...

  • A Windows machine is being used (Linux and Mac are not supported)

  • A license key for WhiteSource Advise for IDE, available via one of the following options:

    • If you do not have direct access to the WhiteSource Application, obtain the license key from your WhiteSource Administrator.

    • If you have access to the WhiteSource Application, do as follows (NOTE: This option is only available when using version 20.11.1 or later of WhiteSource Advise):

      1. Go to the WhiteSource Application.

      2. Open the Profile page.

      3. In the WhiteSource Advise - IDE Integration section at the bottom, select your organization.

      4. Copy your personal license key to be used later in Activating WhiteSource Advise.

  • Visual Studio 2019 (any edition) is installed and you are familiar with its basic functionality

  • NuGet Package Manager must be installed

...

  1. Start Visual Studio.

  2. From the menu bar, select Extensions > Manage Extensions. The Manage Extensions screen is displayed.

  3. In the Manage Extensions screen, open the Online section from the sidebar and click Visual Studio Marketplace.

  4. In the Search area on the right, enter whitesource and press Enter.

  5. Select the WhiteSource Advise extension, and click Download.

  6. Click Close and restart Visual Studio so that the extension can be installed.

Activating WhiteSource Advise

...

  1. Start Visual Studio, specifying the preferred project.

  2. From the menu bar, click Extensions > WhiteSource > Activate WhiteSource Advise. The Activate WhiteSource Advise screen is displayed.

  3. In Email, enter your organizational email (the email domain must be licensed to use Advise).

  4. In License Key, enter your license key (See here for more information on how to obtain a license key). 

  5. Click Activate.

...

  1. From the menu bar, click Extensions > WhiteSource > Options. The Options screen is displayed.

  2. Review the options and modify if necessary. See here for a list of all options.

  3. Click OK.

Options Table

  • Option: Automatically scan after build or rebuild action
    Description: When enabled, WhiteSource will trigger a scan after a Build or Rebuild action is performed on any of your solutions/projects.
    Default Setting: Selected (checked)

  • Option: Only show issues for direct dependencies
    Description: When enabled, WhiteSource Advise will only return vulnerabilities for direct dependencies defined in your dependency file.
    Default Setting: Unselected (not checked)

  • Option: Minimum vulnerability severity level
    Description: Alert only on detected vulnerabilities satisfying a Low/Medium/High minimum severity level.
      • Low - Vulnerability alerts for all severities (Low, Medium, High) are displayed.
      • Medium - Vulnerability alerts only for Medium or High severities are displayed.
      • High - Vulnerability alerts only for High severities are displayed.
    Default Setting: Low

  • Option: Include dev dependencies
    Description: Whether to alert on vulnerabilities detected in dev dependencies.
    Default Setting: Unselected (not checked)

Scanning for Security Vulnerabilities

...

  • From the menu bar, click Extensions > WhiteSource > Scan Solution with WhiteSource Advise

  • From the Solution Explorer pane, right-click the solution and from the context menu, click Scan Solution with WhiteSource Advise

...

  1. Select one or multiple projects from the Solution Explorer pane.

  2. Do one of the following options:

    • From the menu bar, click Extensions > WhiteSource > Scan Project(s) with WhiteSource Advise

    • From the Solution Explorer pane, right-click a project (or a selection of projects) and from the context menu, click Scan Project(s) with WhiteSource Advise

Developer Focus Mode

The Developer Focus Mode allows developers to see only vulnerability alerts that are new in their feature branches compared to a predefined base branch. This promotes the security shift left approach and empowers developers to fix newly-introduced vulnerabilities immediately as part of their feature development efforts and prior to merging vulnerable code into production branches.

To enable Focus Mode, do as follows:

  1. In Extensions > WhiteSource > Focus Mode, enable the Diff operation to be performed on a base branch checkbox.

  2. Choose the base branch to which all other branch scans will be compared.

  3. Make sure that your base branch is checked out, and trigger a WhiteSource Advise scan either manually or by building your project.

If no scan has been run on the predefined base branch after its initial configuration, all branches will show all the scan results, not just the newly introduced security alerts.

Info

Every time the base branch configuration changes, a WhiteSource Advise scan must be triggered on that branch prior to seeing new security results.

Vulnerable Commit Alert

An alert can be enabled to notify about newly added vulnerabilities when committing code inside Visual Studio. This alert appears only if the committed feature branch has new vulnerabilities compared to a preconfigured base branch.

To enable a Vulnerable Commit Alert, do as follows:

  • Enable the Focus Mode (enable the Diff operation, choose the base branch, and trigger a WhiteSource Advise scan).

  • Enable the Notify on new OS vulnerabilities checkbox.

If the commit has new vulnerabilities, a text file opens with a notification. If you close this file, the new changes won't be committed, and you will be able to review the new vulnerabilities in the feature branch. To commit anyway, type y in the file and close it.

Advanced information about the Vulnerable Commit Alert

For this feature, the Advise extension uses a git hook to block a commit when new vulnerabilities are present in the feature branch (the hook is a script that runs before each commit).

The Advise extension checks whether you have an active hook named pre-commit (all hooks are stored in the project directory under .git/hooks; a hook with a .sample extension is a template and is not used). If no active pre-commit hook exists, Advise creates or updates the file so that it can block vulnerable commits as described above.

If such a file already exists and doesn’t have a .sample extension (meaning, this script runs before each commit), Advise will not update this file or create a new one. In order for Vulnerable Commit Alert to work, you have to manually update the pre-commit file so it has the required script. For the script, please contact WhiteSource Support.
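The two behaviours described above, shown as an added shell example that is not WhiteSource's own hook script (the page says to request that from Support): install a pre-commit hook only when no active one exists, and block a commit that adds vulnerabilities unless the developer has answered "y" in the notification file. The file names .advise-new-vulns.txt and .advise-override.txt are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the WhiteSource Advise hook. Assumed file names:
# .advise-new-vulns.txt lists vulnerabilities new relative to the base branch,
# .advise-override.txt is the file the developer types "y" into to commit anyway.

# 0 when REPO already has an active pre-commit hook. A pre-commit.sample file
# is only a template, so it does not count as active.
hook_is_active() {
    [ -f "$1/.git/hooks/pre-commit" ]
}

# Commit gate: 0 = allow, 1 = block. RESULTS is the scan diff file, OVERRIDE
# the developer's answer file. An empty or missing RESULTS means nothing new.
gate_commit() {
    results="$1"; override="$2"
    [ -s "$results" ] || return 0                       # nothing new: allow
    if [ -f "$override" ] && [ "$(tr -d '[:space:]' < "$override")" = "y" ]; then
        rm -f "$override"                               # one-time answer; re-check next commit
        return 0
    fi
    echo "Commit blocked: new vulnerabilities vs base branch, see $results" >&2
    return 1
}

# Installs the hook only when no active hook exists; otherwise returns 1 and
# leaves the existing pre-commit file untouched, as the extension does.
install_gate_hook() {
    repo="$1"
    hook_is_active "$repo" && return 1
    mkdir -p "$repo/.git/hooks"
    cat > "$repo/.git/hooks/pre-commit" <<'EOF'
#!/bin/sh
# Same gate logic as gate_commit above, resolved against the repository root.
top="$(git rev-parse --show-toplevel)"
[ -s "$top/.advise-new-vulns.txt" ] || exit 0
[ "$(tr -d '[:space:]' < "$top/.advise-override.txt" 2>/dev/null)" = "y" ] && { rm -f "$top/.advise-override.txt"; exit 0; }
echo "Commit blocked: new vulnerabilities vs base branch, see .advise-new-vulns.txt" >&2
exit 1
EOF
    chmod +x "$repo/.git/hooks/pre-commit"
}
```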

Reviewing Scan Results

The WhiteSource window comprises three sections:

...

  • From the menu bar, click Extensions > WhiteSource > About WhiteSource Advise. The About screen is displayed.

...

  1. From the menu bar, select Extensions > Manage Extensions. The Manage Extensions screen is displayed.

  2. In the Manage Extensions screen, open the Updates section from the sidebar and click Visual Studio Marketplace.

  3. Select the WhiteSource Advise extension, and click Update.
     NOTE: If the WhiteSource Advise extension is not displayed, a new version is not available.

  4. Click Close and restart Visual Studio so that the extension can be updated.

Uninstalling WhiteSource Advise

...

  1. From the menu bar, select Extensions > Manage Extensions. The Manage Extensions screen is displayed.

  2. In the Manage Extensions screen, open the Installed section from the sidebar and click Visual Studio Marketplace.

  3. In the Search area on the right, enter whitesource and press Enter.

  4. Select the WhiteSource Advise extension, and click Uninstall.

  5. In the popup, click Yes.

  6. Click Close and restart Visual Studio so that the extension can be uninstalled.