Unified Agent Configuration Parameters

NOTE: One of the following is a required field: -project or -projectToken. When using projectToken, you do not need to specify productName or productToken.

Configuration File Parameter	Description and Expected Behavior	If True	If False	Default	Command Line Parameter Available?
apiKey	(Mandatory) A unique identifier of your organization. Used to identify the organization in plugins.	N/A	N/A	No default	-apiKey
userKey	Unique identifier of the user that can be generated from the Profile page in your Mend account. NOTE: Required only if Enforce user level access is selected in the Integrate page.	N/A	N/A	No default	-userKey
requesterEmail	The provided email will be matched with an existing Mend account. Requests for new libraries will be created with the matched account as the requester email. user@provider.com	N/A	N/A	No default	No
projectName	The name of the project to update (mandatory). NOTE: Only required if projectToken is not defined.	N/A	N/A	No default	-project
projectVersion	The project's version. NOTE: Added to the name if Use version in project names is selected in the Integrate page.	N/A	N/A	No default	-projectVersion
projectToken	Unique identifier of the project to update; found on the Integrate page. NOTE: Only required if projectName is not defined.	N/A	N/A	No default	-projectToken
projectTag	Enables setting of project tag only for a newly-created project. Project tag should be defined with key:value For example: projectTag= myTagKey:myTagValue NOTE: This parameter is not supported when using the Repo Integrations or the Azure DevOps Services Integration.	N/A	N/A	No default	-projectTag
productName	The name of the product to update. NOTE: Only required if projectToken is not defined.	N/A	N/A	MyProduct	-product
productVersion	Version of the product and project to update. It overrides the project version.	N/A	N/A	No default	-productVersion
productToken	Unique identifier of the product to update; found on the Integrate page. NOTE: Only required if projectToken is not defined.	N/A	N/A	No default	-productToken
projectPerFolder	Creates one project per subfolder according to your "-d" parameter. Each subfolder is named according to the folder.	A project per folder is created	A project per folder is not created	False	-projectPerFolder
projectPerFolderIncludes	Comma or space-delimited list of folder names to be included in the scan. NOTE: Relevant only if projectPerFolder is True.	N/A	N/A	All folders	No
projectPerFolderExcludes	Comma or space-delimited list of folder names to be excluded from the scan. NOTE: Relevant only if projectPerFolder is True.	N/A	N/A	Empty	No
wss.connectionTimeoutMinutes	Connection timeout in minutes.	N/A	N/A	60
wss.url	Enable the relevant URL according to your organization's WS Server URL from your Profile page on the Server URLs panel (additionally, it can be found in the Integrate tab). Then, add the agent path. The following URLs are supported: WhiteSource https://saas.whitesourcesoftware.com/agent https://saas-eu.whitesourcesoftware.com/agent https://app.whitesourcesoftware.com/agent https://app-eu.whitesourcesoftware.com/agent Mend https://saas.mend.io/agent https://saas-eu.mend.io/agent https://app.mend.io/agent	N/A	N/A	https://saas.whitesourcesoftware.com/agent	-wss.url

Policies

Policies enable organizations to set and enforce open source adoption policies. Parameters related to policy scan settings.

Configuration File Parameter	Description and Expected Behavior	If True	If False	Default	Command Line Parameter Available?
checkPolicies	Whether to send the check policies request before updating mend.	In case of policy violation, the scan will end with ERROR exit code POLICY_VIOLATION (-2).	The scan will end with SUCCESS. Inventory will be updated regardless of policy violations. No policy-related data will be generated.	False	No
forceCheckAllDependencies	Force checks all dependencies. NOTE: Used only if checkPolicies and updateInventory is set to True.	Checks all policies for all dependencies introduced to the Mend projects.	Checks only the new dependencies introduced to the Mend projects.	False	No
updateInventory	Whether to send an update request.	Sends an update request.	Sends a check policies request to mend without sending the update request; meaning the user will perform checkpolicies request without updating its inventory in mend.	True	No
forceUpdate	Whether to update organization inventory regardless of policy violations. NOTE: Used only if checkPolicies and updateInventory are both set to True.	Updates the project even if the checkPolicies step failed. App- Update Exit code- End with SUCCESS Output- No Error message	In case of a policy violation: App- No update Exit code- (-2) Output-end with Error	False	No
forceUpdate.failBuildOnPolicyViolation	Determines whether the Unified Agent exit code will be the result of the policy check or the result of the scan. NOTE: Used only if forceUpdate and updateInventory are both set to True.	The Unified Agent exit code will be the result of the policy check, meaning if there is a failure in checkpolicies the exit code is -2.	The Unified Agent exit code will be the result of the scan. (success or failure)	False	No

General

Miscellaneous parameter settings.

