This document describes the product scanning scenario. Start by getting acquainted with the Unified Agent (UA).

Unified Agent (UA)

Overview

The Unified Agent is a Java command-line tool that scans the open source components found under a directory for vulnerable libraries and license complications and displays the results in the WhiteSource web application. It works as follows: the directories are scanned to identify the open source components, and the Unified Agent then checks each newly found component against organizational policies. Note that no source code is scanned; only descriptive information about the components is sent to WhiteSource.

...

  • apiKey - unique identifier of the organization. It can be retrieved from the 'Integrate' page in your WhiteSource account. Treat it as a secret: anyone holding it can upload scan results into your organization.
  • userKey - unique identifier of the user; it is optional. It can be generated from the 'Profile' page in your WhiteSource account. With the user key, WhiteSource can tell who ran the scan.
  • wss.url - enable the URL that matches your organization's WS Server URL, shown on your Profile page in the Server URLs panel (it can also be found on the Integrate page). Then add the agent path to it in the config file. There are three versions of wss.url:
  • productToken - identifies which product is scanned. After a new product has been added, its productToken can be retrieved from the 'Integrate' page in your WhiteSource account. A product can contain many projects.
  • projectToken - after the scan runs, the output goes to this project. The projectToken can be retrieved from the 'Integrate' page in your WhiteSource account.
    • Best practices - WhiteSource recommends placing the project and product names in the configuration file (versions are optional). This is preferable for the first-time setup, as it automatically creates a new project and product in WhiteSource. If names or versions change rapidly, use the 'projectToken' and 'productToken' of the existing WhiteSource counterparts instead.

...

      The Package Manager Dependency Resolvers section lists every dependency resolver UA can use (for example #resolveDependencies=false). All of these lines are commented out, so none of the resolvers is switched off and UA resolves dependencies for every package manager it detects. GEANT has many different projects built with many technologies and written in many different languages, so it is safer to leave all resolvers enabled.

...

To execute the Unified Agent from the command line, run the following on the computer that holds the project directory the Unified Agent will scan.

Linux/macOS:

java -jar /path/to/wss-unified-agent.jar -c /path/to/wss-unified-agent.config -d /path/to/project/root/directory

Windows:

java -jar "C:\path\to\wss-unified-agent.jar" -c "C:\path\to\wss-unified-agent.config" -d "C:\path\to\project\root\directory"

Note: when scanning locally, the build tools and package managers the project uses must be installed on that machine, because the Unified Agent invokes them to resolve the project's dependencies.
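The following script is an added example, not WhiteSource code: it checks a Unified Agent config file against the parameters described above (apiKey, userKey, wss.url, product/project names or tokens, and the resolveDependencies switches) before the scan is launched, and assembles the java command line shown above as an argument list. The key names are the ones from this page; the sample config texts are constructed, and the placeholder server URL and jar paths are assumptions to be replaced with your own values.

```python
"""Pre-flight check for a Unified Agent config file (added example, not WhiteSource code)."""
import shlex

# Constructed sample configs; the URL and keys are placeholders, not real values.
GOOD_CONFIG = """\
# organization key from the Integrate page (placeholder value)
apiKey=0123456789abcdef
userKey=fedcba9876543210
wss.url=https://wss.example.invalid/agent
productName=eduMEET
projectName=eduMEET-server
# resolvers stay commented out: all of them remain enabled
#npm.resolveDependencies=false
"""

BAD_CONFIG = """\
userKey=fedcba9876543210
wss.url=http://wss.example.invalid/agent
productName=eduMEET
productToken=abc123
npm.resolveDependencies=false
"""


def parse_config(text):
    """Parse key=value lines of a UA .config file; '#' and '!' lines are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_config(cfg):
    """Return a list of problems; an empty list means the config looks usable."""
    problems = []
    if not cfg.get("apiKey"):
        problems.append("apiKey is missing (organization key from the Integrate page)")
    url = cfg.get("wss.url", "")
    if not url:
        problems.append("wss.url is missing (enable the URL for your WS server)")
    elif not url.startswith("https://"):
        problems.append("wss.url should use https; the apiKey travels with every request")
    # Product and project: a name (first-time setup, created automatically)
    # or a token (existing entity), but it should be clear which one applies.
    for entity in ("product", "project"):
        name, token = cfg.get(f"{entity}Name"), cfg.get(f"{entity}Token")
        if not name and not token:
            problems.append(f"set {entity}Name (creates it) or {entity}Token (existing one)")
        elif name and token:
            problems.append(f"both {entity}Name and {entity}Token set; keep one so the "
                            f"destination of the results is unambiguous")
    # An uncommented resolveDependencies=false silently skips that package manager.
    for key, value in cfg.items():
        if (key == "resolveDependencies" or key.endswith(".resolveDependencies")) \
                and value.lower() == "false":
            scope = key.split(".")[0] if "." in key else "all"
            problems.append(f"{key}=false: {scope} dependencies will not be resolved")
    return problems


def build_command(jar_path, config_path, project_dir):
    """Argument list for 'java -jar <jar> -c <config> -d <dir>' (no shell quoting needed)."""
    return ["java", "-jar", jar_path, "-c", config_path, "-d", project_dir]


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"{label}: {check_config(parse_config(text)) or 'OK'}")
    # Assumed paths; adjust to where the jar and config live on the scanning host.
    print(shlex.join(build_command("/opt/wss/wss-unified-agent.jar",
                                   "/opt/wss/wss-unified-agent.config", "/src/app")))
```

Run the check in the CI job that invokes the agent, and abort before the scan when it reports problems; the argument list can be handed straight to subprocess.run, which avoids the quoting mistakes that paths with spaces cause on the shell command line.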

Running the Unified Agent in a Docker Container

The Unified Agent can also be executed in a Docker container. A Dockerfile template containing different package managers (e.g. Maven, npm) can be found here. The file includes installation commands that let you create a customizable run environment for scanning projects/files, plus a basic (editable) set of package managers.

...

Unified Agent JSON Report

A summary report in JSON format can be generated locally at the end of each scan by setting the 'generateScanReport' configuration parameter when running the Unified Agent.
This report includes information on vulnerabilities, policy violations, top fixes, and inventory details.

The default filename format of the JSON report is '<project_name>-<yyyy-mm-dd>T<HHmmss>+<UTC offset>-scan_report.json'. 
For example: 'Demo App-2019-06-04T181226+0300-scan_report.json'
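Because the timestamp in the report filename carries a UTC offset, sorting filenames as plain strings can pick the wrong report when scans run from hosts in different time zones. The following added example (not WhiteSource code) parses the filename format stated above and selects the newest report by offset-aware time, optionally for one project; the filenames other than the one from the page are constructed.

```python
"""Pick the newest Unified Agent JSON report by its filename timestamp (added example)."""
import re
from datetime import datetime

# '<project_name>-<yyyy-mm-dd>T<HHmmss>+<UTC offset>-scan_report.json'
# The project name may itself contain '-' or spaces, so the date pattern anchors the split.
REPORT_RE = re.compile(
    r"^(?P<project>.+)-(?P<stamp>\d{4}-\d{2}-\d{2}T\d{6}[+-]\d{4})-scan_report\.json$"
)

# Constructed directory listing; the first name is the example from the page.
SAMPLE_FILES = [
    "Demo App-2019-06-04T181226+0300-scan_report.json",   # 15:12:26 UTC
    "Demo App-2019-06-04T163000+0000-scan_report.json",   # 16:30:00 UTC (newer)
    "other-app-2019-06-05T090000+0200-scan_report.json",  # next day
    "notes.txt",
]


def parse_report_name(filename):
    """Return (project_name, aware datetime) or None if the name is not a UA report."""
    m = REPORT_RE.match(filename)
    if not m:
        return None
    stamp = datetime.strptime(m.group("stamp"), "%Y-%m-%dT%H%M%S%z")
    return m.group("project"), stamp


def latest_report(filenames, project=None):
    """Newest report filename, compared as points in time rather than as strings."""
    best = None
    for name in filenames:
        parsed = parse_report_name(name)
        if parsed is None:
            continue
        proj, stamp = parsed
        if project is not None and proj != project:
            continue
        if best is None or stamp > best[1]:
            best = (name, stamp)
    return best[0] if best else None


if __name__ == "__main__":
    print(latest_report(SAMPLE_FILES, project="Demo App"))
    print(latest_report(SAMPLE_FILES))
```

For the two "Demo App" files, a plain string sort would rank the 181226+0300 report above the 163000+0000 one, although the latter was produced more than an hour later; comparing the parsed, offset-aware timestamps gives the right answer.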

Risk Report

The risk report is a management-level tool that provides a view of all aspects of the account's open source libraries: security, quality, and compliance. It can display libraries for the whole organization as well as per product (application).
The report is available from the "Reports" menu. More about this is here.

Sample of eduMEET project scan report: [PDF attachment, not reproduced in this version of the page]