...

This document describes the product scanning scenario. You are not expected to set up your project in WhiteSource yourself; the work described here is part of the GEANT WhiteSource setup-assistance service. This information is published to provide a deeper understanding of the workflows and functioning of WhiteSource and to capture its key elements.

First, it is necessary to get acquainted with the Unified Agent (UA).

Unified Agent (UA) - Overview

The Unified Agent is a Java command-line tool that scans directories for open-source components, reports vulnerable libraries and license complications, and displays the results in the WhiteSource web application. It works as follows: directories are scanned to identify the open-source components, and the Unified Agent then checks each new component against organizational policies (note that no source code is scanned; only descriptive information is sent to WhiteSource).

...

  • apiKey - unique identifier of the organization. It can be retrieved from the 'Integrate' page in your WhiteSource account.
  • userKey - unique identifier of the user; it is optional. It can be generated from the 'Profile' page in your WhiteSource account. With the user key, WhiteSource recognizes who runs the scan.
  • wss.url - enable the relevant URL according to your organization's WS Server URL, shown on the Server URLs panel of your Profile page (it can also be found in the Integrate tab). Then add the agent path in the config file. There are three versions of wss.url:
  • productToken - identifies which product we scan. First, create a new product.
    To create a new product, do the following:
    1. From the menu bar, select Products > New Product. The Create New Product screen is displayed.

    2. Enter the product name, and click Create.

    The productToken can be retrieved from the 'Integrate' page in your WhiteSource account. Within a product, we can define many projects.

  • projectToken - the projectToken can be retrieved from the 'Integrate' page in your WhiteSource account. To add a new project:
    1. Click Add Project.

    2. Enter the project name, and click Create.

After running the scan, the output goes to the project.

       Best practices - WhiteSource recommends placing the project and product names in the configuration file (versions are optional). This is preferable for the first-time setup, as it automatically creates a new project and product in WhiteSource. If names or versions change rapidly, then use the 'projectToken' and 'productToken' of the existing WhiteSource counterparts instead.

       In the Policies section:

  • checkPolicies - set checkPolicies=false for now; policies are not checked, because we don't have any policies yet.

       In the General section:

  • generateScanReport - uncomment it; when set to true, a report in JSON format is created at the end of the scan, which includes information on vulnerabilities, policy violations, top fixes and inventory details.

       In the Package Manager Dependency Resolvers section, all the dependency types that the UA can scan are listed (#resolveDependencies=false). All of them are commented out, which means that all of them will be scanned by the UA. In GÉANT there are many different projects using many technologies and written in many different languages, so it is safer to scan all dependencies.

...

To run the Unified Agent from the command line, execute the following command on the machine where your code base is located:

Linux/macOS:

java -jar /path/to/wss-unified-agent.jar -c /path/to/wss-unified-agent.config -d /path/to/project/root/directory

Windows:

java -jar "C:\path\to\wss-unified-agent.jar" -c "C:\path\to\wss-unified-agent.config" -d "C:\path\to\project\root\directory"

Note: When the scan is done locally, the software that the project uses must be installed on that machine.
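As an added example (not from this page or from WhiteSource), the following POSIX shell script ties together the configuration keys discussed above and the Linux/macOS run command: it writes the non-secret part of wss-unified-agent.config, refuses a config that stores apiKey or userKey in plaintext, and builds the scan command. It assumes the UA picks up WS_APIKEY and WS_USERKEY from the environment, which is taken from the UA documentation rather than this page; the product name, project name, URL and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the GEANT page or from WhiteSource): writes the
# non-secret part of wss-unified-agent.config with the keys discussed above,
# rejects a config that hard-codes apiKey/userKey, and assembles the scan command.
# Assumption: the UA reads WS_APIKEY / WS_USERKEY from the environment; that is
# taken from the UA documentation, not from this page.

# write_ua_config CONFIG_PATH PRODUCT_NAME PROJECT_NAME WSS_URL
# Uses productName/projectName (the first-time-setup best practice); switch to
# productToken/projectToken once names start changing.
write_ua_config() {
    cfg=$1; product=$2; project=$3; url=$4
    cat > "$cfg" <<EOF
# wss.url: one of the three server URLs from the Server URLs panel, plus the agent path
wss.url=$url
productName=$product
projectName=$project
# Policies are not checked yet (none are defined)
checkPolicies=false
# JSON report: vulnerabilities, policy violations, top fixes, inventory
generateScanReport=true
# Resolver lines stay commented out so every supported dependency type is scanned
#resolveDependencies=false
EOF
}

# check_ua_config CONFIG_PATH: returns 0 when the required non-secret keys are
# present and no credential is stored in the file, 1 otherwise (reason on stdout).
check_ua_config() {
    cfg=$1
    for key in wss.url productName projectName; do
        grep -q "^$key=." "$cfg" || { echo "missing $key"; return 1; }
    done
    if grep -Eq '^(apiKey|userKey)=' "$cfg"; then
        echo "credential hard-coded in $cfg; supply it via WS_APIKEY/WS_USERKEY"
        return 1
    fi
    return 0
}

# ua_command CONFIG_PATH JAR_PATH PROJECT_DIR: prints the Linux/macOS command from
# the page. The secrets never appear on the command line or in the config file.
ua_command() {
    [ -n "$WS_APIKEY" ] || { echo "WS_APIKEY is not set" >&2; return 1; }
    check_ua_config "$1" >/dev/null || return 1
    printf 'java -jar %s -c %s -d %s\n' "$2" "$1" "$3"
}
```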