veracode-demo-labs.github.io

Veracode Demo Labs

Return to Home Return to GitHub/Veracode-Demo-Labs

Visual Studio 2022

Open the VeraDemo-DotNet project.

Try to build the solution and make sure the project builds properly before proceeding.

Submit Greenlight IDE Static scan

See more about Greenlight here - https://docs.veracode.com/r/c_master_greenlight

Right-click the Controllers folder and click Scan with Veracode Greenlight.

The bottom-left status bar shows a message stating “Scanning Controllers”.

Greenlight SAST results are returned. Review the findings and follow the remediation details link for each one.

Submit a SAST/SCA Sandbox scan

Click the Veracode Static Scan tab at the bottom, or open it from the Extensions menu.

A wizard will pop up to help configure the project.

Go to the Veracode platform and create a new application profile and a new Sandbox in that profile.

The wizard will allow you to select that profile and sandbox.

These are the Veracode scan configuration files stored with the project.

Run the Package step to create an artifact of the .NET app for scanning.

Click the Run Scan button to submit a SAST/SCA sandbox scan.

Remediate | re-scan | no new flaws

While we wait a few minutes for that to complete, let's fix a SQLi issue and resubmit the scan. In HomeController.cs, comment out the two bad code sections and uncomment the two good code sections.

It should look like this.
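The bad and good code sections themselves are not reproduced on this page. The following is an added example of the same pattern, written for this walkthrough; it is not VeraDemo's own HomeController.cs code. It assumes the Microsoft.Data.Sqlite NuGet package and an in-memory SQLite database with constructed sample rows, so it runs offline without the demo app's real data layer. LoginBad is the kind of concatenated query Greenlight reports as SQL injection (CWE-89); LoginGood is the parameterized form the remediation details recommend.

```csharp
// Added example for the Veracode Demo Labs walkthrough, not VeraDemo project code.
// Assumes: dotnet add package Microsoft.Data.Sqlite
using System;
using System.Collections.Generic;
using Microsoft.Data.Sqlite;

public static class SqliDemo
{
    // Constructed sample data in an in-memory SQLite database (not the demo app's schema).
    static SqliteConnection OpenSeededDb()
    {
        var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using var seed = conn.CreateCommand();
        seed.CommandText = @"
            CREATE TABLE users (username TEXT, password TEXT);
            INSERT INTO users VALUES ('alice', 'correct-horse'), ('bob', 'hunter2');";
        seed.ExecuteNonQuery();
        return conn;
    }

    // BAD: user input is concatenated into the SQL text, so a quote in the input
    // changes the structure of the statement. This is the pattern flagged as CWE-89.
    public static List<string> LoginBad(SqliteConnection conn, string user, string pass)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT username FROM users WHERE username = '" + user +
                          "' AND password = '" + pass + "'";
        return ReadUsernames(cmd);
    }

    // GOOD: the same query with bound parameters. Values are sent to the engine
    // separately from the SQL text, so input can never alter the statement.
    public static List<string> LoginGood(SqliteConnection conn, string user, string pass)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT username FROM users WHERE username = @user AND password = @pass";
        cmd.Parameters.AddWithValue("@user", user);
        cmd.Parameters.AddWithValue("@pass", pass);
        return ReadUsernames(cmd);
    }

    // Runs the prepared command and collects the first column of every row.
    static List<string> ReadUsernames(SqliteCommand cmd)
    {
        var result = new List<string>();
        using var reader = cmd.ExecuteReader();
        while (reader.Read()) result.Add(reader.GetString(0));
        return result;
    }

    public static void Main()
    {
        using var conn = OpenSeededDb();
        // Classic authentication-bypass payload supplied as the password field.
        const string payload = "' OR '1'='1";
        Console.WriteLine("bad:  " + string.Join(",", LoginBad(conn, "nobody", payload)));
        Console.WriteLine("good: " + string.Join(",", LoginGood(conn, "nobody", payload)));
    }
}
```

With the payload above, LoginBad's statement becomes `... WHERE username = 'nobody' AND password = '' OR '1'='1'`; since AND binds tighter than OR, the trailing condition is always true and every user is returned. LoginGood binds the same string as a literal value, matches nothing, and returns an empty list. Switching HomeController.cs from the first form to the second is what makes the SQLi finding disappear on the re-scan below.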

Click the V in the toolbar to scan the file with Greenlight. You can monitor the output folder to watch it run.

You should see the SQLi now removed from the Veracode Greenlight Findings tab.

Let's submit another version to the sandbox without the SQLi. First, make sure the existing scan has completed (it should take a few minutes).

Once it has completed, we can submit a new sandbox scan. While you are here, click into the sandbox to review the report.

This is the Triage Flaws view.

Back in the Veracode Static Analysis tab, we can submit another version to the sandbox. Click Publish and Package.

Then click Run Scan.

Click Extensions - Veracode Static Analysis - View Results - View Results (Sandbox) to download the findings from our first scan. The SQLi finding is present.

Once the second sandbox scan completes, download the results again.

The SQLi finding is now gone.

Visit the sandbox to see two completed scans.

Click Results Latest on the left side to see that one issue has been fixed.

While you are here, review the Software Composition Analysis page.

Next steps would be:
