...
From the Project Administration page in the WhiteSource Web-UI, add a new project tag and define the corresponding AVM application name in the WhiteSource project tag, as shown here:
NOTES:
Tag names are case sensitive (that is, they must be AVM.application.name and AVM.application.version)
If there are no applications in the AVM platform, they will be created if the avm.application.sync configuration parameter is set to true. See Configuration File & Parameters.
On Windows operating systems, the values for AVM.application.name and AVM.application.version do not support the following:
Special characters: / : * ? " < > |
All non-printable characters such as NULL, TAB, ESC, etc.
It is assumed that there is a 1:1 relationship between an application name in the AVM platform and the product/project name in WhiteSource. If the same AVM application name is mapped to multiple projects/products, only one of them will be synchronized to the AVM platform.
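
The notes above can be checked before a synchronization run. The following is an added example, not part of the agent or the vendor documentation: it flags tag names written in the wrong case, tag values containing the characters unsupported on Windows, and AVM application names mapped to more than one project. The project names and the input structure (project name mapped to its tags) are constructed for illustration.

```python
# Characters the notes list as unsupported in tag values on Windows.
FORBIDDEN = set('/:*?"<>|')
TAG_NAME = "AVM.application.name"
TAG_VERSION = "AVM.application.version"
TAGS = (TAG_NAME, TAG_VERSION)


def invalid_chars(value):
    """Return the unsupported characters (special or non-printable) in a tag value."""
    return sorted({c for c in value if c in FORBIDDEN or not c.isprintable()})


def check_tags(projects):
    """projects maps project name -> {tag name: value}.

    Returns a list of (subject, issue, detail) findings.
    """
    findings, by_app = [], {}
    for project, tags in projects.items():
        for tag in tags:
            # Tag names are case sensitive: flag spellings that differ only in case.
            if tag not in TAGS and tag.lower() in (t.lower() for t in TAGS):
                findings.append((project, "tag-case", tag))
        for tag in TAGS:
            if invalid_chars(tags.get(tag, "")):
                findings.append((project, "windows-chars", tag))
        if TAG_NAME in tags:
            by_app.setdefault(tags[TAG_NAME], []).append(project)
    # 1:1 rule: if several projects share an AVM application name, only one syncs.
    for app, names in by_app.items():
        if len(names) > 1:
            findings.append((app, "duplicate-mapping", ",".join(sorted(names))))
    return findings


# Constructed sample data, not taken from a real organization.
SAMPLE_PROJECTS = {
    "billing-service": {TAG_NAME: "Billing", TAG_VERSION: "1.0"},
    "billing-legacy": {TAG_NAME: "Billing", TAG_VERSION: "0.9"},
    "portal": {"avm.application.name": "Portal"},
    "reports": {TAG_NAME: "Reports: Q1", TAG_VERSION: "2.0\t"},
}

if __name__ == "__main__":
    for finding in check_tags(SAMPLE_PROJECTS):
        print(finding)
```
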
...
Following are the minimal parameters that must be set in the command line:
Parameter | Description | |
---|---|---|
wss.url | | |
wss.apiKey | Unique identifier of the organization. It can be retrieved from the Admin page in your WhiteSource account GUI. | |
wss.userKey | Unique user identifier. It can be generated from the Profile page in your WhiteSource account GUI. | |
avm.name | Name of the AVM application. | |
AVM platform connectivity parameters: | ||
avm.url | URL for your Application Vulnerability Management Server. | |
avm.apikey or | API key as defined in the AVM application’s account, or username and password for your Application Vulnerability Management Server. | |
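
A pre-flight check for the minimal parameter set listed above, as an added example that is not part of the agent or the vendor documentation. It assumes arguments are passed as `-name value` pairs and uses avm.user and avm.pass (from the Command Line Parameters table) as the username/password alternative to avm.apikey; the sample command line and its hosts are constructed.

```python
import shlex

# Minimal parameters from the table above (the AVM credential is checked separately).
REQUIRED = ("wss.url", "wss.apiKey", "wss.userKey", "avm.name", "avm.url")
# Parameters whose values are credentials.
SECRETS = ("wss.apiKey", "wss.userKey", "avm.apikey", "avm.pass")

# Constructed sample: placeholder keys, reserved example hosts, no AVM password.
SAMPLE_COMMAND_LINE = (
    "-wss.url https://wss.example.invalid/agent -wss.apiKey ORG_KEY_PLACEHOLDER "
    "-wss.userKey USER_KEY_PLACEHOLDER -avm.name Fortify "
    "-avm.url https://avm.example.invalid -avm.user scanner"
)


def parse_args(command_line):
    """Turn '-name value -name2 value2' into a dict of parameter -> value."""
    tokens = shlex.split(command_line)
    params, i = {}, 0
    while i < len(tokens):
        name = tokens[i].lstrip("-")
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        params[name] = tokens[i + 1] if has_value else ""
        i += 2 if has_value else 1
    return params


def check_minimal(params):
    """Return a list of problems; an empty list means the minimal set is present."""
    problems = [f"missing {name}" for name in REQUIRED if not params.get(name)]
    has_key = bool(params.get("avm.apikey"))
    has_login = bool(params.get("avm.user")) and bool(params.get("avm.pass"))
    if not (has_key or has_login):
        problems.append("missing avm.apikey, or avm.user together with avm.pass")
    return problems


def secrets_on_command_line(params):
    """Credential parameters passed as arguments, where process listings expose
    them; the configuration file named by -c keeps them out of the argument list."""
    return [name for name in SECRETS if params.get(name)]


if __name__ == "__main__":
    parsed = parse_args(SAMPLE_COMMAND_LINE)
    print(check_minimal(parsed))
    print(secrets_on_command_line(parsed))
```
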
Command Line Parameters
Parameter | Type | Description | Required | Default |
---|---|---|---|---|
-c (only CLI) | String | Configuration file name (including file path) | No | whitesource-avm-agent.config |
wss.apiKey | String | Unique identifier of the organization. It can be retrieved from the Admin page in your WhiteSource account GUI. Old name: apiKey | Yes | No default value |
wss.url | String | WhiteSource HTTP API entry point. Old name: url | No | No default value |
wss.userKey | String | Unique user identifier. It can be generated from the Profile page in your WhiteSource account GUI. Old name: userKey | Yes | No default value |
generateOfflineReport | Boolean | Whether to perform the scan in offline mode and generate a zip file for each product/project in your WhiteSource organization. | No | false |
force_sync | Boolean | Whether to synchronize all products/projects or only updated products/projects. | No | true |
wss.proxy | String | A proxy that should be used to connect to the HTTP platform; overwrites the proxy parameter below. | No | No default value |
fromDate | String | Fetch vulnerability alerts from WhiteSource from the specified date. | No | No default value |
toDate | String | Fetch vulnerability alerts from WhiteSource until the specified date. | No | No default value |
wss.connectionTimeout | Integer | WhiteSource connection timeout is measured in milliseconds. Old name: connectionTimeout | No | Default value is 120,000 milliseconds. |
-requestFiles (only CLI) | String | Provide a comma-separated list of absolute paths to the files generated by offline requests. | No | No default value |
whiteSourceFolderPath | String | Path to the whitesource folder. This folder is created when retrieving the vulnerability alerts report in offline mode. The path can either be absolute or relative. Only CLI for now | No | Default value is the folder from which the agent is running |
synchronizeFrom | String | The direction of alerts status synchronization. If the value is set to AVM: | No | AVM |
avm.application.sync | Boolean | If enabled, the specified applications are created in AVM. Includes all the products/projects in WhiteSource that have the tag "AVM.application.name". This will also create the application versions according to the "AVM.application.version" in WhiteSource. If disabled, no applications will be created on AVM. | No | true |
avm.name | String | The AVM application name. | Yes | Fortify |
avm.url | String | API base URL for your application vulnerability management server. For example: "https://threadfix.example.com:8080/threadfix". | No | No default value |
avm.apikey | String | API key as defined in the AVM application’s account. | No, if avm.user and avm.pass are set. | No default value. See https://denimgroup.atlassian.net/wiki/spaces/TDOC/pages/22619214/API+Keys |
avm.user | String | Username for your application vulnerability management server | No, if avm.apiKey is defined | No default value |
avm.pass | String | User's password for your application vulnerability management server | No, if avm.apiKey is defined | No default value |
threadfix.team.name | String | Name of team to add applications (ThreadFix only) | No | No default value. If left empty, WS organization name will be used to create a new team. |
avm.proxy | String | A proxy that should be used to connect the AVM platform; overwrites the proxy parameter below. | No | Format protocol://<user>:<password>@host\:port/ |
avm.connectionTimeout | Integer | AVM connection timeout measured in milliseconds. | No | 50,000 milliseconds. |
avm.pluginName | | Engine name at your application vulnerability management server. | No | No |
include_avm_applications | String | Enables including AVM applications to be synchronized. | No | No default value |
exclude_avm_applications | String | Enables excluding AVM applications to be synchronized. | No | No default value |
-deleteAlerts (only CLI) | String | Deletes the Artifact History from AVM for the specified applications. | No | No default value |
-deleteApplications (only CLI) | String | Deletes all specified applications from AVM. Enter a comma-separated list of applications as they appear in WhiteSource (case-sensitive). Entering "*" removes all WhiteSource generated applications from AVM. | No | No default value |
proxy | String | HTTP proxy used by the agent. Can be overwritten by avm.proxy and/or wss.proxy. | No | Format protocol://<user>:<password>@host\:port/ |
-h (CLI only) | String | Provides an explanation of all parameters. | No | |
logLevel | String | Define the debug level for logs. Options are INFO and DEBUG. Example: -logLevel DEBUG. Optional values: ALL, DEBUG, INFO, WARN, ERROR, OFF | No | INFO |
Note: Almost all command line parameters match configuration file parameters (the exclusions are explicitly listed in the table above). Use "-" + parameter
...