Mitigate license risk with Veracode SCA
You can apply mitigation actions to temporarily address license risks that Veracode Software Composition Analysis (SCA) reports for the open-source components in an application. A mitigation records why the license risk is acceptable; it does not change the license or remove the component.
Before you begin:
You must have the Reviewer or Security Lead role.
To complete this task:
1. In the Veracode Platform, go to Scans & Analysis > Software Composition Analysis.
2. Select an application from the Applications list.
3. Select Licenses.
4. Select the licenses on which you want to perform a mitigation action.
5. Select one of these actions from the Mitigation Actions dropdown:
   - Mitigate as Approved by Legal: the legal team of your organization has determined this license to be acceptable.
   - Mitigate as Commercially Licensed: the library is dual-licensed, both open-source and commercial, and this application contains the commercial version.
   - Mitigate as Experimental: your development team is experimenting with the functionality of the library and will not violate the license terms by using it in production.
   - Mitigate as Internal Use: the license terms permit internal use of the library.
   - Accept the Risk: your business is willing to accept the risk associated with this license.
   - Comment: communicate information about the license to your team without applying a mitigation.
6. Select Apply.
7. Enter a comment with details about the mitigation, such as the justification and any supporting evidence.
8. Select Continue.
The mitigation type and status appear in the Mitigation column of the Licenses table and in the History tab of the component profile.
Next steps:
A user with the Mitigation Approver role must approve any proposed mitigations before they take effect. Until a mitigation is approved, it remains in the proposed state and the license risk is still reported against the application.