Avoid scanning third party libraries in Veracode

Tags:

veracode

We recently started using Veracode for vulnerability testing. Is there a way to selectively exclude all the third party libraries and focus the scan only on our internal libraries code?

user6126683 asked Oct 28 '25 12:10


2 Answers

Hi: The answer to your question depends on the language in which the application you are scanning was written.

  • Java: Veracode respects WAR file structure conventions and treats JARs in the /lib directory as third party code. They are included in Software Composition Analysis results, if you subscribe to that service, but we do not otherwise report vulnerabilities that reside in code in this directory.
  • C/C++ / .NET: By default only the top level executables will be scanned. The static engine will also follow code paths from the top level executables into third party libraries if they are present, but will not check all possible parts of the third party libraries for flaws. You can go into Advanced Mode and click Show Dependencies if you want to scan all possible paths in the third party dependent libraries for flaws.
  • PHP/JavaScript/Android/iOS/other languages: It's not possible to exclude third party libraries for these languages.

If you have additional questions, please contact Veracode Support and they can help you further.

Tim Jarrett answered Oct 31 '25 19:10
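An added example, not code from either answer or from Veracode: the Java point above rests on the WAR layout convention, so this script builds a small constructed WAR in memory and splits its entries the same way, JARs under WEB-INF/lib as third-party code and classes under WEB-INF/classes as first-party code. The directory names and the sample JAR names are assumptions for illustration; run it against a real WAR by passing the file's bytes to classify_war.

```python
import io
import zipfile
from typing import Dict, List

# Constructed sample WAR (not a real application): laid out the way a
# standard Java web application is packaged. Assumption: WEB-INF/lib holds
# the bundled third-party JARs and WEB-INF/classes holds the app's own code.
def build_sample_war() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/classes/com/example/app/Main.class", b"\xca\xfe\xba\xbe")
        war.writestr("WEB-INF/classes/com/example/app/Dao.class", b"\xca\xfe\xba\xbe")
        war.writestr("WEB-INF/lib/example-utils-1.0.0.jar", b"PK")
        war.writestr("WEB-INF/lib/example-logging-2.3.4.jar", b"PK")
        war.writestr("index.jsp", "<html/>")
    return buf.getvalue()

def classify_war(war_bytes: bytes) -> Dict[str, List[str]]:
    """Split WAR entries by directory so you can see, before uploading,
    which code a scan will treat as yours and which as a dependency."""
    result: Dict[str, List[str]] = {"first_party": [], "third_party": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.endswith("/"):
                continue  # directory placeholder entry, nothing to classify
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                result["third_party"].append(name)
            elif name.startswith("WEB-INF/classes/") and name.endswith(".class"):
                result["first_party"].append(name)
            else:
                result["other"].append(name)  # descriptors, JSPs, static files
    return result

if __name__ == "__main__":
    for bucket, entries in classify_war(build_sample_war()).items():
        print(bucket)
        for entry in entries:
            print("  ", entry)
```

A JAR that ends up outside WEB-INF/lib (for example unpacked into WEB-INF/classes) will show up in the first-party bucket here, which is the same reason it would be treated as your own code by the scan.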


The Veracode agent-based scan finds vulnerabilities in all the dependency libraries, including third-party libs.

For JavaScript/NPM projects the scope can be set to production to exclude devDependencies from the scan. Add a file named srcclr.yml to the root of the project and add this to it:

# Prevent scanning 'devDependencies' for an NPM project
scope: production

References from Veracode: https://docs.veracode.com/r/Multi_Language_Scan_Directives https://docs.veracode.com/r/Veracode_SCA_Agent_Commands

For NPM, you can set the scope directive to one of these values:

  • production or prod to restrict the scan to production dependencies, including the optional dependencies you can install.
  • development or dev to restrict the scan to development dependencies.
Kiran Makam answered Oct 31 '25 20:10
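An added example, not code from the answer above or from Veracode: it reads the scope directive out of a srcclr.yml and works out which direct dependencies of a constructed package.json fall inside that scope, following the production/prod and development/dev meanings quoted from the docs. The package names are constructed sample values, the one-line YAML parser is a stand-in so no YAML library is needed, and the assumption that a missing directive means both sets are scanned is mine, not the documented default.

```python
import json
from typing import Set

# Constructed sample package.json for an NPM project (not a real project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {"express": "^4.18.0", "lodash": "^4.17.21"},
    "optionalDependencies": {"fsevents": "^2.3.2"},
    "devDependencies": {"jest": "^29.0.0", "eslint": "^8.0.0"},
})

# Constructed srcclr.yml contents, the same directive the answer shows.
SAMPLE_SRCCLR_YML = """# Prevent scanning 'devDependencies' for an NPM project
scope: production
"""

def read_scope(srcclr_yml: str) -> str:
    """Return the scope directive from srcclr.yml text, or '' if absent.
    Minimal line parser (assumption: the flat 'scope: value' form shown
    in the answer), so the example runs without a YAML library."""
    for line in srcclr_yml.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("scope:"):
            return line.split(":", 1)[1].strip().lower()
    return ""

def direct_dependencies_in_scope(package_json: str, scope: str) -> Set[str]:
    """Direct dependencies the agent scan would include for the given scope.
    production/prod: dependencies plus optionalDependencies (per the docs text);
    development/dev: devDependencies only;
    anything else: both (assumption made here, not a documented default)."""
    pkg = json.loads(package_json)
    prod = set(pkg.get("dependencies", {})) | set(pkg.get("optionalDependencies", {}))
    dev = set(pkg.get("devDependencies", {}))
    if scope in ("production", "prod"):
        return prod
    if scope in ("development", "dev"):
        return dev
    return prod | dev

if __name__ == "__main__":
    scope = read_scope(SAMPLE_SRCCLR_YML)
    print("scope:", scope or "(none)")
    print("in scope:", sorted(direct_dependencies_in_scope(SAMPLE_PACKAGE_JSON, scope)))
```

Only direct dependencies are listed here; the agent resolves the full transitive tree, so use this as a quick check that the devDependencies you expect to drop really sit in that section and not under dependencies.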