Selecting a Plugin for Integration
WhiteSource Mend recommends using the Unified Agent.
The includes parameter is supported by this feature, enabling WhiteSource Mend to automatically identify the environment that the user wants to scan and create the configuration file automatically.
Scan completed successfully.
General error has occurred.
One or more of the scanned components violates an Organization or Product level policy.
Client-side error has occurred.
The agent was unable to establish a connection to the WhiteSource Mend application server (e.g., due to a blocked Internet connection).
Server-side error has occurred (e.g., a malformed request or a request that cannot be parsed was received).
One of the package manager's prerequisite steps (e.g., npm install, bower install, etc.) failed.
Analysis will commonly display the following EUA code at successful completion: [EUA000] Analysis completed successfully. The Unified Agent returns a [-100] exit code if the analysis reported an exit code other than [EUA000].
Exit Codes in Bash
The exit codes WhiteSource Mend returns in the Bash command language should be treated as 'x' modulo 256:
java -jar /path/to/jar/wss-unified-agent-<x.x.x.>.jar -c "https://raw.githubusercontent.com/whitesourceMend/unified-agent-distribution/master/standAlone/wss-unified-agent.config" -proxy http://hm:firstname.lastname@example.org:808/
It is possible to save the output of the scan into a file instead of sending it directly to WhiteSource Mend by HTTPS. This approach is useful in case there is no connectivity (or limited connectivity) while scanning.
By changing the configuration file to offline mode, any execution of the Unified Agent will store the current configuration and metadata in a JSON .txt file named update-request.txt, located in the newly-created 'whitesourceMend' directory. It is located under the current working directory ($pwd or %cd%). This file can later be manually uploaded to WhiteSource Mend from the Admin Console or via the command line.
java -jar <path to wss-unified-agent-*.jar> -wss.url <WhiteSourceInstance<MendInstance/agent> -apiKey <apiKey> -productToken <productToken> -project <newProjectName> -requestFiles <pathToUpdate-request.txt> -noConfig true
Use the JarSigner tool to verify the signature of the Unified Agent's JAR file and ensure that it originated from WhiteSourceMend. Do as follows:
Download JarSigner (there are multiple sources from where the utility can be downloaded).
From the command line, enter the following command to run JarSigner and view the list of security certificates in the JAR file:
jarsigner -verify -verbose <UA jar>
After running, ensure that the WhiteSource Mend information appears in the list of security certificates.
The scm client must be installed on your machine in order to successfully connect to your repository:
WhiteSource Mend also supports on-premises installations of repositories.
A summary report in JSON format can be automatically generated locally, in the 'whitesourceMend' folder (created in the directory where the Unified Agent ran), at the end of each scan, using the 'generateScanReport' configuration parameter when running the Unified Agent.
This report includes information on vulnerabilities, policy violations, top fixes and inventory details.