
How to 'whitesource' from Makefile

Open andygnewman opened this issue 8 years ago • 1 comments

cc: @matthew-andrews

Steps would be:

  • validate that the whitesource npm module exists in the application (if not, skip)
  • get the whitesource api key (from config vars)
  • write a whitesource config json file
  • run the whitesource commands (whitesource run and whitesource bower)

Something like this (but not quite):

# Skipped when the whitesource npm module is not installed in the application.
# The recipe is one shell command (lines joined with \); $$ passes a literal $ to the shell.
# Recipe lines must begin with a tab.
_whitesource:
	@if [ -e node_modules/whitesource/package.json ]; then \
		WHITESOURCE_API_KEY=$$($(call CONFIG_VARS,deployment) | $(call JSON_GET_VALUE,WHITESOURCE_API_KEY)); \
		printf '{"apiKey":"%s","checkPolicies":true,"productName":"Next","projectName":"%s"}\n' "$$WHITESOURCE_API_KEY" "$(APP_NAME)" > whitesource.config.json; \
		whitesource run && whitesource bower && $(DONE); \
	fi

andygnewman, Mar 18 '16 16:03

Things to think about before rolling whitesource out across the estate:-

Definitely need thought:

  • [ ] Seeing if there's a way we can avoid setting bower.json.name to be package.json.name+'-bower' manually. (Either doing it automatically or extending ws-bower to accept an argument for the name?) (Or maybe just skipping ws-bower if it's not set or the same as package.json) (Or possibly just rolling out npm dependency checks across the site initially)

Might need thought:-

  • [ ] Snapshotting the bower dependencies that get deployed rather than forcing a reinstall then snapshotting those. (Again, possibly an argument on ws-bower?)
  • [ ] Beaconing failures to report to Whitesource to a tools project on Sentry. (Quite like this idea for non-critical failures that we're interested in but currently ignore, e.g. things like CMDB logging failures)

matthew-andrews, Apr 02 '16 06:04