This page is now hosted on https://odp.finos.org/docs/development-infrastructure/code-validation/whitesource
WhiteSource is used by FINOS to automate processes around responsible disclosure of security vulnerabilities; read more on /wiki/spaces/FINOS/pages/1230176257
WhiteSource runs project scanning in near-real-time: every time a new CVE is published for a library that the project uses, the project is notified of the vulnerability. Scanning can also happen:
WhiteSource provides a dedicated instance to validate and enforce security and legal compliance for all Symphony Software Foundation hosted projects.
Below are listed the main WhiteSource features that have been adopted by Foundation projects.
This page gives an introduction to the WhiteSource Dashboard (see below how to request access); to enable automated scanning, project leads can use the WhiteSource Unified Agent in their build process and configure different types of actions.
To avoid confusion, below are listed some WhiteSource concepts whose definitions differ from those used within the Foundation.
WhiteSource provides the following features to Foundation project leads/committers that have been granted access:
Legal policies are currently disabled due to the large number of false positives generated by dual-licensed libraries. We are working to improve this configuration.
Below are the WhiteSource policies that have been configured by the Foundation and are enforced across all integrated projects; every library scanned in a project is matched against the following policies, in the order reported below, until a policy matches.
Every time a policy reassigns an alert (see policies above), WhiteSource notifies a user by email that something needs attention; the pending requests can be checked under Dashboards > Requests.
WhiteSource generates a wide range of Reports and Dashboards, accessible from the main menu; below are listed the ones that have been used most frequently by Foundation projects.
Reports > Risk generates a management-level one-page summary, providing a bird's-eye view of all aspects concerning the account's open source libraries: security, quality and compliance. It can be exported to PDF and attached to the project's documentation, to give consumers peace of mind.
Reports > Due Diligence lists all libraries and licenses, allowing you to filter, drill down and spot unwanted items; it is a useful tool to perform thorough checks and validate that policies have been correctly applied.
Reports > Ignored alerts lists the alerts that have been ignored, together with their comments; this list must be periodically checked/updated by project leads and preferably kept empty.
Reports > Effective Licenses lists the licenses that have been manually defined; this list must be periodically checked/updated by project leads and preferably kept empty.
In order to access the WhiteSource dashboard, you first need to be invited by Foundation Staff; open a HELP issue or send an email to help@finos.org, with the title Request access to WhiteSource and in the description specify:
If you log in to WhiteSource for the first time and no projects have been registered yet, the dashboard will look empty; check how to configure your build in order to upload your first project metrics.