
Info

WhiteSource launched a new WhiteSource Bolt extension on 17 January 2021. Click here for more information.




Introduction

WhiteSource Bolt is a lightweight open source security and management solution, integrated within Microsoft’s Azure DevOps Services & Azure DevOps Server (formerly TFS) products. It enables you to do the following:

...

For more information or questions on WhiteSource Bolt for Azure DevOps, please reach out directly to boltazure@whitesourcesoftware.com.

Installation

As of 17 January 2021, the WhiteSource Bolt extension described on this page is no longer available for download or installation. A new WhiteSource Bolt extension is available from here. Documentation for the new extension can be found here.

Build Configuration for Azure DevOps Services

Create Project

Create a new project, provide a name for it, and an optional description (alternatively, use an existing project).

...

Fill in the registration form:

Setting Up the Job

Go to 'Pipelines' → 'Builds' → 'New' → 'New Build Pipeline'.

Select the source for your code. You can create a pipeline using YAML (option 1), or use the classic editor to create a pipeline without YAML (option 2).

Option 1: Creating a Pipeline Using YAML

In the Where is your code? screen, select a YAML-enabled option.


In the Select a repository screen, select your repository.


In Configure your pipeline, select the relevant pipeline configuration.

In Review your pipeline YAML, add the following text as a post-build step. This activates WhiteSource integration on your build pipeline.

- task: WhiteSource Bolt@19
  displayName: 'WhiteSource Bolt'


Click Save and run.
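For context, here is a complete azure-pipelines.yml that places the task from the step above after a build step. This is an added example, not part of the WhiteSource documentation; it assumes a .NET solution built with the DotNetCoreCLI task (replace that with your own build step), and the optional connectivity pre-check is this example's own addition for self-hosted agents behind a proxy.

```yaml
# azure-pipelines.yml (added example; the only line taken from the
# documentation is the WhiteSource Bolt task itself).
trigger:
  - main

pool:
  # Microsoft-hosted agent. A self-hosted agent needs outbound access to
  # whitesourcesoftware.com and its subdomains (see the proxy warning below).
  vmImage: 'windows-latest'

steps:
  # 1. Restore and build first, so the resolved dependency tree exists
  #    before the scan runs. Assumes a .NET solution; swap in your own build.
  - task: DotNetCoreCLI@2
    displayName: 'Build solution'
    inputs:
      command: 'build'
      projects: '**/*.csproj'

  # 2. Optional fail-fast check (this example's addition): a self-hosted
  #    agent whose proxy blocks the WhiteSource domain would otherwise fail
  #    inside the scan with a less obvious error.
  - powershell: |
      $resp = Invoke-WebRequest -Uri 'https://whitesourcesoftware.com' -Method Head -UseBasicParsing
      if ($resp.StatusCode -ge 400) { throw "WhiteSource endpoint returned HTTP $($resp.StatusCode)" }
    displayName: 'Check outbound access to whitesourcesoftware.com'

  # 3. Post-build step from the documentation: scan the open source
  #    components that the build resolved and attach the report to the build.
  - task: WhiteSource Bolt@19
    displayName: 'WhiteSource Bolt'
```

The scan must run after the build so that package restore has already produced the dependency set the report is based on.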

Option 2: Creating a Pipeline Without YAML (Classic Editor)

Select the type of repository:


Select an Empty job:

...

You have the option to export the report by clicking the 'Export Report' button.

Build Configuration for Azure DevOps Server


Warning

Azure DevOps Server Users

If you are using a proxy server or a self-hosted build agent, make sure to open communication to the domain "whitesourcesoftware.com" and its subdomains. If your proxy configuration requires authentication, make sure your Azure DevOps Server build agent is properly configured. For further information, see Deploy an agent on Windows.

...

When you’ve finished with your configurations, click Save on the left side of the screen, followed by clicking OK.

Using WhiteSource Bolt on Azure DevOps Server

Follow these steps to start a new build:

  1. Click Queue new build on the top right of your screen, followed by clicking OK.
  2. As soon as the build process completes, you’ll see a new tab in the Build Summary page called WhiteSource Bolt Build Report.

     If you receive an error message rather than the above build confirmation, then contact boltazure@whitesourcesoftware.com.
  3. Click on the WhiteSource Bolt Build Report tab to view the WhiteSource Bolt analysis.

     Info

     WhiteSource Bolt only displays results for builds executed after WhiteSource Bolt was installed. If you try to access a build that predates WhiteSource Bolt’s installation, no results will be displayed.


From now on, WhiteSource generates a report each time that you execute a build.

Understanding the Reports

You can view WhiteSource Bolt reports at a build or project level (aggregated report of all your builds). WhiteSource Bolt does not offer an account-level report.

Reports consist of five sections: Security Analysis, Security Vulnerabilities, License Risks and Compliance, Outdated Libraries and Inventory.

Section 1: Security Analysis

A summary of detected open source vulnerabilities and the libraries that contain them.

...

Severity Distribution provides a breakdown of the vulnerable libraries according to their severity level.

Aging Vulnerable Libraries displays the length of time elapsed since detected vulnerabilities were first identified in the open source community.

Section 2: Security Vulnerabilities

A table listing all security vulnerabilities.

...

The Top Fix column lists the top-rated solution that WhiteSource recommends for each vulnerability. A condensed description of the recommended course of action is given, followed by a link to a broader description.

Section 3: License Risks and Compliance

A summary of open source components’ license types.

...

The License Risk Distribution histogram breaks down the number of licenses by their risk level. An Unknown risk level only means that the license's risk was not analyzed by WhiteSource legal experts; it does not mean the license is low risk.

Section 4: Outdated Libraries

A table listing libraries that have not been updated to their newest available versions.

...

The Recommendations column lists the course of action recommended by WhiteSource and a link to the library’s homepage.

Section 5: Inventory

An inventory of all open source components detected.

...

The Licenses column lists licenses detected for each library, and links to their official license descriptions. The reference site that identifies the library’s license type is also linked to or described.

Upgrading to the Full WhiteSource Platform

We hope you enjoy using WhiteSource Bolt, a lightweight product integrated with Azure DevOps Services/Azure DevOps Server. For even greater control over your open source components, consider upgrading to our full WhiteSource platform.

Feel free to reach out to us to learn more about the platform's expanded functionality and our simple upgrade process.