WhiteSource bot scans devDependencies, but shouldn't

Description

See https://github.com/finos/cla-bot/issues/153

eslint-5.2.0 is part of devDependencies, so it should not have triggered the creation of an issue.

The .whitesource configuration in the cla-bot project is the default one, therefore npm.includeDevDependencies should be false (as default).

Acceptance Criteria

None

Attachments: 3 (17 Sep 2019, 10:19 AM; 17 Sep 2019, 10:08 AM; 12 Sep 2019, 10:37 AM)

Activity

Maurizio Pillitu September 17, 2019 at 10:19 AM
Edited

It worked! Thanks a lot.

I've scanned through the full WhiteSource library inventory, and dev dependencies are not being pulled.

Marking this issue as solved.

Ronen Soreq September 15, 2019 at 3:35 PM
Edited

Hi,

Update the NPM to run the pre-step (npm install), so the NPM gets built before the scan

#npm.runPreStep=true > npm.runPreStep=true

Share the debug log so I can have a better view: add “log.Level=debug” to the WS configuration file.

Ronen

James McLeod September 13, 2019 at 1:19 PM

Hi all - I suggest setting up a WebEx and debugging whilst sharing the screen. Let me know if this is acceptable and I’ll set up the session.

Maurizio Pillitu September 12, 2019 at 10:38 AM

Thanks!

GitHub default configuration includes Dev Dependencies (UA configuration excludes Dev Dep)

OK, that explains it. But at this point I'm unsure about the default configuration of the agent. Do these commented-out values represent the agent's default values, or the opposite values?

I updated https://github.com/finos/cla-bot/blob/develop/.whitesource to reflect the changes you proposed and the agent config points to a location on https://github.com/finos/contrib-toolbox/blob/master/finos-whitesource-agent.config .

As soon as I updated it, the WhiteSource scan was triggered on the CLA Bot, which now shows 1 library in the WhiteSource dashboard (see screenshot). However, there are 7 direct dependencies in the project; see https://github.com/finos/cla-bot/blob/develop/package.json#L29-L37

Do you know why? Can you help us debug this, maybe by reproducing the issue by forking the repo and playing with the configuration?

Thanks!

Ronen Soreq September 12, 2019 at 9:57 AM

Hi

GitHub default configuration includes Dev Dependencies (UA configuration excludes Dev Dep)

You may change the default behavior by updating the configuration (link below)

https://whitesource.atlassian.net/wiki/spaces/WD/pages/697696422/WhiteSource+for+GitHub.com#WhiteSourceforGitHub.com-Parameters

Parameter: configMode
Description: The configuration mode to be used for each scan. There are three options:

  • AUTO - Automatic mode. This will use the default WhiteSource configuration.

  • LOCAL - Local mode. This will look for a local 'whitesource.config' file to be provided in the root folder of the current repository. The configuration file should be in the same format as the Unified Agent configuration file.

  • EXTERNAL - External mode. This will look for a configuration file specified according to the configExternalURL parameter.

Parameter: configExternalURL
Description: The URL of the external configuration file (you can choose any filename). The configuration file should be in the same format as the Unified Agent configuration file.
The following protocols are supported: 'file://', 'ftp://', 'http://', 'https://'.
For example: 'https://mydomain.com/whitesource-settings/wss-unified-agent.config'
Note: This parameter is relevant only if configMode was set to EXTERNAL.

Parameter: projectToken
Description: Adds the ability to map a GitHub repository to an existing WhiteSource project. The parameter used needs to be the WhiteSource project token.
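The thread above turns on three things: whether npm.includeDevDependencies is effectively set in the Unified Agent style config (and whether a commented-out line counts as set, as asked on this issue), whether npm.runPreStep has been uncommented so npm install runs before the scan, and whether the libraries the scanner reports match the direct dependencies in package.json. The following Node.js script is an added example, not code from the cla-bot project or from WhiteSource. It parses a key=value agent config (treating '#' lines as comments, i.e. not set), reports the effective value of the two npm keys, and classifies a scanner inventory against package.json so that any devDependency that was scanned anyway stands out. The config text, package.json and inventory list are constructed samples; the assumed agent defaults (false for both keys) are marked in the code and follow the issue description's statement about includeDevDependencies.

```javascript
// Added example (not part of cla-bot or WhiteSource). Checks an agent-style
// config and a scan inventory for the devDependencies problem discussed here.

// Constructed sample: a Unified Agent style config where the two npm keys are
// still commented out, so neither is actually set.
const UA_CONFIG = `
# Unified Agent configuration (constructed sample)
#npm.includeDevDependencies=true
#npm.runPreStep=true
npm.resolveDependencies=true
log.level=debug
`;

// Constructed sample package.json: two direct dependencies, two devDependencies.
const PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: { express: "^4.17.1", "body-parser": "^1.19.0" },
  devDependencies: { eslint: "^5.2.0", mocha: "^6.2.0" },
});

// Constructed sample inventory as a scanner might report it. eslint is a
// devDependency, so its presence means dev dependencies were pulled in.
const INVENTORY = ["express", "body-parser", "eslint"];

// Parse key=value (or key:value) lines. Lines starting with '#' or '!' are
// comments, so a commented-out key is NOT set. Last occurrence wins.
function parseAgentConfig(text) {
  const settings = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith("!")) continue;
    const idx = line.search(/[=:]/);
    if (idx === -1) continue;
    settings.set(line.slice(0, idx).trim(), line.slice(idx + 1).trim());
  }
  return settings;
}

// Effective boolean for a key: the explicit value if present, otherwise the
// supplied fallback (the agent default, which this script does not know and
// therefore takes as a parameter).
function effectiveBool(settings, key, fallback) {
  if (!settings.has(key)) {
    return { value: fallback, source: "agent default (key not set)" };
  }
  return { value: settings.get(key).toLowerCase() === "true", source: "explicit" };
}

// Classify each inventory entry as a direct dependency, a devDependency, or
// unknown, and list direct dependencies the scanner did not report at all.
function classifyInventory(packageJsonText, inventory) {
  const pkg = JSON.parse(packageJsonText);
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const result = { direct: [], dev: [], unknown: [] };
  for (const name of inventory) {
    if (prod.has(name)) result.direct.push(name);
    else if (dev.has(name)) result.dev.push(name);
    else result.unknown.push(name);
  }
  result.missingDirect = [...prod].filter((n) => !inventory.includes(n));
  return result;
}

// Combine both checks into one report.
function report(configText, packageJsonText, inventory) {
  const settings = parseAgentConfig(configText);
  // Assumed defaults: false for both keys (the issue description states this
  // for npm.includeDevDependencies; runPreStep=false is an assumption here).
  const includeDev = effectiveBool(settings, "npm.includeDevDependencies", false);
  const runPreStep = effectiveBool(settings, "npm.runPreStep", false);
  return { includeDev, runPreStep, ...classifyInventory(packageJsonText, inventory) };
}

console.log(JSON.stringify(report(UA_CONFIG, PACKAGE_JSON, INVENTORY), null, 2));
```

With the sample inputs the report shows both npm keys falling back to the agent default because they are commented out, eslint listed under dev, and no direct dependency missing. A non-empty dev list while includeDevDependencies is false is the signal that the scan did not actually use this config (for example, the integration's own default applied instead), which is the situation the comments above work through.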

Created August 28, 2019 at 2:34 PM
Updated September 17, 2019 at 10:22 AM