Ensuring Proper Configuration for the Library Refresh

The Library Refresh service always updates the Code Insight Data Library tables with new vulnerability data and information that maps new vulnerabilities to component versions. However, the service requires that certain configurations be in place in order to display alerts in the UI, send users email notifications of these alerts, and create remediation tasks for inventory items rejected due to new vulnerabilities that violate policy.

The following sections describe these requirements:

Required Configuration for Displaying and Sending Alerts and Creating Remediation Tasks

Enable the post-Update phase of the Electronic Update if you want the Library Refresh to do any of the following:

  • Display alerts in the user interface for inventory associated with the new vulnerabilities

  • Send these alerts in email notifications to users

  • Create remediation tasks for inventory items rejected due to their association with new vulnerabilities that exceed policy thresholds

By default, this phase is enabled. See Configuring the Electronic Update to Skip the Post-Update Phase for more details about this phase and how to re-enable it should it be disabled.

If you do not want the Library Refresh to perform the tasks listed above, disable the post-Update phase of the Electronic Update. (Note that disabling this phase also impacts the Electronic Update.) The Library Refresh still updates the Data Library tables with new vulnerability data and information that maps the new vulnerabilities to component versions.

Additional Configuration Required for Email Notifications

Email notifications of alerts require that an email server be configured for Code Insight. For more information, see Configuring an Email Server.

Additional Configuration Required for Remediation-Task Creation

The creation of a remediation task for an inventory item that is automatically rejected due to its association with a given new vulnerability is based on the policy profile assigned to the inventory’s project and on the project’s Review and Remediation settings. The policy profile sets the vulnerability severity and CVSS-score thresholds that, if exceeded, automatically reject inventory associated with a given new vulnerability (see the “Policy Details Window” section in the Code Insight User Guide). However, the project’s review and remediation settings actually enable the Library Refresh to create remediation tasks for the rejected inventory, as described next.

Project Options for Automatic Creation of Remediation Tasks

Ensure that the following Review and Remediation options are selected for any projects for which you want the Library Refresh to create remediation tasks for inventory rejected due to vulnerability policies.

Note: Refer to the “Updating Inventory Review and Remediation Settings for a Project” section in the Code Insight User Guide for information about accessing and defining these options for existing individual projects. Also see Setting Project Defaults in this guide for information about accessing and defining these options as system-wide defaults for all new projects.

  • In the Automated Review Options section of Review and Remediation settings for a project, select Automatically reject inventory items impacted by a new vulnerability that violates your policy.

    • If you do not want the Library Refresh to reject inventory associated with vulnerabilities that violate policy, do not select this option. Remediation tasks are not created during the Library Refresh. (That is, the option selected for Remediation Options is ignored by the Library Refresh.)
    Note: Keep in mind that the option you select in the Automated Review Options section also applies to new vulnerabilities discovered during an Electronic Update.

  • In the Remediation Options section of Review and Remediation settings for a project, select either Automatically create a remediation task or Automatically create a remediation task and external work item.

    • If you do not want the Library Refresh to create remediation tasks for inventory rejected by policy, select Send an email notification to the project contact or Do nothing.
    Note: Keep in mind that the option you select in the Remediation Options section also applies to the automatic creation of remediation tasks for inventory rejected by any policy during an Electronic Update, a scan, or the manual publication of inventory by an analyst.
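The settings described above combine into a small decision chain that is easy to get wrong when one of them is left in a default state. The following is an added illustration, not Code Insight code: it models how the post-Update phase, the email server, the Automated Review option, the Remediation option and the policy CVSS threshold determine what a Library Refresh does for one inventory item. The `Setup` field names and the strictly-greater reading of "exceeded" are assumptions.

```python
"""Simplified model of what a Library Refresh does for one inventory item
that is associated with a newly published vulnerability.
Added illustration only; names and threshold comparison are assumptions."""
from dataclasses import dataclass

# Remediation Options values as quoted on the page.
CREATE_TASK = "Automatically create a remediation task"
CREATE_TASK_AND_WORK_ITEM = (
    "Automatically create a remediation task and external work item")
EMAIL_CONTACT = "Send an email notification to the project contact"
DO_NOTHING = "Do nothing"
TASK_CREATING_OPTIONS = {CREATE_TASK, CREATE_TASK_AND_WORK_ITEM}


@dataclass
class Setup:
    post_update_enabled: bool        # Electronic Update post-Update phase
    email_server_configured: bool    # "Configuring an Email Server" done
    auto_reject_on_new_vuln: bool    # Automated Review Options checkbox
    remediation_option: str          # one of the four values above
    cvss_threshold: float            # from the project's policy profile


def library_refresh_outcome(setup: Setup, cvss_score: float) -> dict:
    """Return which effects the refresh has for the given CVSS score.
    Assumption: 'threshold exceeded' means strictly greater than."""
    out = {
        "data_library_updated": True,   # always happens, per the page
        "alert_shown": False,
        "alert_emailed": False,
        "inventory_rejected": False,
        "task_created": False,
    }
    if not setup.post_update_enabled:
        return out                      # tables updated, nothing else
    # Alerts cover all inventory associated with the new vulnerability.
    out["alert_shown"] = True
    out["alert_emailed"] = setup.email_server_configured
    violates_policy = cvss_score > setup.cvss_threshold
    if violates_policy and setup.auto_reject_on_new_vuln:
        out["inventory_rejected"] = True
        # The Remediation option is only consulted for rejected items.
        out["task_created"] = setup.remediation_option in TASK_CREATING_OPTIONS
    return out
```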