Versions Compared

Old Version 12

changes.mady.by.user Daniel Colon

Saved on

compared with

New Version Current

changes.mady.by.user Daniel Colon

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

Image Added

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers.

...

For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API.

Introduction

Veracode Software Composition Analysis detects open source vulnerabilities in the software development process with higher accuracy. Veracode SCA reduces false positives by prioritizing vulnerabilities in the execution path of the application. Its proprietary database contains significantly more vulnerabilities than the NVD because it datamines pull requests, bug reports, and release notes.

Account Requirements

Application Access

If the Veracode account that you're using to connect from ThreadFix has any team restrictions, it will only be able to see applications that the team(s) can access.

Example:

...

Image Added

In this scenario, the account will only be able to see applications to which the 'ThreadFix Team' team is allowed access.

Role

In order to import scans from Veracode...

  • If using an API Account (non-human user), it must at least have the 'Results API' role within the User Roles section of the account's Access Settings.

  • If using a human account, it must at least have the 'Reviewer' role within the User Roles section of the account's Access Settings.

Mitigation and Remediation Status Parsing

Mitigation Status

  • Accepted -

...

  • if the action is "Potential False Positive," ThreadFix marks the vuln as False Positive.

  • Proposed - ThreadFix marks the vuln as Contested.

Remediation Status

  • Fixed or Mitigated (e.g., Mitigated By Design/OS Environment/Network Environment) - will not be imported into ThreadFix. If the finding had been previously imported, the vuln will be closed.

Software Composition Analysis (SCA) 

In ThreadFix 2.8 and higher, Software Composition

...

Analysis findings are displayed alongside standard Veracode findings.

Image Modified

Above image shows Recent Applications view in Veracode.

Image Modified

Above image shows Veracode SCA section where we can see component servlet-api.jar version 6.0.13 being used by Veracode application.

Image Modified

After importing into ThreadFix, the above image shows Veracode SCA results on ThreadFix application vulnerability tree view along

...

with CVE reference link,

...

 component affected, version and description.  

Info

When there is no scan data to import, a “No scans were found” message will display as the Last Import Attempt Status.

Table of Contents

Table of Contents