Versions Compared

Old Version 60

changes.mady.by.user Tsur Rothfeld

Saved on

compared with

New Version 66

changes.mady.by.user Tsur Rothfeld

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

Overview

This page provides links to WhiteSource notices for its customers.

...

New and/or Modified Documentation

...

Unified Agent

...

Parameter Merging (version

...

21.

...

4.2)

Beginning in version 20.10.2, a modified and updated Unified Agent documentation this version, nuget.runPreStep and nuget.restoreDependencies will be combined. This works the following way: if nuget.runPreStep = true, then dotnet restore will be performed on found .csproj files. As a result of this merge, nuget.restoreDependencies will be deprecated.

New Unified Agent Documentation (version 20.10.2)

Beginning in version 20.10.2, a modified and updated Unified Agent documentation repository has been launched, with the intent to increase usability, update existing content, fill in missing gaps, and create a linear flow.

...

Notices of Deprecation

Documentation

Version 21.

...

5.2

Beginning in this version the The following pages were archived and are therefore no longer in use:

  • High Severity Bugs Report

  • File System

  • Getting Started

  • Setup Projects

  • Automate the Process by Using the Unified Agent

  • Deprecated Features was deprecated and the content was moved to the Notices page

  • Setting the Home Page was deprecated and the content was moved to the WhiteSource Home Page topic.

...

deprecated:

  • In the Image Registries section:

    • UA - Amazon Elastic Container Registry (ECR) - Docker Integration

    • UA - Azure Container Registry Integration

    • UA - Docker Image Integration

    • UA - Google Container Registry Docker Integration

    • UA - JFrog Artifactory Docker Registry Integration

  • In the AVM section:

    • Migrating Fortify/ThreadFix Agent to the AVM Agent

Version 21.4.2

Beginning in this version the following page was pages were archived and is are therefore no longer in use.

  • WhiteSource Advise for Visual Studio Codespaces

Version 21.2.1

Beginning in this version the following page was archived and is therefore no longer in use.

  • Fortify Software Security Center Integration

...

:

  • Requesting an Arbitrary File 

  • GitHub Related Topics

  • The License Identification page -  its content was merged with Changing a Library’s License

  • TheLicense Analysis page - its content was merged with Understanding Risk Score Attribution

  • The Policies API page has been deprecated, and a new and updated Policies API page has replaced it.

Version 21.3.2

Beginning in this version the following integration pages were archived and are therefore no longer in use. The material contained therein is contained in the Unified Agent parameter documentation.

  • Selecting a Plugin for Integration

  • Providing only a Project name in a Unified Agent Scan

  • Configuration Recommendation Mode

  • Unified Agent Scan Steps and Summary

  • Unified Agent JSON Report Example

The following topics have been completely deprecated and are therefore no longer in use:

...

Documentation Tips

...

Kubernetes FAQ

...

ThreadFix Integration

...

Ruby Plugin

...

Python Plugin

...

NAnt Plugin

...

Gradle Plugin

...

Bower Plugin

...

Bamboo Plugin

...

:

  • High Severity Bugs Report

  • File System

  • Getting Started

  • Setup Projects

  • Automate the Process by Using the Unified Agent

  • Deprecated Features was deprecated and the content was moved to the Notices page

  • Setting the Home Page was deprecated and the content was moved to the WhiteSource Home Page topic.

Version 21.2.2

Beginning in this version the following page was archived and is therefore no longer in use.

  • WhiteSource Advise for Visual Studio Codespaces

Version 21.2.1

Beginning in this version the following page was archived and is therefore no longer in use.

  • Fortify Software Security Center Integration

Version

...

21.

...

1.2

Beginning in this version 20.12.2 the following integration pages were archived and are therefore no longer in use. The material contained therein is contained in the Unified Agent parameter documentation.

  • Gradle

  • Maven

  • Python

Version 20.12.1

Beginning in version 20.12.1 the following integration pages will be archived and therefore no longer be in use. The material contained therein is contained in the Unified Agent parameter documentation.

  • Bower

  • Cargo

  • Cocoapods

  • Haskell

  • Hex (Erlang/Elixir)

  • Ocaml

  • Paket

  • php

  • Poetry

  • Ruby

  • SBT

Additionally, the following pages will be archived:

  • Previous Versions of the Unified Agent

  • Previous GitHub Integration

Features

API Version 1.0 and Below

Beginning on February 15, 2020, WhiteSource will deprecate API version 1.0 and below for new developments to make way for the more advanced and secure versions 1.1, 1.2 and 1.3. Support for 1.0 versions and below will end six months from that date (August 15, 2020).