Configuration File Parameter	Description and Expected Behavior	If True	If False	Default	Command Line Parameter Available?
offline	Whether to create an offline update request instead of sending one to mend.	An offline request file is created in the Mend folder next to the scanned project.	Results are sent directly to the server.	False	-offline
offline.zip	Whether to create a zipped offline update request instead of sending one to mend.	A zipped offline request file is created in the Mend folder next to the scanned project.	The offline request will not be zipped.	False	No
updateType	If scanning a previously-scanned project, whether to append or override the results. APPEND - Add the scanned libraries to the project’s inventory. If only a transitive dependency has been added, it will be added as a direct dependency, so all of the application's mechanisms such as alerts and policies will be applied on it. Use this value only in case of working with multiple build processes that are managed under the same Mend project. `OVERRIDE`- Adds the newly-added dependencies (the difference)	N/A	N/A	OVERRIDE	-updateType
includes	Whether to include specific files in the scan. NOTE: This parameter is relevant only for the file system scan, controlled by the fileSystemScan parameter.	Specifies which files to include in the scan (e.g., file extensions, file names, folder names, etc.). A list of arguments is received, delimited by a comma, semicolon, or space.	All files will be included in the scan.	Comprises all the Mend supported extensions that will be applied to all the Unified Agent's configuration methods (environment variables, config file, etc.).	No
excludes	Whether to exclude specific files from the scan. If a directory is specified to be excluded, no manifest files located in the directory will be picked up by the different resolvers. NOTE: This parameter is relevant for the file system scan and the package manager resolutions.	Specifies which files to exclude from the scan (file extensions, file names. folder names, etc.). A list of arguments is received, delimited by a comma, semicolon, or space.	No files will be excluded from the scan.	*/., /node_modules, /src/test, /testdata, /sources.jar, /javadoc.jar For examples on how to exclude directories or files using GLOB patterns, please refer to this section.	No
fileSystemScan	Performs a file system scan for source files and binaries, in addition to the package manager based dependencies resolution. The files to be scanned can be controlled by the includes and excludes parameters and the resolver-specific ignoreSourceFiles parameters. NOTE: This parameter replaces the formally deprecated ignoreSourceFiles.	Performs a file system scan for source files and binaries, in addition to the package manager based dependencies resolution.	Only package manager based dependencies resolution is being performed.	True	No
scanComment	Adds a comment to a scan. The comment is then displayed in the Project Vitals panel of the Project pages, and the Plugin Request History Report. Supports UTF-8 characters.	A comment is added to the scan.	No comments will be added to the scan.	No default	-scanComment
failErrorLevel	When set to ALL - the Unified Agent will exit on any major error (such as resolution failed, pre-steps error, etc.) Otherwise, there is no change in behavior. Possible values - ALL or DEFAULT (upper-case only)	N/A	N/A	"DEFAULT"	No
requireKnownSha1	Checks for dependencies with known/unknown SHA-1.	The Unified Agent will terminate the scan if one or more dependencies with an unknown SHA-1 were found. NOTE: Enabling this parameter ensures that all of the results generated from Prioritize scans are 100% correct. This does not apply to JS Prioritize scans which do not require this parameter enabled.	The scan will continue normally.	True	-requireKnownSha1
generateProjectDetailsJson	Whether to generate a JSON file upon scan completion containing the projectTokens and projectNames.	The Unified Agent generates a JSON file at the end of the scan named scanProjectDetails.json containing the projectTokens and projectNames.	The JSON file report will not be generated.	False	No
generateScanReport	(For Organization and Product Administrators only) Whether to create a report in JSON format at the end of the scan, which includes information on vulnerabilities, policy violations, top fixes, and inventory details. The filename format is '<project_name>-<yyyy-mm-dd>T<HHmmss>+<UTC offset>-scan_report.json'. For example: 'Demo App-2019-06-04T181226+0300-scan_report.json' NOTES: The userKey configuration parameter is mandatory for this report. To generate this report, the configuration parameter updateInventory must be set to True. This parameter does not work in offline mode.	A report in JSON format is created at the end of the scan, which includes information on vulnerabilities, policy violations, top fixes, and inventory details.	The report will not be generated.	False	-generateScanReport
scanReportTimeoutMinutes	Time-out (in minutes) for the process of generating the scan report. If the timeout interval has passed then the report will not be generated, but the scan will continue.	N/A	N/A	10	No
scanReportFilenameFormat	Controls the filename format of a generated scan report. Valid values are: `project_with_timestamp` (default) - the format will be: <project_name>-<yyyy-mm-dd>T<HHmmss>+<UTC offset>-scan_report.json `project_only` - the format will be: `<project_name>-scan_report.json` `static` - the format will be scan_report.json	N/A	N/A	Default value is "`project_with_timestamp"`	No
commandTimeout	Time-out (in seconds) for the running of commands.	N/A	N/A	900	No
updateEmptyProject	Whether to create an empty project in Mend or to update an existing project with empty data. NOTE: This parameter affects all resolvers/package managers.	Updates/creates a project even if there are no dependencies.	Will not create/ update the empty project.	True	No
log.files.level	For storing logs by default, this determines the log's level: Trace Debug (default) Info Warn Error Off - Deactivates the feature NOTES: The location of the logs is determined by the log.files.path parameter. In the Unified Agent, each successive scan of the same library generates its own folder. The structure is: wss-scan-<date>-<time>	N/A	N/A	Debug	-log.files.level
log.files.maxFileSize	For storing logs by default, this is the maximum size in MB. If exceeding this size, the file will be overridden. NOTE: This reflects one run (cycle) of the Unified Agent. The files accumulate after each run.	N/A	N/A	10 MB	No
log.files.maxFilesCount	For storing logs by default, this is the maximal count of log files. If exceeding this size, the oldest files will be overridden with new files. NOTE: This reflects one run (cycle) of the Unified Agent. The files accumulate after each run.	N/A	N/A	3	No
log.files.path	Location of the created log file. NOTE: In Windows, do not put "`\` " at the end of the value.	N/A	N/A	The default location of the logs is in the 'mend' folder (determined by the whiteSourceFolderPath parameter)	No
log.level	Specifies the minimal log level printed to stdout/command line Trace Debug Info (default) Warn Error Off - Deactivates the feature	N/A	N/A	Info	-log.level
sendLogsToWss	Whether to send logs to mend.	Sends logs to mend.	Will not send logs to mend.	False	No
case.sensitive.glob	Whether the file system should be case sensitive.	The file system will be case sensitive.	The file system will not be case sensitive.	False	No
showProgressBar	Whether to display a progress bar inside logs. NOTE: This parameter is valid for the Unified Agent only (not Prioritize).	Progress bars will be displayed inside logs.	Progress bars will not be displayed inside logs.	True	No

