Use the latest CVSS version in SCA rules


If your organization has activated the Unified Policy feature, which replaces agent rules, all agent-based scans use Common Vulnerability Scoring System (CVSS) version 3 to evaluate your vulnerabilities.

You can use CVSS version 3 in your agent-based scanning rules to evaluate your vulnerabilities against the latest version of the standard.

Before you begin:

You must have the Security Lead, Workspace Administrator, or Workspace Editor role to edit the CVSS version for a workspace rule. You must have the Security Lead role to edit the CVSS version for an organization rule.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Click the Agent-Based Scan tab.

  3. Select a workspace.

  4. Click the Custom Rules tab.

  5. Click Edit.

  6. Choose a rule control you want to modify or click Add control to create a new control.

  7. For Level, choose whether violations of this control result in an error or a warning.

    Errors result in a build failure. Warnings result in log entries in the continuous integration system, but they do not cause a build failure.

  8. Expand the control row to display all condition options.

  9. From the Severity dropdown menu, select the CVSS score you want to use for this control.

  10. If you want to generate issues based on the CVSS severity, select the Create Issue checkbox.

  11. Click Save.