New in Veracode Fix: Additional Language Support and Batch Fix
We’re excited to bring you two significant updates to Veracode Fix: our AI-powered security flaw remediation tool. Since we launched Fix nearly a year ago, two requests have dominated our customer feedback:
- Can we have it for <our language>?
- Can you make it work for <our scenario>?
We recently launched a new version of Veracode Scan for VS Code that included Fix (with more IDE’s to follow), which answered some of those requests, and now we’re updating Fix to cover more languages and a new mode that will automatically apply the top-ranked fix.
Veracode Batch Fix
Using Fix in the Veracode CLI tool with the new –-apply flag, you will be able to apply the top fix suggestion to the source code in one of two modes:
Apply Single Finding to a Single File
By supplying Veracode Fix with the results JSON file, the source code file to update, and the relevant issue ID (contained in the results file) you can apply the top-recommended fix to the source code file.
./veracode fix my_java_application/commands/IgnoreCommand.java --results my_results/results.json --issue-id 1234 --applyFor example:
% veracode fix ./dvsa/client/src/components/MessageView.js --type file --issue-id 1002 -a --results ./dvsa/client-results.json
----------------------------------------------------------------
Veracode Fix
Version VERACODE_CLI_2.14.0
Processing file ./dvsa/client/src/components/MessageView.js
Request submitted with projectId: 1282f6d6-4a8c-45d3-a653-68f19e65091c
Applying fix 1...In this way, Veracode Fix can apply remediations directly to a source file without further intervention. Since the Issue IDs are stored in a machine-readable JSON file, it’s possible to script a sequence of scanning, applying, and rescanning until all flaws of a certain severity are addressed.
If that seems overly complex then the next mode of applying remediations is probably for you:
Resolving All Addressable CWEs in a Directory
This use case is a trade-off between what kind of activity is quicker and easier for a developer. When a source file or project has multiple security flaws, a developer can choose to work through them one-by-one and address any changes needed to make sure the code still builds and functions properly after each fix is applied, or take the approach to resolve all flaws in one step, then work on any issues that arise afterward. Which practice works best is probably as much to do with the developer’s experience, preference, and mindset as anything else.
To apply all possible remediations to files in a directory, use the following syntax:
./veracode fix my_java_application/commands/ --results my_results/results.json --type directory --applyFor example:
% veracode fix ./dvsa/client/src/components/ --type directory -a --results ./dvsa/client-results.json
----------------------------------------------------------------
Veracode Fix
Version VERACODE_CLI_2.14.0
Processing directory ./dvsa/client/src/components/
Request submitted with projectId: ae33dd40-0c0b-4a83-a92e-d89d4f936f9b
Uploading flaws..
Processed 1 out of 9 flaws.
Processed 2 out of 9 flaws.
Processed 4 out of 9 flaws.
Processed 5 out of 9 flaws.
Processed 7 out of 9 flaws.
Processed 8 out of 9 flaws.
Uploading flaws..
Processed all the flaws.
The following files had vulnerabilities patched:
dvsa/client/src/components/MessageView.js
Issue 1002: CWE-80 on line 49
dvsa/client/src/components/ContactPage.js
Issue 1001: CWE-80 on line 73
Issue 1006: CWE-117 on line 120
dvsa/client/src/components/AdminPage.js
Issue 1005: CWE-117 on line 66
Issue 1004: CWE-117 on line 50
Issue 1008: CWE-117 on line 68
Issue 1007: CWE-117 on line 57
dvsa/client/src/components/ProfilePage.js
Issue 1000: CWE-80 on line 175
Unable to apply fixes for the following files; please scan the new code and request fixes again:
dvsa/client/src/components/ContactPage.js
Issue 1003: CWE-601 on line 121 To make useful commit messages, Veracode suggests you use a command like tee to pipe the output of the command into a text file (tee is available in most Linux distributions, MacOS, and PowerShell on Windows, or via the UnixUtils port of common GNU Utilities for Windows.
For example, this command pipes a copy of the output text from the command above into a file that can be used as a commit message:
veracode fix ./dvsa/client/src/components/ --type directory -a --results ./dvsa/client-results.json | tee ./mycommit.txtNew Language Support
We’re excited to announce three new supported languages, bringing the total number that Fix supports to eight, which covers a majority of the static analysis scans that Veracode performs.
Fix now supports the following languages and CWE
| Language | Supported CWE IDs |
| C# | 80, 89, 201, 209, 259, 352, 404, 601, 611, 798 |
| Java | 73, 80, 89, 113, 117, 327, 331, 382, 470, 597, 601, 611 |
| JavaScript and TypeScript | 73, 78, 80, 89, 113, 117, 327, 611, 614 |
| PHP | 73, 78, 80, 89, 117 |
| Python | 73, 78, 80, 89, 295, 327, 331, 757 |
| KotlinNew! | 80, 89, 113, 117, 331 |
| GoNew! | 73, 78, 117 |
| ScalaNew! | 78, 80, 89, 117, 611 |
To get the latest version of Fix in the CLI, follow the installation instructions, or to take advantage of Fix in VS Code install the Veracode Scan Extension. If you’re not a Veracode customer yet or would like to try Veracode Fix, then contact us or arrange a demo.
