Great Software Composition Analysis
December 13, 2021

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)

Overall Satisfaction with Veracode

I use Veracode Pipeline Scan locally to scan the code for flaws and SCA analysis, and I use Veracode Static Plugin to view the results of Veracode scans in the Jenkins pipeline. I view the reports in Jenkins and triage flaws for my team to work on.
Pros

  • Identify flaws and indicate their location in the code
  • Describe the flaw and vulnerabilities in great detail
  • Provide links to solutions on how to fix the flaws

Cons

  • Providing the dependency tree to show which dependency is introducing the vulnerability transitively will be helpful
  • Ways to automatically exclude vulnerable dependencies via the IDE plugin
  • Code suggestions to automatically fix the flaws in the IDE

  • Software Composition Analysis
  • Reporting
  • Jenkins Integration

  • Improved application security when using open source
  • Reduce time and cost in fixing the issues later in the life cycle
  • Help meet compliance requirements

I have used SonarQube for code quality and security analysis in the past, but Veracode's Software Composition Analysis makes a big difference in terms of identifying vulnerabilities in dependencies. It would make it a lot easier if the IDE plugin could show the transitive dependency that introduces the vulnerabilities. I'm very pleased [in] Veracode reporting so far.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

Yes

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

Veracode is very helpful in identifying the flaws and vulnerabilities in our code. It takes longer to run on the Jenkins pipeline, and I wonder if there is a way to make it run faster when there [are] not a lot of code changes from the previous build. The interactive report helps me triage the flaws for my team to fix and improve security. I wish there was an automated tool in the IDE that suggests code fixes and dependency exclusions to remove vulnerabilities.
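The reviewer's wish that the tooling show which direct dependency transitively introduces a vulnerable package is something a team can compute on its own from the project's resolved dependency graph while waiting for a plugin feature: walk every path from the project root to each flagged package, and the second element of each path is the direct dependency where an upgrade or exclusion has to be applied. The following is an added example, not code from Veracode or from the reviewer; the dependency graph, package names and advisory identifiers are constructed placeholders, and the SCA findings are assumed to arrive as a simple mapping from vulnerable package to advisory id rather than in Veracode's actual report format.

```python
"""Locate which direct dependency pulls in a vulnerable transitive package.

Added example, not Veracode's code. The dependency graph, package names and
advisory ids below are constructed placeholders, not real packages or CVEs.
"""
from typing import Dict, List

# Constructed dependency graph: package -> packages it depends on.
# "app" is the project root; its children are the direct dependencies.
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "app": ["web-framework", "json-lib", "logging-lib"],
    "web-framework": ["http-core", "template-engine"],
    "http-core": ["compression-lib"],
    "template-engine": ["expression-parser"],
    "json-lib": ["compression-lib"],
    "logging-lib": [],
    "compression-lib": [],
    "expression-parser": [],
}

# Constructed findings in the shape an SCA scan reports them (assumed format):
# vulnerable package -> advisory identifier (placeholders, not real CVE ids).
SCA_FINDINGS: Dict[str, str] = {
    "compression-lib": "ADVISORY-PLACEHOLDER-1",
    "expression-parser": "ADVISORY-PLACEHOLDER-2",
}


def dependency_paths(graph: Dict[str, List[str]], root: str, target: str) -> List[List[str]]:
    """Return every acyclic path from root to target, each as a list of package names."""
    paths: List[List[str]] = []
    stack = [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in graph.get(node, []):
            if child not in path:  # guard against cycles in a malformed graph
                stack.append((child, path + [child]))
    return sorted(paths)


def introducing_direct_dependencies(
    graph: Dict[str, List[str]], root: str, findings: Dict[str, str]
) -> Dict[str, Dict[str, object]]:
    """For each vulnerable package, list the direct dependencies that bring it in.

    The direct dependency is path[1] on every root->package path; that is the
    place where an upgrade or an exclusion actually removes the finding.
    """
    report: Dict[str, Dict[str, object]] = {}
    for package, advisory in findings.items():
        paths = dependency_paths(graph, root, package)
        direct = sorted({p[1] for p in paths if len(p) > 1})
        report[package] = {
            "advisory": advisory,
            "direct_dependencies": direct,
            "paths": [" -> ".join(p) for p in paths],
            "is_direct": package in graph.get(root, []),
        }
    return report


def render(report: Dict[str, Dict[str, object]]) -> str:
    """Human-readable triage summary: one finding, its paths, and where to fix it."""
    lines: List[str] = []
    for package, info in sorted(report.items()):
        lines.append(f"{package} ({info['advisory']})")
        for path in info["paths"]:  # type: ignore[union-attr]
            lines.append(f"  via {path}")
        fix_at = ", ".join(info["direct_dependencies"]) or "n/a"  # type: ignore[arg-type]
        lines.append(f"  fix at: {fix_at}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(introducing_direct_dependencies(DEPENDENCY_GRAPH, "app", SCA_FINDINGS)))
```

Feeding it a real resolved graph (for example one exported from the build tool's dependency-tree command) in place of the constructed one turns the "fix at" line into the triage hint the reviewer asks for: a package reached through two direct dependencies, as `compression-lib` is here, needs both of them addressed, and excluding it from only one leaves the finding open.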