General Information

The plugin integrates automatic open source management with Jenkins.

Once set up, all usage of open-source software in the organization will be continuously and automatically synchronized with WhiteSource:

Supported since version 1.7. For previous versions of Jenkins plugin click here

The plugin currently supports Maven jobs, freestyle jobs and Maven pipeline jobs.

The plugin is licensed under the Apache 2.0 license. Source code and issues are hosted on GitHub.

Before you begin, note the following:


How it Works

Once the build is finished, the plugin determines which open source libraries are currently used by your project and sends that information to WhiteSource.

No source code is scanned. Only descriptive information is sent to WhiteSource.

Normal Flow

WhiteSource uses the collected information to create new projects or update existing ones.

Policy Check Flow

The plugin checks each new library against the organizational policies. If a library is automatically rejected by a policy then the build fails. Otherwise, your account is updated.

An informative report of the results is generated, regardless of the outcome.

The report files are saved in:

$JENKINS_HOME\jobs\<job name>\builds\<build YYYY-MM-DD_HH-mm-ss>\whitesource

Installing The Plugin

Go to Manage Jenkins → Manage Plugins → Available.

Search for WhiteSource → Select the checkbox → Press Install

Using The Plugin

Start by configuring the global settings. These settings apply across all jobs on this Jenkins master. Then set up the jobs that should interact with WhiteSource.

Global WhiteSource Configuration

Once the plugin is installed, go to Manage Jenkins →  Configure System.

Go to the WhiteSource section.

API Token

A unique identifier of the organization. You can receive an API token in the administration section of your WhiteSource account.

Service url

URL to where the request is sent. 

Use the 'WhiteSource Server URL' which can be retrieved from your 'Profile' page on the 'Server URLs' panel. For example: "https://saas.whitesourcesoftware.com".

Check policy compliance

Check that the introduced open source libraries conform with organization policies.

Check only new libraries - Check that the newly introduced open source libraries conform with organization policies.

Force check all libraries - Check that all introduced open source libraries conform with organization policies. 

Disable - Disable policies check when updating WhiteSource.

The plugin uses the same proxy configuration used by Jenkins to send information to WhiteSource.

Job Specific Settings

For each job you want to use the plugin for, you need to add a post build action. In job configuration 

Common Configuration

These fields are common to all job types. They are mainly here to allow different values for global settings.


Parameter | Meaning | Environment variable support
Product name or Token | Name or token to uniquely identify the product to update. | Yes
Product version | Version of the product to update. | Yes
Check only new libraries | Optionally override this property from global configuration. | Yes
Force check all libraries | Optionally override this property from global configuration. | No
Force update | Updates organization inventory regardless of policy violations. | No
Override API token | Optionally override this property from Global WhiteSource Configuration. | Yes
Override userKey | Unique identifier of the user; can be generated from the profile page in your WhiteSource account. | Yes
Project token | Unique identifier of the WhiteSource project to update. If omitted, default naming convention will apply. | Yes
Requester email | Email of the WhiteSource user that requests to update WhiteSource. | Yes
Connection Retries | Connection retries when unable to connect to WhiteSource service. | Yes
Connection Retries Interval | Wait time between connection retries. | Yes

* Environment variable support from version 1.8.1

Maven Jobs

Normally, for Maven 2/3 jobs, no extra configuration is required.

However, if you need more control over the plugin behavior, click on Advanced to show more options.

Parameter | Meaning
Module tokens | Map of module artifactId to WhiteSource project token.
Modules to include | Only modules with an artifactId matching one of these patterns will be processed by the plugin.
Modules to exclude | Modules with an artifactId matching any of these patterns will not be processed by the plugin.
Ignore pom modules | Set to true to ignore Maven modules of type pom.
Connection Retries | Connection retries when unable to connect to WhiteSource service (default value is 1).
Connection Retries Interval | Connection interval in seconds between two connection retries to WhiteSource service (default value is 3 seconds).

Freestyle Jobs

Projects that do not use a dependency management system such as Maven require a different configuration.

What we're looking for is descriptive information about each library used. We need to know which libraries to include and where to find them; that is the sole purpose of this configuration.

Parameter | Meaning | Environment variable support
Includes | Comma, space or line separated list of Ant style GLOB patterns specifying which files to include in scan. | Yes
Excludes | Comma, space or line separated list of Ant style GLOB patterns specifying which files to exclude from scan. | Yes

*Environment variable support from version 1.8.1

Supported Extension Types

Currently we support the following file extensions:

Binary File Extensions

jar, aar, dll, tar.gz, egg, whl, rpm, tar.bz2, tgz, deb, gzip, gem, swf, swc

Source File Extensions

c, cc, cp, cpp, cxx, c++, go, goc, h, hpp, hxx, m, mm, c#, cs, csharp, java, js, php, py, rb, swift

Pipeline Support

In order to use the WhiteSource Jenkins plugin, the following is required:

The Pipeline support also consists of Global WhiteSource Configuration:

And the job configuration, which is available when selecting the WhiteSource plugin inside the snippet generator:

Add the Generated Script

After filling in the desired fields, press the "Generate Groovy" button, and a Groovy script will be generated according to the specific job configuration.

Add the generated script to any build step inside your Jenkins Pipeline script file:

Maven pipeline 


node {
    stage('Build') {
        withMaven(
            maven: 'maven',
            mavenSettingsFilePath: 'path-to/settings.xml',
            mavenLocalRepo: '~/.m2/repository') {
            // 'api-token' and 'user-key' are placeholders for the values of your WhiteSource account
            whitesource jobApiToken: 'api-token', jobUserKey: 'user-key', libIncludes: '**/*.jar **/*.js', libExcludes: '', product: 'FT', productVersion: '', projectToken: '', requesterEmail: ''
        }
    }
}
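
The same pipeline with the API token and user key read from the Jenkins credentials store instead of being written into the script. This is an added example, not part of the plugin's documentation; it assumes the Credentials Binding plugin is installed, and the credential IDs 'whitesource-api-token' and 'whitesource-user-key' are hypothetical names for two "Secret text" credentials.

```groovy
node {
    stage('Build') {
        // Assumption: two "Secret text" credentials with these hypothetical IDs
        // exist in the Jenkins credentials store.
        withCredentials([
            string(credentialsId: 'whitesource-api-token', variable: 'WS_API_TOKEN'),
            string(credentialsId: 'whitesource-user-key',  variable: 'WS_USER_KEY')
        ]) {
            withMaven(
                maven: 'maven',
                mavenSettingsFilePath: 'path-to/settings.xml',
                mavenLocalRepo: '~/.m2/repository') {
                // Same step and parameters as the generated script; only the two
                // secrets come from the bound variables instead of string literals.
                whitesource jobApiToken: env.WS_API_TOKEN,
                            jobUserKey: env.WS_USER_KEY,
                            libIncludes: '**/*.jar **/*.js',
                            libExcludes: '',
                            product: 'FT',
                            productVersion: '',
                            projectToken: '',
                            requesterEmail: ''
            }
        }
    }
}
```

With this layout the token and user key never appear in the Jenkinsfile or in source control, and the Credentials Binding plugin masks the bound values in the console log.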

Link to known versions of the WhiteSource Jenkins plugin

https://updates.jenkins.io/download/plugins/whitesource/

Change Log


Version | Features | Release Date | Comments
20.8.1
19.1.1 | Update agents version
18.10.2 | Minor bug fixes
18.10.1 | Minor bug fix - fix text message; support both service URL with and without "/agent"
18.8.2 | Minor bug fixes
18.6.3 | Minor bug fixes
18.6.2 | Resume build upon failed communication to server
18.5.2 | Bug fix - using project token as identifier
18.5.1 | Added support for user-level access control in integrations; minor fixes
18.1.3 | Add support for Jenkins 2.102
18.1.1 | Bug fix - Freestyle job running
17.12.1 | Add support for maven pipeline job
17.11.4 | Minor fixes
1.8.2 | Bug fix - NPE exception on environment variables
1.8.1 | Add support for environment variables
1.8.0 | Minor fixes - remove jelly importing
1.7.9 | Add support for generic pipeline job
1.7.8 | Enable build failure on policy violation (even when force update is enabled)
1.7.7 | Bug fix - ignore for pom modules field
1.7.6 | Add force update option
1.7.5 | Bug fix - save proxy port
1.7.4 | Bug fix - fixing possible NPEs
1.7.3 | Minor fixes
1.7.2 | Move to JDK 1.7
1.7.1 | Bug fix - includes/excludes parameter in generic job
1.7 | Add check policies for all libraries
1.5.2 | Add fail on error param to global config
1.5.1 | Update latest version of maven-release-plugin
1.4 | Fix for proxy configuration
1.3 | Product identification; well known file extensions are now scanned by default in free style jobs; bug fixes
1.2 | Shelved version. Disregard
1.1 | Minor changes: communication with WhiteSource servers is now encrypted using SSL by default; several bug fixes in policy check report
1.0 | First release of the plugin