Exam AZ-400 topic 4 question 28 discussion

B. No. CI by itself won't address the issues.

This answer should be No. Although Whitesource can be added to the CI build, simply enabling CI will not at all have the required effect. The answer doesn't mention Whitesource Bolt at all - only the examtopics explanation talks about Whitesource Bolt (and doesn't even mention CI once). This answer makes no sense.

I think is B since the question says 'You plan to update the Azure DevOps strategy of your company.' so I think it infers that some build pipeline was created so now you need to configure the Whitesource bolt

Just continuous integration isn't enough to meet the goal. The answer really needs to be more specific, i.e. what kind of CI?

B- Não. Implementing continuous integration alone does not directly resolve issues of licensing violations or the use of prohibited libraries. Continuous integration is a practice that involves automating builds and tests to ensure that code is always ready for deployment. To address the issues of license violations and banned libraries, you often need to add additional tools or processes such as static code analysis, dependency checking, and license checking.

The Answer Should be "NO"

GPT4 No, this does not meet the goal. Implementing continuous integration (CI) in and of itself does not inherently identify licensing violations or prohibited libraries. Continuous integration is a practice in software development where developers regularly merge their changes into a main branch, often triggering automated build and test processes. To identify licensing violations and prohibited libraries, you'd typically use a software composition analysis (SCA) tool. An SCA tool analyzes the open source components of your software for security vulnerabilities, licensing compliance, and more. An example of such a tool could be WhiteSource Bolt, Sonatype, or BlackDuck. These tools can be incorporated into your CI pipeline to check every build for these issues.

Mend will handle both reqs. and the recommended step to run it is on CI. https://learn.microsoft.com/en-us/training/modules/introduction-to-secure-devops/5-explore-key-validation-points?pivots=portal

It's a very clear No.

Should be a No because CI itself doesn't necessarily include WhiteSource it could mean anything

I would go with No as the answer You need security scanning

It should be Yes

Continuous Integration as part of the build pipeline --> WhiteSource so it is YES.

This answer should be No, CI is not the solution. CI + WhiteSource is the solution

I think the answer provided is correct even though it is very general. In fact however tools like WhiteSource Bolt or Black Duck are used in the Continuos Integration process, so it is correct to implement it. Indubitably it would be desirable to have more precise answers.

Agree with this

If considering this question with others in a bundle, this CI solution is the most correct. 1. you need WhiteSource or DarkDuck to scan 2. WhiteSource or DarkDuke is integrated in CI 3. Therefore, if you implement CI, it is possible to achieve the goal I tend to agree with "A"--Yes