Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 20 Current »

Overview

This integration does not support Azure DevOps Server (TFS) installations.

The WhiteSource Bolt extension enables you to do the following:

  • Detect and remediate vulnerable open source components

  • Generate a comprehensive open-source inventory report per build

  • Enforce open source license compliance, including dependencies’ licenses

NOTE: WhiteSource only stores and generates a report for the latest build data of a particular pipeline definition.

Support for Languages and Package Managers 

WhiteSource Bolt supports languages and package managers that are supported today by the Unified Agent (over 200 languages).

Note the following limitations:

  • Docker image scanning is not supported.

Prerequisites

Ensure the following:

  • Your Azure DevOps organization is connected to an Azure Active Directory via Organization Settings > Azure Active Directory.

  • You do not have any existing WhiteSource extensions installed. If so, these must be uninstalled.

  • An activation key is required for adding this extension to more than one Azure DevOps organization. You can obtain this activation key from the Integrate page within your WhiteSource Essentials trial. This also means that once the Essentials trial is over, you will no longer be able to install Bolt on additional Azure DevOps organizations.

  • If you are using a self-hosted build agent, note that running it behind a web proxy is not currently supported.

Installing the Extension

To install the extension, do as follows:

  1. Click here to access the Visual Studio Marketplace. The WhiteSource Bolt extension page is displayed.

  2. Click Get it free and follow the installation procedure.

Activating the Extension

To activate the extension, do as follows:

  1. Inside your Azure DevOps organization, open any of your projects. If you do not have any projects, create one before proceeding.

  2. In the project page, from the sidebar, click Pipelines. The Pipelines page is displayed.

  3. From the sidebar, click WhiteSource Bolt.

  4. In the WhiteSource Bolt page, an activation form enabling you to create your WhiteSource account is displayed.

  5. Enter the following details:

    • First name

    • Last name

    • Work email

    • Company name

    • Phone Number (optional)

    • Country

  6. Click Create Account.

Adding a WhiteSource Bolt Build Task to Your Pipeline

To add a WhiteSource Bolt build task to your existing pipeline, do as follows:

  1. Go to the relevant Azure DevOps project for which you want WhiteSource Bolt to run.

  2. Inside your Azure DevOps project, from the sidebar, click Pipelines. The Pipelines page is displayed.

  3. Click the relevant pipeline. The specific pipeline page is displayed.

  4. Click Edit. Do one of the following procedures:

This activates the WhiteSource integration on your build pipeline.

NOTE: Adding a pre-step build task is not necessary in order for WhiteSource to successfully scan the build repository. WhiteSource by default runs a pre-step command as part of the WhiteSource Bolt task.

Adding a Build Task to a YAML Pipeline

  1. In the pipeline edit page, from the right side, click Show assistant. The Tasks sidebar is displayed.

  2. In the search bar, enter whitesource. The WhiteSource task is displayed.

  3. Click the WhiteSource Bolt task.

  4. From the bottom right corner, click Add. The WhiteSource Bolt task is added to the pipeline.

    - task: WhiteSource@21
      inputs:
        cwd: '$(System.DefaultWorkingDirectory)'
  5. (Optional) To specify the name of the WhiteSource project to be created in WhiteSource Essentials, add the following to the WhiteSource task. In the following example, replace New_Project_Name with the name you want to give your WhiteSource project:
    NOTE: You cannot change the project name after the first build run.

    - task: WhiteSource@21
      inputs:
        cwd: '$(System.DefaultWorkingDirectory)'
        projectName: 'New_Project_Name'
  6. Click Save & queue.

NOTE: The WhiteSource task can be moved to other locations within the steps section, depending on your preferences.

Adding a Build Task to a Classic Pipeline

  1. To add a task to the Agent Job, click the plus (“+”) sign next to the agent job section. The Add Tasks section is displayed.

  2. In the search bar, enter whitesource. The WhiteSource Bolt task is displayed.

  3. Click the WhiteSource Bolt tab, and then click Add. The WhiteSource Bolt task is added to the pipeline.

  4. (Optional) To specify the name of the WhiteSource project to be created, enter the name in the Project name field.
    NOTE: You cannot change the project name after the first build run.

  5. Click Save & queue.

NOTE: The WhiteSource task can be moved to other locations within the steps section, depending on your preferences.

Viewing the WhiteSource Bolt Report

The WhiteSource Bolt report is available on a pipeline build level and it comprises 3 tabs: Inventory, Security Vulnerabilities, and License Risks. You can view the WhiteSource report at a build or project level (aggregated report of all your builds).

NOTE: There is a current known issue where a fourth tab, Outdated Libraries, is displayed. This issue will be fixed on February 28, 2021.

Viewing the Report

To view the report, do as follows:

  1. Ensure that you followed the procedures in Activating the Extension and Adding a WhiteSource Bolt Build Task to Your Pipeline.

  2. Go to the specific build’s results page for your project, and click the WhiteSource Bolt tab. The WhiteSource open source risk report is displayed.

Understanding the Report

Security Summary

A summary of detected open source vulnerabilities and the libraries that contain them.

Name

Description

Vulnerability Risk

The overall risk level for your inventory. Can be High, Medium, Low, No Risk.

Vulnerable Libraries

Displays the total number of vulnerable libraries.

Severity Distribution

Provides a breakdown of the vulnerabilities according to their severity level.

Inventory Tab

An inventory of all open source libraries detected.

Name

Description

Library

The name of the open-source library linking to the Library Details page in the WhiteSource Essentials application.

Licenses

Lists licenses detected for each library, and links to their license descriptions.

Security Vulnerabilities

A table listing all security vulnerabilities.

Name

Description

Severity

The severity of the vulnerability. Consists of:

  • Severity level- H (high), M (medium), L (low).

  • CVSS score

Vulnerability

The vulnerability identifier linking to the WhiteSource vulnerability lab, containing more information.

Date

The vulnerability publish date.

Library

The name of the open-source library containing the vulnerability, linking to the Library Details page in the WhiteSource Essentials application.

Top Fix 

The top-rated remediation advice that WhiteSource recommends for each vulnerability. A condensed description of the recommended course of action is given, followed by a link to a broader description.

License Risks

The License Risk Table displays a summary of open-source components’ license types and their associated risk including the number of occurrences.

Name

Description

License

The license detected as part of the inventory linking to its license description.

Risk

The risk associated with the license. Values are H (high), M (medium), L (low). In case of unknown risk, no risk is displayed.

Occurrences

In how many libraries this license occurs.

Additionally, the following charts are displayed:

  • The License Distribution chart displays the distribution of licenses across the inventory.

  • The License Risk Distribution chart breaks down the number of licenses by their risk level. Unknown risk level means the license risk was not analyzed by WhiteSource.

  • No labels