Package Manager Dependency Resolvers

Parameters related to package manager scan configurations.

NOTE: All Package Manager Dependency resolvers are set to True by default. There are additional parameters for repo integrations like GitHub.com.

General

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

resolveAllDependencies

Whether to enable or disable by default all dependency resolvers for a scan.

For example, when the following parameters are set, only npm dependencies will be resolved in this case:
resolveAllDependencies=false
npm.resolveDependencies=true
#maven.resolveDependencies=false

When set to True, the default for all package managers' resolveDependencies parameter is set to True, unless explicitly set to False.

When set to False, the default for all package managers' resolveDependencies the parameter is set to False, unless explicitly set to True.

True

-resolveAllDependencies

excludeDependenciesFromNodes=.*commons-io.*,.*maven-model

Comma-delimited list of regular expressions.

Specify an artifact id or multiple artifact ids (comma-delimited) to exclude the provided tree nodes and their sub-nodes from the scan.

NOTE: These will not be added to your project inventory.

N/A

No default

No

Includes/Excludes Glob Patterns

These parameters specify which files to include/exclude in the scan (file extensions, file names. folder names, etc.), and receive a list of arguments delimited by a comma, semicolon, or space.

NOTES:

These parameters cannot be specified in the command line, but can be set by the environment variables includes and excludes.
The includes parameter is relevant only for the file system scan, controlled by the fileSystemScan parameter.
The excludes parameter, is relevant for the file system scan and the package manager resolutions. If a directory is specified to be excluded, no manifest files located in the directory will be picked up by the different resolvers.
The includes parameter has a default value (comprising all the Mend supported extensions) that will be applied to all the Unified Agent's configuration methods (environment variables, config file, etc.).
The excludes parameter has a default value of:
**/.*, **/node_modules, **/src/test, **/testdata, **/*sources.jar, **/*javadoc.jar

Use only one exclude line and one include line.

includes=**/*.c **/*.cc **/*.cp **/*.cpp **/*.cxx **/*.c++ **/*.h **/*.hpp **/*.hxx
#includes=**/*.m **/*.mm **/*.js **/*.php
#includes=**/*.jar
#includes=**/*.gem **/*.rb
#includes=**/*.dll **/*.cs **/*.nupkg
#includes=**/*.tgz **/*.gzip **/*.tar.bz2
#includes=**/*.zip **/*.tar.gz **/*.egg **/*.whl **/*.py

#Exclude file extensions or specific directories by adding **/*.<extension> or **/<excluded_dir>/**

excludes=**/*sources.jar **/*javadoc.jar

case.sensitive.glob=false
followSymbolicLinks=true

Archive Properties

Properties related to archive file extraction (.rar,.zip, .jar).

The drill-down hierarchy is limited to a maximum of 10 and can be modified in the configuration file.
By default, the drill-down hierarchy level is zero - no drill-down.

For a list of supported archive file types, refer here.

Configuration File Parameter	Description and Expected Behavior	If True	If False	Default	Command Line Parameter Available?
archiveExtractionDepth	The number of levels to extract from archive files (up to 10)	N/A	N/A	0 (archive extraction is disabled)	No
archiveIncludes=/.war /.ear**	Comma, space or line-delimited list specifying which archive files to include during the scan	N/A	N/A	Empty	No
archiveExcludes=/sources.jar*	Comma, space or line-delimited list specifying which archive files to exclude during the scan	N/A	N/A	Empty	No

Scan Modes

Scan mode options (Docker images, Docker containers, etc.).

Docker Images

For more information regarding Docker images, see here.

