Please share with the community what you think needs improvement with Veracode Software Composition Analysis.
What are its weaknesses? What would you like to see changed in a future version?
The licensing model could be improved. If they can provide an automatic upload model, that would be really good. Right now we have to upload the NK bucket hosting to get through the analysis. That is kind of cumbersome. The documentation is poor and the technical support isn't helpful.
There is a concept called false positives, where things come up as a potential issue but really are not. In our case specifically, we might get a false positive when a potential vulnerability is discovered through Veracode analysis, but the way the application is built means that what appears to be a vulnerability is not really an issue. Stated a different way, even though there might be something that prevents that particular event from ever happening, the product does not correctly detect the safeguards or the impossibility of the issue arising. When a false positive gets reported by the Composition Analysis, it results in more work for you to do than you should have to. There is a lot of information to go through, and some of it is due to those false positives. You either have to do work to eliminate the false positives being identified, or you have to look at the alert and determine that it is harmless. As far as what might be added in future releases, more artificial intelligence capabilities would be desirable. I do not know if they have it now. One example could be to make more focused suggestions or give more information in the reports to locate the cause of the issues. It should be something that improves results over time so that people do not have to do as much work to understand the details.
The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified. The solution needs to be more flexible. It needs to work with clients more effectively. Right now, the licensing model is based on the number of applications as opposed to being flexible and based on the number of developers or some other parameters. This constrains our company in terms of defining what an application is and doing the scans. We have an application with multiple repositories, but Veracode has a hard time recognizing the different components sitting in different repositories as one application. The solution is pretty similar to others. There wasn't anything so startlingly different that it would make us want to stay.
A high number of false positives are reported and this should be reduced.