| Table of Contents |
|---|
Overview
...
NOTE: Subscribe to the Customer Community Portal Announcements section in order to receive immediate email notifications on important announcements and product release notes.
Notices of Deprecation
Documentation
Version 21.3.2
Beginning in this version the following pages were archived and are therefore no longer in use:
High Severity Bugs Report
File System
Getting Started
Setup Projects
Automate the Process by Using the Unified Agent
Deprecated Features was deprecated and the content was moved to the Notices page
Setting the Home Page was deprecated and the content was moved to the WhiteSource Home Page topic.
Version 21.2.2
Beginning in this version the following page was archived and is therefore no longer in use.
WhiteSource Advise for Visual Studio Codespaces
Version 21.2.1
Beginning in this version the following page was archived and is therefore no longer in use.
Fortify Software Security Center Integration
Version 21.1.2
Beginning in this version the following integration pages were archived and are therefore no longer in use. The material contained therein is contained in the Unified Agent parameter documentation.
Selecting a Plugin for Integration
Providing only a Project name in a Unified Agent Scan
Configuration Recommendation Mode
Unified Agent Scan Steps and Summary
Unified Agent JSON Report Example
...
Name Changes
File System Agent
The WhiteSource File System Agent (FSA) has been renamed to the WhiteSource Unified Agent.
Sun License
The name of the Sun license was changed to Sun Public License. (21.3.2, 4/11/21)
New and/or Modified Documentation
New Unified Agent Documentation (version 20.10.2)
Beginning in version 20.10.2, a modified and updated Unified Agent documentation repository has been launched, with the intent to increase usability, update existing content, fill in missing gaps, and create a linear flow.
The documentation is now spread over 4 contiguous topics (pages), in this order:
An overview page – this text will replace the current text on the page in Confluence to which the Web GUI links, so there will be no issues with broken bookmarks, missing pages, SEO issues etc. This page will also provide links to the following three topics listed here.
A Getting Started page, with prereqs, download info, config info, etc
A Parameters page
Advanced Topics (similar to an appendix)
New Policies Documentation (version 20.10.2)
Beginning in version 20.10.2 (approximate release - November 8), a modified Policies page has been launched, with the intent to update existing content, fill in missing gaps, and create a linear flow.
This page merges the two existing policies topics - Automated Policies and Managing Policies Throughout Your SDLC. The latter has been archived and therefore no longer in use.
Notices of Deprecation
Documentation
Version 21.3.2
Beginning in this version the following pages were archived and are therefore no longer in use:
Documentation Tips
Kubernetes FAQ
ThreadFix Integration
Ruby Plugin
Python Plugin
NAnt Plugin
Gradle Plugin
Bower Plugin
Bamboo Plugin
Ant Plugin
Fortify Software Security Center Integration
...
High Severity Bugs Report
File System
Getting Started
Setup Projects
Automate the Process by Using the Unified Agent
Deprecated Features was deprecated and the content was moved to the Notices page
Setting the Home Page was deprecated and the content was moved to the WhiteSource Home Page topic.
Version 21.2.2
Beginning in this version 20.12.2 the following integration pages were page was archived and are is therefore no longer in use. The material contained therein is contained in the Unified Agent parameter documentation.
Gradle
Maven
Python
...
.
WhiteSource Advise for Visual Studio Codespaces
Version 21.2.1
Beginning in version 20.12.1 this version the following page was archived and is therefore no longer in use.
Fortify Software Security Center Integration
Version 21.1.2
Beginning in this version the following integration pages will be were archived and are therefore no longer be in use. The material contained therein is contained in the Unified Agent parameter documentation.
Bower
Cargo
Cocoapods
Haskell
Hex (Erlang/Elixir)
Ocaml
Paket
php
Poetry
Ruby
SBT
Additionally, the following pages will be archived:
Previous Versions of the Unified Agent
Previous GitHub Integration
Features
API Version 1.0 and Below
Beginning on February 15, 2020, WhiteSource will deprecate API version 1.0 and below for new developments to make way for the more advanced and secure versions 1.1, 1.2 and 1.3. Support for 1.0 versions and below will end six months from that date (August 15, 2020).
Additionally, on February 15, 2020, WhiteSource will begin enforcing the quota limits for API usage per customer according to the contract. Please prepare accordingly for these changes. For any questions or concerns, contact WhiteSource support.
IntelliJ Old Plugin End of Life
On July 12, 2020, WhiteSource will deprecate the old plugin version of WhiteSource Advise for IntelliJ (see here).
