You can apply mitigation actions to temporarily address vulnerabilities found by Veracode Software Composition Analysis (SCA) while a permanent fix, such as upgrading the component, is pending.
- Go to the page that shows which of your applications are violating your policy.
After you select an application, on the Third-party Components tab, click a component filename to investigate the vulnerabilities found in that component.
The Component Profile opens where you can view additional information about the component including other versions of the component, component vulnerabilities, and applications that depend on the component.
- After you address the vulnerability, you must record the reason for, or the method used in, addressing it. On the tab, search by CVE ID, Severity, or Component Filename, and select one or more vulnerabilities to mark as mitigated.
From the Action menu, select one of the following actions:
- Mitigate by Environment to state that an environmental control provided by the operating system on the server where the application runs addresses the vulnerability.
- Mitigate by Design to state that custom business logic within the body of the application, which an automated process may not fully identify, addresses the vulnerability.
- Potential False Positive to state that Veracode has incorrectly identified something as a vulnerability.
- Comment to communicate information about the vulnerability to your team without applying a mitigation.
Note: If you use the TSRV (Technique, Specifics, Remaining Risk, and Verification) format for mitigation proposals, you are prompted to enter these details about the mitigation.
After you apply an action, the mitigation type is displayed in the Mitigation column. Every mitigation is shown with a (proposed) notation after the mitigation type until a member of your team with the Mitigation Approver role approves it.
To view the mitigation history of a component, select the Component Filename and go to the History tab on the Component Profile.
Component mitigation information by severity is also available from the tab. Hover over a vulnerability marked with an asterisk to view a tooltip with its mitigation information.