Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Release notes are subject to change until the actual release date.

  • This page is "dynamic" and is subject to change between official releases. WhiteSource reserves the right to modify this page retroactively. Please check this page periodically between official releases to ensure you are up-to-date with all hotfixes, changes and additions to WhiteSource's products.

...

Version 21.4.2 (9-May-2021)

New Features and Updates

Unified Agent

  • NPM and Yarn configuration are now optimized by automatically executing the relevant pre-step (npm install or yarn install) based on the lock file detected (yarn.lock or package-lock.json) when npm.runPreStep = true.

  • Beginning in this version, nuget.runPreStep and nuget.restoreDependencies will be combined. This works the following way: if nuget.runPreStep = true, then dotnet restore will be performed on found .csproj files. As a result of this merge, nuget.restoreDependencies will be deprecated.

Notices

The TeamCity plugin will reach its End Of Life starting November 1, 2021. After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until May 1, 2022. Following this date, the TeamCity plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on November 1, 2021 to maintain full support of your product.

Documentation

  • The following pages were deprecated:

    • Requesting an Arbitrary File 

    • GitHub Related Topics

    • The License Identification page -  its content was merged with Changing a Library’s License

    • TheLicense Analysis page - its content was merged with Understanding Risk Score Attribution

  • The Policies API page has been deprecated, and a new and updated Policies API page has replaced it.

Version 21.4.1 (25-April-2021)

New Features and Updates

Unified Agent

  • The Unified Agent now supports Apache Ivy as part of the Ant dependencies detection.

...

  • Users encountered errors logging in to WhiteSource.

  • Project name or project token were mandatory parameters for Docker scanning unnecessarily.

  • Users were unable to delete roles when there were no roles remaining.

  • When the Inventory Report was exported to MS Excel, there was extra whitespace between the project name and the Direct Dependency.

  • When password complexity validation was enabled, users were unable to reset their passwords.

  • NPM/Yarn downloaded artifacts were not always removed at the end of the Unified Agent scan.

  • In the Unified Agent, a null pointer exception occurred when scanning ANT-based projects with an empty zip file.

Documentation

  • New and updated WhiteSource Prioritization documentation has been released. See here.

  • The R Integration page was deprecated and its content was moved to the Unified Agent Configuration Parameters page.

  • In the next version, the following pages will be deprecated:

    • Requesting an Arbitrary File

    • GitHub Related Topics

    • The License Identification page - its content will be merged with Changing a Library’s License

    • The License Analysis page - its content will be merged with Understanding Risk Score Attribution

    • The New Versions Alerts page - its content will be merged with the Project Page

...

Version 21.3.2 (11-April-2021)

New Features and Updates

Web UI

  • Customers can now configure SAML integration for multiple global organizations with the same Identity Provider (IDP).

  • Product and Library Priority Scoring Reports: New reports provide information on the priority of a library or product, taking different threat and impact factors into account. See here for details.

  • Starting this version, SmartMatch is the default algorithm used for source files matching when a new WhiteSource Organization is created.

  • The name of the Sun license was changed to Sun Public License.

Unified Agent

Major improvements to the Go Modules dependencies detection have been introduced with the addition of a new optimized resolver for Modules, controlled by a separate set of parameters. Two separate settings are now supported: new parameters for controlling the new Modules resolution and the existing Go parameters for controlling Modules and the other Go package managers. The new Modules resolver detects only the actively-used dependencies and includes the following new parameters:

...

  • Archive extraction of the Zstandard format RPM file failed.

  • A problem with missing shields occurred during Prioritize scans with NPM due to incorrect handling of duplicate dependencies.

  • Some Unified Agent's log messages were not taken into account when setting the logLevel parameter.

  • Running the Generating the Due Diligence Report resulted in a blank report.

  • When Jira Server was connected to PostgreSQL, an exception occurred in Jira Plugin when trying to add a new row to the table.

Notices

The following is planned for the next Unified Agent releases:

...

Version 21.3.1 (4-April-2021)

New Features and Updates

Azure DevOps Services Integration:

...

  • Using the Unified Agent’s Archive Extractor when trying to scan the root of the operating system resulted in a null pointer exception.

  • In AVM, a timeout occurred when fetching vulnerabilities information from Fortify.

Documentation

  • The NuGet Plugin page was deprecated.

  • In the next version, 21.3.2, the following changes will be implemented:

    • The Deprecated Features topic will be deprecated and the content will move to the Noticespage

    • The High Severity Bugs Report topic will be deprecated

    • The File Systemtopic will be deprecated

  • Additional modifications will be implemented to the opening documentation sections, beginning with the login/homepage documentation. 

