Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

titleUse WhiteSource Unified Agent

All the language-specific WhiteSource plugins have been deprecated in favour of the WhiteSource Unified Agent.

WhiteSource provides several integrations that can be configured in the build process in order to:


Below are listed the integrations that have been currently tested.

Table of Contents

NPM integration

The NPM integration allows to perform the tasks mentioned above for Javascript projects.

Below are listed the configuration items

Install WhiteSource npm

  • Make sure you have npm installed on commandline
  • Edit your package.json
    • add whitesource: 1.0.9, below devDependencies
    • add whitesource: node node_modules/whitesource/bin/whitesource.js run, below scripts
  • Run npm install from the root project folder


Code Block

Configure WhiteSource metrics upload

Simply add whitesource.config.json file in the project root folder, using the following configuration.


devDep enables the scanning to non-runtime packages; although the majority of license obligations affect distributed artifacts, running devDev to true (and checkPolicies to true) could be useful to spot possibly harmful licenses.


Try to add scrollreveal: 4.0.0-beta.14 (a package released under GPL-3.0 license) under dependency, in your package.json, then follow the instructions below.

Scan code for WhiteSource policy violations

Simply run

Code Block
export WHITESOURCE_API_KEY=<WhiteSource API Key>
npm install
npm run whitesource


Code Block
OK: Config file is located in: ./whitesource.config.json
OK: Running whitesource...
OK: Done calculation dependencies!
OK: Building dependencies report
INFO: Total shasum found: 97
INFO: Missing shasum: 0
INFO: Total project dependencies: 97
OK: Saving dependencies report
OK: Getting ready to post report to WhiteSource...
OK: Check Policies: Posting to :
OK: Code: 200 Message: OK
INFO: Checking Policies
OK: No policy violations. Posting update request
OK: Update: Posting to :
OK: Code: 200 Message: OK
OK: Build success! ( took: 7.394s )

Travis CI integration

The following configuration allows to embed the WhiteSource integration execution in Travis CI, allowing to monitor any commit across the branches in the current repository. The bash code (embedded in YAML format) reported below must be added to a .travis.yml file, but can also be adapted to run on other CIs.


Please note that Travis restricts access to the (encrypted) WhiteSource API Key for security reasons; as such, any Pull Request (PR) coming from other forks cannot run the WhiteSource integration. In order to enforce WhiteSource policies within the PR review mechanism, it is necessary to introduce an intermediate branch, hosted in the repository (ie. whitesource-validation), where PRs are merged - assuming they pass all other validations - before being merged to the final (ie master) branch.

Foundation Parent POM (Maven)

Java projects that are using Apache Maven as the build tool can specify ssf-parent-pom as parent POM and inherit a whitesource build profile that takes care of submitting metrics at build time; other than that, the project pom.xml doesn't need any further change.


  • - specifies the WhiteSource API Key to use, which represents the WhiteSource Foundation account; Foundation Staff can configure this field on Travis CI or any other CI environment, but cannot redistribute the key in clear test. If no parameter is specified, the value will be taken from WHITESOURCE_TOKEN environment variable
  • -Dwhitesource.product - specifies the WhiteSource product that contains the currently built project (or repository, in Github terms); default value is ${project.artifactId}
  • -Dwhitesource.checkPolicies - whether to check the current build against WhiteSource policies; default value is true
  • -Dwhitesource.failOnError - whether to trigger a BUILD ERROR if any policy violation is found; default value is true


Try to add com.github.lalyos:jfiglet:0.0.8 (GPL-3.0 license) to your pom.xml and run the mvn command again.

Travis CI configuration

Code Block
	- "if [[ $TRAVIS_PULL_REQUEST -eq 'false' ]]; then mvn package -Pwhitesource ; fi"


Code Block
	- "if [[ $TRAVIS_PULL_REQUEST -eq 'false' ]]; then mvn whitesource:update -Pwhitesource ; fi"

Multiple repositories

If you're managing a (Foundation) project that uses multiple GitHub repositories, you may want to use the same WhiteSource productName across the different project build configurations, by setting a product token.