Setting Project Defaults
The settings on the Project Defaults tab on the Administration page work provide a convenient way to default fields used to configure new projects to ensure consistency and enable an easier project creation experience for users.
To set project defaults, do the following:
- On the Code Insight Dashboard, click administration. The Administration page appears with a list of side tabs. (You can also access this page by clicking the icon
in the upper right corner of the Code Insight web page to open the Code Insight main menu. From this menu, select ADMINISTRATION.) - Select the Project Defaults tab.
- Update global default values as needed, using the information in the Project Default Descriptions table.
Project Default Descriptions
The following table lists the project default descriptions.
| Category | Field | Description |
|---|---|---|
| General Options | These options set defaults for project creation and assign default users to project roles. Users can change these defaults when creating a project or when editing a project or its users using Manage Project > Edit Project > General or Manage Project > Edit Project > Edit Project Users on the project Summary tab. | |
| Project Visibility | Select the default for visibility status— Public or Private —for projects. (The initial system default is Public .) Any user in the system read-only access to a public project. To what degree a user can interact with the project depends on whether the user has a project role and what the role is—Project Administrator, Analyst, or Reviewer. However, private projects are hidden from all users except the Project Contact and those users assigned as Project Administrators, Analysts, Reviewers, or Observers of the project. Additionally, project and vulnerability ID searches will not return private projects unless the user performing the search has the permissions to see a given private project. | |
| Project Risk | Select the default risk value ( Low, Medium, or High ) for projects. To edit, select another value from the dropdown list. The initial system default is Medium . | |
| Project Users | Click the Edit Project Users link to open the Edit Default Project Users page. From here you assign project roles—Analysts, Reviewers, and Observers—that will default for any new project created (but which can then be edited at the project level). See the “Edit (Default) Project Users Page” in the online help or the Code Insight User Guide for details. | |
| On the data import or rescan, delete inventory with no associated files | This option determines whether “empty” system-generated inventory items are deleted in the target project during project imports and rescans. Empty inventory items have no associated files. - Selected—Deletes empty inventory items from the target project during project imports and rescans. Only inventory items with associated files are retained/created. - Unselected—Retains/creates all inventory items—with or without matching associated files in the target codebase—in the target project during imports and rescans. For example, you might want to retain inventory items to save their analysis details. (Users will need to manually delete inventory that is not applicable in the current project.) This configuration (unselected) is required when importing a scanned codebase into an inventory-only project, which has no codebase, to ensure inventory is generated in the target project. | |
| Expand Source and Uber jar files | This option determines whether uber and sources jars and are expanded during a codebase upload to the project. - When selected, this option enables the expansion of the uploaded top-level uber or sources jar and any uber or sources jars contained in the uploaded jar, according to the expansion level defined for the upload. - When not selected, this option does expand any uber or sources files in the uploaded codebase. For more information, see the “Expansion of a Sources or Uber Jar” section in the Code Insight User Guide. | |
| Scan Settings | These options identify the default Scan Server and scan profile for projects. Users can change these settings when creating a project or when editing a project using Manage Project > Edit Project > Scan Settings from the project Summary tab. | |
| Scan Profile | Select the scan profile to default for projects. Click (i) to view the details of the scan profile. | |
| Scan Server | Select the Scan Server to default for projects. Note that only those Scan Servers in an “enabled” state are available for selection (see Adding or Editing Scan Servers or Checking Server Status). If only one Scan Server has been identified to the system, this server is automatically selected as the default. | |
| Automated Inventory Publish Options | These options configure defaults for automatically publishing project inventory as part of the project scan process. Users can change these settings at the project level by navigating to the project Summary tab and selecting Manage Project > Edit Project > Scan Settings . If the Auto-publish system-created inventory items meeting this minimum Confidence Level is selected to enable auto-publication, the other auto-publish options are made available. | |
| Auto-publish system-created inventory items meeting this minimum Confidence Level | Select this option to enable the auto-publication of system-generated inventory items. (By default, the option is selected.) Then select the minimum Inventory Confidence level required to determine which items to auto-publish: - Low—Automatically publish all system-generated inventory. - Medium—Automatically publish only those system-generated inventory items with Medium and High confidence levels. - High—Automatically publish only those system-generated inventory items with a High confidence level. For a description of the Confidence levels and how they are used, refer to the “Inventory Confidence” section in Code Insight User Guide. | |
