FlexNet Code Insight - Project Report Operational Risk Index (ORI) Explained
FlexNet Code Insight includes a Project Report containing an Operational Risk Index (ORI), which represents the overall level of risk in a given project.
The Operational Risk Index is based on one of two elements: (1) inventory items, if there are enough of them to matter; or (2) the number of copyright or license matches, whichever of the two is higher.
The reasoning is that if the inventory count is low, file-level scan results matter more: they represent the risk that remains when only the inventory items are reviewed and the file-level evidence is not manually analyzed. This is especially true for technologies where automated inventory counts are typically low, e.g. C/C++. Conversely, if the inventory count is high, inventory priority is a good-enough approximation of the overall risk in the project.
The threshold for inventory count is configurable in the project report template with a default value of 10.
If the inventory count is high, we look at the percentage of P1 inventory items and determine the risk index from a configurable range. The defaults are LOW (<10), MEDIUM (10-24), HIGH (25+).
If the inventory count is low, we look at the higher of the absolute number of copyright matches or license matches and determine the risk index from a configurable range. The defaults are LOW (<10), MEDIUM (10-24), HIGH (25+). We picked these evidence types because each copyright and license typically yields an inventory item, since both claim ownership over files. These evidence types are good approximations of the overall complexity and likely inventory count for a given project codebase.
This feature was designed to be configurable by adjusting the inventory threshold as well as the ranges for inventory count and copyright/license match count.
You can play around with the numbers by un-hiding the data worksheet in the project report template, located in /tomcat/webapps/codeinsight/WEB-INF/classes/project_report_template.xlsx. If you make any changes to this template, you need to re-generate the project report to see the changes.
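The ORI decision described above, written out as an added Python example (not FlexNet Code Insight's own code or the template's worksheet formulas) so the effect of the threshold and ranges can be checked before editing the template. The `OriConfig` names, the sample project numbers, and the choice to treat an inventory count equal to the threshold as "high" are all assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OriConfig:
    """Thresholds as described for the report template (defaults as on the page).

    Assumption: an inventory count equal to inventory_threshold counts as "high".
    """
    inventory_threshold: int = 10
    # (medium_min, high_min): below medium_min is LOW, at or above high_min is HIGH,
    # so the defaults give LOW (<10), MEDIUM (10-24), HIGH (25+).
    p1_percent_range: tuple = (10, 25)
    evidence_range: tuple = (10, 25)


def band(value, rng):
    """Map a percentage or a match count onto LOW / MEDIUM / HIGH."""
    medium_min, high_min = rng
    if value >= high_min:
        return "HIGH"
    if value >= medium_min:
        return "MEDIUM"
    return "LOW"


def operational_risk_index(inventory_count, p1_count, copyright_matches,
                           license_matches, cfg=OriConfig()):
    """Return (index, basis); basis names the element that drove the result."""
    if inventory_count >= cfg.inventory_threshold:
        # Enough inventory: the share of P1 items approximates project risk.
        p1_percent = 100.0 * p1_count / inventory_count
        return band(p1_percent, cfg.p1_percent_range), "p1_percent"
    # Too little inventory: fall back to the higher of copyright / license matches,
    # which stand in for the evidence that was never turned into inventory items.
    evidence = max(copyright_matches, license_matches)
    return band(evidence, cfg.evidence_range), "evidence"


# Constructed sample projects, not real scan data: (inventory, P1, copyright, license)
SAMPLE_PROJECTS = {
    "java-app": (40, 4, 120, 95),  # enough inventory: 10% P1 -> MEDIUM
    "cpp-lib": (3, 3, 7, 12),      # few items: max(7, 12) = 12 matches -> MEDIUM
    "firmware": (0, 0, 30, 2),     # no inventory: 30 copyright matches -> HIGH
}


def score_samples(cfg=OriConfig()):
    return {name: operational_risk_index(*vals, cfg=cfg)
            for name, vals in SAMPLE_PROJECTS.items()}


if __name__ == "__main__":
    for name, (index, basis) in score_samples().items():
        print(f"{name}: ORI={index} (based on {basis})")
```

Note that "cpp-lib" has 100% P1 inventory yet scores MEDIUM, because with only 3 items the evidence counts decide; raising `inventory_threshold` in the config moves more projects onto the evidence path.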