Open Source and Relevance of Open Source Security
Open-source refers to any software or libraries with publicly accessible source code. It is generally free to use and developed and maintained through community collaboration. By having access to a program’s source code, developers can modify the software/libraries according to their need. To successfully achieve their goals within short software release cycles, developers or organizations use open source software components. In doing so they gain competitive advantage in many ways. Some of them being, speed up software delivery, save money on development, stay flexible, and stay updated on latest technology.
But using open source software comes with its own complexity and risk. There’s added complexity when one uses open source code to integrate and redistribute it their own products and software. Open Source code comes from multiple sources, have various licenses, have varied levels of quality and maturity and comes with various levels of vulnerabilities. Due to these factors open source can expose organizations to issues with security, integration, support and management, not to mention legal action. This is why companies that successfully leverage open source for business advantage, have established processes to manage the open source usage effectively. And that’s why open source security is so important.
WhiteSource and WhiteSource Bolt
WhiteSource is an open source security and license compliance management platform. It’s a tool that provides an inventory of all the open-source components used in your projects. It integrates with the Azure DevOps build pipeline and keeps you advised on any issues in the open-source libraries that you’re using and even provide recommendations on how to fix them. WhiteSource comes in a few different versions. There’s the Full Solution, and there’s also a version called WhiteSource Bolt for Azure DevOps and another version of WhiteSource Bolt for GitHub.
|WhiteSource Full Solution||WhiteSource Bolt for Azure DevOps|
|Paid product||Its free|
|Unlimited scans||Allows to scan the project five times per day|
|Supports over 200 languages, frameworks, and development environments||Supports a limited subset of languages and integrates with Azure pipelines only|
|Provides visibility across organization and its projects||Limited to project|
|Lot of built-in reports at the project, product, or organization level, including trend reports||Reporting is limited|
The WhiteSource Full Solution is a paid product while WhiteSource Bolt for Azure DevOps is free. With the Full Solution, you get real-time alerts, automated workflows, and even automated pull requests whenever dependencies need updating. Reporting is limited with WhiteSource Bolt. But you do get an inventory of the open-source software libraries in use in your project. It also provides vulnerabilities related to those libraries, the licenses they use, and whether the libraries are out of date. While WhiteSource Bolt is limited compared to the Full Solution, it’s still very powerful and it’s certainly a lot better than no scanning of your open- source libraries. Next, let’s see how to integrate WhiteSource Bolt into our build pipeline.
Setup Azure DevOps for WhiteSource Bolt
I am using a .NET Core MVC web application (called SKBookClub which I have used a few times before). The application is already integrated with Azure DevOps. Which means, my source code resides in Azure Repos and I already have a build pipeline created. Another point to note is, I have SonarCloud integrated in by build pipeline as described in my previous post. Therefore, you will see reference to that. Let’s get started.
Step 1: First, we need to install the Azure DevOps extension from the marketplace. So let’s browse to the marketplace at the top right corner and search for ‘WhiteSource‘. If you have a WhiteSource account and you want to leverage the full features of the product, you can install the WhiteSource extension, but I am going to use the free WhiteSource Bolt extension for this demo. Therefore, I’ll choose WhiteShource Bolt and on the overview page click ‘Get it free’. It takes me to the marketplace install page where the drop-down is already defaulted to the Azure DevOps organization where I want the extension installed. Click on Install.
Step 2: Let’s open up the project that we need to configure. The first thing we need to do is to configure the extension. Under Pipelines, there’s now a menu item called WhiteSource Bolt. I need to enter some contact information in order to set up the product and get updates. Fill up the fields and click Get Started. This opens up a Whitesource Bolt webpage with some videos, you can close it.
Configure Azure Build Pipeline for WhiteSource Bolt
Step 3: Next, lets go to our build pipeline and click Edit. As you can see, I already have SonarCloud within this build, I’ll be running WhiteSource Bolt after the SonarCloud task. technically, the WhiteSource Bolt task needs to be added after the build is complete.
Position the cursor after the Build task and search for WhiteSource in the Tasks menu. When WhiteSource Bolt comes up, select that. By default, the task will search the entire project directory, but we have options to change that. Under advanced options, we can add a list of folders to exclude or include in the scanning.
Step 4: I’ll just add this task with no additional parameters. I removed the inputs field, as I don’t need that. Instead, I will just enter a displayName parameter and call it WhiteSource Bolt. Now we’re ready to save this. Since my CI built is set up, saving it triggers a build.
Analyze the WhiteSource Bolt Scan Results
Now that the build is finished, we can go to the WhiteSource Bolt menu item under Pipelines where we can view the results of the scan. There is a security section that tells you a few things at a glance.
- The vulnerability score rates the overall vulnerability based on the single highest severity of any vulnerability scanned.
- The vulnerable Libraries section shows the number of secure and vulnerable libraries.
- The Severity Distribution breaks down the severity level of the libraries
- The Aging Vulnerable Libraries section shows the length of time since the found vulnerabilities were first detected in the open-source community
Moving down to the Security Vulnerabilities section, there’s a link to each vulnerability in the CVE or Common Vulnerabilities and Exposures database. There’s a description of the vulnerability. Then there’s a recommended fix in the Top Fix column.
License Risks and Compliance Section
Moving down to License Risks and Compliance, you can see all the associated licenses with the open-source libraries in your project and how many occurrences there are. I am using pretty standard libraries as part of the Visual Studio ASP.NET Core project template so the risk is low in terms of the license types. There are a few unknowns as well (which I have to check what they are).
Next, WhiteSource breaks down all the outdated libraries in the project, and it looks like I am a few versions behind in all these libraries.
Outdated Libraries and Inventory Section
And finally, is the full inventory of open-source libraries. You can see I am just using standard libraries here, Bootstrap and jQuery, but this gives you a list of all the libraries in your project. Remember, WhiteSource Bolt is free, but you can only scan a project up to five times per day, and after that, the scan will fail. So you could either get a full WhiteSource license or you might want to run WhiteSource Bolt as part of a separate full scan overnight rather than as a part of continuous integration builds.
So that’s how to integrate WhiteSource into your Azure DevOps pipeline to ensure the security and licensing of your open-source software components. WhiteSource Bolt redefines developer-focused application security tools with a free offering of integrated security alerts for open source vulnerabilities.
If your software development process uses open-source libraries, then it is highly recommended to use a tool that helps manage them; whether its WhiteSource or any other similar products like SonaType Nexus.