Project Defaults Tab

The settings on the Project Defaults tab of the Administration page provide a convenient way to pre-populate the fields used to configure new projects, ensuring consistency and making project creation easier for users. Although the settings you define here are global across all projects, they can be overridden at the project level as needed. See the following field descriptions for more information.

General Options

These options set defaults for project creation and assign default users to project roles. Users can change these defaults when creating a project or when editing a project or its users using Manage Project | Edit Project | General or Manage Project | Edit Project | Edit Project Users on the project Summary tab.

Project Visibility

Select the default for visibility status—Public or Private—for projects. (The initial system default is Public.)

Any user in the system has read-only access to a public project. To what degree a user can interact with the project depends on whether the user has a project role and what the role is—Project Administrator, Analyst, or Reviewer.

However, private projects are hidden from all users except the Project Contact and those users assigned as Project Administrators, Analysts, Reviewers, or Observers of the project. Additionally, project and vulnerability ID searches will not return private projects unless the user performing the search has the permissions to see a given private project.

Project Risk

Select the default risk value (Low, Medium, or High) for projects. To edit, select another value from the dropdown list. The initial system default is Medium.

Project Users

Click the Edit Project Users link to open the Edit Default Project Users page. From here you assign project roles—Analysts, Reviewers, and Observers—that will default for any new project created (but which can then be edited at the project level). See Edit (Default) Project Users Page for details.

On the data import or rescan, delete inventory with no associated files

This option determines whether “empty” system-generated inventory items are deleted in the target project during project imports and rescans. Empty inventory items have no associated files.

Selected—Deletes empty inventory items from the target project during project imports and rescans. Only inventory items with associated files are retained/created.
Unselected—Retains/creates all inventory items—with or without matching associated files in the target codebase—in the target project during imports and rescans. For example, you might want to retain inventory items to save their analysis details. (Users will need to manually delete inventory that is not applicable to the current project.)

This configuration (unselected) is required when importing a scanned codebase into a project for which no codebase has been uploaded or obtained through synchronization. This option ensures that inventory is generated in the target project.

Scan Settings

These options identify the default Scan Server and scan profile for projects. Users can change these settings at the project level by navigating to Manage Project | Edit Project | Scan Settings from the project Summary tab.

Scan Profile

Select the scan profile to default for projects. Click to view the details of the scan profile.

Scan Server

Select the Scan Server to default for projects. Note that only those Scan Servers in an “enabled” state are available for selection. If only one Scan Server has been identified to the system, this server is automatically selected as the default.

Automated Inventory Publish Options

These options enable and configure the automatic publication of project inventory as part of the project scan process. Users can change these settings at the project level by navigating to the project Summary tab and selecting Manage Project | Edit Project | Scan Settings.

If the Auto-publish system-created inventory items meeting this minimum Confidence Level option is selected to enable auto-publication, the other auto-publish options become available.

Auto-publish system-created inventory items meeting this minimum Confidence Level

Select this option to enable the auto-publication of system-generated inventory items. (By default, the option is selected.)

Then select the minimum Inventory Confidence level required to determine which items to auto-publish:

Low—Automatically publish all system-generated inventory.
Medium—Automatically publish only those system-generated inventory items with Medium and High confidence levels.
High—Automatically publish only those system-generated inventory items with a High confidence level.

For a description of the Confidence levels and how they are used, see Inventory Confidence.

Do not auto-publish inventory items with an undetermined license

Select this option to not auto-publish any system-generated inventory item with an undetermined license (that is, an inventory item whose License value is I don’t know). An undetermined license can occur under the following conditions:

The scan was not able to identify a license for the given component during the scan and therefore set the I don’t know license value.
The inventory item has multiple possible disjunctive licenses (for example, “GPLv2 or MIT”). However, the scan could find no evidence indicating which of the possible licenses applies and therefore set the I don’t know license value.
The inventory item has multiple possible conjunctive licenses (for example, “GPLv2 and MIT”). However, since Code Insight currently supports only a single selected license, the scan automatically set the I don’t know value for the inventory item.

This option is available only if Auto-publish system-created inventory items meeting this minimum Confidence level is selected. By default, when you first open the Code Insight instance after it has been installed or migrated, this option is unselected, allowing the auto-publication of inventory with undetermined licenses.

Mark associated file as reviewed

Select this option if you want Code Insight to automatically mark the files associated with each automatically published inventory item as “reviewed”.

This option is available only if Auto-publish system-created inventory items meeting this minimum Confidence level is selected.
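The three auto-publish options above combine into one decision per inventory item. The following is an added illustrative model of that decision (not Code Insight's own code; the class, function and field names are assumptions), including how the scan arrives at the I don’t know license value for empty, disjunctive and conjunctive license expressions:

```python
"""Illustrative model of the Automated Inventory Publish Options.
Not Code Insight's code; names are assumptions for this example."""
from dataclasses import dataclass, field

CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}
UNDETERMINED = "I don't know"   # the undetermined License value


@dataclass
class AutoPublishSettings:
    enabled: bool = True                  # the auto-publish checkbox (default on)
    min_confidence: str = "Medium"        # Low / Medium / High
    skip_undetermined_license: bool = False   # default off after install
    mark_files_reviewed: bool = False


@dataclass
class InventoryItem:
    name: str
    confidence: str                       # Low / Medium / High
    license: str                          # selected License value
    files: list = field(default_factory=list)
    published: bool = False
    reviewed_files: set = field(default_factory=set)


def scan_selected_license(expression, evidence=()):
    """How a scan can end up with an undetermined license (per the doc)."""
    if not expression:                    # no license identified at all
        return UNDETERMINED
    if " and " in expression:             # conjunctive: only one license can be selected
        return UNDETERMINED
    if " or " in expression:              # disjunctive: needs evidence for one alternative
        for alternative in expression.split(" or "):
            if alternative in evidence:
                return alternative
        return UNDETERMINED
    return expression


def should_auto_publish(item, s):
    if not s.enabled:
        return False
    if CONFIDENCE_RANK[item.confidence] < CONFIDENCE_RANK[s.min_confidence]:
        return False
    if s.skip_undetermined_license and item.license == UNDETERMINED:
        return False
    return True


def run_auto_publish(items, s):
    """Publish qualifying items; optionally mark their files reviewed."""
    for item in items:
        if should_auto_publish(item, s):
            item.published = True
            if s.mark_files_reviewed:
                item.reviewed_files.update(item.files)
    return [i.name for i in items if i.published]
```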

Automated Review Options

These options configure defaults for enabling policies that automatically accept or reject inventory when it is published. Users can change these settings at the project level by navigating to Manage Project | Edit Project | Review and Remediation Settings from the project Summary tab.

Policy Profile

Select the default policy profile to associate with all new projects. (The system default is Default License Policy Profile.)

The policy profile contains a set of policies that use components, versions, licenses, and vulnerability scores and severities as criteria to automatically reject or approve inventory items during a codebase scan (or post-scan).

For more information about policy profiles in general, see Managing Policy Profiles.

Automatically reject inventory items impacted by a new vulnerability that violates your policy

Indicate the default action to take for published inventory affected by a new security vulnerability downloaded as part of an Electronic Update or Library Refresh. The selected action applies to both non-reviewed and previously approved inventory items on the Project Inventory tab.

Select this checkbox to automatically reject those project inventory items impacted by a new security vulnerability only if this vulnerability has a CVSS score or severity greater than the thresholds configured as policy for the Code Insight project. For each inventory item rejected due to a new security vulnerability, an icon and a tip are added to indicate the status change and its reason.

If a new vulnerability does not exceed policy thresholds, the current status of the inventory item is not affected.

Leave the checkbox unselected to retain the current status of inventory items impacted by the new vulnerability.

For information about setting policies that define CVSS-score and severity thresholds used to reject or approve inventory items automatically, see Policy Page and Policy Details Window. For information about associating these policies with a project, see Managing Policy Profiles.

Manual Review Options

These options configure defaults for project inventory not automatically reviewed by policy. Users can change these settings at the project level by navigating to Manage Project | Edit Project | Review and Remediation Settings from the project Summary tab.

What should happen if inventory items are not reviewed by policy?

Indicate the default action to trigger for those inventory items that are not affected by policy (and therefore have a Not Reviewed status) during the publication of inventory either as part of a scan or manually by a user:

Do nothing—Simply show the status of the inventory item as Not Reviewed on the Project Inventory tab.
Send an email notification to the contact—Automatically send an email to the Project Contact, stating the need for a manual review of the item. The value for Select the minimum priority... (described in the next table entry) affects this option.
Automatically create a manual review task—Automatically create a manual review task assigned to the default legal or security reviewer (or both reviewers), and send an email notifying the reviewer(s) about the assigned task.

Information about managing such a task to track the progress of a manual review is found in Creating and Managing Tasks for Project Inventory.

The value for Select the minimum priority... (described in the next table entry) affects this option.

Select the minimum priority to perform the action selected above

(Enabled when an option other than do nothing is selected for the previous field.) Select the default minimum inventory priority (P1, P2, P3, or P4) to which the value for the previous field applies.

For example, if the previous field is set to send an email notification to the project contact and minimum priority is set to P3, then the email notification will be sent for only those non-reviewed inventory items with a P1, P2, or P3 priority. No email notification will be sent for P4 inventory items.

Note: This option has no effect when the do nothing value is selected.

What type of manual reviews will be performed on this project?

Set the default type of manual review tasks to be generated:

Legal Only—Review tasks are generated for those non-reviewed inventory items that do not meet legal policy criteria. The tasks are automatically assigned to the default Legal reviewer.
Security Only—Review tasks are generated for only those non-reviewed inventory items that have security vulnerabilities. The tasks are automatically assigned to the default Security reviewer.
Both Legal and Security—Review tasks are generated for all non-reviewed inventory items that do not meet legal policy criteria; these are assigned to the default Legal reviewer. Additionally, review tasks are generated for those non-reviewed inventory items associated with security vulnerabilities and are assigned to the default Security reviewer.

With this value, a single inventory item might have both a legal review task and security review task generated. However, if the default reviewers are the same user, a single task is created, describing the requirement for both a legal and security manual review.

Select reviewers for this project

If desired, designate a new default reviewer to which to assign manual review tasks. (The available reviewer types—Legal or Security or both—depend on the type of manual reviews your site performs, as defined for the previous option.)

If your site generates both Legal and Security review tasks, Code Insight determines which reviewer—Legal or Security—is assigned the task and then notified of the task by email. See the previous option description for “both Legal and Security” for more information on how this determination is made.

For details about managing and reassigning tasks, see Creating and Managing Tasks for Project Inventory.

To select a new default reviewer, click Change User next to the name of the current Legal reviewer or Security reviewer assignee, then select a user from the Select new...contact dialog, and click Apply. (To reset the reviewer to the Project Contact, click Reset.)

When a new default reviewer is selected, that user is automatically given the role of project “reviewer” should the user not currently have this role.

If “Project Contact” is specified as a default reviewer, the Project Contact’s actual user name is displayed for the reviewer in the project.
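The Manual Review Options fields above (the action, the minimum priority, the review type and the default reviewers) interact when inventory is published. The following is an added illustrative model of that interaction (not Code Insight's own code; class, function and field names are assumptions), including the rule that a single combined task is created when the Legal and Security reviewers are the same user:

```python
"""Illustrative model of the Manual Review Options defaults.
Not Code Insight's code; names are assumptions for this example."""
from dataclasses import dataclass

PRIORITY_RANK = {"P1": 1, "P2": 2, "P3": 3, "P4": 4}   # P1 is the most urgent


@dataclass
class ManualReviewSettings:
    action: str = "do nothing"       # "email contact" / "create task"
    min_priority: str = "P4"         # items at this priority or more urgent qualify
    review_type: str = "Both"        # "Legal Only" / "Security Only" / "Both"
    legal_reviewer: str = "Project Contact"
    security_reviewer: str = "Project Contact"


@dataclass
class Inventory:
    name: str
    priority: str
    status: str = "Not Reviewed"     # policy neither approved nor rejected it
    violates_legal_policy: bool = False
    has_vulnerabilities: bool = False


def meets_min_priority(item, s):
    return PRIORITY_RANK[item.priority] <= PRIORITY_RANK[s.min_priority]


def review_tasks_for(item, s, project_contact):
    """Return (assignee, description) tuples for one inventory item."""
    resolve = lambda u: project_contact if u == "Project Contact" else u
    needs = {}                       # assignee -> kinds of review required
    if s.review_type in ("Legal Only", "Both") and item.violates_legal_policy:
        needs.setdefault(resolve(s.legal_reviewer), []).append("legal")
    if s.review_type in ("Security Only", "Both") and item.has_vulnerabilities:
        needs.setdefault(resolve(s.security_reviewer), []).append("security")
    # Same user for both reviewers: one task describing both reviews.
    return [(u, f"{item.name}: {' and '.join(k)} review") for u, k in needs.items()]


def on_publish(items, s, project_contact):
    """Return the ("email"|"task", recipient, detail) actions triggered."""
    out = []
    for it in items:
        if it.status != "Not Reviewed" or s.action == "do nothing":
            continue                 # min_priority has no effect for "do nothing"
        if not meets_min_priority(it, s):
            continue
        if s.action == "email contact":
            out.append(("email", project_contact, it.name))
        elif s.action == "create task":
            out.extend(("task", u, d) for u, d in review_tasks_for(it, s, project_contact))
    return out
```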

Remediation Options

These options configure defaults for rejected project inventory. Users can change these settings at the project level by navigating to Manage Project | Edit Project | Review and Remediation Settings from the project Summary tab.

What should happen if inventory items are rejected?

Indicate the default action to trigger for those inventory items that are automatically rejected by policy when inventory is published during a scan or manually published by a user:

Do nothing—Simply show the status of the inventory item as Reject on the Project Inventory tab.
Send an email notification to the project contact—Automatically send an email to the Project Contact, stating the need for remediation work on the inventory item.
Automatically create a remediation task—Automatically create a remediation task assigned to the default development contact (see the Assignee for remediation work option) and send an email, notifying the contact about the assigned task.
Automatically create a remediation task and an external work item—Automatically do the following:
Create a remediation task assigned to the default development contact (see the Assignee for remediation work option) and send an email, notifying the contact about the assigned task. (See the previous bulleted item for more information.)
Associate a work item with the task, creating the work item in an Application Lifecycle Management (ALM) system (such as an issue in Jira). The work item is created and assigned using the settings defined for the ALM instance to which the Code Insight project is associated. For more information about configuring an ALM instance for the project, see Associating the Project with an Application Life Cycle System to Create Work Items.

Assignee for remediation work

If desired, designate a new default development contact—for example, an engineering manager—to which to assign remediation tasks. (The Project Contact is the initial system default.) This contact can then manage the task accordingly—for example, reassigning it to another user or manually creating an external work item and assigning it to someone on the development team. For details about managing and reassigning tasks, see Creating and Managing Tasks for Project Inventory.

To select a new contact, click Change User next to the name of the current assignee, select a user from the Select new...contact dialog, and click Apply. (To reset the assignee to the Project Contact, click Reset.)

If “Project Contact” is specified as the default, the Project Contact’s actual user name is displayed as the remediation assignee in the project.
