Edit Project: Review and Remediation Settings tab
Section/Field
Description
Automated Review Options
Select your policy profile
Select policy profile you want to associate with your project. (By default, Default Policy Profile is selected.)
The policy profile contains a set of policies that use vulnerability scores and severities, license types, and component versions as criteria to automatically reject or approve inventory items during a codebase scan (or post-scan). To view the policies defined in the selected policy profile, click the down arrow next to View Policy Details.
For more information about policy profiles in general, see Managing Policy Profiles in the “Using FlexNet Code Insight” chapter.
automatically reject inventory items impacted by a new vulnerability that violates your policy
Determine what action the system should take for published inventory affected by a new security vulnerability discovered during a post-publication scan or Electronic Update. The selected action applies to both non-reviewed and previously approved inventory items on the Project Inventory tab.
| • | Select this checkbox to automatically reject those project inventory items impacted by a new security vulnerability only if this vulnerability has a CVSS score or severity greater than the thresholds configured as policy for the Code Insight project. For each inventory item rejected due to a new security vulnerability, the  icon and a tip are added to indicate the status change and its reason. |
If a new vulnerability does not exceed policy thresholds, the current status of the inventory item is not affected.
| • | Leave the checkbox unselected to retain the current status of inventory items impacted by the new vulnerability. |
For information about setting policies that define CVSS-score and severity thresholds used to reject or approve inventory items automatically, see Policies Page and Policy Details Page. For information about associating these policies with a project, see Managing Policy Profiles.
Manual Review Options
What should happen if inventory items are not reviewed by policy?
Determine what action should be triggered for those inventory items that are not affected by policy (and therefore have a Not Reviewed status) during the publication of inventory either as part of a scan or manually by a user:
| • | do nothing—Simply show the status of the inventory item as Not Reviewed on the Project Inventory tab. |
| • | send an email notification to the project owner—Automatically send an email to the project owner, stating the need for a manual review of the item. The value for Select the minimum priority... (described in the next table entry) affects this option. |
| • | automatically create a manual review task—Automatically create a manual review task assigned to the default security or legal contact, and send an email, notifying the contact about the assigned task. (Information about managing such a task to track the progress of a manual review is found in Creating Inventory from the Project Inventory Tab in the “Using FlexNet Code Insight” chapter.) The value for Select the minimum priority... (described in the next table entry) affects this option. |
Select the minimum priority to perform the action selected above
(Enabled when an option other than do nothing is selected for the previous field.) Select the minimum inventory priority (P1, P2, P3, or P4) to which the value for the previous field applies.
For example, if the previous field is set to send an email notification to the project owner and minimum priority is set to P3, then the email notification will be sent for only those non-reviewed inventory items with a P1, P2, or P3 priority. No email notification will be sent for P4 inventory items.
Note • This option has no effect on the do nothing value.
What type of manual reviews will be performed on this project?
Determine the type of manual review tasks to be generated:
| • | Legal Only—Review tasks are generated for those non-reviewed inventory items that meet no policy criteria. The tasks are automatically assigned to the default Legal reviewer. |
| • | Security Only—Review tasks are generated for only those non-reviewed inventory items that have security vulnerabilities. The tasks are automatically assigned to the default Security reviewer. |
| • | both Legal and Security—Review tasks are generated for all non-reviewed inventory items meeting no policy criteria and are assigned to the default Legal reviewer. Additionally, review tasks are generated for those non-reviewed inventory tasks associated with security vulnerabilities and are assigned to the default Security reviewer. |
With this value, a single inventory item might have both a legal review task and security review task generated. However, if the default reviewers are the same user, a single task is created, describing the requirement for both a legal and security manual review.
Select reviewers for this project
Designate a new default Legal reviewer or Security reviewer as needed to which to assign the generated manual review tasks. (By default, the project owner is designated as both reviewers.)
Then, depending on the type of manual reviews selected for the project (see the What type of manual reviews will be performed... option described previously), Code Insight determines to which reviewer to assign the task and notify by email. The reviewer can then manage the task accordingly, possibly reassigning it to another user. For details about managing and reassigning tasks, see Creating and Managing Tasks for Project Inventory in the “Using FlexNet Code Insight” chapter.
To select a new reviewer, click Change User next to the name of the current Legal reviewer or Security reviewer assignee, select a user from the Select new...contact dialog, and click Apply.
The selected user is automatically given the role of project “reviewer” if the user is not already assigned this role. However, if the default reviewer then reassigns the task to another user, the “reviewer” role is not automatically assigned to that user if the user does not already have that role.
What should happen if inventory items are rejected?
Determine what action should be triggered for those inventory items that are automatically rejected by policy during the publication of inventory either as part of a scan or manually by a user:
| • | do nothing—Simply show the status of the inventory item as Reject on the Project Inventory tab. |
| • | send an email notification to the project owner—Automatically send an email to the project owner, stating the need for remediation work on the inventory item. |
| • | automatically create a remediation task—Automatically create a remediation task assigned to the default development contact (for example, an engineering manager), and send an email, notifying the contact about the assigned task. (Information about managing such a task to track the remediation progress is found in Creating and Managing Tasks for Project Inventory in the “Using FlexNet Code Insight” chapter.) |
| • | automatically create a remediation task and an external work item—Automatically do the following: |
| • | Create a remediation task assigned to the default development contact (for example, an engineering manager), and send an email, notifying the contact about the assigned task. (Information about managing such a task to track the remediation progress is found in Creating and Managing Tasks for Project Inventory in the “Using FlexNet Code Insight” chapter.) |
| • | Associate a work item with the task, creating the work item in an Application Lifecycle Management (ALM) system (such as an issue in Jira). The work item is created and assigned using the settings defined for the ALM instance to which the Code Insight project is associated. For more information about configuring an ALM instance for the project, see ALM Settings in the “Using FlexNet Code Insight” chapter. |
Assignee for remediation work
If needed, designate a new default development contact to which to assign the generated remediation tasks. (By default, the project owner is the designated contact.)
This contact can then manage the task accordingly—for example, reassigning it to another user or manually creating an external work item and assigning it to someone on the development team. For details about managing and reassigning tasks, see Creating and Managing Tasks for Project Inventory in the “Using FlexNet Code Insight” chapter.
To select a new contact, click Change User next to the name of the current assignee, select a user from the Select new...contact dialog, and click Apply.