| Do not auto-publish inventory items with an undetermined license | Select this option to not auto-publish any system-generated inventory item with an undetermined license (that is, an inventory item whose License value is I don’t know ). An undetermined license can occur under the following conditions: - The scan was not able to identify a license for the given component during the scan and therefore set the I don’t know license value. - The inventory item has multiple possible disjunctive licenses (for example, “GPLV2 or MIT”). However, the scan could find no evidence of the desired selected license and therefore set the I don’t know license value. - The inventory item has multiple possible conjunctive licenses (for example, “GPLv2 and MIT”). However, since Code Insight currently supports only a single selected license, the scan automatically set the I don’t know value for the inventory item. This option is available only if Auto-publish system-created inventory items meeting this minimum Confidence level is selected. By default, when you first open Code Insight instance after it has been installed or migrated, this option is unselected, allowing the auto-publication of inventory with undetermined licenses. | |
| Mark associated file as reviewed | Select this option if you want Code Insight to automatically mark the files associated with each automatically published inventory item as “reviewed”. This option is available only if Auto-publish system-created inventory items meeting this minimum Confidence level is selected. | |
| Automated Review Options | These options configure defaults for enabling policies that automatically accept or reject inventory when it is published. Users can change these settings when creating a project or when editing a project using Manage Project > Edit Project > Review and Remediation Settings from the project Summary tab. | |
| Policy Profile | Select the default policy profile to associate with all new projects. (The system default is Default License Policy Profile .) The policy profile contains a set of policies that use components, versions, licenses, and vulnerability scores and severities as criteria to automatically reject or approve inventory items during a codebase scan (or post-scan). For more information about policy profiles in general, see “Managing Policy Profiles” in the online help or the Code Insight User Guide. | |
| Automatically reject inventory items impacted by a new vulnerability that violates your policy | Determine what action the system should take for published inventory affected by a new security vulnerability discovered during a post-publication scan, an Electronic Update, or Library Refresh. The selected action applies to both non-reviewed and previously approved inventory items on the Project Inventory tab. Select this checkbox to automatically reject those project inventory items impacted by a new security vulnerability only if this vulnerability has a CVSS score or severity greater than the thresholds configured as policy for the Code Insight project. For each inventory item rejected due to a new security vulnerability, the icon and a tip are added to indicate the status change and its reason. If a new vulnerability does not exceed policy thresholds, the current status of the inventory item is not affected. Leave the checkbox unselected to retain the current status of inventory items impacted by the new vulnerability. For information about setting policies that define CVSS-score and severity thresholds used to reject or approve inventory items automatically, see “Policies Page” and “Policy Details Page” in the online help or the Code Insight User Guide. For information about associating these policies with a project, see “Managing Policy Profiles” in either of these same resources. | |
| Manual Review Options | These options configure defaults for project inventory not automatically reviewed by policy. Users can change these settings at the project level by navigating to Manage Project > Edit Project > Review and Remediation Settings from the project Summary tab. | |
| What should happen if inventory items are not reviewed by policy? | Indicate the default action to trigger for those inventory items that are not affected by policy (and therefore have a Not Reviewed status) during the publication of inventory either as part of a scan or manually by a user: - Do nothing—Simply show the status of the inventory item as Not Reviewed on the Project Inventory tab. - Send an email notification to the project contact—Automatically send an email to the Project Contact, stating the need for a manual review of the item. The value for Select the minimum priority... (described in the next table entry) affects this option. - Automatically create a manual review task—Automatically create a manual review task assigned to the default legal or security reviewer (or both reviewers), and send an email, notifying the reviewer(s). The Project Contact is automatically designated as the creator of manual review task. Information about managing such a task to track the progress of a manual review is found in “Creating and Managing Tasks for Project Inventory” in the online help or the Code Insight User Guide. The value for Select the minimum priority... (described in the next table entry) affects this option. | |
| Select the minimum priority to perform the action selected above | (Enabled when an option other than do nothing is selected for the previous field.) Select the default minimum inventory priority ( P1, P2, P3, or P4 ) to which the value for the previous field applies. For example, if the previous field is set to send an email notification to the project contact and minimum priority is set to P3, then the email notification will be sent for only those non-reviewed inventory items with a P1, P2, or P3 priority. No email notification will be sent for P4 inventory items. This option has no effect when the do nothing value is selected. | |
