Policy Fields
The Policy Details Window provides the following fields to define policies that automatically approve or reject an inventory item when it is published. If no policy applies to an inventory item, the item’s status is Not Reviewed, requiring the item to be reviewed manually. Only users with Policy Manager permissions can edit these fields.
When you choose to view a policy profile from the Policy Page, the following fields are read-only. Any user can view a profile, including users who do not have Policy Manager permissions.
| Category | Column/Field | Description |
|---|---|---|
| General | | These fields identify the policy profile you are creating or editing. |
| | Name | The name of the policy profile that you are editing or copying. If you are copying a profile, the name of the copy will be Copy of selected_policyProfile, where selected_policyProfile is the name of the original profile. To change the name of the profile copy, type over the generated name with the new name in this field. |
| | Description | The policy profile description, if it exists. You can edit or add a description. |
| | Created | (Available in the Edit and View versions of the profile) The name of the user who created the policy profile, and the date and time the profile was created. You can click the hyperlinked name to send an email to the user who created the profile. |
| | Updated | (Available in the Edit and View versions of the profile) The name of the user who last updated the policy profile, and the date and time the profile was updated. You can click the hyperlinked name to send an email to the user who updated the profile. |
| Vulnerabilities | | The following fields define policies that automatically approve or reject inventory items with security vulnerabilities. Note: These policies ignore suppressed vulnerabilities when deciding whether to automatically approve or reject published inventory items. (A change in policy outcome due to the suppression of a vulnerability does not change the existing approval/rejection status of an inventory item unless the item is manually recalled and then republished.) |
| | (icon) | Click this icon next to a vulnerability policy to provide (or edit or view) meaningful content intended for inventory reviewers about the impact of the given policy. For example, this content might include reasons why the specific security vulnerabilities identified in the policy pose a risk to your intellectual property. This information is propagated to those project inventory items that are actually rejected by the policy, providing reviewers with context about the inventory’s status. For more information, see Adding Reviewer Content to Policies. |
| | Only auto-approve inventory items if there are no associated security vulnerabilities | Select this checkbox to have Code Insight skip any matching license-based or component policies if the inventory item has any associated security vulnerabilities. |
| | Reject inventory items if any associated security vulnerabilities have a CVSS score above <score> | Select this checkbox to have Code Insight automatically reject any inventory item with an associated security vulnerability whose CVSS score is above the value you enter. (The scores available for this field are based on the CVSS version currently used by Code Insight. For information, see Security Vulnerabilities Associated with Inventory.) This policy takes precedence over any other automated approval policy. Note: If the Code Insight System Administrator changes the CVSS version used by Code Insight, the value you selected for this field might change. See Impact on Policies When Code Insight’s CVSS Configuration Changes for details. |
| | Reject inventory items if any associated security vulnerabilities have a severity equal to or higher than <severity level> | Select this checkbox to have Code Insight automatically reject any inventory item with an associated security vulnerability whose severity is equal to or higher than the severity you select. (The severities available for this field are based on the CVSS version currently used by Code Insight. For information, see Security Vulnerabilities Associated with Inventory.) This policy takes precedence over any other automated approval policy. Note: If the Code Insight System Administrator changes the CVSS version used by Code Insight, the value you selected for this field might change. See Impact on Policies When Code Insight’s CVSS Configuration Changes for details. |
| Licenses | | The following fields describe and manage the policies that automatically approve or reject inventory associated with a given license. |
| | Add License | Click this button to add a new license policy based on a selected license and inventory usage criteria. (The Edit [or Add] License and Usage Criteria window opens to enable you to do this.) See Maintaining License Policies for further details. Once you create the license policy, its entry is added to the Licenses list. For the entry, you can then select the review status (under Action) that this policy automatically assigns to an inventory item if the policy’s criteria are met. |
| | (icon) | Click this icon to the left of each license policy to provide (or edit or view) meaningful content intended for inventory reviewers about this policy. For example, the content might list requirements for using the licenses identified in the policy’s criteria or reasons why these licenses pose a legal risk. This information is then propagated to those project inventory items that are actually approved or rejected by the policy, providing reviewers with context about the inventory’s status. For more information, see Adding Reviewer Content to Policies. |
| | (icon) | Click this icon to the left of each license policy to open the License Details Window, enabling you to view information about the license, including its attributes and license text. |
| | Licenses (list) | The list of license policies (in a grid format) currently used by this profile for automatically reviewing inventory items. Each license policy entry contains the license name, the inventory usage criteria that can affect the obligations incurred by use of the license, and the actions you can perform on the policy. The following read-only criteria are currently defined for the given license policy and describe how a software package developed in your organization uses the OSS or third-party component associated with an inventory item. (This usage can affect your license obligations and conditions of use.) To define or edit these criteria for a license policy, see Maintaining License Policies. The following field specifies the review status automatically assigned to inventory items that meet the criteria for this license policy. The following icons at the right of each license policy are used to manage the policy. |
| Components | | The following fields define and manage policies that automatically approve or reject inventory based on the component version associated with the inventory. |
| | Add Component | Click this button to select a component on which to create the policy, or to create a new component from the Lookup Component window. (See Lookup Component Window for information about how to use this window.) Once you select a component, its entry is added to the Components policy list. |
| | (icon) | Click this icon to the left of each component policy to provide (or edit or view) meaningful content intended for inventory reviewers about this component. For example, this content might include “need to know” information about why the component versions identified in the policy pose a risk. This information is then propagated to those project inventory items that are actually approved or rejected by the policy, providing reviewers with context about the inventory’s status. For more information, see Adding Reviewer Content to Policies. |
| | (icon) | Click this icon to the left of each component policy to open the Component Details Window, enabling you to view relevant information about the component, including its forge, possible licenses, CPE names, and more. |
| | Components (list) | The list of components and versions (in a grid format) currently used as criteria for automatically reviewing inventory items. The unknown option applies to certain components that were collected without a version value. To specifically handle unknown versions, set both the Versions from and to fields to unknown. Click |
| Actions | | These actions manage the entire policy profile. |
| | Save | Click to save the changes you have made to this policy profile. |
| | Close | Click to close the Policy Details window. If you have made changes to the profile, be sure that you have clicked Save before closing the page; otherwise, the changes are lost. |
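The precedence rules spread across the Vulnerabilities, Licenses and Components fields above (suppressed vulnerabilities ignored, score/severity rejection first, the "only auto-approve if no vulnerabilities" gate, Not Reviewed when nothing applies) are easier to reason about as one decision function. The model below is an added example, not Code Insight's own code; the policy data shapes, the severity ordering, exact-version matching and the license-before-component order are assumptions made for illustration.

```python
# Added example, not Code Insight's own code: a model of the automated review flow this
# page describes. Policy shapes, names and license-before-component order are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NOT_REVIEWED, APPROVED, REJECTED = "Not Reviewed", "Approved", "Rejected"
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}  # assumed CVSS v3 ratings

@dataclass
class Vulnerability:
    cvss_score: float
    severity: str
    suppressed: bool = False

@dataclass
class Inventory:
    license: str
    component: str
    version: str  # "unknown" for items collected without a version value
    vulns: List[Vulnerability] = field(default_factory=list)

@dataclass
class Profile:
    only_approve_if_no_vulns: bool = False
    reject_above_score: Optional[float] = None
    reject_at_or_above_severity: Optional[str] = None
    license_policies: dict = field(default_factory=dict)  # license name -> action
    component_policies: List[Tuple[str, str, str]] = field(default_factory=list)  # (component, version, action)

def evaluate(item: Inventory, p: Profile) -> str:
    active = [v for v in item.vulns if not v.suppressed]  # suppressed vulns are ignored
    # Score/severity rejection takes precedence over any other automated approval policy.
    if p.reject_above_score is not None and any(v.cvss_score > p.reject_above_score for v in active):
        return REJECTED
    if p.reject_at_or_above_severity is not None:
        floor = SEVERITY_RANK[p.reject_at_or_above_severity]
        if any(SEVERITY_RANK[v.severity] >= floor for v in active):
            return REJECTED
    # The checkbox skips matching license/component policies while any active vuln remains.
    if p.only_approve_if_no_vulns and active:
        return NOT_REVIEWED
    action = p.license_policies.get(item.license)
    if action is None:  # assumed order: license policies before component policies
        for comp, ver, act in p.component_policies:
            if comp == item.component and ver == item.version:  # "unknown" matches unversioned
                action = act
                break
    return action if action is not None else NOT_REVIEWED  # no policy applies: manual review
```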