Integration of WhiteSource with vNext builds for scanning third-party libraries/packages
When we build software in an Agile environment, the customer expects that it will be fast paced and delivered constantly. Ideally, with DevOps in place, one click of a button could deploy our software to production. This is what’s expected in this model.
We think a lot about delivery, quality, delivered value, practices to follow, and all kinds of tests and their reports. All of these are fine, and pretty much required. But what we constantly forget to check (or monitor) are the vulnerabilities present in the third-party libraries or packages we use in our software. We use these third-party libraries/packages without a second thought, because productivity increases and there is no need to reinvent the wheel.
If we want to monitor and take care of these regularly, the simple steps below show how to achieve this.
Why is this integration required?
This is required to scan all the open source libraries we use in our project. It also tells us about the licenses in use and which libraries are outdated, so that we can take the necessary actions.
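To make concrete what such a scan produces and what "taking the necessary actions" can mean in a build, here is an added example (not WhiteSource's code, and not part of the original post) of a minimal software composition analysis gate: it takes a dependency inventory, flags known-vulnerable versions, disallowed licenses and outdated packages, and returns a pass/fail verdict a build step can act on. The inventory, advisory entries, "latest version" table and license allow-list are all constructed for illustration.

```python
"""
Added example: a minimal SCA (software composition analysis) gate of the kind
the post describes. All data below is constructed; a real scanner would derive
the inventory from the build artifacts and the advisories from a vulnerability
database.
"""
from dataclasses import dataclass


@dataclass
class Dependency:
    name: str
    version: str
    license: str


@dataclass
class Finding:
    package: str
    kind: str       # "vulnerability", "license" or "outdated"
    detail: str
    severity: str   # "high", "medium" or "low"


# Constructed sample inventory (stand-in for what a scanner extracts from artifacts)
INVENTORY = [
    Dependency("lodash", "4.17.10", "MIT"),
    Dependency("left-pad", "1.3.0", "WTFPL"),
    Dependency("express", "4.17.1", "MIT"),
]

# Constructed advisory table: (name, affected version) -> (severity, note)
ADVISORIES = {
    ("lodash", "4.17.10"): ("high", "known vulnerable version (constructed entry)"),
}

# Constructed "latest known version" table used for the outdated check
LATEST = {"lodash": "4.17.21", "left-pad": "1.3.0", "express": "4.18.2"}

# License policy: only permissive licenses on the allow-list may ship
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}


def version_tuple(v):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def scan(inventory, advisories, latest, allowed_licenses):
    """Build the list of findings for every dependency in the inventory."""
    findings = []
    for dep in inventory:
        adv = advisories.get((dep.name, dep.version))
        if adv:
            findings.append(Finding(dep.name, "vulnerability", adv[1], adv[0]))
        if dep.license not in allowed_licenses:
            findings.append(Finding(dep.name, "license",
                                    f"{dep.license} not in allow-list", "medium"))
        newest = latest.get(dep.name)
        if newest and version_tuple(dep.version) < version_tuple(newest):
            findings.append(Finding(dep.name, "outdated",
                                    f"{dep.version} < {newest}", "low"))
    return findings


def gate(findings, fail_on=("high",)):
    """Return True when the build may proceed, False when a blocking finding exists."""
    return not any(f.severity in fail_on for f in findings)


def report(findings):
    """Render findings as one line each, the way a build log would show them."""
    return "\n".join(f"{f.severity.upper():6} {f.kind:13} {f.package}: {f.detail}"
                     for f in findings)


if __name__ == "__main__":
    found = scan(INVENTORY, ADVISORIES, LATEST, ALLOWED_LICENSES)
    print(report(found))
    print("BUILD", "PASSED" if gate(found) else "FAILED")
```

With the constructed data the run lists four findings (a high-severity vulnerable lodash, a disallowed left-pad license, and two outdated packages) and fails the build because of the high-severity entry; changing `fail_on` is how a team decides which severities block a release and which are merely reported.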
What is the WhiteSource tool?
WhiteSource is an open source security and license compliance management platform.
This scanning tool provides the inventory of all the open source components used in the solution. You can read how WhiteSource exactly works here.
Integration with vNext build
Before we add the WhiteSource step, we need to activate this plugin as shown below.
Note: You can obtain the activation code from Visual Studio subscriptions. You can try it for free for six months.
Secondly, we will integrate WhiteSource, as depicted in the screenshot below. Just add the step and point it to the artifacts.
After scanning, the build report looks like this: