Adding Reviewer Content to Policies
When reviewers (and other users) examine published inventory that has been approved or rejected automatically by the Code Insight policy, they likely do not know or have access to the policy that resulted in the approved or rejected inventory. Without this information, they might not know what factors were involved in the rejection of inventory, what issues need to be addressed for rejected inventory, or what guidelines or special notes are available for approved inventory.
From the Policy Details window, users with Policy Manager permissions can provide such information for reviewers by adding guidance content for any given policy in the policy profile currently open in the window. (To add this information, simply click at the left of the policy row, and enter the content in the Usage Guidance pop-up.) Then, if an inventory item is automatically approved or rejected by the policy, this content is propagated to the Usage Guidance pane for the item on the Project Inventory tab, providing reviewers with context about the inventory’s status. (While users can generally edit content in the Usage Guidance pane for project inventory, they cannot edit the specific content propagated from policies to this pane.)
Refer to the following topics for more information:
• Usage Guidance Scenario
• Samples of Usage Guidance Content
Usage Guidance Scenario
Suppose you define the following policy for a component version on the Policy Details window.
You also provide the following content in the Usage Guidance pop-up for the policy. (Click to the left of the policy to open the pop-up.)
When an inventory item is rejected because its component and version meet the criteria of this policy, the Usage Guidance pane on the Notes & Guidance tab for this inventory item shows your explanation.
If one or more policies approve an inventory item, the Usage Guidance content from each of the policies is listed in the Usage Guidance pane for the inventory.
If one or more policies reject an inventory item, only the Usage Guidance content from the first policy that rejected the inventory item is displayed in the Usage Guidance pane for that item.
Users cannot edit the specific content propagated from policies to the Usage Guidance pane. However, they can edit and add other information in this pane.
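The propagation rules above, modelled as an added example (this is constructed illustration code, not Code Insight's own implementation): a list of policies with matchers and guidance text, and an `evaluate` function that returns the status and the guidance entries the pane would show. It assumes policies are evaluated in list order and that a rejection outranks any approval, which the page does not state.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed model of the propagation rules; not Code Insight's own implementation.
@dataclass
class Policy:
    name: str
    action: str                       # "approve" or "reject"
    matches: Callable[[dict], bool]   # does this policy apply to the inventory item?
    usage_guidance: str

# OpenSSL releases exposed to Heartbleed, as in the component sample: 1.0.1 through 1.0.1f.
HEARTBLEED_VERSIONS = ["1.0.1"] + ["1.0.1" + c for c in "abcdef"]

POLICIES: List[Policy] = [  # evaluated in this order; "first rejecting policy" refers to it
    Policy("cvss-over-7", "reject",
           lambda i: any(v["cvss"] > 7.0 for v in i.get("vulnerabilities", [])),
           "This item has been automatically rejected due to one or more associated security "
           "vulnerabilities with a CVSS score greater than 7.0. Please consult with your security team."),
    Policy("openssl-heartbleed", "reject",
           lambda i: i.get("component") == "OpenSSL" and i.get("version") in HEARTBLEED_VERSIONS,
           "This item has been automatically rejected due to the component being OpenSSL versions "
           "1.0.1 through 1.0.1f. We recommend you upgrade to a minimum OpenSSL version of 1.0.1g."),
    Policy("apache-2.0", "approve", lambda i: i.get("license") == "Apache-2.0",
           "License Name: Apache License 2.0 (Apache-2.0)\n- Include in third-party notices if shipped"),
    Policy("no-known-vulns", "approve", lambda i: not i.get("vulnerabilities"),
           "No known vulnerabilities are associated with this item; retain copyright notices."),
]

def evaluate(item: dict, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return (status, guidance entries shown in the Usage Guidance pane).
    Rejected: only the first rejecting policy's guidance is shown.
    Approved: guidance from every approving policy is listed.
    Assumption (the page does not say): a rejection outranks any approvals."""
    hits = [p for p in policies if p.matches(item)]
    rejecting = [p for p in hits if p.action == "reject"]
    if rejecting:
        return "Rejected", [rejecting[0].usage_guidance]
    approving = [p for p in hits if p.action == "approve"]
    if approving:
        return "Approved", [p.usage_guidance for p in approving]
    return "Not reviewed", []  # no policy matched; item awaits manual review

if __name__ == "__main__":
    item = {"component": "OpenSSL", "version": "1.0.1c", "vulnerabilities": [{"cvss": 7.5}]}
    status, guidance = evaluate(item)
    print(status)
    print("\n\n".join(guidance))
```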
Samples of Usage Guidance Content
The following shows examples of Usage Guidance content that can be provided for policies:
• For Vulnerability Policies
• For License Policies
• For Component Policies
For Vulnerability Policies
These are samples of Usage Guidance content that can be provided for policies listed in the Vulnerabilities section.
Rejection based on CVSS score:
This item has been automatically rejected due to one or more associated security vulnerabilities with a CVSS score greater than 7.0. Please consult with your security team for further guidance.
Rejection based on severity:
This item has been automatically rejected due to one or more associated security vulnerabilities with a high severity. Please consult with your security team for further guidance.
For License Policies
These are samples of Usage Guidance content that can be provided for policies listed in the Licenses section.
Approval based on license:
License Name: Apache License 2.0 (Apache-2.0)
License Priority: 3 - Permissive / Public Domain
Usage Guidance:
- Registration required before use
- Include in third-party notices if shipped
- Retain copyright notices
Rejection based on license:
This item has been automatically rejected based on a combination of the associated weak-copyleft license (LGPL-2.1) and the fact that the item has been modified and is being distributed.
For Component Policies
This is a sample of Usage Guidance content that can be provided for a policy listed in the Components section.
Rejection based on a component with version range:
This item has been automatically rejected due to the component being OpenSSL versions 1.0.1 through 1.0.1f. These are known to be exposed to the Heartbleed security vulnerability. We recommend you upgrade to a minimum OpenSSL version of 1.0.1g.