Overview

Info

Major improvements to the Azure DevOps integration will be introduced in July 2021. The underlying scanning mechanism will be modified to allow a direct WhiteSource scan from within the Azure DevOps pipeline. As part of this change, the following updates will be introduced:

  • The extension activation procedure will be moved to the Organization settings section, reached by navigating to Organization settings > Extensions > WhiteSource.

  • The WhiteSource tab under Project > Pipelines will be deprecated.

  • The WhiteSource Open Source Risk Report will be available at the Azure DevOps build level only, deprecating the project level aggregated report.

  • The direct WhiteSource scan from within the Azure DevOps pipeline will be the only scanning option.

This integration is not currently supported for customers on a WhiteSource Dedicated Instance or WhiteSource On-Premises instance.
This integration does not support Azure DevOps Server (TFS) installations.

...

  • Detect and remediate vulnerable open source components

  • Generate a comprehensive open-source inventory report per project or build

  • Enforce open source license compliance, including dependencies’ licenses

  • Identify outdated open-source libraries with recommendations to update

...

  • The extension maps an Azure DevOps Project (and all of its pipelines that are integrated with WhiteSource) to a specified WhiteSource Product. The WhiteSource Product is generated by the extension as part of the integration. To map between an Azure DevOps Pipeline Build and a WhiteSource Product, it is recommended to use the Unified Agent integration.

...

The Azure DevOps Services integration supports programming languages and package managers that are supported today by the Unified Agent.

...

  • Docker image scanning is not supported.

  • Effective Usage Analysis capabilities are not supported.

  • The ability to fail a pipeline build due to a WhiteSource Policy violation is not currently supported.

Prerequisites

Ensure the following:

  • Your Azure DevOps organization is connected to an Azure AD via Organization Settings > Azure Active Directory.

  • An activation key for this Azure DevOps integration, available via the WhiteSource application's Integrate tab.

  • The New Version alerts setting is enabled via Admin > Alert Settings. When disabled, no information is displayed in the Outdated Libraries tab of the Open source risk report.

  • If you are using a self-hosted build agent, note that running it behind a web proxy is not currently supported.

  • The relevant package manager used by your project is installed.

  • Python support: The default supported Python version is 2.7. If you have a Python project with version 3 or above, you will need to perform the following procedure:

    1. In the WhiteSource task, locate the WhiteSource Configuration field.

    2. Add the following parameter to it: python.path=python3.

Installing the Extension

...

To re-activate the extension using a different WhiteSource account (activation key), uninstall the extension and then follow the instructions below.

  1. After installing the extension, navigate to Organization Settings > Extensions > WhiteSource within your Azure DevOps organization.

  2. An activation form for connecting to your WhiteSource account is displayed. Enter the following details:

    • First name

    • Last name

    • Work email

    • Company name

    • Country

    • Activation key - In the WhiteSource application, navigate to Integrate > Azure DevOps Integration. Click the Generate Activation Key link, and then copy and paste the activation key. NOTE: If you are not a WhiteSource administrator, you will need to get the activation key from the administrator.

  3. Click Connect Account. Your extension is now connected to your WhiteSource account.

Configuring Organizational Settings

After completing the activation process, you can choose whether to override WhiteSource projects with data from the latest build (which is the default behavior). This will be applied to all of your organization’s pipelines and will result in WhiteSource storing and generating a report for only the latest build data for each particular pipeline definition.

Alternatively, you can have WhiteSource store data and generate a report for all builds instead of only the latest. Do as follows:

...

Ensure that you followed the procedures in Activating the Extension.

...

the pipeline’s builds. This can be done by the following:

  1. Navigate to Organization Settings > Extensions > WhiteSource.

  2. Clear the Overwrite projects with latest build data checkbox, and click Save.

  3. Ensure that you follow the procedures in Adding a WhiteSource Build Task to Your Pipeline.

Configuring Project Settings

The default WhiteSource Product that will be associated with your specific Azure DevOps Project is AZDO_<PROJECT_NAME>. You can customize the product name as needed.

There are two options to specify the WhiteSource product:

Existing WhiteSource scans that were triggered before changing the WhiteSource product name will remain under the previously-set WhiteSource product.

...

Define a new WhiteSource product to create and associate your Azure DevOps project to

...

To change the mapped WhiteSource Product, there are two available options:

Defining a New WhiteSource Product

To define a new WhiteSource product to be created and associated with your Azure DevOps project, do as follows:

  1. Ensure that you followed the procedures in Activating the Extension.

  2. Navigate to a specific Project in your Azure DevOps organization.

  3. Navigate to Project Settings > Extensions > WhiteSource of the specific project.

  4. Enter the desired WhiteSource product name in the Product name field. As you enter the name, it will simultaneously appear under the input field; click that name below.

  5. In the Add a new Product dialog box, click Add.

  6. Under the Product name field, click Save.

The new product will be created in the WhiteSource application. Any build that will run in the specific Azure DevOps project will have results appear in the WhiteSource application under the provided product name.

Selecting a Product From a List of Existing WhiteSource Products

...

  1. Ensure that you followed the procedures in Activating the Extension.

  2. Navigate to a specific Project in your Azure DevOps organization.

  3. Inside your Azure DevOps project, navigate to Project Settings > Extensions > WhiteSource.

  4. Click the Product name input field to display the list of existing WhiteSource products.

  5. Select a suitable product from the list. Once selected, it should be displayed in the input field. Click Save.

Any build that will run in the specific Azure DevOps project will have results appear in the WhiteSource application under the provided existing WhiteSource product.

...

Adding a WhiteSource Build Task to Your Pipeline

After completing the relevant settings, you can add a WhiteSource build task to your existing pipeline. Do as follows:

  1. Go to the relevant Azure DevOps project for which you want WhiteSource to run.

  2. Inside your Azure DevOps project, from the sidebar, click Pipelines. The Pipelines page is displayed.

  3. Click the relevant pipeline. The specific pipeline page is displayed.

  4. Click Edit. Do one of the following procedures:

...

  1. In the pipeline edit page, from the right side, click Show assistant. The Tasks sidebar is displayed.

  2. In the search bar, enter whitesource. The WhiteSource task is displayed.

  3. Click the WhiteSource task.

  4. From the bottom right corner, click Add. The WhiteSource task is added to the pipeline.

    - task: whitesource.WhiteSource-azure-devops-services.bolt.wss.WhiteSource@21
  5. (Optional) To specify the name of the WhiteSource project to be created, add the following to the WhiteSource task. In the following example, replace New_Project_Name with the name you want to give your WhiteSource project:
    NOTE: When the Overwrite projects with latest build data checkbox from Organization Settings > Extensions > WhiteSource is selected, you will be unable to change the project name after the first build run.

    - task: whitesource.WhiteSource-azure-devops-services.bolt.wss.WhiteSource@21
      inputs:
        cwd: '$(System.DefaultWorkingDirectory)'
        projectName: 'New_Project_Name'
  6. (Optional) To specify custom Unified Agent Configuration parameters, add all parameters in the WhiteSource Configuration field (ensure that each parameter, along with its value, is provided on a separate line). In the following example, under configuration, provide all relevant parameters.
    NOTE: The parameters used here overwrite the default configuration parameters. Configuration parameters that were not provided will use the default values as described here /wiki/spaces/WD/pages/2169274372.

    - task: whitesource.WhiteSource-azure-devops-services.bolt.wss.WhiteSource@21
      inputs:
        cwd: '$(System.DefaultWorkingDirectory)'
        configuration: |
         npm.resolveDependencies=true
         maven.resolveDependencies=true
  7. Click Save & queue.
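
The Python 3 prerequisite applied in the YAML form of the task, as an added example that is not part of the original page. It combines the projectName and configuration inputs that the steps above show separately; My_Python_Service is a placeholder project name.

```yaml
steps:
  # WhiteSource scan task, referenced as in the steps above
  - task: whitesource.WhiteSource-azure-devops-services.bolt.wss.WhiteSource@21
    inputs:
      cwd: '$(System.DefaultWorkingDirectory)'
      # Placeholder name. When "Overwrite projects with latest build data"
      # is selected, it cannot be changed after the first build run.
      projectName: 'My_Python_Service'
      # One parameter per line. Parameters listed here overwrite the
      # defaults; parameters not listed keep their default values.
      configuration: |
        python.path=python3
        npm.resolveDependencies=true
```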

...

  1. To add a task to the Agent Job, click the plus (“+”) sign next to the agent job section. The Add Tasks section is displayed.

  2. In the search bar, enter whitesource. The WhiteSource task is displayed.

  3. Click the WhiteSource tab, and then click Add. The WhiteSource task is added to the pipeline.

  4. (Optional) To specify the name of the WhiteSource project to be created, enter the name in the Project name field.
    NOTE: When the Overwrite projects with latest build data checkbox from Organization Settings > Extensions > WhiteSource is selected, you will be unable to change the project name after the first build run.

  5. (Optional) To specify custom Unified Agent Configuration parameters, add all parameters in the WhiteSource Configuration field (ensure that each parameter name, along with its value, is provided on a separate line).
    NOTE: The parameters used here overwrite the default configuration parameters. Configuration parameters that were not provided will use the default values as described here /wiki/spaces/WD/pages/2169274372.

  6. Click Save & queue.

NOTE: The WhiteSource task can be moved to other locations within the steps section, depending on your preferences.

...

The WhiteSource report comprises four tabs: Inventory, Outdated Libraries, Security Vulnerabilities, and License Risks. You can view the WhiteSource report at a build or project level (aggregated report of all your builds).

Viewing the Report at a Build Level

To view the report at a build level, follow these steps:

  1. Ensure that you followed the procedures in Activating the Extension and Adding a WhiteSource Build Task to Your Pipeline.

  2. Go to the specific build’s results page for your project, and click the WhiteSource tab. The WhiteSource open-source Risk Report is displayed.

Viewing the Report at a Project Level

NOTE: Data in this report relates to all projects that were created in WhiteSource as part of the specific Azure DevOps project pipeline runs.

...

  1. Ensure that you followed the procedures in Activating the Extension and Adding a WhiteSource Build Task to Your Pipeline.

  2. Open a specific project and from the sidebar, click Pipelines. The Pipelines page is displayed. Click the WhiteSource tab. The WhiteSource open-source Risk Report is displayed.

...