Info
This is a Controlled release. For more information, please contact support@whitesourcesoftware.com.

Table of Contents

Introduction

The WhiteSource for GitHub Enterprise is a GitHub Enterprise app, scanning your repositories, as part of your WhiteSource account. It It is an integrated product within GitHub Enterprise that shows a high-level security overview in the GitHub Enterprise repository, detects all open source components and displays all vulnerabilities for these components.

It provides you with information on vulnerable and outdated open source components and generates comprehensive up-to-date reports on the GitHub Enterprise Issues tab of the scanned repository. In addition, you will be able to view the scanned repositories in the WhiteSource portal.

WhiteSource for GitHub Enterprise is part of WhiteSource for DevelopersDeveloper Integrations and includes automated fix Pull Requests as well as Automated Dependency Updates (as part of WhiteSource Renovate) with with WhiteSource Remediate.

Prerequisites

The following requirements must be accommodated before installing the WhiteSource server software.

Access to a working WhiteSource Application and a user with Admin privileges.
The deployment includes two environments:
- Build environment where the image is built.
- Deployment environment where the image is deployed.

Build Environment

Info
The build environment can be the same one as the deployment environment on which the relevant WhiteSource Docker images will be deployed.

The Build Environment has the following requirements:

Hardware Requirements

CPU: Dual Core, 2Ghz or higher (Intel or AMD)
RAM: 16GB
Storage: 16 GB

Environment Requirements

An internet connection for the entire duration of the build procedure.
When using a Container Orchestration Platform (i.e Kubernetes, ECS, Rancher etc.), please make sure you have logs collection in place: ELK, Splunk or similar. If you are not using
an Orchestration
an Orchestration platform for the containers, the logs will be collected in designated folders.
A user with admin privileges: If the operating system is Windows, then you must have administrative privileges. If the operating system is Linux, then you must have root privileges.
Docker server version 18 and above. You can verify the Docker version by entering the following:

Code Block
docker -–version

Software and files delivered by WhiteSource:
- WhiteSource
  Docker distribution
  Docker distribution artifacts that are delivered as a tar.gz or zip file (For example, agent-4-github-enterprise-19.4.2.tar.gz or agent-4-github-enterprise-19.4.2.zip).
- You can obtain these files from WhiteSource Support.

Target Environment

The relevant WhiteSource Docker images are installed on the target environment. This environment requires the following:

Hardware Requirements

CPU: Dual Core, 2Ghz or higher (Intel or AMD)
RAM: 16GB
Storage: 16 GB

Environment Requirements

A user with admin privileges: If the operating system is Windows, then you must have administrative privileges. If the operating system is Linux, then you must have root privileges.
Docker server version 18 and above. You can verify the Docker version by entering the following:

Code Block
docker –-version

Port 5678 must be open at all times. This port will be used to receive webhooks from the GitHub Enterprise Server.
Access to the WhiteSource Application is required at times for operation of the WhiteSource for GitHub Enterprise.

Info

The access to the app can be checked by issuing an HTTP GET request using a web browser or a utility (e.g., cURL, wget):
https://<your-base-url>/healthCheck
(e.g., https://saas.whitesourcesoftware.com/healthCheck)

It is recommended to verify that the returned status is 200 (OK).
This is only a validation URL. Access must be open for all paths and endpoints under the app’s subdomain.

If a proxy server is available, then the following proxy settings need to be obtained:
- URL
- Port number
- Username and password (for authenticated access)
A valid SSL certificate and KeyStore containing the certificate.

User Steps on Build Machine

Prepare for Installation

Download the ‘tar.gz’ file (‘agent-4-github-enterprise-<version>.tar.gz’) for Linux or 'zip' file Windows (‘agent-4-github-enterprise-<version>.zip’)

Installation and Configuration

In Windows, extract 'agent-4-github-enterprise-<version><version>.zip’ to an empty directory. In Linux, extract ‘agent-4-github-enterprise<version>.tar.gz’ to an empty directory.
The extraction creates the following folders:

‘wss
wss-
configuration’
configuration: UI Configuration tool and related configuration file template
'
wss-deployment
'
: Deployment template (for example, deploying the integration using Helm charts)
‘wss
wss-ghe-
app’
app: WhiteSource GitHub Enterprise server application
'
wss-remediate
'
: WhiteSource Remediate worker
‘wss
wss-
scanner’
scanner: WhiteSource GitHub Enterprise repository scanner
‘build
build.
sh’
sh/
’build
build.
bat’
bat (Linux/Windows): The build script that will build the relevant Docker images.

Modifying the Scanner Dockerfile

See here See here for more information on which package managers are part of the scanner image as well as how to add additional package managers.

