
What is WhiteSource

GÉANT projects need to be aligned with their own IPR policies as well as with the general GÉANT IPR policy guidelines. Projects use libraries whose use is subject to the license terms set by the authors or IPR holders of those libraries, and all of these licenses must be mutually compatible. WhiteSource, a platform for managing the security and license compliance of software components, helps in checking this compatibility. It can support the process of managing and approving the components in use. It integrates into all phases of the software development life cycle and provides real-time monitoring and alerts so that problems can be solved in a timely manner.

How it works

WhiteSource scans directories to find software components, identifies vulnerable libraries and licensing conflicts or risks, and displays the results in the WhiteSource web application, without actually analysing the source code itself. By default, it matches the digital signatures (fingerprints) of the components it finds against the WhiteSource database, which lets it detect all open-source or commercial components in the product. In this way WhiteSource can be connected to a given GÉANT product (without having to review the code) to check the compliance of the product with a predefined IPR policy. The verification is performed by 'scanning' the project, and the scan produces overview reports on compliance.

Scans of the organization's products can be found in the WhiteSource application, with the scan of each product displayed on the corresponding product page. The product page shows detailed information about a specific product and offers a variety of dashboard options, providing a rich and varied view of the organization's open-source status. It shows summary information about the product, all projects it contains and the libraries those projects use. The product page is the result of a scan for a GÉANT product (either one integral UA product scan or several per-project scans).

WhiteSource can analyze projects in several ways:

What it provides

The web-based GUI provides numerous options and panels for viewing and analysing the scans of open-source software in an organization's products and projects. Administrators can customize the system settings, manage users' permissions, and configure the integration with third-party components.

The information shown in the dashboards is as follows:

  • Product Alerts - shows the library (component) alerts generated for a product. The New Versions category shows the number of alerts triggered for scanned libraries that were found to be out of date (i.e., not at the latest version). Whenever an out-of-date library is found in the inventory, a new alert is generated and displayed in the Alerts report; the alert names the out-of-date library and indicates the newer version.
  • Security and Quality - shows the number of libraries that contain vulnerabilities, sorted by severity; the score of the most vulnerable library; the number of libraries that contain vulnerabilities and have newer versions available; and the number of "bugged" libraries.
  • Libraries - shows detailed information about the product's libraries (components): library name, library license, and the projects in which each library occurs.
  • License Analysis - shows license distribution data, i.e., which licenses are present across the organization's products and how many libraries fall under each license type.
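
The fingerprint-based detection described under "How it works" and the alert categories listed above can be illustrated with a small scanner. This is an added example, not WhiteSource's own code or database: it hashes every artifact in a directory, looks each hash up in a constructed component table, and produces New Versions, Security and License alerts; the component metadata, the vulnerability identifier and the approved-license list are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(data: bytes) -> str:
    """Digital signature of a shipped artifact: the hash of its bytes, not of its source."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a vendor component database. Keys are artifact contents
# (hashed below), values are the metadata a real database would return for that hash.
_SAMPLE_ARTIFACTS = {
    b"constructed contents of demo-lib-1.0.jar": {
        "name": "demo-lib", "version": "1.0", "latest": "1.2",
        "license": "MIT", "vulns": ["CONSTRUCTED-VULN-1"]},
    b"constructed contents of widget-2.3.jar": {
        "name": "widget", "version": "2.3", "latest": "2.3",
        "license": "GPL-3.0-only", "vulns": []},
}
KNOWN_COMPONENTS = {fingerprint(b): meta for b, meta in _SAMPLE_ARTIFACTS.items()}

# Constructed IPR policy for the example: licenses this project is allowed to ship with.
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def scan_directory(root: Path) -> dict:
    """Hash each file under root, match it against the database and collect alerts."""
    report = {"inventory": [], "unknown": [], "new_versions": [], "security": [], "license": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        meta = KNOWN_COMPONENTS.get(fingerprint(path.read_bytes()))
        if meta is None:                     # not in the database: needs manual review
            report["unknown"].append(path.name)
            continue
        report["inventory"].append(f"{meta['name']}@{meta['version']}")
        if meta["version"] != meta["latest"]:  # New Versions alert
            report["new_versions"].append((meta["name"], meta["version"], meta["latest"]))
        for vuln in meta["vulns"]:             # Security alert
            report["security"].append((meta["name"], vuln))
        if meta["license"] not in APPROVED_LICENSES:  # License policy alert
            report["license"].append((meta["name"], meta["license"]))
    return report


def demo() -> dict:
    """Build a constructed project tree (two known artifacts, one in-house jar) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        for i, content in enumerate(_SAMPLE_ARTIFACTS):
            (lib / f"artifact{i}.jar").write_bytes(content)
        (lib / "inhouse.jar").write_bytes(b"constructed in-house code, not in any database")
        return scan_directory(Path(tmp))
```

Running `demo()` reports the in-house jar as unknown, demo-lib as out of date and vulnerable, and widget as breaching the constructed license policy.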

For each open-source license, WhiteSource provides information on: License Type, Copyrights, Patent and Royalty, Royalty Free, Linking, and OSD Compliance.

WhiteSource has also conducted an in-house analysis of many of the main license types and assigned them risk scores, to help developers determine which risks and factors they should keep in mind when deciding which license to use. The WhiteSource scan service can provide GÉANT project teams with tracking of IPR compliance, helping them to keep their code compatible with the IPR policies. WhiteSource thus provides full visibility and control over the risks associated with open-source compliance.
