WhiteSource Bolt for Azure DevOps FAQ

  • Get Started
    • How to install?

      To install WhiteSource Bolt for Azure DevOps, go to the Visual Studio Marketplace, open the Azure DevOps tab and search for the ‘WhiteSource Bolt’ extension. Select the WhiteSource Bolt extension and click ‘Get it free’.

    • How to activate?

      Follow the 4 easy steps here to activate the WhiteSource extension.

    • Are there any special build configurations?

      The default configuration is good enough. However, you can click the advanced settings near the Work directory field and define specific folders to scan or specific folders to exclude.

    • I'm a WhiteSource customer and I'd like to start using WhiteSource Bolt for Azure DevOps. Is it included in my subscription?

      WhiteSource offers WhiteSource Bolt for Azure DevOps free of charge, but it is limited to 5 scans per day per repository.

      However, paying WhiteSource customers are recommended to use the Azure DevOps Server or the Azure DevOps Services integration instead.

    • About WhiteSource Bolt

      WhiteSource Bolt for Azure DevOps is an integrated open source security and management product within the Azure DevOps Services/Server product. It runs directly in your build and release pipeline.

      WhiteSource Bolt for Azure DevOps detects all open source components in your build, including dependencies, and alerts on vulnerable components, license compliance issues, and outdated libraries.

      The application is free, but you can upgrade to the full solution in order to integrate with your entire SDLC.

  • Reports
    • Security Vulnerabilities Dashboard

      This dashboard has 4 sections:

      1. Vulnerability Score – presents the highest score among the vulnerabilities found.
      2. Vulnerable Libraries – summarizes how many non-vulnerable and how many vulnerable libraries you have.
      3. Severity Distribution – presents how many vulnerable libraries you have at each severity level.
      4. Aging Vulnerable Libraries – presents how many vulnerable libraries you have, divided by vulnerability age.

    • Security Vulnerabilities Report

      Presents all vulnerabilities in your project/build, including affected libraries, vulnerability description, and a top fix suggestion.

      The Vulnerability column lists a vulnerability’s severity score, a link to its CVE or WhiteSource profile (if the vulnerability is unregistered in the CVE/NVD), and its publishing date. The column is ordered according to severity, with the most severe vulnerabilities appearing first.

      The Library column lists the name of the library containing the vulnerability. Note that if a vulnerability impacts more than one source file, all impacted source files are displayed, parenthesized and separated by commas. Binary components (e.g. jar, dll, tgz) do not contain source files, so none are listed for them.

      The Description column provides a description of the vulnerability as written in the CVE database. If the vulnerability is unregistered (WS), a link is provided to its description in an alternative open source vulnerability resource.

      The Top Fix column lists the top-rated solution that WhiteSource recommends for each vulnerability. A condensed description of the recommended course of action is given, followed by a link to a broader description.

    • Outdated Libraries Report

      Presents information regarding libraries for which newer versions are available.

      The Library column lists the name of the outdated library.
      The Versions column lists the version number and release date of the outdated library, the library’s most up-to-date version number and release date, and the number of versions that have been released in between.
      The Recommendations column lists the course of action recommended by WhiteSource and a link to the library’s homepage.

    • License Risks and Compliance Dashboard

      Presents the open source license distribution.

      The License Distribution table lists the license types associated with detected open source components and provides links to the licenses’ official descriptions. A risk level is given for each license type, as well as the license type’s total number of occurrences.

      The License Risk Distribution histogram breaks down the number of licenses by their risk level. Unknown risk level only means the license risk was not analyzed by WhiteSource legal experts.

    • Inventory and License Report

      Presents an inventory of all open source components detected.

      The Library column shows the name of the open source library and a link to its homepage or direct download.

      The Licenses column lists licenses detected for each library, and links to their official license descriptions. The reference site that identifies the library’s license type is also linked to or described.

    • How to view build level reports?

      Open the relevant build (one in which WhiteSource Bolt ran as a build step) and click on WhiteSource Bolt Report.

    • How to view project-level reports?

      Go to your project. Under ‘Build & Releases’, open the ‘WhiteSource Bolt’ tab.

    • How to view account level reports?

      WhiteSource Bolt does not offer an account-level report. However, the full platform does enable you to do so. For more information – contact us.

  • Troubleshooting
    • Why can't I see any data in my reports?

      Make sure there are open source components in your work directory, and pay attention to the order of your build steps: the dependency-installing steps must run before the WhiteSource Bolt step so that the packages are on disk when the scan runs. For example, the NPM and NuGet steps should come before the WhiteSource Bolt step.
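      The following azure-pipelines.yml fragment is an added illustration of this step ordering (and of the work-directory setting mentioned under ‘Are there any special build configurations?’); it is not taken from the WhiteSource documentation. The Bolt task name `WhiteSource Bolt@20` and its `cwd` input are assumed from the marketplace task, and the paths are constructed placeholders.

```yaml
# Constructed example pipeline (not from the WhiteSource docs).
# Dependency-restore steps run first so the packages exist on disk
# before the Bolt step scans the work directory.
trigger:
  - main

pool:
  vmImage: 'windows-latest'

steps:
  # 1. NuGet restore runs before Bolt (built-in NuGetCommand task).
  - task: NuGetCommand@2
    inputs:
      command: 'restore'
      restoreSolution: '**/*.sln'

  # 2. npm install runs before Bolt (built-in Npm task).
  - task: Npm@1
    inputs:
      command: 'install'
      workingDir: 'web'            # constructed path

  # 3. Build as usual.
  - task: VSBuild@1
    inputs:
      solution: '**/*.sln'

  # 4. WhiteSource Bolt scans the work directory last.
  #    Task name and 'cwd' input are assumptions; the folders-to-scan
  #    and folders-to-exclude options are set under the task's
  #    Advanced settings in the pipeline editor.
  - task: WhiteSource Bolt@20
    inputs:
      cwd: '$(System.DefaultWorkingDirectory)'
```

      If the Bolt task is placed above the restore and install steps, the scan runs against an empty package tree and the reports show no data.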

    • Why do I see only partial results?

      You only see results for the libraries which were identified as open source components.

    • Why can't I see any data for my Maven projects?

      Currently, WhiteSource Bolt does not support Maven projects.

    • Why don’t I see a license for all components?

      Some components will not show a license, since not all open source components have licenses that were published by an open source authority.

    • Why don’t I see a fix for all vulnerabilities?

      Some vulnerabilities don’t have publicly available fixes.

    • Still encountering technical issues?

      Check out our documentation or contact support here: boltazure@whitesourcesoftware.com