...
WhiteSource Remediate automatically opens fix Pull Requests for vulnerable open-source components, upgrading each one to the lowest non-vulnerable version (the smallest upgrade that clears the vulnerability, which keeps the change as low-risk as possible). Remediate is part of WhiteSource for Developers (Developer Integrations) and is integrated with WhiteSource for GitHub.com, WhiteSource for GitHub Enterprise, WhiteSource for Bitbucket Server and WhiteSource for GitLab. To provide additional capabilities for project dependency health, Remediate is integrated with WhiteSource Renovate (see below for details). Renovate saves time and reduces risk by automating dependency updates in software projects.
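The version-selection rule described above, as an added Python illustration (this is not WhiteSource code): given the versions a registry lists for a package and the advisory ranges that apply to it, pick the lowest version above the currently used one that no advisory matches. The simplified range syntax, the sample version list and the function names are this example's own assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample data (not from the WhiteSource page): the versions a registry
# lists for a package. Advisory ranges use a simplified syntax in this example:
# comparators separated by spaces must all hold, "||" separates alternatives.
AVAILABLE = ["4.17.11", "4.17.15", "4.17.19-beta.1", "4.17.19", "4.17.20", "4.17.21", "5.0.0"]


def vkey(version: str) -> Tuple:
    """Sort key for semver-style strings: numeric core, then pre-release ordering.
    A pre-release sorts below the release it precedes (semver 2.0 rule)."""
    core, _, pre = version.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums = nums + (0,) * (3 - len(nums))  # "4.17" compares equal to "4.17.0"
    if not pre:
        return (nums, 1, ())
    # numeric identifiers compare as integers, alphanumeric ones as strings
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split("."))
    return (nums, 0, ids)


_COMP = re.compile(r"^(<=|>=|<|>|=)?(\S+)$")


def is_vulnerable(version: str, advisory_range: str) -> bool:
    """True if `version` satisfies any '||'-separated clause of the range."""
    for clause in advisory_range.split("||"):
        comparators = clause.split()
        holds_all = bool(comparators)
        for comp in comparators:
            op, target = _COMP.match(comp).groups()
            a, b = vkey(version), vkey(target)
            holds = {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "=": a == b}[op or "="]
            if not holds:
                holds_all = False
                break
        if holds_all:
            return True
    return False


def lowest_fixed_version(current: str, available: List[str], advisories: List[str],
                         allow_prerelease: bool = False) -> Optional[str]:
    """Lowest version strictly above `current` that no advisory matches.
    Returns None when every higher version is still vulnerable (no fix PR possible)."""
    for candidate in sorted(available, key=vkey):
        if vkey(candidate) <= vkey(current):
            continue  # a fix PR only ever upgrades
        if not allow_prerelease and "-" in candidate:
            continue  # do not move production code onto a pre-release
        if any(is_vulnerable(candidate, r) for r in advisories):
            continue
        return candidate
    return None


if __name__ == "__main__":
    print(lowest_fixed_version("4.17.15", AVAILABLE, ["<4.17.19"]))
```

Note the pre-release edge case: `4.17.19-beta.1` is still inside `<4.17.19` under semver ordering, so even with `allow_prerelease=True` the function lands on `4.17.19`, not the beta.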
...
Supported Package Managers

Package Manager | Language | Extra Details
---|---|---
Maven | Java | N/A
Gradle | Java | N/A
Go Modules | Golang | Remediate will update both the
npm/Yarn | JavaScript | WhiteSource Remediate always updates both the package file (e.g. package.json) and any lock file (e.g. yarn.lock) in the same commit/fix Pull Request.
NuGet | .NET | Only SDK-style projects. To convert your .NET Framework .csproj into an SDK-style project, follow this guide.
pip | Python | N/A
pipenv | Python | N/A
poetry | Python | N/A
setuptools | Python | N/A
Composer | PHP | N/A

NOTE: In WhiteSource for GitLab, mirrored repositories are not supported.
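One check a reviewer of these fix PRs may want, as an added Python example that is neither the page's nor the product's own code: confirm that when a manifest changes, the lock file that sits beside it changes in the same PR, which is what the npm/Yarn row above says Remediate does. A manifest bump without its lock file leaves installs resolving to the old, vulnerable pin. The manifest/lock pairs for the other ecosystems, the repository listing and the changed-file set are this example's own assumptions.

```python
import posixpath
from typing import Dict, Iterable, List, Tuple

# Manifest -> lock files that must move with it. The npm/Yarn pairing comes from the
# table above; the remaining pairs are this example's own generalisation to the other
# ecosystems listed (assumption, not a statement from the page).
LOCK_FILES: Dict[str, Tuple[str, ...]] = {
    "package.json": ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock"),
    "go.mod": ("go.sum",),
    "Pipfile": ("Pipfile.lock",),
    "pyproject.toml": ("poetry.lock",),
    "composer.json": ("composer.lock",),
}

# Constructed sample: the repository's file list and the files touched by one fix PR.
REPO_FILES = {
    "package.json", "yarn.lock",
    "packages/api/package.json", "packages/api/package-lock.json",
    "go.mod", "go.sum",
    "pyproject.toml",  # no poetry.lock: this project does not use Poetry
    "README.md",
}
PR_CHANGED = {"package.json", "yarn.lock", "packages/api/package.json",
              "go.mod", "go.sum", "pyproject.toml"}


def incomplete_updates(changed: Iterable[str], repo_files: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return [(manifest, [lock files that exist beside it but were not changed])].

    Only manifests whose directory actually contains a lock file are checked, so a
    pyproject.toml in a non-Poetry project is not flagged. Lock-only changes are not
    flagged either: pinning a transitive dependency legitimately touches only the lock."""
    changed, repo_files = set(changed), set(repo_files)
    findings = []
    for path in sorted(changed):
        directory, name = posixpath.split(path)
        if name not in LOCK_FILES:
            continue
        expected = [posixpath.join(directory, lock) for lock in LOCK_FILES[name]]
        present = [p for p in expected if p in repo_files]
        missing = [p for p in present if p not in changed]
        if present and missing:
            findings.append((path, missing))
    return findings


if __name__ == "__main__":
    for manifest, locks in incomplete_updates(PR_CHANGED, REPO_FILES):
        print(f"{manifest} changed without {', '.join(locks)}")
```

In the sample the root package.json and go.mod are fine, but packages/api/package.json moved without packages/api/package-lock.json, so a CI step built on this would fail the PR.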
...
```json
{
  "remediateSettings": {
    "enableRenovate": true,
    "prBodyDefinitions": {
      "Age": "",
      "Adoption": "",
      "Passing": "",
      "Confidence": ""
    },
    "packageRules": [
      {
        "datasources": ["maven", "npm", "pypi"],
        "updateTypes": ["patch", "minor", "major"],
        "prBodyColumns": ["Package", "Change", "Age", "Adoption", "Passing", "Confidence"]
      }
    ]
  }
}
```
Remediate Worker Horizontal Scalability

To scale Remediate across additional containers so that it processes multiple repositories concurrently, enable Remediate Worker Horizontal Scalability. In this mode the Remediate "worker" logic (which processes repositories) is separated from the Remediate "server" logic (scheduler, job queue and webhook handling), with many workers attached to one server.

The same Remediate Docker image is used for both the Server and the Worker role; the role is selected through environment variables.

If you are already running Remediate, you can keep that existing node as the new "Remediate Server". Set the environment variable REMEDIATE_SERVER_ONLY: 'true' on it and it will run in server-only mode, without running any worker jobs itself. This container remains the one the W4D controller needs to reach, e.g. to deliver webhooks.

Next, configure one or more Remediate Worker containers: start the Remediate image with the environment variable REMEDIATE_SERVER_URL pointing to the Remediate Server's API.

Here is a simple example of two Worker containers and one Server container in Docker Compose syntax. Only the server publishes a port; the workers reach it over the Compose network by service name, so expose port 8080 no more widely than the W4D controller requires:
```yaml
version: '2.2'   # the service-level "scale" key needs Compose file format 2.2 or later
services:
  remediate-server:
    image: wss-remediate
    restart: always
    ports:
      - '8080:8080'
    volumes:
      - './conf/:/etc/usr/local/whitesource/conf/'
    environment:
      REMEDIATE_SERVER_ONLY: 'true'
  remediate-worker:
    image: wss-remediate
    scale: 2
    depends_on:
      - remediate-server
    restart: always
    volumes:
      - './conf/:/etc/usr/local/whitesource/conf/'
    environment:
      REMEDIATE_SERVER_URL: http://remediate-server:8080
```