Edit Project: Review and Remediation Settings Tab

The Review and Remediation Settings tab on the Edit Project window enables you to overwrite default settings that configure the automation of the review, remediation, and status notification processes for published inventory in your project. These settings, which work in conjunction with the set of policies in the project’s policy profile, are used to set up the following in your project:

The policy profile to associate with the project. The policies in the selected profile work in conjunction with the review, remediation, and notification configuration defined on this tab.
Automatic creation of manual review tasks for inventory items not reviewed by policy during publication performed as part of a scan.
Automatic assignment of review tasks to the default legal or security contact that you specify.
Automatic creation of remediation tasks and associated external work items for inventory that is rejected either automatically by policy or during manual publication by an analyst.
Automatic assignment of remediation tasks to the default engineering contact that you specify.
Automatic rejection of published inventory impacted by new vulnerabilities detected in the latest scan, Electronic Update, or Library Refresh.
The automatic generation of email notifications that alert the Project Contact of rejected or non-reviewed published inventory items that need attention.

See the following field descriptions for more information.

Table: Edit Project: Review and Remediation Settings Tab (columns: Category, Section/Field, Description)

Automated Review Options

Policy Profile

Select the policy profile you want to associate with your project.

The policy profile contains a set of policies that use vulnerability scores and severities, license types, and component versions as criteria to automatically reject or approve inventory items during a codebase scan (or post-scan).

For more information about policy profiles in general, see Managing Policy Profiles.

Automatically reject inventory items impacted by a new vulnerability that violates your policy

Determine what action the system should take for published inventory affected by a new security vulnerability discovered during a post-publication scan, an Electronic Update, or Library Refresh. The selected action applies to both non-reviewed and previously approved inventory items on the Project Inventory tab.

Select this checkbox to automatically reject those project inventory items impacted by a new security vulnerability only if this vulnerability has a CVSS score or severity greater than the thresholds configured as policy for the Code Insight project. For each inventory item rejected due to a new security vulnerability, an icon and a tip are added to indicate the status change and its reason.

If a new vulnerability does not exceed policy thresholds, the current status of the inventory item is not affected.

Leave the checkbox unselected to retain the current status of inventory items impacted by the new vulnerability.

For information about setting policies that define CVSS-score and severity thresholds used to reject or approve inventory items automatically, see Policy Page and Policy Details Window. For information about associating these policies with a project, see Managing Policy Profiles.

Manual Review Options

What should happen if inventory items are not reviewed by policy?

Determine what action should be triggered for those inventory items that are not affected by policy (and therefore have a Not Reviewed status) during the publication of inventory either as part of a scan or manually by a user:

Do nothing—Simply show the status of the inventory item as Not Reviewed on the Project Inventory tab.
Send an email notification to the project contact—Automatically send an email to the Project Contact, stating the need for a manual review of the item. The value for Select the minimum priority... (described in the next table entry) affects this option.
Automatically create a manual review task—Automatically create a manual review task assigned to the default security or legal contact, and send an email, notifying the contact about the assigned task. (Information about managing such a task to track the progress of a manual review is found in Creating Inventory from the Project Inventory Tab.) The value for Select the minimum priority... (described in the next table entry) affects this option.

The Project Contact is automatically designated as the creator of the manual review task.

Select the minimum priority to perform the action selected above

(Enabled when an option other than do nothing is selected for the previous field.) Select the minimum inventory priority (P1, P2, P3, or P4) to which the value for the previous field applies.

For example, if the previous field is set to send an email notification to the project contact and minimum priority is set to P3, then the email notification will be sent for only those non-reviewed inventory items with a P1, P2, or P3 priority. No email notification will be sent for P4 inventory items.

Note: This option has no effect on the do nothing value.


What type of manual reviews will be performed on this project?

Determine the type of manual review tasks to be generated:

Legal Only—Review tasks are generated for those non-reviewed inventory items that meet no policy criteria. The tasks are automatically assigned to the default Legal reviewer.
Security Only—Review tasks are generated for only those non-reviewed inventory items that have security vulnerabilities. The tasks are automatically assigned to the default Security reviewer.
Both Legal and Security—Review tasks are generated for all non-reviewed inventory items meeting no policy criteria and are assigned to the default Legal reviewer. Additionally, review tasks are generated for those non-reviewed inventory items associated with security vulnerabilities and are assigned to the default Security reviewer.

With this value, a single inventory item might have both a legal review task and security review task generated. However, if the default reviewers are the same user, a single task is created, describing the requirement for both a legal and security manual review.
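The rules described above for the automatic-rejection checkbox, the minimum-priority filter, and the review task types are easy to misread when combined, so the following is an added example that models them as plain Python. It is illustrative code written for this page, not Code Insight's own code or API; the CVSS and severity thresholds (assumed to come from the policy profile), the status strings, the action and review-type keywords, and the reviewer names are all constructed for the example.

```python
# Illustrative model (added example, not Code Insight code) of the review
# automation rules documented for this tab. Threshold values, status names,
# option keywords and reviewer names are constructed for the example.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PRIORITY_RANK = {"P1": 1, "P2": 2, "P3": 3, "P4": 4}            # P1 is most urgent
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Vulnerability:
    cvss_score: float
    severity: str


@dataclass
class InventoryItem:
    name: str
    priority: str                    # "P1".."P4"
    status: str                      # "Approved", "Rejected" or "Not Reviewed"
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


@dataclass
class ReviewSettings:
    auto_reject_on_new_vuln: bool    # the checkbox under Automated Review Options
    cvss_threshold: float            # assumed to come from the policy profile
    severity_threshold: str          # assumed to come from the policy profile
    not_reviewed_action: str         # "do_nothing", "email" or "task"
    minimum_priority: str            # "Select the minimum priority..." value
    review_type: str                 # "legal", "security" or "both"
    legal_reviewer: str
    security_reviewer: str


def exceeds_policy(vuln: Vulnerability, s: ReviewSettings) -> bool:
    """A new vulnerability triggers rejection only if it is above a threshold."""
    return (vuln.cvss_score > s.cvss_threshold
            or SEVERITY_RANK[vuln.severity] > SEVERITY_RANK[s.severity_threshold])


def status_after_new_vulnerability(item: InventoryItem, vuln: Vulnerability,
                                   s: ReviewSettings) -> Tuple[str, Optional[str]]:
    """Return (new status, reason). Applies to approved and not-reviewed items alike."""
    if s.auto_reject_on_new_vuln and exceeds_policy(vuln, s):
        return "Rejected", "new vulnerability exceeds policy thresholds"
    return item.status, None         # checkbox off or below threshold: unchanged


def priority_in_scope(item_priority: str, minimum_priority: str) -> bool:
    """Minimum priority P3 means P1, P2 and P3 qualify; P4 does not."""
    return PRIORITY_RANK[item_priority] <= PRIORITY_RANK[minimum_priority]


def review_tasks(item: InventoryItem, s: ReviewSettings) -> List[Tuple[str, str]]:
    """Tasks generated for a not-reviewed item, as (task type, assignee) pairs."""
    tasks = []
    if s.review_type in ("legal", "both"):
        tasks.append(("legal", s.legal_reviewer))
    if s.review_type in ("security", "both") and item.vulnerabilities:
        tasks.append(("security", s.security_reviewer))
    # Same default reviewer for both types: one task covering both reviews.
    if len(tasks) == 2 and tasks[0][1] == tasks[1][1]:
        return [("legal and security", s.legal_reviewer)]
    return tasks


def actions_for_not_reviewed(item: InventoryItem, s: ReviewSettings) -> List[Tuple[str, str]]:
    """Actions triggered at publication for an item that policy did not decide on."""
    if item.status != "Not Reviewed" or s.not_reviewed_action == "do_nothing":
        return []
    if not priority_in_scope(item.priority, s.minimum_priority):
        return []                    # minimum priority filters email and task alike
    if s.not_reviewed_action == "email":
        return [("email", "Project Contact")]
    return review_tasks(item, s)     # "task": each task also emails its assignee


if __name__ == "__main__":
    settings = ReviewSettings(True, 7.0, "HIGH", "email", "P3", "both",
                              "legal.reviewer@example.test", "security.reviewer@example.test")
    for prio in ("P1", "P2", "P3", "P4"):
        item = InventoryItem("constructed-component", prio, "Not Reviewed")
        print(prio, actions_for_not_reviewed(item, settings))
    approved = InventoryItem("constructed-component", "P1", "Approved")
    print(status_after_new_vulnerability(approved, Vulnerability(9.8, "CRITICAL"), settings))
```

Running the module reproduces the P3 example from the table (P1, P2 and P3 items get an email, P4 gets nothing) and shows an approved item being rejected by a vulnerability above the constructed thresholds. Note that `review_tasks` only issues a security task when the item actually carries vulnerabilities, and collapses the legal and security tasks into one when both defaults point at the same user, which is the consolidation described for the "Both Legal and Security" option.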

Select reviewers for this project

If desired, designate a new default reviewer to which to assign manual review tasks. (The available reviewer types—Legal or Security or both—depend on the type of manual reviews your site performs, as defined for the previous option.)

If your site generates both Legal and Security review tasks, Code Insight determines which reviewer—Legal or Security—is assigned the task and then notified of the task by email. (See the previous option description for “both Legal and Security” for more information about how this determination is made.)

The reviewer can then manage the task accordingly, possibly reassigning it to another user. For details about managing and reassigning tasks, see Creating and Managing Tasks for Project Inventory.

To select a new reviewer, click Change User next to the name of the current Legal reviewer or Security reviewer assignee, select a user from the Select new...contact dialog, and click Apply.

When a new default reviewer is selected, that user is automatically given the role of project “reviewer” if the user does not currently have this role. However, if a specific task is reassigned to another user, that user is not automatically given the “reviewer” role and must be given that role manually (if the user does not already have it).

Remediation Options

These options determine the next step in the remedial process for rejected project inventory.

What should happen if inventory items are rejected?

Determine what action should be triggered for those inventory items that are automatically rejected by policy during an Electronic Update, Library Refresh, or the publication of inventory either as part of a scan or manually by a user:

Do nothing—Simply show the status of the inventory item as Rejected on the Project Inventory tab.
Send an email notification to the project contact—Automatically send an email to the Project Contact stating the need for remediation work on the inventory item.
Automatically create a remediation task—Automatically create a remediation task assigned to the default development contact (see the Assignee for remediation work option) and send an email, notifying the contact about the assigned task. (Information about managing such a task to track the remediation progress is found in Creating and Managing Tasks for Project Inventory.) The Project Contact is automatically designated as the task creator.
Automatically create a remediation task and an external work item—Automatically do the following:
Create a remediation task assigned to the default development contact (see the Assignee for remediation work option) and send an email, notifying the contact about the assigned task. (Information about managing such a task to track the remediation progress is found in Creating and Managing Tasks for Project Inventory.) The Project Contact is automatically designated as the task creator.
Create a work item and associate it with the task. The work item is created in your Application Lifecycle Management (ALM) system by using the settings defined for the ALM instance with which the Code Insight project is associated. For more information about configuring an ALM instance for the project, see Associating the Project with an Application Life Cycle System to Create Work Items.

Note: Currently Code Insight supports only Jira as an ALM system and Jira issues as work items.


Assignee for remediation work

If desired, designate a new default development contact to which to assign remediation tasks. This contact can then manage the task accordingly—for example, reassigning it to another user or manually creating an external work item and assigning it to someone on the development team. For details about managing and reassigning tasks, see Creating and Managing Tasks for Project Inventory.

To select a new contact, click Change User next to the name of the current assignee, select a user from the Select new...contact dialog, and click Apply.

Actions

These buttons control whether changes to project settings are saved across all Edit Project tabs.

Save

Click this button to save your project edits and return to the Summary tab.

Cancel

Click this button to return to the Summary tab without saving your project edits.

See Also