Skip to main content

Accelerating Software Development With
Secure Open Source Libraries

Gaining visibility into your open source risk and exposure reduces the risk of breaches from vulnerabilities. High-performing companies rely on Veracode’s flexible SaaS platform to provide the insights they need to easily identify open source libraries in use, their vulnerabilities, licenses, and risks to their applications – protecting both their applications and their customers’ data through better DevSecOps practices. Veracode Software Composition Analysis (SCA) integrates right into your pipeline for automated scanning and alerts you about defects in your ticketing system.

  • green-box

    What libraries are we using, and are they safe?

    Veracode provides deep insights into the open source libraries used in your applications, complete with versions, licenses, and vulnerabilities present.

  • pink-bug

    Are vulnerabilities impacting my code?

    For the most popular languages, we are able to map out your application and tell if the vulnerability is specifically impacting your code.

  • blue-stopwatch

    Can I react quickly to new vulnerabilities?

    From CI integrations to security alerts on new vulnerabilities, Veracode helps you stay on top and get ahead of vulnerabilities.

  • purple scale icon

    How do I scale my open source risk program?

    We are a SaaS-first platform, with years of experience in scaling AppSec programs in every type of development environment.

Find more vulnerabilities, even those undisclosed

The open source movement is growing exponentially, with more than 5 million open source libraries today. Organizations worldwide face a daunting challenge to stay up-to-date with vulnerabilities in these libraries as code changes are made daily. This is made more difficult by the fact that many open source contributors fix vulnerabilities without registering them with the NVD. Veracode crawls open source project repositories to identify these silent fixes. We extract vulnerability information using machine learning models to detect vulnerabilities in open source libraries in near-real time.

Our proprietary database contains:

  • All open source vulnerabilities in the National Vulnerability Database (NVD)
  • Undisclosed vulnerabilities from open source libraries, found by mining popular repositories and other sources

Check out the Veracode Open Source Vulnerability Database

Learn More

Get continuous visibility into your open source risk

With modern application development processes and frequent releases, your code and risk posture are constantly changing.

Now you can ensure that your applications currently in production are staying protected, even when you’re not actively scanning them.

  • Continuous Monitoring: Get alerts about new vulnerabilities in your code, even without a rescan
  • Centralized Policy Management and Reporting: View all scan results, manage users, apply policy requirements and make data-driven decisions to proactively manage your risk in the centralized platform

Prioritize vulnerabilities that affect your app and fix them fast

Finding vulnerabilities is only half the challenge in application security. Veracode SCA also provides automated prescriptive fix information, which allows organizations to improve fix rates quickly reduce risk.

  • Vulnerable Methods: Identify whether or not the vulnerable code can be exploited by an attacker, allowing you to prioritize fixes based not only on severity but also exploitability
  • Automated generation of pull requests: Remediate faster by approving automated code changes

Learn how your apps are using open source libraries

Many solutions on the market today only look at the libraries directly used by your proprietary code. However, dependencies of these libraries can also contain their own vulnerabilities, which expose you to just as much risk.

  • Vulnerabilities in transitive dependencies: Detect vulnerabilities not only in direct dependencies but also their dependencies - multiple levels deep
  • Stack traces & call graphs: We map your code so you can see all of the libraries, how they’re getting pulled in, and full stack traces of call chains to vulnerable code.
  • Container Security: We scan Docker containers and container images to find vulnerabilities associated with open source libraries in Linux distributions and base libraries
  • Extensive language/framework support: We support Java, JavaScript, Python, Ruby, PHP, Node.js, Go, Objective C, .NET, C/C++, Swift, and Scala.
  • Manage legal risk: Identify open source licenses used by your source code that could introduce legal risks to your business.

Download our SCA Technical Whitepaper


Work with your native development processes and tools

Our agent deploys directly in your pipeline so you can test for security vulnerabilities directly in your CI system.

  • CI integration: We integrate with every popular CI and build system: Jenkins, GitLab, Travis, Circle, Gradle, Maven, etc.
  • Workflow management: Security defects are automatically tracked in your ticketing system so that security fixes are tracked as part of your sprint.
  • Integrated with Veracode Static Analysis: If you are also using Veracode Static Analysis, you can use your existing processes to also scan for open source vulnerabilities, reducing the number of integrations you need to set up and maintain.

Leverage the Veracode Approach to Scale your AppSec Program

Many AppSec programs fail because companies buy tools but they don't have the bandwidth and specialized expertise to manage a program and service developer needs. Veracode SCA is part of the Veracode Platform, Which combines all major application security methodologies under one roof so you can mange risk across your entire application landscape.

  • Scan on day one: No hardware to install or manage due to our SaaS-based approach
  • Extend your team: Veracode has more than 400,000 hours of program management experience and security expertise
  • Unified results: Get visibility into application status across your entire application landscape and all testing types including SCA, SAST, DAST, and MPT in one centralized view

Get A Demo