├── ToDo.md ├── .gitignore ├── .whitesource ├── Renovate ├── .gitlab-ci.yml ├── bitbucket-pipelines.yml ├── azure-pipelines.yml └── README.md ├── .github └── ISSUE_TEMPLATE │ ├── question.md │ ├── contribution-request.md │ ├── feature-request.md │ └── bug-report.md ├── SAST ├── TeamCity-mend_sast.yml ├── README.md ├── azure-pipelines-mend_sast.yml ├── bitbucket-mend_sast.yml ├── gitlab-mend_sast.yml ├── github-mend_sast.yml ├── jenkins-mend_sast.yml ├── github-mend_sast_sarif.yml └── circleci-mend_sast.yml ├── CI-CD ├── GoogleCloudBuild │ └── cloud_build_npm.yaml ├── AWSCodeBuild │ └── Buildspec ├── Jenkins │ ├── Jenkins_freestyle_maven.sh │ ├── README.md │ ├── Jenkins_pipeline_npm.groovy │ ├── Jenkins_pipeline_maven.groovy │ └── Jenkins_pipeline_maven_multi-org.groovy ├── Bamboo │ └── ws_scan.sh ├── Bitbucket │ └── bitbucket-pipelines-npm.yml ├── CodeFresh │ └── CodeFresh-NPM ├── CircleCI │ ├── circleci-pipline-mvn-scan.yaml │ └── circleci-pipeline-npm-scan ├── GitHub │ ├── github-action-swift.yml │ ├── github-action-go.yml │ ├── github-action-lua.yml │ ├── github-action-NET-nuget.yml │ ├── github-action-NET-dotnet.yml │ ├── github-action-android.yml │ └── github-action-conan.yml ├── AzureDevOps │ ├── azure-pipelines_npm.yml │ ├── azure-pipelines_maven.yml │ ├── azure-pipelines_gradle.yml │ ├── azure-pipelines_dockerscan.yml │ ├── azure-pipelines_dotnet_sbom.yml │ └── azure-pipelines_ECR Image scan.yml ├── GitLab │ ├── gitlab-pip.yml │ ├── gitlab-maven.yml │ ├── gitlab-npm.yml │ └── gitlab-maven-cached-ua.yml ├── TeamCity │ ├── teamcity-pipelines-maven.yml │ └── teamcity-pipelines-npm.yml └── README.md ├── Generic ├── UA-SCA.sh ├── UA-Docker-Image.sh └── UA-ECR-Image.sh ├── Prioritize ├── Java │ ├── Single-Module │ │ ├── Maven │ │ │ ├── gitlab-ci.yml │ │ │ ├── azure-pipelines.yml │ │ │ ├── github-action.yml │ │ │ ├── prioritize.sh │ │ │ └── github-action-workshop.yml │ │ └── Gradle │ │ │ ├── prioritize.sh │ │ │ └── github-action.yml │ └── Multi-Module │ │ ├── 
Maven │ │ ├── gitlab-ci.yml │ │ ├── azure-pipelines.yml │ │ └── github-action.yml │ │ └── Gradle │ │ └── github-action.yml ├── DotNet │ ├── Multi-Module │ │ ├── azure-pipelines_linux.yml │ │ ├── github-action_linux.yml │ │ └── azure-pipelines_windows.yml │ └── Single-Module │ │ ├── azure-pipelines_linux.yml │ │ ├── azure-pipelines_windows.yml │ │ ├── github-action_linux.yml │ │ └── azure-pipelines_linux-workshop.yml ├── JavaScript │ ├── azure-pipelines.yml │ ├── prioritize.sh │ └── github-action.yml ├── Scala │ └── SBT-Maven │ │ └── github-action.yml ├── Python │ └── github-action.yml └── README.md ├── Scripts ├── cache-ua.sh ├── check-project-state.sh ├── list-policy-violations.sh ├── ghissue-eua.sh ├── whitesource-spdx.yml ├── list-project-alerts.sh ├── prioritize-ignore.sh └── README.md ├── Repo-Integration ├── README.md ├── docker-compose.yaml └── setup.sh ├── README.md ├── whitesource.config └── LICENSE /ToDo.md: -------------------------------------------------------------------------------- 1 | # To Do List 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Excluded IDE Directories 2 | .idea/ 3 | .vs/ 4 | .vscode/ 5 | .ws/ 6 | 7 | # Excluded Local/User Directories 8 | _archive/ 9 | _misc/ 10 | local/ 11 | log/ 12 | target/ 13 | 14 | # Excluded Files - Extensions 15 | *.iml 16 | *.png 17 | *.tar.gz 18 | *.url 19 | 20 | # Excluded Files - Naming Convention 21 | local-env.* 22 | -------------------------------------------------------------------------------- /.whitesource: -------------------------------------------------------------------------------- 1 | { 2 | "scanSettings": { 3 | "configMode": "AUTO", 4 | "configExternalURL": "", 5 | "projectToken": "", 6 | "baseBranches": [] 7 | }, 8 | "checkRunSettings": { 9 | "vulnerableCheckRunConclusionLevel": "failure", 10 | "displayMode": "diff" 11 | }, 12 | "issueSettings": { 13 | 
"minSeverityLevel": "LOW" 14 | } 15 | } -------------------------------------------------------------------------------- /Renovate/.gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | include: 2 | - project: 'renovate-bot/renovate-runner' 3 | file: '/templates/renovate-dind.gitlab-ci.yml' 4 | 5 | renovate: 6 | variables: 7 | RENOVATE_EXTRA_FLAGS: --autodiscover=true --onboarding=true --autodiscover-filter=group1/* 8 | rules: 9 | - if: '$CI_PIPELINE_SOURCE == "schedule"' 10 | - if: '$CI_PIPELINE_SOURCE == "push"' 11 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Question 3 | about: General question/how-to 4 | title: "[Question] [ws-tool-name] Question Topic" 5 | labels: question 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Question** 11 | Ask your question here. Please be as specific as possible. 12 | 13 | **Environment Details** 14 | - OS: [e.g. Ubuntu 18.04] 15 | - Browser [e.g. chrome, safari] 16 | - Version [e.g. 22] 17 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/contribution-request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Contribution Request 3 | about: Discuss potential changes you wish to contribute 4 | title: "[CR] [ws-tool-name] Contribution Request Topic" 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Tool:** wss-tool-name 11 | 12 | **Planned Changes:** 13 | Describe the changes you wish to contribute, to initiate a discussion with WhiteSource-FT team. 
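
--------------------------------------------------------------------------------
/SAST/TeamCity-mend_sast.yml:
--------------------------------------------------------------------------------
# Runner Type: Command Line
# Step Name: Mend SAST Scan
# Run: Custom Script
# Environment variables should be pre-provided at the "Parameters" section
# (define SASTCLI_TOKEN as a password-type parameter so TeamCity masks it in build logs):
# SASTCLI_TOKEN
# SAST_ORGANIZATION
# SAST_SERVER

# -f: fail on an HTTP error instead of saving the error body as "mendsastcli" and
# marking it executable; -sS keeps the log quiet except for real curl errors.
curl -fsSLJO https://downloads-sast.mend.io/sast-cli/linux/mendsastcli && chmod +x mendsastcli
./mendsastcli --dir %system.teamcity.build.workingDir% --name=%system.teamcity.buildType.id% --app=%system.teamcity.projectName% --baseline=true
--------------------------------------------------------------------------------
/SAST/README.md:
--------------------------------------------------------------------------------
# Examples by CI/CD Tool
This repository contains tool-specific examples of how to scan using the [Mend SAST Command Line Client](https://docs.mend.io/bundle/mend_sast/page/command_line_client.html) within the CI/CD pipeline.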
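
* [AzureDevOps](azure-pipelines-mend_sast.yml)
* [Bitbucket](bitbucket-mend_sast.yml)
* [CircleCI](circleci-mend_sast.yml)
* [GitHub](github-mend_sast.yml)
* [GitLab](gitlab-mend_sast.yml)
* [Jenkins](jenkins-mend_sast.yml)
* [TeamCity](TeamCity-mend_sast.yml)
--------------------------------------------------------------------------------
/SAST/azure-pipelines-mend_sast.yml:
--------------------------------------------------------------------------------
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
# -f: fail on an HTTP error instead of saving the error page as "mendsastcli"
# and marking it executable.
- script: curl -fsSLJO https://downloads-sast.mend.io/sast-cli/linux/mendsastcli && chmod +x mendsastcli
  displayName: 'Downloading Mend SAST Tool'

# SAST_ORGANIZATION and SASTCLI_TOKEN must be defined as *secret* pipeline variables
# (or come from a variable group backed by Key Vault). Secret variables are not
# exposed to scripts automatically, which is why they are mapped explicitly via env:.
- script: ./mendsastcli --dir ./ --name=$(Build.Repository.Name)$(Build.SourceBranchName) --app AZ$(System.TeamProject)
  displayName: 'Run Mend SAST'
  env:
    SAST_ORGANIZATION: $(SAST_ORGANIZATION)
    SASTCLI_TOKEN: $(SASTCLI_TOKEN)
    SAST_SERVER: https://saas.mend.io/sast/
--------------------------------------------------------------------------------
/CI-CD/GoogleCloudBuild/cloud_build_npm.yaml:
--------------------------------------------------------------------------------
steps:
- name: 'gcr.io/cloud-builders/npm'
  args: ['install']

# -f: fail the step on an HTTP error instead of saving an error page as the jar.
- name: 'gcr.io/cloud-builders/curl'
  args: ['-f', '-J', '-L', '-O', 'https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar']

# The WhiteSource API key and user key are read from Secret Manager at build time and
# injected through secretEnv. Do not paste them into this file or pass them as
# substitutions: the build config and its substitution values are recorded in build
# history/logs, and '$APIKEY' is not even a valid user substitution (those must start
# with '_'), so the original step would have failed validation.
- name: 'docker.io/openjdk'
  secretEnv: ['WS_APIKEY', 'WS_USERKEY']
  env:
  - 'WS_WSS_URL=https://saas.whitesourcesoftware.com/agent'
  - 'WS_PRODUCTNAME=$PROJECT_ID'
  - 'WS_PROJECTNAME=$BUILD_ID'
  args: ['java','-jar','wss-unified-agent.jar']

# Create the two secrets in Secret Manager (names below are examples; replace
# PROJECT_ID) and grant the Cloud Build service account secretmanager.secretAccessor.
availableSecrets:
  secretManager:
  - versionName: projects/PROJECT_ID/secrets/ws-apikey/versions/latest
    env: 'WS_APIKEY'
  - versionName: projects/PROJECT_ID/secrets/ws-userkey/versions/latest
    env: 'WS_USERKEY'
--------------------------------------------------------------------------------
/CI-CD/AWSCodeBuild/Buildspec:
--------------------------------------------------------------------------------
version: 0.2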
2 | 3 | env: 4 | shell: bash 5 | variables: 6 | WS_WSS_URL: "https://saas.whitesourcesoftware.com/agent" 7 | secrets-manager: # for more information: https://aws.amazon.com/about-aws/whats-new/2019/11/aws-codebuild-adds-support-for-aws-secrets-manager/ 8 | WS_APIKEY: "SecretName:Value" 9 | 10 | phases: 11 | build: 12 | commands: 13 | - export WS_PRODUCTNAME=AWS_$AWS_REGION-$CODEBUILD_INITIATOR 14 | - export WS_PROJECTNAME=$CODEBUILD_BUILD_ID 15 | - curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 16 | - java -jar wss-unified-agent.jar 17 | -------------------------------------------------------------------------------- /SAST/bitbucket-mend_sast.yml: -------------------------------------------------------------------------------- 1 | # All environment variables are defined per: https://support.atlassian.com/bitbucket-cloud/docs/variables-and-secrets/#User-defined-variables 2 | # The required parameters are: 3 | # SASTCLI_TOKEN 4 | # SAST_ORGANIZATION 5 | # SAST_SERVER 6 | 7 | image: atlassian/default-image:3 8 | 9 | pipelines: 10 | default: 11 | - step: 12 | name: 'Mend SAST Scan' 13 | script: 14 | - curl -LJO https://downloads-sast.mend.io/sast-cli/linux/mendsastcli && chmod +x mendsastcli 15 | - ./mendsastcli --dir $BITBUCKET_CLONE_DIR --name="$BITBUCKET_REPO_FULL_NAME-$BITBUCKET_BRANCH" --app=$BITBUCKET_REPO_FULL_NAME --baseline=true -------------------------------------------------------------------------------- /SAST/gitlab-mend_sast.yml: -------------------------------------------------------------------------------- 1 | # add SAST_ORGANIZATION and SASTCLI_TOKEN as an environment variable - https://gitlab.com/help/ci/variables/README 2 | default: 3 | image: ubuntu:latest 4 | 5 | stages: 6 | - scan 7 | 8 | ws_scan: 9 | stage: scan 10 | variables: 11 | SAST_ORGANIZATION: $SAST_ORGANIZATION 12 | SASTCLI_TOKEN: $SASTCLI_TOKEN 13 | SAST_SERVER: "https://saas.mend.io/sast/" 14 | script: 15 | - echo "Downloading Mend SAST Tool" 16 | - curl -LJO 
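https://downloads-sast.mend.io/sast-cli/linux/mendsastcli && chmod +x mendsastcli
    - echo "Run Mend SAST"
    # Braces are required: "$CI_PROJECT_NAME_$CI_COMMIT_BRANCH" is parsed by the shell as
    # the (undefined) variable CI_PROJECT_NAME_ followed by the branch, so the project
    # name was silently dropped from --name.
    - ./mendsastcli --dir ./ --name="${CI_PROJECT_NAME}_${CI_COMMIT_BRANCH}" --app="$CI_PROJECT_NAME"
--------------------------------------------------------------------------------
/CI-CD/Jenkins/Jenkins_freestyle_maven.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Jenkins freestyle build step: download the WhiteSource Unified Agent (unless already
# present in the workspace), verify it against the published SHA-256, then run the scan.
# Any download or verification failure aborts the step with a non-zero status.
set -eo pipefail

echo "Downloading WS"
if ! [ -f ./wss-unified-agent.jar ]; then
  curl -fSL -R -JO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
  # The published .sha256 is compared verbatim against `sha256sum` output, so it is
  # presumably in the same "<hash>  wss-unified-agent.jar" format -- confirm if this check
  # ever fails on a freshly published release.
  if [[ "$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]]; then
    echo "Integrity Check Failed"
    rm -f ./wss-unified-agent.jar   # do not leave an unverified jar for the next build to reuse
    exit 1                          # 'exit -7' is not a valid status (it wraps to 249)
  fi
fi
# NOTE(review): a jar already present in the workspace is reused without re-verification.
# On shared or long-lived workspaces, clean it first or verify on every run.
echo "Exceute WS"
export WS_APIKEY=${APIKEY} #Taken from Jenkins Global Environment Variables
export WS_USERKEY=${USERKEY} #Taken from Jenkins Global Environment Variables
export WS_WSS_URL="https://saas.whitesourcesoftware.com/agent"
export WS_PRODUCTNAME=Jenkins
export WS_PROJECTNAME=${JOB_NAME}
java -jar wss-unified-agent.jar
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature-request.md:
--------------------------------------------------------------------------------
---
name: Feature Request
about: Suggest an idea for this project
title: "[FR] [ws-tool-name] Feature Short Description"
labels: feature request
assignees: ''

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.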
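
**Additional context**
Add any other context or screenshots about the feature request here.
--------------------------------------------------------------------------------
/Generic/UA-SCA.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Generic example for scanning for dependencies with the WhiteSource Unified Agent
#
# Fill the WS_* values from your CI secret store or the environment; never commit real
# API/user keys into this file. The script exits non-zero if the download or the checksum
# verification fails, so a pipeline step cannot go green on an unverified agent
# (the original printed "Integrity Check Failed" and still exited 0).
set -eo pipefail

export WS_APIKEY=
export WS_USERKEY=
export WS_PRODUCTNAME=
export WS_PROJECTNAME=
export WS_WSS_URL=https://saas.whitesourcesoftware.com/agent
curl -fsSLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
echo Unified Agent downloaded successfully
if [[ "$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then
  echo "Integrity Check Failed"
  rm -f wss-unified-agent.jar   # never leave an unverified jar behind
  exit 1
fi
echo "Integrity Check Passed"
echo Starting WhiteSource Scan
java -jar wss-unified-agent.jar
--------------------------------------------------------------------------------
/SAST/github-mend_sast.yml:
--------------------------------------------------------------------------------
name: SAST

on:
  push:
    branches: [ main ]

# Least privilege for GITHUB_TOKEN: this workflow only needs to read the repository.
permissions:
  contents: read

jobs:
  mend-sast:
    name: Mend-SAST
    runs-on: ubuntu-latest
    env:
      SAST_ORGANIZATION: ${{secrets.SAST_ORGANIZATION}}
      SASTCLI_TOKEN: ${{secrets.SASTCLI_TOKEN}}
      SAST_SERVER: https://saas.mend.io/sast/
    steps:
      - name: Checkout repository
        # v2 runs on a Node runtime GitHub has deprecated. Prefer pinning actions to a
        # full commit SHA (actions/checkout@<sha> # v4.x) over a mutable tag.
        uses: actions/checkout@v4
      # Download CLI (-f: fail on HTTP errors instead of saving an error page as the binary)
      - name: Download CLI
        run: curl -fsSLJO https://downloads-sast.mend.io/sast-cli/linux/mendsastcli && chmod +x mendsastcli
      # Run CLI. Context values are passed through env rather than interpolated into the
      # shell line, so a ref name containing shell metacharacters cannot inject commands.
      - name: Run Mend-SAST
        env:
          REPO_NAME: ${{ github.event.repository.name }}
          REF_NAME: ${{ github.ref_name }}
        run: ./mendsastcli --dir ./ --name="${REPO_NAME}-${REF_NAME}-${GITHUB_SHA}" --app="${REPO_NAME}" --baseline=true
--------------------------------------------------------------------------------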
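/CI-CD/Bamboo/ws_scan.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Variables are taken from the job Variables List
# For Example:
# WS_PRODUCTNAME = ${bamboo.planKey}
# WS_PROJECTNAME = ${bamboo.buildPlanName}
# WS_WSS_URL = https://saas.whitesourcesoftware.com/agent
# WS_APIKEY = {MASKED_APIKEY}
# WS_USERKEY = {MASKED_USERKEY}
# (name the key variables with a "password"/"secret" suffix so Bamboo masks them in logs)
set -eo pipefail

# Download Unified Agent (-f: fail on HTTP errors instead of saving an error page as the jar)
echo Downloading WhiteSource Unified Agent
curl -fsSLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
if [[ "$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then
  echo "Integrity Check Failed"
  rm -f wss-unified-agent.jar
  exit 1
fi
echo "Integrity Check Passed"

# Scan with Unified Agent -- exactly once, and only after the checksum matched.
# The original ran the jar inside the "passed" branch and then a second time
# unconditionally, which executed an unverified jar whenever the check failed.
echo "Starting WhiteSource Scan"
java -jar wss-unified-agent.jar
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug-report.md:
--------------------------------------------------------------------------------
---
name: Bug Report
about: Create a report to help us improve
title: "[BUG] [ws-tool-name] Issue Short Description"
labels: bug
assignees: ''

---

**Bug Description**
A clear and concise description of what the bug is.

**Steps to Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

**Expected Behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Environment Details**
- OS: [e.g. Ubuntu 18.04]
- Browser [e.g. chrome, safari]
- Version [e.g. 22]

**Additional Context**
Add any other context about the problem here.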
33 | -------------------------------------------------------------------------------- /CI-CD/Bitbucket/bitbucket-pipelines-npm.yml: -------------------------------------------------------------------------------- 1 | image: atlassian/default-image:latest 2 | 3 | pipelines: 4 | default: 5 | - step: 6 | name: NPM Build 7 | caches: 8 | - node 9 | script: 10 | - npm install 11 | 12 | - step: 13 | name: "Run WhiteSource Scan" 14 | script: 15 | - echo "Downloading unified agent" 16 | - curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 17 | - export WS_APIKEY=$APIKEY #add as a variable to the pipeline 18 | - export WS_USERKEY=$USERKEY #add as a variable to the pipeline 19 | - export WS_WSS_URL=https://saas.whitesourcesoftware.com/agent 20 | - export WS_PRODUCTNAME=$BITBUCKET_REPO_SLUG 21 | - export WS_PROJECTNAME=$BITBUCKET_BRANCH 22 | - echo "Running Whitesouce" 23 | - java -jar wss-unified-agent.jar 24 | -------------------------------------------------------------------------------- /CI-CD/CodeFresh/CodeFresh-NPM: -------------------------------------------------------------------------------- 1 | # More examples of Codefresh YAML can be found at 2 | # https://codefresh.io/docs/docs/yaml-examples/examples/ 3 | # Before Running pipeline, make sure your add WS_APIKEY and WS_WSS_URL as pipeline variables 4 | 5 | version: "1.0" 6 | stages: 7 | - "WhiteSource" 8 | 9 | steps: 10 | Freestyle: 11 | title: WhiteSource-E2E 12 | type: freestyle 13 | stage: "WhiteSource" 14 | working_directory: "${{CF_BRANCH}}" 15 | arguments: 16 | image: 'quay.io/codefreshplugins/alpine:3.8' 17 | commands: 18 | - apk update 19 | - apk add openjdk8 curl npm git 20 | - git clone https://github.com/some/repo 21 | - cd repo 22 | - curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 23 | - npm install 24 | - export WS_PRODUCTNAME=CodeFresh 25 | - export WS_PROJECTNAME=$CF_BRANCH 26 | - java -jar wss-unified-agent.jar 
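--------------------------------------------------------------------------------
/Renovate/bitbucket-pipelines.yml:
--------------------------------------------------------------------------------
# add github_com_token & renovate_password as *secured* repository/workspace variables
# so Bitbucket masks them in logs. RENOVATE_PASSWORD grants write access to the repo:
# consider pinning renovate/renovate to a specific version tag or digest rather than
# the mutable default tag.
image: atlassian/default-image:2

pipelines:
  default:
    - parallel:
        - step:
            name: 'Renovate'
            script:
              - export RENOVATE_ENDPOINT='https://api.bitbucket.org/'
              - export RENOVATE_PLATFORM='bitbucket'
              - export RENOVATE_REPOSITORIES=$BITBUCKET_REPO_FULL_NAME
              - export RENOVATE_USERNAME=$BITBUCKET_WORKSPACE
              - export RENOVATE_CONFIG='{"onboardingConfig":{"extends":["github>whitesource/merge-confidence:beta","config:base"]}}'
              # Pass the secrets through by name (-e VAR) instead of expanding their
              # values onto the docker command line, where they would appear in the
              # pipeline's command echo and in the process list.
              - export GITHUB_COM_TOKEN RENOVATE_PASSWORD
              - docker run --rm -e GITHUB_COM_TOKEN -e RENOVATE_USERNAME -e RENOVATE_PASSWORD -e RENOVATE_CONFIG -e RENOVATE_ENDPOINT -e RENOVATE_PLATFORM -e RENOVATE_REPOSITORIES renovate/renovate
            services:
              - docker
--------------------------------------------------------------------------------
/SAST/jenkins-mend_sast.yml:
--------------------------------------------------------------------------------
pipeline {
    agent any

    environment {
        SAST_ORGANIZATION = "$SAST_ORGANIZATION" //Taken from Jenkins Global Environment Variables
        SASTCLI_TOKEN = "$SASTCLI_TOKEN"        // Prefer credentials('<id>') so the token is stored in the Jenkins credential store and masked in console output
        SAST_SERVER = "https://sast.mend.io/sast" // NOTE(review): every other example in this repo uses https://saas.mend.io/sast/ -- confirm which host your tenant expects
    }


    stages {

        stage('Cloning Git') {
            steps {
                git 'https://github.com/some/gitrepo'
            }
        }


        stage('Downloading Mend SAST Tool') {
            steps {
                // -f: fail on an HTTP error instead of saving the error page as the CLI binary
                sh 'curl -fsSLJO https://downloads-sast.mend.io/sast-cli/linux/mendsastcli && chmod +x mendsastcli'
            }
        }

        stage('Run Mend SAST') {
            steps {
                // Braces are required in the --name argument: "$repo_$branch" is parsed by
                // the shell as the undefined variable "repo_" followed by "$branch", so the
                // repository name was silently dropped from the scan name.
                sh '''
                    repo=$(basename -s .git "$(git config --get remote.origin.url)")
                    branch=$(git branch --show-current)
                    ./mendsastcli --dir ./ --name="${repo}_${branch}" --app="$repo"
                '''
            }
        }
    }
}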
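--------------------------------------------------------------------------------
/CI-CD/CircleCI/circleci-pipline-mvn-scan.yaml:
--------------------------------------------------------------------------------
version: 2
executorType: machine
jobs:
  build-and-scan:
    docker:
      - image: circleci/openjdk:8u171-jdk
    working_directory: ~/repo
    environment:
      MAVEN_OPTS: -Xmx3200m
    steps:
      - checkout
      - run:
          name: maven install
          command: mvn clean install -DskipTests
      # Execute WhiteSource scan, curling the latest unified agent. Remember to set environment variables (api key, url, project name and product name, they need to be upper case too)
      # WS_APIKEY
      # WS_WSS_URL
      # WS_PRODUCTNAME
      # WS_PROJECTNAME
      # Set WS_APIKEY as a project environment variable or in a context -- never under
      # `environment:` in this file, which is committed plain text.
      - run:
          name: Download WhiteSource
          # The original `bash <(curl -LJO ...)` only worked by accident: curl -O writes
          # the jar to disk and prints nothing, so bash executed an empty script.
          # Download directly, fail on HTTP errors, and verify the published SHA-256
          # before the jar is ever executed (matching the other examples in this repo).
          command: |
            curl -fsSLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
            if [[ "$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]]; then
              echo "Integrity Check Failed"
              exit 1
            fi
            echo "Integrity Check Passed"
      - run:
          name: Run WhiteSource
          command: java -jar wss-unified-agent.jar
workflows:
  version: 2
  WS-scan:
    jobs:
      - build-and-scan

--------------------------------------------------------------------------------
/CI-CD/Jenkins/README.md:
--------------------------------------------------------------------------------
# Introduction
Planning and implementing source code branching is a complex topic. When done properly, it’s easy to manage, otherwise it can be a nightmare. The same applies to how you manage your Mend organizations. With proper planning and implementation, finding results and knowing what you have in production can be easy.

## Multi-Organizational Pipeline or (multi-org)

### Pipeline Integration Notes
Two options to store the “key” information

* Global Properties
* Local Pipeline script in the “environment” section

** The examples shown use the global properties.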
Make sure you create the following keys and populate their values: 13 | * APIKEY (Integration -> Organization APIKEY from your production organization) 14 | * DEV_APIKEY (Integration -> Organization APIKEY from your development organization) 15 | * USERKEY (User Profile -> User Keys section from your production organization) 16 | * DEV_USERKEY (User Profile -> User Keys section from your development organization) 17 | * WSURL (https://<WhiteSource URL>/agent) 18 | -------------------------------------------------------------------------------- /Prioritize/Java/Single-Module/Maven/gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | # add APIKEY as an environment variable - https://gitlab.com/help/ci/variables/README 2 | image: maven:3.8-openjdk-8 3 | build: 4 | stage: build 5 | only: 6 | - merge_requests 7 | script: | 8 | mvn clean install -DskipTests=true 9 | echo build completed successfully 10 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 11 | echo Unified Agent downloaded successfully 12 | WARFILE=$(find ./ -type f -wholename "*/target/*.war") 13 | echo $WARFILE will be added to appPath 14 | export WS_APIKEY=$APIKEY 15 | export WS_USERKEY=$USERKEY 16 | export WS_WSS_URL=https://saas.whitesourcesoftware.com/agent 17 | export WS_ENABLEIMPACTANALYSIS=true 18 | export WS_RESOLVEALLDEPENDENCIES=false 19 | export WS_MAVEN_RESOLVEDEPENDENCIES=true 20 | export WS_MAVEN_AGGREGATEMODULES=true 21 | export WS_FILESYSTEMSCAN=false 22 | export WS_PRODUCTNAME=GL_$CI_PROJECT_DIR 23 | export WS_PROJECTNAME=$CI_COMMIT_BRANCH-Prioritize 24 | java -jar wss-unified-agent.jar -appPath $WARFILE -d ./ -------------------------------------------------------------------------------- /Renovate/azure-pipelines.yml: -------------------------------------------------------------------------------- 1 | # Add GITHUB_COM_TOKEN & RENOVATE_TOKEN as environment variables 2 | # Configure the RENOVATE_ENDPOINT to match your 
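ADO organization
# Mark GITHUB_COM_TOKEN and RENOVATE_TOKEN as secret variables; they are mapped into the
# script's environment below rather than macro-expanded into the script body.

trigger:
- master

pool:
  vmImage: ubuntu-latest

steps:
- task: WhiteSource@21
  inputs:
    cwd: '$(System.DefaultWorkingDirectory)'
    projectName: '$(Build.Repository.Name)_$(Build.SourceBranchName)_ADOplugin'
    configuration: 'productName=ADO_$(System.TeamProject)'
  displayName: 'WS-Scan'

- script: |
    export RENOVATE_ENDPOINT='https://dev.azure.com/'
    export RENOVATE_PLATFORM='azure'
    export RENOVATE_REPOSITORIES='$(System.TeamProject)/$(Build.Repository.Name)'
    export RENOVATE_CONFIG='{"onboardingConfig":{"extends":["github>whitesource/merge-confidence:beta","config:base"]}}'
    # Secrets are passed through by name (-e VAR) so their values never appear on the
    # docker command line or in the step's command echo.
    docker run --rm -e GITHUB_COM_TOKEN -e RENOVATE_TOKEN -e RENOVATE_CONFIG -e RENOVATE_ENDPOINT -e RENOVATE_PLATFORM -e RENOVATE_REPOSITORIES renovate/renovate
  env:
    GITHUB_COM_TOKEN: $(GITHUB_COM_TOKEN)
    RENOVATE_TOKEN: $(RENOVATE_TOKEN)
  displayName: 'Renovate'
--------------------------------------------------------------------------------
/SAST/github-mend_sast_sarif.yml:
--------------------------------------------------------------------------------
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main* ]

jobs:
  mend-sast:
    name: Mend-SAST
    runs-on: ubuntu-latest
    # upload-sarif needs security-events: write; without an explicit permissions block
    # the upload fails on repositories whose default GITHUB_TOKEN is read-only.
    # actions: read is additionally required on private repositories.
    permissions:
      contents: read
      security-events: write
      actions: read
    env:
      SAST_ORGANIZATION: ${{secrets.SAST_ORGANIZATION}}
      SASTCLI_TOKEN: ${{secrets.SASTCLI_TOKEN}}
      SAST_SERVER: https://saas.mend.io/sast/
    steps:
      - name: Checkout repository
        # v2 runs on a Node runtime GitHub has deprecated; prefer pinning to a commit SHA.
        uses: actions/checkout@v4
      # Download CLI (-f: fail on HTTP errors instead of saving an error page as the binary)
      - name: Download CLI
        run: curl -fsSLJO https://downloads-sast.mend.io/sast-cli/linux/mendsastcli && chmod +x mendsastcli
      # Run CLI. Context values go through env rather than being interpolated into the
      # shell line, so a ref name with shell metacharacters cannot inject commands.
      # NOTE(review): pull requests from forks do not receive repository secrets, so the
      # scan step will fail for those events -- restrict the trigger or guard the job.
      - name: Run Mend-SAST
        env:
          REPO_NAME: ${{ github.event.repository.name }}
          REF_NAME: ${{ github.ref_name }}
        run: ./mendsastcli --dir ./ --name="${REPO_NAME}-${REF_NAME}-${GITHUB_SHA}" --app="${REPO_NAME}" --baseline=true --report=true --formats sarif --filename Mend_SAST
      # Upload Mend Results to Github Security
      - name: Github Security Results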
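Upload
        # v2 of the CodeQL actions runs on a deprecated Node runtime; prefer pinning to a commit SHA.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "Mend_SAST.sarif"
--------------------------------------------------------------------------------
/Scripts/cache-ua.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Refresh a locally cached WhiteSource Unified Agent jar when a newer GitHub release
# exists. The candidate is downloaded to a temp file and only moved into the cache after
# its published SHA-256 matches, so a failed or tampered download never replaces a
# known-good jar. (The original downloaded into the current directory and never
# updated $UADir at all, and exited 0 after a failed integrity check.)
#
# Prerequisites:
#   apt install jq curl

UADir="/path/to/existing/wss-unified-agent/"
UAJar="${UADir%/}/wss-unified-agent.jar"

res="$(curl -fsS -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/whitesource/unified-agent-distribution/releases")"
latestRelease="$(echo "$res" | jq -s '.[] | sort_by(.published_at) | last')"

latestVer="$(echo "$latestRelease" | jq -rs '.[] | .tag_name')"
latestVerDate="$(date -d "$(echo "$latestRelease" | jq -rs '.[] | .published_at')" +%s)"
# A missing cached jar counts as epoch 0 so the first run always downloads.
curVerDate="$(stat -c %Y "$UAJar" 2>/dev/null || echo 0)"

if [ "$latestVerDate" -gt "$curVerDate" ] ; then
  echo "Downloading the latest version ($latestVer)"
  tmpJar="$(mktemp)"
  curl -fsSL -o "$tmpJar" https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
  # Compare only the hash field: the temp file's name differs from the one recorded in
  # the published .sha256 line.
  expected="$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | awk '{print $1}')"
  actual="$(sha256sum "$tmpJar" | awk '{print $1}')"
  if [ -z "$expected" ] || [ "$expected" != "$actual" ] ; then
    echo "Integrity Check Failed"
    rm -f "$tmpJar"
    exit 1
  fi
  echo "Integrity Check Passed"
  mv "$tmpJar" "$UAJar"
  echo "Unified Agent cache updated ($latestVer)"
else
  echo "No newer versions"
fi
--------------------------------------------------------------------------------
/CI-CD/GitHub/github-action-swift.yml:
--------------------------------------------------------------------------------
name: Whitesource Unified Agent Scan - Swift

on:
  push:
    branches: [ main ]

# Least privilege for GITHUB_TOKEN: the scan only reads the checkout.
permissions:
  contents: read

jobs:
  build:

    runs-on: macos-latest

    steps:
      # v2 runs on a deprecated Node runtime; prefer pinning to a full commit SHA.
      - uses: actions/checkout@v4
      - name: Build
        run: swift build -v
      - name: WhiteSource Unified Agent Scan
        env:
          WS_APIKEY: ${{secrets.APIKEY}}
          WS_USERKEY: ${{secrets.USERKEY}}
          WS_WSS_URL: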
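https://saas.whitesourcesoftware.com/agent
          WS_PRODUCTNAME: GH_${{github.event.repository.name}}
          WS_PROJECTNAME: ${{github.ref}}_ghaction
        # Fails the job (exit 1) when the download or the checksum does not verify; the
        # original only echoed "Integrity Check Failed" and let the job pass.
        # NOTE(review): sha256sum is GNU coreutils; on a macOS runner without coreutils
        # use `shasum -a 256` -- confirm against the runner image in use.
        run: |
          set -eo pipefail
          echo Downloading WhiteSource Unified Agent
          curl -fsSLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
          if [[ "$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then
            echo "Integrity Check Failed"
            exit 1
          fi
          echo "Integrity Check Passed"
          echo Starting WhiteSource Scan
          java -jar wss-unified-agent.jar
--------------------------------------------------------------------------------
/CI-CD/AzureDevOps/azure-pipelines_npm.yml:
--------------------------------------------------------------------------------
name: 'whitesource-ua-azdo-npm'

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '12.x'
  displayName: 'Install Node.js'

- task: Npm@1
  displayName: 'NPM Install'
  inputs:
    customCommand: install --package-lock

# Fails the step when the download or the checksum does not verify; the original
# echoed "Integrity Check Failed" and still finished with exit status 0.
- script: |
    set -eo pipefail
    echo Downloading WhiteSource Unified Agent
    curl -fsSLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
    if [[ "$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then
      echo "Integrity Check Failed"
      exit 1
    fi
    echo "Integrity Check Passed"
    echo Starting WhiteSource Scan
    java -jar wss-unified-agent.jar
  env:
    # APIKEY / USERKEY must be secret pipeline variables; secrets are only exposed to
    # scripts through an explicit env: mapping like this one.
    WS_APIKEY: $(APIKEY)
    WS_USERKEY: $(USERKEY)
    WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
    WS_PRODUCTNAME: AZDO_$(System.TeamProject)
    WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)
  displayName: 'WhiteSource Scan'
--------------------------------------------------------------------------------
/Scripts/check-project-state.sh: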
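--------------------------------------------------------------------------------
#!/bin/bash
# Poll the WhiteSource API until the last Unified Agent upload for this project has been
# processed. Exits 0 once the state is UPDATE/FINISH/DIFF, 1 on UNKNOWN/FAIL, and 1 when
# the poll budget is exhausted (the original looped forever when the API returned an
# unexpected or empty state, e.g. after a transient network error).
# Prerequisites:
#   apt install jq
#   WS_GENERATEPROJECTDETAILSJSON: true   (produces ./whitesource/scanProjectDetails.json)
#   WS_USERKEY
#   WS_WSS_URL
# Optional: WS_STATE_MAX_ATTEMPTS (default 60, ~10 minutes at 10s per attempt)

WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json)
WS_URL=$(echo "$WS_WSS_URL" | awk -F "/agent" '{print $1}')

max_attempts=${WS_STATE_MAX_ATTEMPTS:-60}
sleep_seconds=10

# The request body (which carries the user key) is fed to curl on stdin rather than
# placed on the command line, so the key does not show up in process listings.
payload=$(printf '{"requestType":"getProjectState","userKey":"%s","projectToken":"%s"}' "$WS_USERKEY" "$WS_PROJECTTOKEN")

for ((attempt = 1; attempt <= max_attempts; attempt++)); do
  new_status=$(printf '%s' "$payload" | curl -fsS -X POST -H "Content-Type: application/json" -d @- "$WS_URL/api/v1.3" | jq -r '.projectState.lastProcess')
  case "$new_status" in
    UPDATE|FINISH|DIFF)
      echo "Project information has been uploaded successfully!"
      exit 0
      ;;
    UNKNOWN|FAIL)
      echo "Scan failed to upload...exiting program"
      exit 1
      ;;
    *)
      # Includes an empty/"null" status from a failed request; retry until the budget runs out.
      echo "Scan is still processing..."
      sleep "$sleep_seconds"
      ;;
  esac
done

echo "Timed out after $max_attempts attempts waiting for the scan to be processed...exiting program"
exit 1
--------------------------------------------------------------------------------
/SAST/circleci-mend_sast.yml:
--------------------------------------------------------------------------------
# Use the latest 2.1 version of CircleCI pipeline process engine. See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1
# Use a package of configuration called an orb.
orbs:
  node: circleci/node@4.7.0
jobs:
  example-mend-sast-job:
    docker:
      # prebuilt image with java
      - image: cimg/openjdk:16.0.2
    steps:
      - checkout
      # execute Mend scan, curling the latest CLI.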
Remeber to set environmental variables (SAST Organization, SAST CLI Token, and SAST Server) 14 | - run: 15 | name: Download Mend SAST CLI 16 | command: bash <(curl -LJO https://downloads-sast.mend.io/sast-cli/linux/mendsastcli && chmod +x mendsastcli) 17 | - run: 18 | name: Run Mend SAST 19 | # command: ls src/main 20 | command: ./mendsastcli --dir ./ --app=circleci --baseline=true 21 | environment: 22 | SAST_ORGANIZATION: sast_organization_secret 23 | SASTCLI_TOKEN: sast_cli_secret 24 | SAST_SERVER: https://saas.mend.io/sast/ 25 | workflows: 26 | example-workflow: 27 | jobs: 28 | - example-mend-sast-job 29 | -------------------------------------------------------------------------------- /CI-CD/CircleCI/circleci-pipeline-npm-scan: -------------------------------------------------------------------------------- 1 | # Use the latest 2.1 version of CircleCI pipeline process engine. See: https://circleci.com/docs/2.0/configuration-reference 2 | version: 2.1 3 | # Use a package of configuration called an orb. 4 | orbs: 5 | node: circleci/node@4.7.0 6 | jobs: 7 | example-whitesource-job: 8 | docker: 9 | # prebuilt image with java 10 | - image: cimg/openjdk:16.0.2 11 | steps: 12 | # checkout git 13 | - checkout 14 | # install node/npm 15 | - node/install 16 | # npm install packages 17 | - node/install-packages 18 | # execute WhiteSource scan, curling the latest unified agent. 
Remeber to set environmental variables (api key, url, project name and product name) 19 | # WS_APIKEY 20 | # WS_WSS_URL 21 | # WS_PRODUCTNAME 22 | # WS_PROJECTNAME 23 | - run: 24 | name: Download WhiteSource 25 | command: bash <(curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar) 26 | - run: 27 | name: Run WhiteSource 28 | command: java -jar wss-unified-agent.jar 29 | workflows: 30 | example-workflow: 31 | jobs: 32 | - example-whitesource-job 33 | -------------------------------------------------------------------------------- /Prioritize/DotNet/Multi-Module/azure-pipelines_linux.yml: -------------------------------------------------------------------------------- 1 | trigger: 2 | - release* 3 | 4 | pool: 5 | vmImage: 'ubuntu-latest' 6 | 7 | variables: 8 | group: 'WhiteSource Keys' 9 | buildConfiguration: 'Release' 10 | 11 | steps: 12 | 13 | - script: ./build.sh 14 | displayName: 'Build DotNET projects' 15 | 16 | - script: | 17 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 18 | echo Unified Agent downloaded successfully 19 | curl -LJO https://raw.githubusercontent.com/whitesource-ft/xModuleAnalyzer-NET/main/xModuleAnalyzer-NET.sh 20 | echo xModuleAnalyzer-NET downloaded successfully 21 | chmod +x ./xModuleAnalyzer-NET.sh && ./xModuleAnalyzer-NET.sh 22 | env: 23 | WS_APIKEY: $(APIKEY) 24 | WS_USERKEY: $(USERKEY) 25 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 26 | WS_PRODUCTNAME: AZ_$(System.TeamProject) 27 | WS_ENABLEIMPACTANALYSIS: true 28 | WS_RESOLVEALLDEPENDENCIES: false 29 | WS_NUGET_RESOLVEDEPENDENCIES: true 30 | WS_NUGET_RUNPRESTEP: true 31 | WS_FILESYSTEMSCAN: false 32 | WS_GENERATEPROJECTDETAILSJSON: true 33 | WS_EXCLUDES: '**/build/** **/tests/**' 34 | displayName: 'Unified Agent Prioritize Scan' 35 | -------------------------------------------------------------------------------- /Repo-Integration/README.md: -------------------------------------------------------------------------------- 1 | 
![Logo](https://resources.mend.io/mend-sig/logo/mend-dark-logo-horizontal.png) 2 | 3 | [![License](https://img.shields.io/badge/License-Apache%202.0-yellowgreen.svg)](https://opensource.org/licenses/Apache-2.0) 4 | [![GitHub release](https://img.shields.io/github/release/whitesource-ft/ws-template.svg)](https://github.com/whitesource-ft/ws-template/releases/latest) 5 | # Repository Integration Automation Scripts 6 | When used, these scripts will stand up a new repository integration environment in Docker.
7 | - Remediate Server 8 | - Controller 9 | - Scanner 10 | 11 | ## Supported Operating Systems 12 | - **Linux (Bash):** CentOS, Debian, Ubuntu, RedHat 13 | 14 | ## Prerequisites 15 | - Docker, Docker Compose, jq, Git, wget, and a running SCM repository instance 16 | 17 | ## Options 18 | setup.sh accepts one of the following options: **ghe**, **gls**, **bb** 19 | 20 | Options defined:
21 | **ghe** - GitHub Enterprise
22 | **gls** - GitLab
23 | **bb** - Bitbucket On-Prem 24 | 25 | ## Execution 26 | Execution instructions: 27 | ``` 28 | git clone https://github.com/whitesource-ft/ws-examples.git && cd ws-examples/Repo-Integration 29 | export ws_key='' 30 | chmod +x ./setup.sh && ./setup.sh gls 31 | docker-compose up 32 | ``` 33 | -------------------------------------------------------------------------------- /CI-CD/GitLab/gitlab-pip.yml: -------------------------------------------------------------------------------- 1 | # add APIKEY and USERKEY as an environment variable - https://gitlab.com/help/ci/variables/README 2 | default: 3 | image: rappdw/docker-java-python 4 | 5 | stages: 6 | - build 7 | - scan 8 | 9 | pip_build: 10 | image: rappdw/docker-java-python 11 | stage: build 12 | script: "pip install -r requirements.txt" 13 | 14 | cache: 15 | key: "cache-$PIP_PKG-$CI_PIPELINE_ID" 16 | paths: 17 | - ${CI_PROJECT_DIR}/ 18 | 19 | ws_scan: 20 | stage: scan 21 | variables: 22 | WS_APIKEY: $API_KEY 23 | WS_USERKEY: $USER_KEY 24 | WS_WSS_URL: "https://saas.whitesourcesoftware.com/agent" 25 | WS_PRODUCTNAME: $CI_PROJECT_NAME 26 | WS_PROJECTNAME: $CI_COMMIT_REF_NAME 27 | script: | 28 | echo "Downloading WhiteSource Unified Agent" 29 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 30 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 31 | echo "Integrity Check Failed" 32 | else 33 | echo "Integrity Check Passed" 34 | echo Starting WhiteSource Scan 35 | java -jar wss-unified-agent.jar 36 | fi 37 | echo "WhiteSource Scan" 38 | java -jar ./wss-unified-agent.jar 39 | -------------------------------------------------------------------------------- /CI-CD/GitHub/github-action-go.yml: -------------------------------------------------------------------------------- 1 | name: Whitesource Unified Agent Scan - GO 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | 7 | 8 | jobs: 9 | 10 | build: 11 | runs-on: 
ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v2 14 | 15 | - name: Set up Go 16 | uses: actions/setup-go@v2 17 | with: 18 | go-version: 1.17 19 | 20 | - name: Build 21 | run: go build -v ./... 22 | 23 | - name: WhiteSource Unified Agent Scan 24 | env: 25 | WS_APIKEY: ${{secrets.APIKEY}} 26 | WS_USERKEY: ${{secrets.USERKEY}} 27 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 28 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 29 | WS_PROJECTNAME: ${{github.ref}}_ghaction 30 | run: | 31 | echo Downloading WhiteSource Unified Agent 32 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 33 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 34 | echo "Integrity Check Failed" 35 | else 36 | echo "Integrity Check Passed" 37 | echo Starting WhiteSource Scan 38 | java -jar wss-unified-agent.jar 39 | fi -------------------------------------------------------------------------------- /CI-CD/GitLab/gitlab-maven.yml: -------------------------------------------------------------------------------- 1 | # add APIKEY and USERKEY as an environment variable - https://gitlab.com/help/ci/variables/README 2 | default: 3 | image: maven:3.8-openjdk-11 4 | 5 | stages: 6 | - build 7 | - scan 8 | 9 | maven_build: 10 | image: maven:3.8.4-eclipse-temurin-17-alpine 11 | stage: build 12 | script: "mvn clean install -DskipTests" 13 | 14 | cache: 15 | key: "cache-$MVN_PKG-$CI_PIPELINE_ID" 16 | paths: 17 | - ${CI_PROJECT_DIR}/ 18 | 19 | ws_scan: 20 | stage: scan 21 | variables: 22 | WS_APIKEY: $API_KEY 23 | WS_USERKEY: $USER_KEY 24 | WS_MAVEN_AGGREGATEMODULES: true 25 | WS_WSS_URL: "https://saas.whitesourcesoftware.com/agent" 26 | WS_PRODUCTNAME: $CI_PROJECT_NAME 27 | WS_PROJECTNAME: $CI_COMMIT_REF_NAME 28 | script: | 29 | echo "Downloading WhiteSource Unified Agent" 30 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 31 | if [[ "$(curl -sL 
https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 32 | echo "Integrity Check Failed" 33 | else 34 | echo "Integrity Check Passed" 35 | echo Starting WhiteSource Scan 36 | java -jar wss-unified-agent.jar 37 | fi 38 | echo "WhiteSource Scan" 39 | java -jar ./wss-unified-agent.jar 40 | -------------------------------------------------------------------------------- /CI-CD/GitHub/github-action-lua.yml: -------------------------------------------------------------------------------- 1 | name: Whitesource Unified Agent Scan - LUA 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | 7 | runs-on: ubuntu-latest 8 | 9 | steps: 10 | - name: Checkout 11 | uses: actions/checkout@v2 12 | - name: Setup Lua 13 | uses: leafo/gh-actions-lua@v8 14 | with: 15 | luaVersion: 5.4.3 16 | - name: Setup Luarocks 17 | uses: leafo/gh-actions-luarocks@v4 18 | - name: LuaRocks Build 19 | run: luarocks build --tree=./ 20 | - name: WhiteSource Unified Agent Scan 21 | env: 22 | WS_APIKEY: ${{secrets.APIKEY}} 23 | WS_USERKEY: ${{secrets.USERKEY}} 24 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 25 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 26 | WS_PROJECTNAME: ${{github.ref}}_ghaction 27 | run: | 28 | echo Downloading WhiteSource Unified Agent 29 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 30 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 31 | echo "Integrity Check Failed" 32 | else 33 | echo "Integrity Check Passed" 34 | echo Starting WhiteSource Scan 35 | java -jar wss-unified-agent.jar 36 | fi -------------------------------------------------------------------------------- /CI-CD/AzureDevOps/azure-pipelines_maven.yml: -------------------------------------------------------------------------------- 1 | name: 'whitesource-ua-azdo-maven' 2 | 3 | trigger: 4 | - master 5 | 6 | pool: 7 | 
vmImage: 'ubuntu-latest' 8 | 9 | steps: 10 | - task: Maven@3 11 | inputs: 12 | mavenPomFile: 'pom.xml' 13 | goals: 'clean install' 14 | mavenOptions: -DskipTests=true 15 | publishJUnitResults: false 16 | javaHomeOption: 'JDKVersion' 17 | jdkVersionOption: '1.11' 18 | mavenVersionOption: 'Default' 19 | mavenAuthenticateFeed: false 20 | effectivePomSkip: false 21 | sonarQubeRunAnalysis: false 22 | 23 | - script: | 24 | echo Downloading WhiteSource Unified Agent 25 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 26 | 27 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 28 | echo "Integrity Check Failed" 29 | else 30 | echo "Integrity Check Passed" 31 | echo Starting WhiteSource Scan 32 | java -jar wss-unified-agent.jar 33 | fi 34 | env: 35 | WS_APIKEY: $(APIKEY) 36 | WS_USERKEY: $(USERKEY) 37 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 38 | WS_PRODUCTNAME: AZDO_$(System.TeamProject) 39 | WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName) 40 | displayName: 'WhiteSource Scan' 41 | -------------------------------------------------------------------------------- /CI-CD/AzureDevOps/azure-pipelines_gradle.yml: -------------------------------------------------------------------------------- 1 | name: 'whitesource-ua-azdo-gradle' 2 | 3 | trigger: 4 | - master 5 | 6 | pool: 7 | vmImage: ubuntu-latest 8 | 9 | steps: 10 | - task: Gradle@2 11 | inputs: 12 | workingDirectory: '' 13 | gradleWrapperFile: 'gradlew' 14 | gradleOptions: '-Xmx3072m' 15 | publishJUnitResults: false 16 | testResultsFiles: '**/TEST-*.xml' 17 | tasks: 'build' 18 | 19 | - script: | 20 | echo Downloading WhiteSource Unified Agent 21 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 22 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 23 | echo "Integrity 
Check Failed" 24 | else 25 | echo "Integrity Check Passed" 26 | echo Starting WhiteSource Scan 27 | java -jar wss-unified-agent.jar 28 | fi 29 | env: 30 | WS_APIKEY: $(APIKEY) 31 | WS_USERKEY: $(USERKEY) 32 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 33 | WS_PRODUCTNAME: AZDO_$(System.TeamProject) 34 | WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName) 35 | WS_RESOLVEALLDEPENDENCIES: false 36 | WS_FILESYSTEMSCAN: false 37 | WS_GRADLE_RESOLVEDEPENDENCIES: true 38 | WS_GRADLE_AGGREGATEMODULES: true 39 | displayName: 'WhiteSource Scan' 40 | -------------------------------------------------------------------------------- /Prioritize/Java/Multi-Module/Maven/gitlab-ci.yml: -------------------------------------------------------------------------------- 1 | # add APIKEY as an environment variable - https://gitlab.com/help/ci/variables/README 2 | image: maven:3.8-openjdk-8 3 | build: 4 | stage: build 5 | only: 6 | - merge_requests 7 | script: | 8 | mvn clean install -DskipTests=true 9 | echo build completed successfully 10 | cat < eua.config 11 | apiKey=$APIKEY 12 | userKey=$USERKEY 13 | wss.url=https://saas.whitesourcesoftware.com/agent 14 | productName=GL_$CI_PROJECT_DIR 15 | projectName=$CI_COMMIT_BRANCH-_Prioritize 16 | enableImpactAnalysis=true 17 | resolveAllDependencies=false 18 | maven.resolveDependencies=true 19 | maven.aggregateModules=true 20 | fileSystemScan=false 21 | generateProjectDetailsJson=true 22 | EOF 23 | cat eua.config 24 | echo config created successfully 25 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 26 | curl -LJO https://unified-agent.s3.amazonaws.com/xModuleAnalyzer/xModuleAnalyzer.jar 27 | echo Unified Agent downloaded successfully 28 | java -jar wss-unified-agent.jar -d $PWD -analyzeMultiModuleExclusions '**/*internal* **/*original* **/*sources.jar' -analyzeMultiModule multimodule.txt 29 | echo 'multimodule.txt contents' 30 | cat multimodule.txt 31 | java -jar xModuleAnalyzer.jar 
-xModulePath multimodule.txt -fsaJarPath ./wss-unified-agent.jar -c ./eua.config -aggregateModules true 32 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | > :no_entry: **[DEPRECATED]** 2 | > **This repository will be inaccessible starting January 9th, 2023.** 3 | > 4 | > The new repository is now active at **[https://github.com/mend-toolkit/mend-examples](https://github.com/mend-toolkit/mend-examples)**, which we encourage you to visit today. 5 | --- 6 | 7 | ![Logo](https://resources.mend.io/mend-sig/logo/mend-dark-logo-horizontal.png) 8 | 9 | [![License](https://img.shields.io/badge/License-Apache%202.0-yellowgreen.svg)](https://opensource.org/licenses/Apache-2.0) 10 | # Mend Examples 11 | This repository contains examples of different ways to scan open source component using the [Unified Agent](https://docs.mend.io/bundle/unified_agent/page/overview_of_the_unified_agent.html) 12 | 13 |
14 | 15 | If you can't find what you need, [search this repository](https://docs.github.com/en/search-github/getting-started-with-searching-on-github/about-searching-on-github) 16 | 17 |
18 | 19 | ## Example SCM Integration Configs 20 | 21 | * [.whitesource](https://github.com/whitesource-ft/ws-examples/blob/main/.whitesource) 22 | * [Unified Agent Config](https://github.com/whitesource-ft/ws-examples/blob/main/whitesource.config) - contains SCM integration default settings 23 | 24 | ## [CI-CD by Pipeline](CI-CD) 25 | 26 | ## [Generic by Use Case](Generic) 27 | 28 | ## [Prioritize Scans by Language](Prioritize) 29 | 30 | ## [Scripts](Scripts) 31 | 32 | ## [SAST](SAST) 33 | -------------------------------------------------------------------------------- /CI-CD/GitHub/github-action-NET-nuget.yml: -------------------------------------------------------------------------------- 1 | name: Whitesource Unified Agent Scan - .NET (NuGet) 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | pull_request: 7 | branches: [ develop ] 8 | 9 | 10 | jobs: 11 | 12 | build: 13 | env: 14 | BUILD_CONFIG: 'Release' 15 | SOLUTION: 'MySolution.sln' 16 | 17 | runs-on: ubuntu-latest 18 | 19 | steps: 20 | - uses: actions/checkout@v2 21 | 22 | - name: Setup NuGet 23 | uses: NuGet/setup-nuget@v1.0.5 24 | 25 | - name: Restore dependencies 26 | run: nuget restore $SOLUTION 27 | 28 | - name: WhiteSource Unified Agent Scan 29 | env: 30 | WS_APIKEY: ${{secrets.APIKEY}} 31 | WS_USERKEY: ${{secrets.USERKEY}} 32 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 33 | WS_PRODUCTNAME: ${{github.event.repository.name}} 34 | WS_PROJECTNAME: ${{github.ref}} 35 | WS_FILESYSTEMSCAN: false 36 | run: | 37 | echo Downloading WhiteSource Unified Agent 38 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 39 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 40 | echo "Integrity Check Failed" 41 | else 42 | echo "Integrity Check Passed" 43 | echo Starting WhiteSource Scan 44 | java -jar wss-unified-agent.jar 45 | fi 
-------------------------------------------------------------------------------- /Prioritize/DotNet/Single-Module/azure-pipelines_linux.yml: -------------------------------------------------------------------------------- 1 | trigger: 2 | - release* 3 | 4 | pool: 5 | vmImage: 'ubuntu-latest' 6 | 7 | variables: 8 | - Name: 'buildConfiguration' 9 | value: 'Release' 10 | 11 | steps: 12 | - script: dotnet build --configuration $(buildConfiguration) 13 | displayName: 'dotnet build $(buildConfiguration)' 14 | 15 | - script: | 16 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 17 | echo Unified Agent downloaded successfully 18 | CSPROJ=$(basename $(find ./src -type f -wholename "*.csproj" ! -wholename "*build*" ! -wholename "*test*") .csproj) 19 | DLL=$(find ./ -type f -wholename "*/bin/$(buildConfiguration)/*/$CSPROJ.dll" ! -wholename "*build*" ! -wholename "*test*") 20 | echo $DLL will be added to appPath 21 | java -jar wss-unified-agent.jar -appPath $DLL -d $PWD/src 22 | env: 23 | WS_APIKEY: $(WS_APIKEY) 24 | WS_USERKEY: $(WS_USERKEY) 25 | WS_WSS_URL: https://app.whitesourcesoftware.com/agent 26 | WS_PRODUCTNAME: AZ_$(System.TeamProject) 27 | WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize 28 | WS_ENABLEIMPACTANALYSIS: true 29 | WS_RESOLVEALLDEPENDENCIES: false 30 | WS_NUGET_RESOLVEDEPENDENCIES: true 31 | WS_NUGET_RUNPRESTEP: true 32 | WS_FILESYSTEMSCAN: false 33 | WS_GENERATEPROJECTDETAILSJSON: true 34 | WS_EXCLUDES: '**/build/** **/tests/**' 35 | displayName: 'Unified Agent Prioritize Scan' 36 | -------------------------------------------------------------------------------- /Prioritize/Java/Single-Module/Maven/azure-pipelines.yml: -------------------------------------------------------------------------------- 1 | # replace .war with .jar or .ear if needed 2 | trigger: 3 | - release* 4 | 5 | pool: 6 | vmImage: 'ubuntu-latest' 7 | 8 | steps: 9 | - task: Maven@3 10 | inputs: 11 | mavenPomFile: 'pom.xml' 12 | 
goals: 'clean install' 13 | mavenOptions: -DskipTests=true 14 | publishJUnitResults: false 15 | javaHomeOption: 'JDKVersion' 16 | jdkVersionOption: '1.11' 17 | mavenVersionOption: 'Default' 18 | mavenAuthenticateFeed: false 19 | effectivePomSkip: false 20 | sonarQubeRunAnalysis: false 21 | 22 | - script: | 23 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 24 | echo Unified Agent downloaded successfully 25 | WARFILE=$(find ./ -type f -wholename "*/target/*.war") 26 | echo $WARFILE will be added to appPath 27 | java -jar wss-unified-agent.jar -appPath $WARFILE -d ./ 28 | env: 29 | WS_APIKEY: $(APIKEY) 30 | WS_USERKEY: $(USERKEY) 31 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 32 | WS_PRODUCTNAME: AZDO_$(System.TeamProject) 33 | WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize 34 | WS_ENABLEIMPACTANALYSIS: true 35 | WS_RESOLVEALLDEPENDENCIES: false 36 | WS_MAVEN_RESOLVEDEPENDENCIES: true 37 | WS_MAVEN_AGGREGATEMODULES: true 38 | WS_FILESYSTEMSCAN: false 39 | WS_EXCLUDES: '**/build/** **/tests/**' 40 | displayName: 'Unified Agent Prioritize Scan' 41 | -------------------------------------------------------------------------------- /CI-CD/GitHub/github-action-NET-dotnet.yml: -------------------------------------------------------------------------------- 1 | name: Whitesource Unified Agent Scan - .NET (dotnet) 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | pull_request: 7 | branches: [ develop ] 8 | 9 | 10 | jobs: 11 | 12 | build: 13 | env: 14 | BUILD_CONFIG: 'Release' 15 | SOLUTION: 'MySolution.sln' 16 | 17 | runs-on: ubuntu-latest 18 | 19 | steps: 20 | - uses: actions/checkout@v2 21 | 22 | - name: Setup .NET 23 | uses: actions/setup-dotnet@v1 24 | with: 25 | dotnet-version: 5.0.x 26 | 27 | - name: Restore dependencies 28 | run: dotnet restore 29 | 30 | - name: WhiteSource Unified Agent Scan 31 | env: 32 | WS_APIKEY: ${{secrets.APIKEY}} 33 | WS_USERKEY: ${{secrets.USERKEY}} 34 | WS_WSS_URL: 
https://saas.whitesourcesoftware.com/agent 35 | WS_PRODUCTNAME: ${{github.event.repository.name}} 36 | WS_PROJECTNAME: ${{github.ref}} 37 | WS_FILESYSTEMSCAN: false 38 | run: | 39 | echo Downloading WhiteSource Unified Agent 40 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 41 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 42 | echo "Integrity Check Failed" 43 | else 44 | echo "Integrity Check Passed" 45 | echo Starting WhiteSource Scan 46 | java -jar wss-unified-agent.jar 47 | fi -------------------------------------------------------------------------------- /Repo-Integration/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "2" 2 | services: 3 | 4 | remediate: 5 | build: 6 | context: ${BASE_DIR}/latest/wss-remediate/docker 7 | image: wss-remediate:${TAG} 8 | container_name: remediate-server 9 | ports: 10 | - "8080:8080" 11 | volumes: 12 | - ${BASE_DIR}/prop.json:/etc/usr/local/whitesource/conf/prop.json 13 | environment: 14 | - LOG_LEVEL=debug 15 | logging: 16 | driver: local 17 | options: 18 | max-size: 1m 19 | max-file: "5" 20 | 21 | app: 22 | build: 23 | context: ${BASE_DIR}/latest/wss-${SCM}-app/docker 24 | image: wss-${SCM}-app:${TAG} 25 | container_name: wss-${SCM}-app 26 | ports: 27 | - "9494:9494" 28 | - "5678:5678" 29 | volumes: 30 | - ${BASE_DIR}/:/etc/usr/local/whitesource/conf/ 31 | depends_on: 32 | - remediate 33 | logging: 34 | driver: local 35 | options: 36 | max-size: 1m 37 | max-file: "5" 38 | 39 | scanner: 40 | build: 41 | context: ${BASE_DIR}/latest/wss-scanner/docker 42 | image: wss-scanner:${SCANNER} 43 | container_name: wss-scanner 44 | ports: 45 | - "9393:9393" 46 | volumes: 47 | - ${BASE_DIR}/:/etc/usr/local/whitesource/conf/ 48 | restart: always 49 | logging: 50 | driver: local 51 | options: 52 | max-size: 1m 53 | max-file: "5" 54 | 55 | networks: 56 | 
default: 57 | name: ${SCM}_bridge 58 | external: true 59 | -------------------------------------------------------------------------------- /Prioritize/DotNet/Multi-Module/github-action_linux.yml: -------------------------------------------------------------------------------- 1 | name: Whitesource Prioritize DotNET Core 2 | 3 | on: 4 | push: 5 | branches: [ release* ] 6 | pull_request: 7 | branches: [ release* ] 8 | 9 | jobs: 10 | build: 11 | 12 | runs-on: ubuntu-latest 13 | 14 | steps: 15 | - uses: actions/checkout@v2 16 | - uses: actions/setup-dotnet@v1 17 | with: 18 | dotnet-version: 3.1.402 19 | - name: Build DotNET projects 20 | run: ./build.sh 21 | - name: WhiteSource Unified Agent Scan 22 | env: 23 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} 24 | WS_APIKEY: ${{secrets.APIKEY}} 25 | WS_USERKEY: ${{secrets.USERKEY}} 26 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 27 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 28 | WS_ENABLEIMPACTANALYSIS: true 29 | WS_RESOLVEALLDEPENDENCIES: false 30 | WS_NUGET_RESOLVEDEPENDENCIES: true 31 | WS_NUGET_RUNPRESTEP: true 32 | WS_FILESYSTEMSCAN: false 33 | WS_GENERATEPROJECTDETAILSJSON: true 34 | WS_EXCLUDES: '**/build/** **/tests/**' 35 | run: | 36 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 37 | echo Unified Agent downloaded successfully 38 | curl -LJO https://raw.githubusercontent.com/whitesource-ft/xModuleAnalyzer-NET/main/xModuleAnalyzer-NET.sh 39 | echo xModuleAnalyzer-NET downloaded successfully 40 | chmod +x ./xModuleAnalyzer-NET.sh && ./xModuleAnalyzer-NET.sh 41 | -------------------------------------------------------------------------------- /Prioritize/JavaScript/azure-pipelines.yml: -------------------------------------------------------------------------------- 1 | # Node.js 2 | # Build a general Node.js project with npm. 
3 | # Add steps that analyze code, save build artifacts, deploy, and more: 4 | # https://docs.microsoft.com/azure/devops/pipelines/languages/javascript 5 | 6 | trigger: 7 | - master 8 | 9 | pool: 10 | vmImage: ubuntu-latest 11 | 12 | steps: 13 | - task: NodeTool@0 14 | inputs: 15 | versionSpec: '12.x' 16 | displayName: 'Install Node.js' 17 | 18 | - script: | 19 | npm install --only=prod 20 | displayName: 'npm install' 21 | 22 | - script: | 23 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 24 | echo Unified Agent downloaded successfully 25 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 26 | echo "Integrity Check Failed" 27 | else 28 | echo "Integrity Check Passed" 29 | echo "Starting WhiteSource Scan" 30 | fi 31 | java -jar wss-unified-agent.jar -appPath ./package.json -d ./ 32 | 33 | env: 34 | WS_APIKEY: $(APIKEY) 35 | WS_USERKEY: $(USERKEY) 36 | WS_WSS_URL: $(WSS_URL) 37 | WS_PRODUCTNAME: AZDO_$(System.TeamProject) 38 | WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize 39 | WS_ENABLEIMPACTANALYSIS: true 40 | WS_RESOLVEALLDEPENDENCIES: false 41 | WS_FILESYSTEMSCAN: false 42 | WS_NPM_RESOLVEDEPENDENCIES: true 43 | WS_NPM_RESOLVELOCKFILE: false 44 | 45 | displayName: 'Unified Agent Prioritize Scan' 46 | -------------------------------------------------------------------------------- /CI-CD/GitHub/github-action-android.yml: -------------------------------------------------------------------------------- 1 | name: Whitesource Unified Agent Scan - Android 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | 7 | jobs: 8 | build: 9 | 10 | runs-on: ubuntu-latest 11 | 12 | steps: 13 | - uses: actions/checkout@v2 14 | - name: set up JDK 8 15 | uses: actions/setup-java@v2 16 | with: 17 | java-version: '8' 18 | distribution: 'adopt' 19 | 20 | - name: Setup Android SDK 21 | uses: android-actions/setup-android@v2 22 | 23 | - name: Grant 
execute permission for gradlew 24 | run: | 25 | chmod +x gradlew 26 | echo "ANDROID_HOME:" $ANDROID_HOME 27 | - name: Build with Gradle 28 | run: ./gradlew build 29 | 30 | - name: WhiteSource Unified Agent Scan 31 | env: 32 | WS_APIKEY: ${{secrets.APIKEY}} 33 | WS_USERKEY: ${{secrets.USERKEY}} 34 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 35 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 36 | WS_PROJECTNAME: ${{github.ref}}_ghaction 37 | run: | 38 | echo Downloading WhiteSource Unified Agent 39 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 40 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 41 | echo "Integrity Check Failed" 42 | else 43 | echo "Integrity Check Passed" 44 | echo Starting WhiteSource Scan 45 | java -jar wss-unified-agent.jar 46 | fi 47 | -------------------------------------------------------------------------------- /Prioritize/JavaScript/prioritize.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #### Prerequisite commands & installs 4 | # apt-get update 5 | # apt-get install -y curl git openjdk-8-jdk nano 6 | 7 | #### Install Nodejs 8 | # curl -fsSL https://deb.nodesource.com/setup_12.x | bash - 9 | # apt-get install -y nodejs 10 | 11 | #### Clone your repo & run script 12 | # git clone && cd ./ 13 | # chmod +x ./prioritize.sh 14 | # ./prioritize.sh 15 | 16 | #### Build application & check JAVA_HOME 17 | echo JAVA_HOME: $JAVA_HOME 18 | npm install --only=prod 19 | 20 | #### Run WS Prioritize 21 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 22 | echo Unified Agent downloaded successfully 23 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 24 | echo "Integrity Check Failed" 25 | else 26 | echo "Integrity Check Passed" 27 | echo 
"Starting WhiteSource Scan" 28 | fi 29 | export WS_APIKEY= 30 | export WS_USERKEY= 31 | export WS_WSS_URL=https://saas.whitesourcesoftware.com/agent 32 | export WS_ENABLEIMPACTANALYSIS=true 33 | export WS_RESOLVEALLDEPENDENCIES=false 34 | export WS_NPM_RESOLVEDEPENDENCIES=true 35 | export WS_NPM_RESOLVELOCKFILE=false 36 | export WS_FILESYSTEMSCAN=false 37 | export WS_PRODUCTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $4}') 38 | export WS_PROJECTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $5}' | awk -F "." '{print $1}')-Prioritize 39 | java -jar wss-unified-agent.jar -appPath ./package.json -d ./ 40 | -------------------------------------------------------------------------------- /Prioritize/Java/Multi-Module/Maven/azure-pipelines.yml: -------------------------------------------------------------------------------- 1 | trigger: 2 | - release* 3 | 4 | pool: 5 | vmImage: 'ubuntu-latest' 6 | 7 | steps: 8 | - task: Maven@3 9 | inputs: 10 | mavenPomFile: 'pom.xml' 11 | goals: 'clean install' 12 | mavenOptions: -DskipTests=true 13 | publishJUnitResults: false 14 | javaHomeOption: 'JDKVersion' 15 | jdkVersionOption: '1.11' 16 | mavenVersionOption: 'Default' 17 | mavenAuthenticateFeed: false 18 | effectivePomSkip: false 19 | sonarQubeRunAnalysis: false 20 | - task: CmdLine@2 21 | inputs: 22 | script: | 23 | cat < eua.config 24 | apiKey=$(APIKEY) 25 | userKey=$(USERKEY) 26 | wss.url=https://saas.whitesourcesoftware.com/agent 27 | productName=$(System.TeamProject) 28 | projectName=$(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize 29 | enableImpactAnalysis=true 30 | resolveAllDependencies=false 31 | maven.resolveDependencies=true 32 | maven.aggregateModules=true 33 | fileSystemScan=false 34 | generateProjectDetailsJson=true 35 | EOF 36 | cat eua.config 37 | - task: CmdLine@2 38 | inputs: 39 | script: | 40 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 41 | curl -LJO 
https://unified-agent.s3.amazonaws.com/xModuleAnalyzer/xModuleAnalyzer.jar 42 | java -jar wss-unified-agent.jar -d $PWD -analyzeMultiModuleExclusions '**/*internal* **/*original* **/*sources.jar' -analyzeMultiModule multimodule.txt 43 | echo 'multimodule.txt contents' 44 | cat multimodule.txt 45 | java -jar xModuleAnalyzer.jar -xModulePath multimodule.txt -fsaJarPath ./wss-unified-agent.jar -c ./eua.config -aggregateModules true 46 | -------------------------------------------------------------------------------- /CI-CD/Jenkins/Jenkins_pipeline_npm.groovy: -------------------------------------------------------------------------------- 1 | pipeline { 2 | 3 | agent any 4 | 5 | environment { 6 | WS_APIKEY = "${APIKEY}" //Taken from Jenkins Global Environment Variables 7 | WS_WSS_URL = "${WSURL}" //Taken from Jenkins Global Environment Variables 8 | WS_USERKEY = "${USERKEY}" //Taken from Jenkins Global Environment Variables 9 | WS_PRODUCTNAME = "Jenkins_Pipeline" 10 | WS_PROJECTNAME = "${JOB_NAME}" 11 | } 12 | 13 | tools { 14 | nodejs "nodejs-17.3.1" 15 | } 16 | 17 | stages { 18 | stage('Cloning Git') { 19 | steps { 20 | git 'https://github.com/Some/Java/Project/URL' 21 | } 22 | } 23 | 24 | stage('Install dependencies') { 25 | steps { 26 | sh 'npm install' 27 | } 28 | } 29 | 30 | stage('Download WS Script') { 31 | steps { 32 | script { 33 | echo "Downloading WhiteSource Unified Agent and Checking Integrity" 34 | sh 'curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar' 35 | ua_jar_checksum=sh(returnStdout: true, script: "sha256sum 'wss-unified-agent.jar'") 36 | ua_integrity_file=sh(returnStdout: true, script: "curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256") 37 | if ("${ua_integrity_file}" == "${ua_jar_checksum}") { 38 | echo "Integrity Check Passed" 39 | } else { 40 | echo "Integrity Check Failed" 41 | } 42 | } 43 | } 44 | } 45 | 46 | stage('Run WS Script') { 47 | steps { 48 | sh 'java -jar wss-unified-agent.jar' 49 | } 
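    }
  }
}

--------------------------------------------------------------------------------
/Generic/UA-Docker-Image.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Generic example for scanning docker images with the WhiteSource Unified Agent
# Glob patterns used scan all pulled images with repository name containing "ubuntu"
# Scans only the pulled image "maven:3.8-openjdk-8"
# See docker.includes & docker.excludes sections for more detail - https://whitesource.atlassian.net/wiki/spaces/WD/pages/1544880156/Unified+Agent+Configuration+Parameters#Docker-Images
# Scans are only done on repository name, tag version, or image id. Not repositoryname + tag
# For specific scans Image ID is recommended using the following - replace maven:3.8-openjdk-8 with your repository name + tag
# export WS_DOCKER_INCLUDES=$(docker images maven:3.8-openjdk-8 -q)

# Abort on the first failing command so a failed pull/download never reaches the scan.
set -euo pipefail

docker pull ubuntu:latest
docker pull maven:3.8-openjdk-8

# Supply the keys from your secret store at runtime; never commit real values.
export WS_APIKEY=
export WS_USERKEY=
export WS_PRODUCTNAME=
export WS_PROJECTNAME=doesnotmatter
export WS_WSS_URL=https://saas.whitesourcesoftware.com/agent
export WS_DOCKER_INCLUDES=.*ubuntu.*
export WS_DOCKER_SCANIMAGES=true
export WS_DOCKER_LAYERS=true
export WS_DOCKER_PROJECTNAMEFORMAT=repositoryNameAndTag
export WS_ARCHIVEEXTRACTIONDEPTH=2
export WS_ARCHIVEINCLUDES='**/*war **/*ear **/*zip **/*whl **/*tar.gz **/*tgz **/*tar **/*car **/*jar'

UA_URL=https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
# -f fails on HTTP errors instead of saving an error page as the jar; -o pins the
# local filename (with -J a Content-Disposition header could choose it, so the
# sha256sum below might check a different file than the one that was saved).
curl -fsSL -o wss-unified-agent.jar "$UA_URL"
echo Unified Agent downloaded successfully
# Compare only the hex digest: the published .sha256 line may carry a filename or
# newline that differs from sha256sum's output. The digest is served by the same
# origin as the jar, so this catches corrupted/truncated downloads, not a
# compromised origin - pin a known digest here if you need that assurance.
UA_EXPECTED=$(curl -fsSL "$UA_URL.sha256" | awk '{print $1}')
UA_ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
if [[ -z "$UA_EXPECTED" || "$UA_EXPECTED" != "$UA_ACTUAL" ]] ; then
  # Non-zero exit: the unverified jar must not be executed.
  echo "Integrity Check Failed"
  exit 1
fi
echo "Integrity Check Passed"
echo Starting WhiteSource Scan
java -jar wss-unified-agent.jar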
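--------------------------------------------------------------------------------
/CI-CD/GitLab/gitlab-npm.yml:
--------------------------------------------------------------------------------
# add API_KEY and USER_KEY as masked (and ideally protected) CI/CD variables - https://gitlab.com/help/ci/variables/README
# (the ws_scan job below reads $API_KEY and $USER_KEY, so the variables must use exactly those names)
default:
  # NOTE(review): a third-party image on a floating :latest tag is an unpinned
  # dependency; pin a digest (image@sha256:...) for reproducible, auditable builds.
  image: timbru31/java-node:latest

stages:
  - build
  - scan

before_script:
  - NPM_PACKAGE_NAME=$(node -p "require('./package.json').name")
  - NPM_PACKAGE_VERSION=$(node -p "require('./package.json').version")
  - NPM_PKG="$NPM_PACKAGE_NAME@$NPM_PACKAGE_VERSION"
  - NPM_APP_ENTRY_POINT=$(node -p "require('./package.json').main")
  - NPM_IS_PRIVATE=$(node -p "require('./package.json').private")

# NOTE(review): $NPM_PKG is assigned in before_script, so it is probably not yet
# set when this cache key is evaluated - confirm, or key on $CI_PROJECT_NAME instead.
cache:
  key: "cache-$NPM_PKG-$CI_PIPELINE_ID"
  paths:
    - ${CI_PROJECT_DIR}/

npm_build:
  stage: build
  script:
    - echo "CI_PROJECT_DIR - $CI_PROJECT_DIR"
    - echo "Package - $NPM_PKG"
    - |
      if [ -f "./package-lock.json" ] ; then
        npm install
      else
        npm install --package-lock
      fi

ws_scan:
  stage: scan
  variables:
    WS_APIKEY: $API_KEY
    WS_USERKEY: $USER_KEY
    WS_WSS_URL: "https://saas.whitesourcesoftware.com/agent"
    WS_PRODUCTNAME: $CI_PROJECT_NAME
    WS_PROJECTNAME: $CI_COMMIT_REF_NAME
  script: |
    echo "Downloading WhiteSource Unified Agent"
    UA_URL=https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
    # -f: fail on HTTP errors; -o: fixed local name (no Content-Disposition override).
    curl -fsSL -o wss-unified-agent.jar "$UA_URL"
    # Compare only the hex digest; the published .sha256 line may also carry a filename.
    UA_EXPECTED="$(curl -fsSL "$UA_URL.sha256" | awk '{print $1}')"
    UA_ACTUAL="$(sha256sum wss-unified-agent.jar | awk '{print $1}')"
    if [[ -z "$UA_EXPECTED" || "$UA_EXPECTED" != "$UA_ACTUAL" ]] ; then
      # Fail the job: the unverified jar must not run, and the scan must not be
      # silently skipped (the original fell through and ran the jar anyway).
      echo "Integrity Check Failed"
      exit 1
    fi
    echo "Integrity Check Passed"
    echo Starting WhiteSource Scan
    # Run the scan exactly once (the original invoked the agent twice).
    java -jar ./wss-unified-agent.jar

--------------------------------------------------------------------------------
/CI-CD/Jenkins/Jenkins_pipeline_maven.groovy: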
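--------------------------------------------------------------------------------
// Declarative Jenkins pipeline: clone, Maven build, download + verify the
// Unified Agent, then scan. The build is aborted if the jar fails verification.
pipeline {
  agent any

  environment {
    // Keys come from Jenkins global env / credentials; never hard-code them here.
    WS_APIKEY = "${APIKEY}" //Taken from Jenkins Global Environment Variables
    WS_WSS_URL = "${WSURL}" //Taken from Jenkins Global Environment Variables
    WS_USERKEY = "${USERKEY}" //Taken from Jenkins Global Environment Variables
    WS_PRODUCTNAME = "Jenkins_Pipeline"
    WS_PROJECTNAME = "${JOB_NAME}"
  }

  tools {
    maven "mvn_3.6.3"
  }

  stages {

    stage('Cloning Git') {
      steps {
        git 'https://github.com/Some/Java/Project/URL'
      }
    }

    stage('Install dependencies') {
      steps {
        sh 'mvn clean install -DskipTests'
      }
    }

    stage('Download WS Script') {
      steps {
        script {
          echo "Downloading WhiteSource Unified Agent and Checking Integrity"
          // -f fails on HTTP errors instead of saving an error page as the jar;
          // -o pins the local filename (with -J a Content-Disposition header could
          // choose it, so the sha256sum below might check a different file).
          sh 'curl -fsSL -o wss-unified-agent.jar https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar'
          // Compare only the hex digest: the published .sha256 line may carry a
          // filename or trailing newline that differs from sha256sum's output.
          def uaJarChecksum = sh(returnStdout: true,
                                 script: "sha256sum wss-unified-agent.jar | cut -d ' ' -f1").trim()
          def uaPublishedChecksum = sh(returnStdout: true,
                                       script: "curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | cut -d ' ' -f1").trim()
          // The digest is served by the same origin as the jar, so this detects a
          // corrupted/truncated download, not a compromised origin; pin a known
          // digest here if you need that stronger assurance.
          if (uaPublishedChecksum && uaPublishedChecksum == uaJarChecksum) {
            echo "Integrity Check Passed"
          } else {
            // error() aborts the build so the unverified jar is never executed
            // by the next stage (the original only echoed and carried on).
            error "Integrity Check Failed"
          }
        }
      }
    }

    stage('Run WS Script') {
      steps {
        sh 'java -jar wss-unified-agent.jar'
      }
    }
  }
}

--------------------------------------------------------------------------------
/Prioritize/Java/Single-Module/Gradle/prioritize.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#### Prerequisite commands & installs
# apt-get update
# apt-get install -y curl git openjdk-8-jdk nano

#### Clone your repo & run script
# git clone && cd ./
# chmod +x ./prioritize.sh
# ./prioritize.sh

#### Build application & check JAVA_HOME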
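echo JAVA_HOME:$JAVA_HOME
./gradlew build -x test

#### Run WS Prioritize
UA_URL=https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
# -f: fail on HTTP errors instead of saving an error page as the jar.
# -o: pin the local filename (with -J a Content-Disposition header could choose it).
curl -fsSL -o wss-unified-agent.jar "$UA_URL" || { echo "Unified Agent download failed"; exit 1; }
echo Unified Agent downloaded successfully
# Compare only the hex digest; the published .sha256 line may also carry a filename.
# The digest comes from the same origin as the jar, so this catches a corrupted or
# truncated download, not a compromised origin - pin a known digest for that.
UA_EXPECTED=$(curl -fsSL "$UA_URL.sha256" | awk '{print $1}')
UA_ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
if [[ -z "$UA_EXPECTED" || "$UA_EXPECTED" != "$UA_ACTUAL" ]] ; then
  # Abort: the unverified jar must not be executed below (the original
  # only echoed and then ran the scan anyway).
  echo "Integrity Check Failed"
  exit 1
fi
echo "Integrity Check Passed"
# replace .war with .ear or the following for WARFILE if needed
# JARFILE=$(find ./build/libs -type f -wholename "*.jar" ! -wholename "*javadoc*" ! -wholename "*groovydoc*" ! -wholename "*sources*")
export WARFILE=$(find ./build/libs -type f -wholename "*.war")
echo $WARFILE will be added to appPath
echo Starting WhiteSource Prioritize Scan
# Supply the keys from your secret store at runtime; never commit real values.
export WS_APIKEY=
export WS_USERKEY=
export WS_WSS_URL=https://saas.whitesourcesoftware.com/agent
export WS_ENABLEIMPACTANALYSIS=true
export WS_RESOLVEALLDEPENDENCIES=false
export WS_GRADLE_RESOLVEDEPENDENCIES=true
export WS_GRADLE_AGGREGATEMODULES=true
export WS_FILESYSTEMSCAN=false
# Product/project names are derived from the 4th/5th path segments of the origin URL.
export WS_PRODUCTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $4}')
export WS_PROJECTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $5}' | awk -F "." 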
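'{print $1}')-Prioritize
java -jar wss-unified-agent.jar -appPath $WARFILE -d ./

--------------------------------------------------------------------------------
/Prioritize/Java/Single-Module/Maven/github-action.yml:
--------------------------------------------------------------------------------
# replace .war with .jar or .ear if needed
name: Whitesource Prioritize Java with Maven

on:
  push:
    branches: [ main ]

jobs:
  build:
    env:
      # NOTE(review): job-level env is visible to every step, including third-party
      # actions; scope GITHUB_TOKEN to the one step that needs it (or drop it if the
      # agent does not use it).
      GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      WS_APIKEY: ${{secrets.APIKEY}}
      WS_USERKEY: ${{secrets.USERKEY}}
      WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
      WS_PRODUCTNAME: GH_${{github.event.repository.name}}
      WS_PROJECTNAME: ${{github.event.repository.name}}_${{github.ref_name}}_Prioritize

    runs-on: ubuntu-latest

    steps:
    # NOTE(review): actions referenced by a floating major tag can change under you;
    # consider pinning each `uses:` to a full commit SHA.
    - uses: actions/checkout@v2
    - name: Set up JDK
      uses: actions/setup-java@v2
      with:
        java-version: '8'
        distribution: 'adopt'
    - name: Cache local Maven repository
      uses: actions/cache@v2
      with:
        path: ~/.m2/repository
        key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
        restore-keys: |
          ${{ runner.os }}-maven-

    - name: Build with Maven
      run: mvn clean install -DskipTests=true
    - name: WhiteSource Unified Agent Scan
      env:
        WS_ENABLEIMPACTANALYSIS: true
        WS_RESOLVEALLDEPENDENCIES: false
        WS_MAVEN_RESOLVEDEPENDENCIES: true
        WS_MAVEN_AGGREGATEMODULES: true
        WS_FILESYSTEMSCAN: false
        WS_GENERATEPROJECTDETAILSJSON: true
      run: |
        UA_URL=https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
        # -f: fail on HTTP errors; -o: fixed local name (no Content-Disposition override).
        curl -fsSL -o wss-unified-agent.jar "$UA_URL"
        echo Unified Agent downloaded successfully
        # Verify the download like the sibling examples do (this file had no check).
        # Compare only the hex digest; the published .sha256 line may also carry a filename.
        UA_EXPECTED=$(curl -fsSL "$UA_URL.sha256" | awk '{print $1}')
        UA_ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
        if [[ -z "$UA_EXPECTED" || "$UA_EXPECTED" != "$UA_ACTUAL" ]] ; then
          echo "Integrity Check Failed"
          exit 1
        fi
        echo "Integrity Check Passed"
        WARFILE=$(find ./ -type f -wholename "*/target/*.war")
        echo $WARFILE will be added to appPath
        java -jar wss-unified-agent.jar -appPath $WARFILE -d ./

--------------------------------------------------------------------------------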
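/CI-CD/AzureDevOps/azure-pipelines_dockerscan.yml:
--------------------------------------------------------------------------------
# WS_DOCKER_INCLUDES should be the name of the docker image you would like to scan
# project name does not matter, it is set by docker.projectNameFormat, which takes
# one of the following values:
#   repositoryNameAndTag
#   repositoryName

# To remove the base image from findings, use the following parameters
# WS_DOCKER_EXCLUDEBASEIMAGE: true
# WS_DOCKER_DOCKERFILEPATH: ./Dockerfile


pool:
  vmImage: 'ubuntu-latest'

steps:

- task: DockerCompose@0
  inputs:
    containerregistrytype: 'Container Registry'
    dockerComposeFile: '**/docker-compose.yml'
    action: 'Run a Docker Compose command'
    dockerComposeCommand: 'build'


- script: |
    echo Downloading WhiteSource Unified Agent
    UA_URL=https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
    # -f: fail on HTTP errors; -o: fixed local name (no Content-Disposition override).
    curl -fsSL -o wss-unified-agent.jar "$UA_URL"
    # Compare only the hex digest; the published .sha256 line may also carry a filename.
    UA_EXPECTED=$(curl -fsSL "$UA_URL.sha256" | awk '{print $1}')
    UA_ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
    if [[ -z "$UA_EXPECTED" || "$UA_EXPECTED" != "$UA_ACTUAL" ]] ; then
      # exit 1 fails the step; the original only echoed, so a bad download left
      # the step green with no scan performed.
      echo "Integrity Check Failed"
      exit 1
    fi
    echo "Integrity Check Passed"
    echo Starting WhiteSource Scan
    java -jar wss-unified-agent.jar
  env:
    WS_APIKEY: $(APIKEY)
    WS_USERKEY: $(USERKEY)
    WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
    WS_PRODUCTNAME: $(System.TeamProject)
    WS_PROJECTNAME: doesnotmatter
    WS_DOCKER_SCANIMAGES: true
    WS_DOCKER_INCLUDES: ".*$(Build.Repository.Name).*"
    WS_DOCKER_LAYERS: true
    WS_DOCKER_PROJECTNAMEFORMAT: repositoryNameAndTag
    WS_ARCHIVEEXTRACTIONDEPTH: 2
    WS_ARCHIVEINCLUDES: '**/*war **/*ear **/*zip **/*whl **/*tar.gz **/*tgz **/*tar **/*car **/*jar'
  displayName: WhiteSource Docker Image Scan

--------------------------------------------------------------------------------
/CI-CD/GitLab/gitlab-maven-cached-ua.yml: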
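--------------------------------------------------------------------------------
# add API_KEY and USER_KEY as masked (and ideally protected) CI/CD variables - https://gitlab.com/help/ci/variables/README
# (the ws_scan job below reads $API_KEY and $USER_KEY, so the variables must use exactly those names)
default:
  # NOTE(review): the ws_scan job needs curl, jq, date and stat; confirm this
  # image provides jq, or install it / pick an image that does.
  image: maven:3.8-openjdk-11

stages:
  - build
  - scan

maven_build:
  image: maven:3.8.4-eclipse-temurin-17-alpine
  stage: build
  script: "mvn clean install -DskipTests"

cache:
  key: "cache-$MVN_PKG-$CI_PIPELINE_ID"
  paths:
    - ${CI_PROJECT_DIR}/

ws_scan:
  stage: scan
  cache:
    key: WhiteSource
    paths:
      - ./wss-unified-agent.jar
  variables:
    WS_APIKEY: $API_KEY
    WS_USERKEY: $USER_KEY
    WS_MAVEN_AGGREGATEMODULES: true
    WS_WSS_URL: "https://saas.whitesourcesoftware.com/agent"
    WS_PRODUCTNAME: $CI_PROJECT_NAME
    WS_PROJECTNAME: $CI_COMMIT_REF_NAME
  script: |
    echo "Checking for the newer versions for WhiteSource Unified Agent"
    # Unauthenticated GitHub API calls are rate limited; if the lookup fails the
    # dates below come back empty and we fall back to downloading.
    res="$(curl -s -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/whitesource/unified-agent-distribution/releases")"
    latestRelease="$(echo "$res" | jq -s '.[] | sort_by(.published_at) | last' 2>/dev/null)"
    latestVer="$(echo "$latestRelease" | jq -rs '.[] | .tag_name' 2>/dev/null)"
    latestVerDate="$(date -d "$(echo "$latestRelease" | jq -rs '.[] | .published_at' 2>/dev/null)" +%s 2>/dev/null)"
    if [ -f "${CI_PROJECT_DIR}/wss-unified-agent.jar" ] ; then
      # The cached jar's mtime stands in for its release date (it is the download time).
      curVerDate="$(stat -c %Y "${CI_PROJECT_DIR}/wss-unified-agent.jar" 2>/dev/null)"
    else
      curVerDate=0
    fi
    if [ -z "$latestVerDate" ] || [ "$latestVerDate" -gt "$curVerDate" ] ; then
      echo "Downloading WhiteSource Unified Agent latest version (${latestVer:-unknown})"
      UA_URL=https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
      # -f: fail on HTTP errors; -o: fixed local name (no Content-Disposition override).
      curl -fsSL -o wss-unified-agent.jar "$UA_URL"
      # Verify every fresh download before it can be cached or executed.
      # Compare only the hex digest; the published .sha256 line may also carry a filename.
      UA_EXPECTED="$(curl -fsSL "$UA_URL.sha256" | awk '{print $1}')"
      UA_ACTUAL="$(sha256sum wss-unified-agent.jar | awk '{print $1}')"
      if [ -z "$UA_EXPECTED" ] || [ "$UA_EXPECTED" != "$UA_ACTUAL" ] ; then
        echo "Integrity Check Failed"
        # Do not leave the bad jar behind for the cache.
        rm -f wss-unified-agent.jar
        exit 1
      fi
      echo "Integrity Check Passed"
    else
      # NOTE(review): a cached jar is trusted on the strength of the check done
      # when it was downloaded; it is not re-verified here.
      echo "Already using the latest version of the WhiteSource Unified Agent"
    fi

    echo "WhiteSource Scan"
    java -jar ./wss-unified-agent.jar

--------------------------------------------------------------------------------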
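/Repo-Integration/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#Prereqs - sudo yum install wget jq
# export ws_key=''
# Usage: ./setup.sh <gls|bb|ghe>
#   gls = GitLab Server, bb = Bitbucket Server, ghe = GitHub Enterprise
# Downloads the Mend repo-integration agent for the chosen SCM into
# $HOME/mend/<scm>/latest, injects the activation key into prop.json and
# writes the image TAG/SCANNER values into ./.env for docker-compose.

# Stop on the first failure and on unset variables so a partial download or
# typo never results in a half-configured install.
set -eu

SCM=${1:-}

# Validate the argument BEFORE touching the filesystem: with an empty/unknown
# SCM the original computed BASE_DIR=$HOME/mend/ and ran `rm -rf` on it.
case $SCM in
  gls)
    AGENT_PATH="Agent-for-GitLab-Enterprise"
    AGENT_TAR="agent-4-gitlab-server.tar.gz"
    ;;

  bb)
    AGENT_PATH="Agent-for-BitBucket"
    AGENT_TAR="agent-4-bitbucket.tar.gz"
    ;;

  ghe)
    AGENT_PATH="Agent-for-GitHub-Enterprise"
    AGENT_TAR="agent-4-github-enterprise.tar.gz"
    ;;

  *)
    echo "Usage: $0 <gls|bb|ghe>" >&2
    exit 1
    ;;
esac

# An empty activation key would be written silently into prop.json.
if [ -z "${ws_key:-}" ]; then
  echo "ws_key is not set - export ws_key='<activation key>' first" >&2
  exit 1
fi

BASE_DIR=$HOME/mend/$SCM
REPO_INTEGRATION_DIR=$(pwd)

rm -rf "$BASE_DIR" && mkdir -p "$BASE_DIR"


# Download agent file and copy to latest
# NOTE(review): no checksum or signature is fetched for this tarball; verify it
# against a digest published out-of-band before trusting it - TODO.
wget "https://integrations.mend.io/release/$AGENT_PATH/$AGENT_TAR" -P "$BASE_DIR"
AGENT_FILE=$(basename "$AGENT_TAR" .tar.gz)
echo "$AGENT_FILE is the agent"
mkdir "$BASE_DIR/untar"
tar -xvf "$BASE_DIR/$AGENT_TAR" -C "$BASE_DIR/untar"
cd "$BASE_DIR/untar"
# The tarball is expected to contain a single versioned top-level directory.
AGENT_LATEST=$(ls -d */)
echo "$AGENT_LATEST is agent latest"
cd "$BASE_DIR"
mkdir "$BASE_DIR/latest"
mv "$BASE_DIR/untar/$AGENT_LATEST"* "$BASE_DIR/latest"
rm -rf "$BASE_DIR/untar"


# Copy License Key (quoted so a key containing spaces/globs is passed intact)
jq --arg ws_key "$ws_key" '(.properties[] | select(.propertyName=="bolt.op.activation.key")).propertyValue |= $ws_key' "${BASE_DIR}/latest/wss-configuration/config/prop.json" > "${BASE_DIR}/prop.json"
# prop.json now holds the activation key: keep it readable by the owner only.
chmod 600 "${BASE_DIR}/prop.json"

## Grab scanner tags
# Parses the first two non-comment, non-empty lines of the vendor build.sh for
# their "image:tag" tokens; this depends on that file's layout.
TAG=$(grep -v ^\# "${BASE_DIR}/latest/build.sh" | grep . | awk -F "[ ]" 'NR==1 {print $4}' | awk -F ":" '{print $2}')
SCANNER=$(grep -v ^\# "${BASE_DIR}/latest/build.sh" | grep . | awk -F "[ ]" 'NR==2 {print $4}'| awk -F ":" '{print $2}')
if [ -z "$TAG" ] || [ -z "$SCANNER" ]; then
  echo "warning: could not determine TAG/SCANNER from ${BASE_DIR}/latest/build.sh" >&2
fi
rm -rf "${REPO_INTEGRATION_DIR}/.env"
echo "TAG=${TAG}" >> "${REPO_INTEGRATION_DIR}/.env"
echo "SCANNER=${SCANNER}" >> "${REPO_INTEGRATION_DIR}/.env"
echo "BASE_DIR=${BASE_DIR}" >> "${REPO_INTEGRATION_DIR}/.env"
echo "SCM=$SCM" >> "${REPO_INTEGRATION_DIR}/.env"

--------------------------------------------------------------------------------
/CI-CD/TeamCity/teamcity-pipelines-maven.yml:
--------------------------------------------------------------------------------
package WebGoat.buildTypes

import jetbrains.buildServer.configs.kotlin.v2019_2.*
import jetbrains.buildServer.configs.kotlin.v2019_2.buildSteps.maven
import jetbrains.buildServer.configs.kotlin.v2019_2.buildSteps.script

object WebGoat : BuildType({
    id = DslContext.projectId
    name = "WebGoat"
    description = "WebGoat"
    params {
        password("env.APIKEY", "******", display = ParameterDisplay.HIDDEN)
        password("env.USERKEY", "******", display = ParameterDisplay.HIDDEN)
    }
    vcs {
        root(WebGoat_HttpsGithubComLukebroganwsWebGoatRefsHeadsDevelop)
    }

    steps {
        maven {
            name = "Maven"
            goals = "clean install -DskipTests"
        }
        script {
            name = "WhiteSource"
            scriptContent = """
                echo "Downloading WS"
                if !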
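[ -f ./wss-unified-agent.jar ]; then
                    # -f: fail on HTTP errors instead of saving an error page as the jar.
                    # -o: fixed local name (no Content-Disposition override); -R keeps the server mtime.
                    curl -fsSL -R -o wss-unified-agent.jar https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
                    # Compare only the hex digest; the published .sha256 line may also carry a filename.
                    expected="${'$'}(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | cut -d ' ' -f1)"
                    actual="${'$'}(sha256sum wss-unified-agent.jar | cut -d ' ' -f1)"
                    if [ -z "${'$'}expected" ] || [ "${'$'}expected" != "${'$'}actual" ]; then
                        echo "Integrity Check Failed"
                        # Remove the bad jar so a later build does not treat it as cached.
                        rm -f wss-unified-agent.jar
                        # exit 1: a negative status (the original used -7) is not portable across shells.
                        exit 1
                    fi
                    echo "Integrity Check Passed"
                fi
                # NOTE(review): a jar left in the checkout by an earlier build on this agent is
                # trusted without re-verification; clean the workspace if that is not acceptable.
                echo "Exceute WS"
                export WS_APIKEY=${'$'}{APIKEY} #Taken from TeamCity Environment Variables
                export WS_USERKEY=${'$'}{USERKEY} #Taken from TeamCity Environment Variables
                export WS_WSS_URL="https://saas.whitesourcesoftware.com/agent"
                export WS_PRODUCTNAME=TC_${'$'}{TEAMCITY_PROJECT_NAME}
                export WS_PROJECTNAME=${'$'}{TEAMCITY_BUILDCONF_NAME}
                java -jar wss-unified-agent.jar
            """.trimIndent()
        }
    }
})

--------------------------------------------------------------------------------
/Prioritize/Scala/SBT-Maven/github-action.yml:
--------------------------------------------------------------------------------
name: WhiteSource Prioritize Scala with SBT & Maven

on:
  push:
    branches: [ release* ]
  pull_request:
    branches: [ release* ]

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - name: Set up JDK
      uses: actions/setup-java@v2
      with:
        java-version: '8'
        distribution: 'adopt'
    - name: SBT Package
      run: |
        sbt package
        sbt makePom
        mv $(find ./ -type f -wholename "*/target/*.pom") ./pom.xml
        mvn clean install -DskipTests=true

    - name: WhiteSource Unified Agent Scan
      # NOTE(review): with continue-on-error the integrity failure below marks this
      # step failed but does not block the workflow; drop it if a bad download
      # should stop the pipeline.
      continue-on-error: true
      env:
        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
        WS_APIKEY: ${{secrets.APIKEY}}
        WS_USERKEY: ${{secrets.USERKEY}}
        WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
        WS_PRODUCTNAME: GH_${{github.event.repository.name}}
        WS_PROJECTNAME: ${{github.ref}}_Prioritize
        WS_ENABLEIMPACTANALYSIS: true
        WS_RESOLVEALLDEPENDENCIES: false
        WS_MAVEN_RESOLVEDEPENDENCIES: true
        WS_MAVEN_AGGREGATEMODULES: true
        WS_FILESYSTEMSCAN: false
        WS_GENERATEPROJECTDETAILSJSON: true
      run: |
        UA_URL=https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
        # -f: fail on HTTP errors; -o: fixed local name (no Content-Disposition override).
        curl -fsSL -o wss-unified-agent.jar "$UA_URL"
        echo Unified Agent downloaded successfully
        # Compare only the hex digest; the published .sha256 line may also carry a filename.
        UA_EXPECTED=$(curl -fsSL "$UA_URL.sha256" | awk '{print $1}')
        UA_ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
        if [[ -z "$UA_EXPECTED" || "$UA_EXPECTED" != "$UA_ACTUAL" ]] ; then
          # Stop here: the original echoed the failure and ran the jar anyway.
          echo "Integrity Check Failed"
          exit 1
        fi
        echo "Integrity Check Passed"
        echo "Starting WhiteSource Scan"
        # NOTE(review): this find may return several jars (e.g. sources/javadoc); confirm
        # it resolves to exactly one application jar for your build.
        JARFILE=$(find ./ -type f -wholename "*/target/*.jar")
        echo $JARFILE will be added to appPath
        java -jar wss-unified-agent.jar -appPath $JARFILE -d ./
--------------------------------------------------------------------------------
/Prioritize/DotNet/Single-Module/azure-pipelines_windows.yml:
--------------------------------------------------------------------------------
trigger:
- release*

pool:
  vmImage: 'windows-latest'

variables:
  solution: '**/*.sln'
  buildPlatform: 'Any CPU'
  buildConfiguration: 'Release'

steps:
- task: NuGetToolInstaller@1

- task: NuGetCommand@2
  inputs:
    restoreSolution: '$(solution)'

- task: VSBuild@1
  inputs:
    solution: '$(solution)'
    msbuildArgs: '/p:DeployOnBuild=true /p:WebPublishMethod=Package /p:PackageAsSingleFile=true /p:SkipInvalidConfigurations=true /p:DesktopBuildPackageLocation="$(build.artifactStagingDirectory)\WebApp.zip" /p:DeployIisAppPath="Default Web Site"'
    platform: '$(buildPlatform)'
    configuration: '$(buildConfiguration)'

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      # Make web request / hashing failures terminate the step instead of
      # continuing into the scan.
      $ErrorActionPreference = 'Stop'
      # NOTE(review): with more than one .csproj under ./src $CSPROJ becomes an
      # array and the -Filter below will not match; confirm single-module layout.
      $CSPROJ=(Get-ChildItem -Path ./src -Recurse -Filter '*.csproj' | Foreach-Object {$_.BaseName})
      $DLL=(Get-ChildItem -Path ./ -Recurse -Filter "$CSPROJ.dll" | where{$_.DirectoryName -match "bin\\Release" -and $_.DirectoryName -notmatch "test"} | Select-Object -ExpandProperty FullName)
      echo $DLL will be added to appPath
      $UaUrl = 'https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar'
      Invoke-WebRequest -Uri $UaUrl -OutFile wss-unified-agent.jar
      echo Unified Agent downloaded successfully
      # Verify the download like the Linux examples do (this file had no check).
      # Compare only the hex digest; the published .sha256 line may also carry a filename.
      # NOTE(review): assumes the .sha256 endpoint is served as text; if it comes
      # back as a byte array, decode it before splitting.
      $expected = ([string](Invoke-RestMethod -Uri "$UaUrl.sha256") -split '\s+')[0]
      $actual = (Get-FileHash -Algorithm SHA256 -Path wss-unified-agent.jar).Hash
      if ([string]::IsNullOrEmpty($expected) -or ($expected -ine $actual)) {
        Write-Error "Integrity Check Failed"
        exit 1
      }
      echo "Integrity Check Passed"
      java -jar wss-unified-agent.jar -appPath $DLL -d ./
  env:
    WS_APIKEY: $(APIKEY)
    WS_USERKEY: $(USERKEY)
    WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
    WS_PRODUCTNAME: AZDO_$(System.TeamProject)
    WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize
    WS_ENABLEIMPACTANALYSIS: true
    WS_RESOLVEALLDEPENDENCIES: false
    WS_NUGET_RESOLVEDEPENDENCIES: true
    WS_NUGET_RUNPRESTEP: true
    WS_FILESYSTEMSCAN: false
    WS_GENERATEPROJECTDETAILSJSON: true
    WS_EXCLUDES: '**/build/** **/tests/**'
  displayName: 'Unified Agent Prioritize Scan'
--------------------------------------------------------------------------------
/Prioritize/DotNet/Single-Module/github-action_linux.yml:
--------------------------------------------------------------------------------
name: Whitesource Prioritize DotNET Core

on:
  push:
    branches: [ release* ]
  pull_request:
    branches: [ release* ]

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - uses: actions/setup-dotnet@v1
      with:
        dotnet-version: 3.1.402
    - name: Build
      run: dotnet build -c Release
    - name: WhiteSource Unified Agent Scan
      env:
        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
        WS_APIKEY: ${{secrets.APIKEY}}
        WS_USERKEY: ${{secrets.USERKEY}}
        WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
        WS_PRODUCTNAME: GH_${{github.event.repository.name}}
        WS_PROJECTNAME: ${{github.ref}}_Prioritize
        WS_ENABLEIMPACTANALYSIS: true
        WS_RESOLVEALLDEPENDENCIES: false
        WS_NUGET_RESOLVEDEPENDENCIES: true
        WS_NUGET_RUNPRESTEP: true
        WS_FILESYSTEMSCAN: false
        WS_GENERATEPROJECTDETAILSJSON: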
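true
        WS_EXCLUDES: '**/build/** **/tests/**'
      run: |
        UA_URL=https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
        # -f: fail on HTTP errors; -o: fixed local name (no Content-Disposition override).
        curl -fsSL -o wss-unified-agent.jar "$UA_URL"
        echo Unified Agent downloaded successfully
        # Compare only the hex digest; the published .sha256 line may also carry a filename.
        UA_EXPECTED=$(curl -fsSL "$UA_URL.sha256" | awk '{print $1}')
        UA_ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
        if [[ -z "$UA_EXPECTED" || "$UA_EXPECTED" != "$UA_ACTUAL" ]] ; then
          # Stop here: the original echoed the failure and still ran the scan below.
          echo "Integrity Check Failed"
          exit 1
        fi
        echo "Integrity Check Passed"
        echo Starting WhiteSource Scan
        # One Prioritize scan with -appPath; the original additionally ran a plain
        # `java -jar wss-unified-agent.jar` first, which appears to be a duplicate.
        CSPROJ=$(basename $(find ./src -type f -wholename "*.csproj" ! -wholename "*build*" ! -wholename "*test*") .csproj)
        DLL=$(find ./ -type f -wholename "*/bin/Release/*/$CSPROJ.dll" ! -wholename "*build*" ! -wholename "*test*")
        echo $DLL will be added to appPath
        java -jar wss-unified-agent.jar -appPath $DLL -d ./src

--------------------------------------------------------------------------------
/Prioritize/DotNet/Multi-Module/azure-pipelines_windows.yml:
--------------------------------------------------------------------------------
trigger:
- main

pool:
  vmImage: 'windows-latest'

variables:
  solution: '**/*.sln'
  buildPlatform: 'Any CPU'
  buildConfiguration: 'Release'

steps:
- task: NuGetToolInstaller@1

- task: NuGetCommand@2
  inputs:
    restoreSolution: '$(solution)'

- task: VSBuild@1
  inputs:
    solution: '$(solution)'
    msbuildArgs: '/p:DeployOnBuild=true /p:WebPublishMethod=Package /p:PackageAsSingleFile=true /p:SkipInvalidConfigurations=true /p:PackageLocation="$(build.artifactStagingDirectory)"'
    platform: '$(buildPlatform)'
    configuration: '$(buildConfiguration)'

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      # Set-Content REPLACES the file, so the original's three Set-Content calls
      # left only the wss.url line: apiKey/userKey never reached eua.config.
      # Write the first line with Set-Content and append everything else.
      Set-Content -Value "apiKey=$(APIKEY)" -Path ./eua.config
      Add-Content -Value "userKey=$(USERKEY)" -Path ./eua.config
      Add-Content -Value "wss.url=https://saas.whitesourcesoftware.com/agent" -Path ./eua.config
      Add-Content -Value "enableImpactAnalysis=true" -Path ./eua.config
      Add-Content -Value "resolveAllDependencies=false" -Path ./eua.config
      Add-Content -Value "nuget.resolveDependencies=true" -Path ./eua.config
      Add-Content -Value "nuget.runPreStep=true" -Path ./eua.config
      Add-Content -Value "fileSystemScan=false" -Path ./eua.config
      Add-Content -Value "includes=**/*.dll **/*.exe" -Path ./eua.config
      Add-Content -Value "excludes=**/tests/**" -Path ./eua.config
      # Echo the config for debugging but keep the key lines out of the build log.
      Get-Content -Path ./eua.config | Where-Object { $_ -notmatch '^(apiKey|userKey)=' }
  displayName: 'Create whitesource config'

- script: |
    REM NOTE(review): this fetches and later executes a script from a mutable branch
    REM (main); pin it to a tag/commit and verify its digest before running it.
    curl -fsSL -o xModuleAnalyzer-NET.ps1 https://raw.githubusercontent.com/whitesource-ft/xModuleAnalyzer-NET/main/xModuleAnalyzer-NET.ps1
    echo "xModuleAnalyzer-NET downloaded successfully"
- task: PowerShell@2
  inputs:
    filePath: './xModuleAnalyzer-NET.ps1'
    arguments: '-d ./ -c ./eua.config -productName AZDO_$(System.TeamProject)'
  displayName: 'Unified Agent Prioritize Scan'
--------------------------------------------------------------------------------
/CI-CD/GitHub/github-action-conan.yml:
--------------------------------------------------------------------------------
name: Whitesource Unified Agent Scan - Conan

on:
  push:
    branches: [ main ]

jobs:
  prioritize:

    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [3.8]

    steps:
    - uses: actions/checkout@v2
    - name: Set up Python ${{ matrix.python-version }}
      uses: actions/setup-python@v2
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install Conan
      run: |
        python -m pip install --upgrade pip
        pip install virtualenv --user
        sudo apt install -y cmake
        pip install conan --upgrade
        conan profile new default --detect
        conan profile update settings.compiler.libcxx=libstdc++11 default
    - name: Build
      run: |
        mkdir build && cd build
        conan install ..
        cmake ..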
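-G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release
        cmake --build .
    - name: WhiteSource Unified Agent Scan
      env:
        WS_APIKEY: ${{secrets.APIKEY}}
        WS_USERKEY: ${{secrets.USERKEY}}
        WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
        WS_PRODUCTNAME: GH_${{github.event.repository.name}}
        WS_PROJECTNAME: ${{github.ref}}_ghaction
        WS_EXCLUDES: "**/*conan_export.tgz **/*conan_package.tgz **/*conanfile.py **/node_modules **/src/test **/testdata **/*sources.jar **/*javadoc.jar"
      run: |
        echo Downloading WhiteSource Unified Agent
        UA_URL=https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
        # -f: fail on HTTP errors; -o: fixed local name (no Content-Disposition override).
        curl -fsSL -o wss-unified-agent.jar "$UA_URL"
        # Compare only the hex digest; the published .sha256 line may also carry a filename.
        UA_EXPECTED=$(curl -fsSL "$UA_URL.sha256" | awk '{print $1}')
        UA_ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
        if [[ -z "$UA_EXPECTED" || "$UA_EXPECTED" != "$UA_ACTUAL" ]] ; then
          # exit 1 fails the step; the original only echoed, so a bad download
          # left the step green with no scan performed.
          echo "Integrity Check Failed"
          exit 1
        fi
        echo "Integrity Check Passed"
        # Copy the Conan cache into the workspace so the agent sees the resolved packages.
        cp -r ~/.conan/data ./conan-libraries
        echo Starting WhiteSource Scan
        java -jar wss-unified-agent.jar
--------------------------------------------------------------------------------
/Prioritize/Java/Single-Module/Maven/prioritize.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#### Prerequisite commands & installs
# apt-get update
# apt-get install -y curl git openjdk-8-jdk nano

#### Install Maven
# NOTE(review): verify the tarball's SHA-512 against the value published by the
# Apache Maven project before extracting it - a mirror download is not self-verifying.
# curl -LJO https://mirrors.ocf.berkeley.edu/apache/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz
# tar -xvf ./apache-maven-3.6.3-bin.tar.gz -C /opt
# ln -s /opt/apache-maven-3.6.3 /opt/maven
# rm ./apache-maven-3.6.3-bin.tar.gz
# nano /etc/profile.d/maven.sh

## Add the following into the maven.sh file and change jdk
# export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
# export M2_HOME=/opt/maven
# export MAVEN_HOME=/opt/maven
# export PATH=${M2_HOME}/bin:${PATH}
# export MAVEN_CONFIG=/root/.m2

## Make the script runnable
# chmod +x /etc/profile.d/maven.sh
# source /etc/profile.d/maven.sh
# mvn -version

#### Clone your repo & run script
# git clone && cd ./
# chmod +x ./prioritize.sh
# ./prioritize.sh

#### Build application & check JAVA_HOME
echo JAVA_HOME: $JAVA_HOME
mvn clean install -DskipTests=true

#### Run WS Prioritize
UA_URL=https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
# -f: fail on HTTP errors instead of saving an error page as the jar.
# -o: pin the local filename (with -J a Content-Disposition header could choose it).
curl -fsSL -o wss-unified-agent.jar "$UA_URL" || { echo "Unified Agent download failed"; exit 1; }
echo Unified Agent downloaded successfully
# Verify the download like the Gradle sibling does (this script had no check).
# Compare only the hex digest; the published .sha256 line may also carry a filename.
UA_EXPECTED=$(curl -fsSL "$UA_URL.sha256" | awk '{print $1}')
UA_ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
if [[ -z "$UA_EXPECTED" || "$UA_EXPECTED" != "$UA_ACTUAL" ]] ; then
  echo "Integrity Check Failed"
  exit 1
fi
echo "Integrity Check Passed"
# replace .war with .jar or .ear if needed
export WARFILE=$(find ./ -type f -wholename "*/target/*.war")
echo $WARFILE will be added to appPath
# Supply the keys from your secret store at runtime; never commit real values.
export WS_APIKEY=
export WS_USERKEY=
export WS_WSS_URL=https://saas.whitesourcesoftware.com/agent
export WS_ENABLEIMPACTANALYSIS=true
export WS_RESOLVEALLDEPENDENCIES=false
export WS_MAVEN_RESOLVEDEPENDENCIES=true
export WS_MAVEN_AGGREGATEMODULES=true
export WS_FILESYSTEMSCAN=false
# Product/project names are derived from the 4th/5th path segments of the origin URL.
export WS_PRODUCTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $4}')
export WS_PROJECTNAME=$(git config --get remote.origin.url | awk -F "/" '{print $5}' | awk -F "." 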
'{print $1}')-Prioritize 51 | java -jar wss-unified-agent.jar -appPath $WARFILE -d ./ 52 | -------------------------------------------------------------------------------- /Prioritize/Python/github-action.yml: -------------------------------------------------------------------------------- 1 | name: Whitesource Prioritize Python 2 | 3 | on: 4 | push: 5 | branches: [ release* ] 6 | pull_request: 7 | branches: [ release* ] 8 | 9 | jobs: 10 | prioritize: 11 | 12 | runs-on: ubuntu-latest 13 | strategy: 14 | matrix: 15 | python-version: [3.7] 16 | 17 | steps: 18 | - uses: actions/checkout@v2 19 | - name: Set up Python ${{ matrix.python-version }} 20 | uses: actions/setup-python@v2 21 | with: 22 | python-version: ${{ matrix.python-version }} 23 | 24 | - uses: actions/cache@v2 25 | with: 26 | path: ~/.cache/pip 27 | key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} 28 | restore-keys: | 29 | ${{ runner.os }}-pip- 30 | 31 | 32 | - name: Install dependencies 33 | run: | 34 | python -m pip install --upgrade pip 35 | pip install virtualenv --user 36 | pip install -r requirements.txt 37 | 38 | - name: WhiteSource Prioritize Scan 39 | env: 40 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} 41 | WS_APIKEY: ${{secrets.APIKEY}} 42 | WS_USERKEY: ${{secrets.USERKEY}} 43 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 44 | WS_PRODUCTNAME: GH_${{github.event.repository.name}} 45 | WS_PROJECTNAME: ${{github.ref}}_Prioritize 46 | WS_ENABLEIMPACTANALYSIS: true 47 | WS_RESOLVEALLDEPENDENCIES: false 48 | WS_PYTHON_RESOLVEDEPENDENCIES: true 49 | WS_FILESYSTEMSCAN: false 50 | WS_GENERATEPROJECTDETAILSJSON: true 51 | run: | 52 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 53 | echo Unified Agent downloaded successfully 54 | if [[ "$(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "$(sha256sum wss-unified-agent.jar)" ]] ; then 55 | echo "Integrity Check Failed" 56 | else 57 | echo "Integrity Check Passed" 58 | echo 
"Starting WhiteSource Scan" 59 | fi 60 | java -jar wss-unified-agent.jar -appPath ./requirements.txt -d ./ -------------------------------------------------------------------------------- /CI-CD/AzureDevOps/azure-pipelines_dotnet_sbom.yml: -------------------------------------------------------------------------------- 1 | name: 'whitesource-ua-azdo-dotnet-sbom' 2 | 3 | trigger: 4 | tags: 5 | - release* 6 | 7 | pool: 8 | vmImage: 'ubuntu-latest' 9 | 10 | variables: 11 | buildConfiguration: Release 12 | WS_WSS_URL: https://saas.whitesourcesoftware.com/agent 13 | WS_URL: https://saas.whitesourcesoftware.com 14 | WS_PRODUCTNAME: AZ_$(System.TeamProject) 15 | WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName) 16 | WS_GENERATEPROJECTDETAILSJSON: true 17 | 18 | 19 | steps: 20 | - script: dotnet build --configuration $(buildConfiguration) 21 | displayName: 'dotnet build $(buildConfiguration)' 22 | 23 | - script: | 24 | curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar 25 | echo Unified Agent downloaded successfully 26 | java -jar wss-unified-agent.jar 27 | displayName: 'Unified Agent Scan' 28 | env: 29 | WS_APIKEY: $(APIKEY) 30 | WS_USERKEY: $(USERKEY) 31 | 32 | - script: | 33 | curl -LJO https://raw.githubusercontent.com/whitesource-ft/ws-examples/main/Scripts/check-project-state.sh 34 | chmod +x ./check-project-state.sh && ./check-project-state.sh 35 | displayName: 'Check Project State' 36 | env: 37 | WS_APIKEY: $(APIKEY) 38 | WS_USERKEY: $(USERKEY) 39 | 40 | - script: | 41 | export WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json) 42 | pip install ws-sbom-generator 43 | ws_sbom_generator -u $WS_USERKEY -k $WS_APIKEY -s $WS_PROJECTTOKEN -a $WS_URL -t tv -o ./whitesource 44 | displayName: 'Generate SBOM' 45 | env: 46 | WS_APIKEY: $(APIKEY) 47 | WS_USERKEY: $(USERKEY) 48 | 49 | - script: | 50 | export WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' 
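./whitesource/scanProjectDetails.json)
      # Build the request body with jq (which quotes the values) and send it on stdin, so the
      # user key is neither spliced into JSON by hand nor exposed in the process argument list.
      jq -n --arg userKey "$WS_USERKEY" --arg projectToken "$WS_PROJECTTOKEN" \
        '{requestType:"getProjectRiskReport", userKey:$userKey, projectToken:$projectToken}' \
        | curl -f --output ./whitesource/riskreport.pdf --request POST $WS_URL'/api/v1.3' -H 'Content-Type: application/json' --data-binary @-
    displayName: 'Generate Risk Report'
    env:
      WS_APIKEY: $(APIKEY)
      WS_USERKEY: $(USERKEY)

  - publish: $(System.DefaultWorkingDirectory)/whitesource
    artifact: Whitesource
-------------------------------------------------------------------------------- /CI-CD/README.md: --------------------------------------------------------------------------------
# Examples by CI/CD Tool
This repository contains tool-specific examples of how to scan using the Mend Unified Agent within a CI/CD pipeline.


* [AWSCodeBuild](AWSCodeBuild)
* [AzureDevOps](AzureDevOps)
* [Bamboo](Bamboo)
* [Bitbucket](Bitbucket)
* [CodeFresh](CodeFresh)
* [CircleCI](CircleCI)
* [GitHub](GitHub)
* [GitLab](GitLab)
* [GoogleCloudBuild](GoogleCloudBuild)
* [Jenkins](Jenkins)
* [TeamCity](TeamCity)

## Caching the Unified Agent
Typically, the best practice with all of the above pipeline integrations is to have the [Unified Agent](https://docs.mend.io/bundle/unified_agent/page/getting_started_with_the_unified_agent.html#GettingStartedwiththeUnifiedAgent-DownloadingtheUnifiedAgent) downloaded onto the build's workspace during the build job, so that you always use the latest version.

It is possible, however, to utilize your CI tool's built-in caching functionality, so that you only download the latest version of the agent once every release.

In the following examples, the `wss-unified-agent.jar` artifact is stored in the pipeline's cache, and the Mend pipeline task first checks whether a newer version of the agent was published since the last time the agent was cached; if so, it downloads the latest version to be cached instead, before proceeding to the scan itself.
* [Caching the Unified Agent - GitLab Pipelines](GitLab/gitlab-maven-cached-ua.yml)

See also: [Cache the Latest Version of the Unified Agent](../Scripts/README.md#cache-the-latest-version-of-the-unified-agent) (generic example script)



## Pipeline Log Publishing

* Publish the `whitesource` folder with logs & reports by adding the following commands, depending on the pipeline

### Azure DevOps Pipelines

```
- publish: $(System.DefaultWorkingDirectory)/whitesource
  artifact: Whitesource
```
### GitHub Actions

```
- name: 'Upload WhiteSource folder'
  uses: actions/upload-artifact@v2
  with:
    name: WhiteSource
    path: whitesource
    retention-days: 1
```

## [Mend Report Publishing](../Scripts/README.md)
-------------------------------------------------------------------------------- /Prioritize/DotNet/Single-Module/azure-pipelines_linux-workshop.yml: --------------------------------------------------------------------------------
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  - name: 'buildConfiguration'
    value: 'Release'

steps:
  - script: dotnet build --configuration $(buildConfiguration)
    displayName: 'dotnet build $(buildConfiguration)'

  - script: |
      curl -fLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
      echo Unified Agent downloaded successfully
      # Compare the digest field only and stop the step on a mismatch; previously the scan
      # ran regardless of the check's outcome.
      EXPECTED=$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | awk '{print $1}')
      ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
      if [[ -z "$EXPECTED" || "$EXPECTED" != "$ACTUAL" ]] ; then
        echo "Integrity Check Failed"
        exit 1
      fi
      echo "Integrity Check Passed"
      # Assumes exactly one non-build, non-test .csproj under ./src; several matches would
      # yield a multi-word CSPROJ and break the DLL lookup below.
      CSPROJ=$(basename $(find ./src -type f -wholename "*.csproj" ! -wholename "*build*" ! -wholename "*test*") .csproj)
      DLL=$(find ./ -type f -wholename "*/bin/$(buildConfiguration)/*/$CSPROJ.dll" ! -wholename "*build*" ! -wholename "*test*")
      echo $DLL will be added to appPath
      echo Starting WhiteSource Scan
      java -jar wss-unified-agent.jar -appPath $DLL -d $PWD/src
    env:
      WS_APIKEY: $(WS_APIKEY)
      WS_USERKEY: $(WS_USERKEY)
      WS_WSS_URL: https://app.whitesourcesoftware.com/agent
      WS_PRODUCTNAME: AZ_$(System.TeamProject)
      WS_PROJECTNAME: $(Build.Repository.Name)_$(Build.SourceBranchName)_Prioritize
      WS_ENABLEIMPACTANALYSIS: true
      WS_RESOLVEALLDEPENDENCIES: false
      WS_NUGET_RESOLVEDEPENDENCIES: true
      WS_NUGET_RUNPRESTEP: true
      WS_FILESYSTEMSCAN: false
      WS_GENERATEPROJECTDETAILSJSON: true
      WS_EXCLUDES: '**/build/** **/tests/**'
    displayName: 'Unified Agent Prioritize Scan'

  - script: curl -fLJO https://downloads-sast.whitesourcesoftware.com/sast-cli/linux/wscli && chmod +x wscli
    displayName: 'Downloading WS SAST Tool'

  - script: ./wscli --dir ./ --name=$(Build.Repository.Name)$(Build.SourceBranchName) --app AZ$(System.TeamProject)
    displayName: 'Run WS SAST'
    env:
      SAST_ORGANIZATION: $(SAST_ORGANIZATION)
      SASTCLI_TOKEN: $(SASTCLI_TOKEN)
      SAST_SERVER: https://sast-demo.whitesourcesoftware.com


-------------------------------------------------------------------------------- /CI-CD/TeamCity/teamcity-pipelines-npm.yml: --------------------------------------------------------------------------------
package _Self.buildTypes

import jetbrains.buildServer.configs.kotlin.v2019_2.*
import jetbrains.buildServer.configs.kotlin.v2019_2.buildSteps.NodeJSBuildStep
import jetbrains.buildServer.configs.kotlin.v2019_2.buildSteps.nodeJS
import 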
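jetbrains.buildServer.configs.kotlin.v2019_2.buildSteps.script
import jetbrains.buildServer.configs.kotlin.v2019_2.triggers.vcs

object Build : BuildType({
    name = "Build"

    params {
        password("env.APIKEY", "******", display = ParameterDisplay.HIDDEN)
        password("env.USERKEY", "******", display = ParameterDisplay.HIDDEN)
    }

    vcs {
        root(HttpsGithubComLukebroganwsNodeGoatRefsHeadsMaster)
    }
    steps {
        nodeJS {
            name = "NPM"
            shellScript = "npm install"
            dockerImagePlatform = NodeJSBuildStep.ImagePlatform.Any
            dockerImage = "node:14.18.3-buster-slim"
        }
        script {
            name = "WhiteSource"
            // The jar is only downloaded (and verified) when it is not already in the checkout
            // directory; a cached jar is reused as-is.
            scriptContent = """
                echo "Downloading WS"
                if ! [ -f ./wss-unified-agent.jar ]; then
                    curl -fSL -R -JO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
                    if [[ "${'$'}(curl -sL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256)" != "${'$'}(sha256sum wss-unified-agent.jar)" ]]; then
                        echo "Integrity Check Failed"
                        exit -7
                    fi
                fi
                echo "Exceute WS"
                export WS_APIKEY=${'$'}{APIKEY} #Taken from TeamCity Environment Variables
                export WS_USERKEY=${'$'}{USERKEY} #Taken from TeamCity Environment Variables
                export WS_WSS_URL="https://saas.whitesourcesoftware.com/agent"
                export WS_PRODUCTNAME=TC_${'$'}{TEAMCITY_PROJECT_NAME}
                export WS_PROJECTNAME=${'$'}{TEAMCITY_BUILDCONF_NAME}
                java -jar wss-unified-agent.jar
            """.trimIndent()
        }
    }
    triggers {
        vcs {
        }
    }
})
-------------------------------------------------------------------------------- /Prioritize/Java/Multi-Module/Maven/github-action.yml: --------------------------------------------------------------------------------
name: Whitesource Prioritize Java with Maven

on:
  push:
    branches: [ release* ]
  pull_request:
    branches: [ release* ]

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK
        uses: actions/setup-java@v2
        with:
          java-version: '8'
          distribution: 'adopt'

      - name: Cache local Maven repository
        uses: actions/cache@v2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-

      - name: Build with Maven
        run: mvn clean install -DskipTests=true

      - name: WhiteSource Unified Agent Scan
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          WS_APIKEY: ${{secrets.APIKEY}}
          WS_USERKEY: ${{secrets.USERKEY}}
        run: |
          # Write the agent config from a here-document. The previous form read
          # "cat < eua.config", which fails because the file does not exist yet and leaves
          # the following lines to be executed as commands.
          cat <<EOF > eua.config
          apiKey=$WS_APIKEY
          userKey=$WS_USERKEY
          wss.url=https://saas.whitesourcesoftware.com/agent
          productName=GH_${{ github.event.repository.name }}
          projectName=${{ github.ref }}_Prioritize
          enableImpactAnalysis=true
          resolveAllDependencies=false
          maven.resolveDependencies=true
          maven.aggregateModules=true
          fileSystemScan=false
          generateProjectDetailsJson=true
          EOF
          # Show the config without its credential lines rather than printing the keys to the job log
          grep -v -E '^(apiKey|userKey)=' eua.config
          echo config created successfully
          curl -fLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
          curl -fLJO https://unified-agent.s3.amazonaws.com/xModuleAnalyzer/xModuleAnalyzer.jar
          echo Unified Agent downloaded successfully
          java -jar wss-unified-agent.jar -d $PWD -analyzeMultiModuleExclusions '**/*internal* **/*original* **/*sources.jar' -analyzeMultiModule multimodule.txt
          echo 'multimodule.txt contents'
          cat multimodule.txt
          java -jar xModuleAnalyzer.jar -xModulePath multimodule.txt -fsaJarPath ./wss-unified-agent.jar -c ./eua.config -aggregateModules true
-------------------------------------------------------------------------------- /Scripts/list-policy-violations.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Description:
# This script parses the 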
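policyRejectionSummary.json file, following a
# WhiteSource Unified Agent scan, and prints to the stdout the policies
# that were violated, as well as the libraries that violated them.

# The policyRejectionSummary.json file is created automatically under
# the agent log directory (./whitesource) during a scan that's configured
# to check policies.
# Every policy check overwrites this file, so this list is always specific
# to the last scan (that had policy check enabled).

# Prerequisites:
# apt install jq
# WS_CHECKPOLICIES: true

jsonFile="./whitesource/policyRejectionSummary.json"

# -p / --includePath additionally prints each rejected library's path on disk
ShowLibSystemPath=false
if [[ "$1" =~ ^(--includePath|-p)$ ]] ; then
  ShowLibSystemPath=true
fi

echo ""
echo "WhiteSource Policy Violations"
echo "============================="
if [[ ! -f "$jsonFile" ]] ; then
  echo "[ERROR] File not found: $jsonFile"
  echo "Make sure to specify the correct working directory and that the last agent scan had WS_CHECKPOLICIES=true"
  # Exit non-zero so a pipeline step does not report success on a missing report
  exit 1
fi

if [[ -v WS_PRODUCTNAME ]]; then echo "Product: $WS_PRODUCTNAME" ; fi
if [[ -v WS_PROJECTNAME ]]; then echo "Project: $WS_PROJECTNAME" ; fi

libCount="$(jq -r '.summary.totalRejectedLibraries' "$jsonFile")"
if (( libCount == 0 )) ; then
  echo "All dependencies conform with open source policies."
  echo ""
  exit 0
fi
echo "Total Rejected Libraries: $libCount"
echo ""

# One compact JSON object per rejecting policy. read -r keeps the JSON's own
# backslash escapes intact, so no re-escaping is needed before the inner jq calls.
jq -c '.rejectingPolicies[]' "$jsonFile" | while read -r policy; do
  echo "Policy Name: $(echo "$policy" | jq -r '(.policyName)')"
  echo "Policy Type: $(echo "$policy" | jq -r '(.filterType)')"
  echo "Rejected Libraries:"
  if $ShowLibSystemPath ; then
    echo "$policy" | jq -r '.rejectedLibraries[] | (" " + .name + " (" + .systemPath + ")")'
  else
    echo "$policy" | jq -r '.rejectedLibraries[] | (" " + .name)'
  fi
  echo ""
done
-------------------------------------------------------------------------------- /Prioritize/JavaScript/github-action.yml: --------------------------------------------------------------------------------
name: NPM Prioritize Scan

on:
  push:
    branches: [ release* ]
  pull_request:
    branches: [ release* ]

jobs:
  WhiteSource-Prioritize:
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        node-version: ["12.x"]

    steps:
      - name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }}
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      - name: Set up Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}

      - uses: actions/cache@v2
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-

      - name: Install dependencies
        run: npm install --only=prod

      - name: WhiteSource Unified Agent Scan
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          WS_APIKEY: ${{secrets.APIKEY}}
          WS_USERKEY: ${{secrets.USERKEY}}
          WS_WSS_URL: https://saas.whitesourcesoftware.com/agent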
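WS_PRODUCTNAME: GH_${{github.event.repository.name}}
          WS_PROJECTNAME: ${{github.ref}}_Prioritize
          WS_ENABLEIMPACTANALYSIS: true
          WS_RESOLVEALLDEPENDENCIES: false
          WS_NPM_RESOLVEDEPENDENCIES: true
          WS_NPM_RESOLVELOCKFILE: false
          WS_FILESYSTEMSCAN: false
          WS_GENERATEPROJECTDETAILSJSON: true
        run: |
          curl -fLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
          echo Unified Agent downloaded successfully
          # Compare the digest field only and stop the job on a mismatch; previously the scan
          # ran regardless of the check's outcome.
          EXPECTED=$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | awk '{print $1}')
          ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
          if [[ -z "$EXPECTED" || "$EXPECTED" != "$ACTUAL" ]] ; then
            echo "Integrity Check Failed"
            exit 1
          fi
          echo "Integrity Check Passed"
          echo "Starting WhiteSource Scan"
          java -jar wss-unified-agent.jar -appPath ./package.json -d ./
-------------------------------------------------------------------------------- /Prioritize/Java/Single-Module/Maven/github-action-workshop.yml: --------------------------------------------------------------------------------
name: Whitesource Prioritize Java with Maven & Github Issue comments

on:
  push:
    branches: [ master ]

jobs:
  build:
    env:
      GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      WS_APIKEY: ${{secrets.APIKEY}}
      WS_USERKEY: ${{secrets.USERKEY}}
      WS_WSS_URL: https://saas-eu.whitesourcesoftware.com/agent
      WS_PRODUCTNAME: GH_${{github.event.repository.name}}
      WS_PROJECTNAME: ${{github.event.repository.name}}_${{github.ref_name}}_Prioritize

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK
        uses: actions/setup-java@v2
        with:
          java-version: '8'
          distribution: 'adopt'
      - name: Cache local Maven repository
        uses: actions/cache@v2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-

      - name: Build with Maven
        run: mvn clean install -DskipTests=true
      - name: WhiteSource Unified Agent Scan
        env:
          WS_ENABLEIMPACTANALYSIS: true
          WS_RESOLVEALLDEPENDENCIES: false
          WS_MAVEN_RESOLVEDEPENDENCIES: true
          WS_MAVEN_AGGREGATEMODULES: true
          WS_FILESYSTEMSCAN: false
          WS_GENERATEPROJECTDETAILSJSON: true
        run: |
          curl -fLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
          echo Unified Agent downloaded successfully
          # Same digest check the other examples in this repository apply before running the agent
          EXPECTED=$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | awk '{print $1}')
          ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
          if [[ -z "$EXPECTED" || "$EXPECTED" != "$ACTUAL" ]] ; then
            echo "Integrity Check Failed"
            exit 1
          fi
          echo "Integrity Check Passed"
          WARFILE=$(find ./ -type f -wholename "*/target/*.war")
          echo $WARFILE will be added to appPath
          java -jar wss-unified-agent.jar -appPath $WARFILE -d ./
      - name: Check Project State
        run: |
          # Fetched from the main branch at run time; pin to a commit to avoid executing unreviewed changes
          curl -fLJO https://raw.githubusercontent.com/whitesource-ft/ws-examples/main/Scripts/check-project-state.sh
          chmod +x ./check-project-state.sh && ./check-project-state.sh
      - name: Prioritize GH Issue Comments
        run: |
          curl -fLJO https://raw.githubusercontent.com/whitesource-ft/ws-examples/main/Scripts/ghissue-eua.sh
          chmod +x ./ghissue-eua.sh && ./ghissue-eua.sh

-------------------------------------------------------------------------------- /Prioritize/Java/Multi-Module/Gradle/github-action.yml: --------------------------------------------------------------------------------
name: Whitesource Prioritize Java with Gradle

on:
  push:
    branches: [ release* ]
  pull_request:
    branches: [ release* ]

jobs:
  WhiteSource-Prioritize:

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK
        uses: actions/setup-java@v2
        with:
          java-version: '8'
          distribution: 'adopt'
      - uses: actions/cache@v2
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          restore-keys: |
            ${{ runner.os }}-gradle-

      - name: Grant execute permission for gradlew
        run: chmod +x gradlew
      - name: Build with 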
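Gradle
        run: ./gradlew build -x test
      - name: WhiteSource Prioritize Scan
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          WS_APIKEY: ${{secrets.APIKEY}}
          WS_USERKEY: ${{secrets.USERKEY}}
        run: |
          # Write the agent config from a here-document. The previous form read
          # "cat < eua.config", which fails because the file does not exist yet and leaves
          # the following lines to be executed as commands.
          cat <<EOF > eua.config
          apiKey=$WS_APIKEY
          userKey=$WS_USERKEY
          wss.url=https://saas.whitesourcesoftware.com/agent
          productName=GH_${{ github.event.repository.name }}
          projectName=${{ github.ref }}_Prioritize
          enableImpactAnalysis=true
          resolveAllDependencies=false
          gradle.resolveDependencies=true
          gradle.aggregateModules=true
          fileSystemScan=false
          generateProjectDetailsJson=true
          EOF
          # Show the config without its credential lines rather than printing the keys to the job log
          grep -v -E '^(apiKey|userKey)=' eua.config
          echo config created successfully
          curl -fLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
          curl -fLJO https://unified-agent.s3.amazonaws.com/xModuleAnalyzer/xModuleAnalyzer.jar
          echo Unified Agent downloaded successfully
          java -jar wss-unified-agent.jar -d $PWD -analyzeMultiModule multimodule.txt
          echo 'multimodule.txt contents'
          cat multimodule.txt
          java -jar xModuleAnalyzer.jar -xModulePath multimodule.txt -fsaJarPath ./wss-unified-agent.jar -c ./eua.config -aggregateModules true
-------------------------------------------------------------------------------- /Prioritize/Java/Single-Module/Gradle/github-action.yml: --------------------------------------------------------------------------------
# replace .war with .ear or the following for WARFILE if needed
# JARFILE=$(find ./build/libs -type f -wholename "*.jar" ! -wholename "*javadoc*" ! -wholename "*groovydoc*" ! -wholename "*sources*")
name: Whitesource Prioritize Java with Gradle

on:
  push:
    branches: [ release* ]
  pull_request:
    branches: [ release* ]

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK
        uses: actions/setup-java@v2
        with:
          java-version: '8'
          distribution: 'adopt'
      - uses: actions/cache@v2
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          restore-keys: |
            ${{ runner.os }}-gradle-

      - name: Grant execute permission for gradlew
        run: chmod +x gradlew
      - name: Build with Gradle
        run: ./gradlew build -x test
      - name: WhiteSource Unified Agent Scan
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          WS_APIKEY: ${{secrets.APIKEY}}
          WS_USERKEY: ${{secrets.USERKEY}}
          WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
          WS_PRODUCTNAME: GH_${{github.event.repository.name}}
          WS_PROJECTNAME: ${{github.ref}}_Prioritize
          WS_ENABLEIMPACTANALYSIS: true
          WS_RESOLVEALLDEPENDENCIES: false
          WS_GRADLE_RESOLVEDEPENDENCIES: true
          WS_GRADLE_AGGREGATEMODULES: true
          WS_FILESYSTEMSCAN: false
          WS_GENERATEPROJECTDETAILSJSON: true
        run: |
          curl -fLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
          echo Unified Agent downloaded successfully
          # The if/else below was never closed with "fi", which is a shell syntax error;
          # compare the digest field only and stop the job on a mismatch.
          EXPECTED=$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | awk '{print $1}')
          ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
          if [[ -z "$EXPECTED" || "$EXPECTED" != "$ACTUAL" ]] ; then
            echo "Integrity Check Failed"
            exit 1
          fi
          echo "Integrity Check Passed"
          WARFILE=$(find ./build/libs -type f -wholename "*.war")
          echo $WARFILE will be added to appPath
          echo Starting WhiteSource Scan
          java -jar wss-unified-agent.jar -appPath $WARFILE -d ./
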
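-------------------------------------------------------------------------------- /Generic/UA-ECR-Image.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Generic example for scanning docker images with the WhiteSource Unified Agent from Amazon Elastic Container Registry
# Glob patterns used scans & pulls all images with repositoryName containing "ubuntu"
# docker.pull.tags can be used instead of docker.pull.images - the default pulls all tags with associated images
# See docker.includes & docker.excludes sections for more detail - https://whitesource.atlassian.net/wiki/spaces/WD/pages/1544880156/Unified+Agent+Configuration+Parameters#Docker-Images

# Ensure the aws cli is configured with the correct login information - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html
# aws configure

# Ensure docker is logged in to AWS - # https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html
# (REGION and AWS_ACCOUNT_ID below are placeholders for your own values)
# aws ecr get-login-password --region REGION | docker login --username AWS --password-stdin AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com

# default images pulled is 10 - uncomment and change below value for more
# export WS_DOCKER_PULL_MAXIMAGES=10

# docker pull commands are not run with sudo by default - uncomment below if sudo is needed
#export WS_DOCKER_LOGIN_SUDO=true

IMAGES=.*ubuntu.*
# Supply the keys from the environment or a secret store instead of committing real values here
export WS_APIKEY=
export WS_USERKEY=
export WS_PRODUCTNAME=
export WS_PROJECTNAME=doesnotmatter
export WS_WSS_URL=https://saas.whitesourcesoftware.com/agent
export WS_DOCKER_AWS_ENABLE=true
export WS_DOCKER_PULL_ENABLE=true
export WS_DOCKER_PULL_IMAGES=$IMAGES
export WS_DOCKER_AWS_REGISTRYID=
export WS_DOCKER_INCLUDES=$IMAGES
export WS_DOCKER_SCANIMAGES=true
export WS_DOCKER_LAYERS=true
export WS_DOCKER_PROJECTNAMEFORMAT=repositoryNameAndTag
export WS_FILESYSTEMSCAN=false
export WS_ARCHIVEEXTRACTIONDEPTH=2
export WS_ARCHIVEINCLUDES='**/*war **/*ear **/*zip **/*whl **/*tar.gz **/*tgz **/*tar **/*car **/*jar'
curl -fLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
echo Unified Agent downloaded successfully
# Compare the digest field only, so the check does not depend on how the published .sha256
# file formats the filename, and exit non-zero on a mismatch so callers can detect it.
EXPECTED=$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | awk '{print $1}')
ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
if [[ -z "$EXPECTED" || "$EXPECTED" != "$ACTUAL" ]] ; then
  echo "Integrity Check Failed"
  exit 1
fi
echo "Integrity Check Passed"
echo Starting WhiteSource Scan
java -jar wss-unified-agent.jar
-------------------------------------------------------------------------------- /CI-CD/AzureDevOps/azure-pipelines_ECR Image scan.yml: --------------------------------------------------------------------------------
# Generic example for scanning docker images with the WhiteSource Unified Agent from Amazon Elastic Container Registry

# Add AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY as environment variables for the AWS CLI configuration/authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html).
# Add WS_APIKEY & WS_USERKEY as environment variables for the WhiteSource authentication.
# Adjust variables to match your Image URI.

trigger:
  branches:
    include:
      - main
variables:
  - name: aws_region
    value: 'us-east-1'
  - name: aws_account_id
    value: ''
  - name: image
    value: ''
stages:
  - stage: __default
    jobs:
      - job: Job
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: CmdLine@2
            displayName: 'Pull Image $(image) from ECR'
            # Secret variables are mapped through env: so they are not expanded into the script text
            env:
              AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
              AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
            inputs:
              script: |
                aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
                aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
                aws configure set region $(aws_region)
                aws ecr get-login-password --region $(aws_region) | docker login --username AWS --password-stdin $(aws_account_id).dkr.ecr.$(aws_region).amazonaws.com
          - task: CmdLine@2
            env:
              WS_APIKEY: $(APIKEY)
              WS_USERKEY: $(USERKEY)
              WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
              WS_PRODUCTNAME: $(System.TeamProject)
              WS_PROJECTNAME: doesnotmatter
              WS_DOCKER_SCANIMAGES: true
              WS_DOCKER_INCLUDES: ".*$(image).*"
              WS_DOCKER_AWS_ENABLE: true
              WS_DOCKER_PULL_ENABLE: true
              WS_DOCKER_PULL_IMAGES: ".*$(image).*"
              WS_DOCKER_AWS_REGISTRYID: $(aws_account_id)
              WS_DOCKER_LAYERS: true
              WS_DOCKER_PROJECTNAMEFORMAT: repositoryNameAndTag
              WS_FILESYSTEMSCAN: false
              WS_ARCHIVEEXTRACTIONDEPTH: 2
              WS_ARCHIVEINCLUDES: "**/*war **/*ear **/*zip **/*whl **/*tar.gz **/*tgz **/*tar **/*car **/*jar"
            displayName: WhiteSource Docker Image Scan
            inputs:
              script: |
                curl -fLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
                echo Unified Agent downloaded successfully
                # Same digest check the other examples in this repository apply before running the agent
                EXPECTED=$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | awk '{print $1}')
                ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
                if [[ -z "$EXPECTED" || "$EXPECTED" != "$ACTUAL" ]] ; then
                  echo "Integrity Check Failed"
                  exit 1
                fi
                echo "Integrity Check Passed"
                java -jar wss-unified-agent.jar

-------------------------------------------------------------------------------- /Scripts/ghissue-eua.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Prerequisites:
# apt install jq curl
# WS_GENERATEPROJECTDETAILSJSON: true
# 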
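WS_PRODUCTNAME
# WS_PROJECTNAME
# WS_USERKEY
# WS_WSS_URL
# gh (GitHub CLI) authenticated for the repository whose issues are commented on

# TODO - extend error handling (individual API and gh failures are reported but not all are fatal)

if [[ ! -f ./whitesource/scanProjectDetails.json ]]; then
  echo "[ERROR] ./whitesource/scanProjectDetails.json not found - run the agent with WS_GENERATEPROJECTDETAILSJSON=true first"
  exit 1
fi

WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json)
WS_URL=$(echo $WS_WSS_URL | awk -F "/agent" '{print $1}')
echo "variables for local debugging"
echo "export WS_APIKEY="
echo "export WS_USERKEY="
echo "export WS_PRODUCTNAME="$WS_PRODUCTNAME
echo "export WS_PROJECTNAME="$WS_PROJECTNAME
echo "export WS_PROJECTTOKEN="$WS_PROJECTTOKEN
echo "export WS_URL="$WS_URL

# Request bodies are built with jq (which quotes the values correctly) and sent on stdin:
# the previous single-quoted literals produced unquoted, invalid JSON, and passing the body
# as an argument exposed the user key in the process list. Output files are overwritten,
# not appended to, so a rerun does not process stale alerts.

### getProjectAlertsbyType
jq -n --arg userKey "$WS_USERKEY" --arg projectToken "$WS_PROJECTTOKEN" \
  '{requestType:"getProjectAlertsByType", userKey:$userKey, alertType:"SECURITY_VULNERABILITY", projectToken:$projectToken, format:"json"}' \
  | curl -fsS --request POST "$WS_URL/api/v1.3" --header 'Content-Type: application/json' --header 'Accept-Charset: UTF-8' --data-binary @- \
  | jq '.alerts[]' > alerts.json
echo "saving alerts.json"

### getProjectSecurityAlertsbyVulnerabilityReport - finds Red Shields
jq -n --arg userKey "$WS_USERKEY" --arg projectToken "$WS_PROJECTTOKEN" \
  '{requestType:"getProjectSecurityAlertsByVulnerabilityReport", userKey:$userKey, projectToken:$projectToken, format:"json"}' \
  | curl -fsS --request POST "$WS_URL/api/v1.3" -H 'Content-Type: application/json' --data-binary @- \
  | jq -r '.alerts[] | select(.euaShield=="RED") | .vulnerabilityId' > redshields.txt
echo 'saving redshields.txt'
cat redshields.txt && echo "cat of redshields"

### Get CVE by Red Shield
while read -r REDSHIELDVULN; do
  [[ -z "$REDSHIELDVULN" ]] && continue
  echo "REDSHIELDVULN:"$REDSHIELDVULN

  ## Get Github issue number by CVE
  GHISSUE=$(gh issue list -S "$REDSHIELDVULN in:title,body" --json number --jq '.[] | .number ')
  echo "GHISSUE:"$GHISSUE
  if [[ -z "$GHISSUE" ]]; then
    echo "No GitHub issue found for $REDSHIELDVULN, skipping"
    continue
  fi

  ### Get keyUuid
  KEYUUID=$(jq -r --arg REDSHIELDVULN "$REDSHIELDVULN" '. | select(.vulnerability.name==$REDSHIELDVULN) | .library.keyUuid' alerts.json)
  echo "KEYUIID:" $KEYUUID

  PROJECTID=$(jq -r --arg REDSHIELDVULN "$REDSHIELDVULN" '. | select(.vulnerability.name==$REDSHIELDVULN) | .projectId' alerts.json)
  echo "PROJECTID:" $PROJECTID

  ### Construct Link
  EUALINK="$WS_URL/Wss/WSS.html#!libraryVulnerabilities;uuid=$KEYUUID;project=$PROJECTID"
  echo $EUALINK

  # gh issue list may return several numbers; comment on each of them
  for issue in $GHISSUE; do
    gh issue comment "$issue" --body "Red Shield Alert: $REDSHIELDVULN - An effective vulnerability has been found in your open-source code demanding urgent remediation steps. $EUALINK"
  done

done < redshields.txt
-------------------------------------------------------------------------------- /whitesource.config: --------------------------------------------------------------------------------
# https://whitesource.atlassian.net/wiki/spaces/WD/pages/1781760001/Unified+Agent+Configuration+Parameters+for+Native+Integrations
# This config file has been created from the above link and is used in all WS Native Repo Integrations by default
# This file is meant to be used as a template when switching from AUTO to LOCAL configMode in the .whitesource file

# rg: made a few changes based on most recent UA versions, see comments below
# randy.geyer@whitesourcesoftware.com

maven.ignoreSourceFiles=true
maven.ignoreMvnTreeErrors=true
# rg: added maven.aggregateModules=true for better multi-module support
maven.aggregateModules=true

gradle.ignoreSourceFiles=true
# rg: added gradle.aggregateModules=true for better multi-module support
gradle.aggregateModules=true

npm.includeDevDependencies=false
# rg: uses npm.runPreStep=false (default), uncomment next line if you don't get good npm results
#npm.runPreStep=true
npm.ignoreNpmLsErrors=true
npm.yarnProject=false

bower.runPreStep=true
bower.ignoreSourceFiles=true

nuget.runPreStep=true
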
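paket.runPreStep=true
paket.ignoreSourceFiles=true

python.ignorePipInstallErrors=true
python.installVirtualenv=true
python.resolveSetupPyFiles=true
python.runPipenvPreStep=true
python.pipenvDevDependencies=true
python.IgnorePipenvInstallErrors=true
python.runPoetryPreStep=true

go.collectDependenciesAtRuntime=true
go.ignoreSourceFiles=true

sbt.runPreStep=true

r.runPreStep=true
r.cranMirrorUrl=https://cloud.r-project.org/

php.runPreStep=true
php.includeDevDependencies=true

ruby.installMissingGems=true
ruby.runBundleInstall=true

cocoapods.runPreStep=true

hex.runPreStep=true

haskell.runPreStep=true
haskell.ignorePreStepErrors=true

includes=**/*c **/*cc **/*cp **/*cpp **/*cxx **/*c++ **/*h **/*hh **/*hpp **/*hxx **/*h++ **/*m **/*mm **/*pch **/*c# **/*cs **/*csharp **/*go **/*goc **/*js **/*pl **/*plx **/*pm **/*ph **/*cgi **/*fcgi **/*pod **/*psgi **/*al **/*perl **/*t **/*pl6 **/*p6m **/*p6l **/*pm6 **/*nqp **/*6pl **/*6pm **/*p6 **/*php **/*py **/*rb **/*swift **/*java **/*clj **/*cljx **/*cljs **/*cljc **/*jar **/*egg **/*dll **/*tar.gz **/*tgz **/*zip **/*whl **/*gem **/*apk **/*air **/*dmg **/*exe **/*gem **/*gzip **/*msi **/*nupkg **/*swc **/*swf **/tar.bz2 **/pkg.tar.xz **/(u)?deb **/(a)?rpm
# rg: added **/target to the SCM default excludes
# NOTE(review): excludes is comma-separated while includes is space-separated - confirm against the parameter documentation linked above
excludes=*/., **/node_modules, **/src/test, **/testdata, **/*sources.jar, **/*javadoc.jar, **/target

archiveExtractionDepth=0
archiveIncludes=**/*war **/*ear **/*zip **/*whl **/*tar.gz **/*tgz **/*tar **/*car
archiveExcludes=**/*sources.jar **/*javadoc.jar
-------------------------------------------------------------------------------- /CI-CD/Jenkins/Jenkins_pipeline_maven_multi-org.groovy: --------------------------------------------------------------------------------
pipeline {
    agent any

    environment {
        WS_WSS_URL = "${WSURL}" //Taken from Jenkins Global Environment Variables
        WS_PRODUCTNAME = "Jenkins_Pipeline"
        WS_PROJECTNAME = "${JOB_NAME}"
        WS_PRODUCTION_BRANCH = "main"
    }

    tools {
        // Install the Maven version configured as "M3" and add it to the path.
        maven "M3"
    }

    stages {
        stage('Build') {
            steps {
                // Get some code from a GitHub repository
                git 'https://github.com/k-tamura/easybuggy.git'

                // Run Maven on a Unix agent.
                sh "mvn -Dmaven.test.failure.ignore=true clean package"
            }
        }

        stage('Set Result Environment') {
            steps {
                script {
                    //get the branch information from Git
                    // (on a detached HEAD this prints "(HEAD" rather than a branch name, so the
                    // dev keys would be selected - verify on your agents)
                    GIT_COMMIT_BRANCH = sh (script:"git branch | grep \\* | cut -d ' ' -f2", returnStdout:true).trim()

                    // Pick the key pair for the production or the dev organization; it is
                    // applied in the 'Run WS Script' stage below.
                    if ( "${WS_PRODUCTION_BRANCH}" == "${GIT_COMMIT_BRANCH}" ) {
                        echo "Working in the production branch"
                        WORKING_USERKEY = "${USERKEY}"
                        WORKING_APIKEY = "${APIKEY}"
                    } else {
                        echo "Working in the dev branch"
                        WORKING_USERKEY = "${DEV_USERKEY}"
                        WORKING_APIKEY = "${DEV_APIKEY}"
                    }
                }
            }
        }

        stage('Download WS Script') {
            steps {
                script {
                    echo "Downloading WhiteSource Unified Agent and Checking Integrity"
                    sh 'curl -fLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar'
                    // Compare the digest field only: both outputs carry a filename and a trailing newline.
                    ua_jar_checksum = sh(returnStdout: true, script: "sha256sum 'wss-unified-agent.jar'").trim().tokenize()[0]
                    ua_integrity_file = sh(returnStdout: true, script: "curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256").trim().tokenize()[0]
                    if (ua_integrity_file && ua_integrity_file == ua_jar_checksum) {
                        echo "Integrity Check Passed"
                    } else {
                        // Fail the build here instead of going on to scan with an unverified jar
                        error "Integrity Check Failed"
                    }
                }
            }
        }

        stage('Run WS Script') {
            steps {
                script {
                    withEnv(["WS_USERKEY=${WORKING_USERKEY}", "WS_APIKEY=${WORKING_APIKEY}", "WS_PROJECTNAME=${JOB_NAME}-${GIT_COMMIT_BRANCH}"]) {
                        sh 'java -jar wss-unified-agent.jar'
                    }
                }
            }
        }
    }
}

-------------------------------------------------------------------------------- /Scripts/whitesource-spdx.yml: --------------------------------------------------------------------------------
name: WhiteSource scan and SPDX report

on:
  push:
    branches: []

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Set up JDK
        uses: actions/setup-java@v2
        with:
          java-version: '8'
          distribution: 'adopt'

      - name: Build with Maven
        run: mvn clean install -DskipTests=true

      - name: WhiteSource Unified Agent Scan
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          WS_APIKEY: ${{secrets.APIKEY}}
          WS_USERKEY: ${{secrets.USERKEY}}
          WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
          WS_PRODUCTNAME: GH_${{github.event.repository.name}}
          WS_PROJECTNAME: ${{github.ref}}_SPDX_report
          WS_GENERATEPROJECTDETAILSJSON: true
        run: |
          curl -fLJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar
          echo Unified Agent downloaded successfully
          # Compare the digest field only and stop the job on a mismatch; previously the scan
          # ran regardless of the check's outcome.
          EXPECTED=$(curl -fsSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar.sha256 | awk '{print $1}')
          ACTUAL=$(sha256sum wss-unified-agent.jar | awk '{print $1}')
          if [[ -z "$EXPECTED" || "$EXPECTED" != "$ACTUAL" ]] ; then
            echo "Integrity Check Failed"
            exit 1
          fi
          echo "Integrity Check Passed"
          echo "Starting WhiteSource Scan"
          java -jar wss-unified-agent.jar -d ./

      - name: Generate WhiteSource SPDX Report
        env:
          WS_WSS_URL: https://saas.whitesourcesoftware.com/agent
        run: |
          export WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json)
          echo WS_PROJECTTOKEN: $WS_PROJECTTOKEN
          export WS_URL=$(echo $WS_WSS_URL | awk -F "agent" '{print $1}')
          echo WS_URL: $WS_URL
          echo === Installing WhiteSource SBOM Generator ===
          pip install ws_sbom_generator
          echo === Checking Project State before generating SBOM ===
          IFS="|"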
| scan_status=true 57 | pass_status=("UPDATE"${IFS}"FINISH"${IFS}"DIFF") 58 | fail_status=("UNKNOWN"${IFS}"FAIL") 59 | while $scan_status 60 | do 61 | new_status=$(curl -s -X POST -H "Content-Type: application/json" -d '{"requestType":"getProjectState", "userKey": "'$WS_USERKEY'", "projectToken":"'$WS_PROJECTTOKEN'"}' $WS_URL/api/v1.3 | jq '.projectState|.lastProcess' | tr -d '"') 62 | if [[ "${IFS}${pass_status[*]}${IFS}" =~ "${IFS}${new_status}${IFS}" ]]; 63 | then 64 | scan_status=false 65 | echo "Project information has been uploaded successfully!" 66 | else 67 | echo "Scan is still processing..." 68 | sleep 10 69 | fi 70 | if [[ "${IFS}${fail_status[*]}${IFS}" =~ "${IFS}${new_status}${IFS}" ]]; 71 | then 72 | echo "Scan failed to upload...exiting program" 73 | exit 1 74 | fi 75 | done 76 | unset IFS 77 | echo === Generating SBOM === 78 | ws_sbom_generator -u ${{secrets.USERKEY}} -k ${{secrets.APIKEY}} -s $WS_PROJECTTOKEN -a $WS_URL -t tv -o ./whitesource-spdx 79 | 80 | - name: Publish WhiteSource SPDX Report 81 | uses: actions/upload-artifact@master 82 | with: 83 | name: WhiteSource SPDX report 84 | path: ${{github.workspace}}/whitesource-spdx 85 | 86 | -------------------------------------------------------------------------------- /Scripts/list-project-alerts.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Description: 4 | # This script uses WhiteSource's API to display (in the stdout) a list of 5 | # vulnerabilities affecting the last scanned project(s). 6 | # It is intended to be executed from the scan's working directory, either 7 | # independently or following a Unified Agent scan. 
8 | 9 | # Prerequisites: 10 | # apt install jq curl 11 | # WS_GENERATEPROJECTDETAILSJSON: true 12 | # WS_USERKEY (admin assignment is required) 13 | # WS_WSS_URL 14 | # WS_UPDATEINVENTORY: true (defaults to true) 15 | 16 | # Known Limitations: 17 | # - CVSS Score Filtering 18 | # The API response will be filtered by default based on the .cvss3_severity 19 | # property. If a given vulnerability alert does not have a CVSS3 severity (i.e. 20 | # the .vulnerability.cvss3_severity property is blank), that alert will not be 21 | # included in the results. To use CVSS2 for filtering, change the jq condition 22 | # below from `.vulnerability.cvss3_severity` to `.vulnerability.severity`. 23 | # Note that when doing so, however, while the alert count will be accurate, 24 | # some alerts might display a different severity than in the UI. 25 | # 26 | # - Inventory Update 27 | # The scanProjectDetails.json file is only created when an inventory update has 28 | # occurred, so this script won't work if WS_UPDATEINVENTORY is set to false. 29 | # Moreover, if policy check is enabled (WS_CHECKPOLICIES), and a policy 30 | # violation was found, the scan will be aborted without updating the inventory 31 | # (and as a result, scanProjectDetails.json won't be created), so it is also 32 | # required to enable WS_FORCEUPDATE. 33 | # Note that WS_FORCEUPDATE enabled would result in exit code 0 even upon policy 34 | # violation, so if you rely on the exit code (-2) for other tasks in your 35 | # pipeline, make sure to also enable WS_FORCEUPDATE_FAILBUILDONPOLICYVIOLATION. 
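# Derive the API endpoint from the agent URL (".../agent" -> ".../api/v1.3").
WS_API_URL="$(echo "${WS_WSS_URL/agent/'api/v1.3'}")"
PROJECT_DETAILS="./whitesource/scanProjectDetails.json"
showColors=true

if $showColors ; then
  RD="\e[1;31m"
  GN="\e[1;32m"
  YW="\e[1;33m"
  BL="\e[1;34m"
  NC="\e[0m"
fi

# Fail early on missing prerequisites instead of posting to an empty URL or with an
# empty user key, which would only surface later as an unreadable API error.
if [ -z "$WS_WSS_URL" ] || [ -z "$WS_USERKEY" ] ; then
  echo "ERROR: WS_WSS_URL and WS_USERKEY must be set" >&2
  exit 1
fi
if [ ! -r "$PROJECT_DETAILS" ] ; then
  echo "ERROR: $PROJECT_DETAILS not found - run the Unified Agent with WS_GENERATEPROJECTDETAILSJSON=true and WS_UPDATEINVENTORY=true first" >&2
  exit 1
fi

# Print one "[TAG] <vulnerability name> - <library file>" line per alert whose
# CVSS3 severity equals $1, tagged with $2. Reads the API response from $apiRes.
alertsBySeverity() {
  jq -r --arg sev "$1" --arg tag "$2" \
    '.alerts[] | select(.vulnerability.cvss3_severity==$sev) | ("[" + $tag + "] " + .vulnerability.name + " - " + .library.filename)' \
    <<< "$apiRes"
}

# Number of lines in $1; 0 for an empty string (grep prints 0 and exits 1, which is fine here).
countLines() {
  printf '%s' "$1" | grep -c ''
}

# One "projectToken,projectName" entry per line; mapfile keeps project names
# containing whitespace intact (the previous unquoted $(...) array split on spaces).
mapfile -t projects < <(jq -r '.projects[] | (.projectToken + "," + .projectName)' "$PROJECT_DETAILS")

for project in "${projects[@]}"; do
  # Split on the first comma only: any further commas stay in projectName.
  IFS=, read -r projectToken projectName <<< "$project"
  printf "\nWhiteSource Vulnerability Alerts for project: ${BL}%s${NC}\n" "$projectName"

  # Build the request body with jq so both values are JSON-encoded (projectToken was
  # previously interpolated without surrounding quotes, producing invalid JSON), and
  # feed it on stdin so the user key is not visible on the curl command line (ps).
  apiRes="$(jq -n --arg userKey "$WS_USERKEY" --arg projectToken "$projectToken" \
    '{requestType: "getProjectAlertsByType", alertType: "SECURITY_VULNERABILITY", userKey: $userKey, projectToken: $projectToken}' \
    | curl -sS -X POST -H "Content-Type: application/json" -d @- "$WS_API_URL")"

  # A failed or rejected request has no .alerts array; report it and continue with the next project.
  if ! jq -e '.alerts' <<< "$apiRes" >/dev/null 2>&1 ; then
    echo "ERROR: unexpected API response for project '$projectName': $apiRes" >&2
    continue
  fi

  cveH="$(alertsBySeverity high H)"
  cveCountH="$(countLines "$cveH")"
  cveM="$(alertsBySeverity medium M)"
  cveCountM="$(countLines "$cveM")"
  cveL="$(alertsBySeverity low L)"
  cveCountL="$(countLines "$cveL")"

  # Alert text is passed as printf arguments (%s), never as the format string, so a
  # '%' in a vulnerability name or library file name cannot corrupt the output.
  printf "Alerts: %b%s High%b, %b%s Medium%b, %b%s Low%b\n\n" "$RD" "$cveCountH" "$NC" "$YW" "$cveCountM" "$NC" "$GN" "$cveCountL" "$NC"
  printf "%b%s%b\n" "$RD" "$cveH" "$NC"
  printf "%b%s%b\n" "$YW" "$cveM" "$NC"
  printf "%b%s%b\n" "$GN" "$cveL" "$NC"
  printf "\n"
done

-------------------------------------------------------------------------------- /Renovate/README.md: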
-------------------------------------------------------------------------------- 1 | # Renovate Examples by CI/CD Tool 2 | This repository contains examples of a Self-hosted instance of [Renovate](https://docs.renovatebot.com/) to generate automatic pull requests as part of various pipelines. 3 | 4 | **Important Note - The following step is required for all integrations** 5 | 6 | It is highly recommended to configure a GitHub.com [Personal Access Token](https://github.com/settings/tokens) (with the `repo` scope) as GITHUB_COM_TOKEN so that your bot can make authenticated requests to GitHub.com for changelog retrieval as well as for any dependency that uses GitHub tags (without such a token, GitHub.com's API will rate limit requests and make such lookups unreliable). Treat GITHUB_COM_TOKEN and the platform tokens below as secrets: store them as secret/masked pipeline variables rather than in the pipeline file, and issue them from a dedicated bot account with only the scopes listed. 7 | 8 | ## [Azure DevOps pipelines](https://docs.microsoft.com/en-us/azure/devops/pipelines/?view=azure-devops) 9 | * Set a [Personal Access Token](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page) as RENOVATE_TOKEN for the bot account. 10 | * Create a new pipeline for the desired project and replace contents with the attached azure-pipelines.yml file. 11 | * Add GITHUB_COM_TOKEN and RENOVATE_TOKEN as secret [Environment variables](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch) 12 | * Update the RENOVATE_ENDPOINT to match your ADO organization (e.g. https://dev.azure.com/MyOrg). 13 | 14 | ## [Bitbucket pipelines](https://support.atlassian.com/bitbucket-cloud/docs/configure-bitbucket-pipelinesyml/) 15 | * Set an [App password](https://bitbucket.org/account/settings/app-passwords/) as RENOVATE_PASSWORD for the bot account. 16 | * Create a new pipeline for the desired project and replace contents with the attached bitbucket-pipelines.yml file. 
17 | * Add GITHUB_COM_TOKEN and RENOVATE_PASSWORD as secured [Environment variables](https://support.atlassian.com/bitbucket-cloud/docs/variables-and-secrets/) 18 | 19 | ## [GitLab pipelines](https://docs.gitlab.com/ee/ci/pipelines/) 20 | The GitLab [renovate runner](https://docs.renovatebot.com/getting-started/running/#gitlab-runner) can be implemented using the following steps: 21 | * Create a [Personal Access Token](https://gitlab.com/-/profile/personal_access_tokens) (PAT) for the runner to use (scopes: read_user, api and write_repository). 22 | * Create a new project to host the runner (e.g. renovate-runner-host). 23 | * Add the following variables to [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/) in the runner project (mark them as masked and protected so they are not printed in job logs). 24 | * GITHUB_COM_TOKEN = a PAT for GitHub 25 | * RENOVATE_TOKEN = the GitLab PAT created above 26 | * Create a new main pipeline for the desired project and replace contents with the [.gitlab-ci.yml](.gitlab-ci.yml) file in this folder. 27 | * Adjust RENOVATE_EXTRA_FLAGS parameters to indicate what projects Renovate should run against 28 | * If you wish for your bot to run against any project which the RENOVATE_TOKEN PAT has access to, but already has been onboarded 29 | * ```--autodiscover=true``` 30 | * Projects will not receive an onboarding PR with this setting and require a renovate.json or similar config 31 | * We recommend you apply an autodiscoverFilter value like the following so that the bot does not run on any stranger's project it gets invited to 32 | * ```--autodiscover=true --autodiscover-filter=group1/*``` 33 | * group1 is the target GitLab project group 34 | * If you wish for your bot to run against every project which the RENOVATE_TOKEN PAT has access to, and onboard any projects which don't yet have a config 35 | * ```--autodiscover=true --onboarding=true --autodiscover-filter=group1/*``` 36 | * If you wish to manually specify which projects your bot runs against, use a space-delimited set of project names 37 | * 
```--autodiscover-filter=group1/repo5 user3/repo1``` 38 | * Set up a schedule (CI / CD > Schedules) to run Renovate regularly 39 | - A good practise is to run it hourly. The following runs Renovate on the third minute every hour ```3 * * * *``` 40 | -------------------------------------------------------------------------------- /Scripts/prioritize-ignore.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Prerequisites: 3 | # apt install jq curl 4 | # WS_GENERATEPROJECTDETAILSJSON: true 5 | # WS_PRODUCTNAME 6 | # WS_PROJECTNAME 7 | # WS_USERKEY 8 | # WS_APIKEY 9 | # WS_WSS_URL 10 | 11 | # TODO - Add ERROR handling 12 | # TODO - Only works with default branch 13 | # TODO - Only works when WS_PRODUCTNAME=WS_PROJECTNAME for ignore 14 | # TODO - Delete prioritize project aftewards and publish report to pipeline 15 | 16 | WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json) 17 | WS_URL=$(echo $WS_WSS_URL | awk -F "/agent" '{print $1}') 18 | echo "variables for local debugging" 19 | echo "export WS_APIKEY=" 20 | echo "export WS_USERKEY=" 21 | echo "export WS_PRODUCTNAME="$WS_PRODUCTNAME 22 | echo "export WS_PROJECTNAME="$WS_PROJECTNAME 23 | echo "export WS_PROJECTTOKEN="$WS_PROJECTTOKEN 24 | echo "export WS_URL="$WS_URL 25 | 26 | red=$'\e[1;31m' 27 | grn=$'\e[1;32m' 28 | yel=$'\e[1;33m' 29 | blu=$'\e[1;34m' 30 | mag=$'\e[1;35m' 31 | cyn=$'\e[1;36m' 32 | end=$'\e[0m' 33 | 34 | 35 | 36 | ### getProjectSecurityAlertsbyVulnerabilityReport - finds Green Shields 37 | curl --request POST $WS_URL'/api/v1.3' -H 'Content-Type: application/json' -d '{ "requestType" : "getProjectSecurityAlertsByVulnerabilityReport", "userKey" : "'$WS_USERKEY'", "projectToken": "'$WS_PROJECTTOKEN'", "format" : "json"}' | jq -r '.alerts[] | select(.euaShield=="GREEN") | .vulnerabilityId' >> greenshields.txt 38 | echo "saving greenshields.txt" 39 | 40 | # Get productToken from WS_PRODUCTNAME 41 | 
WS_PRODUCTTOKEN=$(curl --request POST $WS_URL'/api/v1.3' -H 'Content-Type: application/json' -d '{ "requestType" : "getAllProducts", "userKey" : "'$WS_USERKEY'", "orgToken": "'$WS_APIKEY'"}' | jq -r --arg WS_PRODUCTNAME $WS_PRODUCTNAME '.products[] | select(.productName==$WS_PRODUCTNAME) | .productToken') 42 | echo "getting productToken" $WS_PRODUCTTOKEN 43 | 44 | # Get repo default branch projectToken from productToken 45 | REPOTOKEN=$(curl --request POST $WS_URL'/api/v1.3' -H 'Content-Type: application/json' -d '{ "requestType" : "getAllProjects", "userKey" : "'$WS_USERKEY'", "productToken": "'$WS_PRODUCTTOKEN'"}' | jq -r --arg WS_PRODUCTNAME $WS_PRODUCTNAME '.projects[] | select(.projectName==$WS_PRODUCTNAME) | .projectToken') 46 | echo "getting projectToken for repository default branch" $REPOTOKEN 47 | 48 | ### getProjectAlertsbyType for repo default branch 49 | curl --request POST $WS_URL'/api/v1.3' -H 'Content-Type: application/json' -d '{ "requestType" : "getProjectAlertsByType", "userKey" : "'$WS_USERKEY'", "alertType": "SECURITY_VULNERABILITY", "projectToken": "'$REPOTOKEN'","format" : "json"}' >> alerts.json 50 | echo "saving alerts.json" 51 | ### Get Previously Ignored Alerts 52 | declare -a IGNORED_ALERTS 53 | IGNORED_ALERTS=($(curl --request POST $WS_URL'/api/v1.3' -H 'Content-Type: application/json' -d '{ "requestType" : "getProjectIgnoredAlerts", "userKey" : "'$WS_USERKEY'", "projectToken": "'$REPOTOKEN'" }' | jq -r '.alerts[].vulnerability.name')) 54 | echo "previously ignoreAlerts:" ${IGNORED_ALERTS[*]} 55 | 56 | greenshieldlist=$(cat greenshields.txt) 57 | ### Get CVE by GREEN Shield 58 | for GREENSHIELDVULN in $greenshieldlist 59 | do 60 | echo -e "${grn}GREENSHIELDVULN: $GREENSHIELDVULN${end}" 61 | 62 | if [[ ! 
" ${IGNORED_ALERTS[*]} " =~ " ${GREENSHIELDVULN} " ]]; then 63 | ALERT=$(jq --arg GREENSHIELDVULN $GREENSHIELDVULN '.alerts[] | select(.vulnerability.name==$GREENSHIELDVULN)|.alertUuid' alerts.json) 64 | IGNORES+=$ALERT, 65 | fi 66 | done 67 | 68 | if [ -z "$IGNORES" ] 69 | then 70 | echo "$IGNORES All Alerts were previously ignored" 71 | else 72 | IGNORE_ALERTS=${IGNORES::-1} 73 | echo "${yel}Ignoring the following alertUuids $IGNORE_ALERTS${end}" 74 | curl --request POST $WS_URL'/api/v1.3' -H 'Content-Type: application/json' -d '{ "requestType" : "ignoreAlerts", "userKey" : "'$WS_USERKEY'", "orgToken" : "'$WS_APIKEY'", "alertUuids" : ['$IGNORE_ALERTS'], "comments" : "green shield vulnerabilities are not reachable or exploitable and have been ignored"}' 75 | fi -------------------------------------------------------------------------------- /Prioritize/README.md: -------------------------------------------------------------------------------- 1 | # Prioritize Examples by Language 2 | This repository contains language specific examples of different ways to scan using [Mend Prioritize](https://docs.mend.io/bundle/sca_user_guide/page/scanning_with_mend_prioritize.html) 3 | 4 | * [.NET](DotNet) 5 | * [Multi-Module](DotNet/Multi-Module) 6 | * [Single-Module](DotNet/Single-Module) 7 | * [Java](Java) 8 | * [Multi-Module](Java/Multi-Module) 9 | * [Single-Module](Java/Single-Module) 10 | * [Javascript](JavaScript) 11 | * [Python](Python) 12 | * [Scala](Scala) 13 | 14 | For all examples above, make sure to change the branches defined within the .yml file according to your needs. Refer to [Branching](#Branching) for best practices 15 | 16 | **Important .NET Note** 17 |
18 | [xModuleAnalyzer](https://github.com/whitesource-ft/xModuleAnalyzer-NET) scripts may require some customization due to different build and exclusion types 19 | 20 | ## [GitHub Actions](https://docs.github.com/en/actions) 21 | YAML files beginning with "github-action" 22 | * Add the yml file to a subfolder named workflows underneath the .github folder in the branch you would like to scan and adjust branch triggers (on:) within the yml file. 23 | * `.github/workflows/github-action.yml` 24 | * Add a [repository secret](https://docs.github.com/en/actions/reference/encrypted-secrets) named "APIKEY" to the repository with your Mend API Key from the Integrate page, "USERKEY" from your profile page, and update WS_WSS_URL if necessary 25 | 26 | ## [Azure DevOps pipelines](https://docs.microsoft.com/en-us/azure/devops/pipelines/?view=azure-devops) 27 | YAML files containing "azure-pipelines" 28 | * Create a new pipeline by selecting Pipelines>Create Pipeline>Azure Repos Git> your imported repository, then select starter pipeline and replace contents with the .yml file 29 | * Add a [pipeline variable](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch) named "apiKey" with your Mend API Key from the integrate page, "userKey" from your profile page, and update WS_WSS_URL if necessary 30 | 31 | ## [GitLab pipelines](https://docs.gitlab.com/ee/ci/pipelines/) 32 | YAML files containing "gitlab-ci" 33 | * Add the gitlab-ci.yml file to the root of your repository 34 | * Add a [variable](https://docs.gitlab.com/ee/ci/variables/) named "APIKEY" with your Mend API Key from the integrate page, "USERKEY" from your profile page, and update WS_WSS_URL if necessary 35 | 36 | ## Branching 37 | The default for many of these yml files is enabled to scan on every push & pull request to a release branch. It is recommended to run Prioritize on pull requests to a protected branch. 
An example of this config for GitHub actions can be seen below 38 | 39 | ``` 40 | on: 41 | pull_request: 42 | branches: [ release* ] 43 | ``` 44 | ## [Adding Prioritize Comment Links to GitHub Issues](../Scripts/README.md) 45 | 46 | ## Prioritize Troubleshooting 47 | * Add ```-viaDebug true``` at the end of the Unified Agent command 48 | * Publish the following folders using your pipeline publish tool, [GitHub Prioritize Log Publish example](#GitHub-Prioritize-Log-Publish) 49 | * /tmp/whitesource* 50 | * /tmp/ws-ua* 51 | * For GitHub actions use ```continue-on-error: true``` in the Priortize step if the step is failing before the log publish 52 | 53 | * Important items 54 | * App.json file will have the elementid & method that should be tracked down 55 | * The log should mention if java or jdeps is a problem 56 | * %TEMP% should be used in Windows instead of /tmp/ 57 | 58 | ### GitHub Prioritize Log Publish 59 | ``` 60 | - name: 'Upload Prioritize Logs' 61 | uses: actions/upload-artifact@v2 62 | with: 63 | name: Prioritize-Logs 64 | path: | 65 | ${{github.workspace}}/whitesource 66 | /tmp/whitesource* 67 | /tmp/ws-ua* 68 | retention-days: 1 69 | ``` 70 | 71 | ### Single Folder Log Publish 72 | If your pipeline publish does not allow for multi folder publishing like GitHub actions, then add the following script after your scan to copy all required folders to the Mend folder. [AzureDevOps](../CI-CD#Azure-DevOps-Pipelines) is a good example where only single folder publishing is allowed. 
| 73 | 74 | #### Azure DevOps Linux based machines (Bash script) 75 | ``` 76 | if ls -d /tmp/whitesource* >/dev/null 2>&1 ; then cp -R /tmp/whitesource* ./whitesource ; else echo "/tmp/whitesource* does not exist" ; fi   # the glob must stay unquoted so it expands; `[ -d "/tmp/whitesource*" ]` tests a literal path and never matches 77 | if ls -d /tmp/ws-ua* >/dev/null 2>&1 ; then cp -R /tmp/ws-ua* ./whitesource ; else echo "/tmp/ws-ua* does not exist" ; fi 78 | ``` 79 | #### Azure DevOps Windows based machines (PowerShell script) 80 | ``` 81 | - task: PowerShell@2 82 | inputs: 83 | targetType: 'inline' 84 | script: | 85 | $Folder = "$env:USERPROFILE\appdata\local\temp\whitesource*" 86 | if (Test-Path -Path $Folder) 87 | { 88 | Write-Host "Copying Prioritize logs" 89 | cp -R $Folder $(System.DefaultWorkingDirectory)/whitesource/ 90 | } 91 | else 92 | { 93 | Write-Host "No Prioritize logs found" 94 | } 95 | displayName: 'Copy WhiteSource Prioritize Logs' 96 | -------------------------------------------------------------------------------- /Scripts/README.md: -------------------------------------------------------------------------------- 1 | # Scripts 2 | This repository contains scripts for use with Mend Unified agent scanning within a CI/CD pipeline. 3 | 4 | - [Adding Red Shield Comment Links to GitHub Issues](#adding-red-shield-comment-links-to-github-issues) 5 | - [Ignoring Alerts Based on Prioritize](#ignoring-alerts-based-on-prioritize) 6 | - [Reports Within a Pipeline](#reports-within-a-pipeline) 7 | - [Pipeline SBOM Generation](#pipeline-sbom-generation) 8 | - [Display Vulnerabilities Affecting a Project](#display-vulnerabilities-affecting-a-project) 9 | - [Display Policy Violations Following a Scan](#display-policy-violations-following-a-scan) 10 | - [Cache the Latest Version of the Unified Agent](#cache-the-latest-version-of-the-unified-agent) 11 | 12 | All scripts should call [check-project-state.sh](check-project-state.sh) before running to ensure that the project scan has completed. 13 |
14 |
15 | 16 | ## Adding Red Shield Comment Links to GitHub Issues 17 | 18 | [ghissue-eua.sh](ghissue-eua.sh) 19 | 20 | Add the following lines after the Unified Agent command in a GitHub action to add comments to your GitHub issues that are created by the Mend GitHub integration. These comments will indicate if the vulnerability has a red shield and provide a link to the Mend UI for further examination. 21 | 22 |
23 | 24 | **Prerequisites:** 25 | 26 | * `jq` and `awk` must be installed 27 | * 99.9% of pipelines have these pre-installed 28 | * ENV variables must be set 29 | * WS_GENERATEPROJECTDETAILSJSON: true 30 | * WS_USERKEY 31 | * WS_PRODUCTNAME 32 | * WS_PROJECTNAME 33 | * WS_WSS_URL 34 | 35 |
36 | 37 | **Execution:** 38 | 39 | ``` 40 | curl -LJO https://raw.githubusercontent.com/whitesource-ft/ws-examples/main/Scripts/ghissue-eua.sh 41 | chmod +x ./ghissue-eua.sh && ./ghissue-eua.sh 42 | ``` 43 | 44 |
45 |
| 46 | 47 | ## Ignoring Alerts Based on Prioritize 48 | 49 | [prioritize-ignore.sh](prioritize-ignore.sh) 50 | 51 | Add the following lines after the Unified Agent command in a CI/CD pipeline to ignore vulnerabilities based on Mend Prioritize Green shields in a repository that is scanned via the GitHub Integration. Note that the script calls the `ignoreAlerts` API with the org-level WS_APIKEY, so the selected alerts are ignored for the project in Mend itself, not just for this pipeline run; review which alerts it selects before running it unattended. 52 | 53 | 
54 | 55 | **Prerequisites:** 56 | 57 | * `jq` and `awk` must be installed 58 | * 99.9% of pipelines have these pre-installed 59 | * ENV variables must be set 60 | * WS_GENERATEPROJECTDETAILSJSON: true 61 | * WS_USERKEY 62 | * WS_PRODUCTNAME 63 | * WS_PROJECTNAME 64 | * WS_APIKEY 65 | * WS_WSS_URL 66 | 67 |
| 68 | 69 | **Execution:** 70 | 71 | ``` 72 | curl -LJO https://raw.githubusercontent.com/whitesource-ft/ws-examples/main/Scripts/prioritize-ignore.sh 73 | chmod +x ./prioritize-ignore.sh && ./prioritize-ignore.sh 74 | ``` 75 | Before using this in a pipeline, pin the download to a specific commit SHA instead of `main` (or verify a checksum of the script), so that a later change to the script cannot silently alter which alerts get ignored. 76 | 
77 |
78 | 79 | ## Reports Within a Pipeline 80 | 81 | Any WhiteSource report can also be published as a part of the pipeline. 82 | Add the following snippet after calling the Unified Agent in any pipeline file to save reports from the scanned project to the `./whitesource` logs folder, then use your [pipeline publish](../CI-CD#Pipeline-Log-Publishing) feature to save the whitesource log folder as an artifact. 83 | 84 |
85 | 86 | **Prerequisites:** 87 | 88 | * `jq` and `awk` must be installed 89 | * 99.9% of pipelines have these pre-installed 90 | * ENV variables must be set 91 | * WS_GENERATEPROJECTDETAILSJSON: true 92 | * WS_USERKEY 93 | * WS_WSS_URL 94 | 95 |
| 96 | 97 | **Execution:** 98 | 99 | ``` 100 | export WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json) 101 | export WS_URL=$(echo $WS_WSS_URL | awk -F "agent" '{print $1}') 102 | #RiskReport-Example (the key and token must be expanded by the shell, so they are placed outside the single-quoted JSON; inside single quotes they would be sent literally as "$WS_USERKEY") 103 | curl --output ./whitesource/riskreport.pdf --request POST "$WS_URL/api/v1.3" --header 'Content-Type: application/json' --data-raw '{"requestType":"getProjectRiskReport","userKey":"'"$WS_USERKEY"'","projectToken":"'"$WS_PROJECTTOKEN"'"}' 104 | #InventoryReport-Example (NOTE: getProductInventoryReport is a product-level request; confirm against the API docs whether a projectToken is accepted here or whether a productToken / the project-level inventory report is required) 105 | curl --output ./whitesource/inventoryreport.xlsx --request POST "$WS_URL/api/v1.3" --header 'Content-Type: application/json' --data-raw '{"requestType":"getProductInventoryReport","userKey":"'"$WS_USERKEY"'","projectToken":"'"$WS_PROJECTTOKEN"'"}' 106 | #DueDiligenceReport-Example 107 | curl --output ./whitesource/duediligencereport.pdf --request POST "$WS_URL/api/v1.3" --header 'Content-Type: application/json' --data-raw '{"requestType":"getProjectDueDiligenceReport","userKey":"'"$WS_USERKEY"'","projectToken":"'"$WS_PROJECTTOKEN"'"}' 108 | ``` 109 | 110 | 
111 |
112 | 113 | ## Pipeline SBOM Generation 114 | 115 | Add the following snippet after calling the Unified Agent in any pipeline to create an SPDX tag value output from the scanned project to the `./whitesource` logs folder, then use your [pipeline publish](../CI-CD#Pipeline-Log-Publishing) feature to save the whitesource log folder as an artifact. 116 | 117 |
118 | 119 | **Prerequisites:** 120 | 121 | * `jq`, `awk`, `python3` and `python3-pip` must be installed 122 | * 99.9% of pipelines have these pre-installed 123 | * ENV variables must be set 124 | * WS_GENERATEPROJECTDETAILSJSON: true 125 | * WS_USERKEY 126 | * WS_APIKEY 127 | * WS_WSS_URL 128 | 129 |
130 | 131 | **Execution:** 132 | 133 | ``` 134 | export WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json) 135 | export WS_URL=$(echo $WS_WSS_URL | awk -F "agent" '{print $1}') 136 | pip install ws-sbom-generator 137 | ws_sbom_generator -u $WS_USERKEY -k $WS_APIKEY -s $WS_PROJECTTOKEN -a $WS_URL -t tv -o ./whitesource 138 | ``` 139 | 140 | More information & usage regarding the [WS SBOM generator](https://github.com/whitesource-ps/ws-sbom-spdx-report) 141 | 142 | 143 |
144 |
145 | 146 | ## Display Vulnerabilities Affecting a Project 147 | 148 | [list-project-alerts.sh](list-project-alerts.sh) 149 | 150 | This script can be added to the CI/CD pipeline (or executed independently) following the WhiteSource Unified Agent scan, to list vulnerabilities affecting the last scanned project(s). 151 | 152 | This script parses the `scanProjectDetails.json` file to get the `name` and `projectToken` of the project(s) created/updated during the last scan, and then uses WhiteSource's [getProjectAlertsByType](https://whitesource.atlassian.net/wiki/spaces/WD/pages/1651769359/Alerts+API#Project.2) API request to retrieve all the vulnerability alerts associated with that project. It then prints them to the standard output (`stdout`), sorted by severity and optionally color-coded. 153 | 154 |
155 | 156 | **Prerequisites:** 157 | 158 | * `jq` and `curl` must be installed 159 | * ENV variables must be set 160 | * `WS_GENERATEPROJECTDETAILSJSON: true` 161 | * `WS_USERKEY` (admin assignment is required) 162 | * `WS_WSS_URL` 163 | * `WS_UPDATEINVENTORY: true` (defaults to true) 164 | 165 |
166 | 167 | **Execution:** 168 | 169 | ``` 170 | ./list-project-alerts.sh 171 | ``` 172 | **Sample Output:** 173 | ``` 174 | Alerts for project: vulnerable-node 175 | Alerts: 10 High, 4 Medium, 2 Low 176 | 177 | [H] CVE-2017-16138 - mime-1.3.4.tgz 178 | [H] CVE-2015-8858 - uglify-js-2.3.0.tgz 179 | [H] CVE-2017-1000228 - ejs-0.8.8.tgz 180 | [H] CVE-2017-1000048 - qs-4.0.0.tgz 181 | [H] CVE-2020-8203 - lodash-4.17.11.tgz 182 | [H] CVE-2021-23337 - lodash-4.17.11.tgz 183 | [H] CVE-2019-5413 - morgan-1.6.1.tgz 184 | [H] CVE-2019-10744 - lodash-4.17.11.tgz 185 | [H] CVE-2017-16119 - fresh-0.3.0.tgz 186 | [H] CVE-2015-8857 - uglify-js-2.3.0.tgz 187 | [M] CVE-2020-28500 - lodash-4.17.11.tgz 188 | [M] CVE-2017-16137 - debug-2.2.0.tgz 189 | [M] CVE-2019-14939 - mysql-2.12.0.tgz 190 | [M] WS-2018-0080 - mysql-2.12.0.tgz 191 | [L] WS-2018-0589 - nwmatcher-1.3.9.tgz 192 | [L] WS-2017-0280 - mysql-2.12.0.tgz 193 | ``` 194 | 195 | See known limitations [here](list-project-alerts.sh). 196 | 197 |
198 |
| 198 | 199 | 200 | ## Display Policy Violations Following a Scan 201 | 202 | [list-policy-violations.sh](list-policy-violations.sh) 203 | 204 | This script parses the `policyRejectionSummary.json` file, following a WhiteSource Unified Agent scan, and prints to the standard output (`stdout`) the policies that were violated, as well as the libraries that violated them. 205 | 206 | The `policyRejectionSummary.json` file is created automatically under the agent log directory (`./whitesource`) during a scan that's configured to check policies. 207 | Every policy check overwrites this file, so this list is always specific to the last scan (that had policy check enabled). 208 | 209 | 
210 | 211 | **Prerequisites:** 212 | 213 | * `jq` must be installed 214 | * ENV variables must be set 215 | * `WS_CHECKPOLICIES: true` 216 | 217 |
218 | 219 | **Execution:** 220 | 221 | ``` 222 | ./list-policy-violations.sh [-p|--includePath] 223 | ``` 224 | **Sample Outputs:** 225 | ``` 226 | $ ./list-policy-violations.sh 227 | 228 | WhiteSource Policy Violations 229 | ============================= 230 | Product: vulnerable-node 231 | Project: master 232 | Total Rejected Libraries: 9 233 | 234 | Policy Name: Reject Vuln CVSS 9+ 235 | Policy Type: VULNERABILITY_SCORE 236 | Rejected Libraries: 237 | morgan-1.6.1.tgz 238 | pg-5.1.0.tgz 239 | ejs-2.7.4.tgz 240 | lodash-4.17.11.tgz 241 | ejs-0.8.8.tgz 242 | 243 | Policy Name: Review BSD2 244 | Policy Type: LICENSE 245 | Rejected Libraries: 246 | semver-4.3.2.tgz 247 | source-map-0.1.43.tgz 248 | qs-4.0.0.tgz 249 | uglify-js-2.3.0.tgz 250 | 251 | ``` 252 | 253 | ``` 254 | $ ./list-policy-violations.sh --includePath 255 | 256 | WhiteSource Policy Violations 257 | ============================= 258 | Product: easybuggy 259 | Project: master 260 | Total Rejected Libraries: 6 261 | 262 | Policy Name: Reject Vuln CVSS 9+ 263 | Policy Type: VULNERABILITY_SCORE 264 | Rejected Libraries: 265 | log4j-1.2.13.jar (/build/gl/easybuggy/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/log4j-1.2.13.jar) 266 | commons-fileupload-1.3.1.jar (/build/gl/easybuggy/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/commons-fileupload-1.3.1.jar) 267 | derby-10.8.3.0.jar (/home/gl/.m2/repository/org/apache/derby/derby/10.8.3.0/derby-10.8.3.0.jar) 268 | 269 | Policy Name: Review LGPL 270 | Policy Type: LICENSE 271 | Rejected Libraries: 272 | xom-1.2.5.jar (/build/gl/easybuggy/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/xom-1.2.5.jar) 273 | bsh-core-2.0b4.jar (/build/gl/easybuggy/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/bsh-core-2.0b4.jar) 274 | javassist-3.12.1.GA.jar (/build/gl/easybuggy/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/javassist-3.12.1.GA.jar) 275 | 276 | ``` 277 | 278 |
279 |
280 | 281 | ## Cache the Latest Version of the Unified Agent 282 | 283 | [cache-ua.sh](cache-ua.sh) 284 | 285 | This script allows caching of the [WhiteSource Unified Agent](https://whitesource.atlassian.net/wiki/spaces/WD/pages/1140852201/Getting+Started+with+the+Unified+Agent), so you can periodically check for updates and download the latest version only if needed, rather than redundantly downloading prior to every scan. 286 | 287 | The [cache-ua.sh](cache-ua.sh) script can be added to the CI/CD pipeline on a static/hosted build agent (prior to the Unified Agent scan task), or triggered independently, manually or by a scheduled task. 288 | 289 |
290 | 291 | **Prerequisites:** 292 | 293 | * `jq` and `curl` must be installed 294 | 295 |
296 | 297 | **Execution:** 298 | 299 | ``` 300 | curl -LJO https://raw.githubusercontent.com/whitesource-ft/ws-examples/main/Scripts/cache-ua.sh 301 | chmod +x ./cache-ua.sh && ./cache-ua.sh 302 | ``` 303 | 304 | Pin the URL to a specific tag or commit rather than `main` if you want the downloaded script to be reproducible between runs. See an additional example of implementation within a build pipeline under [CI-CD](../CI-CD/README.md#caching-the-unified-agent) (`*-cached-ua.yml`). 305 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 
29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 
61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | --------------------------------------------------------------------------------