The Unified Agent is a Java command-line tool that scans directories' open source components for vulnerable libraries and source files, as well as license compliance, and uploads the results to the WhiteSource web application. The Unified Agent scans 200+ languages (source and binary files), and seamlessly integrates with repositories, multiple package managers, build tools, containerized environments, and CI/CD tools.
The process begins with setting up the Unified Agent to scan. There are several methods (in this order of precedence): Command-line parameters, environment variables, configuration file, or leave the config file's default values. See here for more information.
The Unified Agent scanning works the following way: Directories are scanned using GLOB patterns to identify the open-source components, whereupon the Unified Agent checks each new component against product/project level policies and organizational policies (note that no source code is scanned - only descriptive information is sent to WhiteSource). Policies are created to alert organizations to act based on predetermined actions and criteria, such as rejecting/accepting a component based on its license type. If any components were rejected by a policy, the Unified Agent provides a policy violation exit code, which can be used to fail a build.
At the end of the Unified Agent's scan, it aggregates the information and uploads it to the WhiteSource web application, where it is presented in an Organization/Product/Project hierarchy, enabling you to view and analyze the scan results. Additionally, an informative report of the results can be generated in HTML and JSON formats, located in the 'whitesource' folder. This folder is created in the directory where the Unified Agent ran.
WhiteSource administrators can configure several integrations of the Unified Agent with third-party components.
To use the Unified Agent, refer to the following sections:
- To get started with the Unified Agent, refer here.
- For configuration parameters, refer here.
- For advanced topics, refer here.
- For configuration parameters regarding native integrations (Azure DevOps and Repo integrations), refer here.