Table of Contents |
---|
Overview
...
A valid license for WhiteSource for Developers
A license key for WhiteSource Advise for IDE, available via one of the following options:
If you do not have direct access to the WhiteSource Application, obtain the license key from your WhiteSource Administrator.
If you have access to the WhiteSource Application, do as follows (NOTE: This option is only available when using version 20.12.1 or later of WhiteSource Advise):
Go to the WhiteSource Application.
Open the Profile page.
In the WhiteSource Advise - IDE Integration section at the bottom, select your organization.
Copy your personal license key to be used later in Activating WhiteSource Advise.
PyCharm is installed and you are familiar with its basic functionality
Ensure the relevant package manager (Poetry/Pip/Pipenv) is installed depending on the project type.
Ensure the pipdeptree package version 0.12.0 or later is installed in your Python environment.
In case this package is missing, WhiteSource Advise will automatically try to install it before a triggered scan occurs and remove it after a triggered scan completes (thereby slowing down the scanning process).
If you have configured a proxy, you must allow access to the PyPi public repository. Alternatively, if you are using a private registry, you must add to it this package so that it can be successfully installed.
If you are using the Requirements or Toml plugin for PyCharm, ensure you perform one of the following before installing WhiteSource Advise.:
Uninstall the plugin(s) from PyCharm.
From the Project sidebar, right-click your project dependency file (requirements.txt, Pipfile, or pyproject.toml) and click Mark as Plain Text.
Supported Versions
The plugin supports the following PyCharm versions:
2020.3
2020.2
2020.1
2019.3
2019.2
2019.1
2018.3
Installing WhiteSource Advise
...
Start PyCharm.
From the menu bar, select File > Settings. The Settings screen is displayed.
From the left sidebar, click Plugins.
In the Search box, enter whitesource and then press Enter from your keyboard. The WhiteSource Advise plugin information is displayed.
Click Install and then click Restart IDE.
In the pop-up dialog box, click Restart.
Activating WhiteSource Advise
...
Start PyCharm, specifying the preferred project.
From the sidebar on the right, click WhiteSource (if you do not see the sidebar, select View >Tool Windows > WhiteSource). The Welcome screen is displayed.
In Email, enter your organizational email (the email domain must be licensed to use Advise).
In License Key, enter your license key (See here for more information on how to obtain a license key).
Click Connect.
...
Option | Description | Default Setting |
---|---|---|
Only show issues for direct dependencies | When enabled, WhiteSource Advise will only return vulnerabilities for direct dependencies defined in your dependency file. | Unselected (not checked) |
Minimum vulnerability severity level | Alert only on detected vulnerabilities satisfying a Low/Medium/High minimum severity level.
| Low |
Include dev dependencies | Whether to alert on vulnerabilities detected in dev dependencies. | Unselected (not checked) |
Diff operation to be performed on a base branch | Enables developer focus mode functionality.
| Unselected (not checked) |
Scanning a Project for Security Vulnerabilities
...
From the menu bar, select Tools > WhiteSource Advise
From the top toolbar, click the WhiteSource icon
Do as follows:
From the sidebar on the right, click WhiteSource.
From the top, click Advise.
Click Run WhiteSource Advise.
Developer Focus Mode
The developer focus mode will allow developers to see only vulnerability alerts that are new in their feature branches compared to a predefined base branch. This will promote the security shift left approach and will empower developers to fix newly introduced vulnerabilities immediately as part of their feature development efforts and prior to merging vulnerable code into production branches.
In order to enable focus mode:
In the WhiteSource Advise project-level configuration enable the “Diff operation to be performed on a base branch” checkbox.
Choose the base branch to which all other branch scans will be compared to
Make sure your base branch is checked out and trigger a WhiteSource Advise
.
...
scan either manually or by building your project.
In case there was no scan on the predefined base branch after its initial configuration, all branches will show all the scan results, not just the newly created security alerts.
Info |
---|
Every time the base branch configuration changes, a WhiteSource Advise scan must be triggered on that branch prior to seeing new security results. |
Reviewing Scan Results
To review scan results, open one of the following windows:
...
The About screen displays information about the Advise plugin's version, general information on your IDE, along with links for Privacy policy and Terms and Conditions.
Generating Debug Logs for WhiteSource Support
To generate debug logs, do as follows:
From the menubar, click Help. A menu is displayed.
Select Diagnostic Tools > Debug Log Settings. The Custom Debug Log Configuration dialog box is displayed.
Enter this text: #org.whitesource.intellij.plugin
Click OK.
Debug logs will now be generated for the integration.
Upgrading WhiteSource Advise
...