Additionally, on February 15, 2020, WhiteSource will begin enforcing the quota limits for API usage per customer according to the contract. Please prepare accordingly for these changes. For any questions or concerns, contact WhiteSource support. 

IntelliJ Old Plugin End of Life

On July 12, 2020, WhiteSource will deprecate the old plugin version of WhiteSource Advise for IntelliJ (see here).

A new WhiteSource Advise plugin is already available directly from the IntelliJ IDEA Marketplace (see here), which besides offering the same features as the old plugin, includes functionality improvements as well as performance-related enhancements.

Please make sure to migrate to the new plugin by deleting the old plugin and then only installing the new one. See our documentation for more information.

NuGet Plugin End of Life

With the wide functionality of the WhiteSource Unified Agent providing support for more than 200 languages, the NuGet plugin will reach its End Of Life starting October 1, 2020.

After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until April 1, 2021. Following this date, the NuGet plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on October 1, 2020 to maintain full support of your product.  

Jfrog Xray Integration Support

JFrog's vulnerability data integration strategy has changed: Integration with third-party providers of solutions that scan open-source libraries will no longer be available. Therefore, WhiteSource’s Xray Integration will be deprecated.

Shared customers integrating Xray with WhiteSource will no longer be supported or maintained by JFrog. Note that existing integrations with JFrog Artifactory (independent of JFrog Xray) are not affected.WhiteSource invites you to continue to use its variety of supported integrations for detecting vulnerabilities in open-source software. For more information, contact support@whitesourcesoftware.com.

NPM and Maven GitHub Repositories - Visibility Change

Following the deprecation of NPM and Maven Plugins, the visibility of existing GitHub repositories was changed to 'private'.

Deprecation of the Vulnerable Methods

In some cases, vulnerabilities are fixed by the deprecation of the vulnerable classes or methods. To that extent, WhiteSource, as other official advisories, will mark the vulnerabilities as fixed with the relevant version. In these cases, the vulnerabilities are fixed by adding "@Deprecated" to the vulnerable method.

Example:

Parameters

...

Scan Results

GO Scan Results

There are three main challenges that should be taken into consideration in order to understand WhiteSource’s support for GO projects:

  • Commits are pushed to GO repositories at a high rate (several times per day).

  • GO repositories are relatively large in size.

  • GO provides an option to use the “latest” package, meaning the latest commit pushed to the repository.

The combination of these three factors create difficulty when scanning GO projects, and retrieving the exact commit that was used would cause WhiteSource scans for GO projects to take an exceptionally long time.

In order to overcome the challenges described above, whenever the given SHA-1 isn’t immediately recognized by WhiteSource, an approximate result is provided while WhiteSource imports the exact requested commit. Whenever a library displayed in the WhiteSource UI as an approximated result, it will be displayed as such with a disclaimer in the library details page while the exact commit is imported in the background. Once the exact commit is imported, it will automatically replace the approximate result in your inventory.

Unified Agent

Notice for Customers Using the Direct Link to Download the Unified Agent .jar File

Note that beginning in release 19.7.1 only the new Unified Agent .jar download link will be operational.

  • If you are using PowerShell, you might encounter an issue where downloading files from GitHub.com fails with HTTP 403 when going through BITS, and a signed URL is required. Refer here for a description of the issue and the solution.

  • If you are using Linux, use this command and link to the .jar file: curl-Selecting a Plugin for Integration

  • Providing only a Project name in a Unified Agent Scan

  • Configuration Recommendation Mode

  • Unified Agent Scan Steps and Summary

  • Unified Agent JSON Report Example

The following topics have been completely deprecated and are therefore no longer in use:

  • Documentation Tips

  • Kubernetes FAQ

  • ThreadFix Integration

  • Ruby Plugin

  • Python Plugin

  • NAnt Plugin

  • Gradle Plugin

  • Bower Plugin

  • Bamboo Plugin

  • Ant Plugin

  • Fortify Software Security Center Integration

Version 20.12.2

Beginning in version 20.12.2 the following integration pages were archived and are therefore no longer in use. The material contained therein is contained in the Unified Agent parameter documentation.

