Include SCA Findings in Policy

Software Composition Analysis

You can add Veracode Software Composition Analysis requirements in your policy to restrict the usage of vulnerable third-party components. You can also enforce that minimum Veracode Levels and CVSS scores are met for the application to pass policy.

Procedure

  1. To add SCA findings in your policy, from Policies > Policies, select an existing policy from the list where you want to add SCA rules, or click New Policy.
  2. Under the Rules section, select a minimum Veracode Level that contains Veracode Software Composition Analysis requirements.
  3. For Minimum Veracode Level, select one of the following:
    • VL5 + SCA to require that the application has a minimum score of 90, as well as static, manual, and software composition analysis testing.
    • VL4 + SCA to require that the application has a minimum score of 80, as well as static and software composition analysis testing.
    • VL3 + SCA to require that the application has a minimum score of 70, as well as static and software composition analysis testing.
  4. Under the Software Composition Analysis Rules section, from the Rule Type dropdown menu, select one or more of the following:
    • Disallow Component Blacklist to add a rule that automatically prevents an application from passing policy if a scan detects a blacklisted component. Click Blacklist to see which components are on the blacklist.
    • Disallow CVSS Score to add a rule that automatically prevents an application from passing policy if a scan detects any flaw with the specified CVSS score or higher.
    • Disallow Vulnerabilities by Severity to add a rule that automatically prevents an application from passing policy if a scan detects any flaw with the specified severity or higher.
    • Disallow Component by License Risk to add a rule that automatically prevents an application from passing policy if a scan detects any license with the specified risk rating.

Results

If you add an SCA policy feature to a policy that is already assigned to applications, then after the policy is saved, the policy compliance status of every application with that policy is recalculated to include the SCA rules you added. Because the recalculation uses the findings from the most recent scans, this change can cause applications that have not been rescanned to change from a passing status to a failing status.
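The following is an added example, not Veracode's own code or API. It models the rule semantics from the Software Composition Analysis Rules section (blacklist, CVSS "or higher", severity "or higher", license "with the specified risk rating") together with the minimum score tied to a Veracode Level, and then replays the Results scenario: the same stored findings pass the original policy but fail once SCA rules are added, with no rescan in between. The class names, field names, severity and license-risk orderings, and the sample components are all assumptions constructed for this illustration.

```python
"""Constructed model of the SCA policy rules described on this page.
Added example; not Veracode code. All names and sample data are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed orderings so "or higher" comparisons can be made on labels.
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High", "Very High"]
LICENSE_RISK_ORDER = ["Low", "Medium", "High"]


@dataclass
class ComponentFinding:
    """One third-party component as reported by an SCA scan (constructed shape)."""
    component: str
    version: str
    cvss: float            # highest CVSS score among the component's known vulnerabilities
    severity: str          # one of SEVERITY_ORDER
    license_risk: str      # one of LICENSE_RISK_ORDER
    blacklisted: bool = False


@dataclass
class ScaPolicy:
    """The policy rules from the page, each optional (None / False = rule not added)."""
    min_score: Optional[int] = None             # score attached to VL3/VL4/VL5 + SCA (70/80/90)
    disallow_blacklist: bool = False            # "Disallow Component Blacklist"
    cvss_threshold: Optional[float] = None      # "Disallow CVSS Score": fail at this score or higher
    severity_threshold: Optional[str] = None    # "Disallow Vulnerabilities by Severity": or higher
    license_risk_rating: Optional[str] = None   # "Disallow Component by License Risk": exact rating


def _rank(value: str, order: List[str]) -> int:
    if value not in order:
        raise ValueError(f"unknown label {value!r}; expected one of {order}")
    return order.index(value)


def evaluate(policy: ScaPolicy, application_score: int,
             findings: List[ComponentFinding]) -> List[str]:
    """Return every reason the application fails policy; an empty list means it passes."""
    reasons: List[str] = []
    if policy.min_score is not None and application_score < policy.min_score:
        reasons.append(f"score {application_score} is below the minimum {policy.min_score}")
    for f in findings:
        tag = f"{f.component} {f.version}"
        if policy.disallow_blacklist and f.blacklisted:
            reasons.append(f"{tag}: blacklisted component")
        if policy.cvss_threshold is not None and f.cvss >= policy.cvss_threshold:
            reasons.append(f"{tag}: CVSS {f.cvss} >= {policy.cvss_threshold}")
        if (policy.severity_threshold is not None and
                _rank(f.severity, SEVERITY_ORDER) >= _rank(policy.severity_threshold, SEVERITY_ORDER)):
            reasons.append(f"{tag}: severity {f.severity} >= {policy.severity_threshold}")
        # The page words this rule as "the specified risk rating", so it is matched exactly.
        if (policy.license_risk_rating is not None and
                _rank(f.license_risk, LICENSE_RISK_ORDER) == _rank(policy.license_risk_rating, LICENSE_RISK_ORDER)):
            reasons.append(f"{tag}: license risk {f.license_risk}")
    return reasons


def passes(policy: ScaPolicy, application_score: int, findings: List[ComponentFinding]) -> bool:
    return not evaluate(policy, application_score, findings)


# Constructed sample findings from a hypothetical application's last scan.
SAMPLE_FINDINGS = [
    ComponentFinding("acme-json-parser", "1.2.0", cvss=7.5, severity="High", license_risk="Low"),
    ComponentFinding("widget-utils", "0.9.1", cvss=4.3, severity="Medium",
                     license_risk="High", blacklisted=True),
]
SAMPLE_SCORE = 85

# Policy as originally assigned: VL4-style minimum score, no SCA rules yet.
POLICY_BEFORE = ScaPolicy(min_score=80)
# Same policy after the SCA rules from step 4 are added and saved.
POLICY_AFTER = ScaPolicy(min_score=80, disallow_blacklist=True, cvss_threshold=7.0,
                         severity_threshold="High", license_risk_rating="High")

if __name__ == "__main__":
    # Recalculation uses the stored findings: no rescan, but the verdict flips.
    print("before:", "PASS" if passes(POLICY_BEFORE, SAMPLE_SCORE, SAMPLE_FINDINGS) else "FAIL")
    print("after: ", "PASS" if passes(POLICY_AFTER, SAMPLE_SCORE, SAMPLE_FINDINGS) else "FAIL")
    for reason in evaluate(POLICY_AFTER, SAMPLE_SCORE, SAMPLE_FINDINGS):
        print("  -", reason)
```

Running this lists four failure reasons for the updated policy (two for the high-CVSS, High-severity component and two for the blacklisted, High-license-risk component) even though the application score of 85 still clears the minimum. That is the situation the Results section describes: reviewing the current findings against the new rules before saving tells you which assigned applications will flip to failing.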