Table of Contents |
---|
...
WhiteSource Advise supports JavaScript projects using npm (package.json dependency files) that include a package-lock.json file.
NOTE: Yarn projects are not supported.
Prerequisites
Ensure the following:
...
Start WebStorm.
From the menu bar, select File > Settings. The Settings screen is displayed.
From the left sidebar, click Plugins.
In the Search box, enter whitesource and then press Enter from your keyboard. The WhiteSource Advise plugin information is displayed.
Click Install and then click Restart IDE.
In the pop-up dialog box, click Restart.
Activating WhiteSource Advise
...
From the menu bar, select File > Settings. The Settings screen is displayed.
Select Tools > WhiteSource > Project Settings. The Project Settings screen is displayed.
In Scan Results Settings, review the options and modify if necessary. See here for a list of all options.
By default, all settings are inherited from the global-level configuration. To override the specific configuration on project level, clear the Inherit from global settings checkbox.
Click OK.
Options Table
Option | Description | Default Setting |
---|---|---|
Only show issues for direct dependencies | When enabled, WhiteSource Advise will only return vulnerabilities for direct dependencies defined in your dependency file. | Unselected (not checked) |
Minimum vulnerability severity level | Alert only on detected vulnerabilities satisfying a Low/Medium/High minimum severity level.
| Low |
Scanning a Project for Security Vulnerabilities
...
The developer focus mode will allow developers to see only vulnerability alerts that are new in their feature branches compared to a predefined base branch. This will promote the security shift left approach and will empower developers to fix newly introduced vulnerabilities immediately as part of their feature development efforts and prior to merging vulnerable code into production branches.
In order to enable focus modeTo enable the Focus Mode, do as follows:
In the WhiteSource Advise project-level configuration, enable the “Diff Diff operation to be performed on a base branch” branch checkbox.
Choose the base branch to which all other branch scans will be compared to.
Make sure your base branch is checked out and , then trigger a WhiteSource Advise scan either manually or by building your project.
...
Info |
---|
Every time the base branch configuration changes, a WhiteSource Advise scan must be triggered on that branch prior to seeing new security results. |
Vulnerable Commit Alert
An alert can be enabled to notify about newly added vulnerabilities when committing the code inside the WebStorm. This alert will appear only if the committed feature branches have new vulnerabilities compared to a preconfigured base branch.
To enable a Vulnerable Commit Alert, do as follows:
Enable the Focus Mode (enable the Diff operation, choose the base branch, and trigger a WhiteSource Advise scan).
Go to Setting > Version Control > Commit > Before Commit and make sure that Notify on new OS vulnerabilities is enabled.
In case the feature branch contains new vulnerabilities (that were not presented in the base branch), a pop up will suggest to review the found vulnerabilities or commit anyway.
Reviewing Scan Results
To review scan results, open one of the following windows:
...