Address Veracode SCA vulnerabilities

You can take mitigation actions to temporarily address the vulnerabilities found in the latest Veracode Software Composition Analysis (SCA) scan of your application.

To complete this task:

  1. Go to Scans & Analysis > Software Composition Analysis to view which of your applications are violating your policy.

  2. After you select an application, on the Third-party Components tab, click a component filename to investigate the vulnerabilities found in the component.

    The Component Profile opens, where you can view additional information about the component, including other versions of the component, its vulnerabilities, and the applications that depend on it.

  3. After you address the vulnerability, you must record the reason for, or the method of, addressing it. From the Application > Vulnerabilities tab, search by CVE ID, Severity, or Component Filename, and select one or more vulnerabilities to flag as mitigated.

  4. From the Action menu, select one of the following action types:

    • Mitigate by Environment to state that an environmental control provided by the operating system hosting the application addressed the vulnerability.

    • Mitigate by Design to state that custom business logic within the body of the application, which might not be fully identifiable by an automated process, addressed the vulnerability.

    • Potential False Positive to state that Veracode has incorrectly identified a vulnerability.

    • Accept the Risk to state that your business has evaluated the potential risk and effort required to address the vulnerability and is willing to accept the associated risk.

    • Comment to communicate information about the vulnerability to your team without applying mitigations.

      Note: If you use the TSRV (Technique, Specifics, Remaining Risk, and Verification) format for mitigation proposals, Veracode prompts you to enter details about the mitigation.

    The mitigation type is displayed in the Mitigation column after you apply an action. All mitigations are displayed with a (proposed) notation after the mitigation type until the mitigation is approved by a member of your team with the Mitigation Approver role.

  5. To view mitigation history of a component, select the Component Filename, and go to the History tab on the Component Profile.

    Component mitigation information by severity is also available from Application > Software Composition Analysis > Third-party Components tab. Hover over vulnerabilities with an asterisk to view a tooltip with mitigation information.

Next steps:

A Mitigation Approver can approve or reject your proposed mitigations.