Risk levels for open-source components
Veracode SCA scans assign a risk level to two kinds of project components: open-source libraries and their licenses. The risk levels help you prioritize the vulnerabilities and licenses you might need to address in your project.
Open-source libraries
The following table describes the risk level of vulnerabilities in open-source libraries. To determine the risk level of the libraries in your project, Veracode SCA uses the Common Vulnerability Scoring System (CVSS) v3.0 rating assigned to the Common Vulnerabilities and Exposures (CVE) ID for a given vulnerability.
| Vulnerability Risk Level | CVSS Score Range | Description |
|---|---|---|
| Critical | 9.0-10.0 | A very serious weakness that is an easy target for an attacker to exploit. Fix this vulnerability immediately to avoid potential attacks. |
| High | 7.0-8.9 | A serious weakness that is an easy target for an attacker to exploit. Fix this vulnerability immediately to avoid potential attacks. |
| Medium | 4.0-6.9 | A moderate weakness that might be an easy target for an attacker to exploit. Fix this vulnerability after fixing all Critical and High vulnerabilities. |
| Low | 0.1-3.9 | A low weakness that an attacker might exploit. Consider fixing this vulnerability after fixing all Critical, High, and Medium vulnerabilities. |
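As an added example (not Veracode's own code or API), the following Python script applies the table above to a constructed list of SCA findings: it maps each CVSS v3.0 score to a risk level, treats a 0.0 score (which no row of the table covers) as unrated instead of silently promoting it to Low, and orders the findings in the remediation order the Description column recommends. Library names and CVE identifiers in the sample are placeholders.

```python
# Risk levels exactly as in the table above: (level, low, high), bounds inclusive.
RISK_LEVELS = (
    ("Critical", 9.0, 10.0),
    ("High", 7.0, 8.9),
    ("Medium", 4.0, 6.9),
    ("Low", 0.1, 3.9),
)
# Remediation order from the Description column: Critical/High first, then Medium, then Low.
PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def risk_level(cvss):
    """Map a CVSS v3.0 base score to a Veracode SCA risk level.

    Scores are rounded to one decimal (CVSS scores carry one decimal) so a
    value such as 6.95 cannot fall between the Medium and High ranges.
    A score of 0.0 ("None" in CVSS v3) matches no row and returns None.
    """
    score = round(float(cvss), 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for level, low, high in RISK_LEVELS:
        if low <= score <= high:
            return level
    return None


def prioritize(findings):
    """Return findings in remediation order: by risk level, then highest score first.

    Findings without a risk level (score 0.0) are dropped; there is nothing to fix.
    """
    rated = []
    for finding in findings:
        level = risk_level(finding["cvss"])
        if level is not None:
            rated.append({**finding, "risk_level": level})
    return sorted(rated, key=lambda f: (PRIORITY[f["risk_level"]], -f["cvss"]))


# Constructed sample findings; names and CVE ids are placeholders, not real records.
SAMPLE_FINDINGS = [
    {"library": "example-json@1.2.0", "cve": "CVE-PLACEHOLDER-1", "cvss": 5.3},
    {"library": "example-http@3.4.1", "cve": "CVE-PLACEHOLDER-2", "cvss": 9.8},
    {"library": "example-yaml@0.9.0", "cve": "CVE-PLACEHOLDER-3", "cvss": 7.5},
    {"library": "example-log@2.0.0", "cve": "CVE-PLACEHOLDER-4", "cvss": 0.0},
    {"library": "example-xml@1.0.3", "cve": "CVE-PLACEHOLDER-5", "cvss": 3.1},
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f['risk_level']:<8} {f['cvss']:>4}  {f['library']}  {f['cve']}")
```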
Open-source licenses
For information on the risk level for licenses, see About SCA license risk.