Avoid scanning third party libraries in Veracode

We recently started using Veracode for vulnerability testing. Is there a way to selectively exclude all the third party libraries and focus the scan only on our internal libraries code?

Hi: The answer to your question depends on the language in which the application you are scanning was written.

• Java: Veracode respects WAR file structure conventions and treats JARs in the /lib directory as third party code. They are included in Software Composition Analysis results, if you subscribe to that service, but we do not otherwise report vulnerabilities that reside in code in this directory.
• C/C++ / .NET: By default only the top level executables will be scanned. The static engine will also follow code paths from the top level executables into third party libraries if they are present, but will not check all possible parts of the third party libraries for flaws. You can go into Advanced Mode and click Show Dependencies if you want to scan all possible paths in the third party dependent libraries for flaws.
• PHP/JavaScript/Android/iOS/other languages: It's not possible to exclude third party libraries for these languages.

If you have additional questions, please contact Veracode Support and they can help you further.