Notices

In the next Unified Agent release, major improvements to the Go Modules dependencies detection will be introduced with the addition of a new optimized resolver for Modules, controlled by a separate set of parameters. After this change, two separate settings will be supported: new parameters for controlling the new Modules resolution and the existing Go parameters for controlling Modules and the other Go package managers. The new Modules resolver will detect only the actively used dependencies and will enable controlling whether to include test dependencies and duplicate dependencies. 

Version 21.2.2 (14-March-2021)

New Features and Updates

Unified Agent

  • This version introduces support for NPM 7.

  • A new parameter, fileSystemScan, replaces the soon-to-be-deprecated ignoreSourceFiles.

...

  • In some cases, information regarding source libraries was not displayed correctly; for example, empty projects were still displayed in some source libraries, or some source libraries appeared as empty.

  • Running the gcloud auth command failed during Docker scan on Mac computers.

  • Users with different roles than admins or alert ignorers were able to ignore alerts in VBA mode.

  • Exceptions occurred when trying to assign licenses as part of update policy alerts.

  • In the Unified Agent, when scanning NPM, NPM dependencies were not resolved when package.json did not contain name/version attributes.

  • When downloading a missing jar file, the Unified Agent incorrectly generated success messages.

  • Added indication for missing copyright references in the Attribution report summary.

  • When excluding inner modules (projects) in Gradle, the scan would return the wrong dependencies tree.

  • Azure DevOps Services Integration: In some cases, adding npm.resolveMainPackageJsonOnly=true to the WhiteSource Configuration task parameter led to a scan failing.

Documentation

Beginning in this version the following page was archived and is therefore no longer in use.

...

Version 21.2.1 (28-February-2021)

New Features and Updates

Unified Agent

  • Scala dependencies detection was improved, by supporting the sbt-dependency-graph plugin when applicable.

...

  • WhiteSource is launching a Beta release of a new generic platform for issue tracker integrations and a plugin for Jira Server. The new platform will provide the ability to integrate with issue tracking systems, in order to automatically create issues when a policy match occurs. The Jira Server Plugin is the first integration developed using the new platform and more out-of-the-box plugins are planned to be released.

Documentation

The following topic has been deprecated:

...

  • Azure DevOps Services Integration: Running a pipeline build from a self-hosted agent resulted in a WhiteSource-generated .encrypted file not being deleted at the end of each WhiteSource build task run.
    NOTE: Self-hosted agent builds triggered before 14 February may still contain traces of WhiteSource-generated .encrypted files. These files must be manually removed from the self-hosted agent work folder.

  • On rare occasions, library alerts were not created after the vulnerability sync.

  • Duplicate hashed source files caused the second one to be considered as unmatched.

  • In Linux, Python scans failed due to a missing space in the execution of one of the commands used for resolution.

  • In the Unified Agent, there were exceptions when parsing specific pipfile formats.

Documentation

The following topics have been deprecated and all their content has been merged into the Unified Agent documentation:

...

Version 21.1.1 (31-January-2021)

New Features and Updates

Web UI

  • Beginning in this version, the Auditor role for service users can be assigned to users from the UI.

...

  • Several issues have been resolved regarding Docker Layers:

    • Layers with the same SHA1 were represented as one resource.

    • Layers with a SHA1 already created as “unknown” from previous scans were recognized as that resource, and therefore the display name did not reflect the layer

    • Layers with SHA1 were unnecessarily looked up in the index 

  • Discrepancies were found between the Alerts Widget and the Library Page.

  • Vulnerability-based alerting: In the 'Vulnerable Libraries' section on the 'Security Vulnerability' page, the libraries were not filtered by the specific CVE. As a result, the CVEs were ignored and the filter returned all the vulnerable libraries in the organization.

Notices

  • In the Unified Agent’s upcoming releases, major improvements to the Go Modules’ dependencies detection will be introduced. A new optimized resolver for Go Modules, controlled by a separate set of parameters will become active, paving the way for more specific control over Go resolution.

Version 20.12.3 (17-January-2021)

New Features and Updates

  • The Unified Agent now supports scanning Google Distroless images.

  • The optimized NPM resolution method, controlled by the npm.resolveLockFile flag, is now the default dependency detection for NPM.

...

Version 20.12.2 (3-January-2021)

New Features and Updates

Web UI

Unified Agent

  • A new parameter, python.includePipenvDevDependencies, has been added to provide the ability to manage the dev dependencies. The default value is true.

...

Version 20.12.1 (20-December-2020)

New Features and Updates

Web UI

  • Resetting forgotten passwords is now validated with a CAPTCHA test.

  • A disclaimer has been added to the Library Details page for temporary matches on Go dependencies.

...

Version 20.11.2 (6-December-2020)

New Features and Updates

Web UI

  • The Product Page and the Project Page now feature filtering and improved pagination in the Libraries panel, thereby improving performance and user experience for projects with over 1000 libraries.

