This blog provides a basic overview of Veracode, a tool that scans open source dependencies for known vulnerabilities and makes it easier for teams to take advantage of open source libraries without increasing risk.
The technologies covered in this blog are part of the Azure DevOps environment. If you are interested in learning more, see our previous blog on the [AZ-400] Microsoft Azure DevOps certification.
What Is Veracode?
Open-source libraries allow developers to meet the demands of today’s accelerated development times. However, they are also becoming the most popular attack vector. With Veracode Software Composition Analysis (SCA), teams can take advantage of open source libraries without increasing risk.
Veracode SCA scans open source dependencies for known vulnerabilities and makes recommendations on version updating.
Veracode SCA integrates into the pipeline through a simple command-line scan agent and delivers results in seconds. Teams can even use the same agent directly in their IDE to get feedback earlier.
Not every developer who fixes a vulnerability in an open-source project reports it to the National Vulnerability Database (NVD). Veracode uses data mining, natural language processing, and machine learning to significantly grow its SCA database.
Veracode SCA builds a call graph to identify which methods in the open-source libraries are being used. By prioritizing vulnerabilities that lie in the execution path, companies reduce remediation time by up to 90 percent.
Many open-source libraries depend on other libraries. Veracode SCA finds vulnerabilities not only in direct dependencies but also in transitive dependencies several layers deep.
Get advice on which library version to update to, or even have Veracode SCA generate the pull request for review.
Demo Of How To Use The SCA Analysis
Step 1: We need to log in to the site and register our company URL; we then receive the basic login details.
Step 2: Next, we need to install the SourceClear agent on the local machine where we are cloning our code.
To install the Veracode SourceClear agent, run the following command:
curl -sSL https://srcclr.com/install | sh
Next, we need to activate SourceClear with the command below:
srcclr activate
Paste the token you copied into your terminal and press Enter.
After entering your activation token, your agent.yml configuration file is installed to the ~/.srcclr folder. If that file already exists, you are prompted to enter a profile name. This profile name allows you to choose which token you use when scanning. Veracode recommends that you use the name of the workspace with which the token is associated.
Step 3: We can now view the report from the same command line, or open the URL we received and log in with the username and password sent to the email address used at registration.
This can also be integrated into our CI/CD pipeline. In this way, we can check the code and the open source components in our application for vulnerabilities.
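As an added example (not from the original post or from Veracode), the gate below shows how a pipeline step could act on the agent's JSON report after `srcclr scan --json`, blocking the build on findings that are reachable through the call graph or above a CVSS threshold and printing version-update advice that distinguishes direct from transitive dependencies. The report layout and field names, and the sample finding values, are assumptions constructed for this example and must be checked against a real report before use.

```python
import json
import sys

# Constructed sample standing in for the agent's JSON report (srcclr scan --json).
# The field names and the finding values below are an assumption for this example;
# verify them against a real report before wiring this into a pipeline.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"library": "lodash", "version": "4.17.15", "fixedIn": "4.17.19",
         "cvss": 7.4, "transitive": False, "viaDirect": None, "inExecutionPath": True},
        {"library": "minimist", "version": "0.0.8", "fixedIn": "1.2.3",
         "cvss": 5.6, "transitive": True, "viaDirect": "mkdirp", "inExecutionPath": False},
        {"library": "node-fetch", "version": "2.6.0", "fixedIn": "2.6.1",
         "cvss": 8.8, "transitive": True, "viaDirect": "isomorphic-fetch", "inExecutionPath": False},
    ]
}

def triage(report, cvss_threshold=7.0):
    """Split findings into build-blocking and advisory lists. A finding whose
    vulnerable method lies in the execution path blocks outright; otherwise
    it blocks only when its CVSS score reaches the threshold."""
    blocking, advisory = [], []
    for v in report.get("vulnerabilities", []):
        if v["inExecutionPath"] or v["cvss"] >= cvss_threshold:
            blocking.append(v)
        else:
            advisory.append(v)
    return blocking, advisory

def remediation(v):
    """Version-update advice. For a transitive dependency, point at the direct
    dependency that pulls it in, since that is what the team can actually bump."""
    target = f"{v['library']} {v['version']} -> {v['fixedIn']}"
    if v["transitive"]:
        return f"{target} (transitive via {v['viaDirect']}; update {v['viaDirect']} or pin an override)"
    return target

def gate(report, cvss_threshold=7.0):
    """Return the exit code for the CI step: 0 when nothing blocks, 1 otherwise."""
    blocking, advisory = triage(report, cvss_threshold)
    for v in blocking:
        print(f"BLOCK  cvss={v['cvss']:.1f} reachable={v['inExecutionPath']} {remediation(v)}")
    for v in advisory:
        print(f"ADVISE cvss={v['cvss']:.1f} {remediation(v)}")
    return 1 if blocking else 0

if __name__ == "__main__":
    # Pipeline usage: srcclr scan --json > report.json && python gate.py report.json
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report))
```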
The post Veracode – SourceClear SCA Analysis appeared first on Cloud Training Program.