Build and Tag the Docker Images

There are three different ways of building the Docker images.

Info
A total of 3 three images will be built: 'wss-ghe-app', 'wss-scanner', and 'wss-remediate'.

1. Using an Executable Script File

The suggested way to build all the Docker images is by running the 'build.bat' or 'build.sh' executable script file (Windows/Linux).
Both files are located in the root of the extracted agent-4-github-enterprise-<version><version>.zip or agentor agent-4-github-enterprise-<version><version>.tar.gz files.For

Windows

...

Run
...
build.bat
...
file which is located in the main folder where you extracted the
...
agent-4-github-enterprise
...
zip file.
In order to ensure that the build succeeded, run
...
docker images
...
command and check
...
if wss-ghe-app
...
and
...
wss-scanner
...
and
...
wss-remediate
...
images were created.
...

Linux

...

Run
...
the build.sh
...
file
...
, located in the main folder where you extracted the
...
agent-4-github-enterprise
...
tar.gz file.
In order to ensure that the build succeeded, run
...
the docker images
...
command and check
...
if wss-ghe-app
...
and
...
wss-scanner
...
and
...
wss-remediate
...
images were created.

2. Manually Build the Images

In case you want to run the steps of the ' build ' file manually, you can run the following commands directly:

IMPORTANT: (if If you have already run the ' build ' file, please skip these steps and continue to 'Target machine: Run the Images' step).

Code Block

docker build -t wss-ghe-app:<version> wss-ghe-app/docker
docker build -t wss-scanner:<version> wss-scanner/docker
docker build -t wss-remediate:<version> wss-remediate/docker

# For example:
docker build -t wss-ghe-app:19.5.2 wss-ghe-app/docker
docker build -t wss-scanner:19.5.2 wss-scanner/docker
docker build -t wss-remediate:19.5.2 wss-scanner/docker
docker build .5.2 wss-remediate/docker

NOTE: From version 21.5.1, the Remediate Dockerfile supports both Ubuntu 18.04 and Ubuntu 20.04-compatible images. The base image can be changed using the BASE_IMAGE build argument. e.g.

Code Block
docker build --build-arg BASE_IMAGE=ubuntu:18.04 -t wss-remediate:1921.5.21 wss-remediate/docker

3. Using a Docker Registry

If you are using a private Docker Registrythen , run the following commands to push the images into your registry:

Code Block

docker push <registry>/wss-scanner:<version>
docker push <registry>/wss-scanner:<version>
docker push <registry>/wss-remediate:<version>

# For example:
docker push my-registry/wss-scanner:19.5.2
docker push my-registry/wss-scanner:19.5.2
docker push my-registry/wss-remediate:19.5.2

After executing the commands, you should be able to view the images in your registry.

Create a WhiteSource GitHub App

Go to your GitHub enterprise instance
→
, select Settings
→
> Organization, and then select
'
GitHub Apps
'
from the Developer settings
Click the New GitHub app button.
Enter your GitHub Enterprise password.
The Register new GitHub App page is displayed.
Fill in the fields according to these guidelines:
1. GitHub App name: “WhiteSource App”. NOTE: The name cannot contain an underscore (“__”).
2. Description: WhiteSource for GitHub Enterprise
3. Homepage URL: “https://www.whitesourcesoftware.com”
4. User authorization callback URL: empty
5. Setup URL (optional): empty
6. Webhook URL: A valid URL pattern. This is a temporary value that is changed at a later stage of the installation process.
7. Webhook secret: Generate and enter a secret value (string) and make sure you copy this value somewhere. You will need it for later.
8. Permissions:
  NOTE: Permission fields that are not specified below should be left as is ("No access")
  1. Repository administration: Read-only
  2. Checks: Read & write
  3. Repository contents: Read & write
  4. Deployments: Read-only
  5. Issues: Read & write
  6. Repository metadata: Read-only
  7. Pages: Read & write
  8. Pull requests: Read & write
  9. Repository webhooks: Read-only
  10. Repository projects: Read & write
  11. Security vulnerability alerts: Read-only
  12. Commit statuses: Read & write
  13. Organization members: Read-only
  14. Organization projects: Read & write
  15. Organization hooks: Read-only
9. Subscribe to events: Select the following events:
  i. Check run
  ii. Check suite
  iii. Issues
  iv. Member
  v. Membership
  vi. Organization
  vii. Pull request
  viii. Push
  ix. Team
  x. Team add
10. Where can this GitHub App be installed? It is recommended to select 'Any account', so that any GitHub Organization can install this App. Alternatively, you can limit it to your own organization.
Click the Create GitHub App button.
(Optional) Edit the GitHub App and upload a logo for your App.

