Reviewing the Veracode default policies
Veracode provides default policies to make it easier for organizations to begin measuring their applications against policies. There are two sets of default policies:
- Veracode Transitional Policies: the default policies for all organizations, designed to set a minimum level for those initially adopting Veracode for application security programs.
- Veracode Recommended Policies: the best-practice recommendation based on Veracode Levels.
Veracode Transitional Policies
Veracode Transitional Policies are assigned to all of your applications by default and are the default policies for newly created applications. The policies emphasize performing an initial scan to establish the baseline quality of an application, and use the Veracode score (numeric score 1-100) as a progressive quality gate.
The transitional policies do not take advantage of the remediation grace period feature. With no grace period, the transitional policy functions like the existing Veracode rating system, where the score is effective as soon as the application is published.
Policy name | Target VL | Minimum score | Scan requirement | Grace period |
---|---|---|---|---|
Veracode Transitional Very High | VL1 | 90 | Any (Once) | 0 |
Veracode Transitional High | VL1 | 80 | Any (Once) | 0 |
Veracode Transitional Medium | VL1 | 70 | Any (Once) | 0 |
Veracode Transitional Low | VL1 | 60 | Any (Once) | 0 |
Veracode Transitional Very Low | VL1 | 50 | Any (Once) | 0 |
Veracode Recommended Policies
Veracode Recommended Policies are based on the Veracode Level definitions. They are an option when you are ready to move beyond the initial requirements set by the Veracode Transitional Policies.
Policy name | Target VL | Flaw severities | Minimum score | Scan requirement | Grace period |
---|---|---|---|---|---|
Veracode Recommended Very High | VL5 | No Medium or above | 90 | Static (quarterly) Manual (annually) | 0 |
Veracode Recommended High | VL4 | No Medium or above | 80 | Static (quarterly) | 0 |
Veracode Recommended Medium | VL3 | No High or above | 70 | Static (quarterly) | 0 |
Veracode Recommended Low | VL2 | No Very High or above | 60 | Any (semi-annually) | 0 |
Veracode Recommended Very Low | VL1 | | | Any (once) | 0 |
Veracode Recommended Mobile Policy | | | | Static (quarterly) | 0 |
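To show how the rules in the Recommended table combine (every rule must pass, and with a 0-day grace period a single failing rule makes the application non-compliant immediately), here is an added policy evaluator written for this page; it is not Veracode code and does not use the Veracode API. The day counts assigned to "quarterly" and "semi-annually", the severity scale, and the sample scan result are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Veracode flaw severity scale, lowest to highest (assumed ordering for this example).
SEVERITIES = ["Informational", "Very Low", "Low", "Medium", "High", "Very High"]


@dataclass
class Policy:
    name: str
    min_score: Optional[int]        # None when the policy sets no score gate
    blocked_from: Optional[str]     # lowest disallowed severity, e.g. "Medium" for "No Medium or above"
    scan_interval_days: Optional[int]  # assumed window: quarterly=90, semi-annually=180; None = once


# The Recommended policies from the table above, encoded with the assumed day counts.
RECOMMENDED = {
    "Very High": Policy("Veracode Recommended Very High", 90, "Medium", 90),
    "High": Policy("Veracode Recommended High", 80, "Medium", 90),
    "Medium": Policy("Veracode Recommended Medium", 70, "High", 90),
    "Low": Policy("Veracode Recommended Low", 60, "Very High", 180),
    "Very Low": Policy("Veracode Recommended Very Low", None, None, None),
}


def evaluate(policy: Policy, score: int, open_findings: Dict[str, int],
             last_scan: Optional[date], today: date) -> List[str]:
    """Return the list of failed rules; an empty list means the scan passes the policy."""
    failures = []
    if policy.min_score is not None and score < policy.min_score:
        failures.append(f"score {score} is below the minimum of {policy.min_score}")
    if policy.blocked_from is not None:
        limit = SEVERITIES.index(policy.blocked_from)
        blocked = {s: n for s, n in open_findings.items() if n and SEVERITIES.index(s) >= limit}
        if blocked:
            failures.append(f"open findings at disallowed severities: {blocked}")
    if last_scan is None:
        failures.append("no scan has been performed")  # every policy requires at least one scan
    elif policy.scan_interval_days is not None:
        age = (today - last_scan).days
        if age > policy.scan_interval_days:
            failures.append(f"last scan is {age} days old, older than {policy.scan_interval_days} days")
    return failures


def demo() -> Dict[str, List[str]]:
    # Constructed sample scan: score 85, three Low and one Medium open finding, scanned 40 days ago.
    findings = {"Low": 3, "Medium": 1}
    today, last_scan = date(2024, 4, 10), date(2024, 3, 1)
    return {name: evaluate(p, 85, findings, last_scan, today) for name, p in RECOMMENDED.items()}
```

With that sample, the application fails Very High and High (one Medium finding, and for Very High also the score) but passes Medium, Low and Very Low.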
Default policy for SCA agent-based scans
By default, the Veracode Recommended SCA Very High policy is assigned to workspaces used for SCA agent-based scanning. You can change the default policy in your policy settings. The following table lists the rules included in this policy:
Rule type | Requirement | Advanced options |
---|---|---|
Component Blocklist | Enforced | n/a. This rule does not apply to agent-based scans. |
Findings by Severity | Low and above not allowed | n/a. This rule does not apply to agent-based scans. |
Vulnerability Severity | Very High not allowed | Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No |
Vulnerability Severity | High not allowed | Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No |
Vulnerability Severity | Medium not allowed | Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No |
Vulnerability Severity | Low not allowed | Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No |
Component License | High | Dependency: Direct; Build Action: Warning; Override Severity: No; Non-OSS Licenses; Unrecognized Licenses: Allowed; Component with Multiple Licenses: All licenses must meet requirements |
Component Version | Outdated | Dependency: Direct; Build Action: Warning; Override Severity: No |