...
If a package manager you would like to scan is not mentioned above, please contact WhiteSource Mend Support.
Required Open Ports
The wss-scanner Docker Container
The wss-scanner Docker container communicates with the following components using the following ports:
WhiteSource Mend SaaS API → Port 443
Your repository platform’s git protocol → The default is port 9418
Private/public package registries (npmjs/pypi/ruby gems, etc.) which use the standard ports
...
Your repository platform instance API → Check the port number with your repository platform Admin.
The WhiteSource Mend SaaS API → Port 443
The wss-remediate server Docker container port as configured by the user → The default is 8080.
...
Inbound:
Requests are received via a single port (default is 8080) from the wss-app Docker container
Outbound:
Internally:
Your repository platform instance over https (default port is 443)
Externally:
WhiteSource Mend SaaS API → Port 443.
Private/public package registries (npmjs/pypi/ruby gems, etc.) which use the standard ports
...
Upon startup, the app container provides a clear indication of the connectivity status between itself and the remediate container, the repository platform (SCM) API, and the WhiteSource Mend application server. The startup check also validates the activation key provided in the initial configuration. If needed, error messages are displayed. Each check results in one of three status types, as listed here:
...
Check Name | Check Description | Notes |
---|---|---|
Activation Key Parsing | Verifies the activation key is valid. | If this check returns FAILED, the controller will shut down. |
WhiteSource Mend API Connectivity | Checks the connectivity with the WhiteSource Mend application server. | If this check returns FAILED, the controller will shut down. |
Activation Key Validation | Validates the content of the parsed activation key. | If this check returns FAILED, the controller will shut down. |
WhiteSource Mend Credentials | Checks that the WhiteSource Mend service user (generated as part of the integration) has regular and admin access to the integrated WhiteSource Mend organization. | |
Queue Implementation | Checks the WhiteSource Mend application server queue implementation (ability to send and receive messages). | |
SCM API Connectivity | Checks the connectivity with the SCM (Bitbucket, GitHub, or GitLab) API. | |
Controller to Remediate Connectivity | Checks the connectivity from the wss-app container to the Remediate container. | |
Remediate to Controller Connectivity | Checks the connectivity from the Remediate container to the wss-app container. | |
GitHub App Permissions | Checks that the GitHub App has all the required minimal permissions and event subscriptions in place. | Only relevant for WhiteSource Mend for GitHub Enterprise. |
When all checks are finished, a summary table will be written to the log, for example:
...
Environment Variables | Description | Controller | Scanner | Remediate | prop.json property | Notes | Supported from version |
---|---|---|---|---|---|---|---|
WS_ACTIVATION_KEY | Your generated activation key in the WhiteSource Mend application | ✅ | ✅ | ✅ | bolt.op.activation.key | The property should still exist in the prop.json file, its value is disregarded. | 21.7.2 |
WS_CONFIG_ACCOUNT_NAME | The account name that will hold the global whitesouce-config repository. Default: “whitesource-config” | ✅ | ❌ | ❌ | ❌ | 21.6.3 | |
WS_CONFIG_REPO_NAME | The repository name of the global configuration repository. Default: “whitesource-config” | ✅ | ❌ | ❌ | ❌ | 21.6.3 | |