Fill in fields in WhiteSource 'Integrate' Page

Open a separate browser tab or window and log in to WhiteSource

Navigate to the 'Integrate' page of the WhiteSource application. Expand the 'WhiteSource for GitHub Enterprise' bar to view the following fields:
1. GitHub URL: Your GitHub Enterprise instance Destination URL. For example: https://GitHubEnterprisedev.com.
2. GitHub API URL: The GitHub URL value plus '/api/v3' - <GitHub URL>/api/v3
3. GitHub application id: From the GitHub Enterprise server UI, go to Settings > Organization Settings > WhiteSource > GitHub Apps. Click Edit next to the GHE icon.
  Scroll
  Scroll to the About section. Copy the GitHub ID value and paste it as the GitHub application id input field value.
  Leave this page open in Edit mode, as you will need it for the next field (Github webhook secret).
4. Github webhook secret: Paste the webhook secret that you generated as part of the Install the GitHub Application step.
5. GitHub application private key: In the Private key section, click Generate private key. Save the private_key.pem file that is generated. Open this file in any editor and copy its contents. Paste the contents in the GitHub application private key input field. NOTE: The key is encrypted and its value is not revealed to WhiteSource.
Click on Get Activation Key to generate your activation key. A new Service user is
created for
created for this integration inside the WhiteSource Application with a WS prefix. NOTE: Do not remove this Service user and ensure this user remains part of the Admin group.
Copy the generated Activation Key to the clipboard. You will need to use it in the next section.

Configuring Deployment Settings

Run the UI configuration tool from the wss-configuration Directory

The UI Configuration tool enables tool enables you to configure the deployment file according to your specific configuration requirements.

Open the file index.html located inside the wss-configuration directory via a Chrome or Firefox Web browser. The WhiteSource Configuration Editor page is displayed.
Load the template JSON configuration file by clicking Choose File button and selecting the file located at wss-configuration/config/prop.json. The General tab appears in the Editor.
Click the General tab and enter the Activation Key which you copied in the previous section.
To display the Proxy tab, click the Advanced Properties checkbox on the Home tab. Proxy fields that are not mandatory (e.g., user name and password) must be left blank.
Click Export, and save the JSON file with the name prop.json. This file will be used in the next sections.

Info

You can export the JSON file at any time, even if you did not finish editing it in order to save your configurations and to enable assigning the configuration of a specific section to the appropriate professional in your organization (e.g., data source section may be assigned to the DBA of your organization).

When exporting the configuration file, it is important to give it the filename "prop.json".

Details on Attributes of the Configuration File

Section	Label	Name	Type	Mandatory	Description	Sample Value
General	Activation Key	bolt.op.activation.key	String	yes	Your generated activation key in the WhiteSource application
Proxy	HTTP Proxy Host	proxy.host	Host Address	no	HTTP proxy host. Leave blank to disable. Default value: Empty
Proxy	HTTP Proxy Port	proxy.port	Integer	no	HTTP proxy port. Leave blank to disable. Default value: Empty
Proxy	Proxy User	proxy.user	String	no	Proxy Username (if applicable)	user
Proxy	Proxy Password	proxy.password	String	no	Proxy Password (if applicable)	abc123
Advanced	Controller URL	controller.url	String	no	The ability to modify the App container URL in case its default name (wss-ghe-app) was modified. Default value:

http

http://wss-ghe-app:5678	http://wss-ghe-app:5678
Issues	Should Create Issues	bolt4scm.create.issues	Boolean	no	The ability to globally enable/disable Issues creation across all of your organization's repositories. Default value: true (NOTE: Supported from version 20.5.1.3 only)
Issues	Should Create Build Status	bolt4scm.create.check.runs	Boolean	no	The ability to globally enable/disable build statuses across all of your organization's repositories.

Default

Default value: true
(NOTE: Supported from version 20.5.1.3 only)

Target Machine: Run the Containers

Deploying Using Docker

On the target environment, create a directory (e.g., ‘<path/to/config/dir>’) and add to it the the configuration properties JSON file (prop.json) that you previously edited and exported using the Configuration Editor.
Then, you will need to create a network bridge and run the following Docker containers by using Docker or Kubernetes.

