Version 57

Overview

WhiteSource Remediate is a feature of WhiteSource's repository integrations, which automatically opens fix Pull Requests for vulnerable open-source components, upgrading them to the lowest non-vulnerable version.

WhiteSource Remediate is part of WhiteSource for Developers and is integrated with WhiteSource for GitHub.com, WhiteSource for GitHub Enterprise, WhiteSource for Bitbucket Server, and WhiteSource for GitLab. In addition, Remediate is integrated with WhiteSource Renovate (see below for details). Renovate saves time and reduces risk by automating dependency updates in software projects.

WhiteSource Remediate provides the following capabilities:

  • Real-time monitoring - Runs continuously to detect the latest available fixes.
  • Single-click fix - Generate automated fix Pull Requests on-demand or using custom workflow rules.
  • Custom workflow rules - Open fix Pull Requests based on vulnerability severity or CVSS score.
  • Annotated - Changelogs and commit histories are extracted and included when available.
  • Dependency file discovery - Discovers and processes all dependency files in a repository.
  • Lock-file support - Update lock files seamlessly in the same commit, including immediately resolving conflicts whenever PRs are merged.

NOTE: A fix Pull Request is only generated for security vulnerabilities discovered on your repo's default branch, and only for direct dependencies.

Supported Package Managers

Package Manager | Language   | Extra Details
Maven           | Java       | N/A
Gradle          | Java       | N/A
Go Modules      | Golang     | Remediate updates both the go.mod and go.sum files, as well as any vendored files found within a vendor/ directory.
npm/Yarn        | JavaScript | WhiteSource Remediate always updates both the package file (e.g. package.json) and any lock file (e.g. yarn.lock) in the same commit/fix Pull Request. If a developer subsequently updates either file on the default branch, causing a git conflict with any of Remediate's Pull Requests, Remediate updates the fix Pull Request to resolve all conflicts while still remediating the vulnerability.
NuGet           | .NET       | Only SDK-style .csproj files are currently supported. By default, this includes: .NET Core 1.0 and above; .NET Standard class libraries; any .csproj in the SDK-style syntax. To convert your .NET Framework .csproj into an SDK-style project, follow this guide.
pip             | Python     | N/A
pipenv          | Python     | N/A
poetry          | Python     | N/A
setuptools      | Python     | N/A
Composer        | PHP        | N/A

NOTE: In WhiteSource for GitLab, mirrored repositories are not supported.

WhiteSource Workflow Rules

WhiteSource Remediate is configured via custom Workflow Rules. To set up Workflow Rules for all or a selected list of WhiteSource Products/Projects, do as follows:

  1. From the WhiteSource web application, click the Integrate tab.
  2. Expand the WhiteSource for Developers option.
  3. From within the relevant repo integration settings, click Manage Workflow Rules. The Workflow Rules page is displayed.
  4. Click Add Rule. The Add Rule dialog box is displayed.


  5. Select a Product and/or Project scope from the Scope area or leave at the default (applies to all of your WhiteSource Products and Projects).
  6. Select a rule type from the Type dropdown menu.
  7. Click OK to create the rule.

Once you set up a Workflow Rule, WhiteSource Remediate will start monitoring your selected repositories for vulnerable dependencies and generate corresponding fix Pull Requests.

Configuration of github.com credentials

If you are running Remediate against github.com already, or making use of WhiteSource for GitHub.com, then you don’t need to provision credentials explicitly.

Regardless of which platform you are running on (GitHub.com or GitHub Enterprise Server), Remediate can locate open source Release Notes from projects hosted on github.com and embed them into Pull Requests. When Renovate functionality is enabled, Remediate may also need to fetch lists of tags and releases from github.com for other reasons (such as to check whether a particular open source package has any newer versions).

However, GitHub heavily rate limits unauthenticated API requests to github.com, so if credentials are not available Remediate disables Release Notes fetching as well as the github-tags, github-releases and go datasources to ensure predictable behavior. Remediate logs a WARN message on startup if such credentials are missing.

For other use cases (including self-hosted GitHub Enterprise Server), provide such credentials to the Remediate container by setting a github.com Personal Access Token in the environment variable GITHUB_COM_TOKEN. This token can belong to any github.com account and needs only public, read-only access; do not grant it any write scopes. For details on creating such a token, see https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token

WhiteSource cannot provide customers with a token for accessing github.com as that would go against that platform’s Terms of Service.

Proxy Support

WhiteSource Remediate can be configured to work with proxy servers using either the prop.json configuration file or using environment variables.

Proxy configuration in prop.json

When configuring proxies using prop.json, the "no proxy" list is automatically configured to match the VCS endpoint in use (i.e. the GitHub, GitLab or Bitbucket Server endpoint). Internally, Remediate converts these settings to the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables and passes them to child processes such as npm and composer.

Proxy configuration using environment variables

WhiteSource Remediate also supports the industry convention of HTTP_PROXY, HTTPS_PROXY and NO_PROXY. This provides more flexibility if you also need to add internal/private registries to the no-proxy list, and is therefore the recommended configuration approach. Such variables are passed transparently to child processes.