Configuration File Parameter	Description and Expected Behavior	If True	If False	Default	Command Line Parameter Available?
docker.scanImages	Runs scans on all or specified images. When set to True, only Docker image scan will occur. This will include the detection of Linux packages, and a general scan of the image file system for package managers' based resolution and identification of source files/binaries. See here for more information on scanning Docker images.	Only the Docker image scan will occur.	Docker image scan will not take place.	False	-docker.scanImages
docker.includes	Comma, space or line-delimited list specifying which images to include in the scan. Values provided should come from either of the following: Repository (image name) Tag Image ID NOTE: You can also use a combined name and tag syntax CODE `<name>.<tag>` For example: ubuntu.latest This combined syntax does not work with Image ID.	N/A	N/A	The default value is ".." (All images will be scanned)	No
docker.excludes	Comma, space or line-delimited list specifying which images to exclude in the scan. Values provided should come from either of the following: Repository (image name) Tag Image ID NOTE: You can also use a combined name and tag syntax CODE `<name>.<tag>` For example: ubuntu.latest This combined syntax does not work with Image ID.	N/A	N/A	Empty (No images will be excluded)	No
docker.excludeLayersByLabel	Enables scanning Docker layers defined after a specific label. This feature can be used to exclude certain Docker layers from the scan, for example, the layers that comprise the base image. The parameter should be set with a label string (key=value) which will direct the Unified Agent to scan only the Docker layers that appear after the specified label. NOTES: This feature is currently in Beta status. The mechanism is based on the Docker LABEL instruction and is not applicable for labels defined via the docker build command.	N/A	N/A	Empty	No
docker.projectNameFormat	Determine's the Docker project's name's format. If the value is set to default, the project name created in Mend comprises the Docker repository name, tag and ID, in the following format: CODE `<Image Name> <Image Tag> <Image ID>` If the value is set to repositoryNameAndTag, then the project name created in Mend comprises the Docker repository name and tag, in the following format: CODE `<Image Name> <Image Tag>` If the value is set to repositoryName, the project name comprises only the Docker repository name: CODE `<Image Name>` NOTE: Irrelevant when docker.scanTarFiles=true.	N/A	N/A	"DEFAULT"	No
docker.scanTarFiles	Used when the user supplies the tar file of a Docker image. NOTE: The project name will be derived from the tar file name.	The Unified Agent will scan the .tar file as a Docker image.	The Unified Agent will not scan the .tar file as a Docker image.	False	No
docker.layers	Enables users scanning docker images to receive information regarding packages in layer granularity. The layer granularity can be viewed in the interface under the hierarchical display.	Provides information packages in layer granularity. The scan will split the result into layers, each layer contains all packages/libraries and files found under the layer (in case a package was added at layer 2 and deleted from 3, it will not appear at all in the result, since its not part of the final result).	Will not provide the aforementioned information.	False	No
docker.pull.enable	Whether to execute "pull" from all relevant registries	Executes 'pull' from all relevant registries	Will not pull anything	False	No
docker.pull.images	Pull Docker images that match the specified filter (string). Can include regular expressions or a list of space-delimited values.	N/A	N/A	Empty (all images will be pulled)	No
docker.pull.maxImages	Defines the maximum number of images to be pulled. When this number of pulled images is reached, no more images are pulled.	N/A	N/A	10	No
docker.pull.tags	Pulls Docker images whose tags match the specified filter (string). Can include regular expressions or a list of space-delimited values.	N/A	N/A	Empty (all images will be pulled)	No
docker.pull.digest	Pull Docker images whose digests match the specified filter (string). Can include regular expressions or a list of space-delimited values.	N/A	N/A	Empty (all images will be pulled)	No
docker.delete.force	Enables mend to use Docker to delete images via the 'force' flag. This is required if the user pulled images that are related to other images, so in this case a regular delete may not work. NOTE: Use this parameter with caution.	Mend uses Docker to delete images via the 'force' flag.	Mend will not use Docker to delete images via the 'force' flag.	False	No
docker.login.sudo	Whether the Unified Agent will run 'sudo docker login'.	The Unified Agent will run 'sudo docker login'.	The Unified Agent will not run 'sudo docker login'.	True	No
docker.aws.enable	Enables pulling Docker Images from Amazon Elastic Container Registry (ECR). NOTE: If set to True, the 'docker.scanImages' and 'docker.pull.enable' parameter values are also set to True.	Pulls Docker Images from Amazon Elastic Container Registry (ECR).	Will not pull Docker Images from Amazon Elastic Container Registry (ECR).	False	No
