This page explains details of the Security and License policy violation issues generated by WhiteSource in your repositories.
Selecting a specific security vulnerability type issue displays its details. The display changes according to the type of library:
NOTE: WhiteSource supports displaying multiple libraries for the same CVE; the libraries will be displayed in the same issue.
Component-based library (e.g., '*.tgz', '*.jar' ): It includes the following information:
Vulnerable library: Includes the path to the dependency file and the path of the library. If the path is of a transitive dependency, then only the path information of the root library is displayed. This section also contains a commit link, which includes the path to the commit link where the vulnerability was found. NOTE: The originating branch of the vulnerability is also displayed in case the baseBranches configuration was used.
Vulnerability details: Description of vulnerability, published date, and link to the vulnerability source website.
CVSS 3 score: Basic CVSS3 score metrics. If this score is not available then the CVSS 2 score is displayed.
Suggested fix: A detailed suggestion that includes type, origin, release date, and fix resolution. Note that a fix may not always be available.
Automatic Remediation is available for this issue - (NOTE: Supported from version 19.9.1.1 in self-managed integrations) Part of WhiteSource Remediate. Displayed only when automatic remediation is available for the issue, and when the issue does not contain more than a single component.
Check this box to open an automated fix PR/MR - (NOTE: Supported from version 20.2.2 in self-managed integrations) Provides the ability to generate fix PR/MRs on-demand without defining workflow rules in advance. This checkbox is displayed only if automatic remediation is available for the issue and no workflow rules were added yet for the repository. Note that after clicking the checkbox, WhiteSource Remediate immediately generates a fix PR/MR to remediate the given issue.
Source file-based component: It includes the following information:
Vulnerable library: Includes a description of the vulnerable source library, a link to the source library home page, a commit link, and the path to the commit link where the vulnerability was found. NOTE: The originating branch of the vulnerability is also displayed in case the baseBranches configuration was used.
Library Source Files - A list of source files found in the vulnerability source library.
Vulnerability Details: Description of vulnerability, published date, and link to the vulnerability source website.
CVSS 3 score: Basic CVSS3 score metrics. If this score is not available then the CVSS 2 score is displayed.
Suggested fix: A detailed suggestion that includes type, origin, release date, and fix resolution. Note that a fix may not always be available.
Selecting a specific license policy violation type issue displays its details:
Library: Includes details of the library containing a license policy violation. It also includes the path to the dependency file and the path of the library. If the path is of a transitive dependency, then only the path information of the root library is displayed. This section also contains a commit link, which includes the path to the commit link where the license policy violation was found. NOTE: The originating branch of the license policy violation is also displayed in case the baseBranches configuration was used.
License Details: Description of the license including the license name, a link to the original license, and a license reference file. NOTE: When a policy violation affects a library containing multiple licenses, all of the library licenses are displayed, including the license violating the policy.
License Policy Violation: The name of the license policy violation as defined in the WhiteSource UI, along with the policy level (Organization/Product/Project).
Selecting a specific IaC violation type issue displays its details:
NOTE: Only supported in WhiteSource for GitHub.com.
Violation detected in file: Includes details of the affected configuration file containing an IaC violation. It also includes the line numbers affected inside the file.
File Type: The type of configuration file. NOTE: Only Terraform configuration files are currently supported.
Details: Additional information regarding the IaC violation.