Policy Fields
Code Insight 2021 R2
The Policy Details Window provides the following fields to define policies that automatically approve or reject an inventory item when it is published. If no policy applies to an inventory item, the item’s status is Not Reviewed, requiring the item to be reviewed manually. Only users with Policy Manager permissions can edit these fields.
When you select to view a policy profile from the Policy Page, the following fields are read-only. Any user can view a profile, including those users who do not have Policy Manager permissions.
| Category | Column/Field | Description |
|---|---|---|
| General | | These fields identify the policy profile you are creating or editing. |
| | Name | The name of the policy profile that you are editing or copying. If you are copying a profile, the name of the copy will be Copy of selected_policyProfile, where selected_policyProfile is the name of the original profile. To change the name of the profile copy, type over the generated name with the new name in this field. |
| | Description | The policy profile description, if it exists. You can edit or add a description. |
| | Created | (Available in the Edit and View versions of the profile) The name of the user who created the policy profile, and the date and time the profile was created. You can click the hyperlinked name to send an email to the user who created the profile. |
| | Updated | (Available in the Edit and View versions of the profile) The name of the user who last updated the policy profile, and the date and time the profile was updated. You can click the hyperlinked name to send an email to the user who updated the profile. |
| Vulnerabilities | | The following fields define policies that automatically approve or reject inventory items with security vulnerabilities. |
| | | Click this icon next to a vulnerability policy to provide (or view) meaningful content intended for inventory reviewers concerning the impact of the given policy (for example, reasons why the specific security vulnerabilities identified by the policy’s criteria pose a risk to your intellectual property). This information is then propagated to those project inventory items that are actually rejected by the policy, providing reviewers with context about the inventory’s status. For more information, see Adding Reviewer Content to Policies. |
| | Only auto-approve inventory items if there are no associated security vulnerabilities | Select this checkbox to have Code Insight skip any matching license-based or component policies if the inventory item has any associated security vulnerabilities. |
| | Reject inventory items if any associated security vulnerabilities have a CVSS score above <score> | Select this checkbox to have Code Insight automatically reject any inventory items with any associated security vulnerabilities that have a CVSS score above the value you enter. (The scores available for this field are based on the CVSS version currently used by Code Insight. For information, see Security Vulnerabilities Associated with Inventory.) This policy takes precedence over any other automated approval policy. Note: If the Code Insight System Administrator changes the CVSS version used by Code Insight, the value you selected for this field might change. See Impact on Policies When Code Insight’s CVSS Configuration Changes for details. |
| | Reject inventory items if any associated security vulnerabilities have a severity equal to or higher than <severity level> | Select this checkbox to have Code Insight automatically reject any inventory items with any associated security vulnerabilities that have a severity equal to or higher than the severity you select. (The severities available for this field are based on the CVSS version currently used by Code Insight. For information, see Security Vulnerabilities Associated with Inventory.) This policy takes precedence over any other automated approval policy. Note: If the Code Insight System Administrator changes the CVSS version used by Code Insight, the value you selected for this field might change. See Impact on Policies When Code Insight’s CVSS Configuration Changes for details. |
| Licenses | | The following fields define policies that automatically approve or reject inventory associated with a given license. |
| | Add License | Click this button to add a new license policy based on a selected license and inventory usage criteria. See Maintaining License Policies for details. Once you create the license policy, its entry is added to the Licenses list. For the entry, you can then select the review status (under Action) that this policy automatically assigns to an inventory item if the policy’s criteria are met. |
| | | Click this icon next to a license policy to provide (or view) meaningful content intended for inventory reviewers (for example, certain requirements for using the licenses identified by the policy’s criteria or reasons why the licenses pose a legal risk). This information is then propagated to those project inventory items that are actually approved or rejected by the policy, providing reviewers with context about the inventory’s status. For more information, see Adding Reviewer Content to Policies. |
| | Licenses (list) | The list of license policies (in a grid format) currently used by this profile for automatically reviewing inventory items. Each license policy entry contains the license name, inventory usage criteria that can impact the obligations incurred by the use of the license, and actions you can perform on the policy. The following read-only criteria are currently defined for the given license policy and describe how a software package developed in your organization uses the OSS or third-party component associated with an inventory item. (This usage can have an impact on your license obligations and conditions of use.) To define or edit these criteria for a license policy, see Maintaining License Policies. The following field specifies the review status automatically assigned to inventory items based on their meeting the criteria for this license policy: The following icons at the right of each license policy are used to manage the policy: |
| Components | | The following fields define policies that automatically approve or reject inventory based on the component version associated with the inventory. |
| | Add Component | Click this button to select a component on which to create the policy, or create a new component from the Lookup Component window. (See Lookup Component Window for information about how to use this window.) Once you select a component, its entry is added to the Components policy list. |
| | | Click this icon next to a component policy to provide (or view) meaningful content intended for inventory reviewers (for example, “need to know” information about the component versions identified by the policy’s criteria or reasons why the component versions pose a risk). This information is then propagated to those project inventory items that are actually approved or rejected by the policy, providing reviewers with context about the inventory’s status. For more information, see Adding Reviewer Content to Policies. |
| | Components (list) | The list of current components and versions (in a grid format) currently used as criteria for automatically reviewing inventory items. The unknown option applies to certain components that were collected without a version value. To specifically handle unknown versions, set both Versions from and to fields to unknown. Click |
| Actions | | These actions manage the entire policy profile. |
| | Save | Click to save the changes you have made to this policy profile. |
| | Close | Click to close the Policy Details window. If you have made changes to the profile, be sure that you have clicked Save before closing the page; otherwise, changes are lost. |
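
The interaction of the vulnerability fields with license policies can be checked against a small model. The following is an added example, not Code Insight code: the `Profile` class, the function names, the status strings and the CVSS v3.x severity scale are assumptions, and component policies are left out. It shows that "above <score>" is a strict comparison while "equal to or higher than <severity level>" is inclusive, so the same finding can pass one policy and be rejected by the other.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed severity scale (CVSS v3.x qualitative ratings), lowest to highest.
SEVERITIES = ["None", "Low", "Medium", "High", "Critical"]

@dataclass
class Profile:
    """Hypothetical model of a policy profile; not a Code Insight data structure."""
    approve_only_if_no_vulns: bool = False
    reject_cvss_above: Optional[float] = None          # strict: "above <score>"
    reject_severity_at_least: Optional[str] = None     # inclusive: "equal to or higher"
    license_actions: dict = field(default_factory=dict)  # license -> status

def review_status(profile, license_name, vulns):
    """Return the status for one item; vulns is a list of (cvss_score, severity)."""
    # 1. Vulnerability reject policies take precedence over any automated approval.
    if profile.reject_cvss_above is not None:
        if any(score > profile.reject_cvss_above for score, _ in vulns):
            return "Rejected"
    if profile.reject_severity_at_least is not None:
        floor = SEVERITIES.index(profile.reject_severity_at_least)
        if any(SEVERITIES.index(sev) >= floor for _, sev in vulns):
            return "Rejected"
    # 2. With the checkbox set, any vulnerability skips the license policies.
    if profile.approve_only_if_no_vulns and vulns:
        return "Not Reviewed"
    # 3. A matching license policy assigns its action; otherwise manual review.
    return profile.license_actions.get(license_name, "Not Reviewed")

def demo():
    """Evaluate constructed sample items against two constructed profiles."""
    by_score = Profile(reject_cvss_above=7.0, license_actions={"MIT": "Approved"})
    by_severity = Profile(reject_severity_at_least="High",
                          approve_only_if_no_vulns=True,
                          license_actions={"MIT": "Approved"})
    boundary = [(7.0, "High")]   # constructed finding exactly on the score threshold
    return {
        "score_boundary": review_status(by_score, "MIT", boundary),
        "score_over": review_status(by_score, "MIT", [(7.1, "High")]),
        "severity_boundary": review_status(by_severity, "MIT", boundary),
        "low_vuln_blocks_approval": review_status(by_severity, "MIT", [(2.0, "Low")]),
        "clean_item": review_status(by_severity, "MIT", []),
        "no_policy": review_status(by_score, "GPL-3.0-only", []),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

A score threshold of 7.0 lets a 7.0 finding through to the license policy, so a profile meant to block every High finding needs the severity policy or a lower score value.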