These release notes are for the WhiteSource cloud solution, and do not apply to the on-premises solution that has its own release notes. Click here to view known issues.
Additionally, we suggest you stay informed by regularly checking the Notices page.
Release notes are subject to change until the actual release date.
This page is "dynamic" and is subject to change between official releases. WhiteSource reserves the right to modify this page retroactively. Please check this page periodically between official releases to ensure you are up-to-date with all hotfixes, changes and additions to WhiteSource's products.
Beginning in version 21.3.2, WhiteSource will be modifying the opening topics of the User Guide section of the documentation. This includes editing and condensing the existing content (therefore archiving certain topics), removing unnecessary content, and restructuring the topic hierarchy. Since this project will be a “work in progress” for an unspecified amount of time, WhiteSource apologizes in advance for any inconvenience this might cause.
Customers can now configure SAML integration for multiple global organizations with the same Identity Provider (IDP).
Product & Library Priority Scoring Reports: New reports provide information on the priority of a library or product, taking different threat and impact factors into account.
Starting this version, SmartMatch is the default algorithm used for source files matching when a new WhiteSource Organization is created.
The name of the Sun license was changed to Sun Public License.
Major improvements to the Go Modules dependencies detection have been introduced with the addition of a new optimized resolver for Modules, controlled by a separate set of parameters. Two separate settings are now supported: new parameters for controlling the new Modules resolution, and the existing Go parameters for controlling Modules and the other Go package managers. The new Modules resolver detects only the actively used dependencies and includes the following new parameters:
To use the enhanced Modules dependencies detection, it is recommended to turn on the new resolver by setting go.modules.resolveDependencies=true and disable the current Go resolver by setting go.resolveDependencies=false.
Added support for new security advisories which may result in some WhiteSource organizations experiencing a change in vulnerability alerts.
The following documentation changes were implemented:
The Deprecated Features topic was deprecated and the content was moved to the Notices page.
The Setting the Home Page topic was deprecated and the content was moved to the WhiteSource Home Page topic.
The High Severity Bugs Report topic was deprecated.
The File System topic was deprecated.
Structural modifications were implemented to the opening documentation sections, beginning with the login/homepage documentation.
Archive extraction of the Zstandard format RPM file failed.
A problem with missing shields occurred during Prioritize scans with NPM due to incorrect handling of duplicate dependencies.
Some Unified Agent's log messages were not taken into account when setting the logLevel parameter.
Generating the Due Diligence Report resulted in a blank report.
When Jira Server was connected to PostgreSQL, an exception occurred in Jira Plugin when trying to add a new row to the table.
The following is planned for the next Unified Agent releases:
In the next release, NPM and Yarn configuration will be optimized by automatically executing the relevant pre-step (npm install or yarn install) based on the lock file detected (yarn.lock or package-lock.json) when npm.runPreStep=true.
Within the next two releases, the NuGet configuration will be improved by merging the nuget.restoreDependencies flag into the nuget.preStep flag. After this change, setting nuget.preStep=true will automatically download the dependencies found in csproj files.
The following two tags will be added to the build when a pipeline, including a WhiteSource task, is running:
ws_support_token (this tag will contain the support token value)
ws_scan_start_time (this tag will contain the WhiteSource scan start time in UTC time)
The Jira Server Plugin is now available in the Atlassian marketplace. Please note that this is a beta release.
Using the Unified Agent’s Archive Extractor when trying to scan the root of the operating system resulted in a null pointer exception.
In AVM, a timeout occurred when fetching vulnerabilities information from Fortify.
The NuGet Plugin page was deprecated.
In the next version, 21.3.2, the following changes will be implemented:
The Deprecated Features topic will be deprecated and the content will move to the Notices page.
The High Severity Bugs Report topic will be deprecated.
The File System topic will be deprecated.
Additional modifications will be implemented to the opening documentation sections, beginning with the login/homepage documentation.
In the next Unified Agent release, major improvements to the Go Modules dependencies detection will be introduced with the addition of a new optimized resolver for Modules, controlled by a separate set of parameters. After this change, two separate settings will be supported: new parameters for controlling the new Modules resolution and the existing Go parameters for controlling Modules and the other Go package managers. The new Modules resolver will detect only the actively used dependencies and will enable controlling whether to include test dependencies and duplicate dependencies.
This version introduces support for NPM 7.
A new parameter, fileSystemScan, replaces the soon-to-be-deprecated ignoreSourceFiles.
A new API, unmarkManualInHouseLibrary, is now available for unmarking manually-assigned in-house libraries.
In some cases, information regarding source libraries was not displayed correctly; for example, empty projects were still displayed in some source libraries, or some source libraries appeared as empty.
Running the gcloud auth command failed during Docker scan on Mac computers.
Users with different roles than admins or alert ignorers were able to ignore alerts in VBA mode.
Exceptions occurred when trying to assign licenses as part of update policy alerts.
In the Unified Agent, when scanning NPM, NPM dependencies were not resolved when package.json did not contain name/version attributes.
When downloading a missing jar file, the Unified Agent incorrectly generated success messages.
Added indication for missing copyright references in the Attribution report summary.
When excluding inner modules (projects) in Gradle, the scan would return the wrong dependencies tree.
Azure DevOps Services Integration: In some cases, adding npm.resolveMainPackageJsonOnly=true to the WhiteSource Configuration task parameter led to a scan failing.
Beginning in this version, the following page was archived and is therefore no longer in use:
WhiteSource Advise for Visual Studio Codespaces
Scala dependencies detection was improved, by supporting the sbt-dependency-graph plugin when applicable.
When working in vulnerability-based alerting mode, user roles were not being validated when ignoring/reactivating alerts.
WhiteSource is launching a Beta release of a new generic platform for issue tracker integrations and a plugin for Jira Server. The new platform will provide the ability to integrate with issue tracking systems, in order to automatically create issues when a policy match occurs. The Jira Server Plugin is the first integration developed using the new platform and more out-of-the-box plugins are planned to be released.
The following topic has been deprecated:
Fortify Software Security Center Integration
Fixed an issue whereby scanning a Docker .tar file by the Unified Agent resulted in an exception.
Azure DevOps Services Integration: Running a pipeline build from a self-hosted agent resulted in a WhiteSource-generated .encrypted file not being deleted at the end of each WhiteSource build task run.
NOTE: Self-hosted agent builds triggered before 14 February may still contain traces of WhiteSource-generated .encrypted files. These files must be manually removed from the self-hosted agent work folder.
On rare occasions, library alerts were not created after the vulnerability sync.
Duplicate hashed source files caused the second one to be considered as unmatched.
In Linux, Python scans failed due to a missing space in the execution of one of the commands used for resolution.
In the Unified Agent, there were exceptions when parsing specific pipfile formats.
The following topics have been deprecated and all their content has been merged into the Unified Agent documentation:
Selecting a Plugin for Integration
Providing only a Project name in a Unified Agent Scan
Configuration Recommendation Mode
Unified Agent Scan Steps and Summary
Unified Agent JSON Report Example
The following topics have been completely deprecated:
Fortify Software Security Center Integration
The documentation repository's default color has changed in certain locations to a dark brown. Additionally, in certain locations, the table of contents is only intermittently blue. WhiteSource is aware of the problem and is working with Atlassian to solve the issue. Other than that, the content has not been affected in any way.
Beginning in this version, the Auditor role for service users can be assigned to users from the UI.
Updated the WhiteSource task version from 20 to 21. In order to use the new version(s) of the extension, you will need to update the task from WhiteSource@20 to WhiteSource@21 inside your pipeline definition.
Added the ability to map an Azure Project to an existing WhiteSource Product (in addition to creating a new WhiteSource Product) via the Project Settings > Extensions > WhiteSource page.
Several issues have been resolved regarding Docker Layers:
Layers with the same SHA1 were represented as one resource.
Layers with a SHA1 already created as “unknown” from previous scans were recognized as that resource, and therefore the display name did not reflect the layer.
Layers with SHA1 were unnecessarily looked up in the index.
Discrepancies were found between the Alerts Widget and the Library Page.
Vulnerability-based alerting: In the 'Vulnerable Libraries' section on the 'Security Vulnerability' page, the libraries were not filtered by the specific CVE. As a result, the CVEs were ignored and the filter returned all the vulnerable libraries in the organization.
In the Unified Agent’s upcoming releases, major improvements to the Go Modules’ dependencies detection will be introduced. A new optimized resolver for Go Modules, controlled by a separate set of parameters will become active, paving the way for more specific control over Go resolution.
The Unified Agent now supports scanning Google Distroless images.
The optimized NPM resolution method, controlled by the npm.resolveLockFile flag, is now the default dependency detection for NPM.
Azure DevOps Services Integration: When opening the Security vulnerabilities tab in the Open Source Risk report, the data was not sorted by severity.
Azure DevOps Services Integration: Adding the WhiteSource task to a YAML-based pipeline without setting any of its parameters resulted in an error. As part of this fix, a default value was added for the cwd parameter.
Fixed failures of inventory update if artifactVersion exceeded the valid length.
The Unified Agent failed to parse a non-lowercase configuration value.
The Unified Agent failed to resolve NuGet dependencies when the project.assets.json file was not found in its standard location.
A Python direct dependency, which was also used as a transitive dependency by another library, was not listed as a direct dependency by the Unified Agent.
RPM packages installed or deleted without using yum were not identified correctly by the Unified Agent.
Beginning with this version, every new organization will be created in the new Vulnerability-based Alerting mode.
A new and enhanced source files matching algorithm, SmartMatch, can be activated from Advanced Settings in the Integrate tab. The default will remain Weight.
Two new licenses have been added:
A new parameter, python.includePipenvDevDependencies, has been added to provide the ability to manage the dev dependencies. The default value is true.
When searching for a library via global search, then searching for a vulnerability via the same search, the page redirects to the library search page.
When resolving several requirements.txt files, the cache of the dependencies was not cleared between the different resolutions.
When running the Unified Agent, the ArchiveExtractor failed to extract files ending with an empty space.
In the “Source File Inventory” report, if users selected to change the library for files they had no permissions to, the Change Library action had no effect and no message was displayed. Now, this action can only be done by selecting the desired files, then Actions > Change Library menu. The users' permissions are validated and a proper message is displayed.
After repeatedly using "Assign Yourself", the pop-up window appeared blank and users needed to click "Add License Reference" or "Override All" in order to see the mandatory fields.
When running SBT Coursier, the Unified Agent did not run pre-step commands even though pre-step flags were activated.
Changes to licenses being updated either in the index (libraryDataSync API) or in the Admin Console did not trigger alerts calculation.
The Unified Agent did not support the packages.db RPM database.
The following integration pages have been archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.
In the next Unified Agent release, the optimized NPM resolution method, controlled by the npm.resolveLockFile flag, will become the default dependency detection for NPM. This will be applied by changing the current default value of the npm.resolveLockFile flag from false to true. In addition to improving the scanning time of NPM projects, more accurate results will be produced by this mechanism. Unmet optional and/or peer dependencies that were not taken into consideration by the previous dependency detection will be part of the results when they are found in the lock file.
Fixed an issue introduced in the latest version (20.11.2) in which unmatched source libraries were missing from the Project/Product page.
Resetting forgotten passwords is now validated with a CAPTCHA test.
A disclaimer has been added to the Library Details page for temporary matches on Go dependencies.
For some libraries, the Impact Analysis page did not display results.
Filtering by library in the Attribution Report did not display all results.
In the Web UI, there was no indication when a library contained no licenses. NOTE: Beginning in this version, an indication that review is required is displayed.
In Azure environments, when saving/updating a SAML integration (Domain and Global Account level), an HTTP error 500 was displayed.
In the Vulnerabilities Report, the screen’s legend was unclear.
The following integration pages have been archived and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.
Additionally, the following pages have been archived:
The following integration pages will be archived in release 20.12.2 and will therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.
The Product Page and the Project Page now feature filtering and improved pagination in the Libraries panel, thereby improving performance and user experience for projects with over 1000 libraries.
Attribution Report: It is now possible to exclude versions from an exported Attribution Report via API
Exceptions occurred when saving Global Account policies.
In the Unified Agent’s scan log, certain Gradle configurations were missing.
Azure DevOps Services Integration: In some cases, build artifacts over 200MB resulted in one of the following errors:
##[error]RangeError: Maximum call stack size exceeded
##[error]Error: "toString()" failed
Azure DevOps Services Integration: In some cases, scanning a project containing an npm project resulted in the following error:
##[error]Error: ENOTDIR: not a directory, scandir '/home/....../node_modules/.bin/acorn'
Beginning in version 20.12.1, the following integration pages will be archived and therefore no longer be in use. All the material contained therein will be included in the Unified Agent parameter documentation.
Additionally, the following pages will be archived:
The maximal extraction depth, configured in archiveExtractionDepth, has been increased to 10.
Attribution Report: Users now have the ability to exclude versions from the artifacts' names in the attribution report's exported files, by de-selecting the include versions checkbox.
Read-only Permissions: A new auditing role can now be assigned to service users through the setOrganizationAssignments API to give them read-only permissions in the scope of a specific organization.
An unexpected output received from the SBT sbtVersion command caused the Unified Agent to throw an exception.
The Unified Agent did not correctly handle a possible output of the SBT organization command.
The Unified Agent failed to extract .tar files created with special characters on Linux.
When executing update inventory requests which create a new project, the getProjectVitals/getProductProjectVitals API requests did not display the Unified Agent's version.
When trying to add a new admin from the global admins page, the users list was empty.
When configuring SCM via JSON files, the Unified Agent scanned the current directory.
Project Association: Limitation on the number of items in the products list was removed.
Added support for C# in Prioritize.
Added Fast Scan Analysis mode for Java in Prioritize.
Added a WhiteSource Support Token to the WhiteSource task logs.
A modified Unified Agent documentation repository has been launched, with the intent to increase usability, update existing content, fill in missing gaps, and create a linear flow.
The documentation is spread over 4 contiguous topics (pages), in this order:
An Overview page
A Getting Started page, with prereqs, download info, config info, etc.
A Parameters page
Advanced Topics (similar to an appendix)
A modified Policies page will be launched, with the intent to update existing content, fill in missing gaps, and create a linear flow. This page merges the two existing policies topics - Automated Policies and Managing Policies Throughout Your SDLC. The latter has been archived and is therefore no longer in use.
The Unified Agent’s Artifactory scanner failed to build a URL from strings that contained non-alphanumeric characters.
Dependencies defined in the Gemfile.lock file with an exclamation mark suffix were wrongly resolved.
Policies where Action was defined as Issue failed to create Work Items issues.
Under certain conditions, when working with policies of the Issue type, exceptions occurred while loading Work Items data.
Fixed an issue where in some cases, users with non-admin permissions were not able to view the WhiteSource open-source risk report. All existing WhiteSource for Azure DevOps Services extension users will need to approve the extension permission changes that were applied in this version. To approve the new changes, do as follows:
Go to Organization Settings > Extensions > Installed > WhiteSource for Azure DevOps Services.
Click Review. The Authorize WhiteSource for Azure DevOps Services popup is displayed.
Scanning a project based on a GitHub Repository led to a RangeError error.
Fixed an issue whereby sending a setProductAssignments request resulted in error code 3000 and an Invalid request parameters error message.
Azure DevOps Services Integration: In some cases, when running a pipeline build containing a WhiteSource task, a toString() failed error was displayed in the WhiteSource build task logs, leading to a scan failure.
In order to comply with industry standards, WhiteSource has decided to remove the option of searching a library via drag and drop. Library searching can now only be done by entering the library’s name (added November 1, 2020).
Added the ability to specify custom Unified Agent Configuration parameters to be used by a particular pipeline build. For this, a new field, WhiteSource Configuration, was added to the WhiteSource task. For more information, see here.
Beginning in version 20.10.2 (approximate release - November 8), a modified Unified Agent documentation repository will be launched, with the intent to increase usability, update existing content, fill in missing gaps, and create a linear flow.
The documentation will be spread over 4 contiguous topics (pages), in this order:
An overview page
A Getting Started page, with prereqs, download info, config info, etc.
A Parameters page
Advanced Topics (similar to an appendix)
More details will follow in the next release notes.
Beginning in version 20.10.2 (approximate release - November 8), a modified Policies page will be launched, with the intent to update existing content, fill in missing gaps, and create a linear flow. This page merges the two existing policies topics - Automated Policies and Managing Policies Throughout Your SDLC. The latter will be archived and therefore no longer be in use.
When the project information object did not have a version in its coordinates, the Unified Agent failed to run.
The Unified Agent failed when trying to resolve a large PHP project.
Azure DevOps Services Integration: A pipeline build with the WhiteSource task failed to scan GitHub repositories when using a Linux build agent.
The optimized NPM resolution method, controlled by the npm.resolveLockFile parameter, did not handle duplicate dependencies correctly. This caused an increase in the size of requests sent by the Unified Agent.
When applying Create Issue policies, issues were created incorrectly for all projects in the organization (added November 1, 2020).
When updating group assignments, SAML incorrectly removed users from the domain (added November 1, 2020).
When entering multiple values for either groupAssignments or userAssignments in the setProductAssignments and setOrganizationAssignments API calls, these values were ignored. The fix - from now on, the first value is assigned (added November 1, 2020).
Users were unable to change a source file library if there was already an existing mapping with a comment (added November 1, 2020).
CREATE_ISSUE policies defined in the Product scope, when applied to libraries removed from in-house/whitelist, caused tickets to be created in all of the organization's projects if there were no CREATE_ISSUE policies in the organization's scope.
The default NPM dependency detection method was changed to running the "npm ls" command due to an anomaly observed in the Unified Agent requests size using the new optimized NPM resolution method.
The optimized NPM resolution method, controlled by the npm.resolveLockFile parameter, is now the default dependency detection method for NPM. This change is introduced by switching the previous default value of npm.resolveLockFile from false to true. This will significantly improve the scanning time of NPM projects and produce more accurate results.
The license name of Oracle Development License (as it previously appeared in the application) will now appear according to its official name, Oracle Technology Network License Agreement.
During Kubernetes agent scanning, when the scanned component included the same image multiple times, irregularities occurred causing an exception.
In the Attribution report, the GPL 2.0 with exception license was mistakenly displayed as "insert GPL v2 license text here".
When scanning PHP, the Unified Agent threw an exception if one (or more) of the packages did not have a "source" element in the lock file.
Currently, when accessing the Custom Attributes report, the report’s data is fetched automatically. This can be time-consuming if the organization has many libraries and many custom attributes defined. Beginning in this version, an Apply button has been added, enabling users to query the data on demand only.
Beginning in this version, the strict requirement of running the Unified Agent with the configuration file has been removed. If the mandatory parameters are passed to the Unified Agent, in any of the supported methods, the Unified Agent can be run without failing even if the configuration file is missing.
Beginning in this version, if the Yarn lock file (yarn.lock) is found during the scan, it will be used for the dependencies detection, without the need to explicitly set the npm.yarnProject flag.
When applying policies to existing inventory from the organizational policies page, the product and project policies were ignored.
When reassigning all of a user’s pending tasks, the inventory request approver was not properly updated.
When two Maven projects were defined with the same name, both projects were created, but with partial data. The introduced fix now adds a suffix (_1, _2) to the project name when there is more than one project with the same name.
Helm version 3 support is officially introduced for the Kubernetes integration.
If hex.ignoreSourceFiles was set to true, the Unified Agent did not ignore .erl source files.
When groups were created via SAML integration and were then deleted manually from the dashboard, an exception occurred.
Within the next two releases of the Unified Agent, a significant improvement to the NPM dependency detection will be introduced. An optimized NPM resolution method, controlled by the npm.resolveLockFile flag, will become the default dependency detection for NPM. This will be applied by changing the current default value of the npm.resolveLockFile flag from false to true. This will significantly improve the scanning time of NPM projects and produce more accurate results.
NuGet packages defined at packages.config and/or .csproj with inaccurate versions according to the NuGet version standard were displayed in the scan results without being recognized ("Requires Review"). Following this fix, these packages will no longer be displayed in the scan results.
A new format of Docker project name is now supported - repositoryName - which is based on the Docker repository name only. This format can be applied by setting the docker.projectNameFormat parameter to repositoryName.
In addition, the already-supported format named repositoryFormat was changed to repositoryNameAndTag (the formal name format is still supported, however it will be deprecated).
There are now three supported formats:
The default format consists of the Docker repository name, tag and ID.
The repositoryNameAndTag (previously known as repositoryFormat) consists of the Docker repository name and tag.
The repositoryName consists of the Docker repository only.
Aggregate Modules mode supported (using the -aggregateModules field).
In the Project Association page, the Product column was changed from a selection column to a text column. The project association is now only available by checking the desired project(s) and choosing “Assign to Product”, then choosing the desired product from the drop-down list.
When using “APPEND” update requests, in the rare case where only a TRANSITIVE dependency has been added - the new transitive dependency will be added as a direct dependency, so all of the application's mechanisms such as alerts and policies will be applied on it. This is a change to the current behavior. In order to have the new dependency added as transitive, users can then run another “OVERRIDE” Update Request after the append request.
When running the Gradle resolver, if the dependency is missing the Unified Agent will try to download .jar dependencies only.
In the rare use case of a change in the GAV coordinates of an artifact, Gradle scans didn't produce the correct signature for this artifact.
The Request Resolution Status Report displayed the wrong path on the top of the report.
In the Vulnerability Report, the Locations column was missing from the JSON format.
When scanning the plan.json file in a Haskell project, a NullPointerException occurred when building hierarchies where one child did not have dependencies.
In the application’s home screen, some bulk actions of approval/rejection of pending tasks were timed out. This caused the UI to hang and requests were not marked as reviewed.
When scanning a Docker image with source libraries, the “hierarchy” tree included duplications of the source library matched with those source files.
Layer information was missing when detecting FOSS components in Docker .tar files.
When resolving a Gradle project with a deep dependency hierarchy, an index out-of-bound exception occurred.
Beginning in this version, when creating/editing a policy based on a Jira project with a mandatory field from a type which isn't currently supported, but has a default value defined for it in Jira, the operation will succeed.
When a scan for a project is requested while there is already a scan for the same project being executed simultaneously, the new scan is being skipped. Starting in this version, the JSON file returned for the scan will specify the status SKIPPED instead of FINISHED.
In cases of empty status files in Debian Docker images, the scan resulted in zero dependencies.
In the Policies screens, a popup indicating that changes will not be saved was displayed even though all changes were properly saved.
A TimeoutException was thrown when calling the method updateNodesParentAndMr in the DependencyNodeRepositoryImpl class.
Priority and Assignee fields appeared in Jira-based policy creation, even when those fields were not defined in the Jira project itself.
Following a change in JFrog Artifactory version 7 whereby the property name haAwareEtcDir was changed to etcDir, exceptions were thrown in the WhiteSource Artifactory plugin.
Scanning Docker images with source files led to duplicate appearances of the source libraries in the Hierarchy view.
Within the next two releases, WhiteSource will be improving the Unified Agent configuration by removing the requirement to have a configuration file, if all the mandatory parameters are set (passed as command-line parameters or by environment variables).
SAML session token duration (the time between the IDP authentication and the WhiteSource login) was changed from 10 minutes to 5 minutes.
A new API, setNotice, enables setting the value of the library’s notice.
Improvements were made to the Docker scanning of the Linux RPM-based images.
Users can now configure Unified Agent parameters using environment variables.
The Bazel support for Go projects was extended to Windows. The Unified Agent can now scan on both Linux and Windows Go projects using the go_repository rules generated by Bazel Gazelle (see here).
When organizations were deleted, data was removed, specifically alerts. This caused timeout exceptions if the table was locked.
Under certain scenarios, a null pointer exception occurred when loading the product assignment.
Under certain conditions, there were problems with dependency resolving from yarn.lock.
Under certain conditions in Unified Agent Docker scans, exceptions occurred when there were similar file names but different content or formats.
Kubernetes deployment procedure didn't take into consideration initial configured delays.
When running the Prioritize Multi-Module Analyzer for Gradle, modules that did not have build.gradle were not handled correctly.
Under certain conditions, there were issues with the format of the link field within the policyRejectionSummary file.
Under certain conditions, the Project Associations page loaded slowly and resulted in a 404 error.
Under certain circumstances, the libraries hierarchy view did not work as expected.
Under certain circumstances, deleting organizations/projects worked very slowly and/or ended with errors.
Users scanning docker images can now receive information regarding packages in layer granularity. The new functionality can be enabled by setting the docker.layers parameter to true. The layer granularity can be viewed in the UI under the hierarchical display (Show as Hierarchy).
Improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag are introduced. The improvements include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting npm.resolveLockFile to true.
A new flag, npm.ignoreDirectoryPatterns, enables users to determine the list of ignored directories.
The Bazel support was extended to Go projects. The Unified Agent can now scan Go projects on Linux machines using the go_repository rules generated by Bazel Gazelle (see here).
Under certain conditions, when an application had no vulnerability, it was not updated by the AVM agent.
The "Resolution Request Status" report can now be accessed through the Reports menu.
Under certain conditions, the Unified Agent returns no dependencies after failing to parse the packages database when scanning docker images.
In the Source Files widget, after refreshing the page the Change Library column was not displayed.
Under certain conditions, there were inaccuracies in the Effective Usage Analysis Summary Report.
Under certain conditions, the Unified Agent had an issue following a redirect when trying to download a Gradle dependency.
The Unified Agent’s checkPolicies-json.txt file now includes the system path and manifest file path for each of the components, when this information is available.
A new parameter, python.localPackagePathsToInstall, enables users to configure a list of local package paths that will be installed during the pre-step, if required.
A new response in getProjectVitals, Last Scan Comment, returns users’ scans comments.
Upgraded the following:
WildFly to version 10.1.0
JQuery to version 3.5.0
The Unified Agent’s version is now displayed in the Web Application’s Project Vitals.
The docker image retrieval mechanism was improved resulting in a reduction of the UA scanning time.
In the Risk Report, in the General Overview panel, when selecting a product, an incorrect title and link were displayed.
While handling getOrganizationInHouseLibraries requests, a Null Pointer Exception occurred.
In situations where Requires review is the least common license in an organization/product/project, the License dashboard ceases to function.
The Attribution Report had issues with a misplaced header.
There were issues with proxy settings in the HTML dependency resolution.
The TeamCity plugin always failed as a result of a check policy request.
Under certain conditions, scanning SBT dependencies resulted in errors.
Local libraries used by a Python project were not detected. This ability was introduced in this release, controlled by the python.localPackagePathsToInstall flag.
If the field last scan comment contains multiple lines, only the first line will be displayed in the project vitals area.
In the next release, improvements to the optimized NPM resolution method controlled by the npm.resolveLockFile flag will be introduced. The improvements will include a reduction in the scan time, in addition to enhanced accuracy. This functionality can be enabled by setting the npm.resolveLockFile to true.
Under certain circumstances, the NuGet dependency detection of csproj files resulted in an inaccurate version of the dependency.
The Attribution Report has undergone several enhancements, including the following:
select which fields to include/exclude from the report
apply filters to the report
include a custom attribute in the report
export the report to a JSON format
hide fields containing empty values
Beginning in this version, an indication on the vulnerability page displays which vulnerabilities were modified in the previous month.
Beginning in this version, the WhiteSource Expert Fix is the first solution recommended to customers in the list of suggested fixes.
This version introduces a Dockerized Unified Agent. More information can be found here.
Bazel resolution is now enabled by default. The UA now supports Bazel for Java projects. The following two rules are supported: maven_install, maven_jar.
This version introduces support for OpenSUSE leap images via the Unified Agent Docker scan.
Artifactory Docker Virtual Repository scans failed when containing a remote repository.
Under certain conditions, the UA will exit without appropriate log messages.
Under certain circumstances, there was an issue with C# package identification.
In the Library Details page, Only library with effective vulnerability was not displayed.
When trying to create a Jira issue when defining a policy based on vulnerability effectiveness, an exception occurred.
In the Web Application, in the Alerts Report, the EUA “shields” were not displayed.
Jira server issues were not created due to wrong assignee parameters.
During NuGet scans, exceptions were caused following references to missing files.
For customers where Prioritize is installed: Beginning in this version, when creating a policy, you can match by Vulnerability Severity and Efficiency.
A new option in the Change Origin Library screen, Only repositories matching all source files, makes requests more efficient by enabling users to display only libraries where all source files exist.
Custom attributes are now supported in the APIs and the Attribution Report.
For customers where Prioritize is installed: An “effectiveVulnerabilitiesOnly” flag was added to VULNERABILITY_SEVERITY in Policies API.
Under certain circumstances, a specific format of package version in the nuspec file caused a failure in NuGet resolution.
Under certain circumstances, a wrong command was run in NuGet resolution when packages.config is present.
There was no option to provide a full path in a csproj file when referencing other csproj files.
Jira API parameter "query" (which replaced “username”) did not work for all customers.
In the wss_resourceVulnerabilities table, security alerts weren't calculated when there was no sourceFileHashes mapping.
Under certain circumstances, Ruby scans failed.
In the Unified Agent, when dependencies in Yarn scans had two versions, the scans failed.
In the Library Details page, Only library with effective vulnerability does not appear.
In the ADD/EDIT policy function, mandatory fields of types string, string array, user, and number are now also supported. When choosing the issue type in the project, the mandatory fields are displayed and you must fill them in.
In certain reports, the following was added to all panels with multiple selections:
A count indicator showing the number of selected rows appears when selecting rows of a data grid panel. This counter updates automatically when rows are selected or deselected.
Next to the counter, a 'clear selection' button clears all selected rows when clicked.
Beginning this release, the NuGet resolution will be improved and aligned to the other resolvers by excluding the system packages from the scan results by default.
Beginning in this version, the .coffee source files will not be taken into consideration when npm.ignoreSourceFiles is set.
Proxy support was missing in one of the HTTP calls of the Lambda serverless implementation.
Under certain circumstances in Gradle resolution, a hash was calculated on an empty file.
License links that didn’t contain a protocol were considered relative resources in the site, therefore the base URL was added to the href.
After executing actions in the Inventory Report, the selection wasn’t cleared.
When trying to sync a source library which has a duplicate in the database, it tried to remove the existing source library.
Some reports with multiple selection (such as checkboxes) didn’t have any actions to execute on selected items.
When an assignee existed but didn’t appear in the Unified Agent’s initial list, users were unable to create an issue type policy.
Under certain conditions, the Artifactory Plugin would send product parameters as Repository Name in check policy compliance requests.
In creating Jira-based policies, if the issue type in the selected project does not contain the fields “assignee” or “priority”, the policy will appear as successfully created but no tickets will be generated.
In the Library Details screen, the new Aggregated Data tab displays aggregated data for licenses, policies, vulnerabilities, and library data.
This version introduces support for the npm.ignoreScripts parameter for yarn.
Improvements were made to Go projects scanning.
The license SPDX name and library’s copyrights were added to the getProjectLicenses, getOrganizationLicenses, and getProductLicenses APIs.
Currently, when entering an invalid role in the setProductAssignments API call, the response is "Successfully set product assignments". Beginning in this version, the response is changed to include the assignments that were successfully set by the API call. Also included is an additional list named “warningMessages” (available from API version 1.3 and up), that includes various warning messages.
In the next Unified Agent release, the NuGet resolution will be improved and aligned to the other resolvers by excluding the system packages from the scan results by default.
The License Compatibility report did not recognize licenses that were manually overridden.
Uninstalled OS packages were included in the scan.
Under certain circumstances, the Alert ignorers role was missing from the setProductAssignments API.
The security severity calculations of the "policyStatistics" and "vulnerabilityStatistics" sections of the scan report are not aligned.
An issue occurred with scanned projects that included circular symbolic links on Linux.
Unnecessary information was printed to the Unified Agent’s log when Azure registry images were scanned.
A problem exists where aggregated data is not shown for a library when it appears as both a direct dependency and a transitive dependency.
A risk score was added for license Open LDAP 2.4.
This version provides support for Global Packages for Poetry.
In addition to parsing/collecting yarn dependencies, the Unified Agent now supports adding yarn workspaces with their dependencies (direct and transitive) as a hierarchy tree.
This version introduces support for Bamboo server versions up to 7.0.3.
Beginning in this version, ignoreSourceFiles is taken into account in the top folder for all cases.
Beginning in this version, Maven resolver will not ignore .jar,.war,.ear,.zip files when ignoreSourceFiles is set.
When setting a Reporter for issues that require one, the reporter will now be chosen from a list (same as selecting an assignee) instead of the previous way where there were text boxes for inserting a Reporter name and display name.
The Unified Agent setting maven.ignoredScopes=NONE is no longer a pre-condition for running Prioritize on Maven projects, but remains as the default setting. Regardless of the Unified Agent configuration file parameter setting, Prioritize analysis will ignore test scope dependencies.
Under certain conditions, when the MultiModuleAnalyzer ran on large Gradle multiModule projects, it ignored certain modules.
In Prioritize, the Maven pre-conditions incorrectly used mavenIgnoredScopes.
Under certain conditions, the Unified Agent sent empty dependencies values in offline requests.
Jira projects were not taken into consideration when fetching the mandatory fields to open a Jira issue.
Under certain conditions, some docker image packages (centos) had the same hash value key.
In cases involving the R package manager, when the match library flag is ON and there is no sha1 for the package, the additional sha1 of this package was ignored.
When fetching the last RVI sync attempt, an OptimisticLockException (AbstractSyncServiceImpl:78) is thrown because another process is updating the same object; hence the version is changed.
When an RVI sync task was created for the first time, it was created without a task name.
Under certain conditions, RedHat libraries were missing from customer databases.
Under certain conditions, after the Docker image (Centos:8) rpm scan ran, there were over 110 items remaining to resolve.
In Jira, under certain conditions, the following occurred due to Jira API changes:
Issues were created without an assignee
When a reporter was defined as mandatory, issues were not created
Adding issue policies via the API failed
This fix applies automatically for new policies. For existing policies, if customers defined a reporter or assignee, they must edit those policies and re-enter the assignee and reporter, and then save.
In the library details page, users can now manually override the license text to their library's specific license text. The new license text will be displayed in the Attribution Report and in the Release Management Dashboard, both in the UI and via APIs.
In the Attribution Report, for manually assigned copyrights with a comment, the comment now appears in a new section called Comments in the library’s Copyrights section.
The Unified Agent now supports Scala sbt-coursier and sbt 1.3.x.
Docker Azure login to ACR Registries is now supported.
A new xModuleAnalyzer command line parameter, EuaMaxTotalMemAlloc, enables users to specify their memory allocation preference for running Multi-Module Analysis, selecting from the following options: custom-specified memory allocation; allocation of all available memory; and a default minimal setting set by WhiteSource.
A new xModuleAnalyzer command line parameter, ignoreEuaNotices, enables users to specify preferences for ignoring EUA codes returned following analysis of modules by xModuleAnalyzer.
A new designated xModuleAnalyzer log file captures an aggregated summary of EUA codes returned following analysis of each module, featuring details previously captured only in independent module logs.
A new xModuleAnalyzer message is displayed and captured if one or more modules in a multi-module setting fail to run/complete not due to an analysis error.
In the Attribution Report, the license text is no longer displayed in the Copyrights section.
In the Plugin Request History report, "fs-agent" has been changed to "unified-agent".
A permissions issue existed where the Source File Inventory Report did not filter projects according to user privileges, i.e. users who weren't members of project A were still able to view source files and libraries of that project.
The All Products drop-down list was not sorted alphabetically.
Under certain conditions on large-scale NPM projects, running two scans led to a StackOverflowError.
Under certain conditions, there were parsing irregularities in the modules.txt file.
Under certain conditions, when parsing a “paket.lock” file, an exception occurred.
Under certain conditions, Paket scan results displayed information regarding NuGet.
Under certain conditions, in the Unified Agent, Gradle failed due to the merging of impactAnalysis with failErrorLevel.
In AVM’s Fortify Client, there was an error parsing clients with URLs that contained “ssc”.
Under certain conditions, the maven.ignoredScopes flag did not work as expected.
Maven scans resulted in missing Maven dependencies.
The License Compatibility Report displayed multiple licenses even after using the override function.
The ignoreSourceFiles setting affected the "includes/excludes" scan results.
The default paket.exe path was incorrect.
Under certain conditions, the NuGet resolver contained the wrong version.
Support for Cabal version 3 is now provided.
A new parameter, ignoreEuaNotices, enables users to specify preferences for ignoring EUA codes in general, or just those implying 'Informational' issues (i.e., not severe errors).
Previously, in the Library Location Report, when a library had no path it was displayed in the UI as "N/A". This has been changed to an empty string.
Within the next two sprints, WhiteSource will be improving the Unified Agent scan results, mostly regarding Maven resolution. Binaries such as .jar,.war,.ear,.zip will be included in the scan when ignoreSourceFiles is set.
In addition, ignoreSourceFiles will be taken into account in the top folder when packaging appears in the pom file.
Some nupkg libraries whose display name did not use a dash ('-') as the version separator were not recognized as the same library and therefore were not flagged under Multiple Library Versions.
When generated to a .PDF, the Use of Different Versions of Same Library section in the Risk Report had a different title.
Under certain situations, goGradle scans failed with a null pointer exception.
An overlap in the resolvers' bom files resulted in the order of the resolvers being changed.
The Effective Usage Analysis dashboard displayed 0% coverage although vulnerabilities existed.
Under certain conditions, a NoSuchElementException occurred when getting a product approver during update requests.
Under certain conditions, the parsing functionality in Go 1.14 did not work correctly.
Under certain conditions, scans of Docker images resulted in exceptions.
Under certain conditions, new version alerts weren't created.
A new parameter, python.resolvePipEditablePackages, enables the support of pip in editable mode (-e), thus presenting additional dependencies in WhiteSource for Python projects.
New Package Manager support: This version introduces support for Gradle Kotlin DSL.
In the Attribution report, the author’s name is now displayed in the copyright information.
A new API request "getProjectLicensesTextZip" enables project-level scope for the getLicensesTextZip API, providing more granular results for legal business needs.
A new API request "getProjectCopyrightsTextFile" enables project-level scope for the getCopyrightsTextFile API, providing more granular results for legal business needs.
When the Multi-Module Analyzer scanned at least a dozen projects, it sometimes randomly failed on some of them, although when scanning a single project no such problem existed.
The Library Details page has been redesigned whereby the information is now organized into four separate tabs.
The Unified Agent now supports SBT 1.3.x and above.
In Prioritize, in the Vulnerability Analysis pane, the Analysis Coverage exceeded 100%.
The Unified Agent failed to resolve Python dependencies using the virtualenv command.
There were incorrect descriptions for some of the Python libraries.
The Debian importer was unable to download files without release dates.
Under certain situations, CVEs still appeared in the web application even after blacklisting all vulnerable source files.
In Effective Usage Analysis, when the multi-module-analyzer scanned several projects, it sometimes randomly failed some of them, although when it scanned a single project no problem occurred.
The "Base directory" differed between the old Unified Agent and the new one, causing incorrect results for customers.
In the Policies functionality, the bug rating and version activity match types have been removed, and there is no longer a way to add new policies of these types. Existing policies with these types, though, will be editable.
For customers who want to have sources files with associated vulnerabilities identified in WhiteSource when possible, a new optional parameter for getProjectAlertsByType API enables the response to include vulnerable source files.
In Prioritize, the Analysis Coverage exceeded 100% in the Effective Vulnerability widget.
Under certain conditions, Scala project scans failed on SBT dependencies.
Under certain conditions, in the Unified Agent, when the 'gradle' commands failed, the Unified Agent did not execute 'gradlew' commands.
Under certain conditions, library folders appeared in the wrong module.
In the Attribution report, the provided license reference was not necessarily the license text itself.
Under certain conditions, after a customer removed an organization, it remained in the customer’s system.
Alerts for new NPM versions included pre-release versions.
This version introduces support for the DNF Package manager for CentOS.
[Fixed] Under certain conditions, problems occurred when logging in to the WhiteSource application via Microsoft Azure.
This version introduces support for Poetry, a new package manager for Python.
A License column has been added to the Attribution Report, enabling users to filter libraries by license in the preview screen.
Added report flexibility: The Attribution Report now enables users to select multiple projects for inclusion in the report’s output.
[Fixed] New alerts emails were sent to customers that disabled email notifications.
[Fixed] Under certain circumstances, the License Compatibility Report did not display results.
NPM Resolution: Optimized scanning behavior and reduced scan time. The new functionality relies only on the package.json instead of NPM commands and can be enabled using the flag: npm.resolveLockFile=true.
The Unified Agent has been enhanced to cover more cases of Maven configuration (i.e., for customers using different formats for Maven tree output).
Attribution Report data improvement - When there is no license reference in the library, a generic license will be presented.
Under certain conditions, library names were truncated and thus displayed incorrectly in the interface.
[Fixed] In certain cases, Yarn Dev Dependencies were not excluded from the inventory.
[Fixed] In Bower Projects, some dependencies were missing from results in specific edge cases.
[Fixed] In certain cases on the policies page, an Unexpected Error would appear.
[Fixed] Under certain conditions, Python dependencies were missing from the inventory after a scan.
Release Unified Agent version 19.12.2
Added flexibility for “R” programming language scanning: This version provides support for the R programming language for customers who are not using its main package manager, Packrat.
The Unified Agent has been enhanced to cover more cases of Maven configuration (i.e., for customers using different formats for Maven tree output).
Added flexibility for managing libraries with multiple licenses: In the Web UI, it is now possible to remove a specific license, and add a new license reference to a license.
Beginning in this version, when clicking under each security vulnerability in WhiteSource, instead of pointing the CVE to the NVD, users are redirected to WhiteSource’s vulnerability lab. The URL format is: https://vuln.whitesourcesoftware.com/vulnerability/<vulnerabilityID>
The Alerts panel in the Library Details page has been enhanced in order to display a visual summary count of Alerts per different categories.
Attribution Report data improvement - In various cases, a valid license text will be displayed in the report instead of the previously-used JSON/XML.
Under certain conditions, library names were truncated and thus displayed incorrectly in the interface.
[Fixed] When fetching license references in JPA query with LEFT JOIN FETCH, the query failed with “javax.persistence.EntityNotFoundException”.
[Fixed] Under certain conditions, Docker scans failed due to a Null Pointer Exception error being thrown from the getImageTags method.
[Fixed] In WS Advise for Chrome, a violation issue was displayed when switching between a non-versioned, non-vulnerable component and a vulnerable, versioned component.
[Fixed] Under certain conditions, out-of-memory exceptions occurred when converting the scan results of the attached Podfile.lock file into a JSON object.
Easier Onboarding for JFrog Artifactory Docker Integration: Beginning in this version, the Unified Agent is now able to download Docker images from Artifactory as an archive file, then extract and scan them.
Added flexibility for JFrog Artifactory Docker image scan: Two new parameters, artifactory.includes and artifactory.excludes, provide customers with the ability to filter which images to scan in their repositories.
A new parameter, php.ignoreSourcefiles, provides more extensive results for customers using PHP by enabling users to decide whether to ignore source files scanning.
A new screen option, Nested Licenses, provides added granularity for complex cases where nested licenses are being used in a library's repository, such as 3rd party licenses.
In the Due Diligence report, the range of years for the library's copyright (in from-to format) is now displayed in the Copyright column. Additionally, in the By Copyrights filter, it is now possible to filter according to the from-to values.
[Fixed] After closing a request for a Source Library, a new request was opened again after scanning.
[Fixed] Under certain conditions, Null Pointer Exceptions occurred when the CVSS 3 extraData field was null.
[Fixed] When passing float values to the client, these values changed their original value, causing incorrect data to be presented.
[Fixed] Due to the system path of the Gradle dependencies, the EUA analysis coverage was inaccurate.
[Fixed] When inserting a copyright date range in the Due Diligence report, the report did not filter properly and the results were therefore inaccurate.
[Fixed] When the Unified Agent .jar file was extracted while running, the Unified Agent would cease to function.
Release Unified Agent version 19.11.2
Detect Mode - Enhanced environment-based recommended configuration capability: The generated configuration file now supports the ‘includes’ parameter.
In cases where the Unified Agent execution has an issue (for example, policy violation), the Bitbucket pipe will reflect it and fail the build.
This version introduces better customization and control, where customers can change the default location where Unified Agent logs are saved.
Integration with CircleCI - added flexibility: The Commands file was added to the CircleCI Orbs integration, enabling users to easily add package managers to the resolution.
The enhanced CircleCI Orb now uses the latest version of the WhiteSource Unified Agent.
WhiteSource’s CodeFresh integration in the CodeFresh marketplace has been officially published. It allows WhiteSource customers to easily integrate a WhiteSource scan into their native CodeFresh workflow.
Beginning in this version, WhiteSource for Developers will have its own release notes. Please refer here.
[Fixed] Under certain conditions in app.whitesourcesoftware.com, some libraries were missing although the update request contained them.
[Fixed] Servers received imported licenses that have license names but no license types, resulting in no license creation.
[Fixed] Under certain conditions, the Unified Agent did not collect all the dependencies in yarn projects.
[Fixed] Under certain conditions, it was impossible to create sub-task issues using Jira integration.
[Fixed] When trying to create a new copyright template without years, an error was displayed.
[Fixed] When exporting HTML attribution report by project in partial data organization, an error was displayed.
[Fixed] Under certain conditions, the Unified Agent Docker Hub scan returned no results.
[Fixed] An out-of-memory issue occurred for Yarn.
[Fixed] Detect configurations did not work correctly for Go projects.
The Unified Agent now supports scanning the opam package manager for the OCaml programming language.
Aligning the Unified Agent to the Maven plugin behavior: A new boolean parameter in the Unified Agent, maven.projectNameFromDependencyFile, controls if a project name will be taken from the dependency file.
Aligning the Unified Agent to the NPM plugin behavior: An existing parameter, npm.projectNameFromDependencyFile, controls whether the project name will be taken from the dependency file.
Added flexibility: It is now possible to set project metadata information using a project tag (key and value) via the Unified Agent command line and the Unified Agent configuration file.
When scanning Docker images in which NPM is not available, the new npm.resolveGlobalPackages parameter extracts global dependencies without relying on NPM being installed and available.
CodeFresh users can now scan their open-source components directly from their CodeFresh CI/CD pipeline.
The latest release of WhiteSource Kubernetes Agent version 2.0 is available. This version uses the native Kubernetes API, has reduced permissions (better security) and enhanced performance.
The Unified Agent now runs Effective Usage Analysis even if npm.includeDevDependencies is set to false.
[Fixed] After creating an issue, when trying to parse the JSON response from Jira, an exception occurred, resulting in Jira issues created several times for the same libraries in the same projects.
[Fixed] In the Attribution Report, XML was not displayed properly (for example, XML tags were removed).
[Fixed] In specific circumstances, the Gradle resolver did not create a full dependency tree, resulting in missing libraries from Docker image scans.
[Fixed] When trying to upload an offline request with a specific Gradle dependency, the dependency was not found in the inventory.
[Fixed] Uploading a metadata file to the WhiteSource application resulted in errors.
[Fixed] In WhiteSource for Bitbucket Server, WhiteSource for GitHub Enterprise, and WhiteSource for GitHub.com, when an issue for multiple components was created, the Automatic Remediation information was displayed.
Extending auditing capabilities: In the Change Log History Report, there is now support for auditing changes in vulnerability score/severity.
This version brings the following enhancements:
Added granularity - Support for changing a library to a source file in the Product level and not only in the Organization level.
Alignment with API - The user must be a Product or Organization Administrator as required in the API of the change library and not a regular user.
New auditing enhancement that extends existing functionality to the Change Log History Report: When changing a library, customers can now track when the changes occurred, according to new records in the ChangeLog.
For easier debugging and maintenance, the Unified Agent log now contains all the Unified Agent configuration parameters in a more organized manner.
A new optional NPM parameter, npm.failOnNpmLsErrors, enables a smoother transition between the NPM plug-in and the Unified Agent when handling “npm ls” errors.
The SBT resolver now supports additional scopes such as `test`, `runtime`, `provided` etc.
As of API version 1.3, you can now refer to a specific ignored alert by using the getProjectIgnoredAlert, getProductIgnoredAlert, and getOrganizationIgnoredAlert API calls.
Enhanced security: As of API version 1.1, only Organization Administrators can execute API requests for managing users and groups. These are:
This version introduces the ability to generate fix PRs on-demand in WhiteSource for GitHub.com and WhiteSource for GitHub Enterprise without defining workflow rules in advance.
In WhiteSource for GitHub Enterprise and WhiteSource for Bitbucket Server, a Health Check API endpoint was added to the wss-scanner Docker image.
In the EUA Detailed Analysis report, the analysis time is now featured in addition to the date, as follows: dd-mm-yyyy hh:mm.
In the EUA reports that feature IA Status and IA Results, the names have been changed to, respectively, Impact Analysis Status and Impact Analysis Results.
The GPL 2.0, MPL 1.0, MPL 1.1, and MPL 2.0 licenses now have a copyright risk score of 65.
Risk analysis information was added for the GPL 1.0 and OpenSSL licenses.
[Fixed] An error in the RVI sync process caused the alert creation to fail.
[Fixed] A null pointer exception occurred while calculating the check policy hash.
[Fixed] In the Risk Report, when a project had duplicate dependencies in the hierarchy, negative values were displayed.
[Fixed] WhiteSource for GitHub Enterprise, WhiteSource for GitHub.com - Duplicate GitHub Issues were generated for the same library and CVE when multiple scans were triggered in parallel for a commit.
The following improvements have been made to the License Compatibility Report:
As part of ongoing enhancements to this report, the accuracy has been improved, and the results are more detailed.
“Type” (the library’s programming language) has been removed in favor of “Incompatibility Type” (the type of conflict between two libraries’ licenses).
A new Incompatibility Type, Potential Incompatibility, has been added. It indicates that the library being evaluated is available under multiple licenses, so the user must choose under which license the library will be used.
Better customization for the Attribution Report:
Users can now select whether to include the license text in the existing Licensing section or in a new dedicated “Appendix: License Details” section.
Users can now select whether Primary Attributes (a.k.a. custom attributes) will be featured in the Attribution report.
The Unified Agent now supports Python global packages resolution.
New enhancements for the Serverless Plugin enable reading additional parameters from a YAML file and passing them to the Unified Agent configuration.
For customers without a Docker installation in their environment, the Unified Agent can now scan tar.gz files that contain a saved Docker image (enabled by setting docker.scanTarFiles=true).
An indicator has been added to WhiteSource for GitHub Enterprise, WhiteSource for GitHub.com and WhiteSource for BitBucket Server indicating when automatic remediation is available for the specific vulnerability.
WhiteSource is launching the WhiteSource for GitLab Core beta version, enabling GitLab users to access WhiteSource security alerts within GitLab’s native environment.
[Fixed] The getChangesReport API request was disregarding the time specified in the "startDateTime" field, fetching results from 00:00 on the specified date.
[Fixed] In an EUA-enabled organization, under certain conditions in 'Library Security Vulnerabilities' view, projects referencing the vulnerability were not filtered by the projects to which the user has privileges, resulting in errors.
[Fixed] In some cases, the Containers dashboard did not display any results.
[Fixed] WhiteSource for GitHub Enterprise - When upgrading to image version 19.8.1, a Java error in the wss-ghe-app logs is displayed.
The Dashboard view has undergone the following changes:
The Top Alerts pane now displays a dedicated summary count of system category alerts reported for a given organization, product or project. This includes the total count of policy violations, versions, licenses, quality and security alerts.
Clicking a category name or count now opens the Alerts view for that category, listing the reported alerts so that the user can act on them directly.
Enhancements to marking libraries as in-house:
Auditing enhancement: Rules added or removed through In-House Rules are now tracked and can be displayed in Change Log History.
It is now possible to create an in-house rule whose name matches that of the selected library.
The help text on the In-House page has been revised and improved.
It is now possible to disable all email notifications for administrators.
Improvements in the Kubernetes integration: The Kubernetes SDK is now used to retrieve information.
New parameter aliases: gradle.ignoredScopes can be used in addition to gradle.ignoredConfiguration, and gradle.includedScopes in addition to gradle.includedConfiguration.
Each successive scan of the same library generates its own folder (relevant only for logs).
The Unified Agent now supports the extraction of .hpi files.
Improvements in SBT dependency resolving have resulted in more accurate output.
The API requests getProductLicenses, getOrganizationLicenses, and getProjectLicenses have an optional new field, excludeProjectOccurrences (default value = false) which enables getting product/domain licenses without project occurrences.
[Fixed] In the Risk Report PDF, in the Policy Name field, Chinese characters were omitted.
[Fixed] In selected instances when Prioritize’s multi-module setup failed, the log reported it as successful.
[Fixed] The response of the "getAllOrganizations" API request yields a "Success" message in scenarios where it should fail.
[Fixed] When resolving Yarn dependencies, the wrong line was printed in the log.
[Fixed] The Unified Agent did not identify all SBT dependencies in the *compile.xml file.
Docker Artifactory integration is now enabled with a read-only user via the new configuration parameter docker.artifactory.dockerAccessMethod.
The new configuration parameters log.files.level, log.files.maxFileSize, and log.files.maxFilesCount control how scan logs are stored. Storing logs is useful, for example, so that a user who hits a problem with a scan does not have to re-run it just to produce logs for the Support team. Note that this feature is enabled by default; customers who do not need these logs can disable it manually.
Enhanced Detection: This version introduces automatic identification of Maven libraries that share the same SHA-1 with other libraries.
It is now possible to include/exclude specific Gradle modules to scan.
The Unified Agent now supports scanning the Cabal package manager for the Haskell programming language.
WhiteSource now maintains SAML identity provider parameters in each SAML request provided when logging in to WhiteSource using SAML.
WhiteSource Prioritize can now be configured to work in offline mode.
WhiteSource Advise for Chrome now detects licensing and vulnerabilities information on Rust packages found in Rust-related websites.
WhiteSource Advise for Chrome now detects licensing and vulnerabilities information on Haskell packages found in Haskell-related websites.
WhiteSource Advise for Chrome now detects licensing and vulnerabilities information on OCaml packages found in OCaml-related websites.
[Fixed] If SAML has been configured, under certain conditions login failed with a NullPointerException.
[Fixed] On a Go project using the Godep dependency manager, the Unified Agent did not find all Go dependencies.
In the Library Details page, a new widget enables users to view library security trends for a specific library across different versions, color-coded according to severity.
In the Alerts report, new versions no longer include “Dev” versions.
In the Assign Copyrights functionality, it is now possible to set a "None" value for the Years range, to reflect that no specific years are defined for the copyright.
The Library Vulnerability wheel now displays vulnerable libraries first, before other metrics.
WhiteSource for GitHub.com and WhiteSource for GitHub Enterprise: Using the new projectToken configuration parameter in the .whitesource configuration file, it is now possible to map a GitHub repository to an existing WhiteSource project. This provides added flexibility in terms of organizing projects in WhiteSource originating from various integrations.
The new Configuration Recommendation mode identifies the environment that the user wants to scan and creates the configuration file automatically.
Added flexibility in Gradle projects scanning: New configuration parameter 'gradle.includedScopes' enables defining which scopes will be included in the scan.
This version provides support for Serverless Framework via a dedicated plugin.
[Fixed] Users were unable to create a policy with an 'Issue' action linking to their 'Work Items' tracker type.
[Fixed] Under certain conditions, after a project was updated, a server failure message was displayed.
[Fixed] In the Security section in the Risk Report, large numbers did not display correctly.
[Fixed] When a request was assigned to a group, conditions did not appear in Pending Tasks.
[Fixed] Under certain conditions, the Unified Agent failed to retrieve projects from Artifactory.Releases.
New Advanced search option: In the Web application, a new dialog box makes it easy to select and display a library.
Improved visibility of resolution request statuses: A new Request Resolution Status Report enables admins to view the status of their requests to WhiteSource.
This version introduces support for bulk actions on copyright request resolutions, reducing the time needed to submit requests for many libraries at once.
In the Admin console, in NuGet alerts, previews for non-major versions are now included.
WhiteSource for GitHub Enterprise and WhiteSource for GitHub.com:
Improved usability and enhanced control over WhiteSource scanning: An onboarding Pull Request is now generated on each selected repository during the GitHub App installation. The .whitesource configuration file is only used, and WhiteSource only starts scanning the repository, once the Pull Request is merged.
The .whitesource configuration file now includes a parameter minSeverityLevel, which lets you decide whether to open a new GitHub Issue only for vulnerabilities of at least a given severity level, or not to open GitHub Issues at all.
The .whitesource configuration file now includes a parameter configMode, which lets you use an existing Unified Agent configuration file. This can be done by providing either a local Unified Agent configuration file, or fetching the config file from an external location using the configExternalURL parameter.
Unified Agent Improvements - Provide more accurate results by scanning, creating and updating empty projects. The Unified Agent will create an empty project in WhiteSource for all scans which do not contain any dependencies. In addition, when updating an existing WhiteSource project with empty data via the Unified Agent, the project in WhiteSource will be updated to reflect the latest project state.
This version introduces support for mapping support files to NuGet packages.
This version introduces improved results when scanning NuGet packages by checking the project target framework (Note: Some customers might experience fewer dependencies as a result.)
Added flexibility by supporting custom build environments: The Unified Agent can now pass arguments to the Maven 'dependency:tree' command, which runs when the maven.resolveDependencies configuration parameter is enabled. A new configuration parameter was added for this purpose, maven.additionalArguments.
The Unified Agent now supports scanning the Cargo package manager for the Rust programming language.
The getOrganizationIgnoredAlerts API now supports JSON format.
For customers using Application Vulnerability Management platforms such as ThreadFix or Fortify, this version introduces the synchronization of Open Source Software scanning results from WhiteSource to the aforementioned platforms.
[Fixed] In the Users page, names did not sort correctly in alphabetical order.
[Fixed] In the Risk Report, in the Security area, when displaying data with a large number of libraries, the last digit was displayed in a line of its own.
[Fixed] Users received errors when trying to approve their library requests.
[Fixed] The Library Details page was stuck indefinitely with a “Loading Data” message.
[Fixed] When trying to approve tasks from the Pending Tasks screen, users received a message stating insufficient permissions.
[Fixed] Using the Unified Agent on Windows 10 via command line led to “illegal operations” warnings.
[Fixed] When configuring ‘excludeDependenciesFromNodes’, the wrong dependency was excluded.
[Fixed] File paths with special characters caused the Unified Agent to crash.
[Fixed] When activating WhiteSource Advise, using the wrong regular expression in the URL caused the activation process to fail.
Vulnerability Search functionality: In the WhiteSource application, a new search mechanism enables users to search their files for CVEs, and proceed accordingly based on whether CVEs are found or not.
New added flexibility: The Due Diligence report now enables you to select an existing custom attribute as part of the report’s filtering.
A new CLI parameter, detect, automatically creates a configuration file based on your scanned libraries and files (relevant for all package managers). NOTE: This is the first step in new configuration recommendations. Future versions will contain additional features.
Added flexibility by supporting custom build environments: The Unified Agent now has the ability to pass arguments to the gradlew and gradle ‘dependencies’ command. A new configuration parameter was added for this purpose, gradle.additionalArguments.
This version adds support for scanning Go 1.11 projects without the need for a dependency manager.
[Fixed] Projects were limited to exporting 32766 lines.
[Fixed] In the Users page, when the page was reduced, the column names were hidden.
[Fixed] When generating a Risk Report with a large number of libraries, the last digit was displayed in its own line.
[Fixed] Under certain conditions, failures occurred when trying to resolve Python dependencies.
[Fixed] The Unified Agent took an excessively long time to run.
[Fixed] When trying to approve requests and clicking Override and Approve, administrators were sent back to the Home page with a message notifying insufficient permissions.
[Fixed] When an API request for the getProjectAlertsReport was sent, the output was an .xlsx file in which the last title, Library Type, and the entries underneath it were not in the same column.
Users: In the Administration Users page, there is an improved UI indication to distinguish between 'regular' users and service users.
Improved user experience: In the Library Details page, when there are many source files to display, the system will display first X files immediately, and users can see all related source files by clicking ‘View all source files’.
Product-level customization: In the Product Administration page, it is now possible to define product tags (or product-level tags) that enable you to define additional metadata for WhiteSource products.
Enhanced usability: The Attribution report now provides better usability by requiring the user to first select/enter a requested product/project, and therefore avoid displaying default non-relevant product/project information.
Enhanced usability: The copyright in the Attribution report now includes a range of years and the copyright’s author.
Enhanced usability and debugging: When running the Unified Agent, the CLI output now displays the current Unified Agent’s version.
Enhanced security: In the Unified Agent, Docker Hub authentication is now enabled via token, instead of user and password.
Added flexibility in Maven and Gradle project scanning: New configuration parameters, maven.downloadMissingDependencies and gradle.downloadMissingDependencies, control whether missing dependencies are downloaded, which can also speed up scans.
In multi-module Maven and Gradle projects, the Unified Agent automatically detects if a Maven or Gradle project should be scanned, eliminating the need to manually enter a project name.
An existing parameter, gradle.localRepositoryPath, now has the ability to look for more than one Gradle local repository path in case of Gradle resolution.
Improved configuration time: The Unified Agent configuration file now lists the predefined URL for each SaaS environment as a commented-out entry, saving configuration time and preventing incorrect URLs. Users need only uncomment the relevant one.
The Unified Agent can fetch dependencies and provide a hierarchy tree for projects which do not contain the ‘vendor’ folder. This provides improved results when scanning Go projects using the VNDR, GoDep, and Dep package managers.
Added flexibility: The API calls saveProductTag, getProductTags, removeProductTag, and getOrganizationProductTags have added the ability to define tags on the product level.
There is a new added ability to ignore alerts via API. Additionally, to all the alerts-related APIs (Alerts and Alerts by Type), a unique identifier (alertUuid) has been added to each alert (relevant for API version 1.2 only).
Multiple instances of the same package dependency will now appear in the getProjectLibraryDependencies API. NOTE: The format of this API has been changed.
Added flexibility to the Bitbucket integration: A new parameter, fail.builds, lets users configure whether Bitbucket builds fail when vulnerabilities are found.
In WhiteSource Advise for Chrome, CDNJS URL scans are now supported.
New streamlined multi-module process - In the multi-module Prioritize, a new command-line parameter, overrideExistingSetup = true, enables users to remove the pause between multi-module steps.
[Fixed] In the Inventory report, when match by filename was not selected, a filename match still occurred.
[Fixed] Under certain conditions, alerts weren't removed for deleted vulnerabilities.
[Fixed] Handling changed paths and vulnerability traces tasks took over 10 hours to complete.
[Fixed] After performing the Apply to Pending Requests action on product-level policies, a “server error” message was displayed.
[Fixed] Several identical licenses were assigned to the same library.
[Fixed] The API call getProductRiskReport took an excessively long time to run.
[Fixed] In the Dashboard, in License Analysis, clicking Facebook BSD + Patents displayed an empty report even though the relevant license exists.
[Fixed] When retrieving Gitta cached results under certain conditions, a NullPointerException was displayed.
[Fixed] When handling update requests, an exception occurred.
[Fixed] The Unified Agent experienced memory issues.
[Fixed] When scanning a GitLab repository using Source Control Management (SCM) configuration, an error message was received.
[Fixed] WhiteSource Bolt for Azure report was not available in the Azure DevOps multi-stage pipelines preview.
[Fixed] When integrating Prioritize with Gradle, the log analysis process failed for sub-modules.
[Fixed] Under certain conditions, the config file mistakenly created a new WhiteSource directory instead of including all configuration settings in the build directory.
[Fixed] R resolver: the library name did not match the package name in the DESCRIPTION dependency file.
[Fixed] Docker scans would hang when retrieving images.
[Fixed] In the Unified Agent, in the log, different parameters had the same name.
[Fixed] The Library WhiteList did not block Reject policy violations.
[Fixed] After the Unified Agent scanned .js files, some of the files were replaced by other versions with a different SHA-1.
[Fixed] Under certain conditions, the WhiteSource Application did not identify NuGet packages.
[Fixed] Under certain conditions, when the Unified Agent ran on NuGet, it did not clear the packages directory and failed on a second run.
[Fixed] The Unified Agent log displayed thousands of attempts to access irrelevant URLs.
[Fixed] A proper error message for the Python errors in the debug log level was not generated.
[Fixed] Python dependencies were not resolved in hierarchical mode.
A new link is provided for GitHub.com integration App to differentiate it from the existing registration flow for Bolt for GitHub App. Refer to https://github.com/apps/whitesource-for-github-com
WhiteSource Advise for Chrome - Added support for displaying licensing & vulnerabilities information for “R” language packages.
More flexible scanning of Kubernetes resources using webhooks: the ability to control whether new pods created in a cluster are included in or excluded from a scan.
Added flexibility: For customers using automated CI tools (such as Jenkins CI), when WhiteSource Prioritize (EUA) runs without a configuration file, the following parameters are now supported through the CLI: maven.ignoreMvnTreeErrors, maven.runPreStep=false, gradle.runPreStep=false, analyzeFrameworksReference, npm.resolveMainPackageJsonOnly, npm.identifyByNameAndVersion, npm.ignoreNpmLsErrors=false, viaDebug.
Extended support for multi-module analysis:
The following parameters are now supported through CLI: productName, Mode.
Extended Notification: A new email notification rule can be enabled for major audit log events, such as policy creation/modification/deletion/re-ordering or product/project deletion. Available through the Admin → Notification Settings page.
Inventory report: A new bulk actions menu reduces the time to execute an action (such as “assign license”) on a list of selected libraries.
Extended JFrog Artifactory Integration -
Support updating the JFrog Artifactory “properties” tab of an artifact with vulnerability and licensing information from the WhiteSource scan.
Support accessing JFrog Artifactory repository using a token for enhanced security. The following configuration parameters were added: ‘artifactory.accessToken’, ‘artifactory.url’.
More informative summary statistics at the end of a scan: the output now lists each language extension for which binary/source files were found and, for each extension, how many source/binary files were scanned.
[Fixed] In certain scenarios, applying a filter in the Alerts report left the screen hanging with a “Loading Data” message.
[Fixed] JIRA integration - An error was returned when trying to create a JIRA ticket as part of a policy action because no JIRA credentials were set.
[Fixed] In certain scenarios request processing time of the application was very long in Azure EU system.
[Fixed] In certain scenarios, when manually changing the origin library of two different libraries consecutively, the "Show me some options" results of the second library were refreshed only after a few seconds.
[Fixed] HTML resolver - In certain scenarios an error occurred when resolving HTML dependencies.
[Fixed] In some cases, scanning Android projects created duplicate entries in the inventory.
[Fixed] WhiteSource Bolt activation for Azure DevOps Server 2019 failed due to registration phase error.
[Fixed] In certain scenarios archive extraction didn’t work correctly for some jar & war files.
[Fixed] WhiteSource For Containers - Docker image which was configured in the ‘docker.includes’ parameter wasn’t scanned.
[Fixed] When running a scan using UA with debug mode the reported path in the log was the executable path instead of file path.
[Fixed] When running the UA from PowerShell with command-line parameters whose names include “.”, a parsing error was returned.
[Fixed] In certain scenarios when a proxy is configured in the UA configuration file an error was returned from a scan.
WhiteSource for Developers is a new paid bundle that augments the WhiteSource Core offering and includes four enhanced capabilities:
WhiteSource Remediate - Continuously track repositories to identify vulnerable open source components and generate fix pull requests (PR) automatically thus automating the remediation process.
IDE Integration - Alerts developers on vulnerable open source components while coding within the IDE UI so developers don’t have to switch between applications or wait until they’ve committed the code.
Repo Integration - A native integration detecting all open source components in the repos, providing alerts, enforcing compliance, failing builds and pull requests and automating remediation guidance.
Browser Integration (formerly called Web Advisor) - A Chrome extension that allows developers to view a snapshot of a component’s details while browsing on web pages such as StackOverflow, Maven Central, GitHub and many more before they download it and incorporate it into the product.
Integration with Docker Hub - Support seamless scanning of Docker images from Docker Hub by pulling selected list of Docker images. The following configuration parameters were added: ‘docker.hub.enabled’, ‘docker.hub.userName’, ‘docker.hub.userPassword’, ‘docker.hub.organizationsNames’, ‘docker.pull.images’.
Support more flexible scanning of Kubernetes resources by providing the ability to scan entire cluster or more specific context.
Support the ability to enforce vulnerability verification on an entire Kubernetes cluster or on a specific context.
Support Role Based Access Control when using Affinity on Kubernetes nodes.
More flexible naming of the image to scan, so that the same WhiteSource project can be reused across builds (the imageID changes between builds). A new configuration parameter, ‘docker.projectNameFormat’, was added.
Compare Products report: The product dropdown (both source and target) is now sorted alphabetically, reducing the time to find a product to compare.
Compare Projects report: Support more flexibility of projects comparison by providing the ability to compare a project in one product to a project in a different product.
UA Extended Coverage:
Added support for the ‘R’ language ‘RStudio’ and ‘Packrat’ packages. The following configuration parameters were added: ‘r.resolveDependencies’, ‘r.runPreStep’, ‘r.ignoreSourceFiles’, ‘r.cranMirrorUrl’.
Support scanning JFrog Artifactory using Artifactory APIs (will be an alternative to the Artifactory plugin in the future). The following configuration parameters were added: ‘artifactory.accessToken’, ‘artifactory.url’, ‘artifactory.repoKeys’ , ‘artifactory.enableScan’.
Support more readable structure of UA configuration file by organizing the configuration parameters per relevant topics. The new template file can be downloaded from here
Corrected behavior of UA scan failure when scanning empty projects and using the parameter failErrorLevel=ALL.
Enhanced GoDep package manager by providing the ability to display more accurate hierarchy tree.
Support creating empty projects in WhiteSource for scanned empty projects by using a new configuration parameter ‘updateEmptyProject’. This behavior refers to all resolvers.
Maven Plugin: Support creating empty projects in WhiteSource for maven projects with multi-modules when some of the modules are empty by using a new configuration parameter ‘updateEmptyProject’.
[Fixed] In certain scenarios when the request with source files to match is very large (over 1M source files) there was an error from Gitta lookup.
[Fixed] In certain scenarios, libraries were incorrectly flagged with security vulnerabilities, or ignore comments were deleted.
[Fixed] Attribution Report - extra separation lines added when adding Header text.
[Fixed] Informative text on Alert Ignorers was missing in the Admin → Assignments page at the product level.
[Fixed] In certain scenarios, applying in-house rules to pending requests took a long time; performance has been improved.
[Fixed] The UA failed to resolve Ant dependencies because of external Ant parameters. A new configuration parameter, ‘ant.external.parameters’, was added; it takes a comma-separated list of <key=value> pairs.
Easier maintenance for managing service users: A link enables rotating the service user’s key. Once the rotation succeeds, the message ‘User token changed successfully’ is displayed at the top of the screen.
Pending tasks for organization, product, and project scopes: Reduced the time to process multiple tasks that share a library by adding the ability to sort and filter by all fields.
Change Log History report: Extended auditing capabilities in policies by providing data on any change in policy management activities related to the Organization, Product, and Project scopes.
Support for integrating Apache Ant based projects including modules.
Added the configuration parameter ‘python.indexUrl’, which enables defining a local PyPI repository URL to use instead of the official PyPI repository (default value is null).
The Unified Agent can now read the ‘userKey’ and ‘apiKey’ values from environment variables, so they need not be stored in the configuration file.
Improved NPM resolution when downloading from a registry: If the HTTP response is 401 or 403 (authentication/authorization failure), downloading of further dependencies from that registry is canceled.
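The fail-fast behaviour described above, as an added example (not the Unified Agent's own code): after the first 401/403 from a registry host, the remaining tarballs on that host are skipped without a request, because the credential is wrong for that registry and every retry would repeat the failure and may trip a lockout, while 404s and other errors are recorded per URL and do not block the queue. The registry is simulated by a constructed table mapping tarball URLs to HTTP status codes, so it runs offline.

```python
"""Fail fast on registry auth failures while fetching NPM tarballs.

Added example, not the Unified Agent's own code.  `SAMPLE_STATUS` and
`fake_fetch` are constructed stand-ins for a real registry/HTTP client.
"""
from urllib.parse import urlparse

AUTH_FAILURES = {401, 403}


def download_all(tarball_urls, fetch):
    """Fetch each tarball with fetch(url) -> HTTP status code.

    Returns a dict of URL lists: "downloaded", "failed" and "skipped".
    A 401/403 blocks the registry host for the rest of the run; other
    non-200 statuses (404, 5xx) only mark that one URL as failed.
    """
    blocked_hosts = set()
    result = {"downloaded": [], "failed": [], "skipped": []}
    for url in tarball_urls:
        host = urlparse(url).netloc.lower()
        if host in blocked_hosts:
            result["skipped"].append(url)      # no request is sent at all
            continue
        status = fetch(url)
        if status == 200:
            result["downloaded"].append(url)
            continue
        result["failed"].append(url)
        if status in AUTH_FAILURES:
            blocked_hosts.add(host)            # stop hammering this registry
    return result


# Constructed sample: a private registry that rejects our token, the public
# registry that works, and one package that simply does not exist.
SAMPLE_STATUS = {
    "https://npm.private.example/lodash/-/lodash-4.17.21.tgz": 401,
    "https://npm.private.example/left-pad/-/left-pad-1.3.0.tgz": 401,
    "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz": 200,
    "https://registry.npmjs.org/nope/-/nope-0.0.1.tgz": 404,
}
REQUEST_LOG = []


def fake_fetch(url):
    """Stand-in for the HTTP client; records every request actually made."""
    REQUEST_LOG.append(url)
    return SAMPLE_STATUS[url]


def run_sample():
    """Run the resolver over the constructed sample; returns (result, requests made)."""
    REQUEST_LOG.clear()
    result = download_all(list(SAMPLE_STATUS), fake_fetch)
    return result, list(REQUEST_LOG)


if __name__ == "__main__":
    outcome, requests_made = run_sample()
    print(f"{len(requests_made)} requests made")
    for bucket, urls in outcome.items():
        print(bucket, urls)
```

With the sample above only three requests go out: the second private-registry tarball is skipped as soon as the first one returns 401, while the public registry is still fully processed.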
Added the API calls ‘getOrganizationServiceUsers’ and ‘getProductServiceUsers’ for retrieving service user tokens at the organization or product level.
The API call ‘getOrganizationDetails’ retrieves the Organization name, creation date, number of Products, number of Projects, number of groups, and number of users.
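To show how these API calls (and the ones with optional fields such as ‘excludeProjectOccurrences’ on ‘getProjectLicenses’) are driven, here is an added example client in Python. It is not WhiteSource's own code or SDK. The request envelope (a JSON body with ‘requestType’, ‘userKey’ and an ‘orgToken’/‘productToken’/‘projectToken’ field, POSTed to the v1.3 endpoint) and the ‘errorCode’/‘errorMessage’ error envelope follow the public API; the WS_USERKEY environment variable name, the canned responses and the error code value are assumptions constructed for this example. The transport is injectable, so the envelope and error handling can be exercised offline, and the user key is never copied into error messages.

```python
"""Minimal WhiteSource SaaS API v1.3 client skeleton (added example, not WhiteSource code).

Assumptions for this example: the WS_USERKEY environment variable name and
the canned responses in FAKE_RESPONSES.  The envelope and error fields
follow the public API.
"""
import json
import os
import urllib.request

API_URL = "https://saas.whitesourcesoftware.com/api/v1.3"
SCOPE_TOKEN_FIELD = {
    "organization": "orgToken",   # the organization API key
    "product": "productToken",
    "project": "projectToken",
}


class WsApiError(Exception):
    """Raised for transport-level or API-level (errorCode) failures."""


def http_post_json(url, body):
    """Default transport: one JSON POST, response parsed as JSON."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def build_request(request_type, scope, token, user_key, **extra):
    """Assemble the v1.3 envelope for one call."""
    if scope not in SCOPE_TOKEN_FIELD:
        raise ValueError(f"unknown scope {scope!r}")
    body = {"requestType": request_type, "userKey": user_key,
            SCOPE_TOKEN_FIELD[scope]: token}
    body.update(extra)
    return body


def call(request_type, scope, token, transport=http_post_json, user_key=None, **extra):
    """Send one request; the user key comes from the environment unless passed explicitly."""
    user_key = user_key or os.environ.get("WS_USERKEY")  # assumed variable name
    if not user_key:
        raise WsApiError("no user key: set WS_USERKEY or pass user_key=")
    body = build_request(request_type, scope, token, user_key, **extra)
    resp = transport(API_URL, body)
    if isinstance(resp, dict) and "errorCode" in resp:
        # Report only what the server said; never echo the tokens from `body`.
        raise WsApiError(f"{request_type} failed: {resp['errorCode']} {resp.get('errorMessage', '')}")
    return resp


def organization_details(org_token, **kw):
    return call("getOrganizationDetails", "organization", org_token, **kw)


def project_licenses(project_token, exclude_project_occurrences=True, **kw):
    """getProjectLicenses without per-project occurrence data (smaller payload)."""
    return call("getProjectLicenses", "project", project_token,
                excludeProjectOccurrences=exclude_project_occurrences, **kw)


# Constructed canned responses so the example runs offline (shapes are illustrative).
FAKE_RESPONSES = {
    "getOrganizationDetails": {"orgName": "example-org", "numberOfProducts": 2},
    "getProjectLicenses": {"libraries": [{"name": "lodash", "licenses": [{"name": "MIT"}]}]},
    "getAllOrganizations": {"errorCode": 5001, "errorMessage": "User is not allowed to perform this action"},
}


def fake_transport(url, body):
    """Stand-in transport keyed on requestType; replace with http_post_json for real use."""
    return FAKE_RESPONSES[body["requestType"]]


if __name__ == "__main__":
    print(organization_details("ORG-TOKEN", transport=fake_transport, user_key="USER-KEY"))
```

Swap ‘fake_transport’ for the default ‘http_post_json’ to talk to the real service; the caller supplies the scope token, and the user key stays in the environment rather than in source or logs.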
GitHub integration: Added the ability to enable/disable the creation of open issues after the scan has been completed.
[Fixed] In certain scenarios, the number of libraries displayed on the ‘Top 10 Products’ panel differed from the number displayed on the specific product page.
[Fixed] Ignored Alerts report: Comments were not displayed after filtering by project.
[Fixed] Unified Agent: In certain scenarios, when the configuration parameter ‘npm.includeDevDependencies’ was set to ‘true’, the scan ignored this setting.
[Fixed] Unified Agent, Go code with a Gogradle environment: An issue could occur when passing information to the Unified Agent while using a custom build file ('build-inner.gradle') and settings file ('settings-inner.gradle').
[Fixed] Informative text on Alert Ignorers was missing in the Admin → Assignments page.
Granular notification settings: Advanced notification management - Added the option to configure notifications based on Project tags.
Project page: Enabled granular comparisons. Customers who maintain a project per scan can compare different scans by choosing two projects for comparison via a new button, and a report.
Enhanced auditing for administrative actions: Extended auditing capabilities for tracking product/project deletion. For each of the actions there will be a new record written in the Change Log History report.
Enhancement to the Attribution report: If copyright data is not available, it is explicitly noted as missing in the Summary table.
Support for the scanning of Apache Ant based projects including all their dependencies. Related configuration parameters have been added: ‘ant.resolveDependencies’ and ‘ant.pathIdIncludes’ (by default, both parameters are commented out).
Dep package manager for Go: The display of the hierarchy tree has been optimized.
Release management automation: Added the ability to obtain an attribution report via the API requests ‘getProductAttributionReport’ and ‘getProjectAttributionReport’.
The ‘getProjectComparisonReport’ API provides a project comparison report in an Excel format.
[Fixed] The Alerts report was not always updated after source files were moved to a new source library.
[Fixed] Classification of specific Microsoft ASP.NET libraries was erroneous.
[Fixed] Library Details page: The Library Type column of the Alerts table was not always populated.
[Fixed] Requests occasionally paused when a JIRA issue was created during a request update.
[Fixed] When the 'go.dependencyManager' parameter was not defined, the Unified Agent did not go through all the supported resolvers.
Simplified scope configuration when many scopes are ignored in the project: The ‘gradle.ignoredScopes’ configuration parameter now supports regular expressions.
More details in logs: The log file includes more information about ignored scopes of Gradle/Maven projects. This allows the user to quickly verify that all the ‘ignored_scopes’ dependencies are not parsed.
Added flexibility: When the new ‘npm.resolveMainPackageJsonOnly’ configuration parameter is set to ‘true’ (default is ‘false’), a scan is initiated only if a package.json exists in the folder given by the ‘-d’ parameter.
Enhanced Security: From this version and on, all Unified Agent JAR files will be digitally signed.
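Because the agent now ships signed, a practitioner will want to verify a downloaded JAR before running it. The added example below (not WhiteSource's own code) is a pre-flight check in Python: it confirms that the JAR carries a META-INF ‘.SF’ file together with a signature block (‘.RSA’/‘.DSA’/‘.EC’) and that the manifest digests match the entry contents, which catches an unsigned build or an entry modified after signing. It does not validate the signature itself or the signer's certificate chain; ‘jarsigner -verify -verbose -certs wss-unified-agent.jar’ does that, and the expected signer should be pinned. The sample JAR produced by ‘build_sample_jar’ is constructed for the example.

```python
"""Pre-flight check that a JAR is signed and internally consistent.

Added example, not WhiteSource's own code.  Signature validity and the
signer's certificate chain are NOT checked here; use jarsigner for that.
"""
import base64
import hashlib
import io
import zipfile

SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")
DIGEST_ALGOS = {"SHA-256-Digest": hashlib.sha256, "SHA1-Digest": hashlib.sha1}


def parse_manifest(text):
    """Return {entry_name: {attribute: value}} for the per-entry sections of
    a MANIFEST.MF.  A line starting with a space continues the previous
    attribute (the format wraps at 72 bytes); a blank line ends a section."""
    sections, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw == "":
            if current:
                sections.append(current)
            current = []
        else:
            current.append(raw)
    if current:
        sections.append(current)
    entries = {}
    for lines in sections:
        attrs = dict(line.split(": ", 1) for line in lines if ": " in line)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries


def check_jar(jar_path):
    """Return (signed, digests_ok, problems) for a JAR path or file object."""
    problems = []
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        has_sf = any(n.startswith("META-INF/") and n.upper().endswith(".SF") for n in names)
        has_block = any(n.startswith("META-INF/") and n.upper().endswith(SIG_BLOCK_SUFFIXES)
                        for n in names)
        signed = has_sf and has_block
        if not signed:
            problems.append("no META-INF/*.SF and signature block pair: JAR is not signed")
        if "META-INF/MANIFEST.MF" not in names:
            problems.append("META-INF/MANIFEST.MF missing")
            return signed, False, problems
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        digests_ok = True
        for name in names:
            if name.endswith("/") or name.startswith("META-INF/"):
                continue  # directories and the signature files are not digested entries
            attrs = manifest.get(name)
            present = [(a, f) for a, f in DIGEST_ALGOS.items() if attrs and a in attrs]
            if not present:
                digests_ok = False
                problems.append(f"{name}: no digest in manifest (entry not covered by signature)")
                continue
            data = jar.read(name)
            for attr, algo in present:
                if algo(data).digest() != base64.b64decode(attrs[attr]):
                    digests_ok = False
                    problems.append(f"{name}: {attr} mismatch (entry modified after signing)")
    return signed, digests_ok, problems


def build_sample_jar(signed=True, tamper=False):
    """Constructed sample: a tiny JAR with one class entry and its manifest digest."""
    payload = b"\xca\xfe\xba\xbe constructed class bytes"
    digest = base64.b64encode(hashlib.sha256(payload).digest()).decode("ascii")
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                "Name: com/example/Agent.class\r\n"
                f"SHA-256-Digest: {digest}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")
            jar.writestr("META-INF/SIGNER.RSA", b"\x30\x82 placeholder for the PKCS#7 block")
        jar.writestr("com/example/Agent.class", payload + (b"!" if tamper else b""))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    is_signed, ok, issues = check_jar(target)
    print(f"signed={is_signed} digests_ok={ok}")
    for issue in issues:
        print(" -", issue)
```

Run it as ‘python check_jar.py wss-unified-agent.jar’ and treat either a False result or any reported problem as a reason not to execute the file; then complete the check with jarsigner against the pinned signer.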
The configuration parameter ‘scanReportFilenameFormat’ indicates whether or not to add a timestamp to the JSON report filename.
Enhanced resolution for Maven projects that include multiple libraries with the same SHA-1. In these cases, the library page displays a new hyperlink stating "This SHA-1 has multiple matches: Click here to override the original match". Clicking the hyperlink will open a pop-up window, enabling a user to manually select alternative GAV coordinates from a list.
Optimized accuracy of data in Security Trends Dashboard:
After clicking on a chart, the related Alerts report only displays security vulnerability alerts.
The dashboard keeps its predefined context after navigating to another GUI page.
EUA was extended to support finding vulnerabilities in open source development frameworks. This feature is useful for customers using frameworks such as Spring, Hibernate, Struts, etc. The new parameter ‘analyzeFrameworks’ enables/disables analyzing framework code for reported vulnerabilities.
‘Alert Resolution Duration’, ‘Alerts’, and ‘Ignored Alerts’ reports: Added a timeframe menu for selecting an interval: ‘All time’, ‘last month’, ‘last 3 months’, ‘last 6 months’, and ‘last 12 months’.
Dynamic notification setup: The API call ‘setProjectSetupNotificationConfig’ enables defining rules for sending email notifications regarding new tasks, requests closed by policy, and project setup completion.
Flexibility for service users: The ‘regenerateUserKey’ API call enables regenerating a user key for an existing service user. This allows you to keep each service user as part of a group and, when required, reassign their permissions when revoking or adding credentials.
The ‘getProjectDueDiligenceReport’ API call enables you to retrieve a project level Due Diligence report.
The ‘getRequestState’ API call can also be used by the Product Integrator.
GitHub integration: Added information on the path of the dependency file from the vulnerable library in cases where it originates from a package dependency.
Artifactory Plugin: The ‘archiveExtractionDepth’ parameter enables defining the maximum drill-down hierarchy level in Java, Ruby and Python archive files (the default value is 2, and the maximum value is 7).
Optimization of user roles: Users may assign licenses/copyrights only if they are one of the following:
License and Copyright Assigner
Organization Default Approver
Note: The ability as a 'Product Default Approver' or 'Product Administrator' to assign licenses/copyrights has been removed.
[Fixed] In specific settings the ‘getVulnerabilitiesBetweenDates’ API call may not function properly.
[Fixed] Attribution report: In certain browsers, the 'Library' column may not be properly displayed.
[Fixed] 'Set as Home Page' option does not work with SAML.
[Fixed] Project Page: The Library pane size may change when switching between ‘Flat list’ and ‘Hierarchy’ views.
[Fixed] Attribution report: Occasionally, issues may occur while exporting the report as a ‘.txt’ file.
[Fixed] Gradle based projects: Issues may occur during the scan in specific cases when no source files are in the project.
The WhiteSource Library Search feature will be deprecated as of this release.
The new Containers dashboard enables you to pinpoint security vulnerabilities at various levels, providing a clear view of Kubernetes resources along with the ability to filter, sort, and view the vulnerabilities per pod and image in the cluster. See also The Containers Dashboard.
Improved container scanning coverage: Added the option to scan a Docker image from a Google Container Registry. See also Google Container Registry Docker Integration.
NPM: Added the ability to fetch the project name from the ‘package.json’ dependency file via the Boolean configuration parameter ‘npm.projectNameFromDependencyFile’.
Added support for Julia source files with the file extension ‘.jl’.
Added support for car archive files with the file extension ‘.car’.
Added a behavior rule to the existing 'failErrorLevel' parameter in order to enhance the precision of the scanning policy: If this parameter is ‘ALL’, then scan fails when ‘productName’ and ‘productToken’ are missing, and no ‘projectToken’ is defined in the configuration file. See also The failErrorLevel Parameter of the Unified Agent.
Yarn dependency management: Added the new parameter ‘npm.yarn.frozenLockfile’ that enables running the pre-step with the ‘--frozen-lockfile’ yarn parameter.
Scan report in JSON Format:
Accurate reporting time frames: In addition to a date, a timestamp was also added to the JSON based scan report’s filename. For example, ‘ProjectA-2019-03-01T130102+0200-scan_report.json’.
Added custom attributes data. For each library, the relevant custom attribute values are displayed.
Added policy and vulnerability statistics data to local scan report. See also Unified Agent JSON Report Example.
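As an added example (not WhiteSource's own code), a small Python parser for the timestamped scan report filename format shown above; it assumes the project name, date, time and UTC offset are separated exactly as in the ‘ProjectA-2019-03-01T130102+0200-scan_report.json’ example, and uses the parsed timestamps to pick the most recent report per project so a CI job can locate the latest results.

```python
import re
from datetime import datetime
from typing import Iterable, NamedTuple, Optional

# Filename pattern taken from the example in the release notes:
#   ProjectA-2019-03-01T130102+0200-scan_report.json
# Project names may themselves contain hyphens, so the project group is
# greedy and the fixed date/time/suffix tail disambiguates it.
_SCAN_REPORT_RE = re.compile(
    r"^(?P<project>.+)-"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}T\d{6}[+-]\d{4})"
    r"-scan_report\.json$"
)


class ScanReportName(NamedTuple):
    project: str
    generated: datetime  # timezone-aware, from the +HHMM offset in the name


def parse_scan_report_filename(name: str) -> Optional[ScanReportName]:
    """Split a timestamped Unified Agent scan report filename into its parts.

    Returns None for filenames that do not follow the timestamped format
    (for example reports written without the timestamp, or unrelated files).
    """
    match = _SCAN_REPORT_RE.match(name)
    if match is None:
        return None
    generated = datetime.strptime(match.group("stamp"), "%Y-%m-%dT%H%M%S%z")
    return ScanReportName(match.group("project"), generated)


def latest_report_per_project(names: Iterable[str]) -> dict:
    """Map each project name to the filename of its most recent report.

    Offsets are honoured, so a 13:01:02 +0200 report is older than a
    12:01:02 +0000 report of the same project.
    """
    newest: dict = {}  # project -> (generated, filename)
    for name in names:
        parsed = parse_scan_report_filename(name)
        if parsed is None:
            continue  # skip files that are not timestamped scan reports
        current = newest.get(parsed.project)
        if current is None or parsed.generated > current[0]:
            newest[parsed.project] = (parsed.generated, name)
    return {project: filename for project, (_, filename) in newest.items()}


if __name__ == "__main__":
    # Constructed sample directory listing, not real scan output.
    sample = [
        "ProjectA-2019-03-01T130102+0200-scan_report.json",
        "ProjectA-2019-03-01T120102+0000-scan_report.json",
        "my-service-2019-03-02T083000-0500-scan_report.json",
        "ProjectA-2019-03-01-scan_report.json",  # no timestamp: ignored
        "wss-unified-agent.config",
    ]
    for project, filename in latest_report_per_project(sample).items():
        print(project, "->", filename)
```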
Quicker navigation and bookmarking: Added the ability to set the 'Home' or 'All Products' page as the default home page after the user logs in. See also Setting the Homepage.
Improved libraries license assignment workflow: A clear message explains that a multiple license library automatically changes to a single license library after one of its licenses is manually modified. In addition, the ‘change’ link for each license was changed to a single ‘override’ button on the relevant panel.
Security Trends Dashboard: A drill-down option is offered on any of the displayed charts in order to provide more granular data in security management views. After a user clicks on a chart, the relevant report is displayed with the same scope and interval settings as in the chart.
Policies: Improved granularity of policies in order to allow enforcing compliance on project levels.
A new Effective Usage Analysis summary report provides information on the Projects inspected with Effective Usage Analysis (EUA). See also Effective Usage Analysis Summary Report.
Enhanced service user automation: The new API call 'createServiceUser' enables adding a service user.
The following API calls enable fetching a list of all custom attributes along with their set of values for each library on a Project/Product/Organization level: ‘getOrganizationCustomAttributeValues’, ‘getProductCustomAttributeValues’, ‘getProjectCustomAttributeValues’.
Improved automation for granular policy enforcement: Added API calls to manage policies on a Project level. These API calls include ‘getProjectPolicies’, ‘addProjectPolicy’, ‘updateProjectPolicy’, ‘removeProjectPolicies’, ‘reorderProjectPolicyPriorities’.
[Fixed] Library Version Comparison page: An error in loading the page may occur for specific libraries.
[Fixed] In specific libraries, the alert on a library is marked as ‘ignored’, but the scan still fails.
[Fixed] Inventory report: Sorting by license may not always display the report in the desired order.
[Fixed] An error related to the stopwatch class has been fixed.
[Fixed] In certain cases, the temporary WhiteSource directory names may be too long and their paths may exceed 260 characters.
New level of automation is available by defining ‘Service Users’. These programmatic users are only allowed to access WhiteSource via APIs. Service Users cannot log into the GUI, and they can communicate with WhiteSource via the API for automation and CI/CD purposes. The Organization Administrator can manage service users (Home Page → Admin → Users). See also Managing Service Users.
Improved navigation in Project Page:
Added a 'View Licenses' link to access the Due Diligence report directly from the Licenses widget while maintaining the Project scope.
Added a 'View Vulnerabilities' link to access the Vulnerabilities report directly from the 'Library Vulnerability' widget while maintaining the Project scope.
A new ‘getProjectRiskReport’ API request has been added to retrieve the Risk report in PDF format for a specific Project scope.
The new ‘getOrganizationContainerVulnerabilityReport’ and ‘getClusterVulnerabilityReport’ API requests have been added to retrieve the Containers Vulnerability report. These requests support Excel and JSON formats.
Improved integrations and automation: A summary report in JSON format can be automatically generated locally at the end of each scan. This report includes information on vulnerabilities, policy violations, top fixes and inventory details. The new ‘generateScanReport’ configuration parameter enables generating this report when it is set to true (default is false).
Enhanced automation and ability to call additional API requests: When the new configuration parameter ‘generateProjectDetailsJson’ is set to ‘true’, the Unified Agent generates a JSON file named ‘scanProjectDetails.json’ containing the projectToken(s) and projectName(s) from the last scan that ran (default value is false).
Improved scanning granularity: Added the ability to run a scan that excludes specific direct or transitive dependencies via the parameter 'excludeDependenciesFromNodes'. Values for this parameter can include one or more artifact IDs, and regular expressions can also be used to define which artifact IDs to exclude.
Scanning transparency and predictability: Easily view the steps that ran as part of a scan, and understand how long each step took. A start/end indication is displayed for each scan step. A summary at the end of the scan with all the relevant information on each step is also displayed. See also Unified Agent Scan Steps & Summary.
The new configuration parameter for NuGet named ‘nuget.packagesDirectory’ enables providing a path to the directory where the WhiteSource temporary files are created.
Artifactory: Added the option to scan Docker images stored in the Artifactory Docker Registry. The following related Unified Agent configuration parameters were added: ‘docker.artifactory.url’, ‘docker.artifactory.userName’, ‘docker.artifactory.userPassword’, ‘docker.artifactory.repositoriesNames’.
A new configuration parameter ‘nuget.preferredEnvironment’ enables the user to define the preferred ‘restore’ command for performing the nuget dependency resolution. Available values are 'nuget' and 'dotnet'.
The new Effective Usage Analysis Detailed Results report allows obtaining comprehensive details about EUA analysis for the organization, product, and project levels. It includes high-level risk and EUA scores for Products and Projects, and supports exporting details on analysis in XML and Excel formats.
The Containers Vulnerabilities report can be exported in Excel and JSON formats.
Enhanced granularity in Risk report: Added the ability to generate the report for the project level.
The ‘productName’ parameter is now supported in the CLI when running the xModuleAnalyzer. See also related documentation.
[Fixed] Ignored Alerts report: Manual comments may not be displayed properly.
[Fixed] Attribution report: Issues may occur when exporting a report with the ‘Reference generic license’ option selected.
[Fixed] Security Trends Dashboard: The entire organizational data is displayed for all users, including the users who do not have permissions to view all of the Products.
[Fixed] Effective Usage Analysis (EUA): A Java exception may occur when running the Unified Agent with both Gradle and Maven related parameters enabled.
The new WhiteSource Kubernetes Controller is a designated pod in the Kubernetes cluster. When installed, it scans the entire cluster as a baseline for future changes and displays the full picture of libraries, images, alerts, vulnerabilities, and licenses. This pod then tracks changes in the cluster (for example, a new deployment or image modification), scans the container images, and reports security-related cluster information, such as vulnerabilities per pod. See also the documentation page.
Note: This feature is currently a controlled release. For more information, please contact email@example.com
Added an indication for the number of requests and conditions a specific user requested. The Admin users page includes an option to change the assignment of requests.
Added support for the ‘vgo’ (‘Go Modules’) package manager for ‘Go’. See also related documentation.
Serverless scanning: Added support to include and exclude components when scanning serverless functions (‘serverless.includes’ and ‘serverless.excludes’).
Added the ability to run the Effective Usage Analysis (EUA) feature without the need to maintain a configuration file.
The ‘getProjectHierarchy’ and ‘getProjectInventory’ API requests: Added a new (optional) Boolean parameter 'includeInHouseData'. When set to ‘false’, in-house libraries data is not returned in the API response (default is ‘true’).
The following API requests include a new optional parameter called 'format'. The format is 'xlsx' by default, and valid options include 'json' and 'xlsx': ‘getOrganizationAlertsReport’, ‘getProductAlertsReport’, ‘getProjectAlertsReport’, ‘getOrganizationVulnerabilityReport’, ‘getProductVulnerabilityReport’, ‘getProjectVulnerabilityReport’.
The new Containers vulnerabilities report displays the vulnerabilities per pod, namespace, and cluster. It enables the user to filter specific resources according to their context in the cluster. See also related documentation.
Attribution report: Missing copyright references are now marked with an asterisk (‘*’) character.
It is possible to export the following reports in JSON format via the GUI or via an API request: Alerts report, and Vulnerabilities report.
Due Diligence report: Added option to view the report data only for a specific project, in addition to a particular product.
[Fixed] Unified Agent: Microsoft TFS Integration: An ‘Invalid diff JSON structure’ error may be displayed in specific configuration settings.
[Fixed] An error message is not displayed when trying to create a user via the 'Create User' functionality with an email address that already belongs to an existing user.
[Fixed] The ‘Primary Attribute’ is not included in the export output of the report.
[Fixed] A number of options in the search dropdown menu are not displayed when searching by product name.
[Fixed] In certain scenarios the ‘Suspected unspecified license’ filter erroneously displays no records in the results.
[Fixed] Risk report: PDF output may include issues when exporting the report for a selected product.
[Fixed] Occasional pauses may occur while submitting new libraries via the Drag and Drop UI.
[Fixed] ‘Admin’ → ‘Users’ page → ‘Invite Users’ button: Email addresses that include a space as the last character of the address are not processed, and an error message is displayed.
[Fixed] The process of renaming a project may occasionally require a relatively long interval, and no indication is displayed on when the process will be completed.
[Fixed] SAML: Single Sign On (SSO) may not work properly after a certificate update.
[Fixed] In specific configurations a source library may be uploaded without its source files after the scan.
[Fixed] Security Trends Dashboard: Issues may occur in the output when selecting the 3-month and 6-month time frames.
[Fixed] In certain configurations libraries may be matched by their name although the ‘Match libraries by filename’ checkbox is cleared.
Release NPM Plugin version 19.2.1
Release TFS/VSTS Integration version 19.2.1
Release Nuget plugin version 19.2.1
Project & Product pages: Added a ‘View Inventory’ link in the Libraries pane that will open the Inventory report while keeping the Project/Product context.
Product navigation menu: When hovering over a specific product, the list of associated projects is displayed in the order that they were used (last used is displayed at the top of the list).
Added support for scanning containers. The following related configuration parameters have been added: ‘docker.scanContainers’, ‘docker.containerIncludes’, ‘docker.containerExcludes’. Note that the ‘Includes’ and ‘Excludes’ parameter values may be one or more of the following: Container ID, Container name, Image name.
Added hierarchy tree support for the ‘Glide’, ‘GoDep’, and ‘GoPm’ package managers that enables you to view direct and transitive dependencies.
NuGet Packages: Added support for viewing the hierarchy of the package(s). This feature includes the ability to view direct and transitive dependencies.
A new ‘inviteUserToWebAdvisor’ API request has been added to enable inviting users to download and use the Web Advisor. It allows organizations to self-provision Web Advisor users and integrate this self-provisioning into their self-service portals. This API request is available only in API version 1.1.
The ‘getProjectLibraryLocations’ API request: Added a 'dependencyFile' parameter that stores the manifest file path for each library.
It is possible to export the following reports in JSON format via the GUI or via an API request: Inventory report, Source File Inventory report, and Due Diligence report. The following API requests include a new optional parameter called 'format'. The format is 'xlsx' by default, and valid options include 'json' and 'xlsx': ‘getOrganizationInventoryReport’, ‘getProductInventoryReport’, ‘getProjectInventoryReport’, ‘getOrganizationSourceFileInventoryReport’, ‘getProductSourceFileInventoryReport’, ‘getProjectSourceFileInventoryReport’, ‘getOrganizationDueDiligenceReport’, ‘getProductDueDiligenceReport’.
Risk Report: Added an ‘Apply’ button for the selected scope (Organizational or Product) that generates the report only after it is pressed.
Attribution Report: A new option enables the user to select one of the following outputs in cases where the license reference cannot be obtained:
Leave license blank
Reference a generic license
[Fixed] Unclear error message is displayed when the Issue Tracker URL is invalid.
[Fixed] In certain scenarios, exceptions may occur when fetching Jira mandatory fields.
[Fixed] Manual Comments: The ‘&’ and ‘%’ characters are classified as illegal characters, and therefore, some URLs cannot be entered.
[Fixed] The Attribution report does not fully support foreign language characters in Unicode.
[Fixed] The ‘getOrganizationProjectVitals’ API request may require a relatively long time to complete.
[Fixed] When scanning a remote repository (using SCM settings), the Unified Agent also scans the directory where the Unified Agent was executed.
[Fixed] In certain Yarn based projects, dev dependencies are resolved even though the parameter ‘npm.includeDevDependencies’ is set to ‘false’.
[Fixed] The ‘productToken’ parameter is always ignored when running the Unified Agent with the ‘-requestFiles’ CLI parameter.
[Fixed] A returned output message is out of context when the Unified Agent runs on an SBT project without a defined target folder.
Effective Usage Analysis (EUA): Multi-Module Analysis can now include exclusion rules to support automatic/default and manual exclusion of files that should not be considered by the Unified Agent as valid ‘appPath’ candidates. The new Unified Agent CLI parameter ‘-analyzeMultiModuleExclusions’ allows the user to specify patterns for file names that should not be analyzed.
Checks API support for GitHub Integration: Added support for the Completed with 'Neutral' conclusion. This conclusion is displayed when a 'push' command is not valid. See also related documentation.
Attribution Report: Added custom attributes specified for the component in the summary report for both HTML and Text export formats.
Risk report: Added the ‘How Do We Compare?’ section to the PDF export of this report.
License compatibility report: Added an option to export the report in Excel and XML formats.
The following updates were made as part of the overall plan to move to a single scanning interface:
JAR file changed to ‘wss-unified-agent-<x.x.x>.jar’
Configuration file changed to ‘wss-unified-agent-<x.x.x>.config’
License changed from Open Source (Apache) to a WhiteSource Commercial license.
New distribution repo on GitHub (unified-agent-distribution)
The checkbox ‘Add project to default product when only project name is provided’ has been added to the ‘Integrate’ tab.
If only 'projectName' is provided in the configuration file (‘projectToken’, ‘productName’, ‘productToken’ are left empty), and the checkbox is not selected (default), then the first found project with the identical name is overridden. If the checkbox is selected in the same scenario, then the project is added by default to the product named 'My Product'.
Added the configuration parameter 'failErrorLevel', which sets additional scenarios to 'error' instead of 'success'.
[Fixed] Issues may occur while scanning a multi-module SBT project.
[Fixed] Issues may occur while scanning multiple projects on Bamboo.
Effective Usage Analysis (EUA):
[Fixed] While using the multi-module feature, sub modules are being overridden due to identical names. See also related documentation on updates to the setup file.
[Fixed] The summary of the Effective and non-Effective libraries may not always match when comparing them on a Product vs. Project level.
[Fixed] High Severity Bugs report: An error may occur in the generation of the report in specific scenarios.
[Fixed] Attribution report: HTML export of report does not support Chinese characters.
[Fixed] It is not possible to create a product with a name that includes non-Latin characters.
[Fixed] A fetched Due Diligence report in Excel format may not be properly formatted.
A Security Trends Dashboard presents users with a view of the organizational security posture over time. The dashboard is mainly intended for the organization's administrators, security officers, and application R&D managers. See also related documentation.
Risk report: Added a ‘How Do We Compare?’ section that displays how select measurements of your organization's risk and compliance levels compare to overall average statistics calculated for WhiteSource customers. See also related documentation.
WhiteSource Serverless Integration: Enables you to scan and monitor deployed FaaS, such as Lambda functions, utilizing the Unified Agent and Effective Usage Analysis technologies. WhiteSource is capable of understanding the effective references from the serverless functions to the vulnerable code in the called open source components. See also related documentation.
License Compatibility Report: This report provides information on the compatibility issues of library licenses in a project or product level. See also related documentation.
Effective Usage Analysis (EUA):
Policies: Added an option to create a policy based on Effective Usage Analysis shields. See also related documentation.
CVE detail displayed on the Security Vulnerabilities screen features a 'Top Fix' column that includes EUA analysis results.
Due Diligence report: Added a ‘License Type’ column that indicates one of the following license types: ‘Open Source’, ‘Commercial’, ‘Closed Source’, and ‘Unknown’.
The Attribution report now includes an option to export the report data by project as well as by component (library).
Dependency resolution is performed even when no binary or source file extension exists on a repository.
Support has been added for the Visual Studio 2017 new format of ‘.csproj’ files.