...

Version 20.11.1 (22-November-2020)

New Features and Updates

Unified Agent

  • The maximal extraction depth, configured in archiveExtractionDepth, has been increased to 10.

...

Version 20.10.2 (8-November-2020)

New Features and Updates

Prioritize

  • Added support for C# in Prioritize.

  • Added Fast Scan Analysis mode for Java in Prioritize.

...

  • Added a WhiteSource Support Token to the WhiteSource task logs. 

Documentation Updates

Unified Agent

A modified Unified Agent documentation repository has been launched, with the intent to increase usability, update existing content, fill in missing gaps, and create a linear flow.

...

Version 20.10.1 (25-October-2020)

New Features and Updates

WhiteSource Core

  • In order to comply with industry standards, WhiteSource has decided to remove the option of searching a library via drag and drop. Library searching can now only be done by entering the library’s name (added November 1, 2020).

...

  • Added the ability to specify custom Unified Agent Configuration parameters to be used by a particular pipeline build. For this, a new field, WhiteSource Configuration, was added to the WhiteSource task. For more information, see here.

Documentation Updates

Unified Agent

Beginning in version 20.10.2 (approximate release - November 8), a modified Unified Agent documentation repository will be launched, with the intent to increase usability, update existing content, fill in missing gaps, and create a linear flow.

...

Version 20.9.2.1 (15-October-2020)

Unified Agent

  • The default NPM dependency detection method was changed to running the "npm ls" command due to an anomaly observed in the Unified Agent requests size using the new optimized NPM resolution method.

...

Version 20.9.1 (4-October-2020)

New Features and Updates

WhiteSource Core

  • Currently, when accessing the Custom Attributes report, the report’s data is fetched automatically. This can be time-consuming if the organization has many libraries and many custom attributes defined. Beginning in this version, an Apply button has been added, enabling users to query the data on demand only.

Unified Agent

  • Beginning in this version, the strict requirement of running the Unified Agent with the configuration file has been removed. If the mandatory parameters are passed to the Unified Agent, in any of the supported methods, the Unified Agent can be run without failing even if the configuration file is missing.

  • Beginning in this version, if the Yarn lock file (yarn.lock) is found during the scan, it will be used for the dependencies detection, without the need to explicitly set the npm.yarnProject flag.

...

Version 20.8.2 (13-September-2020)

New Features and Updates

  • Helm version 3 support is officially introduced for the Kubernetes integration.

...

  • If hex.ignoreSourceFiles was set to true, the Unified Agent did not ignore .erl source files.

  • When groups were created via SAML integration and were then deleted manually from the dashboard, an exception occurred.

Notices

  • Within the next two releases of the Unified Agent, a significant improvement to the NPM dependency detection will be introduced. An optimized NPM resolution method, controlled by the npm.resolveLockFile flag, will become the default dependency detection for NPM. This will be applied by changing the current default value of the npm.resolveLockFile flag from false to true. This will significantly improve the scanning time of NPM projects and produce more accurate results. 

...

Version 20.8.1 (30-August-2020)

New Features and Updates

Unified Agent

A new format of Docker project name is now supported - repositoryName - which is based on the Docker repository name only. This format can be applied by setting the docker.projectNameFormat parameter to repositoryName.

...

Version 20.7.3 (16-August-2020)

New Features and Updates

Web UI

  • Beginning in this version, when creating/editing a policy based on a Jira project with a mandatory field from a type which isn't currently supported, but has a default value defined for it in Jira, the operation will succeed.

...

  • Scanning docker images with source files leads to duplicate appearances of the source libraries in the Hierarchy view.

Notices

  • Within the next two releases, WhiteSource will be improving the Unified Agent configuration by removing the requirement to have a configuration file, if all the mandatory parameters are set (passed as command-line parameters or by environment variables).

Version 20.7.2 (2-August-2020)

New Features and Updates

WhiteSource Core

  • SAML session token duration (the time between the IDP authentication and the WhiteSource login) was changed from 10 minutes to 5 minutes.

...

  • A new API, setNotice, enables setting the value of the library’s notice.

Unified Agent

  • Improvements were made to the Docker scanning of the Linux RPM-based images.

  • Users can now configure Unified Agent parameters using environment variables.

  • The Bazel support for Go projects was extended to Windows. The Unified Agent can now scan on both Linux and Windows Go projects using the go_repository rules generated by Bazel Gazelle (see here).

...

Version 20.7.1 (19-July-2020)

New Features and Updates

Unified Agent

  • Users scanning docker images can now receive information regarding packages in layer granularity. The new functionality can be enabled by setting the docker.layers parameter to true. The layer granularity can be viewed in the UI under the hierarchical display (Show as Hierarchy).

  • Improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag are introduced. The improvements include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting the npm.resolveLockFile to True.

  • A new flag, npm.ignoreDirectoryPatterns, enables users to determine the list of ignored directories.

  • The Bazel support was extended to Go projects. The Unified Agent can now scan on Linux machines Go projects using the go_repository rules generated by Bazel Gazelle (see here).

...

Version 20.6.2 (5-July-2020)

New Features and Updates

WhiteSource Core

Unified Agent

  • The Unified Agent’s checkPolicies-json.txt file now includes the system path and manifest file path for each of the components, when this information is available.

  • A new parameter, python.localPackagePathsToInstall, enables users to configure a list of local package paths that will be installed during the pre-step, if required.

...

  • If the field last scan comment contains multiple lines, only the first line will be displayed in the project vitals area.

Notices

  • In the next release, improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag will be introduced. The improvements will include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting the npm.resolveLockFile to true. 

...

Version 20.6.1 (21-June-2020)

New Features and Updates

WhiteSource Core

Web UI

  • The Attribution Report has undergone several enhancements, including the following:

    • select which fields to include/exclude from the report

    • apply filters to the report

    • include a custom attribute in the report

    • export the report to a JSON format

    • hide fields containing empty values 

  • Beginning in this version, an indication on the vulnerability page displays which vulnerabilities were modified in the previous month.

  • Beginning in this version, the WhiteSource Expert Fix is the first solution recommended to customers in the list of suggested fixes.

Unified Agent

  • This version introduces a Dockerized Unified Agent. More information can be found here.

  • Bazel resolution is now enabled by default. The UA now supports Bazel for Java projects. The following two rules are supported: maven_install, maven_jar.

  • This version introduces support for OpenSUSE leap images via the Unified Agent Docker scan.

...

Version 20.5.1 (24-May-2020)

New Features and Updates

WhiteSource Core

Web UI

  • In the ADD/EDIT policy function, mandatory fields of types string, string array, user, number are now also supported. When choosing the issue type in the project, the mandatory fields as displayed and you must fill them in.

  • In certain reports, the following was added to all panels with multiple selections

    • A count indicator for the number of selected rows that appear when selecting rows of a data grid panel. This counter updates automatically when selecting/deselecting rows.

    • Next to the counter, a 'clear selection' button clears all selected rows when clicked.

Unified Agent

  • Beginning this release, the Nuget resolution will be improved and aligned to the other resolvers by excluding the system packages from the scan results by default.

  • Beginning in this version, the .coffee source files will not be taken into consideration when npm.ignoreSourceFiles is set.

...

  • In the Library Details screen, the new Aggregated Data tab displays aggregated data for licenses, policies, vulnerabilities, and library data.

Unified Agent

  • This version introduces support for the npm.ignoreScripts parameter for yarn.

  • Improvements were made to Go projects scanning.

...

  • A risk score was added for license Open LDAP 2.4.

Unified Agent

  • This version provides support for Global Packages for Poetry.

  • In addition to parsing/collecting yarn dependencies, the Unified Agent now supports adding yarn workspaces with their dependencies (direct and transitive) as a hierarchy tree.

...

  • In the library details page, users can now manually override the license text to their library's specific license text. The new license text will be displayed in the Attribution Report and in the Release Management Dashboard, both in the UI and via APIs.

  • In the Attribution Report, for manually assigned copyrights with a comment, the comment now appears in a new section called Comments in the library’s Copyrights section.

Unified Agent

  • The Unified Agent now supports Scala sbt-coursier and sbt 1.3.x.

  • Docker Azure login to ACR Registries is now supported.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • Support for Cabal version 3 is now provided.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • A new parameter, python.resolvePipEditablePackages, enables the support of pip in editable mode (-e), thus presenting additional dependencies in WhiteSource for Python projects.

  • New Package Manager support: This version introduces support for Gradle Kotlin DSL.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • The Library Details page has been redesigned whereby the information is now organized into four separate tabs.

  • The Unified Agent now supports SBT 1.3.x and above.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • In the Policies functionality, the bug rating and version activity match types have been removed, and there is no longer a way to add new policies of these types. Existing policies with these types, though, will be editable.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • This version introduces support for the DNF Package manager for CentOS.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • This version introduces support for Poetry, a new package manager for Python.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • NPM Resolution: Optimized scanning behavior and reduced scan time. The new functionality relies only on the package.json instead of NPM commands and can be enabled using the flag: npm.resolveLockFile=true.

  • The Unified Agent has been enhanced to cover more cases of Maven configuration (i.e., for customers using different formats for Maven tree output).

...

New Features & Updates

WhiteSource Core

Unified Agent

  • Added flexibility for “R” programming language scanning: This version provides support for the R programming language for customers who are not using its main package manager, Packrat. 

