WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, no matter your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource's constantly updated definitive database of open source repositories.
WhiteSource provides WhiteSource Bolt, a lightweight open source security and management solution developed specifically for integration with Microsoft's Visual Studio Team Services (and TFS). It works per project and does not offer the real-time alert capabilities of the full platform offering, which is generally recommended for larger development teams wanting to automate their open source management throughout the entire software development lifecycle (from the repositories to post-deployment stages) and across all projects and products.
What’s covered in this lab
This lab shows how you can use WhiteSource Bolt with VSTS to automatically detect and alert on vulnerable open source components, outdated libraries, and license compliance issues in your code. We will be using WebGoat, a deliberately insecure web application maintained by OWASP and designed to teach web application security lessons.
Team Services integration with WhiteSource Bolt will enable you to:
- Detect and remedy vulnerable open source components.
- Generate comprehensive open source inventory reports per project or build.
- Enforce open source license compliance, including dependencies’ licenses.
- Identify outdated open source libraries with recommendations to update.
Prerequisites for the lab
You will need a Visual Studio Team Services Account. If you do not have one, you can sign up for free here
You will need a Personal Access Token to set up your project using the VSTS Demo Generator. Please see this article for instructions to create your token. Note: You should treat Personal Access Tokens like passwords. It is recommended that you save them somewhere safe so that you can re-use them for future requests.
The WhiteSource Bolt extension from the Visual Studio Marketplace needs to be installed and enabled on your VSTS account.
Setting up the VSTS project
Use VSTS Demo Generator to provision the WhiteSource project on your VSTS account.
VSTS Demo Generator helps you create team projects on your VSTS account with sample content that includes source code, work items, iterations, service endpoints, and build and release definitions, based on the template you choose during the configuration.
Once the project is provisioned, click the URL to navigate to the project.
Exercise 1: Activate WhiteSource Bolt
After installing the extension, you will need to activate your project with an activation code.
In your Team project, under the Build and Release section, go to the WhiteSource Bolt tab and activate the 14-day trial license.
If you are a Visual Studio Enterprise subscriber, you are entitled to a 6-month free subscription. You can get your activation code from the Visual Studio Enterprise benefits page and follow the instructions there.
Upon activation, the message below is displayed.
Exercise 2: Trigger a build
We have Java code provisioned by the demo generator system. We will use the WhiteSource Bolt extension to check for vulnerable components present in this code.
Go to the Build and Release tab, select the build definition and click Queue new build… to trigger a build.
You can see the build status while it is in progress.
While the build is in progress, let's explore the build definition. The tasks used in the build definition are listed below.
Tasks and their usage:
- Maven: builds the Java code with the provided pom.xml file.
- WhiteSource Bolt: scans the code in the provided working directory/root directory to detect security vulnerabilities and problematic open source licenses.
- Copy Files: copies the resulting JAR files from the source to the destination folder using match patterns.
- Publish Build Artifacts: publishes the artifacts produced by the build.
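The same four-task build written as a YAML build definition, as an added example that is not part of the original lab or the demo generator template. It assumes the repository has a pom.xml at its root, that the WhiteSource Bolt extension is installed and activated on the account, and that the Bolt task is referenced as WhiteSourceBolt@20 (confirm the task name and its `cwd` input against the task catalogue in your own account).

```yaml
# Added example: YAML form of the build described in the task list above.
# Assumed: pom.xml at the repository root, WhiteSource Bolt extension
# installed and activated, and a hosted agent pool available.
trigger:
  - master

pool:
  vmImage: 'ubuntu-latest'

steps:
  # 1. Maven: build the Java code from the provided pom.xml, publishing
  #    JUnit results and JaCoCo coverage so they appear in the build summary.
  - task: Maven@3
    displayName: 'Maven package'
    inputs:
      mavenPomFile: 'pom.xml'
      goals: 'package'
      publishJUnitResults: true
      testResultsFiles: '**/surefire-reports/TEST-*.xml'
      codeCoverageToolOption: 'JaCoCo'

  # 2. WhiteSource Bolt: scan the working directory for vulnerable open
  #    source components (including transitive dependencies) and problematic
  #    licenses. The task reference WhiteSourceBolt@20 is an assumption.
  - task: WhiteSourceBolt@20
    displayName: 'WhiteSource Bolt scan'
    inputs:
      cwd: '$(Build.SourcesDirectory)'

  # 3. Copy Files: collect the resulting JARs using a match pattern.
  - task: CopyFiles@2
    displayName: 'Copy JAR files to staging'
    inputs:
      SourceFolder: '$(Build.SourcesDirectory)'
      Contents: '**/target/*.jar'
      TargetFolder: '$(Build.ArtifactStagingDirectory)'

  # 4. Publish Build Artifacts: publish what the build produced.
  - task: PublishBuildArtifacts@1
    displayName: 'Publish artifacts'
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)'
      ArtifactName: 'drop'
```

Running the scan in the same pipeline as the build means every queued build produces a fresh WhiteSource Bolt report, so a newly published vulnerability in a transitive dependency shows up on the next build rather than at release time.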
Once the build is completed, you will see the summary, which shows test results and code coverage as shown below.
From the build summary, go to WhiteSource Bolt Build Report to see the vulnerability report.
Exercise 3: Analyze Reports
WhiteSource Bolt automatically detects open source components in the software, including transitive dependencies, and their respective licenses.
The security dashboard shows the vulnerabilities found in the build. This report lists all vulnerable open source components with their Vulnerability Score, Vulnerable Libraries, and Severity Distribution.
You can see the open source license distribution and a detailed view of all components, with links to their metadata and license references.
WhiteSource Bolt also tracks outdated libraries in the project, providing detailed information, links to newer versions, and update recommendations.
With the VSTS and WhiteSource Bolt integration you can shift-left your open source management. The integration allows you to receive alerts on vulnerabilities and other issues as soon as a build runs, helping you take immediate action.