Well, I am not that familiar with this Veracode application either. This (hopefully) future customer requires that all software they install must be "secure" in the sense of best practices and standards like CWE, SANS and OWASP. The customer uses this Veracode software for this validation.
The description of the issue in the report is as follows:
Use of Hard-coded Password (CWE ID 259)
A method uses a hard-coded password that may compromise system security in a way that cannot be easily remedied.
The use of a hard-coded password significantly increases the possibility that the account being protected will be
compromised. Moreover, the password cannot be changed without patching the software. If a hard-coded password
is compromised in a commercial product, all deployed instances may be vulnerable to attack.
Recommendations
Store passwords out-of-band from the application code. Follow best practices for protecting credentials stored in locations such as configuration or properties files.
It sounds that this Veracode software is just reporting a false positive then?