Log in

WhiteSource provides several methods for user login. In GEANT, use the single sign-on login (SSO):

Open WhiteSource login at https://app-eu.whitesourcesoftware.com/
Click Sign in with SSO.
Enter your GEANT email address to be forwarded to the GEANT login page.
Log in with your identity provider as you would for other GEANT services.
Your GEANT WhiteSource Home Page opens.

On subsequent logins, you can go directly to https://app-eu.whitesourcesoftware.com/Wss/WSS.html - depending on saved cookies, some or all of the previous steps may be skipped.

For more information on accounts management and customisation of WhiteSource and products visibility, see Re: MANUAL: Accessing WhiteSource and visibility levels (THIS PAGE SHOULD BE MOVED!).

Dashboard (key information in WhiteSource user interface)

Many things are shown on the WhiteSource dashboard. To understand them, read the following text which is focused on licenses and interpretation of the provided data for GEANT.

The dashboard in WhiteSource can be at the level of organization (GEANT), Product or Project. A detailed explanation of the terms Products, Projects, and Organizations in WS is here. In a nutshell: your team is working on a WhiteSource 'product' which may consist of several pieces of software, which are in WhiteSource called 'projects'.

The dashboard at the organization level is WhiteSource Home Page; at the product level, it is Product Page, and at the project level, Project Page. Regardless of the level, the dashboard contains the following key information:

Detailed information about the libraries

Libraries alert types:
- New Versions - The total count of outdated libraries (counts the libraries that have newer versions)
- Multiple Versions - Multiple versions of the same library are in use
- Multiple Licenses - An alert is triggered for any library that has more than one license.
Security alerts:
- Per-Library Alerts - The total number of libraries with vulnerability alerts (for example, the alert count for a Product with two Projects where each features an alert for the same library will be "one" and will be displayed in one row noting two project occurrences.)
- Per-Vulnerability Alerts - The total number of vulnerability alerts
The Libraries table shows detailed information about the product’s (project's) libraries (components). The following attributes are listed:
- Library: Clicking the library name redirects you to the specific library page.
- Licenses: The licenses that are associated with the library.
- Occurrences: The number of occurrences of the library per project.

The Library table in the header has a link to the Inventory Report. This report is a tabular view of detailed information about open source libraries. The Inventory Report provides the following columns of information per library:

Library Name - the standard name of the library
Type - indicates whether the library is a source library
Description - short functional description of the library
Licences - licences associated with the library
Match Type - can be one of the following:
- Exact match - the library was matched by SHA-1 checksum
- Best match - source file was matched by SHA-1 checksum; library assigned to a source library by best match
- Filename match- library could not be matched by SHA-1 checksum but matched the filename
- Suspected match - library match is expected and will be updated with the exact match
Occurrences - number of all instances in which the library is used in any project in the organization (you can click the details link to see the name of the project(s) and their associated product names)

Detailed information about the licences (Licence Analysis)

This section provides an overview of the license distribution of the organization (or product, project), showing which licences are used and how many libraries are associated with each license. The distribution of licences is shown in the pie chart. The following information is displayed for each licence:

Name - Name of the licence
Occurrences - Number of occurrences by libraries
Copyright - Copyright Risk Score which is a measurement of the copyright risk

The Project dashboard within this section has a link View In Due Diligence Report. This report is a tabular view of detailed information about all detected licences. The Due Diligence Report provides the following columns of information:

License - the name of the licence for the library
License Type - the type of licence (Open Source, Closed Source, Unknown)
Risk - the licence copyright risk score (for details, see Risk Score Attribution)
Library - the name of the open-source library. (click the library name to be forwarded to its Library Details page)
License Reference - includes an indication as to where the licence was found
Copyright - the range of years for the library's copyright
Homepage - link to the homepage of the library
Author - name of the author of the library
Project - the project where the library is used
Product - the product where the library is used
Custom Attribute - displayed only if a custom attribute was selected in Select Custom Attribute in the scope area
Level - the level of the licence, root or nested

Finding your product and projects

The Product page displays detailed information about a specific product (the result of a product scan for a specific version). The product page for a product is accessed from the Products menu item of the main menu.

The Project page displays detailed information about a specific project within a previously selected product. It can be accessed from the Projects menu item in the main menu.

The difference in interpreting the presence of a problematic library when assessing the situation vs exploring license compatibility and compliance options vs checking compliance with the established product's licence

same policy/licence across projects in the product vs differentiated project policies

Interpreting Risk report

The Risk Report is a tool that provides a view of all aspects of open-source libraries concerning their licenses, security, quality and compliance.

Creating the Report

The report is available from the "Reports" menu.
Define the scope for which the report should be created. The defaults scope is Organizational (GEANT), or you can select any individual product and/or project
Click Apply

Understanding the Report Data

The report contains a number of panels and tables displaying risk-related information. The Risk Report has the following sections:

How do we compare? - This section compares the results of measuring the level of risk and compliance of the selected range (GEANT, product or project) with the overall average statistics calculated for WS clients. Includes the following three charts: Vulnerable Libraries, Policy Violating Libraries, Outdated Libraries.
Security - This panel displays the vulnerability score (base on the highest severity vulnerability), the number of vulnerable components out of total components, severity distribution, aging security vulnerabilities, license risk distribution, outdated components out of total components and libraries with multiple versions.
License Risks and Compliance - This panel provides an overview of the License Distribution of the organization (or product), showing which licenses are used and how many libraries are associated with each license.
Quality - This panel provides information about any outdated libraries
Additional Risk Information - Contains detailed tables with various component-level breakdowns.

Exporting the Report

Click Export to PDF at the top right of the report and export the Risk report as a PDF file.

Customising visibility

The GEANT WhiteSource admins can always see all scanned GEANT products.

By default, anyone who applies to WhiteSource can see the content of all non-restricted GEANT products and projects in WhiteSource. It is possible to restrict read permissions to scan results for specific products and projects. You can contact the GEANT WhiteSource support to get access to a specific project that has limited visibility or to restrict the permissions for a specified product or project.