Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • In the Security Alerts reports, there were no checks to determine if the organization had partial data property.

  • Jira Server Plugin: instead of assigning the WhiteSource issue type only to the relevant project, it was added to all the screens in the user's Jira environment.


  • New and updated documentation has been published for the Reports APIs and the License and Library APIs.

Azure DevOps Integration Version 21.6.31 (14-July 2021)


  • Starting August 1, 2021, Unified Agent versions will be available for a year after their release.  

  • Within the next two releases of the Unified Agent, the default value of the php.removeDuplicateDependencies parameter will be changed from false to true.

  • Within the next two releases of the Unified Agent, the gradle.additionalArguments parameter for specifying additional arguments to be added to the Gradle commands executed by the agent - will be applied to all Gradle commands (not only to the gradle dependencies command). 

  • Within the next two releases of the Unified Agent, the Maven, OCaml, Modules and the R resolvers will be aligned to the behavior of the other detectors when failErrorLevel is set to ALL by failing the scan if the relevant package manager is not installed.


  • New and updated AVM documentation has been published

  • New and updated API documentation has been published for 1) Alerts and 2) Groups and Users

  • The contents of the following topics will be moved. The pages of those topics will be deprecated. Note that after being moved, no changes to the information contained will be made

    • The contents of Triggering a new Scan in Bitbucket will be moved to WhiteSource for Bitbucket Server.


The TeamCity plugin will reach its End Of Life starting November 1, 2021. After this date, WhiteSource will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until May 1, 2022. Following this date, the TeamCity plugin will no longer be supported by WhiteSource. Please make sure to migrate to the Unified Agent before the end of standard support on November 1, 2021 to maintain full support of your product.


  • The following pages were deprecated:

    • Requesting an Arbitrary File 

    • GitHub Related Topics

    • The License Identification page -  its content was merged with Changing a Library’s License

    • TheLicense Analysis page - its content was merged with Understanding Risk Score Attribution

  • The Policies API page has been deprecated, and a new and updated Policies API page has replaced it.


  • Users encountered errors logging in to WhiteSource.

  • Project name or project token were mandatory parameters for Docker scanning unnecessarily.

  • Users were unable to delete roles when there were no roles remaining.

  • When the Inventory Report was exported to MS Excel, there was extra whitespace between the project name and the Direct Dependency.

  • When password complexity validation was enabled, users were unable to reset their passwords.

  • NPM/Yarn downloaded artifacts were not always removed at the end of the Unified Agent scan.

  • In the Unified Agent, a null pointer exception occurred when scanning ANT-based projects with an empty zip file.


  • New and updated WhiteSource Prioritization documentation has been released. See here.

  • The R Integration page was deprecated and its content was moved to the Unified Agent Configuration Parameters page.

  • In the next version, the following pages will be deprecated:

    • Requesting an Arbitrary File

    • GitHub Related Topics

    • The License Identification page - its content will be merged with Changing a Library’s License

    • The License Analysis page - its content will be merged with Understanding Risk Score Attribution

    • The New Versions Alerts page - its content will be merged with the Project Page


  • Using the Unified Agent’s Archive Extractor when trying to scan the root of the operating system resulted in a null pointer exception.

  • In AVM, a timeout occurred when fetching vulnerabilities information from Fortify.


  • The NuGet Plugin page was deprecated.

  • In the next version, 21.3.2, the following changes will be implemented:

    • The Deprecated Features topic will be deprecated and the content will move to the Noticespage

    • The High Severity Bugs Report topic will be deprecated

    • The File Systemtopic will be deprecated

  • Additional modifications will be implemented to the opening documentation sections, beginning with the login/homepage documentation. 


  • In some cases, information regarding source libraries was not displayed correctly; for example, empty projects were still displayed in some source libraries, or some source libraries appeared as empty.

  • Running the gcloud auth command failed during Docker scan on Mac computers.

  • Users with different roles than admins or alert ignorers were able to ignore alerts in VBA mode.

  • Exceptions occurred when trying to assign licenses as part of update policy alerts.

  • In the Unified Agent, when scanning NPM, NPM dependencies were not resolved when package.json did not contain name/version attributes.

  • When downloading a missing jar file, the Unified Agent incorrectly generated success messages.

  • Added indication for missing copyright references in the Attribution report summary.

  • When excluding inner modules (projects) in Gradle, the scan would return the wrong dependencies tree.

  • Azure DevOps Services Integration: In some cases, adding npm.resolveMainPackageJsonOnly=true to the WhiteSource Configuration task parameter led to a scan failing.


Beginning in this version the following page was archived and is therefore no longer in use.


  • WhiteSource is launching a Beta release of a new generic platform for issue tracker integrations and a plugin for Jira Server. The new platform will provide the ability to integrate with issue tracking systems, in order to automatically create issues when a policy match occurs. The Jira Server Plugin is the first integration developed using the new platform and more out-of-the-box plugins are planned to be released.


The following topic has been deprecated:


  • Azure DevOps Services Integration: Running a pipeline build from a self-hosted agent resulted in a WhiteSource-generated .encrypted file not being deleted at the end of each WhiteSource build task run.
    NOTE: Self-hosted agent builds triggered before 14 February may still contain traces of WhiteSource-generated .encrypted files. These files must be manually removed from the self-hosted agent work folder.

  • On rare occasions, library alerts were not created after the vulnerability sync.

  • Duplicate hashed source files caused the second one to be considered as unmatched.

  • In Linux, Python scans failed due to a missing space in the execution of one of the commands used for resolution.

  • In the Unified Agent, there were exceptions when parsing specific pipfile formats.


The following topics have been deprecated and all their content has been merged into the Unified Agent documentation:


  • The new Containers dashboard enables you to pinpoint security vulnerabilities at various levels, providing a clear view of Kubernetes resources along with the ability to filter, sort, and view the vulnerabilities per pod and image in the cluster. See also The Containers Dashboard.

Unified Agent

  • Improved csontainer scanning coverage: Added the option to scan a Docker image from a Google Container Registry.  See also Google Container Registry Docker Integration

  • NPM: Added the ability to fetch the project name from the ‘package.json’ dependency file via the Boolean configuration parameter ‘npm.projectNameFromDependencyFile’.

  • Added support for Julia source files with the file extension ‘.jl’. 

  • Added support for car archive files with the file extension ‘.car’. 

  • Added a behavior rule to the existing 'failErrorLevel' parameter in order to enhance the precision of the scanning policy: If this parameter is ‘ALL’, then scan fails when ‘productName’ and ‘productToken’ are missing, and no ‘projectToken’ is defined in the configuration file. See also The failErrorLevel Parameter of the Unified Agent.

  • Yarn dependency management: Added the new parameter ‘npm.yarn.frozenLockfile' that enables to run the pre-step with the ‘--frozen.lockfile’ yarn parameter.

  • Scan report in JSON Format:

  • Accurate reporting time frames: In addition to a date, a timestamp was also added to the JSON based scan report’s filename. For example, ‘ProjectA-2019-03-01T130102+0200-scan_report.json’.

    • Added custom attributes data. For each library, the relevant custom attribute values are displayed.

    • Added policy and vulnerability statistics data to local scan report. See also Unified Agent JSON Report Example