WhiteSource automatically identifies the open source components and dependencies in your build by continuously cross-referencing them against WhiteSource's database of open source repositories and their known vulnerabilities.

WhiteSource provides a dedicated instance that detects known security vulnerabilities (CVEs) in the dependencies of all FINOS hosted projects and enforces a policy on them (failing check runs and opening issues), using the WhiteSource for GitHub.com integration, which provides:

  1. Automatic (and configurable) scanning of all commits and Pull Requests
  2. Support for most of the languages and build tools currently used in FINOS projects
  3. Creation of GitHub issues carrying the CVE description and metadata


Note: Confidentiality and responsible disclosure

Since GitHub Issues on public repositories are public (and their permissions cannot be altered), every CVE the integration reports would be publicly visible, which poses a security risk for deployed installations of FINOS projects that have not yet upgraded the affected dependency. We are working with WhiteSource on a way to enable email notifications and disable GitHub issue creation while keeping the rest of the workflow as it is.


FINOS default configuration

Below is the default configuration suggested by FINOS, which is the same one the integration generates by default; more parameters and configuration options can be found on the WhiteSource integration docs page.

.whitesource (JSON):

{
  "scanSettings": {
    "configMode": "AUTO",
    "configExternalURL": "",
    "projectToken": ""
  },
  "checkRunSettings": {
    "vulnerableCheckRunConclusionLevel": "failure"
  },
  "issueSettings": {
    "minSeverityLevel": "LOW"
  }
}
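The three settings above decide whether the integration actually enforces anything: a check run that concludes "success" never blocks a Pull Request, and a minimum severity above LOW (or NONE) silently suppresses issues. The linter below, an added example that is not FINOS or WhiteSource code, reads a .whitesource document and reports settings that weaken scanning or enforcement, with the FINOS default beside a constructed weakened variant. The set of allowed values for each setting, the meaning of NONE, and the section names it recognises are assumptions taken from the WhiteSource for GitHub.com integration docs as we understood them; verify them against the current docs before relying on the checks.

```python
"""Lint a .whitesource file for settings that weaken scanning or enforcement.

Added example for this page; it is not FINOS or WhiteSource code. The allowed
values and their meaning are assumptions taken from the WhiteSource for
GitHub.com integration docs as we understood them; check the current docs.
"""
import json

# Assumed allowed values per setting (verify against the integration docs).
CONFIG_MODES = {"AUTO", "LOCAL", "EXTERNAL"}
CONCLUSION_LEVELS = {"failure", "success"}
SEVERITY_LEVELS = {"NONE", "LOW", "MEDIUM", "HIGH"}
KNOWN_SECTIONS = {"scanSettings", "checkRunSettings", "issueSettings"}

# The FINOS default configuration shown above, as one string.
FINOS_DEFAULT = """{
  "scanSettings": {"configMode": "AUTO", "configExternalURL": "", "projectToken": ""},
  "checkRunSettings": {"vulnerableCheckRunConclusionLevel": "failure"},
  "issueSettings": {"minSeverityLevel": "LOW"}
}"""

# Constructed weakened variant: external config without a URL, check runs that
# never fail, issues only for HIGH severity, and a section this linter does not know.
WEAKENED = """{
  "scanSettings": {"configMode": "EXTERNAL", "configExternalURL": ""},
  "checkRunSettings": {"vulnerableCheckRunConclusionLevel": "success"},
  "issueSettings": {"minSeverityLevel": "HIGH"},
  "remediationSettings": {}
}"""


def lint_whitesource_config(text):
    """Return a list of (level, message) findings; an empty list means no concerns."""
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", f"not valid JSON: {exc}")]
    if not isinstance(cfg, dict):
        return [("error", "top level must be a JSON object")]

    # A misspelled section is silently ignored by the app, so flag it.
    for section in cfg:
        if section not in KNOWN_SECTIONS:
            findings.append(("warning", f"section {section!r} is not recognised by this linter (typo?)"))

    scan = cfg.get("scanSettings", {})
    mode = scan.get("configMode")
    if mode is None:
        findings.append(("info", "scanSettings.configMode not set; WhiteSource default applies"))
    elif mode not in CONFIG_MODES:
        findings.append(("error", f"scanSettings.configMode {mode!r} is not one of {sorted(CONFIG_MODES)}"))
    elif mode == "EXTERNAL" and not scan.get("configExternalURL"):
        findings.append(("error", "configMode is EXTERNAL but configExternalURL is empty; the scan config cannot be fetched"))

    level = cfg.get("checkRunSettings", {}).get("vulnerableCheckRunConclusionLevel")
    if level is None:
        findings.append(("info", "vulnerableCheckRunConclusionLevel not set; WhiteSource default applies"))
    elif level not in CONCLUSION_LEVELS:
        findings.append(("error", f"vulnerableCheckRunConclusionLevel {level!r} is not one of {sorted(CONCLUSION_LEVELS)}"))
    elif level != "failure":
        findings.append(("warning", "vulnerable check runs conclude 'success': Pull Requests adding vulnerable dependencies will not be blocked"))

    sev = cfg.get("issueSettings", {}).get("minSeverityLevel")
    if sev is None:
        findings.append(("info", "issueSettings.minSeverityLevel not set; WhiteSource default applies"))
    elif sev not in SEVERITY_LEVELS:
        findings.append(("error", f"minSeverityLevel {sev!r} is not one of {sorted(SEVERITY_LEVELS)}"))
    elif sev == "NONE":
        findings.append(("warning", "minSeverityLevel NONE: no GitHub issues will be created for any CVE"))
    elif sev != "LOW":
        findings.append(("info", f"minSeverityLevel {sev}: CVEs below {sev} severity will not get a GitHub issue"))

    return findings


if __name__ == "__main__":
    for name, text in (("FINOS default", FINOS_DEFAULT), ("weakened", WEAKENED)):
        print(f"== {name}")
        for level, message in lint_whitesource_config(text) or [("ok", "no findings")]:
            print(f"  [{level}] {message}")
```

Run it against a repository's .whitesource before merging the Pull Request the app opens; the FINOS default produces no findings, while the weakened variant reports the empty external URL as an error and the non-failing check run as a warning.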


How to enable WhiteSource scanning

  1. Read the WhiteSource for GitHub.com integration documentation to learn what it does and how it works
  2. Email help@finos.org to request activation of the WhiteSource integration on a FINOS hosted project
    1. Once enabled, the app will open a Pull Request adding a .whitesource file to the root of the codebase
  3. Merge the Pull Request raised in step 2



How to test WhiteSource scanning

The easiest and least invasive way to test is to create a new branch, add a dependency with known security vulnerabilities, and commit the change; a few minutes later (the delay depends on build complexity) the app will have created one GitHub Issue for each CVE found. Do not merge that branch, and delete it once you have confirmed the behaviour.

If no issues are created and you want to know whether the scan was performed, email help@finos.org and the FINOS team will help you debug the bot's execution.



Glossary

To avoid confusion, below are some WhiteSource concepts whose names differ from the definitions used within the Foundation.

  1. A Foundation repository is a GitHub repository hosted by the Foundation; in WhiteSource terms, this is called a project
  2. A Foundation project is a logical entity that includes
    • one or more project leaders
    • a project team
    • one or more Foundation repositories; if there is only one, the project and the repository share the same name.
    • In WhiteSource terms, a Foundation project is called a product and can be accessed directly from the WhiteSource main menu; each WhiteSource product lists the projects (repositories) it includes.