Mitigate vulnerabilities

Mitigate vulnerabilities from Veracode Software Composition Analysis (SCA) scans of your application to temporarily address vulnerabilities that you will not resolve right away. For vulnerabilities that you must resolve, see the remediation guidance.

In the Veracode Platform, use the SCA Results page to get a unified view of all vulnerabilities from both SCA Upload and Scan and SCA Agent-based Scan for an application. Then, use the mitigation actions to propose mitigating factors and add comments to the vulnerabilities. After you propose a mitigation for a finding, users in your organization with the Mitigation Approver role can accept or reject it. Only accepted mitigations remove findings from the determination of the application's policy status; a proposed mitigation has no effect on policy until it is approved.

note

Mitigations do not provide long-term fixes for application security vulnerabilities. For example, changes to your environment or new attack techniques can make many mitigating factors, such as network and operating system mitigations, ineffective. We recommend using mitigations only as a temporary measure within a long-term plan to remediate the findings in your applications, and re-reviewing approved mitigations when the environment changes.

To avoid adding malicious components to your projects, use Veracode Package Firewall.

To review and mitigate flaws from a Static Analysis Upload and Scan or Dynamic Analysis of your application, use the Triage Flaws page in the Veracode Platform. Typically, findings from Dynamic Analysis are called vulnerabilities, but they appear on the Triage Flaws page as flaws.

How can I mitigate vulnerabilities?

You can mitigate vulnerabilities using the following Veracode products.

Using the Veracode Platform

Use the mitigation workflow explained in this section.

Using the REST API
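As an added example (not code from Veracode or from this page), the following Python script reads the SCA findings for one application from the Findings REST API and buckets them by mitigation state, so a Mitigation Approver can see the proposed queue and the team can see which findings still count against policy. It assumes the Findings API response shape (finding_status.resolution_status with the values NONE, PROPOSED, APPROVED and REJECTED; violates_policy; finding_details.component_filename and finding_details.cve.name) and the veracode-api-signing HMAC plugin for authentication; the sample payload is constructed, not captured from a real account. Proposing and approving mitigations is done through the Platform workflow described on this page; the script only reads state.

```python
"""Summarize SCA mitigation state for one application from Findings API output.

Added example, not part of the Veracode documentation. It reads the JSON returned
by GET https://api.veracode.com/appsec/v2/applications/{app_guid}/findings?scan_type=SCA
and buckets each finding by finding_status.resolution_status (assumed values:
NONE, PROPOSED, APPROVED, REJECTED). Field names follow the Findings REST API
response as understood by the author of this example; the sample is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample: one Findings API page with three SCA findings in
# different mitigation states. The CVE/component pairings are real, the
# account data is not.
SAMPLE_RESPONSE = json.dumps({
    "_embedded": {"findings": [
        {  # approved mitigation: no longer counts toward policy status
            "issue_id": 1001, "scan_type": "SCA", "violates_policy": False,
            "finding_status": {"status": "OPEN", "resolution": "MITIGATED",
                               "resolution_status": "APPROVED"},
            "finding_details": {"severity": 5, "component_filename": "log4j-core-2.14.1.jar",
                                "cve": {"name": "CVE-2021-44228"}},
        },
        {  # proposed but not yet approved: still violates policy
            "issue_id": 1002, "scan_type": "SCA", "violates_policy": True,
            "finding_status": {"status": "OPEN", "resolution": "UNRESOLVED",
                               "resolution_status": "PROPOSED"},
            "finding_details": {"severity": 5, "component_filename": "spring-beans-5.3.17.jar",
                                "cve": {"name": "CVE-2022-22965"}},
        },
        {  # no mitigation at all: must be remediated
            "issue_id": 1003, "scan_type": "SCA", "violates_policy": True,
            "finding_status": {"status": "OPEN", "resolution": "UNRESOLVED",
                               "resolution_status": "NONE"},
            "finding_details": {"severity": 4, "component_filename": "commons-text-1.9.jar",
                                "cve": {"name": "CVE-2022-42889"}},
        },
    ]}
})


@dataclass(frozen=True)
class ScaFinding:
    issue_id: int
    component: str
    cve: str
    severity: int
    resolution_status: str  # NONE / PROPOSED / APPROVED / REJECTED
    violates_policy: bool


def parse_findings(raw_json: str) -> list[ScaFinding]:
    """Flatten a Findings API page, keeping SCA findings only."""
    body = json.loads(raw_json)
    out: list[ScaFinding] = []
    for f in body.get("_embedded", {}).get("findings", []):
        if f.get("scan_type") != "SCA":
            continue
        details = f.get("finding_details", {})
        out.append(ScaFinding(
            issue_id=int(f["issue_id"]),
            component=details.get("component_filename", "?"),
            cve=details.get("cve", {}).get("name", "n/a"),
            severity=int(details.get("severity", 0)),
            resolution_status=f.get("finding_status", {}).get("resolution_status", "NONE"),
            violates_policy=bool(f.get("violates_policy", False)),
        ))
    return out


def bucket_by_mitigation(findings: list[ScaFinding]) -> dict[str, list[ScaFinding]]:
    """Group findings into the states the mitigation workflow moves through."""
    buckets: dict[str, list[ScaFinding]] = {"unmitigated": [], "awaiting_approval": [], "approved": []}
    for f in findings:
        if f.resolution_status == "APPROVED":
            buckets["approved"].append(f)
        elif f.resolution_status == "PROPOSED":
            buckets["awaiting_approval"].append(f)
        else:  # NONE or REJECTED: needs remediation or a new proposal
            buckets["unmitigated"].append(f)
    return buckets


def approver_queue(findings: list[ScaFinding]) -> list[ScaFinding]:
    """Proposed mitigations a Mitigation Approver still has to act on, worst severity first."""
    proposed = [f for f in findings if f.resolution_status == "PROPOSED"]
    return sorted(proposed, key=lambda f: (-f.severity, f.issue_id))


def fetch_sca_findings(app_guid: str) -> str:
    """Live fetch of the first page of SCA findings (not used by the offline sample).

    Uses Veracode's HMAC request signer (pip install veracode-api-signing), which reads
    VERACODE_API_KEY_ID / VERACODE_API_KEY_SECRET or ~/.veracode/credentials.
    Paging via _links.next is omitted here.
    """
    import requests  # imported lazily so the offline part of the example needs no network deps
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC

    resp = requests.get(
        f"https://api.veracode.com/appsec/v2/applications/{app_guid}/findings",
        params={"scan_type": "SCA", "size": 500},
        auth=RequestsAuthPluginVeracodeHMAC(),
        timeout=60,
    )
    resp.raise_for_status()
    return resp.text


if __name__ == "__main__":
    found = parse_findings(SAMPLE_RESPONSE)
    for name, items in bucket_by_mitigation(found).items():
        print(f"{name}: {[f.cve for f in items]}")
    print("approver queue:", [(f.cve, f.component) for f in approver_queue(found)])
```

Run against a real application by replacing SAMPLE_RESPONSE with fetch_sca_findings("<app_guid>"); the approved bucket is the set to re-review periodically, since the note above explains that environmental mitigations can stop being effective.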

Mitigation workflow

The SCA mitigation workflow using the Veracode Platform involves:

  1. Reviewing vulnerabilities and proposing mitigations.
  2. Reviewing licenses and proposing mitigations.
  3. Accepting or rejecting mitigations.

Propose mitigations for vulnerabilities

You can take mitigation actions to temporarily address the vulnerabilities found in the latest SCA scan of your application.

note

Mitigating SCA vulnerabilities in development sandboxes is not supported.

To complete this task:

  1. Sign in to the Veracode Platform.

  2. Select My Portfolio > Applications.

  3. On the All Applications page, locate an application with results ready. The shield in the Policy column indicates the application's policy assessment status.

  4. In the Results column, select View. The Results page opens.

  5. From the left menu, select Software Composition Analysis. The SCA Results page opens.

  6. Select the Third-Party Components tab.

  7. Select a component filename to investigate the vulnerabilities found in the component. The Component Profile opens where you can view additional information about the component including other versions of the component, component vulnerabilities, and applications that depend on the component.

  8. After you address the vulnerability, record the reason for, or the method you used in, addressing it by proposing a mitigation.

  9. From the Action menu, select one of the following action types:

    • Mitigate by Environment to state that an environmental control provided by the operating system hosting the application addressed the vulnerability. Because such controls can change independently of the application, re-check them when the hosting environment changes.
    • Mitigate by Design to state that custom business logic within the body of the application, which might not be fully identifiable by an automated process, addressed the vulnerability.
    • Potential False Positive to state that Veracode has incorrectly identified a vulnerability.
    • Accept the Risk to state that your business has evaluated the potential risk and the effort required to address the vulnerability and is willing to accept the associated risk.
    • Comment to communicate information about the vulnerability to your team without applying a mitigation.

    If your organization uses the TSRV (Technique, Specifics, Remaining Risk, and Verification) format for mitigation proposals, Veracode prompts you to enter those details about the mitigation.

    The mitigation type is displayed in the Mitigation column after you apply an action. All mitigations are displayed with a (proposed) notation after the mitigation type until a member of your team with the Mitigation Approver role approves the mitigation.

  10. To view the mitigation history of a component, select the Component Filename, and go to History on the Component Profile.

Component mitigation information by severity is also available from My Portfolio > Applications > Software Composition Analysis > Third-Party Components. Hover over vulnerabilities marked with an asterisk to view a tooltip with mitigation information.

Next steps:

A Mitigation Approver can approve or reject your proposed mitigations.

Propose mitigations for licenses

Use mitigation actions to temporarily address license risks.

Before you begin:

You must have the Reviewer or Security Lead role.

To complete this task:

  1. Sign in to the Veracode Platform.

  2. Select My Portfolio > Applications.

  3. On the All Applications page, locate an application with results ready. The shield in the Policy column indicates the application's policy assessment status.

  4. In the Results column, select View. The Results page opens.

  5. From the left menu, select Software Composition Analysis. The SCA Results page opens.

  6. Select the Licenses tab.

  7. Select the licenses on which you want to perform a mitigation action.

  8. Select one of these actions from the Mitigation Actions dropdown:

    • Mitigate as Approved by Legal: the legal team of your organization has determined this license to be acceptable.
    • Mitigate as Commercially Licensed: the library has a dual license, both open-source and commercial, and this application contains the commercial version.
    • Mitigate as Experimental: your development team is experimenting with the functionality of the library and will not violate license terms by using it in production.
    • Mitigate as Internal Use: the license terms permit internal use of the library.
    • Accept the Risk: your business is willing to accept the risk associated with this license.
    • Comment: communicate information about the license to your team without applying mitigations.
  9. Select Apply.

  10. Enter a comment with details about the mitigation.

  11. Select Continue. The mitigation type and status appear in the Mitigation column of the Licenses table and in the History tab of the component profile.

Next steps:

A user with the Mitigation Approver role must approve any proposed mitigations to apply them.

Approve or reject mitigations

Approve or reject the mitigations that your team proposed for vulnerabilities or licenses.

Before you begin:

You must have the Mitigation Approver role.

To complete this task:

  1. Sign in to the Veracode Platform.

  2. Select My Portfolio > Applications.

  3. On the All Applications page, locate an application with results ready. The shield in the Policy column indicates the application's policy assessment status.

  4. In the Results column, select View. The Results page opens.

  5. From the left menu, select Mitigations.

  6. Select the Mitigated Component Licenses tab or the Mitigated Component Vulnerabilities tab.

  7. Under Proposed, select one or more vulnerabilities or licenses on which you want to take action.

  8. Select one of these actions:

    • Approve to accept the proposed mitigation.
    • Reject to reject the proposed mitigation.
    • Comment to enter additional information about the proposed mitigation. You must enter a comment when you approve or reject mitigations.
  9. Select Continue.

Next steps:

To view the mitigation history of a component, select History on the Component Profile.

You can also view component mitigation information by severity from Third-Party Components. Hover over vulnerabilities with an asterisk to view a tooltip with mitigation information.

Remediation guidance

Use the following guidelines when remediating vulnerabilities that you must resolve.

  • Upgrade to the latest, or least-vulnerable, version of the open-source component. Check the version's known vulnerabilities first: the latest version of a component is not always the least vulnerable.
  • Replace the vulnerable component with a different component that provides similar functionality.
  • Use environmental controls to reduce the risk to the application. If your application calls the vulnerable portion of the component, look for a workaround.
  • Disable or stop using the component functionality that the vulnerability or the license concern applies to.
  • Build your own secure component.