Overview
WhiteSource Diffend allows you to manage the risks that come with using open-source third-party dependencies. It is a platform that provides security scanning for malware detection and a risk management solution for your dependencies. It detects and blocks malicious dependency updates.
Diffend acts as a shield between you and the wild world of open-source libraries, allowing you to define policies around the usage of libraries and their versions. Under the hood, WhiteSource runs extensive security checks to find potential vulnerabilities and exploits in both Ruby gems and NPM packages.
When you run your package manager commands with the plugin, all of this knowledge, policies and research are combined into one easy-to-understand verdict that you or your security team can use to control and mitigate potential problems before they hit production. The Diffend heuristics learn with each package release, and whenever anything is discovered that could pose a threat to your organization, WhiteSource will notify you about it.
Info: WhiteSource Diffend supports Ruby (Bundler) and JavaScript (Yarn, npm, pnpm).
Configuring a New Project
Prerequisites: Register the account.
We understand that not everyone feels comfortable executing remote scripts. That is why there are two ways of setting up WhiteSource Diffend, and you can choose the one that suits you better.
The end result is exactly the same, since the script only automates the creation of the configuration files.
...
1. Navigate to your organization's projects list.
2. Click the Setup button.
3. In the setup view, navigate to the By applying changes manually section.
4. To set up WhiteSource Diffend, create a .diffend.yml file in the main directory of the project and copy-paste the configuration settings from the UI.
5. Follow the remaining instructions specific to the package manager you are using.
Bundler setup
Add our Bundler plugin and our gem right after the source section of your Gemfile. Run bundle install and you are ready to go!
npm setup
Install our Diffend package:
    npm install -g https://my.diffend.io/releases/npm/stable.tgz
Prefix all calls to npm with diffend:
    diffend npm install
    diffend npm i debug
You can also alias all the npm commands in your shell by putting the presented code in an appropriate file (~/.bash_aliases, ~/.bashrc, ~/.zshrc, ~/.config/fish/config.fish):
    alias npm='diffend npm'
...
Run npm install and that is all.
Yarn 1 setup
Add our Yarn 1 plugin to the .yarn directory of your project and point Yarn at it in your .yarnrc file by running the following commands:
    mkdir -p .yarn/releases
    wget https://my.diffend.io/releases/yarn/1/stable.js -O .yarn/releases/diffend-stable.js
    echo 'yarn-path ".yarn/releases/diffend-stable.js"' >> .yarnrc
Run yarn install and you are ready to go!
Info: Setting up an account using the UI does not require a big effort.
With our setup script (Ruby only)
This script will add a .diffend.yml configuration file and will add our plugin to your Gemfile.
1. Navigate to your organization's projects list.
2. Click the Setup button.
3. In the setup view, navigate to the With our setup script (Ruby only) section.
4. Copy the displayed command into your shell and press Enter.
...
None of the changes we make will be committed, so you can review them before you add anything to your project.
Info: Feel free to open the script URL and review all of its content before deciding on running it.
...
Yarn 2 setup
Add our Yarn 2 plugin into your project by running the following command:
    yarn plugin import https://my.diffend.io/releases/yarn/2/stable.js
Run yarn install and you are ready to go!
Running Diffend Checks
The WhiteSource Diffend plugin runs automatically when the following commands are executed:
bundle install
bundle exec (for environments other than test and development)
bundle secure (introduced by the Ruby plugin)
yarn install (yarn1 and yarn2+)
yarn upgrade (yarn1)
yarn remove (yarn1, yarn2+)
yarn check (yarn1)
yarn add (yarn1, yarn2+)
yarn up (yarn2+)
npm install
npm update
npm uninstall
pnpm install
pnpm remove
pnpm add
pnpm update
Whenever you run any of those commands, WhiteSource Diffend will make sure that the packages you are trying to download or use are safe and that they meet all the requirements of your organization. This process is fully automatic and you do not have to do anything.
...
Info: WhiteSource Diffend works automatically each time you run bundle commands.
Reviewing and Understanding the Security Verdicts
Security verdicts are an essential part of WhiteSource Diffend. They ensure that all of your organization's requirements are met in the context of each bundle operation. That way, Diffend can prevent the usage of packages and package versions that could cause engineering and legal harm.
...
Info: You should review any non-allow verdicts that we tell you about.
Setting up a maximum verdict for particular commands
When using WhiteSource Diffend in a legacy system, you may notice that getting things to a stable and secure state may take a while.
...
Info: You can use our Quality Score to keep track of the improvement of your dependencies setup.
Understanding Quality Score
The Quality Score is a numeric value between 0 and 100 that provides a quick overview of the state of your Gemfile. The score is a composite of the sub-scores from each of the Guards. By looking at it, you can see the trend in which your project is going, which provides a convenient way to monitor changes so you can take action whenever you see quality degradation.
...
Info: You can use the Quality Score to keep track of the improvements of your Gemfile.
Re-running checks from the UI
When you apply changes to your configuration, you may want to check how they affect the bundling process you were running. You can either run the command you are interested in again to see a new verdict, or you can re-run the checks directly from the UI by clicking the Re-run checks button.
...
Info: Re-running checks is the easiest way to see how your changes will affect execution of the given command.
Continuous Integration and Delivery environment setup
WhiteSource Diffend protects every crucial bundle command out of the box, but you can still easily set it up as a separate step within your Continuous Integration and Delivery system.
...
To set it up, please follow the instructions for the appropriate CI/CD system.
Github Actions
...
CircleCI
...
Other
If you are using a different CI system, the setup should be similar. Please contact us if you have examples of other CI systems.
Deployment and production environment setup
WhiteSource Diffend requires minimal effort to make it work with the majority of the ways you can deploy your applications. If there are no hints below for your way of deploying, all you need to do is:
...
Remember to set DIFFEND_ENV to match your environment.
...
Capistrano
Please make sure to always run bundle install instead of bundle check. To do so, put the following code in your deploy.rb file:
...
Info: The changes you need to make come from limitations of the Bundler plugin system.
Docker
Please make sure that the .diffend.yml file is included in the image before you run any bundle commands during the container build process.
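As an added illustration (not taken from the WhiteSource Diffend documentation), a minimal Dockerfile for a Ruby application that satisfies this requirement: .diffend.yml is copied into the image together with the Gemfile and lockfile before bundle install runs, so the Bundler plugin finds its configuration during the build. The base image, the /app working directory, the production value for DIFFEND_ENV and the final CMD are assumptions.

```dockerfile
# Added example, not part of the WhiteSource Diffend documentation.
# Assumptions: a Ruby 3.2 base image, the app lives in /app,
# DIFFEND_ENV=production and a generic "bundle exec" start command.
FROM ruby:3.2

WORKDIR /app

# Copy the Diffend configuration together with the Gemfile and lockfile so
# it is present before any bundle command runs. If .diffend.yml were only
# copied with the rest of the sources further down, bundle install below
# would execute without the plugin configuration.
COPY Gemfile Gemfile.lock .diffend.yml ./

# DIFFEND_ENV must match the environment the image is built for (assumed
# value); set it before bundle install so the check applies the right policy.
ENV DIFFEND_ENV=production

# Protected by the Diffend Bundler plugin configured in .diffend.yml.
RUN bundle install

# The remaining application sources are added after the dependencies, which
# also keeps the dependency layer cacheable.
COPY . .

CMD ["bundle", "exec", "rackup"]
```

Check that your .dockerignore does not exclude .diffend.yml; otherwise the explicit COPY step cannot find the file and the build fails.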
...
Heroku
When using Heroku, please make sure that the .diffend.yml file is included before you run any bundle commands during the container build process.
...
Info: Heroku Buildpack for Ruby requires you to set the three environment variables mentioned above.
Notifications
The Diffend monitor gem keeps track of the state of your deployment environments automatically.
...
Info: Notifications are a great way to make sure that your team becomes aware of emerging vulnerabilities the moment they are detected.
Connecting WhiteSource Diffend to Slack
1. Navigate to the Notifications settings page of your organization.
2. Press the here link visible in the information box. You will be redirected to the Slack platform settings page.
3. Select a channel where you want WhiteSource Diffend to post security notifications and press the Allow button.
4. You will be redirected back to the WhiteSource Diffend notification settings page and a Slack welcome message will be sent to your workspace channel.
Notification events
WhiteSource Diffend sends messages based on events that occur while protecting your applications. Below you can find a list of the events that trigger notifications, together with short descriptions and other useful details.
Event name | Event type | Command | Environment | Description |
---|---|---|---|---|
New bundle state detected | Information | | Other than | WhiteSource Diffend emits a message based on this event whenever you deploy changes to your . Awareness of newly updated libraries being deployed can help you debug when your new code presents unexpected behaviors. |
New verdict detected | Warning | | Other than | WhiteSource Diffend emits a message based on this event whenever the verdict associated with your deployment has changed. |
Bundle secure execution alert | Warning | | Any | WhiteSource Diffend emits a message based on this event whenever there is anything in your |
Uninstalling
While we are sorry to see you go, we won't make things hard for you. We just kindly ask you to provide us with any feedback you might have on your reasons.
Removing Bundler plugin and gem
Due to some Bundler limitations, you will have to re-bundle your project after removing the appropriate files. Just run the code below inside your project's main directory.
...
Removing Yarn 2 plugin
Due to some Yarn 2 limitations, you will have to re-run the install command after removing the appropriate files. Just run the code below inside your project's main directory.
...
Questions and answers
Can the .diffend.yml file be committed into our repository version control system?
...
Is it safe to have diffend-monitor running in a production environment?
Yes. diffend-monitor never executes any code in response to our platform replies. It does not rely on the response content for its operation. Its primary purpose is to ping our servers periodically, so we know that the given process is running. We need this information for our real-time monitoring services.
The Bundler plugin is not working as expected. What should I do?
...