Using CVSS versions
Veracode Software Composition Analysis supports applying version 3 of the Common Vulnerability Scoring System (CVSS) to your policies. The severity ratings are based on CVSS version 3.
If your organization is still using CVSS v2, you must contact Veracode Technical Support to switch to CVSS v3. The version you apply can impact whether a finding from an SCA scan causes your application to fail policy.
After updating the scoring system, Veracode determines policy evaluations for all future scans of your applications based on the new CVSS version.
You can view the severity of your SCA findings according to either scoring system by selecting a version from the Display dropdown menu on the Third-Party Components or Vulnerabilities tab.
The display defaults to the CVSS version associated with your organization.