/apr 25, 2024

New in Veracode Fix: Additional Language Support and Batch Fix

By Robert Haynes

We’re excited to bring you two significant updates to Veracode Fix: our AI-powered security flaw remediation tool. Since we launched Fix nearly a year ago, two requests have dominated our customer feedback:

  • Can we have it for <our language>?
  • Can you make it work for <our scenario>?

We recently launched a new version of Veracode Scan for VS Code that included Fix (with more IDE’s to follow), which answered some of those requests, and now we’re updating Fix to cover more languages and a new mode that will automatically apply the top-ranked fix. 

Veracode Batch Fix

Using Fix in the Veracode CLI tool with the new –-apply flag, you will be able to apply the top fix suggestion to the source code in one of two modes:

Apply Single Finding to a Single File

By supplying Veracode Fix with the results JSON file, the source code file to update, and the relevant issue ID (contained in the results file) you can apply the top-recommended fix to the source code file.

./veracode fix my_java_application/commands/IgnoreCommand.java --results my_results/results.json --issue-id 1234 --apply

For example:

% veracode fix ./dvsa/client/src/components/MessageView.js --type file --issue-id 1002  -a --results ./dvsa/client-results.json  
Veracode Fix
Version VERACODE_CLI_2.14.0

Processing file ./dvsa/client/src/components/MessageView.js 

Request submitted with projectId: 1282f6d6-4a8c-45d3-a653-68f19e65091c
Applying fix 1...

In this way, Veracode Fix can apply remediations directly to a source file without further intervention. Since the Issue IDs are stored in a machine-readable JSON file, it’s possible to script a sequence of scanning, applying, and rescanning until all flaws of a certain severity are addressed.

If that seems overly complex then the next mode of applying remediations is probably for you:

Resolving All Addressable CWEs in a Directory

This use case is a trade-off between what kind of activity is quicker and easier for a developer. When a source file or project has multiple security flaws, a developer can choose to work through them one-by-one and address any changes needed to make sure the code still builds and functions properly after each fix is applied, or take the approach to resolve all flaws in one step, then work on any issues that arise afterward.  Which practice works best is probably as much to do with the developer’s experience, preference, and mindset as anything else.

 To apply all possible remediations to files in a directory, use the following syntax:

./veracode fix my_java_application/commands/ --results my_results/results.json --type directory --apply

For example: 

% veracode fix ./dvsa/client/src/components/ --type directory -a --results ./dvsa/client-results.json 
Veracode Fix
Version VERACODE_CLI_2.14.0

Processing directory ./dvsa/client/src/components/ 

Request submitted with projectId: ae33dd40-0c0b-4a83-a92e-d89d4f936f9b
Uploading flaws..
Processed 1 out of 9 flaws.
Processed 2 out of 9 flaws.
Processed 4 out of 9 flaws.
Processed 5 out of 9 flaws.
Processed 7 out of 9 flaws.
Processed 8 out of 9 flaws.
Uploading flaws..
Processed all the flaws.

The following files had vulnerabilities patched:
	Issue 1002: CWE-80 on line 49 
	Issue 1001: CWE-80 on line 73 
	Issue 1006: CWE-117 on line 120 
	Issue 1005: CWE-117 on line 66 
	Issue 1004: CWE-117 on line 50 
	Issue 1008: CWE-117 on line 68 
	Issue 1007: CWE-117 on line 57 
	Issue 1000: CWE-80 on line 175 

Unable to apply fixes for the following files; please scan the new code and request fixes again:
	Issue 1003: CWE-601 on line 121 


To make useful commit messages, Veracode suggests you use a command like tee to pipe the output of the command into a text file (tee is available in most Linux distributions, MacOS, and PowerShell on Windows, or via the UnixUtils port of common GNU Utilities for Windows.

For example, this command pipes a copy of the output text from the command above into a file that can be used as a commit message:

veracode fix ./dvsa/client/src/components/ --type directory -a --results ./dvsa/client-results.json | tee ./mycommit.txt

New Language Support

We’re excited to announce three new supported languages, bringing the total number that Fix supports to eight, which covers a majority of the static analysis scans that Veracode performs.  

Fix now supports the following languages and CWE


Supported CWE IDs


80, 89, 201, 209, 259, 352, 404, 601, 611, 798


73, 80, 89, 113, 117, 327, 331, 382, 470, 597, 601, 611

JavaScript and TypeScript

73, 78, 80, 89, 113, 117, 327, 611, 614


73, 78, 80, 89, 117


73, 78, 80, 89, 295, 327, 331, 757


80, 89, 113, 117, 331


73, 78, 117


78, 80, 89, 117, 611

To get the latest version of Fix in the CLI, follow the installation instructions, or to take advantage of Fix in VS Code install the Veracode Scan Extension. If you’re not a Veracode customer yet or would like to try Veracode Fix, then contact us or arrange a demo.

Related Posts

By Robert Haynes

Robert’s quarter-century working in IT has progressed (or is that regressed?) through helpdesk, UNIX sysadmin, backup, storage, application security,  technical sales, and marketing.  He now spends his time hanging out at the intersection of artificial intelligence and human ingenuity, waving a sign that says: “This way for secure software."