Yes, Veracode Static Analysis can scan a specific kind of SQL file: Transact-SQL (T-SQL) files with the standard .sql extension. It does not analyze general SQL scripts or queries that fall outside that scope.
Understanding Veracode's SQL Scanning Capabilities
Veracode's static analysis engine is designed to identify security flaws within your application code, including how that code interacts with databases. When it comes to SQL files, its capabilities are highly specific to the dialect commonly used in Microsoft SQL Server environments.
Supported SQL File Types for Static Analysis
Veracode supports Transact-SQL (T-SQL) files. T-SQL is Microsoft's proprietary extension to SQL (Structured Query Language), used by Microsoft SQL Server. When these files carry the .sql extension, Veracode processes them as part of your application's source code during a static analysis scan. This lets the platform detect potential vulnerabilities such as SQL injection in dynamic SQL, insecure database configuration defined in scripts, and other security weaknesses embedded in your T-SQL code.
For more detailed information on packaging T-SQL applications for analysis, you can refer to the Veracode documentation on Transact-SQL packaging.
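As an added illustration (not code from the Veracode documentation), the following T-SQL script shows the kind of flaw a .sql scan is meant to report: a stored procedure that concatenates a caller-supplied value into dynamic SQL, beside a version that passes the value through sp_executesql as a typed parameter, and a third procedure that handles the one case parameters cannot cover (a runtime-chosen identifier). The table, procedure names and sample rows are constructed for the example.

```sql
-- Added example, not from the Veracode documentation. Table, procedure
-- names and rows are hypothetical; run against a scratch database.

-- Constructed sample schema and data so the script runs on any SQL Server.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Email      NVARCHAR(256) NOT NULL,
    Region     NVARCHAR(32)  NOT NULL
);
GO
INSERT INTO dbo.Customers (Email, Region) VALUES
    (N'alice@example.com', N'EMEA'),
    (N'bob@example.com',   N'APAC');
GO

-- VULNERABLE: @Region is concatenated straight into the statement text.
-- An input of  ' OR 1=1 --  turns the query into
--   SELECT ... WHERE Region = '' OR 1=1 --'
-- and the trailing quote is commented away.
CREATE PROCEDURE dbo.GetCustomersByRegion_Unsafe
    @Region NVARCHAR(32)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, Email FROM dbo.Customers WHERE Region = '''
             + @Region + N'''';
    EXEC (@sql);   -- dynamic SQL built from untrusted input
END;
GO

-- HARDENED: the statement text is constant and the value travels as a
-- typed parameter, so no input can change the query's structure.
CREATE PROCEDURE dbo.GetCustomersByRegion_Safe
    @Region NVARCHAR(32)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email FROM dbo.Customers WHERE Region = @p_region';
    EXEC sys.sp_executesql @sql, N'@p_region NVARCHAR(32)', @p_region = @Region;
END;
GO

-- Identifiers (table or column names chosen at runtime) cannot be passed
-- as parameters. When they are unavoidable, allow-list them and wrap the
-- name with QUOTENAME so it is emitted as a bracketed identifier.
CREATE PROCEDURE dbo.GetCustomersSortedBy
    @SortColumn SYSNAME
AS
BEGIN
    IF @SortColumn NOT IN (N'CustomerId', N'Email', N'Region')
        THROW 50000, N'Invalid sort column', 1;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email, Region FROM dbo.Customers ORDER BY '
        + QUOTENAME(@SortColumn);
    EXEC sys.sp_executesql @sql;
END;
GO

-- Demonstration: the payload returns every row from the unsafe procedure
-- and no rows from the safe one (no region is literally named ' OR 1=1 --).
EXEC dbo.GetCustomersByRegion_Unsafe @Region = N''' OR 1=1 --';
EXEC dbo.GetCustomersByRegion_Safe   @Region = N''' OR 1=1 --';
EXEC dbo.GetCustomersSortedBy        @SortColumn = N'Email';
GO
```

Packaged as a .sql file, the _Unsafe procedure is the concatenation pattern a T-SQL scan is designed to flag; the _Safe version keeps the statement text fixed so the parameter can only ever be compared as data. The QUOTENAME procedure is the caveat practitioners hit most often: an ORDER BY column or table name can't be parameterized, so the defence there is an allow-list plus identifier quoting, not sp_executesql alone.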
What Veracode Does Not Scan
While T-SQL files are supported, Veracode Static Analysis does not analyze:
- General SQL scripts or queries: standalone SQL files that are not T-SQL, or plain data manipulation (DML) or data definition (DDL) scripts that are not part of a larger T-SQL application.
- Other SQL dialects: files written in dialects such as MySQL, PostgreSQL, Oracle PL/SQL, or SQLite are not scanned as SQL files by Veracode Static Analysis. SQL of any dialect that is embedded in a supported application language (for example, query strings inside Java or .NET code) is analyzed as part of that application's code, not as a SQL file. The SQL-file focus remains on T-SQL.
Why the Specificity?
Static analysis tools excel when they have a deep understanding of the language, framework, and specific dialect they are analyzing. By focusing on T-SQL, Veracode can provide more accurate and relevant findings for applications that utilize Microsoft SQL Server. This specialization helps in identifying complex vulnerabilities that might be specific to T-SQL syntax, functions, and common coding patterns within that environment.
Practical Guidance for Developers
If your application involves SQL files, understanding these distinctions is crucial for effective security testing.
Ensuring Your T-SQL Files Are Scanned
To ensure your T-SQL files are included and properly analyzed by Veracode:
- Verify Dialect: Confirm that your SQL files are indeed written in Transact-SQL.
- Use Correct Extension: Ensure all relevant T-SQL files have the standard .sql file extension.
- Include in Package: When preparing your application for a Veracode Static Analysis scan, make sure these T-SQL files are included in the packaged archive alongside your application's source code.
Handling Unsupported SQL Content
For SQL content that falls outside of Veracode's direct static analysis capabilities (e.g., non-T-SQL dialects or general scripts):
- Consider Other Tools: Explore database-specific security tools or manual review processes for these unsupported SQL types.
- Focus on Application Code: Remember that Veracode still analyzes your application's source code (e.g., Java, .NET, PHP) for how it interacts with the database, regardless of the SQL dialect. This covers injection flaws caused by building queries from untrusted input instead of using parameterized queries, and by ORM misuse or misconfiguration that falls back to unparameterized raw queries.
Overview: Veracode SQL Scan Types
The following table summarizes Veracode's support for different types of SQL content in static analysis:
| Type of SQL Content | Veracode Static Analysis Support | Notes |
|---|---|---|
| Transact-SQL (T-SQL) files with .sql extension | Yes | Directly analyzed for security vulnerabilities specific to T-SQL. |
| General SQL scripts or queries | No | Not analyzed as standalone SQL files by the static analysis engine. |
| Other SQL dialects (e.g., MySQL, PostgreSQL) | No | Not scanned as SQL files; only T-SQL in .sql files is supported. |