Create a network bridge (this will create a private network between the different containers, since all containers need to run within the same network):

Code Block
docker network create -d bridge my_bridge

Run the 'wss-ghe-app' app container:

Code Block

docker run --name wss-ghe-app --network my_bridge -p 9494:9494 -p 5678:5678 -v <path/to/config/directory>:/etc/usr/local/whitesource/conf wss-ghe-app:<version>

# For example:
docker run --name wss-ghe-app --network my_bridge -p 9494:9494 -p 5678:5678 -v c:/tmp/ghe/:/etc/usr/local/whitesource/conf/ wss-ghe-app:19.5.2

Run the ‘wss-scanner’ scanner container:

Code Block

docker run --name wss-scanner-ghe --restart=always --network my_bridge -p 9393:9393 -v <path/to/config/directory>:/etc/usr/local/whitesource/conf/ wss-scanner:<version>

# For example:
docker run --name wss-scanner-ghe --restart=always --network my_bridge -p 9393:9393 -v c:/tmp/ghe/:/etc/usr/local/whitesource/conf/ wss-scanner:19.5.2

...

Code Block

docker run --name remediate-server --network my_bridge -e LOG_LEVEL=debug -p 8080:8080 -v <path/to/config/directory>/prop.json:/etc/usr/local/whitesource/conf/prop.json -v /tmp:/tmp wss-remediate:<version>

# For example:
docker run --name remediate-server --network my_bridge -e LOG_LEVEL=debug -p 8080:8080 -v c:/tmp/ghe/prop.json:/etc/usr/local/whitesource/conf/prop.json -v /tmp:/tmp wss-remediate:19.5.2

title

Info

Changing Remediate Server Port

If port 8080 is not available, you can use a different port by modifying only the first port entry in the 'docker run' command. For example:

docker run --name remediate-server --network my_bridge -e LOG_LEVEL=debug -p 8082:8080 -v c:/tmp/ghe/prop.json:/etc/usr/local/whitesource/conf/prop.json -v /tmp:/tmp wss-remediate:19.5.2

Deploying Using Helm Charts

The wss-deployment folder consists of the following structure:

helm
- configs
- templates
  - config.yaml
  - wssScmIntegration.yaml
- Chart.yaml
- values.yaml

Copy the helm folder from wss-deployment to your target environment. Inside the helm/configs folder, add the add the configuration properties JSON file (prop.json) that you previously edited and exported using the Configuration Editor.

Chart.yaml

This file contains information about the chart.

NOTE: Do not edit this file.

Values.yaml

This file represents the WhiteSource integration image names and versions.

Code Block
wsscanner:

...


  image: {image}

...


  version: {version}

...



wsscontroller:

...


  image: {image}

...


  version: {version}

...



wssremediate:

...


  image: {image}

...


  version: {version}

For each image declaration (wssscanner, wsscontroller, wssremediate), replace {image} and {version} with the actual built image name and version. NOTE: For wsscontroller, use the name and version of the wss-ghe-app image.

An optional parameter, imagePullSecrets imagePullSecrets, can be added to this file in case Docker repository authentication is required.

configs/prop.json

In the helm folder, create a new folder named configs, and and add to it the the configuration properties JSON file (prop.json) that you previously edited and exported using the Configuration Editor.

templates/config.yaml

This is a configuration file pointing to the configs/prop.json file.

NOTE: Do not edit this file.

templates/wssScmIntegration.yaml

This is a configuration file containing all the parameters for deploying the integration.

NOTE: In this file, there there are 3 dashes ("- - - ") that separate the services Do not remove them.

In order for the webhook URL to be accessible publicly by the integration, a load balancer service must be added to the file. An example of such a service is provided below:

Code Block
apiVersion: v1

...


kind: Service

...


metadata:

...


  name: lb1

...


  namespace: acme

...


  annotations:

...


    external-dns.alpha.kubernetes.io/hostname: helm.acme.io

...


    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http

...


    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"

...


    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"

...


    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-7:834027593108:certificate/4720e07a-a231-4fd5-9c4a-12ab1450567d

...


spec:

...


  type: LoadBalancer

...


  ports:

...


  - port: 443

...


    name: https

...


    targetPort: 5678

...


  selector:

...


    app: wss-controller

Provide GitHub App Webhook URL

At this stage you should replace the temporary webhook URL with the permanent webhook URL.

Edit the App settings.
1. Enter the webhook URL in the following format:
  http://<docker-wss-ghe-app-destinationURL>:5678/payload.
2. Click on the 'Save Changes' button.

Select Accounts and Repositories

Copy and navigate to the "public link" of the created app and click the Configure button.
Select Accounts to scan.
If you are integrating multiple repositories and want to apply global configurations, refer here before continuing in this procedure.
Select repositories to scan in each selected account.
Select
Select one of the following options:
1. All Repositories (Default): An option to scan all the repositories of the account.
2. Selected repositories only: Select specific repositories that you would like to scan.
Click Save. Unless specified otherwise via the global configuration, an onboarding pull request is created for the selected repositories. This request contains a WhiteSource configuration file (.whitesource) that can be customized before merging the pull request. Once the pull request is merged, a WhiteSource scan will be initiated.

