WhiteSource Advise for Visual Studio is an extension for Visual Studio that is designed to empower developers with important, valuable information on security vulnerabilities concerning open-source components employed in their development projects.
WhiteSource Advise for Visual Studio does the following:
It facilitates workflows by making critical component vulnerability information available to the software developer from within the IDE, preventing the need to use a separate application for such purpose.
It offers a transparent UX for developers, by seamlessly integrating with the IDE environment. It provides a dedicated view including reported security vulnerabilities (CVEs) as well as recommendations for fixing them.
WhiteSource Advise supports C#-based projects of the following types:
SDK-style projects based on .NET Core 2.0 and above
Non-SDK-style projects based on .NET Framework 4.5.2 and above
Ensure the following:
A Windows machine is being used (Linux and Mac are not supported)
A license key for WhiteSource Advise for IDE, available via one of the following options:
If you do not have direct access to the WhiteSource Application, obtain the license key from your WhiteSource Administrator.
If you have access to the WhiteSource Application, do as follows (NOTE: This option is only available when using version 20.11.1 or later of WhiteSource Advise):
Go to the WhiteSource Application.
Open the Profile page.
In the WhiteSource Advise - IDE Integration section at the bottom, select your organization.
Copy your personal license key to be used later in Activating WhiteSource Advise.
Visual Studio 2019 (any edition) is installed and you are familiar with its basic functionality
NuGet Package Manager must be installed
To install WhiteSource Advise, do as follows:
Start Visual Studio.
From the menu bar, select Extensions > Manage Extensions. The Manage Extensions screen is displayed.
In the Manage Extensions screen, open the Online section from the sidebar and click Visual Studio Marketplace.
In the Search area on the right, enter whitesource and press Enter.
Select the WhiteSource Advise extension, and click Download.
Click Close and restart Visual Studio so that the extension can be installed.
To activate WhiteSource Advise, do as follows:
Start Visual Studio, specifying the preferred project.
From the menu bar, click Extensions > WhiteSource > Activate WhiteSource Advise. The Activate WhiteSource Advise screen is displayed.
In Email, enter your organizational email (the email domain must be licensed to use Advise).
In License Key, enter your license key (See here for more information on how to obtain a license key).
Click Activate.
NOTE: If you check Remember license key, the activation credentials will be stored for later use. Once stored, the WhiteSource Advise activation credentials will be used for all projects.
Changes made to the WhiteSource settings will only apply after running the next scan. |
To configure WhiteSource Advise, do as follows:
From the menu bar, click Extensions > WhiteSource > Options. The Options screen is displayed.
Review the options and modify if necessary. See here for a list of all options.
Click OK.
Option | Description | Default Setting |
|---|---|---|
Automatically scan after build or rebuild action | When enabled, WhiteSource will trigger a scan after a Build or Rebuild action is performed on any of your solutions/projects. | Selected (checked) |
Only show issues for direct dependencies | When enabled, WhiteSource Advise will only return vulnerabilities for direct dependencies defined in your dependency file. | Unselected (not checked) |
Minimum vulnerability severity level | Alert only on detected vulnerabilities satisfying a Low/Medium/High minimum severity level.
| Low |
Include dev dependencies | Whether to alert on vulnerabilities detected in dev dependencies. | Unselected (not checked) |
To scan for security vulnerabilities, do one of the following:
Scanning a Solution
Scanning Projects
To manually scan a solution, do any of the following:
From the menu bar, click Extensions > WhiteSource > Scan Solution with WhiteSource Advise
From the Solution Explorer pane, right-click the solution and from the context menu, click Scan Solution with WhiteSource Advise
To manually scan one or more projects, do as follows:
Select one or multiple projects from the Solution Explorer pane.
Do one of the following options:
From the menu bar, click Extensions > WhiteSource > Scan Project(s) with WhiteSource Advise
From the Solution Explorer pane, right-click a project (or a selection of projects) and from the context menu, click Scan Project(s) with WhiteSource Advise
The WhiteSource window comprises three sections:
Statistics regarding the most recent scan
A table regarding vulnerability details
Statistics regarding the vulnerability distribution
Statistics regarding the most recent scan:
Last scanned projects - The total count of projects from the most recent scan
Last scan timestamp - The time the most recent scan began
Last scan result- The status of the most recent scan
A table regarding vulnerability details:
The WhiteSource window expands on the vulnerability details detected by WhiteSource. The window features the following columns:
Project - The scanned project where a vulnerability was found
Component - The scanned component reported to have a vulnerability
Version - The version of the scanned component reported to contain a vulnerability
Target Framework - The target .NET version of the component
Vulnerability - The identifier of the vulnerability. Clicking the identifier (link) opens the WhiteSource Vulnerability Lab providing more information.
CVSS - The security vulnerability's Common Vulnerability Scoring System (CVSS) score. If a CVSS 3 score is available, it will be displayed; otherwise, the CVSS 2 score will be displayed.
Severity - Reported severity for the vulnerability: High, Medium, Low
Dependency - Whether the vulnerable component is a Direct dependency (as defined directly in the pom.xml file) or a Transitive dependency
Description - The description of the security vulnerability
Top Fix- The top-rated remediation advice that WhiteSource recommends for each vulnerability. A condensed description of the recommended course of action is given
Additionally, you may do the following:
To sort the displayed WhiteSource Advise results based on a preferred column, click the corresponding column header where possible.
Statistics regarding the vulnerability distribution:
Security vulnerability scan summary - The number of High, Medium, and Low severity vulnerabilities in the table, plus the total number of vulnerabilities
To view version information about WhiteSource Advise, do as follows:
From the menu bar, click Extensions > WhiteSource About WhiteSource Advise. The About screen is displayed.
The About screen displays information about the extension version, along with links for Terms and Conditions and Privacy policy.
To upgrade the WhiteSource Advise extension, do as follows:
From the menu bar, select Extensions > Manage Extensions. The Manage Extensions screen is displayed.
In the Manage Extensions screen, open the Updates section from the sidebar and click Visual Studio Marketplace.
Select the WhiteSource Advise extension, and click Update.
NOTE: If the WhiteSource Advise extension is not displayed, a new version is not available.
Click Close and restart Visual Studio so that the extension can be updated.
To uninstall the extension, do as follows:
From the menu bar, select Extensions > Manage Extensions. The Manage Extensions screen is displayed.
In the Manage Extensions screen, open the Installed section from the sidebar and click Visual Studio Marketplace.
In the Search area on the right, enter whitesource and press Enter.
Select the WhiteSource Advise extension, and click Uninstall.
In the popup, click Yes.
Click Close and restart Visual Studio so that the extension can be uninstalled.