Warning: All the language-specific WhiteSource plugins have been deprecated in favour of the WhiteSource Unified Agent.
WhiteSource provides several integrations that can be configured in the build process in order to:
...
The integrations that have currently been tested are listed below.
NPM integration
The NPM integration performs the tasks mentioned above for JavaScript projects.
The configuration items are listed below.
Install WhiteSource npm
- Make sure you have npm installed on the command line
- Edit your package.json
  - add whitesource: 1.0.9, below devDependencies
  - add whitesource: node node_modules/whitesource/bin/whitesource.js run, below scripts
  - add
- Run npm install from the root project folder
...
```
ws-log*
ws-ls*
```
Configure WhiteSource metrics upload
Simply add a whitesource.config.json file to the project root folder, using the following configuration.
...
devDep enables the scanning of non-runtime packages; although the majority of license obligations affect distributed artifacts, setting devDep to true (and checkPolicies to true) could be useful to spot possibly harmful licenses.
Testing
Try to add scrollreveal: 4.0.0-beta.14 (a package released under the GPL-3.0 license) under dependencies, in your package.json, then follow the instructions below.
Scan code for WhiteSource policy violations
Simply run
```
export WHITESOURCE_API_KEY=<WhiteSource API Key>
npm install
npm run whitesource
```
...
```
OK: Config file is located in: ./whitesource.config.json
OK: Running whitesource...
OK: Done calculation dependencies!
OK: Building dependencies report
INFO: Total shasum found: 97
INFO: Missing shasum: 0
INFO: Total project dependencies: 97
OK: Saving dependencies report
OK: Getting ready to post report to WhiteSource...
OK: Check Policies: Posting to :https://saas.whitesourcesoftware.com:443/agent
OK: Code: 200 Message: OK
INFO: Checking Policies
OK: No policy violations. Posting update request
OK: Update: Posting to :https://saas.whitesourcesoftware.com:443/agent
OK: Code: 200 Message: OK
OK: Build success! ( took: 7.394s )
```
Travis CI integration
The following configuration embeds the WhiteSource integration in Travis CI, so that any commit across the branches of the current repository is monitored. The bash code (embedded in YAML format) reported below must be added to a .travis.yml file, but can also be adapted to run on other CIs.
...
Please note that Travis restricts access to the (encrypted) WhiteSource API Key for security reasons; as such, any Pull Request (PR) coming from other forks cannot run the WhiteSource integration. In order to enforce WhiteSource policies within the PR review mechanism, it is necessary to introduce an intermediate branch, hosted in the repository (i.e. whitesource-validation), where PRs are merged - assuming they pass all other validations - before being merged to the final (i.e. master) branch.
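A gate for the restriction described above, as an added example that is not part of the original page or of WhiteSource's tooling: it skips the scan on PR builds, runs it on push builds that have the key, and fails closed when the key is missing on the intermediate or final branch. `ws_gate` and `ENFORCED_BRANCHES` are hypothetical names; `TRAVIS_PULL_REQUEST` and `TRAVIS_BRANCH` are Travis CI's own environment variables, and `WHITESOURCE_API_KEY` is the variable used earlier on this page.

```shell
#!/usr/bin/env bash
# Added example: decide whether the WhiteSource step runs, is skipped, or
# breaks the build. ws_gate and ENFORCED_BRANCHES are hypothetical names.

# Assumption: branches where a missing scan must fail the build, taken from
# the intermediate and final branches named in the text above.
ENFORCED_BRANCHES="whitesource-validation master"

# Prints one of: run | skip | fail
ws_gate() {
  pull_request="${TRAVIS_PULL_REQUEST:-false}"
  branch="${TRAVIS_BRANCH:-}"

  # PR builds: the encrypted key is withheld from fork PRs, so the scan is
  # deferred until the PR lands on the intermediate branch.
  if [ "$pull_request" != "false" ]; then
    echo skip
    return 0
  fi

  # Push build with the key present: scan.
  if [ -n "${WHITESOURCE_API_KEY:-}" ]; then
    echo run
    return 0
  fi

  # Push build without the key: fail closed on enforced branches, so a lost
  # or misconfigured secret cannot silently disable policy checks there.
  for b in $ENFORCED_BRANCHES; do
    if [ "$branch" = "$b" ]; then
      echo fail
      return 0
    fi
  done
  echo skip
}

# Intended use inside a CI step (left commented so the file can be sourced):
#   case "$(ws_gate)" in
#     run)  npm install && npm run whitesource ;;
#     fail) echo "WhiteSource API key missing on enforced branch" >&2; exit 1 ;;
#     skip) echo "WhiteSource scan skipped" ;;
#   esac
```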
Foundation Parent POM (Maven)
Java projects that are using Apache Maven as the build tool can specify ssf-parent-pom as parent POM and inherit a whitesource build profile that takes care of submitting metrics at build time; other than that, the project pom.xml doesn't need any further change.
...
- -Dwhitesource.org.token - specifies the WhiteSource API Key to use, which represents the WhiteSource Foundation account; Foundation Staff can configure this field on Travis CI or any other CI environment, but cannot redistribute the key in clear text. If no parameter is specified, the value will be taken from the WHITESOURCE_TOKEN environment variable
- -Dwhitesource.product - specifies the WhiteSource product that contains the currently built project (or repository, in GitHub terms); default value is ${project.artifactId}
- -Dwhitesource.checkPolicies - whether to check the current build against WhiteSource policies; default value is true
- -Dwhitesource.failOnError - whether to trigger a BUILD ERROR if any policy violation is found; default value is true
Testing
Try to add com.github.lalyos:jfiglet:0.0.8 (GPL-3.0 license) to your pom.xml and run the mvn command again.
Travis CI configuration
```
...
script:
  ...
  # Run the scan only on push builds; PR builds are skipped
  - "if [[ $TRAVIS_PULL_REQUEST == 'false' ]]; then mvn package -Pwhitesource ; fi"
```
...
```
...
after_success:
  ...
  # Post the update only on push builds; PR builds are skipped
  - "if [[ $TRAVIS_PULL_REQUEST == 'false' ]]; then mvn whitesource:update -Pwhitesource ; fi"
```
Multiple repositories
If you're managing a (Foundation) project that uses multiple GitHub repositories, you may want to use the same WhiteSource productName across the different project build configurations, by setting a product token.
...