Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • In the Image Registries section:

    • UA - Amazon Elastic Container Registry (ECR) - Docker Integration

    • UA - Azure Container Registry Integration

    • UA - Docker Image Integration

    • UA - Google Container Registry Docker Integration

    • UA - JFrog Artifactory Docker Registry Integration

  • In the AVM section:

    • Migrating Fortify/ThreadFix Agent to the AVM Agent


Major improvements to the Azure DevOps integration will be introduced in July. The underlying scanning mechanism will be modified to allow a direct WhiteSource scan from within the Azure DevOps pipeline. As part of this change, the following updates will be introduced:

  • The extension activation procedure will be moved to the Organization settings section by navigating to Organization settings > Extensions > WhiteSource page.

  • The WhiteSource tab under Project > Pipelines will be deprecated.

  • The WhiteSource Open Source Risk Report will be available at the Azure DevOps build level only, deprecating the project level aggregated report.

  • The direct WhiteSource scan from within the Azure DevOps pipeline will be the only scanning option.

Version 21.5.1 (23-May-2021)


  • NPM and Yarn configuration are now optimized by automatically executing the relevant pre-step (npm install or yarn install) based on the lock file detected (yarn.lock or package-lock.json) when npm.runPreStep = true.

  • Beginning in this version, nuget.runPreStep and nuget.restoreDependencies will be combined. This works the following way: if nuget.runPreStep = true, then dotnet restore will be performed on found .csproj files. As a result of this merge, nuget.restoreDependencies will be deprecated.


The TeamCity plugin will reach its End Of Life starting November 1, 2021. After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until May 1, 2022. Following this date, the TeamCity plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on November 1, 2021 to maintain full support of your product.


  • Archive extraction of the Zstandard format RPM file failed.

  • A problem with missing shields occurred during Prioritize scans with NPM due to incorrect handling of duplicate dependencies.

  • Some Unified Agent's log messages were not taken into account when setting the logLevel parameter.

  • Running the Generating the Due Diligence Report resulted in a blank report.

  • When Jira Server was connected to PostgreSQL, an exception occurred in Jira Plugin when trying to add a new row to the table.


The following is planned for the next Unified Agent releases:


  • The NuGet Plugin page was deprecated.

  • In the next version, 21.3.2, the following changes will be implemented:

    • The Deprecated Features topic will be deprecated and the content will move to the Noticespage

    • The High Severity Bugs Report topic will be deprecated

    • The File Systemtopic will be deprecated

  • Additional modifications will be implemented to the opening documentation sections, beginning with the login/homepage documentation. 


In the next Unified Agent release, major improvements to the Go Modules dependencies detection will be introduced with the addition of a new optimized resolver for Modules, controlled by a separate set of parameters. After this change, two separate settings will be supported: new parameters for controlling the new Modules resolution and the existing Go parameters for controlling Modules and the other Go package managers. The new Modules resolver will detect only the actively used dependencies and will enable controlling whether to include test dependencies and duplicate dependencies. 


  • Several issues have been resolved regarding Docker Layers:

    • Layers with the same SHA1 were represented as one resource.

    • Layers with a SHA1 already created as “unknown” from previous scans were recognized as that resource, and therefore the display name did not reflect the layer

    • Layers with SHA1 were unnecessarily looked up in the index 

  • Discrepancies were found between the Alerts Widget and the Library Page.

  • Vulnerability-based alerting: In the 'Vulnerable Libraries' section on the 'Security Vulnerability' page, the libraries were not filtered by the specific CVE. As a result, the CVEs were ignored and the filter returned all the vulnerable libraries in the organization.


  • In the Unified Agent’s upcoming releases, major improvements to the Go Modules’ dependencies detection will be introduced. A new optimized resolver for Go Modules, controlled by a separate set of parameters will become active, paving the way for more specific control over Go resolution.


  • If hex.ignoreSourceFiles was set to true, the Unified Agent did not ignore .erl source files.

  • When groups were created via SAML integration and were then deleted manually from the dashboard, an exception occurred.


  • Within the next two releases of the Unified Agent, a significant improvement to the NPM dependency detection will be introduced. An optimized NPM resolution method, controlled by the npm.resolveLockFile flag, will become the default dependency detection for NPM. This will be applied by changing the current default value of the npm.resolveLockFile flag from false to true. This will significantly improve the scanning time of NPM projects and produce more accurate results. 


  • Scanning docker images with source files leads to duplicate appearances of the source libraries in the Hierarchy view.


  • Within the next two releases, WhiteSource will be improving the Unified Agent configuration by removing the requirement to have a configuration file, if all the mandatory parameters are set (passed as command-line parameters or by environment variables).


  • If the field last scan comment contains multiple lines, only the first line will be displayed in the project vitals area.


  • In the next release, improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag will be introduced. The improvements will include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting the npm.resolveLockFile to true.