Versions Compared

Old Version 41

changes.mady.by.user Tsur Rothfeld

Saved on

compared with

New Version 42

changes.mady.by.user Michelle Friedman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

  • A valid license for WhiteSource for Developers

  • A license key for WhiteSource Advise for IDE, available via one of the following options:

    • If you do not have direct access to the WhiteSource Application, obtain the license key from your WhiteSource Administrator.

    • If you have access to the WhiteSource Application, do as follows (NOTE: This option is only available when using version 20.12.1 or later of WhiteSource Advise):

      1. Go to the WhiteSource Application.

      2. Open the Profile page.

      3. In the WhiteSource Advise - IDE Integration section at the bottom, select your organization.

      4. Copy your personal license key to be used later in Activating WhiteSource Advise.

  • PyCharm is installed and you are familiar with its basic functionality

  • Ensure the relevant package manager (Poetry/Pip/Pipenv) is installed depending on the project type. 

  • Ensure the pipdeptree package  package version 0.12.0 or later is installed in your Python environment.

    • In case this package is missing, WhiteSource Advise will automatically try to install it before a triggered scan occurs and remove it after a triggered scan completes (thereby slowing down the scanning process).

    • If you have configured a proxy, you must allow access to the PyPi public repository. Alternatively, if you are using a private registry, you must add to it this package so that it can be successfully installed.

  • If you are using the Requirements or Toml plugin for PyCharm, ensure you perform one of the following before installing WhiteSource Advise.:

    • Uninstall the plugin(s) from PyCharm. 

    • From the Project sidebar, right-click your project dependency file (requirements.txt, Pipfile, or pyproject.toml) and click Mark as Plain Text.

...

  1. Start PyCharm.

  2. From the menu bar, select File > Settings. The Settings screen is displayed.

  3. From the left sidebar, click Plugins.

  4. In the Search box, enter whitesource and then press Enter from your keyboard. The WhiteSource Advise plugin information is displayed.

  5. Click Install and then click Restart IDE.

  6. In the pop-up dialog box, click Restart.

Activating WhiteSource Advise

...

  1. From the menu bar, select File > Settings. The Settings screen is displayed.

  2. Select Tools > WhiteSource > Project Settings. The Project Settings screen is displayed.

  3. In Scan Results Settings, review the options and modify if necessary. See here for a list of all options.

  4. By default, all settings are inherited from the global-level configuration. To override the specific configuration on project level, clear the Inherit from global settings checkbox.

  5. Click OK.

Options Table

Option

Description

Default Setting

Only show issues for direct dependencies

When enabled, WhiteSource Advise will only return vulnerabilities for direct dependencies defined in your dependency file.

Unselected (not checked)

Minimum vulnerability severity level

Alert only on detected vulnerabilities satisfying a Low/Medium/High minimum severity level.

  • Low - Vulnerability alerts for all severities (Low, Medium, High) are displayed.

  • Medium- Vulnerability alerts only for Medium or High severities are displayed.

  • High - Vulnerability alerts only for High severities are displayed.

Low

Include dev dependencies

Whether to alert on vulnerabilities detected in dev dependencies.

Unselected (not checked)

Diff operation to be performed on a base branch

Enables developer focus mode functionality. 

  • The dropdown will include all locally available git branches for this project. 

  • It will allow to choose the base branch which will be the base for comparing security alerts from feature branches. 

Unselected (not checked)

Scanning a Project for Security Vulnerabilities

...

Developer Focus Mode

The developer focus mode will allow Focus Mode allows developers to see only vulnerability alerts that are new in their feature branches compared to a predefined base branch. This will promote promotes the security shift left approach and will empower empowers developers to fix newly introduced vulnerabilities immediately, as part of their feature development efforts and prior to merging vulnerable code into production branches.

In order to enable focus modeTo enable Focus Mode, do as follows:

  • In the WhiteSource Advise project-level configuration enable the “Diff Diff operation to be performed on a base branch” branch checkbox.

  • Choose the base branch to which all other branch scans will be compared to.

  • Make sure your base branch is checked out and trigger a WhiteSource Advise scan either manually or by building your project.

...

Info

Every time the base branch configuration changes, a WhiteSource Advise scan must be triggered on that branch prior to seeing new security results.   

Vulnerable Commit Alert

An alert can be enabled to notify about newly added vulnerabilities when committing the code inside the PyCharm. This alert will appear only if the committed feature branches have new vulnerabilities compared to a preconfigured base branch.

To enable a Vulnerable Commit Alert, do as follows:

  • Enable the Focus Mode (enable the Diff operation, choose the base branch, and trigger a WhiteSource Advise scan).

  • Go to Setting > Version Control > Commit > Before Commit and make sure that Notify on new OS vulnerabilities is enabled.

In case the feature branch contains new vulnerabilities (that were not presented in the base branch), a pop up will suggest reviewing the found vulnerabilities or commit anyway.

Reviewing Scan Results

To review scan results, open one of the following windows:

...