A new WhiteSource Advise plugin is already available directly from the IntelliJ IDEA Marketplace (see here), which besides offering the same features as the old plugin, includes functionality improvements as well as performance-related enhancements.
Please make sure to migrate to the new plugin by deleting the old plugin and then only installing the new one. See our documentation for more information.
NuGet Plugin End of Life
With the wide functionality of the WhiteSource Unified Agent providing support for more than 200 languages, the NuGet plugin will reach its End Of Life starting October 1, 2020.
After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until April 1, 2021. Following this date, the NuGet plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on October 1, 2020 to maintain full support of your product.
Jfrog Xray Integration Support
JFrog's vulnerability data integration strategy has changed: Integration with third-party providers of solutions that scan open-source libraries will no longer be available. Therefore, WhiteSource’s Xray Integration will be deprecated.
Shared customers integrating Xray with WhiteSource will no longer be supported or maintained by JFrog. Note that existing integrations with JFrog Artifactory (independent of JFrog Xray) are not affected.WhiteSource invites you to continue to use its variety of supported integrations for detecting vulnerabilities in open-source software. For more information, contact support@whitesourcesoftware.com.
NPM and Maven GitHub Repositories - Visibility Change
Following the deprecation of NPM and Maven Plugins, the visibility of existing GitHub repositories was changed to 'private'.
Deprecation of the Vulnerable Methods
In some cases, vulnerabilities are fixed by the deprecation of the vulnerable classes or methods. To that extent, WhiteSource, as other official advisories, will mark the vulnerabilities as fixed with the relevant version. In these cases, the vulnerabilities are fixed by adding "@Deprecated" to the vulnerable method.
Example:
CVE-2016-1000027:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000027
Fixing commit: https://github.com/spring-projects/spring-framework/commit/d9ccd618ea9cbf339eb5639d24d5a5fabe8157b5
Vulnerable range: 4.1.4 - 5.2.12
Deprecated in: 5.3.0
The classes are scheduled for removal in 6.0.0.
Parameters
...
Name Changes
File System Agent
The WhiteSource File System Agent (FSA) has been renamed to the WhiteSource Unified Agent.
Sun License
The name of the Sun license was changed to Sun Public License. (21.3.2, 4/11/21)
New and/or Modified Documentation
New Unified Agent Documentation (version 20.10.2)
Beginning in version 20.10.2, a modified and updated Unified Agent documentation repository has been launched, with the intent to increase usability, update existing content, fill in missing gaps, and create a linear flow.
The documentation is now spread over 4 contiguous topics (pages), in this order:
An overview page – this text will replace the current text on the page in Confluence to which the Web GUI links, so there will be no issues with broken bookmarks, missing pages, SEO issues etc. This page will also provide links to the following three topics listed here.
A Getting Started page, with prereqs, download info, config info, etc
A Parameters page
Advanced Topics (similar to an appendix)
New Policies Documentation (version 20.10.2)
Beginning in version 20.10.2 (approximate release - November 8), a modified Policies page has been launched, with the intent to update existing content, fill in missing gaps, and create a linear flow.
...
Selecting a Plugin for Integration
Providing only a Project name in a Unified Agent Scan
Configuration Recommendation Mode
Unified Agent Scan Steps and Summary
Unified Agent JSON Report Example
The following topics have been completely deprecated and are therefore no longer in use:
Documentation Tips
Kubernetes FAQ
ThreadFix Integration
Ruby Plugin
Python Plugin
NAnt Plugin
Gradle Plugin
Bower Plugin
Bamboo Plugin
Ant Plugin
Fortify Software Security Center Integration
Version 20.12.2
Beginning in version 20.12.2 the following integration pages were archived and are therefore no longer in use. The material contained therein is contained in the Unified Agent parameter documentation.
Gradle
Maven
Python
Version 20.12.1
Beginning in version 20.12.1 the following integration pages will be archived and therefore no longer be in use. The material contained therein is contained in the Unified Agent parameter documentation.
Bower
Cargo
Cocoapods
Haskell
Hex (Erlang/Elixir)
Ocaml
Paket
php
Poetry
Ruby
SBT
Additionally, the following pages will be archived:
Previous Versions of the Unified Agent
Previous GitHub Integration
Features
API Version 1.0 and Below
Beginning on February 15, 2020, WhiteSource will deprecate API version 1.0 and below for new developments to make way for the more advanced and secure versions 1.1, 1.2 and 1.3. Support for 1.0 versions and below will end six months from that date (August 15, 2020).