docker.aws.registryIds	The Registry IDs list on Amazon Web Services (the AWS 12-digit account IDs that correspond to the Amazon ECR registries). The list must include the following: Full registry IDs and no GLOB patterns. At least one registry ID. Values are space-delimited. NOTE: Required if docker.aws.enable=true.	N/A	N/A	No default	No
docker.azure.enable	Enables pulling Docker Images from Azure Container registry. NOTE: If set to True, the 'docker.scanImages' and 'docker.pull.enable' parameter values must also be set to True.	Pulls Docker Images from Azure Container registry.	Will not pull Docker Images from Azure Container registry.	False	No
docker.azure.userName	Username for Azure Container registry. NOTE: Required if docker.azure.enable is True.	N/A	N/A	No default	No
docker.azure.userPassword	Password for Azure Container registry. NOTE: Required if if docker.azure.enable=true. However, it is not mandatory if you already logged in manually to your Azure account via the Azure Client CLI.	N/A	N/A	No default	No
docker.azure.registryNames	Docker registry names in Azure Container registry, space-delimited. NOTE: Required if docker.azure.enable=true.	N/A	N/A	No default	No
docker.azure.authenticationType	Whether to use “containerRegistry” or "userAccount" as the authentication type. Using "userAccount" login method require setting should be filled "docker.azure.userName" and "docker.azure.userPassword" Using "containerRegistry", login method will login to each registry using registry username and password provided in config file in the param docker.azure.registryAuthenticationParameters	N/A	N/A	userAccount	No
docker.azure.registryAuthenticationParameters	Registry authentication parameters should contain username and password for each registry in the following format <registryUsername>:<registryPassword>. If there are more than one registry contain in docker.azure.registryNames param then username and password should be provided separated by space: <registry1UserName>:<registry1Password> <registry2UserName>:<registry2Password>	N/A	N/A	No default	No
docker.artifactory.enable	Enables pulling Docker Images from the Artifactory Pro Docker registry. NOTE: Verify that the 'docker.scanImages' and 'docker.pull.enable' parameter values are also set to True.	Pulls Docker Images from the Artifactory Pro Docker registry.	Will not pull Docker Images from the Artifactory Pro Docker registry.	False	No
docker.artifactory.url	Artifactory URL including http:// or https:// and contextpath (Artifactory default contextPath is “/artifactory" ) NOTE: Required if if docker.artifactory.enable=true. Where read-only users are created via docker.artifactory.dockerAccessMethod, this must consist of http/s://<public server name>:<HTTP/S port>/<public context path>.	N/A	N/A	No default	No
docker.artifactory.pullUrl	If ‘docker.artifactory.pullUrl’ is empty, use original behavior of 'docker.artifactory.url' If ‘docker.artifactory.pullUrl’ is not empty use it as URL to docker [login/pull] commands while ‘docker.artifactory.url’ is used to run REST API command for artifactory.	N/A	N/A	No default	No
docker.artifactory.userName	Username for Artifactory Pro Docker registry NOTE: Required if docker.artifactory.enable=true.	N/A	N/A	No default	No
docker.artifactory.userPassword	Password for Artifactory Pro Docker registry. NOTE: Required if docker.artifactory.enable=true.	N/A	N/A	No default	No
docker.artifactory.repositoriesNames	Repository names in Artifactory Pro Docker registry, space-delimited list. NOTE: Required if docker.artifactory.enable=true.	N/A	N/A	No default	No
docker.artifactory.dockerAccessMethod	Required when the user has read-only access. Values are: repopath, subdomain, port. In case customers use port method 'docker.artifactory.dockerAccessMethod=port', 'repository port' must be added to each repository in ‘docker.artifactory.repositoriesNames' in this format: <repositoryName>:<repositoryPort>	N/A	N/A	No default	No
docker.hub.enabled	Enables pulling Docker Images from the Docker Hub registry. NOTE: Verify that the 'docker.scanImages' and 'docker.pull.enable' parameter values are also set to True.	Pulls Docker Images from the Docker Hub registry.	Will not pull Docker Images from the Docker Hub registry.	False	No
docker.hub.userName	Username for Docker Hub registry. NOTE: Required if docker.hub.enable=true	N/A	N/A	No default	No
docker.hub.userPassword	Password required for Password for Azure Container registry. NOTE: Required if docker.hub.enable=true	N/A	N/A	No default	No
docker.hub.organizationsNames	Space-delimited list of organizations under the user to be scanned. NOTE: Required if docker.hub.enable=true.	N/A	N/A	No default	No
docker.gcr.repositories	A list of repositories, comma-delimited. If empty, the Unified Agent will use the default repository. Example value: http://gcr.io/whitesource-main,gcr.io/whitesource-johnsmith	N/A	N/A	Empty	No
docker.gcr.enable	Enables pulling Docker Images from Google Container Registry with Docker. NOTE: Verify that the docker.scanImages and docker.pull.enable parameter values are also set to 'true'	Pulls Docker Images from Google Container Registry with Docker.	Will not pull Docker Images from Google Container Registry with Docker.	False	No
docker.gcr.account	Email of Google Container Registry account.	N/A	N/A	Empty	No

