You can apply mitigation actions to temporarily address license risks that Veracode Software Composition Analysis (SCA) identifies. A mitigation records a decision about the risk; it does not change the license terms of the library.
Before you begin:
You must have the Reviewer or Security Lead role.
To complete this task:
In the Veracode Platform, go to Scans & Analysis > Software Composition Analysis.
Select an application from the Applications list.
Click the Licenses tab.
Select the licenses on which you want to perform a mitigation action.
Select one of these actions from the Mitigation Actions menu:
- Mitigate as Approved by Legal: your organization's legal team has determined that this license is acceptable.
- Mitigate as Commercially Licensed: the library is dual-licensed (open-source and commercial), and this application uses the commercially licensed version.
- Mitigate as Experimental: your development team is only experimenting with the functionality of the library, so using it will not violate the license terms in production.
- Mitigate as Internal Use: the license terms permit internal use of the library.
- Accept the Risk: your business is willing to accept the risk associated with this license.
- Comment: communicate information about the license to your team without applying mitigations.
Enter a comment with the justification for the mitigation, so that the reason for the decision is recorded alongside it.
The mitigation type and status appear in the Mitigation column of the Licenses table and in the History tab of the component profile.