The .whitesource File

A WhiteSource configuration file (.whitesource) is a JSON file added to each repository that is enabled for a scan. It provides configurable parameters for the WhiteSource scan. The .whitesource file is only added in the default branch of the repository (unless modified, it is the master branch).

.whitesource file

Code Block

language	js

...

{
  "scanSettings": {
    "configMode": "AUTO",
	"configExternalURL": "" 
    "projectToken": "",
	"baseBranches": []
  },
  "checkRunSettings": {
    "displayMode": "diff",
    "vulnerableCheckRunConclusionLevel": "failure"
  },
  "issueSettings": {
    "minSeverityLevel": "LOW"
  }
}

Parameters

Global Settings

Parameter

Type

Description

Required

Default

settingsInheritedFrom

String

When the global configuration is enabled, this parameter will specify the location of the whitesource-config repository from which it will inherit its configuration. It must contain the GitHub user name, repository name and branch (optional) of the repo-config.json file location. The default branch is 'master', but can be modified according to the location of the repo-config.json file in the whitesource-config repo.

NOTE: You can override specific parameters that are relevant only in the specific repository by adding these after this parameter.

Examples:

Using only values defined in the global configuration:

Code Block

language	js

"settingsInheritedFrom": "whitesource/whitesource-config@master"

Using values defined in the global configuration and overriding the scan settings parameters:

Code Block

language	js

"settingsInheritedFrom": "whitesource/whitesource-config@master", 
"scanSettings": {
  "projectToken": "12345",
  "baseBranches": ["master","integration"]
}

No

N/A

Scan Settings (scanSettings)

Parameter	Type	Description	Required	Default
configMode	String	The configuration mode to be used for each scan. There are three options: AUTO - Automatic mode. This will use the default WhiteSource configuration. LOCAL - Local mode. This will look for a local 'whitesource.config' file to be provided in the root folder of the current repository. The configuration file should be in the same format as the Unified Agent configuration file. NOTE: Not supported in the Global Configuration. EXTERNAL - External mode. This will look for a configuration file specified according to the configExternalURL parameter.	No	Auto
configExternalURL	String	The URL of the external configuration file (you can choose any filename). The configuration file content should be in the same format as the Unified Agent configuration file. The following protocols are supported: 'ftp://', 'http://', 'https://'. For example: 'https://mydomain.com/whitesource-settings/wss-unified-agent.config' Note: This parameter is relevant only if configMode was set to EXTERNAL.	No	Empty
projectToken	String	Adds the ability to map a GitHub repository to a WhiteSource project. The parameter used needs to be the WhiteSource project token. NOTE: Not supported in the Global Configuration.	No	Empty
baseBranches	Array	Adds the ability to specify one or more base branches for which scanning results will be sent to a new WhiteSource project. Example usage: ["master", “integration"] This will set both master and integration branches as base branches. Note the following: An Issue will only be created for the specified branch names. Repositories which do not contain the baseBranches parameter will have issues generated for all branches. For each specified branch, a WhiteSource project will be created. The name of the project will contain a suffix "_branchname". For example, MyApp_dev. This suffix will not apply to the default branch. NOTE:

This

This parameter is available only from version 20.7.1.

No

Empty

In this case, the base branch only consists of the default branch.

enableLicenseViolations

Boolean

When enabled, a

new

new WhiteSource License Check

will

will be generated for each valid push.

NOTES:

This parameter is available only from version 20.11.2.
You must have it least one policy of match

type

type By License Group defined with

a Reject action in the WhiteSource UI.The policy name in the WhiteSource UI must start with a "[License] " prefix.
For example, "[License] PolicyName"

a Reject action in the WhiteSource UI.
The policy name in the WhiteSource UI must start with a "[License] " prefix.
For example, "[License] PolicyName".

No

false

enableIaC

Boolean

When enabled, a new WhiteSource IaC Check will be generated for each valid push. This will scan cloud infrastructure configurations to find misconfigurations before they are deployed, and alert on these via the creation of issues.

NOTES:

Only Terraform configuration files are currently supported.
When enabled, after every valid push, a branch (ws-iac-scan-results/{whitesource_scan_token}) is temporarily created and deleted after the scan has completed.

