...

For every new library that is added to a project, WhiteSource generates a library approval request (task). The WhiteSource Unified Agent automatically scans the open-source library code for vulnerabilities and security issues, creating an update request.

A By default. a library approval request can be is generated only for new libraries that are added to an existing project; however, this can be changed via the checkbox Apply also to new projects (Integrate > Advanced Settings).

The review process investigates any new library that does not match an In-House or Whitelist rule to determine if they are permitted to be used. Each new library is checked against the policies. The first policy that matches the library will determine the action that will be applied to the request. A library can match only one policy.

...

Applying Actions to a Library

The Action is the operation the policy runs on a matched library.

NOTE: A library or request can be matched to only one type and execute only one action.

You can apply one of the following actions on a matched library:

...

NOTE: A Product Admin has higher permissions than an ORG Admin, as project and product policies are the first policies that WhiteSource will look at for a match.

Managing Policies

Organizational policies are managed via the Policies menu item from the main menu. 

In the Policies page, you can view, add, edit, change the priority of, enable/disable, and remove policies.

Product-level policies are available for products that want to set their own policies which override the organizational ones. Product policies are managed from the product page, under the Policies button.

...

Creating a New Policy

To create a new WhiteSource policy, do as follows:

1. In the Policies page, click the Add Policy button. The Add Policy page is displayed.

2. Match your policy to a library. From the Match drop-down list, select the library type to which you want to match the policy. 

3. Specify the action to be performed on the matched library. In the Action section, click the action you want to apply to the library. 

4. Click the Add button to revert to the Policies page showing the newly-created policy.

5. If required, you can reorder the policy according to priority by selecting it and clicking the Raise Priority/Lower Priority buttons. 

...

1. Reject libraries with vulnerabilities.

   • Any vulnerability can be exploited, so we cannot recommend a “minimum level.” You will need to decide for yourself how to set this, but you can always start with High Severity vulnerabilities and create policies down the line for less severe vulnerabilities.

2. Consult with a legal expert and reject any licenses that are too restrictive.

   • Again, while we cannot provide legal advice, Risk Scores are available for a subset of licenses - determined by legal experts that specialize in open source compliance, so that is a good place to start!

3. Enable tasks to ensure that any new libraries which are introduced are subject to manual review, if they are not resolved by the existing policies. And then…

4. Create a group(s) of users as necessary that should review the tasks and assign the these users to the relevant Products (via Product>>Product Default Approvers) . These groups should be restricted to personnel with the authority to make decisions, such as security experts, managers or team leaders. The more you delegate to reviewers, the more visibility you will have, resulting in fewer neglected tasks. Groups are more easily administered and as such, they are more highly recommended than individual user assignments.

5. Consult with a legal expert and approve any licenses that are deemed permissible. This will help to resolve any tasks for new libraries.

6. Ensure that the order of your policies correctly reflect the Priority you require. The higher the policy on the list, the higher the priority. A library will be subject to the first policy it matches.

7. Establish organization-level policies and only use product and project-level policies where there are exceptions, to limit complexity. 

8. “Issue” policies at the product or project-level that create JIRA or Work Item tickets can be assigned to the relevant team in your organization. This allows you to seamlessly integrate remediation tasks into your development process.   

Unified Agent 

The Unified Agent is a Java command-line tool that scans directories' open source components for vulnerable libraries and source files, as well as license compliance, and uploads the results to the WhiteSource web application. 

...