Docker Containers

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

docker.scanContainers

Scan all or specified containers.
When set to True, only Docker container scan will occur. This will include the detection of Linux packages, and a general scan of the container file system for package managers' based resolution and identification of source files/binaries.

Before starting a container scan, run the command "docker ps -a" to check for listed containers.
See here for more information on scanning Docker images.

Only the Docker container scan will occur.

Docker container scan will not take place.

False

No

docker.containerIncludes

Comma, space or line-delimited list specifying which containers to include in the scan.

Values provided should come from any of the following:

Container ID
Container name
Image name

N/A

The default value is "*" (all containers will be scanned)

No

docker.containerExcludes

Comma, space or line separated list specifying which containers to exclude in the scan.

Values provided should come from any of the following:

Container ID
Container name
Image name

N/A

Empty (no container will be excluded)

No

Linux Package Manager Settings

Configuration File Parameter

Description and Expected Behavior

If True

If False

Default

Command Line Parameter Available?

scanPackageManager

Scans Linux packages by their file name and version. Supported package types are Debian, RPM, Alpine, Arch Linux, and DNF.

Depending on the package type, one of the following commands will be run:

Debian: dpkg -l
RPM: rpm -qa
Alpine: apk -vv info
Arch Linux: pacman -Q
DNF/ centOS:8 - no command, image should contain at least journal.log file (installation log) and rpm.dnf.log file (in case of system packages update was executed).

The Linux packages mentioned here will be resolved. All other dependency resolvers will be disabled even if the 'resolveDependencies' parameter is set to True.

No operating system packages will be scanned.

