If you do not customize the workspace rules, Veracode SCA applies the default rules.
Using the Veracode default rules, issues get created when:
- A vulnerability exists in either direct or transitive libraries.
- A direct library is out of date.
- A direct library contains a high-risk license.
Additional controls that you can use with custom rules include:
- A library has multiple licenses.
- A library has no license.
The issue severities are set as follows:
- Vulnerability issues, direct or transitive: the CVSS score of the vulnerability
- Outdated library issues, direct: 3.0