AI Plan and AI Remediate

Select a Lineaje AI generated plan and remediate your findings

Understanding AI Plan and AI Remediation

Gates and policies applied to an org result in findings; a finding is simply a policy violation. Lineaje uses AI to create several plans and suggest remediations. Once a plan is selected, JIRA tickets are raised for all the components in the plan, and an AI recommendation is listed for each remediation.

What is AI generated plan?

Lineaje uses AI to generate 3 different plans as described below.

Compatible Update

The "Compatible Update Plan" focuses on guiding you through the application of update patches that are safe and compatible. It's akin to an immediate update plan swiftly addressing vulnerabilities without introducing significant changes or disruption to your system.

Minor Update

The "Minor Update Plan" is ideal for software minor updates. While it suggests changes that enhances security and functionality, some testing is recommended to ensure seamless operation post-update. This plan strikes a balance between addressing vulnerabilities and maintaining system stability.

Major Update

The "Major Update Plan" addresses all unfixed vulnerabilities and issues related to unmaintained components. It involves thorough remediation efforts, including outsourcing of inner-sourcing OSS component fixes. This plan ensures comprehensive security coverage by addressing underlying OSS dependency issues.

What happens when a plan is selected?

When a plan is selected, a JIRA ticket is created with the finding details and AI recommendation. It is mandatory to configure JIRA to select a plan.

  • If the plan selected is either Compatible Update or Minor Update, then all components under the plan are added to the configured JIRA project.

  • If the plan selected is "Major Update", then the

    • components that can be fixed locally are added to the configured JIRA project. These typically include private components, third-party components, and open source components with known fixes.

    • open source components without fixes are eligible for outsourced fixes and are added to an external JIRA project.

In the configured JIRA project, one JIRA EPIC is created for each Lineaje project.

  • The EPIC summary gives the project name, version and project id

  • Every component that is part of the plan is represented by a story under the epic

  • The epic carries the label "Lineaje AI"

  • Each story represents one component that is part of the plan

  • Each story's summary gives the project name, version, project id and component name:version

  • Each story provides a summary and an action:

    • Plan selected

    • Component details

    • Classification of the component

    • Policies contributing to the current finding

    • AI Recommendation

    • Details about the vulnerabilities present in the component

Where can I see the projects that are part of AI Remediation?

The AI Plan & AI Remediate entry on the left navigation bar shows the list of projects under plan and remediate.

  • The AI Plan tab lists the projects that are eligible for AI Plan. Any project that has at least one Vulnerability Finding is eligible for AI Plan.

  • The AI Remediate tab lists the projects that are part of an AI Remediate plan.

AI Plan and Remediate example

For example, below is a project for Atlassian Velocity (atlassian-apache-velocity-1.6.4-atlassian, https://bitbucket.org/atlassian/apache-velocity-1.6.4-atlassian).

With all the gates and policies of this org applied to the project, there are 3 components and a total of 10 findings. Of the 10 findings, 9 are created by vulnerability-related policies and the remaining one by a software-integrity-related policy.

A new option, "Vulnerability Findings", is shown towards the top right together with a "Create Plan" action. This option is used to exercise the AI Plan and AI Remediate feature.

What is a Vulnerability Finding?

Any finding (policy violation) that results from a check against the vulnerabilities of a component is shown as a Vulnerability Finding.

Findings can be generated by policies checking for violations against vulnerabilities, attestation (LACL), Risk Level (IRL), Code Quality Issues or Security Posture Issues. If a finding is created by a policy that checks a component's vulnerabilities, it is shown as a vulnerability finding.

Preview plans

Clicking on "Create Plan" in the findings tab or on the "AI Plan and AI Remediate" tab generates the preview of the available plans.

  • Each plan shows a summary of the plan

  • Each plan shows a list of (top 10) components and their recommended upgrades.

  • A "View Details" option lists all components that can be remediated as part of the plan

  • By default, all components are selected to be part of the remediation.

  • You can exclude specific components that should not be part of the plan

  • Click "Save Plan" to save the changes

  • Click "Return to AI Plans"

Select a plan

  • Click on "Select Plan" to select the plan.

  • Note that a JIRA integration is a must for the "Select Plan" to appear

  • On applying the plan, JIRA tickets will be created automatically

  • Lineaje periodically checks for the changes in the tickets states and reflects the status.
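The following Python is an added illustration of the rules described on this page, from "What happens when a plan is selected?" through "Select a plan": which findings count as vulnerability findings (and so make a project eligible for AI Plan), how each plan type routes components between the configured and the external JIRA project, how the epic and its per-component stories are shaped, how components excluded in the preview are dropped, and why selecting a plan fails without a JIRA integration. It is not Lineaje's code and calls neither the Lineaje nor the JIRA API; every class, function and field name, the component names, versions, policy names and finding details are assumptions, and the project id is a placeholder.

```python
# Hypothetical model of how a selected AI plan turns into JIRA work items.
# Illustration only: not Lineaje's code, no Lineaje or JIRA API calls; every
# class, function and sample value here is assumed.
from dataclasses import dataclass
from enum import Enum


class Plan(Enum):
    COMPATIBLE_UPDATE = "Compatible Update"
    MINOR_UPDATE = "Minor Update"
    MAJOR_UPDATE = "Major Update"


@dataclass(frozen=True)
class Finding:
    component: str
    policy: str
    category: str  # "vulnerability", "attestation (LACL)", "risk level (IRL)", ...
    detail: str = ""


@dataclass
class Component:
    name: str
    version: str
    classification: str  # "private", "third-party" or "open-source"
    fix_available: bool  # a known fixed release exists
    ai_recommendation: str = ""


@dataclass
class Project:
    name: str
    version: str
    project_id: str
    components: list
    findings: list


EPIC_LABEL = "Lineaje AI"


def vulnerability_findings(findings):
    # Only findings raised by a policy that checks a component's vulnerabilities.
    return [f for f in findings if f.category == "vulnerability"]


def eligible_for_ai_plan(project):
    # A project is listed under AI Plan once it has at least one vulnerability finding.
    return bool(vulnerability_findings(project.findings))


def route_components(plan, components):
    # Compatible and Minor plans send everything to the configured JIRA project; only
    # the Major plan sends open-source components without a fix to the external project.
    def fixable_locally(c):
        return c.classification != "open-source" or c.fix_available
    if plan is not Plan.MAJOR_UPDATE:
        return list(components), []
    return ([c for c in components if fixable_locally(c)],
            [c for c in components if not fixable_locally(c)])


def build_story(project, plan, component):
    # One story per component, carrying the fields the page lists for a story.
    own = [f for f in project.findings if f.component == component.name]
    return {
        "summary": f"{project.name} {project.version} [{project.project_id}] {component.name}:{component.version}",
        "plan": plan.value,
        "component": {"name": component.name, "version": component.version},
        "classification": component.classification,
        "policies": sorted({f.policy for f in own}),
        "ai_recommendation": component.ai_recommendation,
        "vulnerabilities": [f.detail for f in vulnerability_findings(own)],
    }


def build_epic(project, plan, components):
    # One epic per project: summary with name, version and id, labelled "Lineaje AI".
    return {
        "summary": f"{project.name} {project.version} [{project.project_id}]",
        "labels": [EPIC_LABEL],
        "stories": [build_story(project, plan, c) for c in components],
    }


def select_plan(project, plan, excluded=(), jira_configured=True):
    # Epics a plan selection raises; `excluded` holds components deselected in the preview.
    if not jira_configured:
        raise RuntimeError("configure a JIRA integration before selecting a plan")
    chosen = [c for c in project.components if c.name not in set(excluded)]
    internal, external = route_components(plan, chosen)
    epics = {"configured": build_epic(project, plan, internal)}
    if external:
        epics["external"] = build_epic(project, plan, external)
    return epics


# Constructed sample shaped like the page's example: 3 components, 10 findings
# (9 from vulnerability policies, 1 from a software-integrity policy). Names,
# versions, policies and finding details are made up; the project id is a placeholder.
SAMPLE_PROJECT = Project(
    name="atlassian-apache-velocity-1.6.4-atlassian", version="1.6.4",
    project_id="PROJECT-ID-PLACEHOLDER",
    components=[
        Component("lib-a", "1.0.0", "open-source", True, "Upgrade to 1.0.3"),
        Component("lib-b", "2.1.0", "open-source", False, "No fixed release; outsource the fix"),
        Component("internal-util", "0.9.0", "private", True, "Upgrade to 0.9.1"),
    ],
    findings=[Finding("lib-a", "no-critical-vulns", "vulnerability", f"VULN-A-{i}") for i in range(3)]
    + [Finding("lib-b", "no-critical-vulns", "vulnerability", f"VULN-B-{i}") for i in range(5)]
    + [Finding("internal-util", "no-critical-vulns", "vulnerability", "VULN-U-0"),
       Finding("internal-util", "signed-artifacts-only", "software integrity", "unsigned build")],
)
```

Running `select_plan(SAMPLE_PROJECT, Plan.MAJOR_UPDATE)` yields two epics: the configured project receives stories for the private component and the open-source component with a known fix, while the open-source component without a fix lands in the external epic; under `Plan.COMPATIBLE_UPDATE` or `Plan.MINOR_UPDATE` the same input produces a single epic with all three stories. The one design choice worth noting is that story fields are derived from the findings rather than copied from a plan object, so the "policies" and "vulnerabilities" entries always agree with what the gates actually flagged.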
