Software Composition Analysis

Veracode acquires SourceClear, enhancing SCA for DevSecOps


Veracode’s State of Software Security Report found that 88% of Java applications had at least one vulnerability in an open source component; one such component vulnerability led to the exposure of the Social Security numbers of 143 million Americans. Veracode Software Composition Analysis (SCA) identifies risk from open source libraries early, covering both security and license risk, so you can reduce unplanned work. SCA helps Engineering keep roadmaps on track, Security achieve regulatory compliance, and the Business make informed decisions.


Active Protection From Open Source Risk

Veracode SCA protects your Java, JavaScript, and .NET applications from open source risk by identifying known vulnerabilities in the open source libraries your applications use (the broader SourceClear language coverage is listed below). Beyond listing vulnerabilities at scan time, Veracode SCA alerts you when a new vulnerability is disclosed in a library you have already scanned, or when the severity of a known vulnerability is raised. Through the Jenkins integration you can fail a build on the vulnerabilities discovered, and on any component your security team has blacklisted. As part of the Veracode Platform, Veracode SCA displays all of your security testing results in one place, with unified management of users, policies, mitigations, and integrations.

Lower Cost To Resolve Security Defects

Fixing a vulnerable open source library can be more complex than simply updating it: the fixed version may change APIs or pull in different transitive dependencies. Teach your team to code securely, get instant guidance, and schedule one-on-one sessions with Veracode’s specialists, so you reduce risk and cost by spending less time fixing security defects.

Reducing License Risk To Your Business

Many open source libraries carry licenses that, when the code is used for commercial purposes, can expose your organization to obligations costing millions of dollars. Veracode’s SCA product provides more than vulnerability findings: it also flags when your company is taking on license risk, telling you which licenses your application is exposed to so you can address them before going into production.
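The two checks described so far, failing a build on vulnerable or blacklisted components and flagging license exposure, both reduce to matching a dependency manifest against policy data. The following Python is an added example written for this page; it is not Veracode or SourceClear code and does not reflect their internal data formats. The manifest, the advisory IDs (ADV-0001 and so on), the `org.example` component coordinates, the license assignments and the policy thresholds are all constructed for the illustration:

```python
"""Toy SCA policy gate (added example, not Veracode/SourceClear code).

Matches a dependency manifest against a vulnerability feed, a component
blacklist and a license policy, then decides whether a CI build should fail.
All component names, advisory IDs, versions and licenses are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str   # "group:artifact"
    affected: str    # comma-separated constraints, e.g. ">=2.0.0,<2.3.4"
    severity: str
    fixed_in: str    # first safe version to recommend


@dataclass
class Finding:
    kind: str        # "vulnerability" | "blacklist" | "license"
    component: str
    version: str
    detail: str
    severity: str = "NONE"


def version_key(v: str) -> Tuple[int, ...]:
    """'2.3.4-rc1' -> (2, 3, 4); numeric dotted versions only, padded to 3 parts."""
    core = re.match(r"[\d.]+", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in core.group(0).split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))


_OPS = {"<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
        ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "==": lambda a, b: a == b}


def in_range(version: str, spec: str) -> bool:
    """True if every constraint in spec holds for version."""
    v = version_key(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.\-]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, version_key(bound)):
            return False
    return True


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'group:artifact=version' lines; '#' starts a comment."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            coord, ver = line.split("=", 1)
            deps[coord.strip()] = ver.strip()
    return deps


def scan(deps: Dict[str, str], advisories: List[Advisory], blacklist: Set[str],
         licenses: Dict[str, str], denied_licenses: Set[str]) -> List[Finding]:
    findings = []
    for comp, ver in deps.items():
        for adv in advisories:
            if adv.component == comp and in_range(ver, adv.affected):
                findings.append(Finding("vulnerability", comp, ver,
                    f"{adv.id} (affected {adv.affected}); upgrade to {adv.fixed_in}",
                    adv.severity))
        if comp in blacklist:
            findings.append(Finding("blacklist", comp, ver, "component is blacklisted"))
        lic = licenses.get(comp, "UNKNOWN")     # an unreviewed license is also a finding
        if lic in denied_licenses or lic == "UNKNOWN":
            findings.append(Finding("license", comp, ver, f"license {lic} not permitted"))
    return findings


def gate(findings: List[Finding], fail_at: str = "HIGH") -> Tuple[bool, List[str]]:
    """Build passes only if no finding meets the policy threshold."""
    reasons = []
    for f in findings:
        if f.kind == "vulnerability":
            if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_at]:
                reasons.append(f"{f.component}@{f.version}: {f.severity} {f.detail}")
        else:                       # blacklist and license findings always fail
            reasons.append(f"{f.component}@{f.version}: {f.detail}")
    return (not reasons, reasons)


# Constructed sample data for the illustration (not real advisories or a real project).
ADVISORIES = [
    Advisory("ADV-0001", "org.example:http-parser", ">=2.0.0,<2.3.4", "CRITICAL", "2.3.4"),
    Advisory("ADV-0002", "org.example:yaml-loader", "<1.8.0", "MEDIUM", "1.8.0"),
    Advisory("ADV-0003", "org.example:http-parser", ">=3.0.0,<3.0.2", "HIGH", "3.0.2"),
]
MANIFEST = """
org.example:http-parser=2.3.1      # affected by ADV-0001
org.example:yaml-loader=1.7.9      # affected by ADV-0002 (MEDIUM, below threshold)
org.example:left-pad=1.3.0         # no advisory, but AGPL-licensed
org.example:crypto-legacy=0.4.0    # blacklisted by the security team
"""
BLACKLIST = {"org.example:crypto-legacy"}
LICENSES = {"org.example:http-parser": "Apache-2.0", "org.example:yaml-loader": "MIT",
            "org.example:left-pad": "AGPL-3.0", "org.example:crypto-legacy": "BSD-3-Clause"}
DENIED_LICENSES = {"AGPL-3.0", "GPL-3.0"}


def run_gate(manifest: str = MANIFEST, advisories: List[Advisory] = ADVISORIES,
             fail_at: str = "HIGH") -> Tuple[bool, List[str]]:
    """Re-running with a newer advisory list re-evaluates a stored manifest without a rescan."""
    findings = scan(parse_manifest(manifest), advisories, BLACKLIST, LICENSES, DENIED_LICENSES)
    return gate(findings, fail_at)
```

With the constructed data, `run_gate()` fails the build for three reasons: the CRITICAL advisory against `http-parser` 2.3.1 (with 2.3.4 named as the safe version), the AGPL license on `left-pad`, and the blacklisted `crypto-legacy`; the MEDIUM finding on `yaml-loader` is recorded but does not trip a HIGH threshold. Because the gate works from the stored manifest rather than the application itself, feeding it an updated advisory list is exactly the "new findings without rescanning" case. The version comparator is deliberately minimal (numeric dotted versions only); Maven qualifiers, semver pre-release ordering and npm range syntax each need an ecosystem-aware comparator before this logic is trusted in a real pipeline.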


Find New Vulnerabilities Without Rescanning

Software is still rife with vulnerable components: more than 85% of all applications contain at least one vulnerability, and more than 13% contain at least one critical-severity flaw.

[Source: Veracode State of Software Security Report]

Continuously monitor your applications for new vulnerabilities in open source libraries without rescanning. Get an overview of your entire application portfolio’s security posture, not just a single application. Measure the vulnerabilities found by every testing methodology (SCA, static analysis, dynamic analysis and penetration testing) against a single policy.

Follow Industry Best Practices And Comply With Regulations

Several industry regulations and security frameworks require that you find and patch known vulnerabilities in your applications, including PCI DSS, the OWASP Top 10, FS-ISAC guidance, NIST, and HITRUST.

Successfully Scale Your Program Without Hiring

AppSec professionals are hard to find. Tap into our experts, who have delivered 16,000 developer consultations and 400,000 hours of program management. Get help planning your program, onboarding engineering teams, coaching developers on remediation, and reviewing mitigations.

Simplify Your Program Through SaaS

No need to set up or manage any hardware: simply upload your application for scanning, either manually or through automation. Manage the remediation workflow for both known and unknown vulnerabilities, with information on safe component versions to use and eLearning for software engineers.

Veracode Has Acquired SourceClear

Over the next several months, Veracode will work to integrate the SourceClear technology into our existing SCA solution.


SourceClear brings the following technologies to SCA:


Broad Language Coverage

SourceClear covers Java, JavaScript, .NET, Python, Ruby, Objective-C, Go, and PHP.

Prioritizing Your Work

Prioritize the open source vulnerabilities that are a real threat to your applications. With SourceClear’s Dependency Mapping and Vulnerable Methods technologies, available for some languages, the scanner maps your application’s dependency graph and uses control-flow analysis to determine whether your code actually calls the vulnerable part of an open source library. Customers report reducing their security-focused development time by 90%.
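The Vulnerable Methods idea above, reachability from the application’s own code to the specific library function that carries the flaw, can be shown with a small static call-graph analysis. The Python below is an added example written for this page, not SourceClear’s implementation; the library `yamlkit`, the flawed `_construct_object` function and the two applications `app_a` and `app_b` are all constructed for the illustration:

```python
"""Toy vulnerable-method reachability check (added example, not SourceClear code).

Builds a name-based call graph over an application and the library it imports,
then asks whether any path from the app's entry point reaches the library
function that carries the flaw. All sources below are constructed.
"""
import ast
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed library: only load_unsafe reaches the flawed constructor.
LIBRARY_SRC = {"yamlkit": '''
def parse_tree(text):
    return text.split(":")

def load_safe(text):
    return parse_tree(text)

def _construct_object(node):
    return eval(node)      # hypothetical flaw: arbitrary code execution

def load_unsafe(text):
    return _construct_object(parse_tree(text)[0])
'''}

# Two constructed applications that both depend on yamlkit.
APP_A = '''
import yamlkit

def read_config(raw):
    return yamlkit.load_unsafe(raw)

def main():
    return read_config("x")
'''
APP_B = '''
import yamlkit as yk

def read_config(raw):
    return yk.load_safe(raw)

def main():
    return read_config("x")
'''


class CallGraphBuilder(ast.NodeVisitor):
    """Records caller -> callee edges as 'module.function' names."""

    def __init__(self, module: str, graph: Dict[str, Set[str]]):
        self.module, self.graph = module, graph
        self.aliases: Dict[str, str] = {}      # `import m as a`  -> {a: m}
        self.from_names: Dict[str, str] = {}   # `from m import f` -> {f: m.f}
        self.stack = [f"{module}.<module>"]    # enclosing function of each call

    def visit_Import(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = a.name

    def visit_ImportFrom(self, node):
        for a in node.names:
            self.from_names[a.asname or a.name] = f"{node.module}.{a.name}"

    def visit_FunctionDef(self, node):
        qual = f"{self.module}.{node.name}"
        self.graph.setdefault(qual, set())
        self.stack.append(qual)
        self.generic_visit(node)
        self.stack.pop()

    def visit_Call(self, node):
        target = self._resolve(node.func)
        if target:
            self.graph.setdefault(self.stack[-1], set()).add(target)
        self.generic_visit(node)              # calls nested in arguments count too

    def _resolve(self, func) -> Optional[str]:
        if isinstance(func, ast.Name):         # f(...): from-import or same module
            return self.from_names.get(func.id, f"{self.module}.{func.id}")
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            mod = self.aliases.get(func.value.id)   # m.f(...): imported module
            return f"{mod}.{func.attr}" if mod else None
        return None                            # obj.method(...): not resolved here


def build_call_graph(sources: Dict[str, str]) -> Dict[str, Set[str]]:
    graph: Dict[str, Set[str]] = {}
    for module, src in sources.items():
        CallGraphBuilder(module, graph).visit(ast.parse(src))
    return graph


def find_path(graph: Dict[str, Set[str]], start: str, target: str) -> Optional[List[str]]:
    """Breadth-first search; returns the call chain start -> ... -> target, or None."""
    parent: Dict[str, Optional[str]] = {start: None}
    todo = deque([start])
    while todo:
        n = todo.popleft()
        if n == target:
            path = []
            while n is not None:
                path.append(n)
                n = parent[n]
            return path[::-1]
        for callee in graph.get(n, ()):
            if callee not in parent:
                parent[callee] = n
                todo.append(callee)
    return None


def vulnerable_method_reachable(app_name: str, app_src: str, vulnerable: str,
                                entry: str = "main") -> Optional[List[str]]:
    """Call path from the app's entry point to the flawed library method, or None."""
    graph = build_call_graph({**LIBRARY_SRC, app_name: app_src})
    return find_path(graph, f"{app_name}.{entry}", vulnerable)


def triage(vulnerable: str = "yamlkit._construct_object") -> Dict[str, Optional[List[str]]]:
    """Which constructed app actually reaches the flawed method?"""
    return {name: vulnerable_method_reachable(name, src, vulnerable)
            for name, src in (("app_a", APP_A), ("app_b", APP_B))}
```

Both applications declare the same vulnerable library, so a manifest-only SCA scan would flag both identically. The call-graph check separates them: `triage()` returns the chain `app_a.main -> app_a.read_config -> yamlkit.load_unsafe -> yamlkit._construct_object` for `app_a` and `None` for `app_b`, which calls only `load_safe`. The resolution here is purely name-based and ignores dynamic dispatch, `getattr`, callbacks stored in data, monkey-patching and calls made through objects, so "not reachable" is a prioritization signal, not proof of safety; the library still needs upgrading, just with less urgency.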


Finding Unknown Vulnerabilities

Greatly reduce your risk by finding vulnerabilities that have not yet been disclosed. SourceClear takes SCA one step further: for some languages it uses data science and machine learning to identify vulnerabilities that have not been disclosed to the general public, by data-mining:

  • commits in open source libraries,
  • bug trackers, and
  • change logs

Bringing SCA Scanning Where You Want It

The SourceClear solution integrates with your CI pipeline to support your DevOps practices. With a single line added to your build, you are up and scanning in seconds.

  • Continuous Integration: Atlassian, Bitbucket, CircleCI, Codeship, GitLab, Jenkins, Travis
  • Desktop: Gradle, Maven, CLI Agent
  • Issues: Atlassian, GitHub
  • SAML: Okta, PingOne
