...
It facilitates workflows by making critical component vulnerability information available to the software developer from within the code editor, preventing the need to use a separate application for such purpose.
It offers a transparent UX for developers, by seamlessly integrating with the code editor. It highlights open source components found to have reported security vulnerabilities (CVEs), displays information on such vulnerabilities, and offers recommendations for fixing them.
Support for Languages, Package Managers and
...
Proxy
WhiteSource Advise supports NPM and C#-based (SDK and non SDK-style) projects.
...
In certain circumstances where multiple scanned projects have the same vulnerable transitive dependency but each project containing a different versions of the dependency, WhiteSource will provide security results for only one of the dependency versions.
For C# Projects: The intermediate output path (the default is "obj" folder) of a C# project must be located directly inside the project's folder.
Using VS Code behind an authenticated HTTP proxy where credentials are not set as part of the proxy URL is not supported
Prerequisites
Ensure the following:
...
Ensure that you have completed all previous procedures on this page.
Start the editor.
Open View > Command Palette.
In the Command Palette, enter whitesource.
From the suggestion list, select WhiteSource: Activate WhiteSource Advise. The Activate WhiteSource Advise wizard begins.
Enter your organizational email (the email domain must be licensed to use Advise), and click Enter.
Enter your license key (see here for more information on how to obtain a license key), and click Enter.
In the WhiteSource Advise was successfully activatednotification, if you want the extension to remember the license key, click Yes.
Scanning for Security Vulnerabilities
There are two ways to scan for security vulnerabilities, scan your entire workspace or scan one or multiple folders within the workspace.
Enabling Scanning of devDependencies
Configuring WhiteSource Advise
Info |
---|
Changes made to the WhiteSource settings will only apply after running the next scan. |
If you want to enable the scanning of devDependenciesTo configure WhiteSource Advise, do as follows:
From the sidebar on the left, select Extensions. The Extensions panel is displayed.
In the search bar on top, enter whitesource and press Enter. The WhiteSource Advise “widget” is displayed in the panel.
Click the Manage icon.
In the popup that opens, click Extension Settings.
Select the Include Dev Dependencies checkbox.
Displaying Issues for Direct Dependencies Only
Info |
---|
Changes made to the WhiteSource settings will only apply after running the next scan. |
This setting, when enabled, will only display direct dependency vulnerabilities. Do as follows:
From the sidebar on the left, select Extensions. The Extensions panel is displayed.
In the search bar on top, enter whitesource and press Enter. The WhiteSource Advise “widget” is displayed in the panel.
Click the Manage icon.
In the popup that opens, click Extension Settings.
Select the In the WhiteSource screen, review the options and modify if necessary. See here for a list of all options.
Options Table
Option | Description | Default Setting |
---|---|---|
Enable automatic scanning in Workspace | When enabled, WhiteSource Advise will automatically scan after activating the extension or after changes are applied to any of your Workspace folders. | Selected (checked) |
Include dev dependencies | When enabled, WhiteSource Advise will include dev dependencies in a scan. | Unselected (not checked) |
Only show issues for direct dependencies |
...
Automatically Scanning for Security Vulnerabilities
Once you have activated WhiteSource Advise, it automatically scans WhiteSource-supported projects in your entire workspace for open source security vulnerabilities whenever such projects are built.
If you do not want WhiteSource Advise to automatically scan your WhiteSource-supported projects, you can disable this functionality. Do as follows:
From the sidebar on the left, select Extensions. The Extensions panel is displayed.
In the search bar on top, enter whitesource and press Enter. The WhiteSource Advise “widget” is displayed in the panel.
Click the Manage icon.
In the popup that opens, click Extension Settings.
Clear the Enable Automatic Scanning in Workspace checkbox. WhiteSource Advise will no longer automatically scan your workspace projects for vulnerabilities.
...
When enabled, WhiteSource Advise will only return vulnerabilities for direct dependencies defined in your dependency file. | Unselected (not checked) | |
Minimum vulnerability severity level | Alert only on detected vulnerabilities satisfying a Low/Medium/High minimum severity level.
| Low |
Scanning for Security Vulnerabilities
There are two ways to scan for security vulnerabilities - scan your entire workspace, or scan one or multiple folders within the workspace.
Info |
---|
Ensure your projects are built before you scan their associated folders with WhiteSource Advise. |
Scanning a Workspace
To scan a workspace, do any of the following:
From the menu bar, Open View > Command Palette,enter whitesource, and from the suggestion list, select WhiteSource: Scan Workspace with WhiteSource Advise.
From your keyboard, press Ctrl + Shift + Q
Scanning Folders Within a Workspace
To scan one or multiple folders within the workspace, do as follows:
...