
Selecting a Plugin for Integration

Mend recommends using the Unified Agent.

...

Overview and Default Behavior

If a scanned project uses a configuration file that contains only a defined projectName (where projectToken, productName and productToken are left empty), then the Unified Agent adds the results to the first project it finds in the organization that contains the same project name.
If a multi-module project is scanned with the same configuration as described above, and a project with one of the module names already exists, then the Unified Agent adds the module data to this existing project.

Example: Only 'projectName' is defined and 'projectToken', 'productName' and 'productToken' are left empty

...

Changing the Default Behavior

To avoid overwriting an existing project that has the same name, open the Advanced Settings section of the Integrate page and select the checkbox Add project to default product when only project name is provided.

When this checkbox is selected, the following rules apply to all future scans:

...

The includes parameter is supported by this feature, enabling Mend to automatically identify the environment that the user wants to scan and create the configuration file automatically.

...

Exit Code | Exit Message | Description
0 | SUCCESS | Scan completed successfully.
-1 | ERROR | General error has occurred.
-2 | POLICY_VIOLATION | One or more of the scanned components violates an Organization or Product level policy. Policy summary reports are created and saved in the newly-created whitesource directory, located under the current working directory ($pwd or %cd%). Only applicable when configured with checkPolicies=true and forceUpdate=false.
-3 | CLIENT_FAILURE | Client-side error has occurred.
-4 | CONNECTION_FAILURE | The agent was unable to establish a connection to the Mend application server (e.g., due to a blocked Internet connection).
-5 | SERVER_FAILURE | Server-side error has occurred (e.g., a malformed request or a request that cannot be parsed was received).
-6 | PRE_STEP_FAILURE | One of the package manager's prerequisite steps (e.g., npm install, bower install) failed. Only applicable if the corresponding property is set to true (npm.runPreStep, bower.runPreStep, etc.).
-100 | EUA NOTICE | Analysis will commonly display the following EUA code at successful completion: [EUA000] Analysis completed successfully. The Unified Agent returns a [-100] exit code if the analysis reported an exit code other than [EUA000].

Exit Codes in Bash

Bash stores an exit status as an unsigned 8-bit value, so a negative exit code x returned by Mend is reported in Bash as x modulo 256 (for example, -1 appears as 255):
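The following wrapper, added here as an example rather than taken from the Mend documentation, converts the status Bash reports back to the agent's signed exit code and maps it to the message from the table above. The JAR path and configuration file name are placeholders.

```shell
#!/bin/sh
# Convert the raw shell status (0..255) back to the Unified Agent's signed code:
# statuses above 127 are negative codes that wrapped around modulo 256.
ua_signed_code() {
  status="$1"
  if [ "$status" -gt 127 ]; then
    echo $((status - 256))
  else
    echo "$status"
  fi
}

# Look up the exit message for a signed code, per the exit-code table.
ua_exit_message() {
  case "$1" in
    0) echo SUCCESS ;;
    -1) echo ERROR ;;
    -2) echo POLICY_VIOLATION ;;
    -3) echo CLIENT_FAILURE ;;
    -4) echo CONNECTION_FAILURE ;;
    -5) echo SERVER_FAILURE ;;
    -6) echo PRE_STEP_FAILURE ;;
    -100) echo EUA_NOTICE ;;
    *) echo UNKNOWN ;;
  esac
}

# Run the scan and fail the build on anything but SUCCESS; the -2 branch shows
# where a pipeline would surface the policy reports written to the whitesource folder.
run_ua_scan() {
  java -jar "${UA_JAR:-/path/to/wss-unified-agent.jar}" -c wss-unified-agent.config
  raw=$?
  code=$(ua_signed_code "$raw")
  echo "Unified Agent exit: raw=$raw signed=$code ($(ua_exit_message "$code"))"
  case "$code" in
    0) return 0 ;;
    -2) echo "Policy violation: see the reports in ./whitesource"; return 1 ;;
    *) return 1 ;;
  esac
}
```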

...

Example

java -jar /path/to/jar/wss-unified-agent-<x.x.x.>.jar -c "https://raw.githubusercontent.com/whitesource/unified-agent-distribution/master/standAlone/wss-unified-agent.config" -proxy http://hm:hm@192.168.1.233:808/

...

It is possible to save the output of the scan to a file instead of sending it directly to Mend over HTTPS. This approach is useful when there is no connectivity (or only limited connectivity) while scanning.

By changing the configuration file to offline mode, any execution of the Unified Agent will store the current configuration and metadata in a JSON .txt file named update-request.txt, located in the newly-created 'whitesource' directory under the current working directory ($pwd or %cd%). This file can later be manually uploaded to Mend from the Admin Console or via the command line.

...

java -jar <path to wss-unified-agent-*.jar> -wss.url <MendInstance/agent> -apiKey <apiKey> -productToken <productToken> -project <newProjectName> -requestFiles <pathToUpdate-request.txt> -noConfig true

...

  1. Checksum verification
    Calculate the SHA-256 checksum of the Unified Agent's JAR file and compare it to the published checksum file (in GitHub or S3).

  2. Signature verification
    Use the JarSigner tool to verify the signature of the Unified Agent's JAR file and ensure that it originated from Mend. Do as follows:

    1. Download JarSigner (there are multiple sources from which the utility can be downloaded).

    2. From the command line, enter the following command to run JarSigner and view the list of security certificates in the JAR file:

      jarsigner -verify -verbose <UA jar>

After running, ensure that the Mend information appears in the list of security certificates.
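Both checks above, scripted as an added example (not Mend's own tooling). It assumes the JAR and its published checksum file have already been downloaded side by side, that the checksum file lists the hex digest in its first field, and that the signer's certificate subject contains the string passed as the second argument (the default "Mend" is a placeholder to adjust to what jarsigner actually prints).

```shell
#!/bin/sh
# Compare the JAR's SHA-256 with the first field of the published checksum file.
# Returns 0 on match, 1 otherwise; uses shasum as a fallback where sha256sum is absent.
verify_jar_checksum() {
  jar="$1"
  checksum_file="$2"
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$jar" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$jar" | awk '{print $1}')
  fi
  expected=$(awk 'NR==1 {print $1}' "$checksum_file")
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Verify the JAR signature with jarsigner (-certs prints the signer certificates) and
# confirm that the expected signer appears; a valid signature from an unexpected
# signer is still a failure.
verify_jar_signature() {
  jar="$1"
  signer_pattern="${2:-Mend}"   # assumed substring of the signer's certificate subject
  out=$(jarsigner -verify -verbose -certs "$jar" 2>&1) || return 1
  echo "$out" | grep -q "jar verified" || return 1
  echo "$out" | grep -qi "$signer_pattern"
}

# Run both checks; refuse to use the JAR unless both pass.
verify_unified_agent() {
  verify_jar_checksum "$1" "$2" || { echo "checksum mismatch for $1"; return 1; }
  verify_jar_signature "$1" "$3" || { echo "signature check failed for $1"; return 1; }
  echo "$1 verified"
}
```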

...

The SCM client must be installed on your machine in order to connect to your repository.

Mend also supports on-premises installations of repositories.

...

A summary report in JSON format can be generated locally at the end of each scan, in the 'whitesource' folder (created in the directory where the Unified Agent ran), by setting the 'generateScanReport' configuration parameter when running the Unified Agent.
This report includes information on vulnerabilities, policy violations, top fixes and inventory details.

...