| What type of manual reviews will be performed on this project? | Set the default type of manual review tasks to be generated: - Legal Only—Review tasks are generated for those non-reviewed inventory items that so not meet legal policy criteria. The tasks are automatically assigned to the default Legal reviewer. - Security Only—Review tasks are generated for only those non-reviewed inventory items that have security vulnerabilities. The tasks are automatically assigned to the default Security reviewer. - Both Legal and Security—Review tasks are generated for all non-reviewed inventory items that do not meet legal policy criteria; these are assigned to the default Legal reviewer. Additionally, review tasks are generated for those non-reviewed inventory tasks associated with security vulnerabilities and are assigned to the default Security reviewer. With this value, a single inventory item might have both a legal review task and security review task generated. However, if the default reviewers are the same user, a single task is created, describing the requirement for both a legal and security manual review. | |
| Select reviewers for this project | If desired, designate a new default Legal reviewer or Security reviewer (or both) to which to assign manual review tasks. (The Project Contact is the designated as the initial system default for both reviewers.) Then, depending on the type of manual review selected for the project (see the What type of manual reviews will be performed... option described previously), Code Insight determines which reviewer (Legal or Security or both) is assigned the task and then notified of the task by email. The reviewer(s) can then manage the task accordingly, possibly reassigning it to another user. For details about managing and reassigning tasks, see “Creating and Managing Tasks for Project Inventory” in the online help or the Code Insight User Guide. To select a new default reviewer, click Change User next to the name of the current Legal reviewer or Security reviewer assignee, then select a user from the Select new...contact dialog, and click Apply . (To reset the reviewer to the Project Contact, click Reset .) When a new default reviewer is selected, that user is automatically given the role of project “reviewer” should the user not currently have this role. However, should the current reviewer reassign a specific task to another user, the “reviewer” role is not automatically assigned to that user. If “Project Contact” is specified as a default reviewer, the Project Contact’s actual user name is displayed for the reviewer in the project. | |
| Remediation Options | These options configure defaults for rejected project inventory. Users can change these settings at the project level by navigating to Manage Project > Edit Project > Review and Remediation Settings from the project Summary tab. | |
| What should happen if inventory items are rejected? | Determine what action should be triggered for those inventory items that are automatically rejected by policy during an Electronic Update, Library Refresh, or the publication of inventory (either as part of a scan or manually by a user): - Do nothing—Simply show the status of the inventory item as Reject on the Project Inventory tab. - Send an email notification to the project contact—Automatically send an email to the Project Contact, stating the need for remediation work on the inventory item. - Automatically create a remediation task—Automatically create a remediation task assigned to the default development contact (see the Assignee for remediation work option) and send an email, notifying the this contact about the assigned task. The Project Contact is automatically designated as the task creator. - Automatically create a remediation task and an external work item—Automatically do the following: Create a remediation task assigned to the default development contact (see the Assignee for remediation work option) and send an email, notifying the contact about the assigned task. (See the previous bulleted item for more information.) The Project Contact is automatically designated as the creator of manual review task. Create a work item and associate it with the task. The work item is created in your Application Lifecycle Management (ALM) system by using the settings defined for the ALM instance with which the Code Insight project is associated. For more information about configuring an ALM instance for the project, see “ALM Settings” in the online help or the Code Insight User Guide. Note: Currently Code Insight supports only Jira as an ALM system and Jira issues as work items. | |
| Assignee for remediation work | If desired, designate a new default development contact—for example, an engineering manager—to which to assign remediation tasks. (The Project Contact is the initial system default.) This contact can then manage the task accordingly—for example, reassigning it to another user or manually creating an external work item and assigning it to someone on the development team. For details about managing and reassigning tasks, see “Creating and Managing Tasks for Project Inventory” in the online help or the Code Insight User Guide. To select a new contact, click Change User next to the name of the current assignee, select a user from the Select new...contact dialog, and click Apply . (To reset the reviewer to the Project Contact, click Reset .) If “Project Contact” is specified as the default, the Project Contact’s actual user name is displayed as the remediation assignee in the project. |