  • The Unified Agent has been enhanced to cover more cases of Maven configuration (i.e., for customers using different formats for Maven tree output).

...

New Features & Updates

WhiteSource Core

Unified Agent

  • Easier Onboarding for JFrog Artifactory Docker Integration: Beginning in this version, the Unified Agent is now able to download Docker images from artifactory as an archive file, then extract and scan them.

  • Added flexibility for JFrog Artifactory Docker image scan: Two new parameters, artifactory.includes and artifactory.excludes, provides customers with the ability to filter which images to scan in their repositories.

  • A new parameter, php.ignoreSourcefiles, provides more extensive results for customers using PHP by enabling users to decide whether to ignore source files scanning.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • Detect Mode - Enhanced environment-based recommended configuration capability: The generated configuration file now supports the ‘includes’ parameter.

  • In cases where the Unified Agent execution has an issue (for example, policy violation), the Bitbucket pipe will reflect it and fail the build.

  • This version introduces better customization and control, where customers can change the default location where Unified Agent logs are saved.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • The Unified Agent now supports scanning the opam package manager for the OCaml programming language.

  • Aligning the Unified Agent to the Maven plugin behavior: A new boolean parameter in the Unified Agent, maven.projectNameFromDependencyFile, controls if a project name will be taken from the dependency file.

  • Aligning the Unified Agent to the NPM plugin behavior: An existing parameter, npm.projectNameFromDependencyFile, controls whether the project name will be taken from the dependency file.

  • Added flexibility: It is now possible to set project metadata information using a project tag (key and value) via the Unified Agent command line and the Unified Agent configuration file.

  • When scanning Docker images, and NPM is not available, in order to extract global dependencies, the new npm.resolveGlobalPackages parameter eliminates the need to rely on NPM being installed and available.

...

  • Extending auditing capabilities: In the Change Log History Report, there is now support for auditing changes in vulnerability score/severity.

  • This version brings the following enhancements:

    • Added granularity -  Support for changing a library to a source file in the Product level and not only in the Organization level.

    • Alignment with API - The user must be a Product or Organization Administrator as required in the API of the change library and not a regular user.

  • New auditing enhancement that extends existing functionality to the Change Log History Report: When changing a library, customers can now track when the changes occurred, according to new records in the ChangeLog.

Unified Agent

  • For easier debugging and maintenance, the Unified Agent log now contains all the Unified Agent configuration parameters in a more organized manner.

  • A new optional NPM parameter, npm.failOnNpmLsErrors, enables a smoother transition between the NPM plug-in and the Unified Agent when handling “npm ls” errors.

  • The SBT resolver now supports additional scopes such as `test`, `runtime`, `provided` etc.

...

  • The following improvements have been made to the License Compatibility Report:

    • As part of ongoing enhancements to this report, the accuracy has been improved,  and the results are more detailed.

    • “Type” (the library’s programming language) has been removed in favor of “Incompatibility Type” (the type of conflict between two library’s licenses).

    • A new Incompatibility Type, Potential Incompatibility, has been added. Potential Incompatibility indicates that the library being evaluated is licensed under multiple licenses, indicating that the user must choose under which license the library will be licensed. 

  • Better customization for the Attribution Report:

    • Users can now select whether to include licensing text in the existing Licensing section, or in a new dedicated section “Appendix: License Details” section.

    • Users can now select whether Primary Attributes (a.k.a. custom attributes) will be featured in the Attribution report.

Unified Agent

  • The Unified Agent now supports Python global packages resolution.

  • New enhancements for the Serverless Plugin enable running additional parameters from a YAML file and passing them to the Unified Agent configuration.

  • For customers without a Docker installation in their user environment, the Unified Agent now performs a scan (based on docker.scanTarFiles=true) of tar.gz files that represent a saved Docker image.

...

  • The Dashboard view has undergone the following changes:

    • The Top Alerts pane now displays a dedicated summary count of system category alerts reported for a given organization, product or project. This includes the total count of policy violations, versions, licenses, quality and security alerts.

    • A detailed listing of alerts reported for an alert category is now displayed by clicking on the category name or count, displaying an Alert View corresponding to the category of the clicked item, thus enabling the user to perform tasks on the listed alerts.

  • Marking libraries as in-house enhancements:

    • Auditing enhancement: Rules added or removed through In-House Rules are now tracked and can be displayed in Change Log History.

    • It is now possible to create an in-house rule whose name matches that of the selected library.

    • The help text on the In-House page has been revised and improved.

  • It is now possible to disable all email notifications for administrators.

Unified Agent

  • Improvements in Kubernates integration: The Kubernates SDK is now used to retrieve information.

