WhiteSource Bolt is a lightweight open source security and management solution, integrated within Microsoft’s Azure DevOps Services & Azure DevOps Server (formerly TFS) products. It enables you to do the following:
For more information or questions on WhiteSource Bolt for Azure DevOps, please reach out directly to email@example.com.
As of 17 January 2021, the WhiteSource Bolt extension is no longer available for download or installation. A new WhiteSource Bolt extension is available from here. Documentation for the new extension can be found here.
Build Configuration for Azure DevOps Services
Create a new project, provide a name for it, and an optional description (alternatively, use an existing project).
Fill in the registration form:
Setting Up the Job
Go to 'Pipelines' → 'Builds' → 'New' → 'New Build Pipeline'.
Select the source for your code. You can create a pipeline using YAML (option 1), or use the classic editor to create a pipeline without YAML (option 2).
Option 1: Creating a Pipeline Using YAML
In the Where is your code? screen, select a YAML-enabled option.
- task: WhiteSource Bolt@19
  displayName: 'WhiteSource Bolt'
Click Save and run.
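A complete azure-pipelines.yml built around that task, as an added example that is not part of the original documentation: the trigger branch, the hosted pool image and the Node.js restore steps are assumptions chosen for illustration, and only the task line itself comes from the page.

```yaml
# Added example, not from the WhiteSource Bolt documentation. Everything
# except the WhiteSource Bolt task line is an assumption for illustration.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'   # assumption: a Microsoft-hosted agent image

steps:
  # Restore the project's dependencies before scanning, so the resolved
  # packages are present on the agent when the scan runs (assumption about
  # where the scan looks for components; adjust for your package manager).
  - task: NodeTool@0
    inputs:
      versionSpec: '16.x'
  - script: npm ci
    displayName: 'Restore dependencies'

  # The scan task exactly as the page gives it; it runs only if the
  # preceding restore step succeeded (the default step condition).
  - task: WhiteSource Bolt@19
    displayName: 'WhiteSource Bolt'
```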
Option 2: Creating a Pipeline Without YAML (Classic Editor)
Select the type of repository:
You have the option to export the report by clicking the 'Export Report' button.
Build Configuration for Azure DevOps Server
If you are using a proxy server or a self-hosted build agent, make sure to open communication to the domain "whitesourcesoftware.com" and its subdomains. If your proxy configuration requires authentication, make sure your Azure DevOps Server build agent is configured with those proxy credentials. For further information, see Deploy an agent on Windows.
When you’ve finished with your configurations, click Save on the left side of the screen, followed by clicking OK.
Using WhiteSource Bolt on Azure DevOps Server
Follow these steps to start a new build:
From now on, WhiteSource generates a report each time you execute a build.
Understanding the Reports
You can view WhiteSource Bolt reports at a build or project level (aggregated report of all your builds). WhiteSource Bolt does not offer an account-level report.
Reports are comprised of five sections: Security Analysis, Security Vulnerabilities, License Risks and Compliance, Outdated Libraries and Inventory.
Section 1: Security Analysis
A summary of detected open source vulnerabilities and the libraries that contain them.
Severity Distribution provides a breakdown of the vulnerable libraries according to their severity level.
Aging Vulnerable Libraries displays the length of time elapsed since detected vulnerabilities were first identified in the open source community.
Section 2: Security Vulnerabilities
A table listing all security vulnerabilities.
The Top Fix column lists the top-rated solution that WhiteSource recommends for each vulnerability. A condensed description of the recommended course of action is given, followed by a link to a broader description.
Section 3: License Risks and Compliance
A summary of open source components’ license types.
The License Risk Distribution histogram breaks down the number of licenses by their risk level. Unknown risk level only means the license risk was not analyzed by WhiteSource legal experts.
Section 4: Outdated Libraries
A table listing libraries that have not been updated to their newest available versions.
The Recommendations column lists the course of action recommended by WhiteSource and a link to the library’s homepage.
Section 5: Inventory
An inventory of all open source components detected.
The Licenses column lists licenses detected for each library, and links to their official license descriptions. The reference site that identifies the library’s license type is also linked to or described.
Upgrading to the Full WhiteSource Platform
We hope you enjoy using WhiteSource Bolt, a lightweight product integrated with Azure DevOps Services/Azure DevOps Server. For even greater control over your open source components, consider upgrading to our full WhiteSource platform.