Reviewing SCA License Data

Software Composition Analysis

Before using third-party, open-source components, Veracode recommends you review the license and associated risk to understand the implications of using the component in your application.

Veracode SCA discovers license data while scanning the third-party components in your application and reports the license name and associated data so you can investigate the license obligations further. Veracode assigns risk ratings for a selection of third-party component licenses. Click the link in the License column of a third-party component to go to the Open Source Initiative website for details about that license. You can also filter your third-party component data by risk rating.

Veracode displays all licenses found for a component. If more than three licenses are found for a component, click the Show More link to view the additional licenses. In addition to the results that Veracode provides, perform your own investigation, because the contents of a file could be subject to different or additional licenses, for example code that the component bundles from another project under its own license.

You can add a license rule to your policy to automatically prevent an application from passing policy when a scan detects any license with the specified risk rating.

License Risk Rating    Risk Details

Low                    Low-risk licenses are typically permissive licenses that require you to preserve the copyright and license notices, but allow distribution under different terms without disclosing source code.

Medium                 Medium-risk licenses are typically weak copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component and any modifications to it available under the same terms. The obligation is limited to the component itself; it does not extend to the rest of the application that uses the component.

High                   High-risk licenses are typically strong copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component, any modifications, and any derivative work that incorporates it available under the same terms. Distributing an application that incorporates such a component may therefore require you to release the application's own source code under that license.

Unassessable           Unassessable indicates that the component could be subject to commercial license terms. If so, refer to your applicable license agreement with the vendor for additional information.

Unrecognized           Unrecognized indicates that no license was found for the component. This does not mean the component carries no license risk; treat it as requiring manual review.
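The following is an added example, not Veracode's code or API, showing how the policy rule described above behaves when applied to a set of scan results: a rule that fails on a given risk rating fails a component if any of its licenses carries that rating (so a dual-licensed component with one High license still fails), while Unassessable and Unrecognized components are not failed automatically but are listed for manual review. The result structure, component names, license identifiers and their ratings are constructed for illustration and are not Veracode's actual assessments of those licenses.

```python
"""Added example (not Veracode's code or API): a license-risk gate over
constructed SCA-style results, using the rating names described above.
Component names, license identifiers and their ratings are constructed
for illustration; the ratings are not Veracode's actual assessments."""
from dataclasses import dataclass, field

RISK_RATINGS = {"Low", "Medium", "High", "Unassessable", "Unrecognized"}
# Ratings that cannot be judged automatically and must be reviewed by a person.
REVIEW_RATINGS = {"Unassessable", "Unrecognized"}


@dataclass
class License:
    name: str   # license identifier as reported by the scan (constructed here)
    risk: str   # one of RISK_RATINGS


@dataclass
class Component:
    name: str
    version: str
    licenses: list = field(default_factory=list)  # every license found, not just the first


def evaluate_license_policy(components, fail_on=frozenset({"High"})):
    """Apply a license rule to scan results.

    Returns (passes, failures, needs_review).
    - failures: (component, license, risk) for every license whose rating is in
      fail_on. The rule is "any license": a dual-licensed component with one
      failing license still fails, even if its other license is permissive.
    - needs_review: components that are Unassessable or Unrecognized. They do
      not fail the rule unless their rating is in fail_on, but they are not
      risk-free and should be checked by hand.
    """
    unknown = set(fail_on) - RISK_RATINGS
    if unknown:
        raise ValueError(f"unknown risk rating(s) in rule: {sorted(unknown)}")

    failures, needs_review = [], []
    for comp in components:
        if not comp.licenses:
            # No license detected at all: treat as Unrecognized.
            needs_review.append((comp.name, comp.version, "Unrecognized"))
            continue
        for lic in comp.licenses:
            if lic.risk not in RISK_RATINGS:
                raise ValueError(f"{comp.name}: unknown rating {lic.risk!r}")
            if lic.risk in fail_on:
                failures.append((comp.name, lic.name, lic.risk))
            if lic.risk in REVIEW_RATINGS:
                needs_review.append((comp.name, comp.version, f"{lic.name}: {lic.risk}"))
    return (not failures, failures, needs_review)


# Constructed scan results (not real components or real Veracode ratings).
SAMPLE_SCAN = [
    Component("example-json", "2.1.0", [License("Apache-2.0", "Low")]),
    # Dual-licensed: one permissive license and one strong-copyleft license.
    Component("example-db-driver", "8.0.1",
              [License("MIT", "Low"), License("GPL-3.0-only", "High")]),
    Component("example-cache", "1.4.2", [License("MPL-2.0", "Medium")]),
    Component("example-vendor-sdk", "3.1.0", [License("Proprietary", "Unassessable")]),
    Component("example-legacy", "0.9.0"),   # no license found
]


if __name__ == "__main__":
    passes, failures, review = evaluate_license_policy(SAMPLE_SCAN, fail_on={"High"})
    print("policy passes:", passes)
    for name, lic, risk in failures:
        print(f"  FAIL   {name}: {lic} ({risk})")
    for name, version, reason in review:
        print(f"  REVIEW {name} {version}: {reason}")
```

Widening the rule to fail_on={"Medium", "High"} also fails the weak-copyleft example-cache component; with no rule at all the scan passes, but the two review items remain, which is the point of keeping them separate from the pass/fail result.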