Additionally, on February 15, 2020, WhiteSource will begin enforcing the quota limits for API usage per customer according to the contract. Please prepare accordingly for these changes. For any questions or concerns, contact WhiteSource support.
IntelliJ Old Plugin End of Life
On July 12, 2020, WhiteSource will deprecate the old plugin version of WhiteSource Advise for IntelliJ (see here).
A new WhiteSource Advise plugin is already available directly from the IntelliJ IDEA Marketplace (see here), which besides offering the same features as the old plugin, includes functionality improvements as well as performance-related enhancements.
Please make sure to migrate to the new plugin by deleting the old plugin and then only installing the new one. See our documentation for more information.
NuGet Plugin End of Life
With the wide functionality of the WhiteSource Unified Agent providing support for more than 200 languages, the NuGet plugin will reach its End Of Life starting October 1, 2020.
After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until April 1, 2021. Following this date, the NuGet plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on October 1, 2020 to maintain full support of your product.
Jfrog Xray Integration Support
JFrog's vulnerability data integration strategy has changed: Integration with third-party providers of solutions that scan open-source libraries will no longer be available. Therefore, WhiteSource’s Xray Integration will be deprecated.
Shared customers integrating Xray with WhiteSource will no longer be supported or maintained by JFrog. Note that existing integrations with JFrog Artifactory (independent of JFrog Xray) are not affected.WhiteSource invites you to continue to use its variety of supported integrations for detecting vulnerabilities in open-source software. For more information, contact support@whitesourcesoftware.com.
NPM and Maven GitHub Repositories - Visibility Change
Following the deprecation of NPM and Maven Plugins, the visibility of existing GitHub repositories was changed to 'private'.
Deprecation of the Vulnerable Methods
In some cases, vulnerabilities are fixed by the deprecation of the vulnerable classes or methods. To that extent, WhiteSource, as other official advisories, will mark the vulnerabilities as fixed with the relevant version. In these cases, the vulnerabilities are fixed by adding "@Deprecated" to the vulnerable method.
Example:
CVE-2016-1000027:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000027
Fixing commit: https://github.com/spring-projects/spring-framework/commit/d9ccd618ea9cbf339eb5639d24d5a5fabe8157b5
Vulnerable range: 4.1.4 - 5.2.12
Deprecated in: 5.3.0
The classes are scheduled for removal in 6.0.0.
Parameters
In version 21.2.2, a newparameter, fileSystemScan, replaces the deprecated ignoreSourceFiles.
Scan Results
GO Scan Results
...
CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGH
Vulnerable Projects
Project | Vulnerabilities | Vulnerable Versions | Mitigation |
|---|---|---|---|
CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. | 6.x: 6.0 - 6.2.3 | 6.x: No fix available. | |
CVE-2019-9512, CVE-2019-9514. Official Website Advisory | 1.11.x: 1.11.0 - 1.11.12 | 1.11.x: Upgrade to 1.11.13 (patch). | |
CVE-2019-9512, CVE-2019-9514, CVE-2019-9515. Official Website Advisory | 2.2.x: 2.2.0 - 2.2.5 | 2.2.x: Upgrade to 2.2.6 (patch). | |
CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. Official Website Advisory | 9.3.x - 9.4.20 | Upgrade to 9.4.21 (patch). | |
CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518. Official Website Advisory | 4.1.0-beta4 - 4.1.38 | Upgrade to 4.1.39 (patch-1 [9512, 9514, 9515], patch-2 [9518]). | |
CVE-2019-9511, CVE-2019-9513. Official Website Advisory | 0.1.0 - 1.39.1 | ||
CVE-2019-9511, CVE-2019-9513, CVE-2019-9516. Official Website Advisory | NOTE: The releases (X.Y.Z) splitted into two types: if Y is divisible by 2 - stable, otherwise - mainline. | Stable: Upgrade to 1.16.1 (patch-1 [9511], patch-2 [9513], patch-3 [9516]). | |
CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. Official Website Advisory | 8.x: 8.0.0 - 8.16.0 | 8.x: Upgrade to 8.16.1 (patch-1 [9511, 9517], patch-2 [9511, 9517], patch-3 [9512, 9515], patch-4 [9512, 9515], patch-5 [9513], patch-6 [9513], patch-7 [9514], patch-8 [9514], patch-9 [9516], patch-10 [9518]). |
...