False

No

Serverless Settings

Configuration File Parameter	Description and Expected Behavior	If True	If False	Default	Command Line Parameter Available?
serverless.provider	Provider of serverless functions	N/A	N/A	aws-lambda	No
serverless.scanFunctions	Whether or to run the serverless functions	Scans serverless functions	Will not scan serverless functions	False	No
serverless.includes	Comma, space or line-delimited list of GLOB patterns specifying which serverless functions to run.	N/A	N/A	Empty	No
serverless.excludes	Comma, space or line-delimited list of GLOB patterns specifying which serverless functions to exclude.	N/A	N/A	Empty	No
serverless.region	The provider's region.	N/A	N/A	Empty	No
serverless.maxFunctions	The maximum number of functions that can be run.	N/A	N/A	10	No

Artifactory Settings

For more information regarding Artifactory integration, see here.

Configuration File Parameter	Description and Expected Behavior	If True	If False	Default	Command Line Parameter Available?
artifactory.enableScan	Whether to run Artifactory repository scanner	Runs the Artifactory repository scanner (not the Unified Agent).	Will not run the Artifactory repository scanner	False	No
artifactory.url	Artifactory host URL. NOTES Required when `artifactory.enableScan` is True.	N/A	N/A	No default	No
artifactory.accessToken	Artifactory access token. NOTES: Required when `artifactory.enableScan` is True When `artifactory.userName` & `artifactory.userPassword` are available; If all 3 parameters are available - the username/password have priority)	N/A	N/A	No default	No
artifactory.repoKeys	List of repository names space/comma-delimited. NOTE: Required when `artifactory.enableScan` is True.	N/A	N/A	No default	No
artifactory.userName	Artifactory user name NOTE: Required when `artifactory.enableScan` is True, unless `artifactory.accessToken` is available.	N/A	N/A	No default	No
artifactory.userPassword	Artifactory user password NOTE: Required when `artifactory.enableScan` is True, unless `artifactory.accessToken` is available.	N/A	N/A	No default	No
artifactory.includes	Comma, space or line separated list of Regex patterns specifying which Artifactory repositories/folders/files to scan.	N/A	N/A	Empty	No
artifactory.excludes	Comma, space or line separated list of Regex patterns specifying which Artifactory repositories/folders/files to exclude.	N/A	N/A	Empty	No

SCM Settings

For customers using SCM (Git, SVN, Mercurial), define the relevant settings (type, user, password).

Configuration File Parameter	Description and Expected Behavior	If True	If False	Default	Command Line Parameter Available?
scm.type	A comma-delimited list of all scm types (Git, SVN, mercurial (select one). NOTE: Required if remote repository connection is requested.	N/A	N/A	Empty	No
scm.user	Username to connect to the remote repository. NOTE: Required if the repository is private and requires credentials.	N/A	N/A	Empty	No
scm.pass	Password to connect to the remote repository. NOTES: When using SSH to fetch a Git repository, set this value to the passphrase of your private key (as specified in scm.ppk). If there is no passphrase, then leave this parameter empty. Required if the repository is private and requires credentials. A Personal Access Token (PAT) can be used in place of a password if the scm.url is https.	N/A	N/A	Empty	No
scm.ppk	Path to the private key. NOTE: Required if the repository requires an SSH connection.	N/A	N/A	Empty	No
scm.url	URL of the remote repository. e.g: https://github.com/XXXX/XXXX.git . For on-premises repositories, provide the URL of the on-premises instance. NOTE: Required if the remote repository connection is requested.	N/A	N/A	Empty	No
scm.branch	Name of the branch to scan.	N/A	N/A	Empty	No
scm.tag	Name of the tag to scan.	N/A	N/A	Empty	No
scm.npmInstall	Whether or not to perform 'npm install' when package.json was found	Performs 'npm install' when package.json is found	Will not perform 'npm install' when package.json is found	True	No
scm.npmInstallTimeoutMinutes	npm install timeout in minutes	N/A	N/A	15 minutes	No
scm.repositoriesFile	A URL of JSON file that contains a list of remote repositories.	N/A	N/A	Empty	-scm.repositoriesFile

Proxy Settings

Configuration File Parameter	Description and Expected Behavior	If True	If False	Default	Command Line Parameter Available?
proxy.host	Proxy hostname	N/A	N/A	Empty	-proxy.host
proxy.port	Proxy port number	N/A	N/A	Empty	-proxy.port
proxy.user	Proxy username	N/A	N/A	Empty	-proxy.user
proxy.pass	Proxy password	N/A	N/A	Empty	-proxy.pass

Configuring the Unified Agent by Environment Variables

All the parameters available in the Unified Agent configuration file can be also set using environment variables.

