What is WhiteSource?
WhiteSource automates the entire process of open source component selection, approval and management, including detection and remediation of security and compliance issues. It integrates with all stages of your software development lifecycle (SDLC) to alert you in real time and help you fix issues faster and more easily.
How does your product work?
Our plugins integrate with your repositories, build tools, CI servers and more. They calculate a digital signature for each of your components without ever scanning your code, then cross-reference those signatures against the WhiteSource database to detect the open source components in your products. An up-to-date report listing all detected components and issues is generated immediately, every time you run your build.
Is WhiteSource for Containers a separate product?
No. WhiteSource for Containers is part of the WhiteSource product. It integrates with more than 15 different tools (CI/CD, build tools, image registries and container management platforms) to give you an updated view of your containers' lifecycle. You can also define automated policies to block unwanted open source components from entering your containers.
Where does the vulnerability information come from?
The WhiteSource database is the biggest and most mature database of open source vulnerabilities. It contains more than 300,000 vulnerable components which are aggregated from the CVE/NVD, and various other sources like the GitHub issue tracker, security advisories, and open source projects issue trackers.
WhiteSource uses a proprietary, patented algorithm that matches each vulnerability only to the versions it actually affects, thus guaranteeing no false positives that waste developers' time.
Can you enforce customized policies? And how do you enforce them?
Yes, WhiteSource enforces policies automatically throughout the software development process. You can define your policies according to security vulnerability severity, open source license type, software bug severity, age of a component and many more criteria. Based on your criteria and definitions, you can approve or reject a component, initiate an approval flow or open an issue ticket.
In addition, WhiteSource offers a browser extension that notifies your developers whether a component they are looking at on the web meets your organization's policies, before they download it.
What type of reports do you offer?
We offer a variety of reports that help you monitor all of your open source activity, such as an inventory report, a due diligence report, a high severity bugs report, a vulnerability report and many more. You can see some examples at the bottom of this page.
Do you offer an on-premise option?
WhiteSource is a cloud-based service, but we also offer an on-premise option, if necessary. It’s important to emphasize that we do not scan your code. We also offer a dedicated instances option.
Can I still use your solution if my environment is not connected to the Internet?
Yes, some of our plugins can be used in isolated environments. The plugin generates the update request and saves it locally as a text file. This file is then moved to an online environment, from which it can be uploaded to WhiteSource either automatically or manually.
What browsers does the browser integration support?
WhiteSource browser integration supports Google Chrome. We’re looking to extend it to additional browsers in future releases.
Do I need to receive an invitation to use the browser integration?
Yes, your WhiteSource administrator needs to send you an email invitation to use the browser integration. It is a simple and quick process.
How do I see the results of the browser integration?
The browser integration supports any web page that mentions an open source component. You just need to click the toolbar icon to initiate the scan. It automatically scans web pages and detects package references. It supports Mvn repository, Maven Central, RubyGems, PyPI, npmjs, NuGet, Stack Overflow and many more.
How to view in-page results?
You will need to click on the WhiteSource icon on your browser’s toolbar. Identified open source components will have a special WhiteSource icon near them, together with an indication on the level of security vulnerabilities associated with the component.
You can click on the icon to get the detailed results.
What is WhiteSource Prioritize?
WhiteSource Prioritize uses groundbreaking new technology to enable organizations to check if and how their software projects are affected by employed open source software components that are reported to have security vulnerabilities.
What is WhiteSource for Developers?
WhiteSource for Developers is a new product offered to WhiteSource Core customers that aims to make developers' work simpler when using open source. It includes the following four tools:
1. WhiteSource Remediate
2. IDE Integration
3. Repo Integration
4. Browser Integration (formerly called Web Advisor or Selection Tool)
Which WhiteSource for Developers tools are supported for on-premise customers?
WhiteSource for Developers supports WhiteSource for GitHub Enterprise, Bitbucket server and Advise for Chrome.
How long does a scan take?
A scan takes just a few seconds and has no impact on your build.
Do you scan my source code?
We only calculate digital signatures without scanning your code and compare them to the digital signatures of the open source components in our database.
What is your false positive ratio?
We take pride in developing patented algorithms that assure no false positives.
Do you have to scan my entire code base every time?
WhiteSource does not scan your code at all. It only calculates the digital signature of your components and cross-references it against WhiteSource's database. By default, it detects only the delta from build to build, for maximum efficiency.
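To make the signature-matching and build-to-build delta idea concrete, here is an added illustration (not WhiteSource code) in which a component is identified purely by a digest of its artifact, resolved against a constructed component database, and only digests that changed since the previous build are reported as additions or removals. The choice of SHA-256, the database layout and all artifact bytes and vulnerability ids are assumptions or placeholders, not values from the page.

```python
import hashlib

# Constructed sample artifacts standing in for two consecutive build outputs.
# Only their digests are ever reported; the bytes stay on the build host.
PREVIOUS_BUILD = {
    "lib/foo-1.0.jar": b"constructed bytes of foo 1.0",
    "lib/bar-2.3.jar": b"constructed bytes of bar 2.3",
}
CURRENT_BUILD = {
    "lib/foo-1.1.jar": b"constructed bytes of foo 1.1",  # foo upgraded
    "lib/bar-2.3.jar": b"constructed bytes of bar 2.3",  # unchanged
    "lib/baz-0.9.jar": b"constructed bytes of baz 0.9",  # new, unknown to the DB
}

def digest(data: bytes) -> str:
    """SHA-256 is an assumption; the page does not name the signature algorithm."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the vendor-side database: digest -> component metadata.
# Vulnerability ids are placeholders, not real advisories.
KNOWN_COMPONENTS = {
    digest(b"constructed bytes of foo 1.0"): {"name": "foo", "version": "1.0", "vulns": ["VULN-PLACEHOLDER-1"]},
    digest(b"constructed bytes of foo 1.1"): {"name": "foo", "version": "1.1", "vulns": []},
    digest(b"constructed bytes of bar 2.3"): {"name": "bar", "version": "2.3", "vulns": ["VULN-PLACEHOLDER-2"]},
}

def fingerprint(build: dict) -> dict:
    """Map each artifact path to its digest; this is all that leaves the build host."""
    return {path: digest(data) for path, data in build.items()}

def delta(previous: dict, current: dict) -> tuple:
    """Digests added and removed since the last build, so only changes need re-checking."""
    prev, cur = set(previous.values()), set(current.values())
    return sorted(cur - prev), sorted(prev - cur)

def lookup(digests, db=KNOWN_COMPONENTS) -> dict:
    """Resolve digests against the database; an unmatched digest is flagged, never guessed."""
    return {d: db.get(d, {"name": None, "version": None, "vulns": [], "unmatched": True})
            for d in digests}

def scan(previous: dict, current: dict) -> dict:
    """Inventory of the current build plus the delta report a CI step would emit."""
    prev_fp, cur_fp = fingerprint(previous), fingerprint(current)
    added, removed = delta(prev_fp, cur_fp)
    inventory = lookup(cur_fp.values())
    vulnerable = sorted(f"{m['name']}-{m['version']}" for m in inventory.values() if m["vulns"])
    return {"added": lookup(added), "removed": lookup(removed), "vulnerable": vulnerable,
            "unmatched": [d for d, m in inventory.items() if m.get("unmatched")]}

if __name__ == "__main__":
    print(scan(PREVIOUS_BUILD, CURRENT_BUILD))
```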
Do you support mobile applications?
Of course. We support Go, Swift and many more languages, including APK, which enables us to detect open source components in a delivered software package.
Are you able to resolve transitive dependencies?
Yes. We detect all open source components, including their direct and transitive dependencies.
Does WhiteSource Prioritize pass customer code to the cloud?
No – WhiteSource Prioritize does not pass proprietary code. It passes only information about traces of proprietary code calls into open source components: the function name, the line number of the function call, the name of the file containing the call, the identifier of the vulnerability reported for the relevant open source library (e.g., a CVE id), and the vulnerable element(s) in that library.
What project environments are supported by WhiteSource Prioritize?
How long does it take to run WhiteSource Prioritize?
WhiteSource Prioritize was designed for high performance and scales to accommodate projects ranging from extremely small (a handful of libraries and dependencies) to extremely large projects (thousands of libraries and dependencies). The design underlying WhiteSource Prioritize enables it to complete analysis for projects with several hundreds of dependencies in mere minutes.
What languages and platforms does your solution support?
WhiteSource supports more than 20 programming languages, such as Java, C++, .NET, PHP, Python and more.
Which tools do you support?
We support many repositories, build tools, package managers, CI servers and more. You can check our integration page for more details.
Which container registries does it integrate with?
WhiteSource for Containers integrates with Docker, JFrog Artifactory, Amazon ECR, Azure Container Registry, and Google Container Registry.
I am currently using Google Kubernetes Engine (GKE), Amazon EKS or Microsoft AKS to manage and deploy my containerized environments. Do you support these managed services?
Yes. We support all the above managed service providers.
I can't find a plugin for my repository/build tool/CI server. Does that mean you cannot support it?
If you cannot find your desired tool, you can also use our Unified Agent for integration.
I like the WhiteSource web interface, but we use our own homegrown system. Do you offer APIs?
Yes, we offer REST APIs.
Can you integrate with my issue tracker (JIRA, WorkItem)?
Yes, we offer this kind of integration. You need to enter your issue tracker credentials, and then form a policy with an “Issue” action, and choose the issue tracker you are using.
Do you support on-premise issue tracker instances?
Yes. WhiteSource utilizes the issue tracker's generic API to generate new ticket creation requests. In most issue trackers, the same API request is used for both SaaS and on-premise deployments, so as long as your instance allows external incoming API requests, and the server where the instance resides is accessible from outside the organizational network, the integration should function properly.
Does WhiteSource have an integration with Atlassian Bitbucket Server?
Yes. The WhiteSource Bitbucket Server Integration detects open source components in each repository, alerts on vulnerable components in real-time, and combined with Code Insights for Bitbucket server, provides detailed information about the vulnerabilities to help developers make informed decisions about remediation. It also enforces organizational open source security policies automatically and generates automatic pull requests (PR) to fix open source security vulnerabilities.
This integration is available only for WhiteSource users.
Which repositories are supported with WhiteSource for Developers?
WhiteSource for Developers supports GitHub Enterprise, github.com and Bitbucket server.
What is your SLA?
Our standard SLAs are:
Severity 1: first analysis time 6 hours; standard restoration time 24 hours.
Severity 2: first analysis time 24 hours; standard restoration time 10 business days.
Severity 3: first analysis time 48 hours; standard restoration time 21 business days.
Severity 4: first analysis time 48 hours; standard restoration time N/A.
What types of communication do you offer for support?
Most of our communication is done via e-mail and comments in the support tickets.
When needed, we conduct meetings over the phone, but we don't offer phone support as a standard part of our service.
Do you offer on-site support/implementation?
We support our customers remotely. For on-premise installations we conduct hands-on sessions with the customer, jointly connecting to the environment to troubleshoot.
In cases where a critical issue cannot be resolved remotely, we also support on-site visits to ensure a quick turnaround.
Is WhiteSource compliant with GDPR?
Yes, you can read more information here.
Is WhiteSource ISO27001 certified?
Yes, WhiteSource is ISO27001 certified.
What type of onboarding do you provide?
The onboarding process is included in our pricing. As part of it, we accompany our customers through the whole deployment process: plugin integration, platform configuration, understanding reports and dashboards, and analyzing the data provided by WhiteSource. We also share best practices and suggest proven processes so that maximum value can be derived from our tool.
What is a Contributing Developer?
"Contributing Developer" means any employee or contractor of Customer who at any point (1) accesses or uses the WhiteSource software; and/or (2) develops, maintains, or otherwise works in connection with any software application that has been scanned or monitored by the WhiteSource software.
Why do you price per Contributing Developer?
WhiteSource automates and manages open source components throughout the Software Development Life Cycle (SDLC). Therefore, pricing based on the number of Contributing Developers best reflects the impact of our solution, without limiting you to artificial factors such as size of code or number of scans.
Is pricing per user available?
No. The number of portal users does not reflect the work that is actually being performed in order to support these developers. We find that many organizations can manage their open source usage with a limited number of portal users, for example by leveraging our APIs and consuming our data outside the web portal.
Does the above pricing include all vulnerability sources?
Yes. WhiteSource offers one comprehensive solution that includes the full extent of our database with vulnerabilities from the CVE and dozens of other sources and unlimited capabilities (unlimited number of plugins, unlimited number of users, unlimited number of policies, and more).
Are there additional fees per scan?
No. We believe that only through continuous monitoring can our customers take full advantage of WhiteSource’s capabilities. Our recommended practice is to activate our plugins with every commit, or nightly build, and therefore we offer an unlimited number of scans.
Are there additional fees per GB?
No. We take pride in offering transparent, simple and predictable pricing.
We price per Contributing Developer, since we know managers have better visibility into the growth of their head count than into the size of their software or its lines of code.
Is WhiteSource Prioritize included in all WhiteSource pricing plans?
WhiteSource Prioritize is not included in the cost of WhiteSource Core. WhiteSource customers interested in WhiteSource Prioritize should approach their account representative.