Overview
...
WhiteSource Remediate is part of WhiteSource for Developers and integrated with WhiteSource for GitHub.com, WhiteSource for GitHub Enterprise, WhiteSource for Bitbucket Server, and WhiteSource for GitLab. In addition, Remediate is integrated with WhiteSource Renovate (see below for details). Renovate enables you to save time and reduce risk by automating dependency updates in software projects.
WhiteSource Remediate provides the following capabilities:
...
Supported Package Managers
Package Manager | Language | Extra Details |
---|---|---|
Maven | Java | N/A |
Gradle | Java | N/A |
Go Modules | Golang | Remediate updates both the go.mod and go.sum files, as well as any vendored files found within a vendor/ directory. |
npm/Yarn | JavaScript | WhiteSource Remediate always updates both the package file (e.g. package.json) and any lock file (e.g. yarn.lock) in the same commit/fix Pull Request. If a developer subsequently updates either file on the default branch, causing a git conflict with any of Remediate's Pull Requests, then Remediate will update the fix Pull Request to resolve all conflicts while still remediating the vulnerability. |
NuGet | .NET | Only SDK-style projects are supported. To convert your .NET Framework .csproj into an SDK-style project, follow this guide. |
pip | Python | N/A |
pipenv | Python | N/A |
poetry | Python | N/A |
setuptools | Python | N/A |
Composer | PHP | N/A |
NOTE: In WhiteSource for GitLab, mirrored repositories are not supported.
...
- From the WhiteSource web application, click the Integrate tab.
- Expand the WhiteSource for Developers option.
- From within the relevant repo integration settings, click Manage Workflow Rules. The Workflow Rules page is displayed.
- Click Add Rule. The Add Rule dialog box is displayed.
- Select a Product and/or Project scope from the Scope area or leave at the default (applies to all of your WhiteSource Products and Projects).
- Select a rule type from the Type dropdown menu.
- Click OK to create the rule.
Once you set up a Workflow Rule, WhiteSource Remediate will start monitoring your selected repositories for vulnerable dependencies and generate corresponding fix Pull Requests.
Configuration of github.com credentials
...
WhiteSource cannot provide customers with a token for accessing github.com as that would go against that platform’s Terms of Service.
Providing the Integration Activation Key
WhiteSource Remediate can be configured to work with the integration activation key using either the prop.json configuration file or using environment variables.
NOTE: The environment variable takes precedence over an activation key value specified inside a prop.json file.
Providing the Integration Activation Key in prop.json
You can provide the integration's activation key to the Remediate container using a prop.json file.
Providing the Integration Activation Key using environment variables
You can provide the integration activation key by using the W4D_BOLT_OP_ACTIVATION_KEY environment variable inside the Remediate container.
Proxy Support
WhiteSource Remediate can be configured to work with proxy servers using either the prop.json configuration file or using environment variables.
Proxy
...
Configuration in prop.json
When configuring proxies using prop.json, the "no proxy" list will be automatically configured to match the VCS endpoint in use (i.e. the GitHub, GitLab or Bitbucket Server endpoint). Internally, Remediate will convert these to HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables and pass them to child processes such as npm and composer.
Proxy
...
Configuration Using Environment Variables
WhiteSource Remediate also supports the industry convention of HTTP_PROXY, HTTPS_PROXY and NO_PROXY. This provides more flexibility if you also need to add any internal/private registries to the no proxy list, so it is the recommended configuration approach. Such variables will be passed transparently to child processes.
Integration with WhiteSource Renovate
WhiteSource Renovate functionality can be enabled in WhiteSource Remediate.
With Renovate functionality enabled, Remediate will raise PRs/MRs not only for vulnerable dependencies but also for outdated dependencies.
Renovate is designed for users who aim to keep their dependencies up-to-date, primarily for the reasons of:
...