  • Parameter names additions: Gradle.ignoredScopes can be used in addition to gradle.ignoredConfiguration, and gradle.includedScopes can be used in addition to gradle.includedConfiguration.

  • Each successive scan of the same library generates its own folder (relevant only for logs).

  • The Unified Agent now supports the extraction of .hpi files.

  • Improvements in SBT dependency resolving have resulted in more accurate output.

...

New Features & Updates

WhiteSource Core

Unified Agent

  • Docker Artifactory integration is now enabled with a read-only user via the new configuration parameter docker.artifactory.dockerAccessMethod.

  • The new configuration parameters log.files.level, log.files.maxFileSize, and log.files.maxFilesCount enable you to store logs by default. Storing logs is useful, for example, to avoid situations when users have issues with certain scans, and therefore will not need to redo those scans in order to provide logs to the Support team. Note that this feature is enabled by default. Customers who do not need these logs can manually disable it.

  • Enhanced Detection: This version introduces the automatic identification of Maven libraries with multiple instances of SHA-1.

  • It is now possible to include/exclude specific Gradle modules to scan.

  • The Unified Agent now supports scanning the Cabal package manager for the Haskell programming language.

...

  • WhiteSource for GitHub.com and WhiteSource for GitHub Enterprise: Using the new projectToken configuration parameter in the .whitesource configuration file, it is now possible to map a GitHub repository to an existing WhiteSource project. This provides added flexibility in terms of organizing projects in WhiteSource originating from various integrations.

Unified Agent

  • The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.

  • Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.

  • This version provides support for Serverless Framework via a dedicated plugin.

...

  • WhiteSource for GitHub Enterprise and WhiteSource for GitHub.com

    • Improved usability and enhanced control over the WhiteSource scanning. An onboarding Pull Request is now generated on each selected repository during the GitHub App installation. The .whitesource configuration file will only be used and WhiteSource will only start scanning the repository once the Pull Request is merged.

    • The .whitesource configuration file now includes a parameter minSeverityLevel, which lets you decide whether to open a new GitHub Issue only if a certain Security Vulnerability Severity level is available, or not open a GitHub Issue at all.

    • The .whitesource configuration file now includes a parameter configMode, which lets you use an existing Unified Agent configuration file. This can be done by providing either a local Unified Agent configuration file, or fetching the config file from an external location using the configExternalURL parameter. 

Unified Agent

  • Unified Agent Improvements - Provide more accurate results by scanning, creating and updating empty projects. The Unified Agent will create an empty project in WhiteSource for all scans which do not contain any dependencies. In addition, when updating an existing WhiteSource project with empty data via the Unified Agent, the project in WhiteSource will be updated to reflect the latest project state.

  • This version introduces support for mapping support files to NuGet packages.

  • This version introduces improved results when scanning NuGet packages by checking the project target framework (Note: Some customers might experience fewer dependencies as a result.)

  • Added flexibility by supporting custom build environments: The Unified Agent now has the ability to pass arguments to the maven 'dependencies:tree‘ command which runs when the maven.resolveDependencies configuration parameter is enabled. A new configuration parameter was added for this purpose, maven.additionalArguments.  

  • The Unified Agent now supports scanning the Cargo package manager for the Rust programming language.

...

  • New added flexibility: The Due Diligence report now enables you to select an existing custom attribute as part of the report’s filtering.

Unified Agent

  • A new CLI parameter, detect, automatically creates a configuration file based on your scanned libraries and files (relevant for all package managers). NOTE: This is the first step in new configuration recommendations. Future versions will contain additional features.

  • Added flexibility by supporting custom build environments: The Unified Agent now has the ability to pass arguments to the gradlew and gradle ‘dependencies’ command. A new configuration parameter was added for this purpose, gradle.additionalArguments.

  • This version adds support for scanning Go 1.11 projects without the need for a dependency manager.

...

  • Enhanced usability: The Attribution report now provides better usability by requiring the user to first select/enter a requested product/project, and therefore avoid displaying default non-relevant product/project information.

  • Enhanced usability: The copyright in the Attribution report now includes a range of years and the copyright’s author.

Unified Agent

  • Enhanced usability and debugging: When running the Unified Agent, the CLI output now displays the current Unified Agent’s version.

  • Enhanced security: In the Unified Agent, Docker Hub authentication is now enabled via token, instead of user and password.

  • Added flexibility in Maven and Gradle Projects scanning: New configuration parameters, maven.downloadMissingDependencies and gradle.downloadMissingDependencies allow controlling and hastening the downloading of missing dependencies.

  • In multi-module Maven and Gradle projects, the Unified Agent automatically detects if a Maven or Gradle project should be scanned, eliminating the need to manually enter a project name.

  • An existing parameter, gradle.localRepositoryPath, now has the ability to look for more than one Gradle local repository path in case of Gradle resolution.

