Mitigating Veracode SCA Vulnerabilities and Licenses

Veracode Software Composition Analysis

You can review vulnerabilities and licenses found during Veracode Software Composition Analysis (SCA) to decide whether you want to address them temporarily using mitigation actions.

After you identify a finding as mitigated, users in your organization with the Mitigation Approver role can accept or reject the mitigations. Accepting the mitigated findings removes them from the application score calculation and from the determination of the policy status. You cannot mitigate Veracode SCA findings in sandboxes.

Note: You should not consider mitigations as long-term fixes for application security findings. Environmental changes or new attack techniques can render many mitigating factors ineffective, including network and operating system mitigations. Veracode recommends that you use mitigations as part of a long-term plan to remediate the flaws in the code.