...

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

resolveAllDependencies 

Whether to enable or disable by default all dependency resolvers for a scan.

For example, with the following parameters set, only npm dependencies will be resolved:
resolveAllDependencies=false
npm.resolveDependencies=true
#maven.resolveDependencies=false

When set to True, the default for all package managers' resolveDependencies parameter is set to True, unless explicitly set to False.

When set to False, the default for all package managers' resolveDependencies parameter is set to False, unless explicitly set to True.

True

-resolveAllDependencies

excludeDependenciesFromNodes=.*commons-io.*,.*maven-model 

Comma-delimited list of regular expressions.

Specify an artifact id or multiple artifact ids (comma-delimited) to exclude the provided tree nodes and their sub-nodes from the scan.

NOTE: These will not be added to your project inventory. 

N/A

N/A

No default

No

Java

Maven

For more information regarding Maven integration, refer here.


Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

maven.ignoredScopes 

Define which exact scope names to ignore.

By default, the Unified Agent ignores direct dependencies with scope 'test' and 'provided'.
This value can be overridden to ignore specific scopes.

N/A

N/A

"provided" and "test"

-maven.ignoredScopes

maven.resolveDependencies 

Whether to resolve Maven dependencies, requires "pom.xml".

In case the project is a Maven project, the resolution will start.

The Maven resolution will not start.

True
(except for when resolveAllDependencies=false)

-maven.resolveDependencies

maven.ignoreSourceFiles  

When using the dependency resolver, it will only include pom.xml dependencies, not source files and packages.

NOTE: Only relevant when fileSystemScan is true.

Will ignore files with the following extensions/names in the scan: ".java", ".class", "pom.xml".

Will not ignore the mentioned file extensions.

False


maven.aggregateModules  

Combines all pom modules into a single WhiteSource project with an aggregated dependency flat list (no hierarchy).

Will create a single project for all modules, to be displayed as a flat list.

A project will be created for each module and displayed as a hierarchical tree.

False

-maven.aggregateModules

maven.ignorePomModules  

Whether to ignore dependency resolving of a pom.xml file containing a 'pom' value inside a packaging tag, i.e., '<packaging>pom</packaging>'.

The dependency resolver will ignore all dependencies specified inside a pom.xml file that contains a packaging tag with 'pom' value ('<packaging>pom</packaging>')

The dependency resolver will not ignore all dependencies specified inside a pom.xml file that contains a packaging tag with 'pom' value ('<packaging>pom</packaging>')

True

No

maven.runPreStep 

Whether to run "mvn clean install" command on found pom.xml folder

Will run the "mvn clean install" command

Will not run the "mvn clean install" command

False

No

maven.ignoreMvnTreeErrors 

If the command `mvn dependency:tree` fails, we try to resolve the partial output (of the command) if it exists and parse all the direct dependencies from the pom.xml file.

The scan will end with success and will send a flat list (direct only).

The scan will end with errors.

False

No

maven.environmentPath 

Path to the Maven installation in case it does not match the M2_HOME environment variable

N/A

N/A

No default

No

maven.m2RepositoryPath 

Path to .m2 folder, in case it is not available in the default location.

N/A

N/A

No default

No

maven.downloadMissingDependencies 

Allows users to disable downloading missing dependencies in Maven.

In case there is a missing dependency jar/binary in the repository, the code will try to download the missing dependency.

The downloading of missing dependencies will be disabled.

True

No

maven.additionalArguments 

Any parameters provided here that start with '-' or '--' are added by the Unified Agent to the end of the Maven commands.

Example values:

  • -s=path/to/settings.xml

  • -s=path/to/settings.xml --threads=2.0C

N/A

N/A

No default

No

failErrorLevel 

Returns an error code for the following cases:

  • resolver.runPrepStep failed

  • An error occurred in collecting/running dependencies

NOTE: When set to ALL, the Unified Agent returns an error code for all errors in the scan, rather than SUCCESS. This can be useful for customers migrating from the plugins (NPM, MAVEN etc.) to the Unified Agent.

N/A

N/A

DEFAULT

No

maven.projectNameFromDependencyFile 

Whether a project name will be taken from the dependency file.

The project name will be taken from the pom.xml's 'artifactId' field. Works only when the maven resolver is the only active resolver.

If the Unified Agent identifies any additional resolvers besides Maven that are set to True, an error is generated.

The project name will be taken from the CLI/configuration file.


False

No

Gradle

For more information regarding Gradle integration, refer here.


Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

gradle.ignoredConfigurations

 

Enables you to determine which dependency configurations to ignore in the scan.

The format is according to the following:

  • Exact configuration names to ignore.
    Values must be space-delimited.

For example: gradle.ignoredConfigurations= testCompileOnly testRuntimeOnly

ignores configurations named “testCompileOnly” and “testRuntimeOnly”.

  • Configurations can use regular expressions.

For example: gradle.ignoredConfigurations=.*test.* ignores all configuration names that contain the string "test".
NOTE: This parameter was previously named gradle.ignoredScopes.

N/A

N/A

No default

No

gradle.resolveDependencies 

Whether to resolve Gradle dependencies. Requires build.gradle or build.gradle.kts.

Resolves Gradle dependencies

Will not resolve Gradle dependencies

True
(except for when resolveAllDependencies=false)

-gradle.resolveDependencies

gradle.runAssembleCommand

In case of a missing dependency, executes the 'gradle assemble' command 
NOTE: This command is executed only if `gradle.resolveDependencies` is True.

Executes the 'gradle assemble' command

Will not execute the 'gradle assemble' command

True

No

gradle.runPreStep 

The Unified Agent will add additional jars to the customer's global cache.
In most Gradle versions the "gradle dependencies" command we run does this.

For each build.gradle file that the Unified Agent finds:

  1. Unified Agent will copy the Gradle project to a temporary system folder.

  2. Inside of each copied project's build.gradle file, the Unified Agent will add a task (named 'copyDependencies') in order to download the missing dependencies

  3. Unified Agent will run 'gradle copyDependencies' - this step will add the missing dependencies to the user's global cache

Will depend on Gradle dependencies to fill out missing cache dependencies.

False

No

gradle.ignoreSourceFiles 

When using the dependency resolver, it will include only package dependencies, not source files.

NOTE: Only relevant when fileSystemScan is true.

The scan includes only package dependencies, not source files.

When using the dependency resolver, it will include package dependencies, plus source files.

False

No

gradle.aggregateModules 

Whether to create a single project for all modules.

Creates a single project for all modules.

A project will be created for each module. The name of the project will be equal to the name of the module (if so, projectName will be ignored).

False

-gradle.aggregateModules

gradle.preferredEnvironment 

When set to 'wrapper', the Unified Agent will run the 'gradlew' wrapper command. If set to 'gradle', it will use the built-in gradle command.

N/A

N/A

gradle

No

gradle.localRepositoryPath

Paths to the gradle local repository.

For example, in Windows, the path can be defined as the following:
C:\\Users\\JSmith\\.gradle\\caches\\modules-2\\files-2.1

NOTE: From 19.5.3 it can handle a comma/space-delimited list of paths.

N/A

N/A

No default

No

gradle.wrapperPath 

The path to the gradle wrapper.

N/A

N/A

No default

No

gradle.downloadMissingDependencies 

Enables the user to disable downloading of missing dependencies in Gradle.

Enables the Unified Agent to download missing dependencies.

The Unified Agent will not download missing dependencies.

True

No

gradle.additionalArguments 

Enables users to add additional arguments to the Unified Agent's existing commands. The existing commands are gradle dependencies or gradle wrapper dependencies. This works the following way:

Users can provide any parameters starting with '-' or '--', and the Unified Agent will add these at the end of the command.

For example:

  • -Pbranch=dev -PbuildWithSources=false

  • --no-daemon --info

  • -Pbranch=dev -PbuildWithSources=false --no-daemon --info

N/A

N/A

No default

No

gradle.includedConfigurations

Enables you to determine which dependency configurations to include in the scan.

The format is according to the following:

  • Exact configuration names to include.

Values should be space-delimited.
For example:

gradle.includedConfigurations= compileOnly testCompileOnly

Includes configurations named “compileOnly” and “testCompileOnly”.

  • Configurations can include regular expressions.

For example:

gradle.includedConfigurations=.*Only.*

Includes all configuration names that contain the string "Only"
NOTE: this parameter was previously named gradle.includedScopes 

N/A

N/A

No default

No

gradle.excludeModules 

Enables excluding specific modules in the Gradle scan. 

The format is according to the following:

  • Exact modules to exclude. Values should be space delimited. For example: gradle.excludeModules= Dev Prod excludes the modules named 'Dev' and 'Prod'.

  • Regular expressions. For example: gradle.excludeModules=.*Dev.* matches all module names that contain (anywhere in their name) the string "Dev".

N/A

N/A

No default

No

gradle.includeModules 

Enables including specific modules in the Gradle scan.

The format is according to the following:

  • Exact modules to include. Values must be space delimited. For example: gradle.includeModules= Dev Prod - include modules named 'Dev' and 'Prod'.

  • Regular expressions. For example: gradle.includeModules=.*Dev.* includes all module names that contain these characters.

N/A

N/A

No default

No

gradle.innerModulesAsDependencies

When set to false, this parameter ignores and excludes all the modules dependencies from the resolution scan.

Includes all the modules dependencies in the resolution scan.

Ignores and excludes all the modules dependencies from the resolution scan.

True

No

...

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

ant.resolveDependencies 

Whether to scan Apache Ant-based projects.

In cases where the 'ant.pathIdIncludes' parameter is not provided, the Unified Agent will look for the following extensions in your project: jar, war, ear, par, rar, dll, exe, ko, so, msi, zip, tar, tar.gz, swc, swf.

Scans Apache Ant-based projects.

Will not scan Apache Ant-based projects.

True
(except for when resolveAllDependencies=false)

No

ant.pathIdIncludes 

Regular expression or comma/space-delimited list of path ids (specified in the build.xml file) to include in the scan.

NOTE: In order for this parameter's value to have an impact on the scan, the parameter 'ant.resolveDependencies' must be set to True.

N/A

N/A

The default value is ".*"

No

ant.external.parameters 

Comma-separated list of key=value pairs. These values are equivalent to the Ant <property> XML tag.

N/A

N/A

No default

No

ant.ivy.resolveDependencies

Whether to scan Ivy-based projects.

Scans Ivy-based projects.

Will not scan Ivy-based projects.

False

No

ant.ivy.ignoredConfigurations

Enables you to determine which dependency configurations to ignore in the scan.

The format is according to the following:

  • Exact configuration names to ignore.
    Values must be space-delimited.

  • Configurations can use regular expressions.

N/A

N/A

None (all configurations are included)

No

Bazel

Refer here for Bazel.

...

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

npm.ignoreDirectoryPatterns

A string parameter that defines the list of directory patterns which will be ignored when searching for the package.json dependency file during the npm resolution. The list of directories is a comma/semi-colon delimited list.

N/A

N/A

example,examples,test,.ws_bower

No

npm.resolveDependencies  

Whether to resolve npm dependencies.

NOTE: 'package.json' dependency files defined within directories defined by the npm.ignoreDirectoryPatterns are not scanned, and therefore dependencies declared in these files are ignored. For example, the default set of directories to ignore will not include the following dependency files:

*/examples/*package.json

*/example/*package.json

*/.ws_bower/*package.json

*/test/*package.json

Resolves NPM/yarn dependencies.

  • If a yarn.lock file is identified, then yarn resolution is performed.

  • If a package-lock.json file is identified, then NPM resolution is performed.

  • If both lock files are found or missing, the npm.yarnProject 
    parameter will be used to determine which resolution to perform.

Will not resolve NPM/yarn dependencies.

True
(except for when resolveAllDependencies=false)

-npm.resolveDependencies

npm.ignoreSourceFiles 

When using the npm resolver, ignore or include the js files outside the node_modules folder.

NOTE: Only relevant when fileSystemScan is true.

Ignores the js files outside the node_modules folder.

Includes the js files outside the node_modules folder.

True

No

npm.includeDevDependencies 

Whether to include dev dependencies.

Adds devDependencies to the scan

Only the prod dependencies will be scanned.

False

-npm.includeDevDependencies

npm.runPreStep 

Whether to run "npm install" or "yarn install" on found package.json file.

Installs the NPM/yarn project.

  • If a yarn.lock file is identified, then yarn install is executed.

  • If a package-lock.json file is identified, then npm install is executed.

  • If both lock files are found or missing, the npm.yarnProject
    parameter will be used to determine which installation command to perform.

Will not install the NPM/yarn project.

False

No

npm.ignoreNpmLsErrors 

Whether to ignore errors of the 'npm list' command.

The scan will end with SUCCESS status + hierarchy tree.

The scan will end with SUCCESS status + flat list.

False

No

npm.ignoreScripts 

Whether to ignore the scripts in your project's package.json file.

NOTES:

  • Used only if npm.runPreStep = True

  • Since 20.4.2 the flag is also supported for Yarn.

The Unified Agent executes npm install --ignore-scripts, and the scripts in your project's package.json file will not be run.

The npm install command will run and the scripts in your project's package.json file will be run.

False

No

npm.yarnProject 

Whether this is a yarn project (or not).

Resolves yarn projects

Will not resolve yarn projects

False

No

npm.accessToken

The access token value provided by the relevant environment (Microsoft Visual Studio or Artifactory) to fetch required data from the NPM registry.

N/A

N/A

Empty

No

npm.identifyByNameAndVersion 

Defines whether to fetch package data from npm registry (either private or public).

The Unified Agent will use only the name and the version of the package.

Fetches package data from npm registry (either private or public).

False

No

npm.yarn.frozenLockfile 

Enables running the pre-step with the '--frozen-lockfile' yarn parameter.
NOTE: If enabled, the following parameters also need to be set to True: npm.runPreStep and npm.yarnProject.

Runs the pre-step with the '--frozen-lockfile' yarn parameter.

Will not run the pre-step with the '--frozen-lockfile' yarn parameter.

False

No

npm.resolveMainPackageJsonOnly

In npm projects, more than one package.json file can exist. Therefore, you can decide to resolve only the main package.json file (the one in the root directory) or all package.json files.

The Unified Agent checks if there is a package.json file in the folder passed as the -d parameter. If no such file exists, the scan will fail; otherwise, the Unified Agent will scan only this package.json.

The Unified Agent resolves all package.json files

False

No

npm.removeDuplicateDependencies 

Whether to remove duplicate dependencies during npm dependency resolution.

Removes duplicate dependencies during npm dependency resolution.

Includes duplicate dependencies during npm dependency resolution.

True

No

npm.resolveAdditionalDependencies

Whether to resolve global dependencies and require modules.

NOTE: Require is the equivalent to import in other languages.

Resolves global dependencies and require modules.

Resolves only the dependencies that are declared in the package.json.

False

No

npm.resolveLockFile 

Whether the Unified Agent will rely on the manifest (package.json) and lock file (package-lock.json) for the resolution and not rely on NPM commands. If the lock file is missing, the detection will be based on the node_modules folder.  

The Unified Agent uses the package.json and package-lock.json to get the hierarchy tree. If the package-lock.json is missing, the detection is based on the node_modules folder.

The Unified Agent runs npm commands to get the hierarchy tree.

True

No

npm.projectNameFromDependencyFile 

Whether the project name will be taken from the dependency file. This is a standalone parameter for the NPM resolver only, taking effect only when the npm resolver is the only active resolver.

If the Unified Agent identifies any additional resolvers besides npm that are set to True, an error is generated.

NOTE: If a productVersion was specified, it will override the project version and be part of the project's name.

The project name will be taken from the package.json file.

The project name will be taken from the CLI/configuration file.

False

No

npm.failOnNpmLsErrors 

Whether to fail and exit the scan in case of 'npm ls' errors.

In case an error occurs while running 'npm ls', the following log will be printed and the scan will stop: "Errors found in 'npm ls' command, while flag npm.failOnNpmLsErrors is true program will exit".

In case of an error in 'npm ls' the Unified Agent will continue to run and get as much dependencies information as possible.

NULL (meaning False -  the scan will not fail on npm ls errors)

No

npm.resolveGlobalPackages 

When scanning Docker images where npm is not available, this parameter eliminates the need to rely on NPM being installed and available in order to extract global dependencies, as the Unified Agent identifies all the global npm packages installed on the Docker image. When True, the Unified Agent will scan every package.json file inside the 'node_modules' directory. This parameter is mostly relevant when scanning Docker images.

Resolves all package.json files under the node_modules folder.

Will not scan package.json files under the node_modules folder.

False

No
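The resolveAllDependencies rule from the general table and the npm pre-step parameters above (npm.runPreStep, npm.ignoreScripts, npm.yarn.frozenLockfile) can be checked mechanically before a scan. The following Python script is an added example, not WhiteSource code; it assumes the configuration file is plain key=value lines with '#' comment lines, and its function names and finding codes are hypothetical.

```python
# Added example (not WhiteSource code): audit the npm settings of a
# Unified Agent configuration file before running a scan.

# Package managers whose resolveDependencies default follows
# resolveAllDependencies according to the tables on this page.
CASCADING_RESOLVERS = ("maven", "gradle", "ant", "npm", "nuget", "paket",
                       "python", "go", "sbt")


def parse_config(text):
    """Parse key=value lines. Assumption: a line starting with '#' is a
    comment, as in the page's '#maven.resolveDependencies=false' example."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def flag(settings, key, default):
    """Boolean value of a parameter, or the documented default when unset.
    Assumption: values are compared case-insensitively against 'true'."""
    value = settings.get(key, "")
    return default if value == "" else value.lower() == "true"


def enabled_resolvers(settings):
    """An explicit <pm>.resolveDependencies wins; otherwise the value of
    resolveAllDependencies (default True) is used."""
    fallback = flag(settings, "resolveAllDependencies", True)
    return sorted(pm for pm in CASCADING_RESOLVERS
                  if flag(settings, pm + ".resolveDependencies", fallback))


def audit_npm(settings):
    """Return (code, message) findings for the npm parameters on this page."""
    if "npm" not in enabled_resolvers(settings):
        return [("NPM_RESOLVER_OFF", "npm dependencies will not be resolved")]
    findings = []
    pre_step = flag(settings, "npm.runPreStep", False)
    ignore_scripts = flag(settings, "npm.ignoreScripts", False)
    yarn = flag(settings, "npm.yarnProject", False)
    if pre_step and not ignore_scripts:
        findings.append(("PRESTEP_RUNS_SCRIPTS",
                         "npm.runPreStep is True without npm.ignoreScripts: "
                         "the scripts in package.json will be run"))
    if ignore_scripts and not pre_step:
        findings.append(("IGNORE_SCRIPTS_UNUSED",
                         "npm.ignoreScripts is used only if npm.runPreStep "
                         "is True"))
    if flag(settings, "npm.yarn.frozenLockfile", False) and not (pre_step and yarn):
        findings.append(("FROZEN_LOCKFILE_UNUSED",
                         "npm.yarn.frozenLockfile needs npm.runPreStep and "
                         "npm.yarnProject set to True"))
    if not flag(settings, "npm.includeDevDependencies", False):
        findings.append(("DEV_DEPS_NOT_SCANNED",
                         "npm.includeDevDependencies is False: only prod "
                         "dependencies are scanned"))
    return findings


def codes(text):
    """Finding codes for a configuration given as text."""
    return [code for code, _ in audit_npm(parse_config(text))]


# Constructed sample configurations. PAGE_EXAMPLE repeats the three lines
# shown in the resolveAllDependencies description.
PAGE_EXAMPLE = (
    "resolveAllDependencies=false\n"
    "npm.resolveDependencies=true\n"
    "#maven.resolveDependencies=false\n"
)
WITH_PRESTEP = PAGE_EXAMPLE + "npm.runPreStep=true\n"
TIGHTENED = WITH_PRESTEP + "npm.ignoreScripts=true\nnpm.includeDevDependencies=true\n"

if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE),
                       ("with pre-step", WITH_PRESTEP),
                       ("tightened", TIGHTENED)):
        cfg = parse_config(text)
        print(name, "| resolvers:", enabled_resolvers(cfg))
        for code, message in audit_npm(cfg):
            print("   ", code, "-", message)
```
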

Bower


...

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

nuget.resolveDependencies

Whether to resolve NuGet packages.config and .csproj files.

Resolves NuGet packages.config and .csproj files.

Will not resolve NuGet packages.config and .csproj files.

True
(except for when resolveAllDependencies=false)

No

nuget.resolvePackagesConfigFiles 

Whether to resolve packages.config file at the project's root. 

NOTE: In order for this parameter's value to impact the scan, the parameter nuget.resolveDependencies must be set to True.

Resolves packages.config files.

Will not resolve packages.config files.

True

No

nuget.resolveCsProjFiles 

Whether to resolve *.csproj file at the project's root.

NOTE: In order for this parameter's value to impact the scan, the parameter nuget.resolveDependencies must be set to True.

Resolves *.csproj file at the project's root.

Will not resolve *.csproj file at the project's root.

True

No

nuget.restoreDependencies 

Whether to run dotnet restore on found '.csproj' files in order to download the project's dependencies.

Runs dotnet restore on found '.csproj' files

Will not run dotnet restore on found '.csproj' files

False

No

nuget.preferredEnvironment 

Defines the preferred NuGet restore command. Available values are nuget and dotnet.

NOTE: This parameter will be used only if the nuget.runPreStep parameter is set to True.

N/A

N/A

No default

No

nuget.packagesDirectory  

Provides a path to the directory where WhiteSource temporary files will be created (and removed at the end of a scan).

NOTE: Provide a short directory, in order to avoid errors related to the path size during the restore command.

N/A

N/A

No default

No

nuget.ignoreSourceFiles 

When using the dependency resolver, whether to include package dependencies or package dependencies + source files.

NOTE: Only relevant when fileSystemScan is true.

Includes only package dependencies

Includes package dependencies and source files

True

No

nuget.runPreStep 

Whether to run nuget restore on found 'packages.config' files and dotnet restore on found csproj files in order to download the project's dependencies.

Runs dotnet restore on csproj files and nuget restore on found 'packages.config' files in order to download all dependencies to a temporary folder, scans this folder and deletes it after fetching the dependencies.

Will not run dotnet restore and nuget restore on found 'packages.config' and csproj files.

False

No

nuget.resolveNuspecFiles 

Indicates whether to resolve *.nuspec file at the project's root.

NOTE: In order for this parameter's value to impact the scan, the parameter nuget.resolveDependencies must be set to True.

Resolves *.nuspec file at the project's root.

Will not resolve *.nuspec file at the project's root.

True

No

nuget.resolveAssetsFiles 

Resolves obj/project.assets.json file for new .NET dependency management structure.

N/A

N/A

True

No

...

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

paket.resolveDependencies 

Whether to resolve .NET dependencies using the Paket dependency manager.

Paket projects are resolved.

Paket projects will not be resolved.

True
(except for when resolveAllDependencies=false)

No

paket.ignoredGroups 

Which Paket scopes to ignore.

Values are comma/semi-colon/space delimited. GLOB patterns are supported, in addition to exact names.

N/A

N/A

No default (empty)

No

paket.ignoreSourceFiles 

When using the Paket resolver, defines whether to ignore the .NET Paket files outside the packages folder.

NOTE: Only relevant when fileSystemScan is true.

Will ignore files from scan, those which have extensions such as: .nupkg, .dll, .exe, .cs, .js

Will not ignore the mentioned file extensions.

True

No

paket.runPreStep 

Runs "paket install" on found Paket folder.

Will run the "paket install" command

Will not run the command.

False

No

paket.exePath 

The path to the paket.exe file used to run "paket install".

N/A

N/A

No default (empty)

No

Python 

...

Note the following:

  • Make sure that the project directory contains at least one Python extension file (it can be located in any directory, not only in the root directory).

  • The Unified Agent runs the command 'pip download -r requirements.txt' for every 'requirements.txt' file that it finds within the project directories (the file can reside either in the root or in a nested directory).


Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

python.resolveDependencies 

Whether to resolve python dependencies.

"requirements.txt"  or "pipfile" are required.

Resolves python dependencies

Will not resolve python dependencies.

True
(except for when resolveAllDependencies=false)

No

python.ignoreSourceFiles 

When using the dependency resolver, it will only include package dependencies, not source files.

NOTE: Only relevant when fileSystemScan is true.

Ignores *.py files in scan.

Will not ignore files which have ".py" extension.

True

No

python.ignorePipInstallErrors 

Whether to ignore errors of 'pip download -r requirements.txt' command.

Ignores download errors, and tries to download packages one by one.

Will consider such errors and react accordingly

False

No

python.installVirtualenv 

Whether to install the pip 'virtualenv' on --user.

Installs a virtual environment by running "python -m pip install --user virtualenv"

Will not run the command 

False

No

python.resolveHierarchyTree 

Whether to resolve the hierarchy tree or a flat list of dependencies, requires "requirements.txt" like files.

Will install pipdeptree and use it to resolve and find the dependency hierarchy tree

Will resolve a flat list only

True

No

python.requirementsFileIncludes 

Space-delimited list of dependency filenames specifying which files to be scanned for dependencies, instead of "requirements.txt", when using pip package manager.

N/A

N/A

requirements.txt

No

python.resolveSetupPyFiles 

Whether to resolve python dependencies in setup.py files, and if so, it executes the setup.py script in order to install and resolve dependencies.

Executes setup.py in order to install and resolve dependencies

Will ignore setup.py files

False

No

python.runPipenvPreStep 

Whether to run pipenv install command. If so, it requires "pipfile".

Runs the 'pipenv install' command.

Will not run the command

False

No

python.pipenvDevDependencies 

Whether or not to install "dev" dependencies, if so it requires "python.runPipenvPreStep=true"

Adds --dev to the command, resulting in: "pipenv install --dev"

Will not add --dev to the command

False

No

python.IgnorePipenvInstallErrors 

Whether to ignore errors of the 'pipenv run pip download' command.

Ignores download errors, and tries to download packages one by one.

Will consider such errors and react accordingly

False

No

python.resolveGlobalPackages 

Whether to resolve global packages or not. If so, it requires global package folders called site-packages or dist-packages in your scan directory.

If set to True and there is a site-packages or dist-packages folder, the resolution will be based on the packages under those folders. 

Will not resolve global packages

False

No

python.resolvePipEditablePackages

The parameter handles requirements.txt files with rows (packages) with the -e flag.
Additionally, it resolves the dev dependencies of the package itself 
NOTE: Currently supported only for pip.

Resolves the dev dependencies on the first scan.

Will not resolve the dev dependencies on the first scan.

False

No

python.path

Points to the python executable path.

If the executable path is already set in the environment variables, then just the executable name can be defined, e.g. in Linux  "python2.7".

NOTE: This parameter replaces "python" executable with the value defined.

N/A

N/A

python

No

python.pipPath

Enables you to use different versions of pip. If set to pip3, will run "pip3" and "python -m pip3" instead of "pip" and "python -m pip".

N/A

N/A

pip

No

python.runPoetryPreStep

Whether to run "poetry install" command.

Will run the "poetry install" command

Will not run the "poetry install" command

False

No

python.includePoetryDevDependencies

Whether to scan Poetry project dev dependencies.

Scans Poetry project dev dependencies

Will ignore dev dependencies

False

No

python.localPackagePathsToInstall

A space-delimited list of local package paths that will be installed during the pre-step, if required.

N/A

N/A

Empty

No

python.indexUrl

The URL of a local PyPI repository to use in addition to the official PyPI repository. Use if you have dependencies downloaded from a different source than the default PyPI.

N/A

N/A

pypi.org

No

python.includePipenvDevDependencies

Enables you to include or exclude dev dependencies.

Include dev dependencies in the resolution.

Exclude dev dependencies in the resolution.

True

No

...

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

go.resolveDependencies 

Whether to resolve Go dependencies.

Will resolve Go projects.

Will not resolve Go projects.

True
(except for when resolveAllDependencies=false)

No

go.collectDependenciesAtRuntime 

Whether to collect Go dependencies at runtime (similar to the 'runPreStep' parameter for the other languages).

When set to True, refer here for an explanation.

Will run the command relevant to the selected dependency manager.

Will not run the command

False

No

go.dependencyManager 

Determines the Go dependency manager for use when scanning a Go project. Valid values are:

  • dep

  • godep

  • vndr

  • gogradle

  • govendor

  • gopm

  • glide

  • vgo

  • modules

If left empty, the Unified Agent will first try to resolve the dependencies using the first package manager from this list. If it fails, it continues and tries the next one until it succeeds.

N/A

N/A

No default (empty)

No

go.ignoreSourceFiles 

When using the dependency resolver, it will only include package dependencies, not source files.

NOTE: Only relevant when fileSystemScan is true.

Will ignore .go files from the scan.

Will not ignore .go files from the scan.

False

No

go.glide.ignoreTestPackages 

When using the Glide resolver, whether to ignore test packages defined in the 'testImport' section of the 'glide.yaml' file.

Ignores test packages from the scan.

Does not ignore the mentioned test packages from the scan.

True

No

go.gogradle.enableTaskAlias 

Enables/disables task aliasing for gogradle. 

Set to True when using the gogradle dependency manager and the gradle argument (in 'gradle.properties') includes 'gogradle.alias=true'.

Enables task aliasing for gogradle.

Disables task aliasing for gogradle.

False

No

Modules

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

go.modules.resolveDependencies

Whether to resolve Go Modules dependencies.

NOTE: To enable this, you must also set go.resolveDependencies to false.

Resolves Go Modules dependencies.

Will not resolve Go Modules dependencies.

False

No

go.modules.ignoreSourceFiles

Will perform package manager based dependencies resolution only or include source files as well.

NOTE: Only relevant when fileSystemScan is true.

Will ignore Go source files during the scan.

Will not ignore Go source files.

True

No

go.modules.removeDuplicateDependencies

Whether to remove duplicate dependencies during Go Modules dependency resolution.

Removes duplicate dependencies during Go Modules dependency resolution.

Includes duplicate dependencies during Go Modules dependency resolution.

True

No

go.modules.includeTestDependencies

Whether to scan Go Modules project test dependencies.

Scans Go Modules project test dependencies.

Will not scan Go Modules project test dependencies.

False

No

Bazel

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

bazel.resolveDependencies

Whether to resolve Bazel dependencies

Resolves Bazel dependencies

Will not resolve Bazel dependencies

True

No

bazel.runPreStep

Indicates whether to perform a pre-step - install dependencies in case they are not installed.

Prior to scanning, the Unified Agent will run the Bazel build and Bazel sync.

Prior to scanning, the Unified Agent will not run the Bazel build and Bazel sync.

False

No

...

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

sbt.resolveDependencies 

Whether to resolve Scala dependencies (using sbt).

Will resolve Scala dependencies.

The Scala dependencies will not be resolved.

True
(except for when resolveAllDependencies=false)

No

sbt.ignoreSourceFiles 

When using the dependency resolver, it will include only package dependencies, not source files (file extensions .scala and .sbt).

NOTE: Only relevant when fileSystemScan is true.

Will ignore such source files in the scan.

Will scan such source files.

True

No

sbt.aggregateModules 

Whether to create a single project for all modules.

Will gather all Scala modules' scanned dependencies into one project in the WhiteSource application.

A project will be created individually for each module. The name of the project will be equal to the name of the module (projectName will be ignored in this case).

False

No

sbt.runPreStep 

Whether to run "sbt compile" on found in the Scala project folder.

Will run the "sbt compile" command.

Will not run the command.

False

No

sbt.includedScopes

Describes which scopes should be scanned in the Scala resolver. Users can define additional scopes.

N/A

N/A

The default values are "compile" and "runtime"

No

...

R

WhiteSource supports integration with R via the Packrat package manager, but can also be used by customers not using Packrat. The configuration parameters that are specifically related to the R programming language include the following:

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

r.resolveDependencies

Whether to resolve R dependencies defined in the DESCRIPTION file.

Resolves R dependencies.

Will not resolve R dependencies

True
(except for when resolveAllDependencies=false)

No

r.runPreStep

Whether to run the Rscript command.

Runs the Rscript command

Will not run the Rscript command

False

No

r.ignoreSourceFiles

When using the dependency resolver, it will include only package dependencies, not source files.

NOTE: Only relevant when fileSystemScan is true.

Includes only package dependencies.

The scan will include package dependencies + source files.

True

No

r.cranMirrorUrl

The repository for downloading the R packages while running the pre-step.

NOTE: Required when r.runPreStep is True.

N/A

N/A

No default

No

r.packageManager

Describes which type of R package manager the UA should use. The default value is packrat. Setting the value to 'None' will scan R dependencies without using any package manager - it will only use basic R commands e.g. Rscript -e "installed.packages()".


N/A

N/A

'packrat'

No

...

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

docker.scanImages

Runs scans on all or specified images. 

When set to True, only the Docker image scan and Linux packages scan will occur.
A general scan using local resolvers (package managers) will only take place if the resolvers are installed and available locally. This will include the detection of Linux packages, and a general scan of the image file system for package-manager-based resolution and identification of source files/binaries.

See here for more information on scanning Docker images.

Only the Docker image scan and Linux packages scan will occur.

Docker image scan will not take place.

False

-docker.scanImages

docker.includes 

Comma, space or line-delimited list specifying which images to include in the scan.

Values provided should come from either of the following:

  • Repository (image name)

  • Tag

  • Image ID

N/A

N/A

The default value is ".*.*"

(All images will be scanned)

No

docker.excludes 

Comma, space or line-delimited list specifying which images to exclude in the scan.

Values provided should come from either of the following:

  • Repository (image name)

  • Tag

  • Image ID

N/A

N/A

The default value is ""

(No images will be excluded)

No

docker.pull.enable 

Whether to execute "pull" from all relevant registries.

Executes 'pull' from all relevant registries

Will not pull anything

False

No

docker.pull.images 

Pull Docker images that match the specified filter (string).

Can include regular expressions or a list of space-delimited values.

N/A

N/A

The default value is ""

(all images will be pulled)


No

docker.pull.maxImages 

Defines the maximum number of images to be pulled. When this number of pulled images is reached, no more images are pulled.

N/A

N/A

10

No

docker.pull.tags 

Pulls Docker images whose tags match the specified filter (string).

Can include regular expressions or a list of space-delimited values.

N/A

N/A

The default value is ""

(all images will be pulled)

No

docker.pull.digest 

Pull Docker images whose digests match the specified filter (string).

Can include regular expressions or a list of space-delimited values.

N/A

N/A

The default value is ""

(all images will be pulled)



No

docker.delete.force 

Enables WhiteSource to use Docker to delete images via the 'force' flag. This is required if the user pulled images that are related to other images, so in this case a regular delete may not work. 

NOTE: Use this parameter with caution.

WhiteSource uses Docker to delete images via the 'force' flag.

WhiteSource will not use Docker to delete images via the 'force' flag.

False

No

docker.login.sudo 

Whether the Unified Agent will run 'sudo docker login'.

The Unified Agent will run 'sudo docker login'.

The Unified Agent will not run 'sudo docker login'.

True

No

docker.projectNameFormat 

Determines the format of the Docker project name.

  • If the value is set to default, the project name created in WhiteSource comprises the Docker repository name, tag and ID, in the following format:

    <Image Name> <Image Tag> <Image ID>

  • If the value is set to repositoryNameAndTag, then the project name created in WhiteSource comprises the Docker repository name and tag, in the following format:

    <Image Name> <Image Tag>

  • If the value is set to repositoryName, the project name comprises only the Docker repository name:

    <Image Name>

N/A

N/A

"DEFAULT"

No

docker.aws.enable 

Enables pulling Docker Images from Amazon Elastic Container Registry (ECR).

NOTE: If set to True, the  'docker.scanImages' and 'docker.pull.enable' parameter values are also set to True.

Pulls Docker Images from Amazon Elastic Container Registry (ECR).

Will not pull Docker Images from Amazon Elastic Container Registry (ECR).

False

No

docker.aws.registryIds 

The Registry IDs list on Amazon Web Services (the AWS 12-digit account IDs that correspond to the Amazon ECR registries). The  list must include the following:

  • Full registry IDs and no GLOB patterns. 

  • At least one registry ID. Values are space-delimited.

NOTE: Required if docker.aws.enable=true.

N/A

N/A

No default

No

docker.azure.enable 

Enables pulling Docker Images from Azure Container registry. 

NOTE: If set to True, the  'docker.scanImages' and 'docker.pull.enable' parameter values must also be set to True.

Pulls Docker Images from Azure Container registry. 

Will not pull Docker Images from Azure Container registry. 

False

No

docker.azure.userName 

Username for Azure Container registry. 

NOTE: Required if docker.azure.enable is True.

N/A

N/A

No default

No

docker.azure.userPassword 

Password for Azure Container registry.

NOTE: Required if docker.azure.enable=true. However, it is not mandatory if you have already logged in manually to your Azure account via the Azure Client CLI.

N/A

N/A

No default

No

docker.azure.registryNames 

Docker registry names in Azure Container registry, space-delimited.

NOTE: Required if docker.azure.enable=true.

N/A

N/A

No default

No

docker.azure.authenticationType

Whether to use "containerRegistry" or "userAccount" as the authentication type.

The "userAccount" login method requires "docker.azure.userName" and "docker.azure.userPassword" to be set.

The "containerRegistry" login method logs in to each registry using the registry username and password provided in the configuration file in the docker.azure.registryAuthenticationParameters parameter.

N/A

N/A

userAccount

No

docker.azure.registryAuthenticationParameters

Registry authentication parameters should contain the username and password for each registry in the following format: <registryUsername>:<registryPassword>. If docker.azure.registryNames contains more than one registry, the username and password pairs should be provided separated by a space:

<registry1UserName>:<registry1Password> <registry2UserName>:<registry2Password>

N/A

N/A

No default

No

docker.artifactory.enable 

Enables pulling Docker Images from the Artifactory Pro Docker registry. 

NOTE: Verify that the  'docker.scanImages' and 'docker.pull.enable' parameter values are also set to True.

Pulls Docker Images from the Artifactory Pro Docker registry. 

Will not pull Docker Images from the Artifactory Pro Docker registry.

False

No

docker.artifactory.url 

Artifactory URL, including http:// or https:// and the context path (the Artifactory default contextPath is "/artifactory").

NOTE:

  • Required if docker.artifactory.enable=true.

  • Where read-only users are created via docker.artifactory.dockerAccessMethod, this must consist of http/s://<public server name>:<HTTP/S port>/<public context path>.

N/A

N/A

No default

No

docker.artifactory.pullUrl 

  • If 'docker.artifactory.pullUrl' is empty, the original behavior of 'docker.artifactory.url' is used.

  • If 'docker.artifactory.pullUrl' is not empty, it is used as the URL for the docker [login/pull] commands, while 'docker.artifactory.url' is used to run REST API commands for Artifactory.

N/A

N/A

No default

No

docker.artifactory.userName 

Username for Artifactory Pro Docker registry

NOTE: Required if docker.artifactory.enable=true.

N/A

N/A

No default

No

docker.artifactory.userPassword 

Password for Artifactory Pro Docker registry.

NOTE: Required if docker.artifactory.enable=true.

N/A

N/A

No default

No

docker.artifactory.repositoriesNames 

Repository names in Artifactory Pro Docker registry, space-delimited list.

NOTE: Required if docker.artifactory.enable=true.

N/A

N/A

No default

No

docker.artifactory.dockerAccessMethod 

Required when the user has read-only access.

Values are: repopath, subdomain, port.

In case customers use port method 'docker.artifactory.dockerAccessMethod=port', 'repository port' must be added to each repository in ‘docker.artifactory.repositoriesNames' in this format: <repositoryName>:<repositoryPort>

N/A

N/A

No default

No

docker.hub.enabled 

Enables pulling Docker Images from the Docker Hub registry. 

NOTE: Verify that the 'docker.scanImages' and 'docker.pull.enable' parameter values are also set to True.

Pulls Docker Images from the Docker Hub registry. 

Will not pull Docker Images from the Docker Hub registry. 

False

No

docker.hub.userName 

Username for Docker Hub registry.

NOTE: Required if docker.hub.enable=true

N/A

N/A

No default

No

docker.hub.userPassword 

Password for Docker Hub registry.

NOTE: Required if docker.hub.enable=true

N/A

N/A

No default

No

docker.hub.organizationsNames 

Space-delimited list of organizations under the user to be scanned.

NOTE: Required if docker.hub.enable=true.

N/A

N/A

No default

No

docker.scanTarFiles

Used when the user supplies the tar file of a Docker image.

The Unified Agent will scan the .tar file as a Docker image.

The Unified Agent will not scan the .tar file as a Docker image.

False

No

docker.gcr.repositories

A list of repositories, comma-delimited.
If empty, the Unified Agent will use the default repository.

Example value:
gcr.io/whitesource-main,gcr.io/whitesource-johnsmith

N/A

N/A

Empty

No

docker.gcr.enable

Enables pulling Docker Images from Google Container Registry with Docker.

NOTE: Verify that the  docker.scanImages and docker.pull.enable parameter values are also set to 'true'

Pulls Docker Images from Google Container Registry with Docker.

Will not pull Docker Images from Google Container Registry with Docker.

False

No

docker.gcr.account

Email of Google Container Registry account.

N/A

N/A

Empty

No

docker.layers

Enables users scanning Docker images to receive information regarding packages at layer granularity. The layer granularity can be viewed in the interface under the hierarchical display.

Provides package information at layer granularity. The scan will split the result into layers; each layer contains all packages/libraries and files found under the layer (in case a package was added at layer 2 and deleted from layer 3, it will not appear at all in the result, since it is not part of the final result).

Will not provide the aforementioned information.

False

No
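
The registry rules stated in the table above (full 12-digit AWS registry IDs with no GLOB patterns, one <user>:<password> pair per Azure registry when authenticationType is containerRegistry, and <repositoryName>:<repositoryPort> entries when the Artifactory access method is port) can be checked before a scan runs. The following is an added example, not WhiteSource code; the function names are hypothetical and the sample configuration, registry names and credentials are constructed placeholders.

```python
import re

# Constructed sample; registry names, IDs and credentials are placeholders.
SAMPLE = """\
docker.aws.enable=true
docker.aws.registryIds=123456789012 1234*
docker.azure.enable=true
docker.azure.authenticationType=containerRegistry
docker.azure.registryNames=registryone registrytwo
docker.azure.registryAuthenticationParameters=user1:EXAMPLE_PASSWORD
docker.artifactory.enable=true
docker.artifactory.dockerAccessMethod=port
docker.artifactory.repositoriesNames=docker-local:5001 docker-remote
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def enabled(props, key):
    return props.get(key, "false").lower() == "true"

def check_docker_config(props):
    """Return findings for the registry rules stated in the parameter table."""
    findings = []
    if enabled(props, "docker.aws.enable"):
        ids = props.get("docker.aws.registryIds", "").split()
        # At least one full 12-digit account ID; GLOB patterns are not accepted.
        bad = [i for i in ids if not re.fullmatch(r"\d{12}", i)]
        if not ids or bad:
            findings.append(f"docker.aws.registryIds: need full 12-digit IDs, rejected {bad}")
    if enabled(props, "docker.azure.enable"):
        names = props.get("docker.azure.registryNames", "").split()
        if props.get("docker.azure.authenticationType", "userAccount") == "containerRegistry":
            pairs = props.get("docker.azure.registryAuthenticationParameters", "").split()
            # One <user>:<password> pair per registry, space-separated.
            if len(pairs) != len(names) or any(":" not in p for p in pairs):
                findings.append("docker.azure.registryAuthenticationParameters: "
                                f"need {len(names)} user:password pairs, got {len(pairs)}")
        elif not props.get("docker.azure.userName"):
            findings.append("docker.azure.userName: required for userAccount")
    if enabled(props, "docker.artifactory.enable") and \
            props.get("docker.artifactory.dockerAccessMethod") == "port":
        repos = props.get("docker.artifactory.repositoriesNames", "").split()
        # With the port method every repository entry must carry its port.
        findings += [f"docker.artifactory.repositoriesNames: '{r}' lacks :<port>"
                     for r in repos if not re.fullmatch(r"[^:]+:\d+", r)]
    return findings
```

Calling check_docker_config(parse_properties(SAMPLE)) returns one finding for each of the three constructed mistakes in the sample.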

...

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

docker.scanContainers 

Scan all or specified containers. 
When set to True, only the Docker container scan and Linux packages scan will occur. A general scan using local resolvers (package managers) will only occur if the resolvers are installed and available locally. This will include the detection of Linux packages, and a general scan of the container file system for package-manager-based resolution and identification of source files/binaries.

Before starting a container scan, run the command "docker ps -a" to check for listed containers.
See here for more information on scanning Docker images.

Only the Docker container scan and Linux packages scan will occur.

Docker container scan will not take place.

False

No

docker.containerIncludes 

Comma, space or line-delimited list specifying which containers to include in the scan.

Values provided should come from any of the following:

  • Container ID

  • Container name

  • Image name

N/A

N/A

The default value is "*" (all containers will be scanned)

No

docker.containerExcludes 

Comma, space or line separated list specifying which containers to exclude in the scan.

Values provided should come from any of the following:

  • Container ID

  • Container name

  • Image name

N/A

N/A

The default value is "" (no container will be excluded)

No

...