...

IMPORTANT

Beginning in version 21.3.2, WhiteSource will be modifying the opening topics of the User Guide section of the documentation. This includes editing and condensing the existing content (therefore archiving certain topics) for better usability, removing unnecessary and/or duplicate content, and restructuring the topic hierarchy for a logical flow. Since this project will be a “work in progress” for an unspecified amount of time, WhiteSource apologizes in advance for any inconvenience this might cause.

Version 21.4.2 (9-May-2021)

New Features and Updates

Unified Agent

  • NPM and Yarn configuration are now optimized by automatically executing the relevant pre-step (npm install or yarn install) based on the lock file detected (yarn.lock or package-lock.json) when npm.runPreStep = true.

  • Beginning in this version, nuget.runPreStep and nuget.restoreDependencies will be combined. This works the following way: if nuget.runPreStep = true, then dotnet restore will be performed on found .csproj files. As a result of this merge, nuget.restoreDependencies will be deprecated.

Notices

The TeamCity plugin will reach its End Of Life starting November 1, 2021. After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until May 1, 2022. Following this date, the TeamCity plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on November 1, 2021 to maintain full support of your product.

Documentation

  • The following pages were deprecated:

    • Requesting an Arbitrary File

    • GitHub Related Topics

    • The License Identification page - its content was merged with Changing a Library’s License

    • The License Analysis page - its content was merged with Understanding Risk Score Attribution

  • The Policies API page has been deprecated, and a new and updated Policies API page has replaced it.

Version 21.4.1 (25-April-2021)

New Features and Updates

Unified Agent

  • The Unified Agent now supports Apache Ivy as part of the Ant dependencies detection.

...

  • Users encountered errors logging in to WhiteSource.

  • Project name or project token were mandatory parameters for Docker scanning unnecessarily.

  • Users were unable to delete roles when there were no roles remaining.

  • When the Inventory Report was exported to MS Excel, there was extra whitespace between the project name and the Direct Dependency.

  • When password complexity validation was enabled, users were unable to reset their passwords.

  • NPM/Yarn downloaded artifacts were not always removed at the end of the Unified Agent scan.

  • In the Unified Agent, a null pointer exception occurred when scanning ANT-based projects with an empty zip file.

Documentation

  • New and updated WhiteSource Prioritization documentation has been released. See here.

  • The R Integration page was deprecated and its content was moved to the Unified Agent Configuration Parameters page.

  • In the next version, the following pages will be deprecated:

    • Requesting an Arbitrary File

    • GitHub Related Topics

    • The License Identification page - its content will be merged with Changing a Library’s License

    • The License Analysis page - its content will be merged with Understanding Risk Score Attribution

    • The New Versions Alerts page - its content will be merged with the Project Page

...

Version 21.3.2 (11-April-2021)

New Features and Updates

Web UI

  • Customers can now configure SAML integration for multiple global organizations with the same Identity Provider (IDP).

  • Product and Library Priority Scoring Reports: New reports provide information on the priority of a library or product, taking different threat and impact factors into account. See here for details.

  • Starting this version, SmartMatch is the default algorithm used for source files matching when a new WhiteSource Organization is created.

  • The name of the Sun license was changed to Sun Public License.

Unified Agent

Major improvements to the Go Modules dependencies detection have been introduced with the addition of a new optimized resolver for Modules, controlled by a separate set of parameters. Two separate settings are now supported: new parameters for controlling the new Modules resolution and the existing Go parameters for controlling Modules and the other Go package managers. The new Modules resolver detects only the actively-used dependencies and includes the following new parameters:

...

  • Archive extraction of the Zstandard format RPM file failed.

  • A problem with missing shields occurred during Prioritize scans with NPM due to incorrect handling of duplicate dependencies.

  • Some Unified Agent's log messages were not taken into account when setting the logLevel parameter.

  • Generating the Due Diligence Report resulted in a blank report.

  • When Jira Server was connected to PostgreSQL, an exception occurred in the Jira Plugin when trying to add a new row to the table.

Notices

The following is planned for the next Unified Agent releases:

...

Version 21.3.1 (4-April-2021)

New Features and Updates

Azure DevOps Services Integration:

...

  • Using the Unified Agent’s Archive Extractor when trying to scan the root of the operating system resulted in a null pointer exception.

  • In AVM, a timeout occurred when fetching vulnerabilities information from Fortify.

Documentation

  • The NuGet Plugin page was deprecated.

  • In the next version, 21.3.2, the following changes will be implemented:

    • The Deprecated Features topic will be deprecated and its content will move to the Notices page

    • The High Severity Bugs Report topic will be deprecated

    • The File System topic will be deprecated

  • Additional modifications will be implemented to the opening documentation sections, beginning with the login/homepage documentation.

Notices

In the next Unified Agent release, major improvements to the Go Modules dependencies detection will be introduced with the addition of a new optimized resolver for Modules, controlled by a separate set of parameters. After this change, two separate settings will be supported: new parameters for controlling the new Modules resolution and the existing Go parameters for controlling Modules and the other Go package managers. The new Modules resolver will detect only the actively used dependencies and will enable controlling whether to include test dependencies and duplicate dependencies. 

Version 21.2.2 (14-March-2021)

New Features and Updates

Unified Agent

  • This version introduces support for NPM 7.

  • A new parameter, fileSystemScan, replaces the soon-to-be-deprecated ignoreSourceFiles.

...

  • In some cases, information regarding source libraries was not displayed correctly; for example, empty projects were still displayed in some source libraries, or some source libraries appeared as empty.

  • Running the gcloud auth command failed during Docker scan on Mac computers.

  • Users with roles other than admin or alert ignorer were able to ignore alerts in VBA mode.

  • Exceptions occurred when trying to assign licenses as part of update policy alerts.

  • In the Unified Agent, when scanning NPM, NPM dependencies were not resolved when package.json did not contain name/version attributes.

  • When downloading a missing jar file, the Unified Agent incorrectly generated success messages.

  • Added indication for missing copyright references in the Attribution report summary.

  • When excluding inner modules (projects) in Gradle, the scan would return the wrong dependencies tree.

  • Azure DevOps Services Integration: In some cases, adding npm.resolveMainPackageJsonOnly=true to the WhiteSource Configuration task parameter led to a scan failing.

Documentation

Beginning in this version the following page was archived and is therefore no longer in use.

...

Version 21.2.1 (28-February-2021)

New Features and Updates

Unified Agent

  • Scala dependencies detection was improved by supporting the sbt-dependency-graph plugin when applicable.

...

New Feature Announcements

  • WhiteSource is launching a Beta release of a new generic platform for issue tracker integrations and a plugin for Jira Server. The new platform will provide the ability to integrate with issue tracking systems, in order to automatically create issues when a policy match occurs. The Jira Server Plugin is the first integration developed using the new platform and more out-of-the-box plugins are planned to be released.

Documentation

The following topic has been deprecated:

...

  • Azure DevOps Services Integration: Running a pipeline build from a self-hosted agent resulted in a WhiteSource-generated .encrypted file not being deleted at the end of each WhiteSource build task run.
    NOTE: Self-hosted agent builds triggered before 14 February may still contain traces of WhiteSource-generated .encrypted files. These files must be manually removed from the self-hosted agent work folder.

  • On rare occasions, library alerts were not created after the vulnerability sync.

  • Duplicate hashed source files caused the second one to be considered as unmatched.

  • In Linux, Python scans failed due to a missing space in the execution of one of the commands used for resolution.

  • In the Unified Agent, there were exceptions when parsing specific pipfile formats.

Documentation

The following topics have been deprecated and all their content has been merged into the Unified Agent documentation:

...

Version 21.1.1 (31-January-2021)

New Features and Updates

Web UI

  • Beginning in this version, the Auditor role for service users can be assigned to users from the UI.

...

  • Several issues have been resolved regarding Docker Layers:

    • Layers with the same SHA1 were represented as one resource.

    • Layers with a SHA1 already created as “unknown” from previous scans were recognized as that resource, and therefore the display name did not reflect the layer.

    • Layers with SHA1 were unnecessarily looked up in the index.

  • Discrepancies were found between the Alerts Widget and the Library Page.

  • Vulnerability-based alerting: In the 'Vulnerable Libraries' section on the 'Security Vulnerability' page, the libraries were not filtered by the specific CVE. As a result, the CVEs were ignored and the filter returned all the vulnerable libraries in the organization.

Notices

  • In the Unified Agent’s upcoming releases, major improvements to the Go Modules’ dependencies detection will be introduced. A new optimized resolver for Go Modules, controlled by a separate set of parameters will become active, paving the way for more specific control over Go resolution.

Version 20.12.3 (17-January-2021)

New Features and Updates

  • The Unified Agent now supports scanning Google Distroless images.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile flag, is now the default dependency detection for NPM.

...

Version 20.12.2 (3-January-2021)

New Features and Updates

Web UI

Unified Agent

  • A new parameter, python.includePipenvDevDependencies, has been added to provide the ability to manage the dev dependencies. The default value is true.

...

  • When searching for a library via global search, then searching for a vulnerability via the same search, the page redirects to the library search page.

  • When resolving several requirements.txt files, the cache of the dependencies was not cleared between the different resolutions.

  • When running the Unified Agent, the ArchiveExtractor failed to extract files ending with an empty space.

  • In the “Source File Inventory” report, if users selected to change the library for files they had no permissions to, the Change Library action had no effect and no message was displayed. Now, this action can only be done by selecting the desired files, then Actions > Change Library menu. The users' permissions are validated and a proper message is displayed.

  • After repeatedly using “Assign Yourself”, the pop-up window appeared blank and users needed to click “Add License Reference” or “Override All” in order to see the mandatory fields.

  • When running SBT Coursier, the Unified Agent did not run pre-step commands even though pre-step flags were activated.

  • Changes to licenses being updated either in the index (libraryDataSync API) or in the Admin Console did not trigger alerts calculation.

  • The Unified Agent did not support the packages.db RPM database.

Documentation Updates

The following integration pages have been archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.

...

Version 20.12.1.1 (21-December-2020)

  • Fixed an issue introduced in the latest version (20.11.2) in which unmatched source libraries were missing from the Project/Product page.

Version 20.12.1 (20-December-2020)

New Features and Updates

Web UI

  • Resetting forgotten passwords is now validated with a CAPTCHA test.

  • A disclaimer has been added to the Library Details page for temporary matches on Go dependencies.

...

Version 20.11.2 (6-December-2020)

New Features and Updates

Web UI

  • The Product Page and the Project Page now feature filtering and improved pagination in the Libraries panel, thereby improving performance and user experience for projects with over 1000 libraries.

...

Version 20.11.1 (22-November-2020)

New Features and Updates

Unified Agent

  • The maximal extraction depth, configured in archiveExtractionDepth, has been increased to 10.

...

Version 20.10.2 (8-November-2020)

New Features and Updates

Prioritize

  • Added support for C# in Prioritize.

  • Added Fast Scan Analysis mode for Java in Prioritize.

...

  • Added a WhiteSource Support Token to the WhiteSource task logs.

Documentation Updates

Unified Agent

A modified Unified Agent documentation repository has been launched, with the intent to increase usability, update existing content, fill in missing gaps, and create a linear flow.

...

Resolved Issues - Azure DevOps Services Integration (added 10-November-2020)

  • Fixed an issue where in some cases, users with non-admin permissions were not able to view the WhiteSource open-source risk report. All existing WhiteSource for Azure DevOps Services extension users will need to approve the extension permission changes that were applied in this version. To approve the new changes, do as follows:

    1. Go to Organization Settings > Extensions > Installed > WhiteSource for Azure DevOps Services.

    2. Click Review. The Authorize WhiteSource for Azure DevOps Services popup is displayed.

    3. Click Authorize.

  • Scanning a project based on a GitHub Repository led to a RangeError error.

Version 20.10.1.1 (4-November-2020)

...

Version 20.10.1 (25-October-2020)

New Features and Updates

WhiteSource Core

  • In order to comply with industry standards, WhiteSource has decided to remove the option of searching a library via drag and drop. Library searching can now only be done by entering the library’s name (added November 1, 2020).

Azure DevOps Services Integration

  • Added the ability to specify custom Unified Agent Configuration parameters to be used by a particular pipeline build. For this, a new field, WhiteSource Configuration, was added to the WhiteSource task. For more information, see here.

Documentation Updates

Unified Agent

Beginning in version 20.10.2 (approximate release - November 8), a modified Unified Agent documentation repository will be launched, with the intent to increase usability, update existing content, fill in missing gaps, and create a linear flow.

...

Version 20.9.2.1 (15-October-2020)

Unified Agent

  • The default NPM dependency detection method was changed to running the "npm ls" command due to an anomaly observed in the Unified Agent requests size using the new optimized NPM resolution method.

...

Version 20.9.1 (4-October-2020)

New Features and Updates

WhiteSource Core

  • Currently, when accessing the Custom Attributes report, the report’s data is fetched automatically. This can be time-consuming if the organization has many libraries and many custom attributes defined. Beginning in this version, an Apply button has been added, enabling users to query the data on demand only.

Unified Agent

  • Beginning in this version, the strict requirement of running the Unified Agent with the configuration file has been removed. If the mandatory parameters are passed to the Unified Agent, in any of the supported methods, the Unified Agent can be run without failing even if the configuration file is missing.

  • Beginning in this version, if the Yarn lock file (yarn.lock) is found during the scan, it will be used for the dependencies detection, without the need to explicitly set the npm.yarnProject flag.

...

Version 20.8.2 (13-September-2020)

New Features and Updates

  • Helm version 3 support is officially introduced for the Kubernetes integration.

...

  • If hex.ignoreSourceFiles was set to true, the Unified Agent did not ignore .erl source files.

  • When groups were created via SAML integration and were then deleted manually from the dashboard, an exception occurred.

Notices

  • Within the next two releases of the Unified Agent, a significant improvement to the NPM dependency detection will be introduced. An optimized NPM resolution method, controlled by the npm.resolveLockFile flag, will become the default dependency detection for NPM. This will be applied by changing the current default value of the npm.resolveLockFile flag from false to true. This will significantly improve the scanning time of NPM projects and produce more accurate results.

...

Version 20.8.1 (30-August-2020)

New Features and Updates

Unified Agent

A new format of Docker project name is now supported - repositoryName - which is based on the Docker repository name only. This format can be applied by setting the docker.projectNameFormat parameter to repositoryName.

...

  • Fixed CVE-2020-2213

Prioritize

  • Aggregate Modules mode supported (using the -aggregateModules field).

Functionality Changes

  • In the Project Association page, the Product column was changed from a selection column to a text column. The project association is now only available by checking the desired project(s) and choosing “Assign to Product”, then choosing the desired product from the drop-down list.

  • When using “APPEND” update requests, in the rare case where only a TRANSITIVE dependency has been added, the new transitive dependency will be added as a direct dependency, so that all of the application's mechanisms, such as alerts and policies, are applied to it. This is a change to the current behavior. In order to have the new dependency added as transitive, users can run another “OVERRIDE” Update Request after the append request.

...

Version 20.7.3 (16-August-2020)

New Features and Updates

Web UI

  • Beginning in this version, when creating/editing a policy based on a Jira project with a mandatory field from a type which isn't currently supported, but has a default value defined for it in Jira, the operation will succeed.

...

  • Scanning docker images with source files led to duplicate appearances of the source libraries in the Hierarchy view.

Notices

  • Within the next two releases, WhiteSource will be improving the Unified Agent configuration by removing the requirement to have a configuration file, if all the mandatory parameters are set (passed as command-line parameters or by environment variables).

Version 20.7.2 (2-August-2020)

New Features and Updates

WhiteSource Core

  • SAML session token duration (the time between the IDP authentication and the WhiteSource login) was changed from 10 minutes to 5 minutes.

...

  • A new API, setNotice, enables setting the value of the library’s notice.

Unified Agent

  • Improvements were made to the Docker scanning of the Linux RPM-based images.

  • Users can now configure Unified Agent parameters using environment variables.

  • The Bazel support for Go projects was extended to Windows. The Unified Agent can now scan on both Linux and Windows Go projects using the go_repository rules generated by Bazel Gazelle (see here).

...

Version 20.7.1 (19-July-2020)

New Features and Updates

Unified Agent

  • Users scanning docker images can now receive information regarding packages in layer granularity. The new functionality can be enabled by setting the docker.layers parameter to true. The layer granularity can be viewed in the UI under the hierarchical display (Show as Hierarchy).

  • Improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag are introduced. The improvements include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting npm.resolveLockFile to true.

  • A new flag, npm.ignoreDirectoryPatterns, enables users to determine the list of ignored directories.

  • The Bazel support was extended to Go projects. The Unified Agent can now scan on Linux machines Go projects using the go_repository rules generated by Bazel Gazelle (see here).

...

Version 20.6.2 (5-July-2020)

New Features and Updates

WhiteSource Core

Unified Agent

  • The Unified Agent’s checkPolicies-json.txt file now includes the system path and manifest file path for each of the components, when this information is available.

  • A new parameter, python.localPackagePathsToInstall, enables users to configure a list of local package paths that will be installed during the pre-step, if required.

...

  • Upgraded the following:

    • WildFly to version 10.1.0 

    • JQuery to version 3.5.0

  • The Unified Agent’s version is now displayed in the Web Application’s Project Vitals.

  • The docker image retrieval mechanism was improved resulting in a reduction of the UA scanning time.

Resolved Issues

  • In the Risk Report, in the General Overview panel, when selecting a product, an incorrect title and link were displayed.

  • While handling getOrganizationInHouseLibraries requests, a Null Pointer Exception occurred.

  • In situations where Requires review was the least common license in an organization/product/project, the License dashboard ceased to function.

  • The Attribution Report had issues with a misplaced header.

  • There were issues with proxy settings in the HTML dependency resolution.

  • The TeamCity plugin always failed as a result of a check policy request.

  • Under certain conditions, scanning SBT dependencies resulted in errors.

  • Local libraries used by a Python project were not detected. This ability was introduced in this release, controlled by the python.localPackagePathsToInstall flag.

...

  • If the Last Scan Comment field contains multiple lines, only the first line will be displayed in the Project Vitals area.

Notices

  • In the next release, improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag will be introduced. The improvements will include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting npm.resolveLockFile to true.

...

Version 20.6.1 (21-June-2020)

New Features and Updates

WhiteSource Core

Web UI

  • The Attribution Report has undergone several enhancements, including the following:

    • select which fields to include/exclude from the report

    • apply filters to the report

    • include a custom attribute in the report

    • export the report to a JSON format

    • hide fields containing empty values

  • Beginning in this version, an indication on the vulnerability page displays which vulnerabilities were modified in the previous month.

  • Beginning in this version, the WhiteSource Expert Fix is the first solution recommended to customers in the list of suggested fixes.

Unified Agent

  • This version introduces a Dockerized Unified Agent. More information can be found here.

  • Bazel resolution is now enabled by default. The UA now supports Bazel for Java projects. The following two rules are supported: maven_install, maven_jar.

  • This version introduces support for OpenSUSE leap images via the Unified Agent Docker scan.

...

Version 20.5.1 (24-May-2020)

New Features and Updates

WhiteSource Core

Web UI

  • In the ADD/EDIT policy function, mandatory fields of types string, string array, user, and number are now also supported. When choosing the issue type in the project, the mandatory fields are displayed and must be filled in.

  • In certain reports, the following was added to all panels with multiple selections:

    • A count indicator for the number of selected rows that appear when selecting rows of a data grid panel. This counter updates automatically when selecting/deselecting rows.

    • Next to the counter, a 'clear selection' button clears all selected rows when clicked.

Unified Agent

  • Beginning in this release, the NuGet resolution will be improved and aligned to the other resolvers by excluding the system packages from the scan results by default.

  • Beginning in this version, the .coffee source files will not be taken into consideration when npm.ignoreSourceFiles is set.

...

  • In the Library Details screen, the new Aggregated Data tab displays aggregated data for licenses, policies, vulnerabilities, and library data.

Unified Agent

  • This version introduces support for the npm.ignoreScripts parameter for yarn.

  • Improvements were made to Go projects scanning.

...

  • A risk score was added for license Open LDAP 2.4.

Unified Agent

  • This version provides support for Global Packages for Poetry.

  • In addition to parsing/collecting yarn dependencies, the Unified Agent now supports adding yarn workspaces with their dependencies (direct and transitive) as a hierarchy tree.

...

  • This version introduces support for Bamboo server versions up to 7.0.3.

Functionality Changes

  • Beginning in this version, ignoreSourceFiles is taken into account in the top folder for all cases.

  • Beginning in this version, the Maven resolver will not ignore .jar, .war, .ear, and .zip files when ignoreSourceFiles is set.

  • When setting a Reporter for issues that require one, the reporter will now be chosen from a list (same as selecting an assignee) instead of the previous way where there were text boxes for inserting a Reporter name and display name.

  • The Unified Agent setting maven.ignoredScopes=NONE is no longer a pre-condition for running Prioritize on Maven projects, but remains as the default setting. Regardless of the Unified Agent configuration file parameter setting, Prioritize analysis will ignore test scope dependencies.

...

  • In the library details page, users can now manually override the license text to their library's specific license text. The new license text will be displayed in the Attribution Report and in the Release Management Dashboard, both in the UI and via APIs.

  • In the Attribution Report, for manually assigned copyrights with a comment, the comment now appears in a new section called Comments in the library’s Copyrights section.

Unified Agent

  • The Unified Agent now supports Scala sbt-coursier and sbt 1.3.x.

  • Docker Azure login to ACR Registries is now supported.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • Support for Cabal version 3 is now provided.

...

  • Previously, in the Library Location Report, when a library had no path it was displayed in the UI as "N/A". This has been changed to an empty string.

  • Within the next two sprints, WhiteSource will be improving the Unified Agent scan results, mostly regarding Maven resolution. Binaries such as .jar, .war, .ear, and .zip will be included in the scan when ignoreSourceFiles is set.

  • In addition, ignoreSourceFiles will be taken into account in the top folder when packaging appears in the pom file.

Resolved Issues

  • Some nupkg libraries that did not have a dash ('-') in the display name as the version separator were not recognized as the same library and therefore did not generate Multiple Library Versions.

  • When generated to a .PDF, the Use of Different Versions of Same Library section in the Risk Report had a different title.

  • Under certain situations, goGradle scans failed with a null pointer exception.

  • An overlap in the resolvers' bom files resulted in the order of the resolvers being changed.

  • The Effective Usage Analysis dashboard displayed 0% coverage although vulnerabilities existed.

  • Under certain conditions, a NoSuchElementException occurred when getting a product approver during update requests.

  • Under certain conditions, the parsing functionality in Go 1.14 did not work correctly.

  • Under certain conditions, scans of Docker images resulted in exceptions.

  • Under certain conditions, new version alerts weren't created.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • A new parameter, python.resolvePipEditablePackages, enables the support of pip in editable mode (-e), thus presenting additional dependencies in WhiteSource for Python projects.

  • New Package Manager support: This version introduces support for Gradle Kotlin DSL.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • The Library Details page has been redesigned whereby the information is now organized into four separate tabs.

  • The Unified Agent now supports SBT 1.3.x and above.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • In the Policies functionality, the bug rating and version activity match types have been removed, and there is no longer a way to add new policies of these types. Existing policies with these types, though, will be editable.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • This version introduces support for the DNF Package manager for CentOS.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • This version introduces support for Poetry, a new package manager for Python.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • NPM Resolution: Optimized scanning behavior and reduced scan time. The new functionality relies only on the package.json instead of NPM commands and can be enabled using the flag: npm.resolveLockFile=true.

  • The Unified Agent has been enhanced to cover more cases of Maven configuration (i.e., for customers using different formats for Maven tree output).

...

New Features & Updates

WhiteSource Core

Unified Agent

  • Added flexibility for “R” programming language scanning: This version provides support for the R programming language for customers who are not using its main package manager, Packrat.

  • The Unified Agent has been enhanced to cover more cases of Maven configuration (i.e., for customers using different formats for Maven tree output).

...

New Features & Updates

WhiteSource Core

Unified Agent

  • Easier Onboarding for JFrog Artifactory Docker Integration: Beginning in this version, the Unified Agent is now able to download Docker images from artifactory as an archive file, then extract and scan them.

  • Added flexibility for JFrog Artifactory Docker image scan: Two new parameters, artifactory.includes and artifactory.excludes, provide customers with the ability to filter which images to scan in their repositories.

  • A new parameter, php.ignoreSourcefiles, provides more extensive results for customers using PHP by enabling users to decide whether to ignore source files scanning.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • Detect Mode - Enhanced environment-based recommended configuration capability: The generated configuration file now supports the ‘includes’ parameter.

  • In cases where the Unified Agent execution has an issue (for example, policy violation), the Bitbucket pipe will reflect it and fail the build.

  • Better customization and control: Customers can now change the default location where Unified Agent logs are saved.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • The Unified Agent now supports scanning the opam package manager for the OCaml programming language.

  • Aligning the Unified Agent to the Maven plugin behavior: A new boolean parameter in the Unified Agent, maven.projectNameFromDependencyFile, controls if a project name will be taken from the dependency file.

  • Aligning the Unified Agent to the NPM plugin behavior: An existing parameter, npm.projectNameFromDependencyFile, controls whether the project name will be taken from the dependency file.

  • Added flexibility: It is now possible to set project metadata information using a project tag (key and value) via the Unified Agent command line and the Unified Agent configuration file.

  • When scanning Docker images in which NPM is not available, the new npm.resolveGlobalPackages parameter extracts global dependencies without relying on NPM being installed.

...

  • Extending auditing capabilities: In the Change Log History Report, there is now support for auditing changes in vulnerability score/severity.

  • This version brings the following enhancements:

    • Added granularity: Support for changing a library to a source file at the Product level, not only at the Organization level.

    • Alignment with the API: As required by the change library API, the user must be a Product or Organization Administrator, not a regular user.

  • New auditing enhancement that extends existing functionality to the Change Log History Report: When changing a library, customers can now track when the changes occurred, according to new records in the ChangeLog.

Unified Agent

  • For easier debugging and maintenance, the Unified Agent log now contains all the Unified Agent configuration parameters in a more organized manner.

  • A new optional NPM parameter, npm.failOnNpmLsErrors, enables a smoother transition between the NPM plug-in and the Unified Agent when handling “npm ls” errors.

  • The SBT resolver now supports additional scopes such as `test`, `runtime`, `provided` etc.

...

  • The following improvements have been made to the /wiki/spaces/WD/pages/710575608:

    • As part of ongoing enhancements to this report, the accuracy has been improved and the results are more detailed.

    • “Type” (the library’s programming language) has been removed in favor of “Incompatibility Type” (the type of conflict between two libraries’ licenses).

    • A new Incompatibility Type, Potential Incompatibility, has been added. It indicates that the library being evaluated is licensed under multiple licenses, so the user must choose which of those licenses applies.

  • Better customization for the Attribution Report:

    • Users can now select whether to include licensing text in the existing Licensing section or in a new dedicated “Appendix: License Details” section.

    • Users can now select whether Primary Attributes (a.k.a. custom attributes) will be featured in the Attribution report.

Unified Agent

  • The Unified Agent now supports Python global packages resolution.

  • New enhancements for the Serverless Plugin enable running additional parameters from a YAML file and passing them to the Unified Agent configuration.

  • For customers without a Docker installation in their environment, the Unified Agent can now scan a tar.gz file that represents a saved Docker image (enabled by docker.scanTarFiles=true).

...

Version 19.8.1 (8-September-2019)

...

  • The Dashboard view has undergone the following changes:

    • The Top Alerts pane now displays a dedicated summary count of system category alerts reported for a given organization, product or project. This includes the total count of policy violations, versions, licenses, quality and security alerts.

    • Clicking a category name or count now opens a detailed listing of the alerts reported for that category, in an Alerts view corresponding to the clicked item, so the user can act on the listed alerts.

  • Marking libraries as in-house enhancements:

    • Auditing enhancement: Rules added or removed through In-House Rules are now tracked and can be displayed in Change Log History.

    • It is now possible to create an in-house rule whose name matches that of the selected library.

    • The help text on the In-House page has been revised and improved.

  • It is now possible to disable all email notifications for administrators.

Unified Agent

  • Improvements in Kubernetes integration: The Kubernetes SDK is now used to retrieve information.

  • Parameter name additions: gradle.ignoredScopes can be used in addition to gradle.ignoredConfiguration, and gradle.includedScopes can be used in addition to gradle.includedConfiguration.

  • Each successive scan of the same library generates its own folder (relevant only for logs).

  • The Unified Agent now supports the extraction of .hpi files.

  • Improvements in SBT dependency resolving have resulted in more accurate output.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • Docker Artifactory integration is now enabled with a read-only user via the new configuration parameter docker.artifactory.dockerAccessMethod.

  • The new configuration parameters log.files.level, log.files.maxFileSize, and log.files.maxFilesCount store Unified Agent logs by default. Keeping these logs means that when a scan has a problem, the user does not need to rerun it just to produce logs for the Support team. The feature is enabled by default; customers who do not need these logs can disable it manually.

  • Enhanced Detection: This version introduces the automatic identification of Maven libraries with multiple instances of SHA-1.

  • It is now possible to include/exclude specific Gradle modules to scan.

  • The Unified Agent now supports scanning the Cabal package manager for the Haskell programming language.

...

  • WhiteSource for GitHub.com and WhiteSource for GitHub Enterprise: Using the new projectToken configuration parameter in the .whitesource configuration file, it is now possible to map a GitHub repository to an existing WhiteSource project. This provides added flexibility in terms of organizing projects in WhiteSource originating from various integrations.

Unified Agent

  • The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.

  • Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.

  • This version provides support for Serverless Framework via a dedicated plugin.

...

  • WhiteSource for GitHub Enterprise and WhiteSource for GitHub.com

    • Improved usability and enhanced control over WhiteSource scanning. An onboarding Pull Request is now generated for each selected repository during the GitHub App installation. The .whitesource configuration file is used, and WhiteSource starts scanning the repository, only once that Pull Request is merged.

    • The .whitesource configuration file now includes a minSeverityLevel parameter, which lets you open a new GitHub Issue only for security vulnerabilities that reach a given minimum severity level, or not open GitHub Issues at all.

    • The .whitesource configuration file now includes a configMode parameter, which lets you use an existing Unified Agent configuration file, either a local one or one fetched from an external location given by the configExternalURL parameter.

Unified Agent

  • Unified Agent improvements: More accurate results by creating and updating empty projects. The Unified Agent now creates an empty project in WhiteSource for every scan that finds no dependencies. In addition, when an existing WhiteSource project is updated with empty data via the Unified Agent, the project in WhiteSource is updated to reflect the latest project state.

  • This version introduces support for mapping support files to NuGet packages.

  • This version introduces improved results when scanning NuGet packages by checking the project target framework (Note: Some customers might experience fewer dependencies as a result.)

  • Added flexibility by supporting custom build environments: The Unified Agent can now pass arguments to the Maven ‘dependency:tree’ command, which runs when the maven.resolveDependencies configuration parameter is enabled. A new configuration parameter was added for this purpose, maven.additionalArguments.

  • The Unified Agent now supports scanning the Cargo package manager for the Rust programming language.

...

  • New added flexibility: The Due Diligence report now enables you to select an existing custom attribute as part of the report’s filtering.

Unified Agent

  • A new CLI parameter, detect, automatically creates a configuration file based on your scanned libraries and files (relevant for all package managers). NOTE: This is the first step in new configuration recommendations. Future versions will contain additional features.

  • Added flexibility by supporting custom build environments: The Unified Agent now has the ability to pass arguments to the gradlew and gradle ‘dependencies’ command. A new configuration parameter was added for this purpose, gradle.additionalArguments.

  • This version adds support for scanning Go 1.11 projects without the need for a dependency manager.

...

  • Enhanced usability: The Attribution report now requires the user to first select or enter the requested product/project, which avoids displaying default, non-relevant product/project information.

  • Enhanced usability: The copyright in the Attribution report now includes a range of years and the copyright’s author.

Unified Agent

  • Enhanced usability and debugging: When running the Unified Agent, the CLI output now displays the current Unified Agent’s version.

  • Enhanced security: In the Unified Agent, Docker Hub authentication is now enabled via token, instead of user and password.

  • Added flexibility in Maven and Gradle project scanning: New configuration parameters, maven.downloadMissingDependencies and gradle.downloadMissingDependencies, control whether missing dependencies are downloaded and speed that download up.

  • In multi-module Maven and Gradle projects, the Unified Agent automatically detects if a Maven or Gradle project should be scanned, eliminating the need to manually enter a project name.

  • The existing gradle.localRepositoryPath parameter can now search more than one Gradle local repository path during Gradle resolution.

  • Improved configuration time: The Unified Agent configuration file now lists a predefined, commented-out URL for each SaaS system, so users only need to uncomment the relevant one. This saves configuration time and prevents incorrect URLs.

  • The Unified Agent can fetch dependencies and provide a hierarchy tree for projects which do not contain the ‘vendor’ folder. This provides improved results when scanning Go projects using the VNDR, GoDep, and Dep package managers.

...

  • Inventory report: A bulk actions menu minimizes the time needed to execute an action (such as “assign license”) on a list of selected libraries.

Unified Agent

  • Extended JFrog Artifactory Integration:

    • Support for updating the JFrog Artifactory “properties” tab of an artifact with vulnerability and licensing information from the WhiteSource scan.

    • Support for accessing a JFrog Artifactory repository using a token, for enhanced security. The following configuration parameters were added: ‘artifactory.accessToken’, ‘artifactory.url’.

  • More informative summary statistics at the end of a scan: the summary lists each language extension for which binary/source files were found and, for each extension, how many source/binary files were scanned.

...

  • Compare Products report: The product dropdown (both source and target) is now sorted alphabetically, reducing the time needed to find a product to compare.

  • Compare Projects report: Support more flexibility of projects comparison by providing the ability to compare a project in one product to a project in a different product. 

Unified Agent

  • UA Extended Coverage:

    • Added support for the ‘R’ language ‘RStudio’ and ‘Packrat’ packages. The following configuration parameters were added: ‘r.resolveDependencies’, ‘r.runPreStep’, ‘r.ignoreSourceFiles’, ‘r.cranMirrorUrl’.

    • Support for scanning JFrog Artifactory using the Artifactory APIs (this will become an alternative to the Artifactory plugin in the future). The following configuration parameters were added: ‘artifactory.accessToken’, ‘artifactory.url’, ‘artifactory.repoKeys’, ‘artifactory.enableScan’.

  • The UA configuration file now has a more readable structure, with the configuration parameters organized by topic. A new template file is available for download.

  • Corrected behavior of UA scan failure when scanning empty projects and using the parameter failErrorLevel=ALL.

  • Enhanced GoDep package manager support: the hierarchy tree displayed is now more accurate.

  • Support for creating empty projects in WhiteSource for scanned projects that are empty, using the new configuration parameter ‘updateEmptyProject’. This behavior applies to all resolvers.

...

  • Change Log History report: Extended auditing capabilities in policies by providing data on any change in policy management activities related to the Organization, Product, and Project scopes.

Unified Agent

  • Support for integrating Apache Ant based projects including modules. 

  • Added the configuration parameter ‘python.indexUrl’, which lets you define a local PyPI repository URL to use instead of the official PyPI repository (default value is null).

  • The Unified Agent is able to read ‘userKey’ and ‘apiKey’ values from environment variables. 

  • Improved NPM resolve functionality when downloading from a registry: If the HTTP response is 401 or 403 (authentication/authorization) then the downloading of additional dependencies from this repository is canceled.
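The 401/403 rule above is a small per-registry circuit breaker. The Python below is an added example, not Unified Agent code: it wraps an injected fetch callable (here a constructed fake with canned responses, so it runs offline) and, after the first 401 or 403 from a registry, cancels every further download from that registry while continuing with other registries; a 404 skips only that one package. The class name RegistryDownloader and the URLs in SAMPLE_RESPONSES are this example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Statuses that mean "this registry will refuse us": retrying other packages on the
# same registry only repeats the failure (and may trip account lockouts).
AUTH_FAILURE_STATUSES = {401, 403}


@dataclass
class RegistryDownloader:
    """Downloads package tarballs through an injected fetch(url) -> (status, body)
    callable and stops talking to a registry after its first 401/403."""
    fetch: Callable[[str], Tuple[int, bytes]]
    blocked_registries: Set[str] = field(default_factory=set)
    skipped: List[str] = field(default_factory=list)   # URLs cancelled without a request

    @staticmethod
    def registry_of(url: str) -> str:
        return urlsplit(url).netloc.lower()

    def download(self, url: str) -> Optional[bytes]:
        registry = self.registry_of(url)
        if registry in self.blocked_registries:
            self.skipped.append(url)                 # cancelled: no HTTP request made
            return None
        status, body = self.fetch(url)
        if status in AUTH_FAILURE_STATUSES:
            self.blocked_registries.add(registry)    # everything else on this host is cancelled
            return None
        if status != 200:                            # e.g. 404: only this package is missing
            return None
        return body


def download_all(downloader: RegistryDownloader, urls: List[str]) -> Dict[str, Optional[bytes]]:
    """Resolve a list of tarball URLs in order, honouring the per-registry block list."""
    return {url: downloader.download(url) for url in urls}


def make_fake_fetch(responses: Dict[str, Tuple[int, bytes]]):
    """Constructed stand-in for an HTTP client that records every URL it is asked for."""
    calls: List[str] = []

    def fetch(url: str) -> Tuple[int, bytes]:
        calls.append(url)
        return responses.get(url, (404, b""))

    return fetch, calls


# Constructed sample (hypothetical hosts): a private registry that rejects our
# credentials, followed by the public registry that works normally.
SAMPLE_RESPONSES: Dict[str, Tuple[int, bytes]] = {
    "https://npm.internal.example/left-pad/-/left-pad-1.3.0.tgz": (403, b""),
    "https://npm.internal.example/lodash/-/lodash-4.17.21.tgz": (200, b"lodash"),
    "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz": (200, b"lodash"),
    "https://registry.npmjs.org/nope/-/nope-0.0.1.tgz": (404, b""),
}
SAMPLE_URLS = list(SAMPLE_RESPONSES)


if __name__ == "__main__":
    fetch, calls = make_fake_fetch(SAMPLE_RESPONSES)
    downloader = RegistryDownloader(fetch)
    results = download_all(downloader, SAMPLE_URLS)
    for url, body in results.items():
        print(f"{url}: {'ok' if body else 'not downloaded'}")
    print("requests actually sent:", len(calls), "of", len(SAMPLE_URLS))
    print("blocked registries:", sorted(downloader.blocked_registries))
```

Only three of the four URLs are ever requested: the second internal URL is cancelled locally because its registry was blocked by the 403, while the public registry's 404 is treated as a missing package and does not block that registry.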

...

  • Enhanced auditing for administrative actions: Extended auditing capabilities for tracking product/project deletion. For each of the actions there will be a new record written in the Change Log History report.

  • Enhancement to the Attribution report: If copyright data is not available, it is explicitly noted as missing in the Summary table.

Unified Agent

  • Support for the scanning of Apache Ant based projects including all their dependencies. Related configuration parameters have been added: ‘ant.resolveDependencies’ and  ‘ant.pathIdIncludes’ (by default, both parameters are commented out).

  • Dep package manager for Go: The display of the hierarchy tree has been optimized.

...

Version 19.3.2 (7-April-2019)

New Features & Updates

Unified Agent

  • Simplified scope configuration when many scopes are ignored in the project: The ‘gradle.ignoredScopes’ configuration parameter now supports regular expressions.

  • More details in logs: The log file includes more information about ignored scopes of Gradle/Maven projects. This allows the user to quickly verify that all the ‘ignored_scopes’ dependencies are not parsed.

  • Added flexibility: When the new ‘npm.resolveMainPackageJsonOnly’ configuration parameter is set to ‘true’ (default is ‘false’), a scan is initiated only if a package.json file is found in the folder given by the ‘-d’ parameter.

  • Enhanced Security: From this version and on, all Unified Agent JAR files will be digitally signed.

  • The configuration parameter ‘scanReportFilenameFormat’ indicates whether or not to add a timestamp to the JSON report filename.

...

  • Enhanced resolution for Maven projects that include multiple libraries with the same SHA-1. In these cases, the library page displays a new hyperlink stating "This SHA-1 has multiple matches: Click here to override the original match". Clicking the hyperlink will open a pop-up window, enabling a user to manually select alternative GAV coordinates from a list. 

  • Optimized accuracy of data in Security Trends Dashboard:

    • After clicking on a chart, the related Alerts report only displays security vulnerability alerts. 

    • The dashboard keeps its predefined context after navigating to another GUI page. 

...

  • The new Containers dashboard enables you to pinpoint security vulnerabilities at various levels, providing a clear view of Kubernetes resources along with the ability to filter, sort, and view the vulnerabilities per pod and image in the cluster. See also The Containers Dashboard.

Unified Agent

  • Improved container scanning coverage: Added the option to scan a Docker image from a Google Container Registry. See also Google Container Registry Docker Integration

  • NPM: Added the ability to fetch the project name from the ‘package.json’ dependency file via the Boolean configuration parameter ‘npm.projectNameFromDependencyFile’.

  • Added support for Julia source files with the file extension ‘.jl’. 

  • Added support for car archive files with the file extension ‘.car’. 

  • Added a behavior rule to the existing 'failErrorLevel' parameter in order to enhance the precision of the scanning policy: If this parameter is ‘ALL’, then scan fails when ‘productName’ and ‘productToken’ are missing, and no ‘projectToken’ is defined in the configuration file. See also The failErrorLevel Parameter of the Unified Agent.

  • Yarn dependency management: Added the new parameter ‘npm.yarn.frozenLockfile’, which runs the pre-step with the yarn ‘--frozen-lockfile’ option.

  • Scan report in JSON format:

    • Accurate reporting time frames: In addition to the date, a timestamp is now included in the JSON scan report’s filename, for example ‘ProjectA-2019-03-01T130102+0200-scan_report.json’.

    • Added custom attributes data. For each library, the relevant custom attribute values are displayed.

    • Added policy and vulnerability statistics data to the local scan report. See also Unified Agent JSON Report Example

...

  • A new ‘getProjectRiskReport’ API request has been added to retrieve the Risk report in PDF format for a specific Project scope.

  • The new ‘getOrganizationContainerVulnerabilityReport’ and ‘getClusterVulnerabilityReport’ API requests have been added to retrieve the Containers Vulnerability report. These requests support Excel and JSON formats.

Unified Agent

  • Improved integrations and automation: A summary report in JSON format can be automatically generated locally at the end of each scan. This report includes information on vulnerabilities, policy violations, top fixes and inventory details. The new ‘generateScanReport’ configuration parameter enables generating this report when it is set to true (default is false). 

  • Enhanced automation and ability to call additional API requests: When the new configuration parameter ‘generateProjectDetailsJson’ is set to ‘true’, the Unified Agent generates a JSON file named ‘scanProjectDetails.json’ containing the projectToken(s) and projectName(s) from the last scan that ran (default value is false). 

  • Improved scanning granularity: Added the ability to run a scan that excludes specific direct or transitive dependencies via the parameter 'excludeDependenciesFromNodes'. Values for this parameter can include one or more artifact IDs, and regular expressions can also be used to define which artifact IDs to exclude.

  • Scanning transparency and predictability: Easily view the steps that ran as part of a scan, and understand how long each step took. A start/end indication is displayed for each scan step. A summary at the end of scan with all the relevant information on each step is also displayed. See also /wiki/spaces/WD/pages/723813398

  • The new NuGet configuration parameter ‘nuget.packagesDirectory’ lets you provide the path to the directory where WhiteSource temporary files are created.

  • Artifactory: Added the option to scan Docker images stored in the Artifactory Docker Registry. The following related Unified Agent configuration parameters were added: ‘docker.artifactory.url’, ‘docker.artifactory.userName’, ‘docker.artifactory.userPassword’, ‘docker.artifactory.repositoriesNames’.

  • A new configuration parameter ‘nuget.preferredEnvironment’ enables the user to define the preferred ‘restore’ command for performing the nuget dependency resolution. Available values are 'nuget' and 'dotnet'.
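The excludeDependenciesFromNodes parameter above prunes a dependency tree by artifact ID, and the regular-expression support added to gradle.ignoredScopes in version 19.3.2 does the same by scope. The Python script below is an added example, not WhiteSource code: it parses constructed `mvn dependency:tree` console output (with or without the [INFO] prefix, since an agent has to cope with more than one Maven tree format) into a tree and prunes it by artifact-ID and scope patterns, dropping the whole subtree under an excluded node. The function names parse_maven_tree, prune_tree and flatten, the sample output, and the full-match pattern semantics are this example's own assumptions; the page does not document how the Unified Agent matches the patterns.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `mvn dependency:tree` console output (not real project data).
# A plugin banner line and the build footer are included to show that they are ignored.
SAMPLE_TREE_OUTPUT = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# Optional "[INFO] " prefix, then the tree drawing (3 characters per level, built from
# "+- ", "\- ", "|  " and "   "), then the coordinate, then an optional "(...)" note.
_LINE_RE = re.compile(r'^(?:\[INFO\]\s?)?([ |+\\-]*)(\S+)(?:\s\(.*\))?$')


def _parse_coordinate(coord: str) -> Optional[Dict]:
    """Split group:artifact:type[:classifier]:version[:scope]; the module root has no scope."""
    parts = coord.split(':')
    if len(parts) < 4:
        return None                       # separator lines, plugin banners, etc.
    has_scope = len(parts) >= 5
    return {'group': parts[0], 'artifact': parts[1],
            'version': parts[-2] if has_scope else parts[-1],
            'scope': parts[-1] if has_scope else None, 'children': []}


def parse_maven_tree(text: str) -> List[Dict]:
    """Parse dependency:tree output into nested dicts; returns one root per module."""
    roots, stack = [], []                 # stack[i] is the most recent node at depth i
    for line in text.splitlines():
        m = _LINE_RE.match(line.rstrip())
        if not m:
            continue
        node = _parse_coordinate(m.group(2))
        if node is None:
            continue
        depth = len(m.group(1)) // 3
        if depth == 0:
            roots.append(node)
            stack = [node]
            continue
        if depth > len(stack):
            raise ValueError(f'unexpected indentation: {line!r}')
        del stack[depth:]                 # pop back to the parent level
        stack[-1]['children'].append(node)
        stack.append(node)
    return roots


def prune_tree(root: Dict, exclude_artifacts=(), ignored_scopes=()) -> Dict:
    """Copy the tree without any node (and its subtree) whose artifact ID fully matches an
    exclude pattern or whose scope fully matches an ignored-scope pattern (assumed semantics)."""
    excluded = [re.compile(p) for p in exclude_artifacts]
    ignored = [re.compile(p) for p in ignored_scopes]

    def dropped(node: Dict) -> bool:
        if any(r.fullmatch(node['artifact']) for r in excluded):
            return True
        return node['scope'] is not None and any(r.fullmatch(node['scope']) for r in ignored)

    def copy(node: Dict) -> Dict:
        return {**node, 'children': [copy(c) for c in node['children'] if not dropped(c)]}

    return copy(root)


def flatten(root: Dict) -> List[str]:
    """Pre-order list of group:artifact:version for every dependency below the root."""
    out: List[str] = []

    def walk(node: Dict) -> None:
        for child in node['children']:
            out.append(f"{child['group']}:{child['artifact']}:{child['version']}")
            walk(child)

    walk(root)
    return out


if __name__ == '__main__':
    app = parse_maven_tree(SAMPLE_TREE_OUTPUT)[0]
    kept = prune_tree(app, exclude_artifacts=['jackson-annotations'], ignored_scopes=['test'])
    for coord in flatten(kept):
        print(coord)
```

Excluding jackson-databind instead of jackson-annotations removes jackson-core as well, because the exclusion applies to the node's whole subtree, which is the behaviour to expect when a transitive dependency is reachable only through the excluded artifact.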

...

  • Added an indication of the number of requests and conditions submitted by a specific user. The Admin users page includes an option to change the assignment of requests.

Unified Agent

  • Added support for the ‘vgo’ (‘Go Modules’) package manager for ‘Go’. See also related documentation.

  • Serverless scanning: Added support to include and exclude components when scanning serverless functions (‘serverless.includes’ and ‘serverless.excludes’).

  • Added the ability to run the Effective Usage Analysis (EUA) feature without the need to maintain a configuration file.

...

  • Project & Product pages: Added a ‘View Inventory’ link in the Libraries pane that will open the Inventory report while keeping the Project/Product context.

  • Product navigation menu: When hovering over a specific product, the list of associated projects is displayed in the order in which they were last used (most recently used on top).

Unified Agent

  • Added support for scanning containers. The following related configuration parameters have been added: ‘docker.scanContainers’, ‘docker.containerIncludes’, ‘docker.containerExcludes’. Note that the ‘Includes’ and ‘Excludes’ parameter values may be one or more of the following: Container ID, Container name, Image name.

  • Added hierarchy tree support for the ‘Glide’, ‘GoDep’, and ‘GoPm” package managers that enables you to view direct and transitive dependencies.

  • NuGet Packages: Added support for viewing the hierarchy of the package(s). This feature includes the ability to view direct and transitive dependencies.

...