No

false

Check Run Settings (checkRunSettings)

Parameter

Type

Description

Required

Default

displayMode

String

How to display WhiteSource security information for a scan performed on a non-base branch:

When set to diff - Only the diff of detected vulnerabilities between the current commit and its base branch commit will be displayed. NOTE: This value is only supported when using the baseBranches configuration.
When set to baseline - A summary of all detected vulnerabilities in the full repository inventory will be displayed.

No

diff

vulnerableCheckRunConclusionLevel

String

The app utilizes the GitHub Checks API that provides checks in commits and pull requests on any repository branch. This parameter defines

the conclusion status for

the conclusion status for when a WhiteSource Security Check is completed.

When the parameter is set to 'success', the conclusion status of

a WhiteSource Security Check will

a WhiteSource Security Check will always be 'Success', even if the check fails. This way, any repository member is able to merge a pull request, even if a WhiteSource Security Check found security vulnerabilities.

When the parameter is set to 'failure' (default),

the

the conclusion status of a WhiteSource Security

Check will

Check will be 'Failure' in cases

where WhiteSource

where WhiteSource Security Check found security vulnerabilities or an error occurred during the scan. When this configuration is defined, and a branch protection rule has been added, a policy for approving a pull request is enforced. In this setting, only the administrator of the repository can approve the merging of a pull request that contains one or more checks with a 'Failure' status.

Issue Settings (issueSettings)

Parameter

Type

Description

Required

Default

minSeverityLevel

String

Enables users to decide whether to open a new GitHub Issue only if a certain severity level is available on a detected vulnerability.

Available values for minSeverityLevel:

NONE - No GitHub Issues will be generated.
LOW - Any Low/Medium/High vulnerabilities found will generate a GitHub Issue.
MEDIUM - Any Medium/High vulnerabilities found will generate a GitHub Issue.
HIGH - Any High vulnerabilities found will generate a GitHub Issue.

NOTE: The WhiteSource Security Check summary is also affected by this parameter.

No

LOW

displayLicenseViolations

Boolean

Whether to generate an Issue for every detected license policy violation.

NOTE: This parameter is relevant only if

enableLicenseViolations

enableLicenseViolations (scanSettings) is set to true.

No

true

(only if

enableLicenseViolations

enableLicenseViolations (scanSettings) is set to true)

Remediate Settings (remediateSettings)

Parameter

Type

Description

Required

Default

enableRenovate

Boolean

When enabled, Remediate will raise automated Pull Requests for outdated dependencies in addition to Pull Requests remediating vulnerable dependencies. Remediate will then perform all the functionality and support all the configuration options available in WhiteSource Renovate.

See Renovate configuration options

for

for all configuration options.

Refer here for parameter usage.

No

false

transitiveRemediation

Boolean

Whether to enable transitive remediation for NPM repos.

When npm v6 (npm v7 is not currently supported) is used with a package-lock.json file, and vulnerabilities are found within transitive dependencies in the file, then in most cases Remediate is able to successfully remediate the vulnerability. Sometimes it may not be possible to successfully remediate because a parent dependency does not yet have a new release that allows the necessary fixed-in version of the transitive dependency.

No

false

Providing a Global .whitesource Configuration File

NOTE: Supported from version 20.5.1.3 only

You can provide a custom .whitesource configuration file as part of the wss-ghe-app container, in order to apply it globally to all of your organization's repositories. Doing so will apply the file to all onboarding pull requests for newly-selected repos. Repos which were already selected and activated before this change will not be affected by this global configuration. Only newly onboarded repos will be affected.

To apply this global change, do as follows:

Stop the wss-ghe-app container.
In the "wss-ghe-app/conf" folder, add your custom “.whitesource” file (where the prop.json file is located).
Start the wss-ghe-app container.

Initiating a Scan

A WhiteSource scan is initiated via a valid GitHub push command . A valid push command meets meets at least one of the following requirements:

One of the commits in the push command added/removed a source file(s) that has an extension supported by WhiteSource.
Refer to the WhiteSource Languages page in order to find out whether or not a specific language and its extensions are supported.
One of the commits in the push command includes an addition/modification of the package manager dependency file(s).
Refer to the list of supported dependency files to find out whether your dependency files are supported.

NOTE: a push command

...

may consist of multiple commits.

Viewing Details of the Scan

Results can be viewed in the following places:

The Issues tab within the GitHub project.
The WhiteSource Security/License/IaC Check within the GitHub project's Commits tab.
The WhiteSource UI.
Via email notifications.

Viewing the Issues Tab

If you are performing Pull Requests or push commands via the Web browser, refresh your Web browser in order to view the issues that were generated by WhiteSource. NOTE: It may take a number of minutes for the issues to be scanned and displayed after a valid push command is initiated.

...

Viewing Details of an Issue

See here for more information.

