How to Enable Renovate for WhiteSource for Developers Integrations

This article explains what Renovate does, how to enable it and how to configure it for your WhiteSource for Developers integrations.

What does Renovate do?

Renovate is a proactive tool that monitors your dependencies (vulnerable or otherwise) and creates a pull request when a new version is available. It does not scan your project for vulnerabilities or licenses, but instead monitors the version and opens pull requests to update your outdated dependencies.

How do I enable Renovate?

Renovate supports a range of configuration filenames; however, for the WhiteSource Remediate (WS-4-Devs) integration only the .whitesource configuration file is used. Renovate is disabled by default and can be enabled by setting remediateSettings.enableRenovate = true in that file, like so:

{
  "remediateSettings": {
    "enableRenovate": true
  }
}

How do I configure Renovate?

Any configuration you place within the remediateSettings object will be used by Remediate in the same way that Renovate normally uses a renovate.json configuration file. Therefore, if you have an existing renovate.json file in a repository but are migrating to WhiteSource Remediate, copy its contents inside remediateSettings before removing the renovate.json file. You can find all of the configuration options for Renovate on Renovate's documentation site.
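The enable-and-migrate procedure described above, as an added example that is not part of the original article or of WhiteSource's own tooling: it copies the keys of a renovate.json into the remediateSettings object of a .whitesource file, sets enableRenovate to true, and reports any key that already existed in remediateSettings with a different value so it can be reviewed rather than silently overwritten. The sample inputs are constructed; the scanSettings and workflowRules keys are assumed from WhiteSource's .whitesource format rather than taken from this page, and extends, schedule and packageRules are standard Renovate options.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample .whitesource file (not from any real repository).
# scanSettings / workflowRules are assumed .whitesource keys, not from the article.
SAMPLE_WHITESOURCE = """{
  "scanSettings": { "configMode": "AUTO" },
  "remediateSettings": { "workflowRules": { "enabled": true } }
}"""

# Constructed sample renovate.json to be migrated into remediateSettings.
SAMPLE_RENOVATE_JSON = """{
  "extends": ["config:base"],
  "schedule": ["before 5am on monday"],
  "packageRules": [{ "matchUpdateTypes": ["minor", "patch"], "automerge": false }]
}"""


def merge_renovate_into_whitesource(whitesource: Dict, renovate: Dict) -> Tuple[Dict, List[str]]:
    """Return (merged .whitesource config, list of conflicting keys).

    Every renovate.json key is copied under remediateSettings and
    enableRenovate is set to true. A key that is already present in
    remediateSettings with a *different* value is left untouched and
    reported in the conflict list, so a human reviews it instead of the
    migration silently changing an existing setting.
    """
    merged = json.loads(json.dumps(whitesource))  # deep copy; leave the input alone
    remediate = merged.setdefault("remediateSettings", {})
    conflicts: List[str] = []
    for key, value in renovate.items():
        if key in remediate and remediate[key] != value:
            conflicts.append(key)
            continue
        remediate[key] = value
    remediate["enableRenovate"] = True
    return merged, conflicts


def renovate_enabled(config: Dict) -> bool:
    """True only if remediateSettings.enableRenovate is the JSON boolean true.

    The string "true" or the number 1 are deliberately rejected so a
    mistyped value is caught before the file is committed.
    """
    remediate = config.get("remediateSettings")
    if not isinstance(remediate, dict):
        return False
    return remediate.get("enableRenovate") is True


if __name__ == "__main__":
    ws = json.loads(SAMPLE_WHITESOURCE)
    rn = json.loads(SAMPLE_RENOVATE_JSON)
    merged, conflicts = merge_renovate_into_whitesource(ws, rn)
    print(json.dumps(merged, indent=2))
    if conflicts:
        print("review these keys before removing renovate.json:", conflicts)
    print("Renovate enabled:", renovate_enabled(merged))
```

After the merge, commit the new .whitesource and delete renovate.json; keeping both files around invites the two configurations to drift apart, and only the .whitesource copy is read by the WS-4-Devs integration.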

Frequently asked questions:

What is the difference between Renovate and Remediate?

Renovate creates a pull request for outdated libraries (regardless of vulnerabilities). Remediate creates a pull request only for direct dependencies with vulnerabilities.

Do my WhiteSource scan settings impact Renovate?

When you enable Renovate it will check all of your libraries on a schedule (specified by you in the configuration) and will open pull requests to update any outdated libraries. This will occur regardless of whether the outdated library is vulnerable or not.

Remediate will only create pull requests for vulnerable libraries. Therefore, even though neither Renovate nor Remediate directly reads your WhiteSource scan configuration (whitesource.config), Remediate is affected by it, because it creates pull requests based on the vulnerabilities the WhiteSource scan identifies. If your WhiteSource scans exclude Gradle packages, for example, no vulnerabilities will be found for dependencies included in your project via a build.gradle file, and Remediate will therefore not open pull requests for any of those dependencies.

The configuration in your .whitesource file will affect the Renovate and Remediate processes; however, these settings live inside the remediateSettings block and therefore do not affect your WhiteSource scan.

Additional Resources:

You can find more information about Renovate in the following documents:

WhiteSource Remediate

Renovate