Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.



WhiteSource recommends using the Unified Agent.

Analyzing Archives Files


The drill-down hierarchy is limited to a maximum of 10 and can be modified in the configuration file.
By default, the drill-down hierarchy level is zero - no drill down.
Supported archive types are as follows:

  • .aar

  • .car

  • .ear

  • .egg

  • .gem

  • .hpi

  • .jar

  • .nupkg

  • .rar

  • .rpm

  • .sca

  • .sda

  • .tar

  • .tar.bz2

  • .tar.gz

  • .tar.xz

  • .tgz

  • .war

  • .whl

  • .xz

  • .zip


  • In case of Ruby .gem files, only the data.tar.gz file is extracted, and all the other content files are ignored.

  • In Ruby, one hierarchy level is defined to extract Ruby's .gem and data.tar.gz files.

Providing a Project Name Only in a Unified Agent Scan


If a scanned project uses a configuration file that contains only a defined 'projectName' (where 'projectToken’projectToken, ‘productName’ productName and ‘productToken’ productToken are left empty), then the Unified Agent adds the results to the first project it finds in the organization that contains the same project name.
If a multi-module project is scanned with the same configuration as described above, and a project with one of the module names already exists, then the Unified Agent adds the module data to this existing project.


When this checkbox is selected, the following rules apply to all future scans:

  • When only 'projectName ' is provided in the Unified Agent configuration (as demonstrated in the above example), the Unified Agent adds the project to a default product named 'My Product'. This rule is implemented only when the default product 'My Product' does not already contain a project with the same name.

  • If the default product 'My Product' already contains a project with the name specified in the 'projectName' parameter, then the Unified Agent returns an error to the user with the message "Project <PROJECT_NAME>' already exists in 'My Product'. A 'productToken' or 'productName' value should also be specified".

  • If a multi-module project is scanned, and a project with one of the module names already exists under your product, an error is returned and none of the projects are created as part of the scan.


(Linux: $?,  PowerShell:  $LASTEXITCODE,  Batch: %ERRORLEVEL%)

Exit Code

Exit Message




Scan completed successfully.



General error has occurred.



One or more of the scanned components violates an Organization or Product level policy.
Policy summary reports are created and saved in the newly-created whitesource directory, located under the current working directory ($pwd or %cd%).
Only applicable when configured to checkPolicies=true and forceUpdate=false.



Client-side error has occurred.



The agent was unable to establish a connection to the WhiteSource application server (e.g., due to a blocked Internet connection).



Server-side error has occurred (e.g., a malformed request or a request that cannot be parsed was received).



One of the package manager's prerequisite steps (e.g., npm install, bower install, etc.) failed.
Only applicable if the appropriate property is set to true (npm.runPreStep, bower.runPreStep, etc.).



Analysis will commonly display the following EUA code at successful completion: [EUA000] Analysis completed successfully. The Unified Agent returns a [-100] exit code if the analysis reported an exit code other than [EUA000].


Best Practices for Offline Mode (Optional) 


It 's is possible to save the output of the scan into a file instead of sending it directly to WhiteSource by HTTPS. This approach is useful in case there is no connectivity (or limited connectivity) while scanning.

By changing the configuration file to offline mode, any execution of the Unified Agent will store the current configuration and metadata in a JSON .txt file named update-request.txt, located in the newly-created 'whitesource' directory. It is located under the current working directory ($pwd or %cd%). This file can later be manually uploaded to WhiteSource from the Admin Console or via the command line.


  • Only descriptive information is sent to our servers. All of the processing is done locally on your machine.

  • Dimensions CM is also supported by using either Git via Git Connector or Subversion via CM Bridge. 

  • You cannot scan both a local repository and a remote repository simultaneously. If you are intending to scan a local repository and not a repository and not a remote repository, then use the '-d' parameter instead of the SCM parameters that are described below. 


Multiple remote repositories can be scanned by creating a JSON file, similar to the following example:

Code Block




    { "url":"path/to/remotreRepository1", "branch":"ChooseBranch", "tag":"ChooseTag" },


    { "url":"path/to/remotreRepository2", "branch":"master", "tag":"0.2" }





Remote Repository (SSH)

SSH is currently supported only for Git repositories.


Default Behavior 

When the  'failErrorLevel ' parameter is set to 'DEFAULT', the behavior of the exit codes stay stays the same.

Modifying the Default Behavior 

When the  'failErrorLevel ' parameter is set to 'ALL', the Unified Agent returns an error code for all errors in the scan, rather than 'SUCCESS'. This can be useful for customers migrating from the plugins (NPM, MAVEN etc.) to the Unified Agent.

The parameter sets additional scenarios to 'error ' instead of 'success'.The following cases are considered as 'Failure':


  • npm.resolveDependencies=true, but resolve dependencies failed

  • nuget.runPreStep=true, but the pre-step failed

  • mvn dependency:tree failed or partial data was retrieved


When the ignore resolver errors parameters are set to true (e.g., ‘npm.ignoreNpmLsErrors’ is set to true) the scan will not fail. If all of these parameters are set to false, then they will fail the scan.

In case there are multiple revolvers and at least one failed, then all resolvers are considered as a failure.