Mitigate License Risk with Veracode SCA

Veracode Software Composition Analysis

You can take mitigation actions to temporarily address license risks found in Veracode Software Composition Analysis (SCA).

You have the Reviewer or Security Lead role.
  1. In the Veracode Platform, go to Scans & Analysis > Software Composition Analysis.
  2. Select an application from the Applications list.
  3. Click the Licenses tab.

Licenses tab of the Mitigations page
  1. Select the licenses on which you want to perform a mitigation action.
  2. Select one of these actions from the Mitigation Actions menu:
    • Mitigate as Approved by Legal: the legal team of your organization has determined this license to be acceptable.
    • Mitigate as Commercially Licensed: the library has a dual license, open-source and commercial, and this application contains the commercial version.
    • Mitigate as Experimental: your development team is experimenting with the functionality of the library and will not violate license terms by using it in production.
    • Mitigate as Internal Use: the license terms allow using the library for internal purposes.
    • Comment: communicate information about the license to your team without applying mitigations.
  3. Click Apply.
  4. Enter a comment with details about the mitigation.
  5. Click Continue.
    The mitigation type and status appear in the Mitigation column of the Licenses table and in the History tab of the component profile.

    Licenses with proposed mitigations
A user with the Mitigation Approver role must approve any proposed mitigations to apply them.