| Table of Contents |
|---|
...
WhiteSource Advise for IntelliJ IDEA supports Java, Kotlin and Scala projects using Maven (pom.xml dependency files), and supports Java projects using Gradle (build.gradle dependency files).
NOTES:
Gradle Kotlin projects are not supported in WhiteSource Advise.
When using the the "apply from" script plugin in Gradle projects, remote script location is not supported.
...
A valid license for WhiteSource for Developers
A license key for WhiteSource Advise for IDE, available via one of the following options:
If you do not have direct access to the WhiteSource Application, obtain the license key from your WhiteSource Administrator.
If you have access to the WhiteSource Application, do as follows (NOTE: This option is only available when using version 20.11.1 or later of WhiteSource Advise):
Go to the WhiteSource Application.
Open the Profile page.
In the WhiteSource Advise - IDE Integration section at the bottom, select your organization.
Copy your personal license key to be used later in Activating WhiteSource Advise.
Java JDK 1.8 and up (see here for instructions) or OpenJDK 1.8 and up is installed
Depending on whether scanning Maven or Gradle applications, note the following guidelines:
Apache Maven application is installed and the Maven path and all environment variables are set up (see here for instructions).
Gradle application is installed and the Gradle path and all environment variables are set up. NOTE: Gradle version 4.8 or above must be installed.
IntelliJ IDEA is installed and you are familiar with its basic functionality
Supported Versions
The plugin supports
...
IntelliJ IDEA
...
2020.3
2020.2
2020.1
2019.3
2019.2
2019.1
2018.3
2018.2
2018.1
2017.3
2017.2
2017.2 and above (both Community and Ultimate versions). The last tested version is 2021.2.2.
Limitation - Gradle support for the following IntelliJ IDEA versions are not supported on macOS:
2019.1
2018.3
2018.2
2018.1
2017.3
2017.2
Installing WhiteSource Advise
...
Start IntelliJ IDEA.
From the menu bar, select File > Settings. The Settings screen is displayed.
From the left sidebar, click Plugins.
In the Search box, enter whitesource and then press Enter from your keyboard. The WhiteSource Advise plugin information is displayed.
Click Install and then click Restart IDE.
In the pop-up dialog box, click Restart.
Activating WhiteSource Advise
...
Start IntelliJ IDEA, specifying the preferred project.
From the sidebar on the right, click WhiteSource (if you do not see the sidebar, select View >Tool Windows > WhiteSource). The Welcome screen is displayed.
In Email, enter your organizational email (the email domain must be licensed to use Advise).
In License Key, enter your license key (See here for more information on how to obtain a license key).
Click Connect.
...
From the menu bar, select File > Settings. The Settings screen is displayed.
Select Tools > WhiteSource > Project Settings. The Project Settings screen is displayed.
In Scan Results Settings, review the options and modify if necessary. See here for a list of all options.
By default, all settings are inherited from the global-level configuration. To override the specific configuration on project level, clear the Inherit from global settings checkbox.
Click OK.
Options Table
Option | Description | Default Setting |
|---|---|---|
Only show issues for direct dependencies | When enabled, WhiteSource Advise will only return vulnerabilities for direct dependencies defined in your dependency file. | Unselected (not checked) |
Minimum vulnerability severity level | Alert only on detected vulnerabilities satisfying a Low/Medium/High minimum severity level.
| Low |
Scanning a Project for Security Vulnerabilities
...
From the menu bar, select Tools > WhiteSource Advise
From the top toolbar, click the WhiteSource icon
Do as follows:
From the sidebar on the right, click WhiteSource.
From the top, click Advise.
Click Run WhiteSource Advise.
Developer Focus Mode
The Developer Focus Mode allows developers to see only vulnerability alerts that are new in their feature branches compared to a predefined base branch. This promotes the security shift left approach and empowers developers to fix newly introduced vulnerabilities immediately, as part of their feature development efforts and prior to merging vulnerable code into production branches.
To enable Focus Mode, do as follows::
In the WhiteSource Advise project-level configuration, enable the Diff operation to be performed on a base branch checkbox.
Choose the base branch to which all other branch scans will be compared.
Make sure your base branch is checked out, then trigger a WhiteSource Advise scan either manually or by building your project.
In case there was no scan on the predefined base branch after its initial configuration, all branches will show all the scan results, not just the newly created security alerts.
| Info |
|---|
Every time the base branch configuration changes, a WhiteSource Advise scan must be triggered on that branch prior to seeing new security results. |
Vulnerable Commit Alert
An alert can be enabled to notify about newly added vulnerabilities when committing the code inside the IntelliJ. This alert will appear only if the committed feature branches have new vulnerabilities compared to a preconfigured base branch.
To enable a Vulnerable Commit Alert, do as follows:
Enable the Focus Mode (enable the Diff operation, choose the base branch, and trigger a WhiteSource Advise scan).
Go to Setting > Version Control > Commit > Before Commit and make sure that Notify on new OS vulnerabilities is enabled.
In case the feature branch contains new vulnerabilities (that were not presented in the base branch), a pop up will suggest to review the found vulnerabilities or commit anyway.
Reviewing Scan Results
To view scan results, do as follows:
...