Mitigating Veracode SCA Vulnerabilities and Licenses
You can review vulnerabilities and licenses found during Veracode Software Composition Analysis (SCA) to decide whether you want to address them temporarily using mitigation actions.
After you identify a finding as mitigated, users in your organization with the Mitigation Approver role can accept or reject the mitigations. Accepting the mitigated findings removes them from the application score calculation and from the determination of the policy status. You cannot mitigate Veracode SCA findings in sandboxes.
The SCA mitigation workflow involves:
- Reviewing vulnerabilities and proposing mitigations.
- Reviewing licenses and proposing mitigations.
- Accepting or rejecting mitigations.
- Viewing mitigated flaws on the History tab.
You should not consider mitigations as long-term fixes for application security findings. Environmental changes or new attack techniques can render many mitigating factors ineffective, including network and operating system mitigations. Veracode recommends that you use mitigations only as part of a long-term plan to remediate the flaws in the code.