Viewing WhiteSource Security Checks

Status Check indicators are displayed for each head commit on the Commits sub-tab of the Code tab. Clicking a specific indicator opens a pop-up window that displays further details on the status:

Clicking the Details link in the popup window displays the WhiteSource Security Check page for the selected head commit. The page includes the conclusion status of the head commit along with a Security Report.

The security report displays all the vulnerabilities that were found in descending order according to the severity and CVSS score. The following information is displayed for each vulnerability:

CVE: A link to the related CVE page for the vulnerability. Displayed in a collapsible format (click the arrow to expand/collapse for more information regarding the vulnerability).
Severity: Overall score of the severity (High, Medium or Low).
CVSSScore
Vulnerable Library
Suggested Fix
Issue - A link to the relevant issue generated by WhiteSource (when available)

Types of Indicators

The following Checks API status indicators are available as a feedback on the head commits:

Queued:
Scan
Scan has not begun and is scheduled to begin.
- In progress:
  Scan
  Scan is in progress.
- Completed:
  Scan
  Scan completed with one of the following conclusions:
  - Success: When the parameter 'vulnerable.check.run.conclusion.level' is set to 'success', the status of the head commit is always success A 'Success' status is displayed for the commit even when it fails.
  - Failure: Default for all completed scans.
    When
    When the parameter 'vulnerable.check.run.conclusion.level' is set to 'failure' (default), the status of a 'failed' head commit is 'failure', and a policy for approving merging pull requests that include failed head commits with
    the another
    the another branch in the
    repository is
    repository is enforced. Note that a 'failed' status can be caused due to security vulnerabilities or due to an error that occurred during the scan.
  - Neutral: Conclusion Conclusion occurs when the push command was not valid.

...

The following is a sample of a 'Queued' status, which indicates that the security check is about to start scanning the head commit's vulnerabilities.Image Removed

...

In Progress

The following is a sample of an 'In-Progress' status, which indicates that the security check is currently scanning the head commit.Image Removed

...

Completed with Success Conclusion

This status can be displayed in two scenarios:

When the parameter 'vulnerable.check.run.conclusion.level' is set to 'success' or 'failure', and a 'success' status is provided for the scan, since no vulnerabilities were found and no errors occurred during the scan for this head commit. In this case, the merging of a pull request that includes this commit to another branch in the repository is automatically approved.

Image Modified
When the parameter 'vulnerable.check.run.conclusion.level' is set to 'success'. In this configuration, even a 'failed' status for a head commit's scan is converted to 'success'. In this case, the merging of a pull request that includes this head commit to another branch in the repository is automatically approved.

The following screenshot displays a 'success' indicator for a commit that includes an error that occurred during the scan, since the parameter 'vulnerable.check.run.conclusion.level' is set to 'success'. In this case, the merging of a pull request that includes this head commit to another branch in the repository is automatically approved.

Image Modified

Completed with Failure Conclusion

When the parameter 'vulnerable.check.run.conclusion.level' is set to ''failure', all head commits that fail the scan due to the security check or due to an error that occurred during the scan display a 'failure' status. In this case, only the administrator of the repository can approve merging a pull request that includes this head commit to another branch in the repository, and therefore, it will not be automatically merged.

The following screenshot is a sample of the display in a pull request page when a 'failure' policy is enforced and one or more of its head commits have a 'failure' status. Only the administrator of the repository can approve the merging of a pull request with a 'failure' status:Image Removed

...

Completed with Neutral Conclusion

A neutral conclusion occurs in the following scenario:

The push command was not valid. See the Initiating a Scan section for more information on valid commands.

Image Modified

Viewing WhiteSource License Checks

In the Commits tab you can view the status and results of each scan. Click a specific build icon in order to view the Builds page.

Types of Indicators

The following commit status indicators are available as feedback on the head commits:

Success: No license policy violations were detected.
Failed: One or more license policy violations were detected during the WhiteSource scan.

Viewing WhiteSource IaC Checks

In the Code > commits page you can view the status and results of each scan. Click a specific check icon in order to view the WhiteSource check.

Types of Indicators

The following commit status indicators are available as feedback on the head commits:

Success: No license policy violations were detected.
Failed: One or more license policy violations were detected during the WhiteSource scan.

Viewing Details in the WhiteSource UI

In the WhiteSource UI, WhiteSource projects will have the same name as the corresponding GitHub repository, with a "GH_" prefix, unless otherwise specified in the .whitesource file using a project token.
The name of the WhiteSource product will be the same as that of the GitHub organization preceded by a "GH_" prefix if the GitHub repository is under a GitHub organization. Otherwise, the name will be your GitHub username preceded by "GH_".

