Versions Compared

Old Version 80

changes.mady.by.user Vital Batyr

Saved on

compared with

New Version 81

changes.mady.by.user David Jaffe

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Overview

WhiteSource Mend Advise for IntelliJ IDEA is a plug-in for the IntelliJ IDEA Integrated Development Environment (IDE) that is designed to empower developers with important, valuable information on security vulnerabilities concerning open-source components employed in their development projects.

WhiteSource Mend Advise for IntelliJ IDEA does the following:

...

Support for Languages and Package Managers

WhiteSource Mend Advise for IntelliJ IDEA supports Java, Kotlin and Scala projects using Maven (pom.xml dependency files), and supports Java projects using Gradle (build.gradle dependency files).

NOTES: 

  • Gradle Kotlin projects are not supported in WhiteSource Mend Advise.

  • When using the "apply from" script plugin in Gradle projects, remote script location is not supported.

...

Ensure the following prerequisites are met:

  • A valid license for WhiteSource Mend for Developers

  • A license key for WhiteSource Mend Advise for IDE, available via one of the following options:

    • If you do not have direct access to the WhiteSource Mend Application, obtain the license key from your WhiteSource Mend Administrator.

    • If you have access to the WhiteSource Mend Application, do as follows (NOTE: This option is only available when using version 20.11.1 or later of WhiteSource Mend Advise):

      1. Go to the WhiteSource Mend Application.

      2. Open the Profile page.

      3. In the WhiteSource Mend Advise - IDE Integration section at the bottom, select your organization.

      4. Copy your personal license key to be used later in Activating WhiteSource Mend Advise.

  • Java JDK 1.8 and up (see here for instructions) or OpenJDK 1.8 and up is installed

  • Depending on whether scanning Maven or Gradle applications, note the following guidelines:

    • Apache Maven application is installed and the Maven path and all environment variables are set up (see here for instructions).

    • Gradle application is installed and the Gradle path and all environment variables are set up. NOTE: Gradle version 4.8 or above must be installed.

  • IntelliJ IDEA is installed and you are familiar with its basic functionality

Proxy settings

WhiteSource Mend Advise for IntelliJ supports proxy settings (Appearance and Behavior → System Settings → HTTP Proxy).

...

Limitation - Gradle support for the following IntelliJ IDEA versions are not supported on macOS:

  • 2019.3

Installing

...

Mend Advise

To install WhiteSource Mend Advise, do as follows:

  1. Start IntelliJ IDEA.

  2. From the menu bar, select File > Settings. The Settings screen is displayed.

  3. From the left sidebar, click Plugins.

  4. In the Search box, enter whitesource and then press Enter from your keyboard. The WhiteSource Mend Advise plugin information is displayed.

  5. Click Install and then click Restart IDE.

  6. In the pop-up dialog box, click Restart.

Activating

...

Mend Advise

To activate WhiteSource Mend Advise, do as follows:

  1. Start IntelliJ IDEA, specifying the preferred project.

  2. From the sidebar on the right, click WhiteSource (if you do not see the sidebar, select View >Tool Windows > WhiteSourceMend). The Welcome screen is displayed.

  3. In Email, enter your organizational email (the email domain must be licensed to use Advise).

  4. In License Key, enter your license key (See here for more information on how to obtain a license key). 

  5. Click Connect.

NOTE: If you check Remember Token, the login credentials will be stored for later use. Once stored, the WhiteSource Mend Advise login credentials will be used for all projects.

Configuring

...

Mend Advise

Info

Changes made to the WhiteSource Mend settings will only apply after running the next scan.

You can configure the WhiteSource Mend settings on a global or a project level. See the following sections.

Global-Level Configuration

To configure WhiteSource Mend Advise on a global level, do as follows:

...

Project-Level Configuration

To configure WhiteSource Mend Advise on a project-level, do as follows:

...

Option

Description

Default Setting

Only show issues for direct dependencies

When enabled, WhiteSource Mend Advise will only return vulnerabilities for direct dependencies defined in your dependency file.

Unselected (not checked)

Minimum vulnerability severity level

Alert only on detected vulnerabilities satisfying a Low/Medium/High minimum severity level.

