You can set distinct grace periods for each of your Veracode Software Composition Analysis policy rules in the same policy in which you define grace periods for other scan types. You can also set grace periods for specific CVSS score ranges.
Before You Begin
You must have the Policy Administrator role.
For Veracode SCA findings, Veracode evaluates newly announced vulnerabilities as new findings, so grace periods apply from the announcement date. For example, a Veracode SCA upload scan identifies a component on May 1, and a vulnerability with a CVSS score of 8.0 is then announced in that component on June 15. If you have a 30-day grace period for findings with a score of 8.0 and above, you must resolve the vulnerability by July 15 to pass policy.
From the Rules screen in the Add New Policy page, click Grace Periods > Software Composition Analysis.
Select the rule types for which you want to apply a grace period.
If your policy does not include a rule for the selected rule types, the grace period has no effect on your policy compliance.
Enter the number of days to allow before findings can prevent you from passing policy.
To set different grace periods for different CVSS score ranges:
a. Click Add Another under the Vulnerability CVSS Score option to create up to five grace periods.
b. Edit the first value in each score range to define the low end of the range. The high end of the first range is automatically 10.0. The high end of additional ranges is automatically one tenth of a point below the low end of the range above it. The low end of the last range is automatically 0.0.
c. Enter the number of days to allow for each CVSS score range.
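The following Python sketch is an added example, not Veracode code or a Veracode API. It models the score-range boundaries described in step b and the announcement-date rule from Before You Begin, so you can check which findings would be past their grace period on a given day. The function names, the component names, the 90-day and 180-day values, and the year are assumptions made for illustration.

```python
from datetime import date, timedelta
from decimal import Decimal

MAX_RANGES = 5  # the page allows up to five CVSS grace periods

def build_ranges(entries):
    """entries: [(low_end, grace_days), ...] ordered from the highest range down.
    Returns [(low, high, grace_days)] with boundaries derived as in step b."""
    if not 1 <= len(entries) <= MAX_RANGES:
        raise ValueError("define between one and five score ranges")
    ranges, high = [], Decimal("10.0")  # high end of the first range is 10.0
    for i, (low, days) in enumerate(entries):
        low = Decimal(str(low))
        if i == len(entries) - 1:
            low = Decimal("0.0")  # low end of the last range is always 0.0
        if not Decimal("0.0") <= low <= high:
            raise ValueError(f"low end {low} does not fit below {high}")
        ranges.append((low, high, days))
        high = low - Decimal("0.1")  # next range ends one tenth below this one
    return ranges

def due_date(ranges, cvss, announced):
    """Last day on which the finding can be resolved and still pass policy."""
    score = Decimal(str(cvss))
    for low, high, days in ranges:
        if low <= score <= high:
            return announced + timedelta(days=days)
    raise ValueError(f"CVSS score {cvss} is not covered by any range")

def overdue(findings, ranges, today):
    """Names of findings whose grace period has run out as of `today`."""
    return [name for name, cvss, announced in findings
            if today > due_date(ranges, cvss, announced)]

# Constructed sample data (hypothetical component names, year chosen arbitrarily).
SAMPLE_RANGES = build_ranges([(8.0, 30), (4.0, 90), (0.0, 180)])
SAMPLE_FINDINGS = [
    ("lib-a", 8.0, date(2024, 6, 15)),  # the page's example: due July 15
    ("lib-b", 7.9, date(2024, 6, 15)),  # falls in the 4.0-7.9 range: 90 days
    ("lib-c", 9.8, date(2024, 5, 1)),   # 30 days from May 1: due May 31
]

if __name__ == "__main__":
    for low, high, days in SAMPLE_RANGES:
        print(f"CVSS {low}-{high}: {days} days")
    print(overdue(SAMPLE_FINDINGS, SAMPLE_RANGES, date(2024, 7, 16)))
```

A score of 7.9 lands in the second range, not the first, because the first range starts at exactly 8.0. Review the low ends you enter with that boundary in mind.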