With the release of the WhiteSource Unified Agent (previously called the File System Agent (FSA)), WhiteSource will no longer provide standard support, including updates and fixes for the NPM plugin after May 4th, 2019. Extended Support (limited to configuration & support/troubleshooting) will be provided until November 1st, 2019. Please migrate to the Unified Agent before this date. This plugin will no longer be supported by WhiteSource on November 2nd, 2019. The WhiteSource Support team is ready to assist with the necessary changes required to use the Unified Agent and can be contacted via the Customer Community. |
The plugin allows Node.js based projects to integrate with WhiteSource open source management.
Once configured and executed the plugin will create or update WhiteSource projects and enforce inventory policies.
The plugin is licensed under the Apache 2.0 license.
Source code and issues are hosted on GitHub and on NPM.
Install WhiteSource Globally:
$ npm install -g whitesource |
If you experience trouble running WhiteSource globally on Ubuntu after installing locate the WhiteSource package by running:
$ which whitesource |
and then create an alias to run WhiteSource globally:
$ alias whitesource="node path/to/whitesource" |
Having trouble finding "node" in Ubuntu?
The node package can be found in several packages in Ubuntu: node and nodejs. Locate the node package by running:
$ which node |
if displayed /usr/sbin/node remove it:
$ sudo rm /usr/sbin/node |
then make a link:
$ sudo ln -s /usr/bin/nodejs /usr/bin/node |
Create a "whitesource.config.json" file in your project root directory and input your WhiteSource API Token found in the Admin Integration API page:
{
"apiKey":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"checkPolicies":true,
"productName":"My Product",
"productVer":"1.0.0",
"projectName":"My Project",
"projectVer":"1.0.0",
"devDep": true
} |
| Attribute | Type | Description | Required |
|---|---|---|---|
| apiKey | String | Unique identifier of the organization to update, can be retrieved from the admin page in your WhiteSource account. | Yes |
| checkPolicies | Boolean | Whether or not to send the check policies request before updating WhiteSource. | No |
| productName | String | Name of the product to update. | No, if not defined matching to existing WhiteSource products is done by productToken |
| productVer | String | Version of the product and project to update. This overrides the project version. | No, only read if productName is defined |
| productToken | String | API token to match an existing WhiteSource product, can be retrieved from the Integration API page in your WhiteSource account. | No, if not defined matching to existing WhiteSource products is done by name. No projectToken is allowed |
| projectName | String | Name of the project to update. | No, if not defined matching to existing WhiteSource projects is done by projectToken |
| projectVer | String | Version of the project. | No, only read if projectName is defined |
| projectToken | String | API token to match an existing WhiteSource project, can be retrieved from the Integration API page in your WhiteSource account. | No, if not defined matching to existing WhiteSource projects is done by name. No productToken is allowed |
| devDep | String | Adds devDependencies to the WhiteSource report. Accepts either "true" or "false" | No |
| baseURL | String | The IP / Name of the destination WhiteSource service | No. Will use the default configuration |
| port | Int | The port number of the destination baseURL | No. Will use the default configuration |
| https | Boolean | Whether or not to use HTTPS secured connection | No. Will use the default configuration |
| proxy | String | The proxy server from which you want to redirect the messages. (e.g - "proxy":"http://10.0.0.1:8080" ) | No |
| forceUpdate | Boolean | If true - updates the project even if the "checkPolicies" step failed. (default is false) | No. Will use the default configuration |
| failOnError | Boolean | If true, fails the process if "checkPolicies" failed (default is false) | No. Will use the default configuration |
| timeoutMinutes | Int | Number of minutes to timeout. (default is one hour) | No. Will use the default configuration |
| debugMode | Boolean | If true, adds to the root folder a new folder with log files. (default is false) | No. Will use the default configuration |
| registryAccessToken | String | Access token to private registries | No |
| connectionRetries | int | Connection retries when unable to connect to WhiteSource service. (default is 1) | No. Will use the default configuration |
| failOnConnectionError | Boolean | Fails the build when unable to connect to WhiteSource service | No, default value is true |
| userKey | String | Unique identifier of the user who updates, can be retrieved from the admin page in your WhiteSource account. | Required if WhiteSource administrator has enabled "Enforce user level access" option |
| ignoreNpmLsErrors | Boolean | Whether or not to ignore errors of the 'npm ls' command. | No, the default value is false |
To resolve NPM dependencies, you should first run "npm install" command on the relevant folders before executing the plugin.
If you scan a private registry that requires an access token, add the property "registryAccessToken" to the WhiteSource config file.
Supported from version 17.12.4 |
Make sure you have package.json and whitesource.config.json files located at project root.
Run the plugin with this command:
$ whitesource run |
WhiteSource dependency report is saved in the project's "whitesource.report.json" auto-generated file and posted to your WhiteSource dashboard.
If you want to use whitesource.config.json file that is not located under the project root please run:
$ whitesource run -c c:\path\to\file\whitesource.config.json |
In order to use multiple build environments (e.g npm and bower) it is recommended to use different whitesource.config.json file for each build environment (i.e each of them in a different location)
Starting with version 18.2.1, the NPM plugin can scan and upload yarn projects as well.
To do so, run the plugin inside your yarn project folder with the following command:
$ whitesource yarn |
First, please try to run "npm ls --json > ./test.json",
Important- The NPM Plugin is dependent on the "ls" command. In order for the NPM to work the command "npm ls" must be completed successfully.
If the "ls" process fails, please investigate your project and fix it.
WhiteSource cannot run when the native npm ls command fails.
This can be a sign of a misconfigured or invalid node project (check your package.json and npm-log file to investigate further).
When encountering issues running the NPM plugin, follow these instructions:
If the issue persists after running the plugin, send the npm-shrinkwrap.json, package.json, npm-debug.log
and the WhiteSource log files (located in the project's root and prefixed with ws-log) to support@whitesourcesoftware.com.
Starting version 1.1.1 and later, the following exit codes are displayed upon scan completion:
SUCCESS: 0,
ERROR: -1,
POLICY_VIOLATION: -2,
CLIENT_FAILURE: -3,
CONNECTION_FAILURE: -4,
SERVER_FAILURE: -5
The exit codes WhiteSource returns in the Bash command language should be treated as 'x' modulo 256:
In order to update the plugin please run it with the following command:
$ [sudo] npm update -g whitesource |
Make sure that you've installed/using the following tools:
WhiteSource NPM plugin is installed:
$ [sudo] npm install -g whitesource |