Integration with WhiteSource Renovate

WhiteSource Renovate functionality can be enabled in WhiteSource Remediate, currently for WhiteSource for GitHub Enterprise and WhiteSource for GitLab only.

With Renovate functionality enabled, Remediate raises PRs/MRs not only for vulnerable dependencies but also for outdated ones.

Renovate is designed for users who aim to keep their dependencies up-to-date, primarily for the reasons of:

  • Keeping up with all bug-fixes from open source libraries
  • Reducing the risk when a vulnerable version must be updated in a hurry, because small version jumps are easier to test than large ones

Renovate itself is well documented on its own documentation site. The Renovate docs are generated automatically from the open source Renovate repository, so they are not duplicated here in full; however, examples and clarifications specific to users of WhiteSource Remediate are provided below.

Renovate Configuration

Renovate supports a range of different configuration filenames; however, for WhiteSource Remediate integration only the .whitesource configuration file is used. Renovate is disabled by default and is enabled by setting remediateSettings.enableRenovate = true, like so:

{
  "remediateSettings": {
    "enableRenovate": true
  }
}

Any configuration you place within the remediateSettings object is used by Remediate in the same way Renovate normally uses a renovate.json configuration file. Therefore, if you have an existing renovate.json file in a repository and are migrating to WhiteSource Remediate, copy its contents into remediateSettings and then remove the renovate.json file.

Recommended Starting Config

If you are new to Renovate, we recommend starting with the config:base preset, which enables functionality such as a maximum of two dependency update PRs per hour and grouping of well-known monorepo dependencies:

{
  "remediateSettings": {
    "enableRenovate": true,
    "extends": ["config:base"]
  }
}

What Happens When Remediations Are Available

It is useful to understand how Remediate behaves when Renovate is enabled and a package has both an ordinary update available and a vulnerability that must be fixed. If a package dependency needs vulnerability remediation, Remediate reads the list of fixed versions and determines the minimum version that resolves all known CVEs. It then uses a package rule to ensure that the remediation PR/MR for that package does not propose the latest version but instead updates to the lowest version that resolves all open CVEs for the package. If an existing PR/MR already proposes an update to the latest version and the minimum fix is lower, Remediate may auto-close that PR/MR and replace it with the minimum-fix PR/MR. This is intentional, so that (a) teams can focus on the high-priority remediation PR/MR, and (b) remediations introduce the smallest possible change and are therefore simpler to verify and test.

Common Configuration Options and Examples

Renovate is highly configurable with many options, so here are the most commonly used ones to take a look at first:

  • schedule: use this if you want to raise dependency update PRs only during limited times, such as weeknights and weekends. Combine with timezone so that schedules can be written in your local time instead of UTC.
  • packageRules with groupName: matching multiple packages and assigning a groupName means they will be grouped into a single PR. This is useful if certain packages must always be upgraded together, or if you wish to reduce the total number of PRs.
  • assignees and reviewers: use these fields to configure who is assigned or requested to review PRs (note: these apply to remediation PRs/MRs too).
  • automerge: enable this (ideally scoped via packageRules) only for dependencies you trust to be merged automatically by Remediate once they pass tests.

If you have questions about any particular configuration option or are looking for examples of its use, you may find it useful to search the existing Issues in Renovate's Config Help Repository on GitHub.

Merge Confidence

Merge Confidence is a beta feature of Renovate which embeds visual "badges" in Pull Requests showing statistics on upgrade age, adoption, compatibility and, ultimately, "confidence". For more information on Merge Confidence, see here.

To enable it for Renovate within WhiteSource Remediate, add the following configuration within the remediateSettings section of your .whitesource file:

{
  "remediateSettings": {
    "enableRenovate": true,
    "extends": ["github>whitesource/merge-confidence:beta"]
  }
}

NOTE: the above configuration is supported only in version 21.2.2 or later of the Repo integration.


If you are using version 21.2.1 or earlier of the Repo integration, add the following configuration within the remediateSettings section of your .whitesource file:

{
  "remediateSettings": {
    "enableRenovate": true,
    "prBodyDefinitions": {
      "Age": "![age](https://badges.renovateapi.com/packages/npm/{{replace '/' '%2f' depName}}/{{{toVersion}}}/age-slim)",
      "Adoption": "![adoption](https://badges.renovateapi.com/packages/npm/{{replace '/' '%2f' depName}}/{{{toVersion}}}/adoption-slim)",
      "Passing": "![passing](https://badges.renovateapi.com/packages/npm/{{replace '/' '%2f' depName}}/{{{toVersion}}}/compatibility-slim/{{{fromVersion}}})",
      "Confidence": "![confidence](https://badges.renovateapi.com/packages/npm/{{replace '/' '%2f' depName}}/{{{toVersion}}}/confidence-slim/{{{fromVersion}}})"
    },
    "packageRules": [
      {
        "datasources": [
          "maven", "npm", "pypi"
        ],
        "updateTypes": [
          "patch",
          "minor",
          "major"
        ],
        "prBodyColumns": [
          "Package",
          "Change",
          "Age",
          "Adoption",
          "Passing",
          "Confidence"
        ]
      }
    ]
  }
}


