# AI Plan and AI Remediate

## Understanding AI Plan and AI Remediation

[Gates and policies](https://docs.veedna.com/sbom360-osm/policies-and-gates) applied to an org result in the creation of [findings](https://docs.veedna.com/sbom360-osm/explore-your-sbom/findings). A finding is simply a policy violation. Lineaje uses AI to create plans and suggest remediations for these findings. Once a plan is selected, JIRA tickets are raised for all the components in the plan, and the AI recommendation is listed in each ticket as the remediation.

### What is an AI generated plan?

Lineaje uses AI to generate 3 different plans as described below.

#### **Compatible Update**

The "Compatible Update Plan" guides you through applying update patches that are safe and compatible. It is an immediate update plan: it addresses vulnerabilities quickly without introducing significant changes or disruption to your system.

#### **Minor Update**

The "Minor Update Plan" is intended for minor software updates. It suggests changes that enhance security and functionality, but some testing is recommended to ensure seamless operation after the update. This plan strikes a balance between addressing vulnerabilities and maintaining system stability.

#### **Major Update**

The "Major Update Plan" addresses all unfixed vulnerabilities and issues related to unmaintained components. It involves thorough remediation efforts, including outsourcing of fixes for inner-sourced OSS components. This plan ensures comprehensive security coverage by addressing the underlying OSS dependency issues.

### What happens when a plan is selected?

When a plan is selected, a JIRA ticket is created with the finding details and the AI recommendation. It is mandatory to [configure JIRA](https://docs.veedna.com/sbom360-osm/ai-plan-and-ai-remediate/jira-integration) before a plan can be selected.

* If the plan selected is either Compatible Update or Minor Update, the components under the plan are added to the configured JIRA project.
* If the plan selected is "Major Update", then:
  * components that can be fixed locally are added to the configured JIRA project. These typically include private components, third-party components, and open source components with known fixes.
  * open source components without fixes are eligible for outsourcing of fixes and are added to an external JIRA project.

In the configured JIRA project, one JIRA Epic is created for each Lineaje project.

<figure><img src="https://2983949833-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzRZpxg1UUX5iPuJAfelm%2Fuploads%2FyGHFzeJjiGyy6DmLmAA5%2Fimage.png?alt=media&#x26;token=74784e0a-d355-4b44-8fe9-40db14ba642f" alt=""><figcaption></figcaption></figure>

* The Epic summary gives the project name, version, and project id.
* Each component that is part of the plan is represented by a story under the Epic.
* The Epic carries the label "Lineaje AI".

<figure><img src="https://2983949833-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzRZpxg1UUX5iPuJAfelm%2Fuploads%2FeOHJiRIb7S2vS4YVFKuE%2Fimage.png?alt=media&#x26;token=4caa3b81-5652-4d07-b589-5eff9635f235" alt=""><figcaption></figcaption></figure>

* Each story represents one component that is part of the plan.
* Each story summary gives the project name, version, project id, and the component name:version.
* Each story provides the details and the action to take:
  * Plan selected
  * Component details
  * Classification of the component
  * Policies contributing to the current finding
  * AI Recommendation
  * Details about the vulnerabilities present in the component
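The routing and ticket structure described above can be modelled in a few lines. The following is an added illustration, not Lineaje product code: the component classifications, the JIRA destinations ("configured" and "external"), the field names and the sample project are all assumptions, chosen only to show how the three plans differ in where a component's story ends up and what each story carries.

```python
"""Illustrative model of how a selected AI plan maps onto JIRA Epics and stories.
Added example, not Lineaje product code; classifications, field names and the
sample project below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

PLANS = ("Compatible Update", "Minor Update", "Major Update")
AI_LABEL = "Lineaje AI"          # label the page says each Epic carries
VULN_POLICY = "vulnerability"    # policy category that produces a Vulnerability Finding


@dataclass
class Finding:
    policy_type: str   # "vulnerability", "attestation", "risk_level", "code_quality", "security_posture"
    policy_name: str


@dataclass
class Component:
    name: str
    version: str
    classification: str          # "private", "third-party" or "open-source" (assumed labels)
    fix_available: bool          # True when a fixed version is known upstream
    recommended_version: str     # the AI recommendation; a constructed value here
    findings: List[Finding] = field(default_factory=list)


@dataclass
class Project:
    name: str
    version: str
    project_id: str
    components: List[Component] = field(default_factory=list)


def vulnerability_findings(project: Project) -> List[Finding]:
    """Findings raised by vulnerability policies; other policy categories are excluded."""
    return [f for c in project.components for f in c.findings if f.policy_type == VULN_POLICY]


def eligible_for_ai_plan(project: Project) -> bool:
    """A project is listed under AI Plan once it has at least one Vulnerability Finding."""
    return len(vulnerability_findings(project)) > 0


def fixable_locally(component: Component) -> bool:
    """Private and third-party components, and open-source components with a known fix."""
    return component.classification != "open-source" or component.fix_available


def route_component(plan: str, component: Component) -> str:
    """Return 'configured' or 'external': the JIRA project that receives the story.
    Only the Major Update plan sends unfixed open-source components to the external project."""
    if plan not in PLANS:
        raise ValueError(f"unknown plan: {plan}")
    if plan == "Major Update" and not fixable_locally(component):
        return "external"
    return "configured"


def build_tickets(plan: str, project: Project,
                  excluded: FrozenSet[str] = frozenset()) -> Dict[str, dict]:
    """Build one Epic per destination JIRA project, with one story per in-plan component.
    `excluded` holds component names deselected under 'View Details' before 'Save Plan'."""
    epics: Dict[str, dict] = {}
    for comp in project.components:
        if comp.name in excluded:
            continue
        dest = route_component(plan, comp)
        epic = epics.setdefault(dest, {
            "summary": f"{project.name} {project.version} ({project.project_id})",
            "labels": [AI_LABEL],
            "stories": [],
        })
        epic["stories"].append({
            "summary": f"{project.name} {project.version} ({project.project_id}) "
                       f"{comp.name}:{comp.version}",
            "plan": plan,
            "classification": comp.classification,
            "policies": sorted({f.policy_name for f in comp.findings}),
            "ai_recommendation": f"upgrade to {comp.recommended_version}",
            "vulnerability_findings": [f.policy_name for f in comp.findings
                                       if f.policy_type == VULN_POLICY],
        })
    return epics


# Constructed sample project: three components with mixed classification and fix availability.
SAMPLE = Project("example-app", "1.6.4", "PRJ-0001", [
    Component("lib-private", "2.0.0", "private", True, "2.0.1",
              [Finding("vulnerability", "Critical CVE policy")]),
    Component("vendor-sdk", "3.1.0", "third-party", True, "3.2.0",
              [Finding("vulnerability", "High CVE policy"),
               Finding("security_posture", "No SBOM policy")]),
    Component("oss-parser", "0.9.0", "open-source", False, "(no fixed release)",
              [Finding("vulnerability", "Unfixed CVE policy")]),
])

if __name__ == "__main__":
    for plan in PLANS:
        tickets = build_tickets(plan, SAMPLE)
        print(plan, {dest: len(epic["stories"]) for dest, epic in tickets.items()})
```

Running the block shows the difference between the plans on the sample data: Compatible Update and Minor Update put all three stories under one Epic in the configured project, while Major Update keeps two stories there and sends the unfixed open-source component to a second Epic in the external project. Excluding that component under "View Details" collapses the Major Update plan back to a single Epic.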

### Where can I see the projects that are part of AI Remediation?

The "AI Plan & AI Remediate" entry on the left navigation bar shows the list of projects under plan and under remediate.

<figure><img src="https://2983949833-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzRZpxg1UUX5iPuJAfelm%2Fuploads%2FJZJTuW2enonX87umuZng%2Fimage.png?alt=media&#x26;token=5f0edffe-e80d-470b-89d8-fee422763adc" alt=""><figcaption></figcaption></figure>

* The AI Plan tab lists the projects that are eligible for AI Plan. Any project that has at least one Vulnerability Finding is eligible for AI Plan.
* The AI Remediate tab lists the projects that are part of an AI Remediate plan.

### AI Plan and Remediate example

For example, below is a project for Atlassian Velocity (atlassian-apache-velocity-1.6.4-atlassian, <https://bitbucket.org/atlassian/apache-velocity-1.6.4-atlassian>).

<figure><img src="https://2983949833-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzRZpxg1UUX5iPuJAfelm%2Fuploads%2FbwGYmRRsr0IkfDwWjnCq%2Fimage.png?alt=media&#x26;token=a80d0696-25c7-4507-9eff-2ec113b76976" alt=""><figcaption></figcaption></figure>

With all the gates and policies applied to this org, and hence to the project, there are 3 components and a total of 10 findings. Of the 10 findings, 9 are created by vulnerability related policies and the remaining one is created by a software integrity related policy.

A new option, "Vulnerability Findings", is shown towards the top right with a "Create Plan" button. This option is the entry point to the AI Plan and AI Remediate feature.

### What is a Vulnerability Finding?

Any finding (policy violation) that results from a check against the vulnerabilities of a component is shown as a Vulnerability Finding.

Findings can be generated by a policy checking for violations against vulnerability, attestation (LACL), Risk Level (IRL), Code Quality Issues, or Security Posture Issues. Only a finding created by a policy that checks the vulnerabilities of a component is shown as a Vulnerability Finding.

### Preview plans

Clicking "Create Plan" in the findings tab or on the "AI Plan and AI Remediate" tab generates a preview of the available plans.

<figure><img src="https://2983949833-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzRZpxg1UUX5iPuJAfelm%2Fuploads%2FqH81QaRTbZdngL6yY3vx%2Fimage.png?alt=media&#x26;token=2a152f5e-e194-4eea-b7f8-b577bdc42a2e" alt=""><figcaption></figcaption></figure>

* Each plan shows a summary of the plan.
* Each plan shows a list of the top 10 components and their recommended upgrades.
* A "View Details" option lists all components that can be remediated as part of the plan.

<figure><img src="https://2983949833-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzRZpxg1UUX5iPuJAfelm%2Fuploads%2Fb6Iz3vaSiwYBZ0cnLx5p%2Fimage.png?alt=media&#x26;token=9292b24f-e031-420a-b9f9-ad9fcf13c8ee" alt=""><figcaption></figcaption></figure>

* By default, all components are selected to be part of the remediation.
* You can exclude specific components that should not be part of the plan.
* Click "Save Plan" to save the changes.
* Click "Return to AI Plans".

<figure><img src="https://2983949833-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzRZpxg1UUX5iPuJAfelm%2Fuploads%2Fh9lAlkUg0v8SvFUWnncU%2Fimage.png?alt=media&#x26;token=edae82e3-7fd5-44c8-883d-12f38a4d2f60" alt=""><figcaption></figcaption></figure>

### Select a plan

* Click "Select Plan" to select the plan.
* Note that a JIRA integration is required for the "Select Plan" option to appear.
* On applying the plan, JIRA tickets are created automatically.
* Lineaje periodically checks for changes in the ticket states and reflects the status.

<figure><img src="https://2983949833-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzRZpxg1UUX5iPuJAfelm%2Fuploads%2FtnZfixRE1R5Q9rD9r1XW%2Fimage.png?alt=media&#x26;token=3add5738-1758-4db3-a31a-5146ec0f34a4" alt=""><figcaption></figcaption></figure>

