WhiteSource Advise allows your developers to view a snapshot of a component’s details before they download it to their repository, and incorporate it in the codebase. It is delivered as a Chrome or Microsoft Edge (from version 83) extension.
WhiteSource Advise quickly identifies open source component installation references on Web pages such as StackOverflow, Maven Central, and RubyGems. See also Supported Repositories.
When in the page, a simple click on the icon enables developers to view important details to help them decide whether or not to add a new component. Details include known vulnerabilities, quality scores, and whether the component is currently in use within your organization.
The WhiteSource account administrator has the option to invite users to download and use WhiteSource Advise by doing the following:
Invited (external) users will receive a link via an email invitation in order to complete the installation.
For Admins to Know: Ensure that the email link is opened in the relevant browser (Chrome / Microsoft Edge); the browser also marks these references in the relevant web pages. If Chrome or Microsoft Edge is not the default browser, copy and paste the email link into Chrome or Microsoft Edge. WhiteSource Advise scans web pages for open-source installation references; to do so, it requires permission to read and write on web pages. You must approve these permissions (no browsing history information is saved).
Existing WhiteSource users can activate the WhiteSource Advise from their 'Profile' page without having an administrator send an invitation. This option is done via the following steps:
WhiteSource Advise is supported out of the box for on-premises installations. If the destination URL differs, it can be changed manually to point to the on-premises installation by going to settings → 'modify' and entering the updated destination.
The following methods make the most of WhiteSource Advise functionality. For a list of repositories and platforms supported by each of these methods, refer to the table in Supported Repositories and Platforms.
For example, go here for an MVN repository library.
You can view the WhiteSource selection plugin red mark when a library is identified.
You can scan any Web page for open source component installation references, by clicking on the WhiteSource Advise extension icon.
It scans the page and detects all package references where available.
Any open source component installation reference (such as "pypi install", "gem install", etc.) will be highlighted.
WhiteSource Advise searches for the following text patterns for each package manager and language:

| Package manager (language) | Text patterns |
|---|---|
| pip (Python) | `pip install {package name}=={version}` |
| gem (Ruby) | One of the following:<br>`gem install {package name}={version}`<br>`gem install {package name}:{version}` |
| npm (JavaScript) | `npm install {package name}@{version}` |
| NuGet (.NET) | One of the following:<br>`install-package {package name} -package {version}`<br>`update-package {package name} -package {version}`<br>`nuget install {package name} -package {version}`<br>`nuget update {package name} -package {version}` |
| Maven (Java) | One of the following:<br>`<dependency> <groupId>{group}</groupId> <artifactId>{artifact}</artifactId> <versionId>{version}</versionId> </dependency>`<br>`<plugin> … </plugin>`<br>`<parent> … </parent>` |
| Go | `import ( "github.com/{owner1}/{repository1}" "github.com/{owner2}/{repository2}" ... )` |
| Composer (PHP) | One of the following:<br>`"require": { "{group}/{artifact}": "{version}" }`<br>`"require-dev": { "{group}/{artifact}": "{version}" }` |
| SBT (Scala) | One of the following:<br>`libraryDependencies += "{group}" % "{artifact}" % "{version}"`<br>`libraryDependencies ++= Seq( "{group-1}" % "{artifact-1}" % "{version-1}", "{group-2}" % "{artifact-2}" % "{version-2}" % "test" )` |
| Cargo (Rust) | One of the following:<br>`cargo install --version {version} {package name}`<br>`cargo install --vers {version} {package name}`<br>`cargo update -p {package name}`<br>`cargo update --package {package name}`<br>`cargo update -p {package name} --precise {version}`<br>`cargo update --package {package name} --precise {version}` |
| Cabal (Haskell) | One of the following:<br>Legacy: `cabal install {package name}` or `cabal install {package name}-{version}`<br>Version 2: `cabal v2-install {package name}` or `cabal v2-install {package name}-{version}` |
| opam (OCaml) | One of the following:<br>`opam install {package name}`<br>`opam install {package name}.{version}`<br>`opam pin add {package name}` |
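To make the pattern search concrete, here is an added example (not WhiteSource Advise's own code) that extracts the command-line install references listed above from page text and reports package manager, package and version. The regular expressions are my approximation of the documented shapes, the Maven, Go, Composer and SBT file fragments are left out, and the sample page text is constructed.

```javascript
// Added example, not WhiteSource Advise's code: extract command-line install
// references from page text. Regex shapes approximate the documented patterns;
// named groups keep package and version straight even where the version
// comes first (cargo install).
const INSTALL_PATTERNS = [
  { ecosystem: "PyPI",
    re: /\bpip install\s+(?<name>[\w.-]+)==(?<version>[\w.]+)/g },
  { ecosystem: "RubyGems",
    re: /\bgem install\s+(?<name>[\w.-]+)[=:](?<version>[\w.]+)/g },
  { ecosystem: "npm",
    re: /\bnpm install\s+(?<name>@?[\w./-]+)@(?<version>[\w.^~-]+)/g },
  { ecosystem: "NuGet",  // PowerShell cmdlets are case-insensitive, hence /i
    re: /\b(?:install-package|update-package|nuget (?:install|update))\s+(?<name>[\w.-]+)\s+-package\s+(?<version>[\w.-]+)/gi },
  { ecosystem: "crates.io",  // version precedes the crate name
    re: /\bcargo install\s+--vers(?:ion)?\s+(?<version>[\w.]+)\s+(?<name>[\w-]+)/g },
  { ecosystem: "crates.io",  // version only present with --precise
    re: /\bcargo update\s+(?:-p|--package)\s+(?<name>[\w-]+)(?:\s+--precise\s+(?<version>[\w.]+))?/g },
  { ecosystem: "Hackage",  // lazy name so "aeson-pretty-0.8.10" splits at the numeric suffix
    re: /\bcabal (?:v2-)?install\s+(?<name>[A-Za-z][\w-]*?)(?:-(?<version>\d[\d.]*))?(?=\s|$)/g },
  { ecosystem: "opam",
    re: /\bopam (?:install|pin add)\s+(?<name>[\w-]+)(?:\.(?<version>[\w.~+-]+))?/g },
];

// Return every reference found in `text`, in page order, as a highlighter would.
// `version` is null where the pattern carries no version (e.g. cargo update -p x).
function findInstallReferences(text) {
  const found = [];
  for (const { ecosystem, re } of INSTALL_PATTERNS) {
    for (const m of text.matchAll(re)) {
      found.push({ ecosystem, name: m.groups.name,
                   version: m.groups.version ?? null, at: m.index });
    }
  }
  return found.sort((a, b) => a.at - b.at);
}

// Constructed sample of page text; package names and versions are illustrative.
const SAMPLE_PAGE_TEXT = `
Install with: pip install requests==2.31.0
Or: npm install @babel/core@7.24.0 and gem install rails:7.1.3
PM> Install-Package Newtonsoft.Json -package 13.0.3
$ cargo install --version 1.2.3 ripgrep
$ cargo update -p serde --precise 1.0.197
$ cabal v2-install aeson-pretty-0.8.10
$ opam install dune.3.14.0
`;

for (const r of findInstallReferences(SAMPLE_PAGE_TEXT)) {
  console.log(`${r.ecosystem}: ${r.name} ${r.version ?? "(no version)"}`);
}
```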
Scan any of the supported code references from the previous section by highlighting it, right-clicking, and then selecting the 'Scan with WhiteSource Advise' option.
WhiteSource Advise searches for the same patterns that were displayed in the previous section and provides a single result:
WhiteSource Advise displays the following information:
In the following sample screenshot, WhiteSource Advise found two vulnerabilities with a high score. Clicking on the 'Take me to the first component' link forwards you to the first icon of the vulnerability.
WhiteSource Advise provides you with the option to select a language:
WhiteSource Advise currently supports the following repositories:
| Repository | URL Scanning | Text Pattern Search | Code Snippet Highlighting |
|---|---|---|---|
| opam | | | |
| Rust Package Registry | | | |
| Go Search | | | |
| CDNJS (on library URLs with and without a specific version) | | | |
| NpmJs | | | |
WhiteSource Advise supports the detection of open source component installation references in the following programming languages:
Java, Scala (SBT), .NET, JavaScript, Ruby, Python, Go, PHP, Rust, Haskell, OCaml
The code snippet scanning option currently supports the following package managers: Maven (Java), SBT (Scala), NuGet (.NET), npm (JavaScript), Bundler (Ruby), Pip (Python), Go, and Composer (PHP).