automatically identifies all the open source components and dependencies in your build by constant and automatic cross-referencing of your open source components against WhiteSource's definitive database of open source repositories.
WhiteSource provides a dedicated instance to validate and enforce security and legal compliance for all Symphony Software Foundation hosted projects.
Below are listed the main WhiteSource features that have been adopted by Foundation projects.
- Check libraries for outdated versions
- Check libraries for security vulnerabilities
- Check libraries for bugs
- Check libraries for problematic/undefined licenses
- Check libraries for release activity
- Integration with CI environments
This page gives an introduction to the WhiteSource Dashboard (see below for how to request access). To enable automated scanning, project leads can run the WhiteSource Unified Agent as part of their build process and configure different types of actions.
To avoid confusion, the following WhiteSource concepts differ from the definitions used within the Foundation:
- A Foundation repository is a Github repository hosted by the Foundation; in WhiteSource terms, this is called a project
- A Foundation project is a logical entity that includes
- one or more project leaders
- a project team
- one or more Foundation repositories; if there is only one, the project and the repository have the same name.
- In WhiteSource terms, this is called a product and can be accessed directly from the WhiteSource main menu; each WhiteSource product lists the projects it contains.
- Foundation WhiteSource dashboard - WhiteSource provides a dedicated instance for Foundation projects that can be accessed
- by all project leaders, to check and export project metrics
- by Foundation Staff, to configure Foundation WhiteSource policies
- Foundation WhiteSource policies - A collection of rules and workflows implemented in the WhiteSource dashboard by the Foundation team to enforce security and legal compliance; the details are reported below.
- Alert - The visual notification that WhiteSource shows in the main dashboard when a policy violation is found
WhiteSource provides the following features to Foundation project leads/committers that have been granted access:
- Access the WhiteSource dashboard for one or more projects
- Access WhiteSource Due Diligence and Risk reports
- Browse (and drill down) through project libraries
- Browse (and drill down) through licenses found in the project
- Check alerts and warnings triggered by policy violations
- Configure WhiteSource build plugins to upload project metrics
- Configure Travis CI (or other CI environments) to continuously
- validate code against Foundation policies enforced by WhiteSource
- fail the build, if any policy violation is found
- upload project metrics to the WhiteSource Foundation dashboard
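As an added example of the CI integration described above (not a Foundation project's actual configuration and not taken from WhiteSource documentation), the `.travis.yml` below builds the repository, runs the WhiteSource Unified Agent against it, fails the job when a Foundation policy is violated, and still uploads the inventory so the dashboard reflects the failing state. The agent download URL, the configuration key names, the `WSS_API_KEY` variable, the product/project names and the exit-code behaviour are assumptions; check the Unified Agent documentation for the version you run.

```yaml
# .travis.yml (illustrative; assumed values are marked as such)
language: java
jdk: openjdk8

env:
  global:
    # WSS_API_KEY is assumed to be defined as an encrypted Travis variable
    # (repository Settings -> Environment Variables), never committed to git.
    - WSS_PRODUCT="my-foundation-project"   # Foundation project == WhiteSource product (assumed name)
    - WSS_PROJECT="my-foundation-repo"      # Foundation repository == WhiteSource project (assumed name)

before_script:
  # Fetch the agent; the URL is an assumption, pin a version in real use.
  - curl -sSfLo wss-unified-agent.jar https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
  # Write the agent configuration. Key names are assumed:
  #   checkPolicies            evaluate the Foundation policies during the scan
  #   forceCheckAllDependencies re-check every library, not only newly added ones
  #   forceUpdate              upload the inventory even when a policy is violated
  - |
    cat > wss-unified-agent.config <<'EOF'
    checkPolicies=true
    forceCheckAllDependencies=true
    forceUpdate=true
    updateInventory=true
    EOF

script:
  # Resolve dependencies first so the agent sees the real dependency tree.
  - mvn -B -q package -DskipTests
  # The agent is assumed to exit non-zero on a policy violation; Travis marks
  # the build failed on any non-zero exit from a script step.
  - java -jar wss-unified-agent.jar
      -c wss-unified-agent.config
      -apiKey "$WSS_API_KEY"
      -product "$WSS_PRODUCT"
      -project "$WSS_PROJECT"
      -d .
```

Two caveats worth keeping in mind: Travis does not expose encrypted variables to pull-request builds coming from forks, so the scan step will fail for lack of an API key on fork PRs unless it is guarded (for example by skipping when `$WSS_API_KEY` is empty); and the scan step should run after the build resolves dependencies, otherwise transitive libraries may be missed.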
Legal policies disabled
Legal policies are currently disabled because of the large number of false positives generated by dual-licensed libraries. We are working to improve this configuration.
Below are the WhiteSource policies that have been configured by the Foundation and are enforced across all integrated projects. Every library scanned in a project is evaluated against these policies in the order reported below; the first policy that matches determines the outcome.
- [SECURITY] Reject High Security Vulnerability Severity - any library that contains high-severity CVEs is marked as Rejected.
- [SECURITY] Reject High Security Vulnerability Score - any library that contains CVEs with a score higher than 7 is marked as Rejected.
- [QUALITY] Reject High Bug Rating - any library with a high bug rating is marked as Rejected.
- [LEGAL] Licenses that require review - any library with an unknown license is marked as Rejected.
- [QUALITY] Reassign Low Version Activity - any library with a low number of released versions is Reassigned to the project lead for validation.
- [QUALITY] Reassign Stale (5 years) Library - any library without a release for more than 5 years is Reassigned to the project lead for validation.
- [LEGAL] Reject Problematic (Category X license) libraries - any library using a Category X license, as indicated in our contribution legal requirements, is marked as Rejected.