
Info

WhiteSource recommends using the Unified Agent.

...

Overview and Default Behavior

If a scanned project uses a configuration file in which only projectName is defined (projectToken, productName and productToken are left empty), the Unified Agent adds the results to the first project it finds anywhere in the organization with that project name.
If a multi-module project is scanned with the same configuration, and a project named after one of the modules already exists, the Unified Agent adds that module's data to the existing project.

Example: Only 'projectName' is defined and 'projectToken', 'productName' and 'productToken' are left empty

...

Changing the Default Behavior

To avoid overwriting an existing project that happens to have the same name, go to the Advanced Settings section of the Integrate page and select the checkbox Add project to default product when only project name is provided.

When this checkbox is selected, the following rules apply to all future scans:

  • When only projectName is provided in the Unified Agent configuration (as demonstrated in the above example), the Unified Agent adds the project to a default product named 'My Product'. This rule applies only when the default product 'My Product' does not already contain a project with the same name.

  • If the default product 'My Product' already contains a project with the name specified in the 'projectName' parameter, then the Unified Agent returns an error to the user with the message "Project '<PROJECT_NAME>' already exists in 'My Product'. A 'productToken' or 'productName' value should also be specified".

  • If a multi-module project is scanned, and a project named after one of the modules already exists under the default product, an error is returned and none of the projects are created as part of the scan.

...

Running the Unified Agent in a Docker Container

The Unified Agent can also be run inside a Docker container. A Dockerfile template containing different package managers (e.g. Maven, npm, etc.) can be found here. The file includes the installation commands needed to build a customizable run environment for scanning projects/files, plus a basic (editable) set of package managers.

NOTE: This option currently does not support Docker scanning.

Configuration Recommended Mode

The detection mode (Configuration Recommendation) identifies the environment that the user wants to scan and creates the configuration file automatically.

Info

The recommendation mode is supported from Unified Agent version 19.7.2 onwards.

This mode quickly determines the environment of the target folder, such as the file extensions and package managers in use. Its output is a configuration file, wss-generated-file.config, which is created automatically in the folder where the command was run.

...

Code Block
java -jar <path to wss-unified-agent-*.jar> -wss.url <WhiteSourceInstance/agent> -apiKey <apiKey> -productToken <productToken> -project <newProjectName> -requestFiles <pathToUpdate-request.txt> -noConfig true

Verifying the Integrity of the Unified Agent

It is recommended to verify the integrity of the downloaded Unified Agent's JAR file for each release, before the file is executed. The following two options are available:

  1. Checksum verification
    Calculate the SHA-256 checksum of the Unified Agent's JAR file and compare it to the published checksum file (in GitHub or S3). Take the checksum file from WhiteSource's own channel, not from the same location as an unverified JAR.

  2. Signature verification
    Use the JarSigner tool to verify the signature of the Unified Agent's JAR file and ensure that it originated from WhiteSource, that is, that the signing certificate belongs to WhiteSource and not merely that some valid signature is present.

...

  1.  Do as follows:

    1. Download JarSigner (the jarsigner utility ships with every JDK, and there are multiple sources from where it can be downloaded).

    2. From the command line, enter the following command to run JarSigner and view the list of security certificates in the JAR file (the -certs option is what makes jarsigner print the signer's certificate details alongside the verification result):

      Code Block
      jarsigner -verify -verbose -certs <UA jar>

After running, ensure that jarsigner reports "jar verified" and that the WhiteSource information appears in the list of security certificates. A JAR that verifies but is signed by someone else has not passed this check.
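Both checks above, combined into one script that refuses to launch the agent unless the JAR passes them. This is an added example and not WhiteSource's own tooling; it assumes hypothetical file names (wss-unified-agent.jar with a published wss-unified-agent.jar.sha256 next to it), that the checksum file uses the "<hex>  <filename>" format written by sha256sum, and that jarsigner from a JDK is on PATH. The signer name "WhiteSource" is taken from the page's instruction to look for WhiteSource's certificate.

```sh
#!/bin/sh
# Added example, not WhiteSource's own tooling: gate a Unified Agent run on both
# integrity checks (SHA-256 checksum, then JAR signature) before the JAR executes.
# Assumptions (hypothetical names): the JAR is wss-unified-agent.jar, the published
# checksum file is wss-unified-agent.jar.sha256 in the "<hex>  <filename>" format
# written by sha256sum, and jarsigner (shipped with every JDK) is on PATH.

# Print the lowercase hex SHA-256 of a file. Falls back from sha256sum (GNU) to
# shasum (macOS/BSD) so the same script runs on either platform.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print tolower($1)}'
  else
    shasum -a 256 "$1" | awk '{print tolower($1)}'
  fi
}

# Return 0 only when the JAR's digest equals the digest on the first line of the
# published file. The published file must come from a channel you trust (the
# vendor's GitHub or S3), never from the same untrusted source as the JAR itself.
verify_checksum() {
  jar="$1"
  published="$2"
  expected=$(awk 'NR==1 {print tolower($1)}' "$published")
  actual=$(sha256_of "$jar")
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    echo "OK: $jar matches published SHA-256"
    return 0
  fi
  echo "MISMATCH: $jar expected=$expected actual=$actual" >&2
  return 1
}

# Return 0 only when jarsigner reports "jar verified" AND the signer certificate
# names the expected vendor. A valid signature from the wrong signer still fails:
# anyone can sign a JAR with their own key, so the signer identity is the real check.
verify_signature() {
  jar="$1"
  vendor="$2"
  out=$(jarsigner -verify -verbose -certs "$jar" 2>&1) || return 1
  printf '%s\n' "$out" | grep -q 'jar verified' || return 1
  printf '%s\n' "$out" | grep -q "$vendor"
}

# Run both checks and only then launch the agent; any failure aborts before the
# JAR is executed. Remaining arguments are passed through to the agent.
run_verified_agent() {
  jar="$1"
  shift
  verify_checksum "$jar" "$jar.sha256" || return 1
  verify_signature "$jar" "WhiteSource" || { echo "signature check failed for $jar" >&2; return 1; }
  java -jar "$jar" "$@"
}

# Usage (hypothetical file names):
#   run_verified_agent wss-unified-agent.jar -c wss-unified-agent.config
```

The checksum comparison lowercases both digests, so a checksum file published in upper-case hex still matches, and an empty or missing checksum file fails closed rather than matching an empty string.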

Scanning Remote Repositories 

...