Versions Compared

Old Version 11

changes.mady.by.user Milica Ristic

Saved on

compared with

New Version 12

changes.mady.by.user Milica Ristic

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This document describes the product scanning scenario and is intended for GEANT WhiteSource administrators. In the beginning, it is necessary to get acquainted with Unified Agent (UA).

Unified Agent (UA)

Overview

The Unified Agent is a Java command-line tool that scans directories' open source components for vulnerable libraries and license complications and displays the results in the WhiteSource web application. The Unified Agent works the following way: Directories are scanned and identify the open-source components, whereupon the Unified Agent checks each new component against organizational policies (note that no source code is scanned - only descriptive information is sent to WhiteSource).

At the end of the Unified Agent's scan, it aggregates the information and uploads it to the WhiteSource web application, where it is presented in an Organization/Product/Project hierarchy, enabling you to view and analyze the scan results. Additionally, an informative report of the results is generated in HTML and JSON formats, located in the 'whitesource' folder. This folder is created in the directory where the Unified Agent ran.

Prerequisites

Java JDK/JRE installation is required in order to run the Unified Agent. The following versions of Java are supported:

...

Additionally, depending on what you are scanning, ensure that the relevant build tools, package managers, etc. are installed. An overview of project types and corresponding project managers is given here.

Installation

  1. Download the Unified Agent .jar file from here.
  2. Download the default configuration file from here and place it in the same directory as the Unified Agent. 

Configuring the Unified Agent

Enter the following parameters in the configuration file:

...

      In the section Package Manager Dependency resolvers, there are all dependencies that UA can scan (#resolveDependencies=false), all are comments so it means that all will be scanned by UA. In GÉANT there are many different projects with many technologies and written in many different languages and it will be safer to scan all dependencies.

Running the Unified Agent from the Command Line (Scanning Procedure)

To run the Unified Agent from the command line, execute the following command on the machine where your code base is located,

...