
Approving/Rejecting Inventory Items

The next step in the Code Insight process flow is to have security and legal experts review all published inventory and categorize inventory items as either approved or rejected for use in the software project.

Note that the Project Inventory page can include inventory items that were automatically approved or rejected. This automatic review occurs when the policies defined for the project are applied at the time an inventory item is published, created, or updated. (Code Insight also supports forcing an automatic review across inventory at the project or instance level.)

The policies are based on the component version range, licenses, and security vulnerabilities. If a matching policy does not exist for a given inventory item at publication time, the item shows as Not Reviewed. However, the project can be configured to automatically assign review tasks to default legal and security contacts to conduct manual reviews on the non-reviewed items. These reviewers then check for intellectual property (IP) and security compliance. For more information, refer to “Managing Policies to Automatically Review Inventory” and “Updating Review and Remediation Settings for a Project” in the Code Insight User Guide.
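The following is an added example, not Code Insight's own code, that models the automatic review described above: policies keyed on component version range, license, and vulnerability severity are applied to each published inventory item, and an item with no matching policy stays Not Reviewed. The policy fields, the rule that a matching rejection policy always takes precedence over an approval, the generated Usage Guidance text, and the sample components and finding identifiers are all assumptions constructed for illustration.

```python
# Added example (not Code Insight's own code): a minimal model of the
# automatic review that policies apply when an inventory item is published.
# Policy fields, matching rules and sample data are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

# Severity order used to compare a policy threshold against findings.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def version_key(version: str) -> tuple:
    """Turn a dotted version into a comparable tuple, padded to three parts.
    Non-numeric parts sort below any number (e.g. '1.0-beta' < '1.0.0')."""
    parts = [int(p) if p.isdigit() else -1 for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class InventoryItem:
    component: str
    version: str
    license: str
    vulnerabilities: list  # list of (finding id, severity) tuples

    def worst_severity(self) -> Optional[str]:
        severities = [sev for _, sev in self.vulnerabilities]
        if not severities:
            return None
        return max(severities, key=lambda s: SEVERITY_RANK.get(s, 0))


@dataclass
class Policy:
    """A policy matches on any combination of component version range,
    license, and vulnerability severity; unset criteria are ignored."""
    name: str
    action: str                         # "Approved" or "Rejected"
    component: Optional[str] = None
    min_version: Optional[str] = None   # inclusive
    max_version: Optional[str] = None   # exclusive
    licenses: frozenset = frozenset()
    min_severity: Optional[str] = None  # match if any finding is at least this bad

    def matches(self, item: InventoryItem) -> bool:
        if self.component is not None:
            if item.component != self.component:
                return False
            key = version_key(item.version)
            if self.min_version and key < version_key(self.min_version):
                return False
            if self.max_version and key >= version_key(self.max_version):
                return False
        if self.licenses and item.license not in self.licenses:
            return False
        if self.min_severity is not None:
            worst = item.worst_severity()
            if worst is None or SEVERITY_RANK[worst] < SEVERITY_RANK[self.min_severity]:
                return False
        return True


def evaluate(item: InventoryItem, policies: list) -> tuple:
    """Return (status, usage_guidance). Any matching Rejected policy wins over
    an Approved one, so a license or vulnerability veto cannot be overridden by
    a broader approval; with no matching policy the item stays Not Reviewed."""
    matched = [p for p in policies if p.matches(item)]
    for wanted in ("Rejected", "Approved"):
        for p in matched:
            if p.action == wanted:
                return wanted, f"{wanted} automatically by policy '{p.name}'."
    return "Not Reviewed", "No matching policy; assign to the legal and security contacts for manual review."


def review_all(items: list, policies: list) -> dict:
    return {f"{i.component}@{i.version}": evaluate(i, policies) for i in items}


# Constructed sample policies and inventory (fictional components and finding ids).
POLICIES = [
    Policy("Reject strong copyleft", "Rejected", licenses=frozenset({"GPL-3.0-only"})),
    Policy("Reject High or Critical vulnerabilities", "Rejected", min_severity="High"),
    Policy("Approve example-http-lib 2.x", "Approved", component="example-http-lib",
           min_version="2.0.0", max_version="3.0.0"),
    Policy("Approve permissive licenses", "Approved",
           licenses=frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})),
]

ITEMS = [
    InventoryItem("example-http-lib", "2.4.1", "Apache-2.0", []),
    InventoryItem("example-http-lib", "2.1.0", "Apache-2.0", [("CONSTRUCTED-0001", "High")]),
    InventoryItem("example-parser", "0.9", "GPL-3.0-only", []),
    InventoryItem("example-parser", "1.0", "LGPL-2.1-only", [("CONSTRUCTED-0002", "Medium")]),
]

if __name__ == "__main__":
    for key, (status, guidance) in review_all(ITEMS, POLICIES).items():
        print(f"{key:24} {status:13} {guidance}")
```

Running the block shows the second `example-http-lib` item rejected for its High finding even though an approval policy matches its version range, and the `LGPL-2.1-only` item left Not Reviewed for the manual legal and security review that the project's default contacts would pick up.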

To approve or reject an inventory item:

  1. Open the Project Inventory page. The Inventory Items pane lists all published inventory items.

  2. Click on one of the inventory items. In the right pane, the Inventory Details tab opens for the selected item.

  3. The Vulnerabilities bar graph provides a count of each vulnerability found categorized by severity. Click the bar to see details on the vulnerabilities.

  4. Review the following additional information:

    Area | Description
    Confidence | Indicates the confidence level (High, Medium, or Low) of an inventory item. This level is the measure of the strength of the discovery technique used to generate the inventory item. The confidence level is represented by a graph with three segments: three shaded segments indicate High confidence, two indicate Medium, and one indicates Low. For more information, refer to “Inventory Confidence” in the Code Insight User Guide.
    Encryption | Indicates whether the inventory item contains encryption technology.
    Priority | Specifies the priority of the inventory item in terms of its importance within the scope of the inventory review process, with P1 as the highest priority. You can change the priority for this inventory item by selecting a different value from the list. For more information, refer to “Inventory Priority” in the Code Insight User Guide.
    Status | Shows the status of the inventory item as Approved, Rejected, or Not Reviewed.
    Inventory Details Tab | Shows details about the inventory item, including usage information and links to any open or closed tasks for the item. If your Code Insight installation is integrated with an external workflow system that tracks the tasks, links to this system and to details about your workflow request might be available.
    Component Details Tab | Lists additional details about the inventory item.
    Notices Text Tab | Displays the As-Found License Text found in the codebase during the scan. Depending on the detection technique, this field can show actual license text for one or more licenses or be a reference to a license. The As-Found License Text content cannot be edited, but you can copy it to the Notices Text field (also on this tab) if you need to modify it. Any text in the Notices Text field is considered final and is included in the Notices report. If the Notices Text field is empty, Code Insight uses the contents of the As-Found License Text field as the license text for the inventory item in the Notices report. If both fields are empty, the report uses the license content from the Revenera Data Library.
    Notes & Guidance Tab | Lists the following information:
        Detection Notes: Notes generated by Code Insight that specify the automated detection technique used to locate the component; license information (in the case that the license has changed from one version to another or the component has multiple licenses); and attributes extracted from a POM or Manifest file containing project and configuration details.
        Audit Notes: Notes entered by the analyst based on findings during the analysis.
        Usage Guidance: Notes that indicate how the component should or should not be used in accordance with company policy. This content can be automatically generated to explain the specific policy behind why the current inventory item was automatically approved or rejected during a scan. The reviewer can also manually add notes that offer guidance on keeping the component within policy parameters.
        Remediation Notes: Notes entered by the security or legal experts related to remediation actions required for the given inventory item. For inventory items that are rejected, the security and legal experts can use the Remediation Notes field to record the steps the Engineering team must take to fix the items. (The remediation steps are also found in the Excel version of the Audit Report.)
    Usage | Lists details such as how the item is distributed with your product, how the item’s libraries are linked to your product, whether the item provides encryption technology, whether you have modified its code, and so forth. Usage details are important in determining how closely to monitor inventory items for intellectual property (IP) and security risk and in taking appropriate action to approve or reject inventory, create tasks for remediation, and issue alerts and notifications. Usage can also determine whether the item should be included in Third-Party Notices and what steps need to be taken to satisfy license obligations and conditions of use.
    Associated Files Tab | Lists the codebase files associated with the inventory item.
  5. After you review the inventory item’s information, mark it Approved or Rejected by clicking the appropriate icon in the Status column of the Inventory Items pane. A circle appears around the selected status icon. Until the item has been approved or rejected, it remains in Not Reviewed status.