This repository contains scripts for use with Mend Unified agent scanning within a CI/CD pipeline.
- Adding Red Shield Comment Links to GitHub Issues
- Adding Red Shield Comments Links to GitHub Issues and Closing Green Shield Issues
- Reports Within a Pipeline
- Pipeline SBOM Generation
- Display Vulnerabilities Affecting a Project
- Display Policy Violations Following a Scan
- Cache the Latest Version of the Unified Agent
All scripts should call check-project-state.sh before running to ensure that the project scan has completed.
Add the following lines after the Unified Agent command in a GitHub action to add comments to your GitHub issues that are created by the Mend GitHub integration. These comments will indicate if the vulnerability has a red shield and provide a link to the Mend UI for further examination.
Prerequisites:
- jq and awk must be installed (99.9% of pipelines have these pre-installed)
- ENV variables must be set:
  - WS_GENERATEPROJECTDETAILSJSON: true
  - WS_USERKEY
  - WS_PRODUCTNAME
  - WS_PROJECTNAME
  - WS_WSS_URL
Execution:
curl -LJO https://raw.githubusercontent.com/whitesource-ft/ws-examples/main/Scripts/ghissue-eua.sh
chmod +x ./ghissue-eua.sh && ./ghissue-eua.sh
Add the following lines after the Unified Agent command in a CI/CD pipeline to ignore vulnerabilities based on Mend Prioritize green shields in a repository that is scanned via the GitHub integration.
Prerequisites:
- jq and awk must be installed (99.9% of pipelines have these pre-installed)
- ENV variables must be set:
  - WS_GENERATEPROJECTDETAILSJSON: true
  - WS_USERKEY
  - WS_PRODUCTNAME
  - WS_PROJECTNAME
  - WS_APIKEY
  - WS_WSS_URL
Execution:
curl -LJO https://raw.githubusercontent.com/whitesource-ft/ws-examples/main/Scripts/prioritize-ignore.sh
chmod +x ./prioritize-ignore.sh && ./prioritize-ignore.sh
Any WhiteSource report can also be published as a part of the pipeline.
Add the following snippet after calling the Unified Agent in any pipeline file to save reports from the scanned project to the ./whitesource logs folder, then use your pipeline publish feature to save the whitesource log folder as an artifact.
Prerequisites:
- jq and awk must be installed (99.9% of pipelines have these pre-installed)
- ENV variables must be set:
  - WS_GENERATEPROJECTDETAILSJSON: true
  - WS_USERKEY
  - WS_WSS_URL
Execution:
export WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json)
export WS_URL=$(echo "$WS_WSS_URL" | awk -F "agent" '{print $1}')
# The request bodies are double-quoted so that $WS_USERKEY and $WS_PROJECTTOKEN are expanded;
# inside single quotes the shell would send the literal text "$WS_USERKEY" to the API.
#RiskReport-Example
curl --output ./whitesource/riskreport.pdf --request POST "$WS_URL/api/v1.3" --header 'Content-Type: application/json' --data-raw "{\"requestType\":\"getProjectRiskReport\",\"userKey\":\"$WS_USERKEY\",\"projectToken\":\"$WS_PROJECTTOKEN\"}"
#InventoryReport-Example
curl --output ./whitesource/inventoryreport.xlsx --request POST "$WS_URL/api/v1.3" --header 'Content-Type: application/json' --data-raw "{\"requestType\":\"getProductInventoryReport\",\"userKey\":\"$WS_USERKEY\",\"projectToken\":\"$WS_PROJECTTOKEN\"}"
#DueDiligenceReport-Example
curl --output ./whitesource/duediligencereport.pdf --request POST "$WS_URL/api/v1.3" --header 'Content-Type: application/json' --data-raw "{\"requestType\":\"getProjectDueDiligenceReport\",\"userKey\":\"$WS_USERKEY\",\"projectToken\":\"$WS_PROJECTTOKEN\"}"
Add the following snippet after calling the Unified Agent in any pipeline to create an SPDX tag-value output from the scanned project in the ./whitesource logs folder, then use your pipeline publish feature to save the whitesource log folder as an artifact.
Prerequisites:
- jq, awk, python3 and python3-pip must be installed (99.9% of pipelines have these pre-installed)
- ENV variables must be set:
  - WS_GENERATEPROJECTDETAILSJSON: true
  - WS_USERKEY
  - WS_APIKEY
  - WS_WSS_URL
Execution:
export WS_PROJECTTOKEN=$(jq -r '.projects | .[] | .projectToken' ./whitesource/scanProjectDetails.json)
export WS_URL=$(echo $WS_WSS_URL | awk -F "agent" '{print $1}')
pip install ws-sbom-generator
ws_sbom_generator -u $WS_USERKEY -k $WS_APIKEY -s $WS_PROJECTTOKEN -a $WS_URL -t tv -o ./whitesource
More information & usage regarding the WS SBOM generator
This script can be added to the CI/CD pipeline (or executed independently) following the WhiteSource Unified Agent scan, to list vulnerabilities affecting the last scanned project(s).
This script parses the scanProjectDetails.json file to get the name and projectToken of the project(s) created/updated during the last scan, and then uses WhiteSource's getProjectAlertsByType API request to retrieve all the vulnerability alerts associated with that project. It then prints them to the standard output (stdout), sorted by severity and optionally color-coded.
Prerequisites:
- jq and curl must be installed
- ENV variables must be set:
  - WS_GENERATEPROJECTDETAILSJSON: true
  - WS_USERKEY (admin assignment is required)
  - WS_WSS_URL
  - WS_UPDATEINVENTORY: true (defaults to true)
Execution:
./list-project-alerts.sh
Sample Output:
Alerts for project: vulnerable-node
Alerts: 10 High, 4 Medium, 2 Low
[H] CVE-2017-16138 - mime-1.3.4.tgz
[H] CVE-2015-8858 - uglify-js-2.3.0.tgz
[H] CVE-2017-1000228 - ejs-0.8.8.tgz
[H] CVE-2017-1000048 - qs-4.0.0.tgz
[H] CVE-2020-8203 - lodash-4.17.11.tgz
[H] CVE-2021-23337 - lodash-4.17.11.tgz
[H] CVE-2019-5413 - morgan-1.6.1.tgz
[H] CVE-2019-10744 - lodash-4.17.11.tgz
[H] CVE-2017-16119 - fresh-0.3.0.tgz
[H] CVE-2015-8857 - uglify-js-2.3.0.tgz
[M] CVE-2020-28500 - lodash-4.17.11.tgz
[M] CVE-2017-16137 - debug-2.2.0.tgz
[M] CVE-2019-14939 - mysql-2.12.0.tgz
[M] WS-2018-0080 - mysql-2.12.0.tgz
[L] WS-2018-0589 - nwmatcher-1.3.9.tgz
[L] WS-2017-0280 - mysql-2.12.0.tgz
See known limitations here.
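The same parse, query, sort and print flow as an added Python example over constructed data (it is not the repository's list-project-alerts.sh). The projectName key in scanProjectDetails.json, the layout of the getProjectAlertsByType response and the alertType value are assumptions; the HTTP call itself is left to the pipeline's curl step.

```python
import json
from collections import Counter

# Severity rank for sorting plus the [H]/[M]/[L] tag used in the sample output.
SEVERITY = {"high": (0, "H"), "medium": (1, "M"), "low": (2, "L")}

# Constructed sample of ./whitesource/scanProjectDetails.json; the page only
# shows the .projects[].projectToken path, so the projectName key is an assumption.
SCAN_DETAILS = json.dumps({"projects": [
    {"projectName": "vulnerable-node", "projectToken": "PROJECT_TOKEN_PLACEHOLDER"}]})

# Constructed getProjectAlertsByType response; the alerts[].vulnerability and
# alerts[].library layout is assumed from the Mend API docs, not from this page.
ALERTS_RESPONSE = json.dumps({"alerts": [
    {"type": "SECURITY_VULNERABILITY", "library": {"filename": "lodash-4.17.11.tgz"},
     "vulnerability": {"name": "CVE-2020-28500", "severity": "medium"}},
    {"type": "SECURITY_VULNERABILITY", "library": {"filename": "mime-1.3.4.tgz"},
     "vulnerability": {"name": "CVE-2017-16138", "severity": "high"}},
    {"type": "SECURITY_VULNERABILITY", "library": {"filename": "mysql-2.12.0.tgz"},
     "vulnerability": {"name": "WS-2017-0280", "severity": "low"}},
    {"type": "SECURITY_VULNERABILITY", "library": {"filename": "lodash-4.17.11.tgz"},
     "vulnerability": {"name": "CVE-2020-8203", "severity": "high"}},
    # A non-vulnerability alert carries no "vulnerability" block and must be skipped.
    {"type": "REJECTED_BY_POLICY_RESOURCE", "library": {"filename": "ejs-0.8.8.tgz"}},
]})

def projects(details_json):
    """(name, token) for every project the last scan created or updated."""
    return [(p.get("projectName", "<unnamed>"), p["projectToken"])
            for p in json.loads(details_json)["projects"]]

def alerts_request(user_key, project_token):
    """JSON body for the getProjectAlertsByType call (alertType value assumed)."""
    return {"requestType": "getProjectAlertsByType", "alertType": "SECURITY_VULNERABILITY",
            "userKey": user_key, "projectToken": project_token}

def render(project_name, alerts_json):
    """Sort vulnerability alerts by severity and format them like the sample output."""
    rows = []
    for a in json.loads(alerts_json)["alerts"]:
        vuln = a.get("vulnerability")
        if not vuln:
            continue  # not a vulnerability alert
        sev = vuln.get("severity", "").lower()
        rows.append((SEVERITY.get(sev, (99, "?")), vuln["name"], a["library"]["filename"]))
    rows.sort(key=lambda r: r[0][0])  # stable sort keeps API order within one severity
    counts = Counter(r[0][1] for r in rows)
    lines = [f"Alerts for project: {project_name}",
             f"Alerts: {counts['H']} High, {counts['M']} Medium, {counts['L']} Low"]
    lines += [f"[{tag}] {name} - {lib}" for (_, tag), name, lib in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    for name, token in projects(SCAN_DETAILS):
        # In the pipeline, alerts_request(...) is POSTed to $WS_URL/api/v1.3 via curl.
        print(render(name, ALERTS_RESPONSE))
```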
This script parses the policyRejectionSummary.json file, following a WhiteSource Unified Agent scan, and prints to the standard output (stdout) the policies that were violated, as well as the libraries that violated them.
The policyRejectionSummary.json file is created automatically under the agent log directory (./whitesource) during a scan that is configured to check policies.
Every policy check overwrites this file, so this list is always specific to the last scan that had policy checking enabled.
Prerequisites:
- jq must be installed
- ENV variables must be set:
  - WS_CHECKPOLICIES: true
Execution:
./list-policy-violations.sh [-p|--includePath]
Sample Outputs:
$ ./list-policy-violations.sh
WhiteSource Policy Violations
=============================
Product: vulnerable-node
Project: master
Total Rejected Libraries: 9
Policy Name: Reject Vuln CVSS 9+
Policy Type: VULNERABILITY_SCORE
Rejected Libraries:
morgan-1.6.1.tgz
pg-5.1.0.tgz
ejs-2.7.4.tgz
lodash-4.17.11.tgz
ejs-0.8.8.tgz
Policy Name: Review BSD2
Policy Type: LICENSE
Rejected Libraries:
semver-4.3.2.tgz
source-map-0.1.43.tgz
qs-4.0.0.tgz
uglify-js-2.3.0.tgz
$ ./list-policy-violations.sh --includePath
WhiteSource Policy Violations
=============================
Product: easybuggy
Project: master
Total Rejected Libraries: 6
Policy Name: Reject Vuln CVSS 9+
Policy Type: VULNERABILITY_SCORE
Rejected Libraries:
log4j-1.2.13.jar (/build/gl/easybuggy/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/log4j-1.2.13.jar)
commons-fileupload-1.3.1.jar (/build/gl/easybuggy/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/commons-fileupload-1.3.1.jar)
derby-10.8.3.0.jar (/home/gl/.m2/repository/org/apache/derby/derby/10.8.3.0/derby-10.8.3.0.jar)
Policy Name: Review LGPL
Policy Type: LICENSE
Rejected Libraries:
xom-1.2.5.jar (/build/gl/easybuggy/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/xom-1.2.5.jar)
bsh-core-2.0b4.jar (/build/gl/easybuggy/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/bsh-core-2.0b4.jar)
javassist-3.12.1.GA.jar (/build/gl/easybuggy/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/javassist-3.12.1.GA.jar)
This script allows caching of the WhiteSource Unified Agent, so you can periodically check for updates and download the latest version only if needed, rather than redundantly downloading prior to every scan.
The cache-ua.sh script can be added to the CI/CD pipeline on a static/hosted build agent (prior to the Unified Agent scan task), or triggered independently, manually or by a scheduled task.
Prerequisites:
- jq and curl must be installed
Execution:
curl -LJO https://raw.githubusercontent.com/whitesource-ft/ws-examples/main/Scripts/cache-ua.sh
chmod +x ./cache-ua.sh && ./cache-ua.sh
See the additional example of an implementation within a build pipeline under CI-CD (*-cached-ua.yml).