
This document describes the product scanning scenario. It is not expected that end-users set up their project in Mend themselves. The work described here is part of the GEANT Software Composition Analysis (SCA) assistance service. This information is published to provide a deeper understanding of the workflows and functioning of Mend and capture its key elements.

First of all, it is necessary to get acquainted with the Unified Agent (UA).

Unified Agent (UA)

...

- Overview

The Unified Agent is a Java command-line tool that scans directories for open source components, identifies vulnerable libraries and license complications, and displays the results in the Mend web application. The Unified Agent works the following way: directories are scanned to identify the open-source components, whereupon the Unified Agent checks each new component against organizational policies (note that no source code is shared; only descriptive information is sent to Mend).

At the end of the Unified Agent's scan, it aggregates the information and uploads it to the Mend web application, where it is presented in an Organization/Product/Project hierarchy, enabling the user to view and analyze the scan results. Additionally, an informative report of the results is generated in HTML and JSON formats, located in the 'Mend' folder. This folder is created in the directory where the Unified Agent ran.

Prerequisites

Java JDK/JRE installation is required in order to run the Unified Agent. The following versions of Java are supported:

...

Additionally, depending on what you are scanning, ensure that the relevant build tools, package managers, etc. are installed. An overview of project types and the corresponding package managers is given here.

Installation

  1. Download the Unified Agent .jar file from here.
  2. Download the default configuration file from here and place it in the same directory as the Unified Agent jar file.

Configuring the Unified Agent

Enter the following parameters in the configuration file:

  • apiKey - unique identifier of the organization. It can be retrieved from the 'Integrate' page in your Mend account.
  • userKey - unique identifier of the user (optional). It can be generated from the 'Profile' page in your Mend account. With the user key, Mend recognizes who runs the scan.
  • wss.url - enable the relevant URL according to your organization's Mend Server URL, shown on the Server URLs panel of your Profile page (it can also be found in the Integrate tab). Then add the agent path in the config file. There are three versions of wss.url:
  • productToken - identifies the product to be scanned. First, you need to create a new product.
    To create a new product do the following:
    1. From the menu bar, select Products > New Product. The Create New Product screen is displayed.

    2. Enter the product name, and click Create.

          The productToken can be retrieved from the 'Integrate' page in your Mend account. Within a product, several projects can be defined.

  • projectToken - the projectToken can be retrieved from the 'Integrate' page in your Mend account. To add a new project:
    1. Click Add Project.

    2. Enter the project name, and click Create.

After running the scan, the output goes to the project.

         Best practices - Mend recommends placing the project and product names in the configuration file (versions are optional). This is preferable for the first-time setup, as it automatically creates a new project and product in Mend. If names or versions change rapidly, then use the projectToken and productToken of the existing Mend counterparts instead.

       In the section Policies:

  • checkPolicies - checkPolicies=false for now; policies are not being checked, as we don't have policies yet.

       In the section General:

  • generateScanReport - uncomment it; when set to true, a report in JSON format is created at the end of the scan, which includes information on vulnerabilities, policy violations, top fixes and inventory details.

      In the section Package Manager Dependency Resolvers, all dependency resolvers that the UA can use are listed (#resolveDependencies=false); they are all commented out, which means that all of them will be used by the UA. In GÉANT there are many different projects using many technologies and written in many different languages, so it is safer to scan all dependencies.

Running the Unified Agent from the Command Line (Scanning Procedure)

To run the Unified Agent from the command line, execute the following command on the machine where your codebase is located:

Linux/macOS:

java -jar /path/to/wss-unified-agent.jar -c /path/to/wss-unified-agent.config -d /path/to/project/root/directory

Windows:

java -jar "C:\path\to\wss-unified-agent.jar" -c "C:\path\to\wss-unified-agent.config" -d "C:\path\to\project\root\directory"

Note: when the scan is run locally, the software that the project uses (build tools, package managers) has to be installed on that machine.
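The following script ties the configuration section above (apiKey, userKey, wss.url, product/project tokens or names, checkPolicies, generateScanReport) to the command-line run just shown. It is an added example, not a script from the GÉANT page or from Mend: it generates the Unified Agent configuration from environment variables so that the organization apiKey and userKey never sit in a committed file, restricts the file to its owner, validates that the keys a scan needs are present, and only then invokes the jar. The WSS_* variable names, the default jar path ./wss-unified-agent.jar and the function names are this example's own assumptions; the configuration keys are the ones named on the page.

```shell
#!/bin/sh
# Added example (not GÉANT's or Mend's own tooling). The WSS_* environment
# variable names and the default jar path are assumptions of this example.

# write_wss_config OUTFILE
# Required: WSS_API_KEY, WSS_URL (Mend server URL including the agent path),
# and either WSS_PRODUCT_TOKEN + WSS_PROJECT_TOKEN or WSS_PRODUCT_NAME + WSS_PROJECT_NAME.
# Optional: WSS_USER_KEY. Returns 1 (and writes nothing useful) if a value is missing.
write_wss_config() {
    out="$1"
    [ -n "${WSS_API_KEY:-}" ] || { echo "WSS_API_KEY is not set" >&2; return 1; }
    [ -n "${WSS_URL:-}" ]     || { echo "WSS_URL is not set" >&2; return 1; }
    : > "$out" && chmod 600 "$out"   # the file carries credentials: owner-only from the start
    {
        printf 'apiKey=%s\n' "$WSS_API_KEY"
        if [ -n "${WSS_USER_KEY:-}" ]; then
            printf 'userKey=%s\n' "$WSS_USER_KEY"   # lets Mend record who ran the scan
        fi
        printf 'wss.url=%s\n' "$WSS_URL"
        # Tokens address an existing product/project; names are the first-time
        # route that creates both automatically (the page's best practice).
        if [ -n "${WSS_PRODUCT_TOKEN:-}" ] && [ -n "${WSS_PROJECT_TOKEN:-}" ]; then
            printf 'productToken=%s\n' "$WSS_PRODUCT_TOKEN"
            printf 'projectToken=%s\n' "$WSS_PROJECT_TOKEN"
        elif [ -n "${WSS_PRODUCT_NAME:-}" ] && [ -n "${WSS_PROJECT_NAME:-}" ]; then
            printf 'productName=%s\n' "$WSS_PRODUCT_NAME"
            printf 'projectName=%s\n' "$WSS_PROJECT_NAME"
        else
            echo "set WSS_PRODUCT_TOKEN/WSS_PROJECT_TOKEN or WSS_PRODUCT_NAME/WSS_PROJECT_NAME" >&2
            return 1
        fi
        printf 'checkPolicies=false\n'      # no organizational policies defined yet
        printf 'generateScanReport=true\n'  # JSON report: vulnerabilities, top fixes, inventory
        # resolveDependencies is left commented out, so every resolver the UA supports is used
    } > "$out"
}

# wss_config_value FILE KEY : print the value of KEY from a key=value config (empty if absent)
wss_config_value() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# check_wss_config FILE : succeed only if the keys a scan needs are present
check_wss_config() {
    f="$1"
    for key in apiKey wss.url; do
        [ -n "$(wss_config_value "$f" "$key")" ] || { echo "missing $key in $f" >&2; return 1; }
    done
    if [ -n "$(wss_config_value "$f" productToken)" ] && [ -n "$(wss_config_value "$f" projectToken)" ]; then
        return 0
    fi
    if [ -n "$(wss_config_value "$f" productName)" ] && [ -n "$(wss_config_value "$f" projectName)" ]; then
        return 0
    fi
    echo "config must carry product/project tokens or product/project names" >&2
    return 1
}

# run_wss_scan CONFIG DIR : validate the config, then run the agent on DIR
# (needs Java and the jar; WSS_AGENT_JAR overrides the assumed default path)
run_wss_scan() {
    check_wss_config "$1" || return 1
    java -jar "${WSS_AGENT_JAR:-./wss-unified-agent.jar}" -c "$1" -d "$2"
}

# Typical use (export the WSS_* variables from the CI secret store first):
#   write_wss_config wss-unified-agent.config && run_wss_scan wss-unified-agent.config /path/to/project
```

Keeping the secrets in environment variables supplied by the CI system, rather than in the checked-in default configuration file, means a cloned repository never exposes the organization's apiKey, and check_wss_config fails fast when a token or name is missing instead of letting the agent upload an incomplete scan.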

Running the Unified Agent in a Docker Container

The Unified Agent can also be executed in a Docker container. A Dockerfile template containing different package managers (e.g. maven, npm, etc.) can be found here. The file includes installation commands that let you create a customizable run environment for scanning projects/files, plus a basic (editable) set of package managers for the project.