Versions Compared

Old Version 26

changes.mady.by.user Michelle Friedman

Saved on

compared with

New Version 27

changes.mady.by.user Michelle Friedman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. From the sidebar on the left, select Extensions. The Extensions panel is displayed.

  2. In the search bar on top, enter whitesource and press Enter. The WhiteSource Advise “widget” is displayed in the panel.

  3. Click the Manage icon.

    Image RemovedImage Added

  4. In the popup that opens, click Extension Settings.

  5. In the WhiteSource screen, review the options and modify if necessary. See here for a list of all options.

...

  1. Select one or multiple folders from the Explorer pane.

  2. Right-click the folder (or a selection of folders) and from the context menu, click Scan folder(s) with WhiteSource Advise.

Developer Focus Mode

The developer focus mode will allow Developer Focus Mode allows developers to see only vulnerability alerts that are new in their feature branches compared to a predefined base branch. This will promote promotes the security shift left approach and will empower empowers developers to fix newly-introduced vulnerabilities immediately as part of their feature development efforts and prior to merging vulnerable code into production branches.

In order to To enable focus Focus mode, do as follows:

  1. In the WhiteSource Advise project-level configuration, enable the

...

  1. Diff operation to be performed on a base

...

  1. branch checkbox.

  2. Choose the base branch to which all other branch scans will be compared

...

  1. .

  2. Make sure that your base branch is checked out, and trigger a WhiteSource Advise scan either manually or by building your project.

In case If there was no scan on the predefined base branch after its initial configuration, all branches will show all the scan results, not just the newly created security alerts. 

Info

Every time the base branch configuration changes, a WhiteSource Advise scan must be triggered on that branch prior to seeing new security results.   

Vulnerable Commit Alert

An alert can be enabled to notify about newly added vulnerabilities when committing the code inside the VS Code. This alert will appear only if the committed feature branches have new vulnerabilities compared to a preconfigured base branch.

To enable a Vulnerable Commit Alert, do as follows:

  • Enable the Focus Mode (enable the Diff operation, choose the base branch, and trigger a WhiteSource Advise scan).

  • Go to Setting > Extensions > WhiteSource Advise and make sure that Notify on new OS vulnerabilities is enabled.

In case the commit has new vulnerabilities, the txt file will open with a notification. If you close this file, the commit will be declined and you will be able to review new vulnerabilities in the feature branch. To commit anyway type 'y' and close the file.

Advanced information about the Vulnerable Commit Alert

For this feature Advise extension is using git hooks to block a commit when new vulnerabilities are presented in the feature branch (this is a script that will run before each commit).

Advise extension will check if you have an active hook named pre-commit (all hooks are stored in the project directory in .git/hooks; if they have .sample extension it means that they are not used). If such a file isn't already used, Advise will update it so it can block vulnerable commits as described above.

If such a file already exists and doesn’t have a .sample extension (meaning, this script runs before each commit), Advise will not update this file or create a new one. In order for Vulnerable Commit Alert to work you have to manually update the pre-commit file so it has the following script.

Expand
titleScript for pre-commit file (only for Advanced use)

Code Block
exec < "./.vscode/diff/vulsCount.txt"
read -p "vuls" vuls

if [ "0" = $vuls ]
then
	exit 0
fi

if grep -q '"WhiteSource Advise.Diff.NotifyNewOsVulnerabilities": false' "./.vscode/settings.json"; then
  exit 0
fi 

#dynd=`cat ./.vscode/diff/vulsResult.txt`
#echo "$dynd" > asd2.txt

exec < "./.vscode/diff/vulsResult.txt"
echo 'WhiteSource: new vulnerabilities were found in this commit that. If you want to cancel the commit just close this file.' > "./.vscode/diff/vulsResult.txt"
echo 'If you want to proceed and commit anyway type “Y” and close this file:' >> "./.vscode/diff/vulsResult.txt"
echo 'Commit was canceled'
open -W -a TextEdit ./.vscode/diff/vulsResult.txt
#read -p "results" res
res=`cat ./.vscode/diff/vulsResult.txt`
res=`echo ${res/"WhiteSource: new vulnerabilities were found in this commit that. If you want to cancel the commit just close this file."/""}`
res=`echo ${res/"If you want to proceed and commit anyway type “Y” and close this file:"/""}`

if [[ "y" == "$res" || "Y" == "$res" || "yes" == "$res" || "YES" == "$res" ]]
then
	exit 0
fi

echo 'Please fix vulnerabilities'
exit 1

Reviewing Scan Results

After a scan is completed, a notification is displayed with informative statistics regarding the scan. These include the number of high, medium, and low severity vulnerabilities. To view more specific information regarding the vulnerability, click Show Problems inside the notification to open the Problems section. In the Problems section, for each vulnerability, the following details are displayed (note that some Problem descriptions are found on the same line):

...