WS_HTTPS_CERT_FILE_PATH | If using a certificate file - path to the certificate file | ✅ | ❌ | ❌ | ❌ | 21.6.3 | |
WS_HTTPS_KEY_FILE_PATH | If using a certificate file - path to the private key file | ✅ | ❌ | ❌ | ❌ | 21.6.3 | |
WS_KEYSTORE_FILE_PATH | If using a Java keystore - path to the keystore file. | ✅ | ❌ | ❌ | ❌ | 21.6.3 | |
WS_KEYSTORE_PASSWORD | If using a Java keystore - password for the keystore file | ✅ | ❌ | ❌ | ❌ | 21.6.3 | |
WS_CREATE_ISSUES | The ability to globally enable/disable Issues creation across all of your organization's repositories. Default: true | ✅ | ❌ | ✅ | bolt4scm.create.issues | 21.7.1 | |
WS_CREATE_CHECK_RUNS | The ability to globally enable/disable build statuses across all of your organization's repositories. Default: true | ✅ | ❌ | ❌ | bolt4scm.create.check.runs | It is strongly recommended not to set this value to false, since the diff functionality relies on the check run, and this is one of the important means to update on the status of a scan. With this feature disabled there is no way of knowing what's going on if a scan failed, succeeded, found vulnerabilities, etc. | 21.6.3 |
WS_REMEDIATE_WEBHOOK_URL | The destination of the Remediate network endpoint to intercept webhooks. Default: http://remediate-server:8080/webhook | ✅ | ❌ | ❌ | webhook.remediate.url | Must include the “/webhook” suffix | 21.6.3 |
WS_UA_LOG_IN_CONSOLE | If set to true the UA logs will also be printed to the stdout, like the scanner logs. | ❌ | ✅ | ❌ | ❌ | The UA logs can be very long. | 21.7.2 |
WS_LOG_DIRECTORY | Configure the path to both the scanner and the UA log files. Using this property will also append a partial request token to the log filenames. | ❌ | ✅ | ❌ | ❌ | 21.7.2 | |
WS_REMEDIATE_SERVER_ONLY | Indicates whether a Remediate container is marked as server. The Remediate server enques jobs for the Remediate workers. | ❌ | ❌ | ✅ | ❌ | There can be only 1 Remediate server | 21.7.1 |
WS_REMEDIATE_SERVER_URL | The url of the Remediate server. This indicates that the Remediate container is a worker and pulls jobs from the Remediate server. | ❌ | ❌ | ✅ | ❌ | Ignored if WS_REMEDIATE_SERVER_ONLY is specified. | 21.7.1 |
WS_PROP_JSON_FILE_PATH | Path to the prop.json file. | ❌ | ❌ | ✅ | ❌ | 21.7.1 | |
WS_CONTROLLER_DESTINATION_URL | The url of the Controller network endpoint. | ❌ | ❌ | ✅ | ✅ | 21.7.1 | |
WS_HOST_RULES_PRIVATE_KEY | The PGP private key generated for the Private Registry support. | ✅ | ✅ | ✅ | ❌ | Cannot be used at the same time with WS_HOST_RULES_PRIVATE_KEY_FILE_PATH | 21.9.1 |
WS_HOST_RULES_PRIVATE_KEY_FILE_PATH | The PGP private key generated for the Private Registry support. | ✅ | ✅ | ✅ | ❌ | This file should be mapped to the running containers. | 21.9.1 |
WS_GIT_CONNECTOR | Enable cloning project files through Git shell commands. To enable, set value to true. Default: false | ❌ | ✅ | ❌ | ❌ | By default, the Scanner uses JGit library for any Git-related operations. | 21.9.1 |
LOG_FORMAT | If set to | ❌ | ❌ | ✅ | ❌ | ||
WS_CACHE_TYPE | Defines one of three available caching mechanisms:
| ✅ | ❌ | ❌ | ❌ | 22.2.1 | |
WS_REDIS_HOST | The host address (e.g., “localhost”). Mandatory if WS_CACHE_TYPE=REDIS | ✅ | ❌ | ❌ | ❌ | 22.2.1 | |
WS_REDIS_PORT | (Optional) The Redis port on the host. Default: 6379. | ✅ | ❌ | ❌ | ❌ | 22.2.1 | |
WS_REDIS_PASSWORD | Password to the Redis cluster. Default: null. | ✅ | ❌ | ❌ | ❌ | 22.2.1 | |
WS_REDIS_SSL_ENABLED | Set to true if the Redis Cluster works with the SSL protocol. Default: false. | ✅ | ❌ | ❌ | ❌ | 22.2.1 | |
GITHUB_COM_TOKEN | GitHub Personal Access Token to eliminate GitHub’s rate limit of unauthenticated API requests.
| ❌ | ❌ | ✅ | ❌ | 21.3.1 |
...