  • Low - Vulnerability alerts for all severities (Low, Medium, High) are displayed.

  • Medium- Vulnerability alerts only for Medium or High severities are displayed.

  • High - Vulnerability alerts only for High severities are displayed.

Low

...

  • From the menu bar, select Tools > WhiteSource Advise

  • From the top toolbar, click the WhiteSource icon

  • Do as follows:

    1. From the sidebar on the right, click WhiteSource.

    2. From the top, click Advise.

    3. Click Run WhiteSource  Mend Advise.

Developer Focus Mode

...

To enable Focus Mode, do as follows::

  • In the WhiteSource Mend Advise project-level configuration, enable the Diff operation to be performed on a base branch checkbox.

  • Choose the base branch to which all other branch scans will be compared.

  • Make sure your base branch is checked out, then trigger a WhiteSource Mend Advise scan either manually or by building your project.

...

Info

Every time the base branch configuration changes, a WhiteSource Mend Advise scan must be triggered on that branch prior to seeing new security results.   

...

  • Enable the Focus Mode (enable the Diff operation, choose the base branch, and trigger a WhiteSource Mend Advise scan).

  • Go to Setting > Version Control > Commit > Before Commit and make sure that Notify on new OS vulnerabilities is enabled.

...

This section describes how WhiteSource Mend Advise can be used to display security vulnerability details for a project, via IntelliJ's main code view.

...

  • To quickly locate the component referenced by a reported vulnerability in the project’s pom.xml or build.gradle view, double-click the component in the WhiteSource security check tab. The referenced component description in the pom.xml or build.gradle file will be displayed and highlighted in the main code view.

  • To quickly locate vulnerability analysis results for a component in the pom.xml or build.gradle view, click the WhiteSource Mend Advise severity icon displayed to the left of that component reference in the pom.xml. Note that the icon denotes the severity of the vulnerability (yellow: low severity; orange: medium severity; red: high severity). A tooltip featuring relevant analysis details including a dependency path from the proprietary code to the open-source component will be displayed. Vulnerability details are also displayed as part of the tooltip and include the vulnerability identifier (e.g., CVE), severity, and a fix suggestion if available. A Details link is displayed which leads to the WhiteSource Mend Vulnerability Database, providing more information on the specific vulnerability.

  • To quickly display an analysis summary for a component in the pom.xml or build.gradle view, hover the mouse pointer over the code for the component in that view; a tooltip will be displayed, featuring a list of the highest severity vulnerabilities found within the particular component. To display a list of all the vulnerabilities, press Alt+Enter.

...

To view version information about WhiteSource about Mend Advise, do as follows:

  • From the sidebar on the right, click WhiteSource (if you do not see the sidebar, select View >Tool Windows > WhiteSource). The Welcome screen is displayed.

  • From the Welcome screen, click About. 

The About screen displays information about the Advise plugin's version, general information on your IDE, along with links for Privacy policy and Terms and Conditions.

Generating Debug Logs for

...

Mend Support

To generate debug logs, do as follows:

...

Debug logs will now be generated for the integration. To access them you need to click on Show Log in Explorer/Finder in the Help menu.

Upgrading

...

Mend Advise 

To upgrade the WhiteSource Mend Advise plugin, do as follows:

  1. From the menu bar, select File > Settings > Plugins. Ensure that you are in the Installed tab. A list of installed plugins is displayed.

  2. In the Downloaded section, search for WhiteSource Mend Advise, and on the right-hand side, click Update.
    NOTE: If there is no new version, the Update button will not appear, and there is no need to continue this procedure. 

  3. Select WhiteSource Mend Advise.

  4. If you are prompted to restart, do so.

...

Uninstalling Mend Advise

To uninstall the plugin, do as follows: 

  1. From the menu bar, select File > Settings > Plugins. Ensure that you are in the Installed tab. A list of installed plugins is displayed. 

  2. In the Downloaded section, search for WhiteSource Mend Advise and click it. The WhiteSource Mend Advise plugin page is displayed.

  3. On the right-hand side, click the drop-down box, and then click Uninstall. The Plugin Uninstall dialog box is displayed. 

  4. Click Yes to confirm.

  5. If you are prompted to restart, do so.