  • Improved configuration time: The Unified Agent configuration file now saves configuration time and prevents incorrect URLs by listing predefined URLs for each possible SaaS system, in “commented out” status. Users need only to select the relevant one.

  • The Unified Agent can fetch dependencies and provide a hierarchy tree for projects which do not contain the ‘vendor’ folder. This provides improved results when scanning Go projects using the VNDR, GoDep, and Dep package managers.

...

  • Inventory report: Minimize the time to execute an action (such as “assign license”) on a list of selected libraries by supporting bulk actions menu.

Unified Agent

  • Extended JFrog Artifactory Integration -

  • Support updating JFrog Artifactory “properties” tab of an artifact with vulnerabilities and licensing information from WhiteSource scan.

  • Support accessing JFrog Artifactory repository using a token for enhanced security. The following configuration parameters were added: ‘artifactory.accessToken’, ‘artifactory.url’. 

  • Support more informative summary statistics at the end of a scan - displaying different language extensions for which binary/source files were found and for each extension how many source/binary files were scanned. 

...

  • Compare Products report: Minimize the time to search for a product (both source & target) to compare in the dropdown which is now sorted alphabetically.

  • Compare Projects report: Support more flexibility of projects comparison by providing the ability to compare a project in one product to a project in a different product. 

Unified Agent

  • UA Extended Coverage:

    • Added support for the ‘R’ language ‘RStudio’ and ‘Packrat’ packages. The following configuration parameters were added: ‘r.resolveDependencies’, ‘r.runPreStep’, ‘r.ignoreSourceFiles’,’r.cranMirrorUrl’

    • Support scanning JFrog Artifactory using Artifactory APIs (will be an alternative to the Artifactory plugin in the future). The following configuration parameters were added: ‘artifactory.accessToken’, ‘artifactory.url’, ‘artifactory.repoKeys’ ,  ‘artifactory.enableScan’.

  • Support more readable structure of UA configuration file by organizing the configuration parameters per relevant topics. The new template file can be downloaded from here

  • Corrected behavior of UA scan failure when scanning empty projects and using the parameter failErrorLevel=ALL.

  • Enhanced GoDep package manager by providing the ability to display more accurate hierarchy tree. 

  • Support creating empty projects in WhiteSource for scanned empty projects by using a new configuration parameter ‘updateEmptyProject’. This behavior refers to all resolvers.

...

  • Change Log History report: Extended auditing capabilities in policies by providing data on any change in policy management activities related to the Organization, Product, and Project scopes.

Unified Agent

  • Support for integrating Apache Ant based projects including modules. 

  • Added the configuration parameter ‘python.indexUrl’, which enables to define the local Pypi repository URL, instead of the official Pypi repository (default value is null).

  • The Unified Agent is able to read ‘userKey’ and ‘apiKey’ values from environment variables. 

  • Improved NPM resolve functionality when downloading from a registry: If the HTTP response is 401 or 403 (authentication/authorization) then the downloading of additional dependencies from this repository is canceled.

...

  • Enhanced auditing for administrative actions: Extended auditing capabilities for tracking product/project deletion. For each of the actions there will be a new record written in the Change Log History report.

  • Enhancement to Attribution report: If copyright data is not available then it is explicitly noted as missing in Summary table.

Unified Agent

  • Support for the scanning of Apache Ant based projects including all their dependencies. Related configuration parameters have been added: ‘ant.resolveDependencies’ and  ‘ant.pathIdIncludes’ (by default, both parameters are commented out).

  • Dep package manager for Go: The display of the hierarchy tree has been optimized.

...

Version 19.3.2 (7-April-2019)

New Features & Updates

Unified Agent

  • Simplified scope configuration when many scopes are ignored in the project: The ‘gradle.ignoredScopes’ configuration parameter now supports regular expressions.

  • More details in logs: The log file includes more information about ignored scopes of Gradle/Maven projects. This allows the user to quickly verify that all the ‘ignored_scopes’ dependencies are not parsed.

  • Added flexibility: When the new ‘npm.resolveMainPackageJsonOnly’ configuration parameter is set to ‘true’ (default is ‘false’), a scan is initiated only if a JSON package is defined in the ‘-d’ folder parameter.  

  • Enhanced Security: From this version and on, all Unified Agent JAR files will be digitally signed.

  • The configuration parameter ‘scanReportFilenameFormat’ indicates whether or not to add a timestamp to the JSON report filename.

...

  • The new Containers dashboard enables you to pinpoint security vulnerabilities at various levels, providing a clear view of Kubernetes resources along with the ability to filter, sort, and view the vulnerabilities per pod and image in the cluster. See also The Containers Dashboard.

