
Reviewing Veracode SCA license data

Before using third-party, open-source components, Veracode recommends you review the license and associated risk to understand the implications of using the component in your application.

SCA discovers license details, such as the license name and data, when scanning third-party components in your application. You can use this information to further investigate your license obligations.

Click the link in the License column of a third-party component to go to the Open Source Initiative website for details about the license. You can also filter your third-party component data by risk rating.

Veracode displays all licenses found for a component. If a component has more than three licenses, you can click the Show More link to view the additional licenses. In addition to the results that Veracode provides, you should also perform your own investigation, because the contents of a file could be subject to different or additional licenses.

To prevent an application from passing policy when a scan detects any license with the specified risk rating, add a license rule to your policy.