  • Gradle

  • Maven

  • Python

Version 20.12.1

Beginning in version 20.12.1 the following integration pages will be archived and therefore no longer be in use. The material contained therein is contained in the Unified Agent parameter documentation.

  • Bower

  • Cargo

  • Cocoapods

  • Haskell

  • Hex (Erlang/Elixir)

  • Ocaml

  • Paket

  • php

  • Poetry

  • Ruby

  • SBT

Additionally, the following pages will be archived:

  • Previous Versions of the Unified Agent

  • Previous GitHub Integration

Features

TeamCity Plugin End-of-Life

The TeamCity plugin will reach its End Of Life starting November 1, 2021. After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until May 1, 2022. Following this date, the TeamCity plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on November 1, 2021 to maintain full support o

API Version 1.0 and Below

Beginning on February 15, 2020, WhiteSource will deprecate API version 1.0 and below for new developments to make way for the more advanced and secure versions 1.1, 1.2 and 1.3. Support for 1.0 versions and below will end six months from that date (August 15, 2020).

Additionally, on February 15, 2020, WhiteSource will begin enforcing the quota limits for API usage per customer according to the contract. Please prepare accordingly for these changes. For any questions or concerns, contact WhiteSource support. 

IntelliJ Old Plugin End of Life

On July 12, 2020, WhiteSource will deprecate the old plugin version of WhiteSource Advise for IntelliJ (see here).

A new WhiteSource Advise plugin is already available directly from the IntelliJ IDEA Marketplace (see here), which besides offering the same features as the old plugin, includes functionality improvements as well as performance-related enhancements.

Please make sure to migrate to the new plugin by deleting the old plugin and then only installing the new one. See our documentation for more information.

NuGet Plugin End of Life

With the wide functionality of the WhiteSource Unified Agent providing support for more than 200 languages, the NuGet plugin will reach its End Of Life starting October 1, 2020.

After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until April 1, 2021. Following this date, the NuGet plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on October 1, 2020 to maintain full support of your product.  

Jfrog Xray Integration Support

JFrog's vulnerability data integration strategy has changed: Integration with third-party providers of solutions that scan open-source libraries will no longer be available. Therefore, WhiteSource’s Xray Integration will be deprecated.

Shared customers integrating Xray with WhiteSource will no longer be supported or maintained by JFrog. Note that existing integrations with JFrog Artifactory (independent of JFrog Xray) are not affected.WhiteSource invites you to continue to use its variety of supported integrations for detecting vulnerabilities in open-source software. For more information, contact support@whitesourcesoftware.com.

NPM and Maven GitHub Repositories - Visibility Change

Following the deprecation of NPM and Maven Plugins, the visibility of existing GitHub repositories was changed to 'private'.

Deprecation of the Vulnerable Methods

In some cases, vulnerabilities are fixed by the deprecation of the vulnerable classes or methods. To that extent, WhiteSource, as other official advisories, will mark the vulnerabilities as fixed with the relevant version. In these cases, the vulnerabilities are fixed by adding "@Deprecated" to the vulnerable method.

Example:

Parameters

  • In version 21.2.2, a newparameter, fileSystemScan, replaces the deprecated ignoreSourceFiles.

Scan Results

GO Scan Results

There are three main challenges that should be taken into consideration in order to understand WhiteSource’s support for GO projects:

  • Commits are pushed to GO repositories at a high rate (several times per day).

  • GO repositories are relatively large in size.

  • GO provides an option to use the “latest” package, meaning the latest commit pushed to the repository.

The combination of these three factors create difficulty when scanning GO projects, and retrieving the exact commit that was used would cause WhiteSource scans for GO projects to take an exceptionally long time.

In order to overcome the challenges described above, whenever the given SHA-1 isn’t immediately recognized by WhiteSource, an approximate result is provided while WhiteSource imports the exact requested commit. Whenever a library displayed in the WhiteSource UI as an approximated result, it will be displayed as such with a disclaimer in the library details page while the exact commit is imported in the background. Once the exact commit is imported, it will automatically replace the approximate result in your inventory.

Unified Agent

Notice for Customers Using the Direct Link to Download the Unified Agent .jar File

Note that beginning in release 19.7.1 only the new Unified Agent .jar download link will be operational.

...

  • CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
    CVSS 3.x Score7.5 HIGH

  • CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
    CVSS 3.x Score7.5 HIGH

  • CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
    CVSS 3.x Score7.5 HIGH

  • CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
    CVSS 3.x Score7.5 HIGH

  • CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
    CVSS 3.x Score7.5 HIGH

  • CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
    CVSS 3.x Score7.5 HIGH

  • CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
    CVSS 3.x Score7.5 HIGH

  • CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
    CVSS 3.x Score7.5 HIGH

Vulnerable Projects

Project

Vulnerabilities

Vulnerable Versions

Mitigation

Apache Traffic Server

CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518.

6.x: 6.0 - 6.2.3
7.x: 7.0 - 7.1.6
8.x: 8.0 -  8.1.3

6.x: No fix available.
7.x: Upgrade to 7.1.7 (patch).
8.x: Upgrade to 8.1.4 (patch).

Go

CVE-2019-9512, CVE-2019-9514. Official Website Advisory

1.11.x: 1.11.0 - 1.11.12
1.12.x: 1.12.0 - 1.12.7

1.11.x: Upgrade to 1.11.13 (patch).
1.12.x: Upgrade to 1.12.8 (patch).

H2O

CVE-2019-9512, CVE-2019-9514, CVE-2019-9515. Official Website Advisory

2.2.x: 2.2.0 - 2.2.5
2.3.x: 2.3.0-beta1

2.2.x: Upgrade to 2.2.6 (patch).
2.3.x: Upgrade to 2.3.0-beta2 (patch).

Eclipse Jetty

CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. Official Website Advisory

9.3.x - 9.4.20

Upgrade to 9.4.21 (patch).

Netty

CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518. Official Website Advisory

4.1.0-beta4 - 4.1.38

Upgrade to 4.1.39 (patch-1 [9512, 9514, 9515], patch-2 [9518]).

Nghttp2

CVE-2019-9511, CVE-2019-9513. Official Website Advisory

0.1.0 - 1.39.1

Upgrade to 1.39.2 (patch-1patch-2).

NGINX

CVE-2019-9511, CVE-2019-9513, CVE-2019-9516. Official Website Advisory

NOTE: The releases (X.Y.Z) splitted into two types: if Y is divisible by 2 - stable, otherwise - mainline.
Stable: 0.2.x - 1.16.0
Mainline:  0.1.x - 1.17.2

Stable: Upgrade to 1.16.1 (patch-1 [9511], patch-2 [9513], patch-3 [9516]).
Mainline: Upgrade to 1.17.3 (patch-1 [9511], patch-2 [9513], patch-3 [9516]).

NodeJS

CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. Official Website Advisory

8.x: 8.0.0 - 8.16.0
10.x: 10.0.0 - 1.16.2
12.x: 12.0.0 - 12.8.0 

8.x: Upgrade to 8.16.1 (patch-1 [9511, 9517], patch-2 [9511, 9517], patch-3 [9512, 9515], patch-4 [9512, 9515], patch-5 [9513], patch-6 [9513], patch-7 [9514], patch-8 [9514], patch-9 [9516], patch-10 [9518]).
10.x: Upgrade to 10.16.3 (patch-1 [9511, 9517], patch-2 [9511, 9517], patch-3 [9512, 9515], patch-4 [9512, 9515], patch-5 [9513], patch-6 [9513], patch-7 [9514], patch-8 [9514], patch-9 [9516], patch-10 [9518]).
12.x: Upgrade to 12.8.1 (patch-1 [9511, 9517], patch-2 [9511, 9517], patch-3 [9512, 9515], patch-4 [9512, 9515], patch-5 [9513], patch-6 [9513], patch-7 [9514], patch-8 [9514], patch-9 [9516], patch-10 [9518]).

...

Azure DevOps

Major improvements to the Azure DevOps integration will be introduced in July 2021. The underlying scanning mechanism will be modified to allow a direct WhiteSource scan from within the Azure DevOps pipeline. As part of this change, the following updates will be introduced:

  • The extension activation procedure will be moved to the Organization settings section by navigating to Organization settings > Extensions > WhiteSource page.

  • The WhiteSource tab under Project > Pipelines will be deprecated.

  • The WhiteSource Open Source Risk Report will be available at the Azure DevOps build level only, deprecating the project level aggregated report.

  • The direct WhiteSource scan from within the Azure DevOps pipeline will be the only scanning option.