IDs and determine which to import. There is some import logic to consider.

   1. If the user has force last scan and most recent scan only then this is only done for the most recent build ID.

   2. If the user has most recent scan but not force last scan, ThreadFix will only fetch the scan if the Policy Updated Date provided by Veracode is after the most recently updated date provided by threadfix. Scan.updatedDate.

   3. If the user needs all scans, ThreadFix will check the build IDs against those that have previously been imported and add all that have not been imported.

      1. If a build ID has been previously imported, it will be imported if force last scan is enabled.

      2. If a build ID has been previously imported, but force last scan is not enabled, dates will be compared to determine if it will be imported as described above.
         

4. After determining the build IDs, pull the detailed report for each one. This report contains the Dynamic, Static, and SCA flaw data by using Veracode’s DetailedReport API call. The results of this report follow this schema: https://analysiscenter.veracode.com/resource/detailedreport.xsd