Project Defaults Tab

FlexNet Code Insight 2019 R1

The settings on the Project Defaults tab of the Administration page work in conjunction with a project’s policies to configure the automation of review, remediation, and status notification processes for published inventory. These settings are global across all projects but can be overridden at the project level. They are used to set up the following:

Automatic creation of manual review tasks for inventory items not reviewed by policy during the publication performed as part of a scan. The tasks are automatically assigned to a default legal or security contact (defined at the project level, as described in Edit Project: Review and Remediation Settings Tab).
Automatic creation of remediation tasks and associated external work items for inventory that is rejected either automatically by policy or during manual publication by an analyst. The tasks are automatically assigned to a default engineering contact (defined at the project level, as described in Edit Project: Review and Remediation Settings Tab).
Automatic rejection of published inventory impacted by new vulnerabilities detected in the latest scan or Electronic Update.
The automatic generation of email notifications only (instead of assigned tasks), which are sent to the project owner as alerts concerning the rejected or non-reviewed published inventory items.

See the following field descriptions for more information.

Project Defaults tab

Section/Field

Description

Automated Review Options 

automatically reject inventory items impacted by a new vulnerability that violates your policy

Determine what action the system should take for published inventory affected by a new security vulnerability discovered during a post-publication scan or Electronic Update. The selected action applies to both non-reviewed and previously approved inventory items on the Project Inventory tab.

Select this checkbox to automatically reject those project inventory items impacted by a new security vulnerability, but only if the vulnerability has a CVSS score or severity greater than the thresholds configured as policy for the Code Insight project. For each inventory item rejected because of a new security vulnerability, an icon and a tip are added to the item to indicate the status change and its reason.

If a new vulnerability does not exceed policy thresholds, the current status of the inventory item is not affected.

Leave the checkbox unselected to retain the current status of inventory items impacted by the new vulnerability.

For information about setting policies that define CVSS-score and severity thresholds used to reject or approve inventory items automatically, see Policies Page and Policy Details Page. For information about associating these policies with a project, see Managing Policy Profiles.

Manual Review Options 

What should happen if inventory items are not reviewed by policy?

Determine what action should be triggered for those inventory items that are not affected by policy (and therefore have a Not Reviewed status) during the publication of inventory either as part of a scan or manually by a user:

do nothing—Simply show the status of the inventory item as Not Reviewed on the Project Inventory tab.
send an email notification to the project owner—Automatically send an email to the project owner, stating the need for a manual review of the item. The value for Select the minimum priority... (described in the next table entry) affects this option.
automatically create a manual review task—Automatically create a manual review task assigned to the default legal or security reviewer, and send an email notifying the reviewer about the assigned task. (Default reviewers are defined at the project level on the Edit Project dialog, as described in Edit Project: Review and Remediation Settings Tab.)

Information about managing such a task to track the progress of a manual review is found in Creating and Managing Tasks for Project Inventory in the “Using FlexNet Code Insight” chapter.

The value for Select the minimum priority... (described in the next table entry) affects this option.

Select the minimum priority to perform the action selected above

(Enabled when an option other than do nothing is selected for the previous field.) Select the minimum inventory priority (P1, P2, P3, or P4) to which the value for the previous field applies.

For example, if the previous field is set to send an email notification to the project owner and minimum priority is set to P3, then the email notification will be sent for only those non-reviewed inventory items with a P1, P2, or P3 priority. No email notification will be sent for P4 inventory items.

Note • This option has no effect on the do nothing value.

What should happen if inventory items are rejected?

Determine what action should be triggered for those inventory items that are automatically rejected by policy during the publication of inventory either as part of a scan or manually by a user:

do nothing—Simply show the status of the inventory item as Reject on the Project Inventory tab.
send an email notification to the project owner—Automatically send an email to the project owner, stating the need for remediation work on the inventory item.
automatically create a remediation task—Automatically create a remediation task assigned to the default development contact (for example, an engineering manager), and send an email, notifying the contact about the assigned task. (The default development contact is defined at the project level on the Edit Project dialog, as described in Edit Project: Review and Remediation Settings Tab.)
automatically create a remediation task and an external work item—Automatically do the following:
Create a remediation task assigned to the default development contact (for example, an engineering manager), and send an email, notifying the contact about the assigned task. (See the previous bulleted item for more information.)
Associate a work item with the task, creating the work item in an Application Lifecycle Management (ALM) system (such as an issue in Jira). The work item is created and assigned using the settings defined for the ALM instance to which the Code Insight project is associated. For more information about configuring an ALM instance for the project, see ALM Settings in the “Using FlexNet Code Insight” chapter.
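The rules in this table are easy to misread in two places: a new vulnerability rejects an item only when it exceeds a policy threshold (a score exactly at the threshold leaves the status alone), and the minimum-priority setting applies only to the "not reviewed" action, where P1 is the highest priority and a minimum of P3 covers P1 through P3. The following Python model, added here as an illustration and not part of the Code Insight product or its documentation, encodes those rules so they can be checked against sample data. All class shapes, threshold values, item names and the CVE-style identifiers are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the automation rules on the Project Defaults tab.
# Every threshold, item and vulnerability id below is made-up sample data.

DO_NOTHING = "do nothing"
EMAIL_OWNER = "send an email notification to the project owner"
REVIEW_TASK = "automatically create a manual review task"
REMEDIATION_TASK = "automatically create a remediation task"
REMEDIATION_TASK_ALM = "automatically create a remediation task and an external work item"

# P1 is the highest priority; a minimum priority of P3 covers P1, P2 and P3 but not P4.
PRIORITY_RANK = {"P1": 1, "P2": 2, "P3": 3, "P4": 4}
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Vulnerability:
    vuln_id: str          # placeholder id such as "CVE-0000-0001" (constructed)
    cvss_score: float
    severity: str         # a key of SEVERITY_RANK


@dataclass
class PolicyThresholds:
    """Assumed shape of the project's policy thresholds (see Policy Details Page)."""
    cvss_score: float
    severity: str


@dataclass
class ProjectDefaults:
    """Assumed shape of the four settings described on the Project Defaults tab."""
    reject_on_new_vulnerability: bool
    not_reviewed_action: str
    not_reviewed_min_priority: str
    rejected_action: str


@dataclass
class InventoryItem:
    name: str
    priority: str
    status: str                       # "Not Reviewed", "Approved" or "Rejected"
    rejection_reason: Optional[str] = None


def violates_policy(vuln: Vulnerability, thresholds: PolicyThresholds) -> bool:
    """A new vulnerability violates policy when its CVSS score OR its severity is
    strictly greater than the configured threshold; either one is enough."""
    return (vuln.cvss_score > thresholds.cvss_score
            or SEVERITY_RANK[vuln.severity] > SEVERITY_RANK[thresholds.severity])


def apply_new_vulnerabilities(item: InventoryItem, new_vulns: List[Vulnerability],
                              defaults: ProjectDefaults,
                              thresholds: PolicyThresholds) -> InventoryItem:
    """Automated Review Option: reject a published item (Not Reviewed or Approved)
    when a newly detected vulnerability exceeds policy thresholds. With the checkbox
    off, or with no violating vulnerability, the current status is kept."""
    if not defaults.reject_on_new_vulnerability:
        return item
    violating = [v.vuln_id for v in new_vulns if violates_policy(v, thresholds)]
    if violating:
        item.status = "Rejected"
        # Stands in for the icon and tip the UI attaches to the rejected item.
        item.rejection_reason = "new vulnerability exceeds policy: " + ", ".join(violating)
    return item


def publication_action(item: InventoryItem, defaults: ProjectDefaults) -> str:
    """Manual Review Options: decide what publishing this item triggers."""
    if item.status == "Not Reviewed":
        action = defaults.not_reviewed_action
        if action == DO_NOTHING:
            return DO_NOTHING          # the minimum priority has no effect on "do nothing"
        in_scope = (PRIORITY_RANK[item.priority]
                    <= PRIORITY_RANK[defaults.not_reviewed_min_priority])
        return action if in_scope else DO_NOTHING
    if item.status == "Rejected":
        return defaults.rejected_action   # no priority filter applies to rejected items
    return DO_NOTHING                     # Approved items need no review or remediation


if __name__ == "__main__":
    thresholds = PolicyThresholds(cvss_score=7.0, severity="HIGH")
    defaults = ProjectDefaults(True, EMAIL_OWNER, "P3", REMEDIATION_TASK)
    # The table's own example: email for P1-P3 items, nothing for P4.
    for prio in ("P1", "P3", "P4"):
        item = InventoryItem("sample-lib", prio, "Not Reviewed")
        print(prio, "->", publication_action(item, defaults))
    # An approved item hit by a new vulnerability above the CVSS threshold.
    hit = apply_new_vulnerabilities(InventoryItem("sample-lib", "P2", "Approved"),
                                    [Vulnerability("CVE-0000-0001", 7.5, "HIGH")],
                                    defaults, thresholds)
    print(hit.status, "->", publication_action(hit, defaults), "|", hit.rejection_reason)
```

Running the script prints the email action for P1 and P3, "do nothing" for P4, and shows the approved item moving to Rejected with the remediation-task action and the recorded reason. Setting `reject_on_new_vulnerability` to `False` leaves the approved item untouched regardless of score, which is the behaviour the unselected checkbox describes.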

See Also