The naming convention for the environment variables is:

A parameter name as defined in the configuration file converted to upper case, with each dot (.) replaced by an underscore (_), and “WS” prefix added to it.

For example the maven.runPreStep parameter can be set using the WS_MAVEN_RUNPRESTEP environment variable.

Environment variables can be used in several ways:

Passed to the Unified Agent in the command line, for example:
WS_PROJECTNAME=my-awesome-project java -jar ../wss-unified-agent.jar
Be set prior to the run, available for the current shell session only:
Linux and MacOS:
export WS_PROJECTNAME=my-awesome-project
java -jar ../wss-unified-agent.jar
Windows:
set WS_PROJECTNAME=my-awesome-project
java -jar ../wss-unified-agent.jar
Be set prior to the run to persist between shell sessions:
- For Linux and macOS using a shell startup script
- For Windows using setxcommand

Command Line Parameters

NOTE: This table is not a complete list of command-line parameters. For command-line parameters that have corresponding (standard) configuration file parameters, refer to the Command Line Parameter Available column on the right side of the above tables.

Parameter	Type	Description	Required	Default
-c	String	Configuration file name (including file path).	No	The default file name is 'wss-unified-agent.config' Starting from version 19.1.1, the default file is 'wss-unified-agent.config'. If this file is not found, then the Unified Agent searches for a 'mend-fs-agent.config' file. When using the -detect flag, the generated configuration file is wss-generated-file.config and it should be explicitly stated: -c wss-generated-file.config
-d	String	Comma-separated list of directories and/or files to scan	No	N/A
-f	String	File list path	No	N/A
-v	String	Query the Unified Agent for its version	No	N/A
-archiveFastUnpack	Boolean	Fast unpacking of archive files	No	False
-requestFiles	String	Comma-separated list of paths to offline request files. Regarding the priority of the parameters usage, the Unified Agent searches for the CLI argument, then the configuration file parameter (if not found in the CLI), and then the offline request parameter (if not found in the configuration file). If multiple request files are provided, then the data from the first offline request is used. Note that the 'projectName', 'projectToken', and 'projectVersion' are fetched from each request file. If '-d' is explicitly provided when '-requestFiles' is also used, then the Unified Agent does not scan the local folder (which '-d' points to). Instead, it scans only the offline request file(s) provided. '-d' will be ignored in this scenario.	No	When a single request file is provided and if neither 'productName' or 'productToken' values are set in the CLI, Config and Offline request file, then the default product name is 'My Product'.
-whiteSourceFolderPath	String	A path to the 'mend' directory. The Mend folder is created when checking policies and creating an offline file. Path can be absolute or relative.	No	The default location of the 'mend' folder is the working directory from which the Unified Agent is run.
-requirementsFileIncludes (there is only python)	String	Comma-separated list of dependency filenames specifying which files to be scanned for dependencies.	No	requirements.txt
-noConfig	Boolean	When set to True, you can run a scan without using a configuration file. However, in this case, parameters -`projectToken` or -`project` and -`apiKey` are mandatory. Unless explicitly provided, the default wss.url parameter value is https://saas.whitesourcesoftware.com/agent	No	False
-detect		When this parameter is added, the Unified Agent will analyze the scanned files and will create a new .config file with the relevant configuration parameters. The new configuration file will contain the `resolveDependencies` parameters according to the discovered package managers. For each manifest file, we will set the relevant parameter to True. Usage: `java -jar unified-agent.jar -detect` For example, if a `bower.json` file is found in the project folder, `bower.resolveDependencies` will be set to True in the newly created configuration file.	No	By default, the detection is based on the current directory where the Unified Agent jar is located. To change this, add the `-d` parameter. For example use: `java -jar unified-agent.jar -detect -d projectFolder`
-help or -h	Boolean	The Unified Agent prints the parameters that can be used from the CLI.	No
-logLevel	String	Specifies the minimal log level printed to stdout/command line. This parameter can be used to control console logging and is useful if a customer is trying to pull logs from a pipeline scan and does not have access to the generated log file after the scan completes. To disable console logging, set logLevel=off To enable console debug logging, set logLevel=debug Note: For editing the log verbosity of the generated log file post-scan (`whitesource.0.log`), please see the log.files.level parameter	No	info
-proxy	String	Proxy info in the following format: scheme://<user>:<password>@host:port/	No