[BUG] New Mend (formerly Whitesource) integration is not working correctly - autoclosed #1593

Closed
zelinh opened this issue Nov 19, 2021 · 12 comments · Fixed by #7177
Labels
bug Something isn't working Mend: configuration error WhiteSource configuration error


@zelinh
Member

zelinh commented Nov 19, 2021

Describe the bug

We previously installed a WhiteSource GitHub app for CVE scans. However, it doesn't work correctly at this time. We were just informed by WhiteSource support that they are using Java 8 for their integration with Github.com. Although we have now begun to support Java 11, it would still cause the Gradle resolution to fail.

To Reproduce
N/A

Expected behavior
A clear and concise description of what you expected to happen.

Plugins
WhiteSource integration with Github.com

@zelinh zelinh added bug Something isn't working untriaged labels Nov 19, 2021
@zelinh zelinh changed the title [BUG] new WhiteSource integration is not working correctly [BUG] New WhiteSource integration is not working correctly Nov 19, 2021
@dblock
Member

dblock commented Nov 22, 2021

What is specifically failing when using Java 8?

@zelinh
Member Author

zelinh commented Nov 23, 2021

> What is specifically failing when using Java 8?

WhiteSource integration can't scan all libraries comprehensively currently. @bbarani and I are reaching out to WhiteSource support separately for this same issue. However, we got different responses from them. Barani was told that the issue is because of an unsupported Gradle version v6.6.1, which is necessary for our project build, while I was told it's related to the Java version. We keep contacting them and will also have another backup plan for CVE scans on repos.

@VachaShah
Collaborator

@zelinh One of the recent PRs #1603 had a successful WhiteSource run https://github.com/opensearch-project/OpenSearch/runs/4296697988. Was any fix done for this?

@zelinh
Member Author

zelinh commented Nov 23, 2021

The WhiteSource integration check on a PR passes if there is no new vulnerability introduced in the PR. However, the general CVE scan with WhiteSource integration in this repo is not working correctly and not showing the right number of libraries. There might be a package manager version issue on the WhiteSource side. We are escalating this issue with WhiteSource support and waiting for them to help us.

@zelinh
Member Author

zelinh commented Nov 24, 2021

I just got notice from the WhiteSource team after their team review; it turned out to be part of a bigger problem with how they manage versions of all the scanners in the WhiteSource integration. They had an epic ticket for this and will keep us updated on the progress.

@VachaShah
Collaborator

Thank you for the update @zelinh! Since WhiteSource is failing and not scanning correctly, can we disable it till we have a fix so that PRs like #1594 are not blocked?

@zelinh
Member Author

zelinh commented Nov 24, 2021

I think we can disregard the WhiteSource check for now and keep merging PRs. I don't have access to disable it. Any objections? @bbarani @dblock

@VachaShah
Collaborator

@zelinh The Whitesource job on 1.x fails after 375m. Is there any update here?

@zelinh
Member Author

zelinh commented Feb 24, 2022

Unfortunately no. I had a meeting with WhiteSource support last Monday regarding the issue with scanning our core repo, and she said she would escalate this issue, but I haven't heard any update from them since then.
I think for now, one option is that we ignore the WhiteSource PR check for the core repo;
or the other option is to change this to be success so the check will always be success no matter whether it passes or fails. Ref: https://whitesource.atlassian.net/wiki/spaces/WD/pages/697696422/WhiteSource+for+GitHub.com#Check-Run-Settings-(checkRunSettings)

@CEHENKLE
Member

CEHENKLE commented Mar 3, 2022

Until this gets fixed, let's disable the whitesource integration. Otherwise this is blocking our ability to build on 1.3

@peterzhuamazon peterzhuamazon self-assigned this Apr 15, 2023
@peterzhuamazon peterzhuamazon added the Mend: configuration error WhiteSource configuration error label Apr 15, 2023
@peterzhuamazon peterzhuamazon changed the title [BUG] New WhiteSource integration is not working correctly [BUG] New Mend (formerly Whitesource) integration is not working correctly Apr 15, 2023
@peterzhuamazon
Member

peterzhuamazon commented Apr 15, 2023

We will remove the Mend scan config now to resolve this temporarily, and will look into re-adding it later on.
cc: @bbarani

@mend-for-github-com
Contributor

✔️ This issue was automatically closed by Mend because the errors have been resolved.

@mend-for-github-com mend-for-github-com bot changed the title [BUG] New Mend (formerly Whitesource) integration is not working correctly [BUG] New Mend (formerly Whitesource) integration is not working correctly - autoclosed Apr 16, 2023