Unified Agent

  • Improved csontainer scanning coverage: Added the option to scan a Docker image from a Google Container Registry.  See also Google Container Registry Docker Integration

  • NPM: Added the ability to fetch the project name from the ‘package.json’ dependency file via the Boolean configuration parameter ‘npm.projectNameFromDependencyFile’.

  • Added support for Julia source files with the file extension ‘.jl’. 

  • Added support for car archive files with the file extension ‘.car’. 

  • Added a behavior rule to the existing 'failErrorLevel' parameter in order to enhance the precision of the scanning policy: If this parameter is ‘ALL’, then scan fails when ‘productName’ and ‘productToken’ are missing, and no ‘projectToken’ is defined in the configuration file. See also The failErrorLevel Parameter of the Unified Agent.

  • Yarn dependency management: Added the new parameter ‘npm.yarn.frozenLockfile' that enables to run the pre-step with the ‘--frozen.lockfile’ yarn parameter.

  • Scan report in JSON Format:

  • Accurate reporting time frames: In addition to a date, a timestamp was also added to the JSON based scan report’s filename. For example, ‘ProjectA-2019-03-01T130102+0200-scan_report.json’.

    • Added custom attributes data. For each library, the relevant custom attribute values are displayed.

    • Added policy and vulnerability statistics data to local scan report. See also Unified Agent JSON Report Example

...

  • A new ‘getProjectRiskReport’ API request has been added to retrieve the Risk report in PDF format for a specific Project scope.

  • The new ‘getOrganizationContainerVulnerabilityReport’ and ‘getClusterVulnerabilityReport’ API requests have been added to retrieve the Containers Vulnerability report. These requests support Excel and JSON formats.

Unified Agent

  • Improved integrations and automation: A summary report in JSON format can be automatically generated locally at the end of each scan. This report includes information on vulnerabilities, policy violations, top fixes and inventory details. The new ‘generateScanReport’ configuration parameter enables generating this report when it is set to true (default is false). 

  • Enhanced automation and ability to call additional API requests: When the new configuration parameter ‘generateProjectDetailsJson’ is set to ‘true’, the Unified Agent generates a JSON file named ‘scanProjectDetails.json’ containing the projectToken(s) and projectName(s) from the last scan that ran (default value is false). 

  • Improved scanning granularity: Added the ability to run a scan that excludes specific direct or transitive dependencies via the parameter 'excludeDependenciesFromNodes'. Values for this parameter can include one or more artifact IDs, and regular expressions can also be used to define which artifact IDs to exclude.

  • Scanning transparency and predictability: Easily view the steps that ran as part of a scan, and understand how long each step took. A start/end indication is displayed for each scan step. A summary at the end of scan with all the relevant information on each step is also displayed. See also Unified Agent Scan Steps & Summary

  • The new configuration parameter for NuGet named ’nuget.packagesDirectory’ enables providing a path to the directory where the WhiteSource temporary files are created.

  • Artifactory: Added the option to scan Docker images stored in the Artifactory Docker Registry. The following related Unified Agent configuration parameters were added: ‘docker.artifactory.url’, ‘docker.artifactory.userName’, ‘docker.artifactory.userPassword’, ‘docker.artifactory.repositoriesNames’.

  • A new configuration parameter ‘nuget.preferredEnvironment’ enables the user to define the preferred ‘restore’ command for performing the nuget dependency resolution. Available values are 'nuget' and 'dotnet'.

...

  • Added an indication for the number of requests and conditions a specific user requested. The Admin users page includes an option to change the assignment of requests.

Unified Agent

  • Added support for the ‘vgo’ (‘Go Modules’) package manager for ‘Go’. See also related documentation.

  • Serverless scanning: Added support to include and exclude components when scanning serverless functions (‘serverless.includes’ and ‘serverless.excludes’).

  • Added the ability to run the Effective Usage Analysis (EUA) feature without the need to maintain a configuration file.

...

  • Project & Product pages: Added a ‘View Inventory’ link in the Libraries pane that will open the Inventory report while keeping the Project/Product context.

  • Product navigation menu: When hovering over a specific product, the list of associated projects are displayed in the order that they were used (last used is displayed on top of the list).

Unified Agent

  • Added support for scanning containers. The following related configuration parameters have been added: ‘docker.scanContainers’, ‘docker.containerIncludes’, ‘docker.containerExcludes’. Note that the ‘Includes’ and ‘Excludes’ parameter values may be one or more of the following: Container ID, Container name, Image name.

  • Added hierarchy tree support for the ‘Glide’, ‘GoDep’, and ‘GoPm” package managers that enables you to view direct and transitive dependencies.

  • NuGet Packages: Added support for viewing the hierarchy of the package(s). This feature includes the ability to view direct and transitive dependencies.

...