...

After a WhiteSource scan is performed, a separate email message is sent for each generated Issue, with information on the vulnerability or license policy violation that was detected.

NOTE: The information in the email message is identical to the displayed information on the Issues tab.

Accessing Scan Statistics via API

...

Initiating a Merge Policy

Overview

A merge policy utilizes the app's integration with GitHub Checks API. It enables the repository's administrator to approve the merging of a pull request with 'Failed' commit statuses to a target branch target branch in the repository.
For more information on Checks API, see the related GitHub Checks API introduction page.

NOTE: This integration supports merge policies for PRs created either from a branch in the same repository or originating from a different repository.

Adding a Branch Protection Rule

In order to enable a merge policy based on the conclusion of a WhiteSource Security Check, you must initially add the following GitHub rule for branch protection:

Go to the repository 'Settings' → 'Branches'.
Click on the 'Add Rule' button.
Apply the rule to a specific branch or enter '*' to apply the rule to all branches:
Select the following checkboxes:
1. 'Require status checks to pass before merging'.
2. If you cannot view this setting, then modify the '.whitesource' file, and perform a commit. Wait for the scan to complete and then refresh the GitHub settings page until you can view this setting.

Upgrading to the Latest Docker Images

Get the latest WhiteSource for GitHub Enterprise version from WhiteSource Support.
Build these three Docker images from the new version - see here.
- wss-ghe-app
- wss-scanner
- remediate-server
Stop currently-running Docker containers from the previous version:
Code Block
docker stop <wss-ghe-app> <wss-scanner> <remediate-server>
Remove the Docker containers from the previous version:
Code Block
docker rm <wss-ghe-app> <wss-scanner> <remediate-server>
Fetch the activation key from the existing prop.json file (the propertyValue associated to the property "bolt.op.activation.key") and copy it to the clipboard.
Generate and save the new prop.json file by following the steps here and using the activation key value that was just copied.
Run the containers - see here.
(Optional) If the new wss-ghe-app container has a different URL than the previous container, then follow the guidelines here to update the GitHub App webhook URL.

NOTE: From version 20.4.2. the remediate-db image and container are not required anymore. If you are upgrading from a previous version, you can stop the container and remove the image as part of step 3.

...

You can easily uninstall this app by doing the following:

Go to the 'Applications' section of your GitHub's account settings, and click on the 'Configure' button next to the 'WhiteSource App' application.
The 'WhiteSource Bolt for GitHub' page opens. Scroll down in order to view the 'Uninstall WhiteSource App' button.
Click on the 'Uninstall' button. Uninstalling WhiteSource
App removes
App removes it from all your repositories.
Optionally, go to 'Authorized GitHub apps' tab, and click the 'Revoke' button next to the 'WhiteSource App' app.

Page Comparison

Versions Compared

Old Version 196

New Version 204

Key

Introduction

Prerequisites

Build Environment

Hardware Requirements

Environment Requirements

Target Environment

Hardware Requirements

Environment Requirements

User Steps on Build Machine

Prepare for Installation

Installation and Configuration

Modifying the Scanner Dockerfile

Build and Tag the Docker Images

1. Using an Executable Script File

Windows

Linux

2. Manually Build the Images

3. Using a Docker Registry

Create a WhiteSource GitHub App

Fill in fields in WhiteSource 'Integrate' Page

Configuring Deployment Settings

Run the UI configuration tool from the wss-configuration Directory

Details on Attributes of the Configuration File

Target Machine: Run the Containers

Deploying Using Docker

Changing Remediate Server Port

Deploying Using Helm Charts

Chart.yaml

Values.yaml

configs/prop.json

templates/config.yaml

templates/wssScmIntegration.yaml

Provide GitHub App Webhook URL

Select Accounts and Repositories

The .whitesource File

.whitesource file

Parameters

Global Settings

Scan Settings (scanSettings)

Check Run Settings (checkRunSettings)

Issue Settings (issueSettings)

Remediate Settings (remediateSettings)

Providing a Global .whitesource Configuration File

Initiating a Scan

Viewing Details of the Scan

Viewing the Issues Tab

Viewing Details of an Issue

Viewing WhiteSource Security Checks

Types of Indicators

In Progress

Completed with Success Conclusion

Completed with Failure Conclusion

Completed with Neutral Conclusion

Viewing WhiteSource License Checks

Types of Indicators

Viewing WhiteSource IaC Checks

Types of Indicators

Viewing Details in the WhiteSource UI

Accessing Scan Statistics via API

Initiating a Merge Policy

Overview

Adding a Branch Protection Rule

Upgrading to the Latest Docker Images