Last updated: Aug 26, 2019

Overview

WhiteSource is the leader in continuous open source software security and compliance management. WhiteSource integrates into your build process, no matter your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource's constantly updated, definitive database of open source repositories.

WhiteSource provides WhiteSource Bolt, a lightweight open source security and management solution developed specifically for integration with Microsoft's Visual Studio Team Services (and TFS). It works per project and does not offer real-time alert capabilities like the full platform offering, which is generally recommended for larger development teams that want to automate their open source management throughout the entire software development lifecycle (from the repositories to post-deployment stages) and across all projects and products.

What’s covered in this lab

This lab shows how you can use WhiteSource Bolt with VSTS to automatically detect and alert on vulnerable open source components, outdated libraries, and license compliance issues in your code. We will be using WebGoat, a deliberately insecure web application maintained by OWASP and designed to teach web application security lessons.

Team Services integration with WhiteSource Bolt will enable you to:

  1. Detect and remedy vulnerable open source components.
  2. Generate comprehensive open source inventory reports per project or build.
  3. Enforce open source license compliance, including dependencies’ licenses.
  4. Identify outdated open source libraries with recommendations to update.

Prerequisites for the lab

  1. You will need a Visual Studio Team Services account. If you do not have one, you can sign up for free here.

  2. You will need a Personal Access Token to set up your project using the VSTS Demo Generator. Please see this article for instructions to create your token.

  3. The WhiteSource Bolt extension from the Visual Studio Marketplace needs to be installed and enabled on your VSTS account.

Setting up the VSTS project

  1. Use VSTS Demo Generator to provision the WhiteSource project on your VSTS account.

    VSTS Demo Generator helps you create team projects on your VSTS account with sample content that includes source code, work items, iterations, service endpoints, and build and release definitions, based on the template you choose during configuration.

    VSTSDemogenerator

  2. Once the project is provisioned, click the URL to navigate to the project.

    VSTSDemogenerator-create

Exercise 1: Activate WhiteSource Bolt

After installing the extension, you will need to activate your project with an activation code.

In your team project, under the Build and Release section, go to the White Source Bolt tab and activate the 14-day trial license.

Dev_Essentials

If you are a Visual Studio Enterprise subscriber, you are entitled to a 6-month free subscription. You can get your activation code from the Visual Studio Enterprise benefit page and follow the instructions there.

ActivateWhiteSourceBolt

Upon activation, the below message is displayed.

14daystrial

Exercise 2: Trigger a build

We have Java code provisioned by the demo generator. We will use the WhiteSource Bolt extension to check for vulnerable components present in this code.

  1. Go to the Build and Release tab, click the build definition, and click Queue new build… to trigger a build.

    build-def

    queue-build

  2. You can see the build's in-progress status.

    inprogress_build

  3. While the build is in progress, let's explore the build definition. The tasks used in the build definition are listed in the table below.

    Task                       Usage
    -----------------------    ------------------------------------------------------------
    maven                      Maven builds the Java code with the provided pom.xml file
    whitesourcebolt            WhiteSource Bolt scans the code in the provided working
                               directory/root directory to detect security vulnerabilities
                               and problematic open source licenses
    copy-files                 Copy Files copies the resulting JAR files from the source to
                               the destination folder using match patterns
    publish-build-artifacts    Publish Build Artifacts publishes the artifacts produced by
                               the build

  4. Once the build is completed, you will see the summary, which shows test results and code coverage as shown below.

    build_summary

  5. From the build summary, go to the WhiteSource Bolt Build Report to see the vulnerability report.

    report
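The build definition explored in step 3 is a classic (designer) definition. As an added illustration that is not part of the original lab and not WhiteSource's or Microsoft's own sample, the same four tasks expressed as an Azure Pipelines YAML definition look like the following. The task identifiers and inputs (Maven@3, WhiteSource Bolt@20 with a cwd input, CopyFiles@2, PublishBuildArtifacts@1), the hosted agent image, and the trigger branch are assumptions made for this example.

```yaml
# Added example (not from the lab): YAML equivalent of the classic build
# definition described in Exercise 2, step 3.
# Assumed task names/inputs: Maven@3, WhiteSource Bolt@20 (cwd input),
# CopyFiles@2, PublishBuildArtifacts@1. Agent image and trigger are assumptions.
trigger:
  - master

pool:
  vmImage: 'ubuntu-latest'   # assumption: hosted agent with a JDK and Maven

steps:
  # maven: build the Java code from the provided pom.xml and publish unit test
  # results so they appear in the build summary (Exercise 2, step 4)
  - task: Maven@3
    displayName: 'Maven build'
    inputs:
      mavenPomFile: 'pom.xml'
      goals: 'package'
      publishJUnitResults: true
      testResultsFiles: '**/surefire-reports/TEST-*.xml'

  # whitesourcebolt: scan the working directory for vulnerable open source
  # components and problematic licenses; the report is linked from the summary
  - task: WhiteSource Bolt@20
    displayName: 'WhiteSource Bolt scan'
    inputs:
      cwd: '$(System.DefaultWorkingDirectory)'   # assumed input name

  # copy-files: collect the resulting JAR files into the staging directory
  - task: CopyFiles@2
    displayName: 'Copy JAR files'
    inputs:
      SourceFolder: '$(System.DefaultWorkingDirectory)'
      Contents: '**/target/*.jar'
      TargetFolder: '$(Build.ArtifactStagingDirectory)'

  # publish-build-artifacts: expose the staged JARs as a build artifact
  - task: PublishBuildArtifacts@1
    displayName: 'Publish build artifacts'
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)'
      ArtifactName: 'drop'
```

The scan step is placed after the Maven build on purpose: by then Maven has resolved the project's dependencies, including transitive ones, so the inventory that Exercise 3 analyzes reflects what the build actually pulled in rather than only what is declared directly in pom.xml.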

Exercise 3: Analyze Reports

WhiteSource Bolt automatically detects open source components in the software, including transitive dependencies and their respective licenses.

Security Dashboard

The security dashboard shows the vulnerabilities found in the build. This report lists all vulnerable open source components, with the Vulnerability Score, Vulnerable Libraries, and Severity Distribution.

Security

You can see the open source license distribution and a detailed view of all components, with links to their metadata and license references.

Outdated Libraries

WhiteSource Bolt also tracks outdated libraries in the project, providing detailed information, links to newer versions, and update recommendations.

outdatedlibraries

Summary

With the VSTS and WhiteSource Bolt integration you can shift left your open source management. The integration allows you to receive alerts in real time on vulnerabilities and other issues, so that you can take immediate action.