Reviewing SCA License Data

Software Composition Analysis

Before using third-party, open-source components, you should review the license and its associated risk to understand the implications of using the component in your application.

Veracode SCA discovers license data during the scan of third-party components in your application and provides information that includes the license name and data so you can investigate the license obligations further. Veracode provides risk ratings to a selection of third-party component licenses.
Note: Review the Veracode legal disclaimer before acting upon the license information listed in the SCA results for your application.
Click the link in the License column of a third-party component to go to the Open Source Initiative website for details about the license.

Veracode displays only the first license found for the component; there may be more than one license associated with it. In addition to the results provided by Veracode, you should also perform your own due diligence, because the contents of a file could be subject to different or additional licenses.

Table. License Risk Ratings

License Risk Rating: Low
Risk Details: Low-risk licenses are typically permissive licenses that require you to preserve the copyright and license notices, but allow distribution under different terms without disclosing source code.

License Risk Rating: Medium
Risk Details: Medium-risk licenses are typically weak copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component and any modifications available under the same terms.

License Risk Rating: High
Risk Details: High-risk licenses are typically strong copyleft licenses that require you to preserve the copyright and license notices, and require distributors to make the source code of the component and any modifications available under the same terms.

License Risk Rating: Unassessable
Risk Details: Unassessable indicates that this file could be subject to commercial license terms. If so, refer to your applicable license agreement with the vendor for additional information.

License Risk Rating: Unrecognized
Risk Details: Unrecognized indicates that no license was found for the component. However, this does not indicate that there is no risk associated with the license.
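As an added example (not Veracode code or Veracode rating data), the following Python script applies the rating scheme from the table above to a component's full list of detected licenses rather than only the first one, so that a permissive first license cannot hide a copyleft or commercial second license, which is the gap the diligence note above warns about. The mapping of SPDX identifiers to rating categories is an assumption based on common license families, not Veracode's actual ratings, and the sample component is constructed.

```python
"""Rate a component's license risk using every detected license, not only the first.

Added example, not Veracode code. The identifier mapping below is an assumption
drawn from common SPDX license families; Veracode's own ratings may differ.
"""
from dataclasses import dataclass, field

# Ratings from the table, ordered so that max() picks the most restrictive one.
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Unassessable": 3}

# Assumed classification of common SPDX identifiers (not Veracode's data).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
COMMERCIAL = {"LicenseRef-Commercial"}  # placeholder for vendor-specific terms


def rate_license(spdx_id: str) -> str:
    """Map one license identifier to a rating from the table."""
    if spdx_id in PERMISSIVE:
        return "Low"
    if spdx_id in WEAK_COPYLEFT:
        return "Medium"
    if spdx_id in STRONG_COPYLEFT:
        return "High"
    if spdx_id in COMMERCIAL:
        return "Unassessable"
    return "Unrecognized"


@dataclass
class Component:
    name: str
    licenses: list = field(default_factory=list)  # SPDX identifiers, scan order


def rate_component(component: Component) -> dict:
    """Return the first-license rating, the worst rating across all licenses,
    and a manual-review flag for multi-license, commercial or unrecognized cases."""
    ratings = [rate_license(lic) for lic in component.licenses] or ["Unrecognized"]
    known = [r for r in ratings if r in RATING_ORDER]
    worst = max(known, key=RATING_ORDER.__getitem__) if known else "Unrecognized"
    needs_review = (len(ratings) != 1
                    or worst in ("Unassessable", "Unrecognized")
                    or "Unrecognized" in ratings)
    return {"name": component.name, "first": ratings[0], "worst": worst,
            "all": ratings, "needs_review": needs_review}


# Constructed sample: dual-licensed component whose first license is permissive.
SAMPLE = Component("example-lib", ["MIT", "GPL-3.0-only"])

if __name__ == "__main__":
    print(rate_component(SAMPLE))
```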