How Policy Profiles Work in the Automated Inventory-Review Process

A policy profile is a set of policies whose criteria are based on OSS or third-party component versions, licenses, or security vulnerability scores and severities. A given policy profile can be associated with one or more projects to enable automatic reviews of inventory items within any of these projects. (These reviews are triggered by a number of different events, described later in this section.)

During a review, the policy criteria are evaluated against a given published inventory item to automatically approve or reject it. Any conflicting criteria are resolved in favor of automated rejection: a rejection under a single criterion results in an overall rejection of the inventory item, regardless of the number of approvals under other criteria.

When an inventory item is published and meets no criteria in the policy, the system can leave the item in a Not Reviewed state, which requires it to be reviewed manually.
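As an added illustration of the precedence rules above (this is a model written for this page, not Code Insight's own code): each criterion in a profile votes Approved or Rejected for an item it applies to, a single rejection overrides any number of approvals, and an item that no criterion applies to is left Not Reviewed. The criterion names, license lists, CVSS threshold and sample inventory items are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional


class Outcome(str, Enum):
    APPROVED = "Approved"
    REJECTED = "Rejected"
    NOT_REVIEWED = "Not Reviewed"


@dataclass
class InventoryItem:
    component: str
    version: str
    license: str
    max_cvss: Optional[float]  # highest vulnerability score known for this version, None if none


@dataclass
class Criterion:
    """One policy criterion: when `applies` is true for an item, `verdict` is its vote."""
    name: str
    applies: Callable[[InventoryItem], bool]
    verdict: Outcome  # APPROVED or REJECTED


def review(item: InventoryItem, profile: List[Criterion]) -> Outcome:
    """Evaluate every criterion; one rejection wins over any number of approvals,
    and an item no criterion applies to stays Not Reviewed."""
    votes = [c.verdict for c in profile if c.applies(item)]
    if Outcome.REJECTED in votes:
        return Outcome.REJECTED
    if Outcome.APPROVED in votes:
        return Outcome.APPROVED
    return Outcome.NOT_REVIEWED


# Constructed sample profile (hypothetical license lists and severity threshold).
PROFILE = [
    Criterion("permissive license", lambda i: i.license in {"MIT", "Apache-2.0", "BSD-3-Clause"}, Outcome.APPROVED),
    Criterion("strong copyleft license", lambda i: i.license in {"GPL-2.0", "AGPL-3.0"}, Outcome.REJECTED),
    Criterion("high/critical vulnerability", lambda i: i.max_cvss is not None and i.max_cvss >= 7.0, Outcome.REJECTED),
    Criterion("pinned approved version", lambda i: (i.component, i.version) == ("libfoo", "1.4.2"), Outcome.APPROVED),
]

# Constructed sample inventory items with the outcome each should receive.
SAMPLE_ITEMS = [
    InventoryItem("libfoo", "1.4.2", "MIT", None),          # two approvals, no rejection -> Approved
    InventoryItem("libbar", "2.0.0", "MIT", 9.8),           # critical CVSS outweighs license approval -> Rejected
    InventoryItem("libbaz", "0.9.1", "Custom-EULA", None),  # no criterion applies -> Not Reviewed
]


def review_all(items=SAMPLE_ITEMS, profile=PROFILE):
    return {f"{i.component}@{i.version}": review(i, profile) for i in items}
```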

The following sections provide more information about the application of the review policy.

Events Triggering an Automatic Review of Inventory

In general, whenever an inventory item is published either manually or during a scan or rescan, an automated review by policy takes place. Additionally, any inventory updated during a scan, rescan, Electronic Update, or Library Refresh is automatically reviewed.

User Actions Triggering an Automatic Review of Inventory

The following user actions also trigger an automatic review of inventory.

Because these actions can trigger an automatic review, users do not have to manually unpublish and re-publish individual inventory items to apply the latest policy immediately. Nor do users have to wait for the next scan (or similar event) for an automated review across inventory.

Further Automation of the Inventory Review Process

Users can further automate the review workflow by configuring project-level parameters that determine the actions Code Insight takes once inventory is rejected or given a Not Reviewed status during an automatic review by policy. For example, a remediation or review task can be automatically created for such inventory. See Updating Inventory Review and Remediation Settings for a Project for more information.