
Black Duck Software Composition Analysis Manual


Black Duck

Software Composition Analysis

Black Duck is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers. Named a leader in software composition analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

Only Black Duck combines versatile open source risk management with deep binary inspection to provide a best-in-class SCA solution that helps you minimize risks associated with open source and other third-party software. In a time when , Black Duck empowers your development, operations, procurement, and security teams to:

  • Find and fix security vulnerabilities at each stage in the SDLC, with detailed, vulnerability-specific remediation guidance and technical insight.
  • Eliminate risk of open source license noncompliance and safeguard your intellectual property by using the industry’s largest open source knowledge base to identify which of 2,650 licenses are relevant to the open source in your applications (including code snippets from larger components).
  • Avoid development cost overruns and combat code decay with operational risk metrics associated with poor open source code quality.
  • Scan virtually any software, firmware, and source code to generate a comprehensive bill of materials (BOM) of what’s inside.
  • Automatically monitor for new vulnerabilities that affect your BOM, with custom policies and workflow triggers to accelerate remediation and reduce your risk exposure.
  • Identify open source in code, binaries, and containers.
  • Detect partial and modified components.
  • Automate scanning with DevOps integrations.
  • Map components to known vulnerabilities.
  • Identify license and component quality risks.
  • Monitor for new vulnerabilities in development and production.
  • Set and enforce open source use and security policies.
  • Automate policy enforcement with DevOps integrations.
  • Prioritize and track remediation activities.

Black Duck identifies more open source, with greater accuracy, using a unique multifactor detection technology to generate and validate a complete BOM to track declared components, unique file hash signatures, dependencies resolved during a build, and open source code snippets. Black Duck’s intelligent scan client integrates with development tools used throughout the SDLC and automatically detects resources to optimize its scan methodology.

Black Duck’s open source security risk insight combines curated data from public sources (e.g., NVD) and detailed, proprietary analysis from the Synopsys Cybersecurity Research Center (CyRC). Get notified of new vulnerabilities weeks before they are published in the NVD (reducing your window of exposure), and benefit from our exclusive enhanced vulnerability data and Black Duck Security Advisories (BDSAs), including:

  • Critical risk metrics, vulnerability-specific technical insight, exploit details, and impact analysis
  • CVSS 2 and CVSS 3 scoring and CWE classification data
  • Common Attack Pattern Enumeration and Classification (CAPEC)
  • Temporal scoring not provided by the NVD
  • Component-level upgrade and remediation guidance, mitigating factors, and compensating controls
  • Vulnerability impact analysis to determine if the vulnerable code is being called by the application
  • Custom vulnerability risk scoring to match your company risk profile
  • Prioritization of vulnerabilities for remediation across multiple critical data points, including severity, solution availability, exploitability, CWE, and reachability

Configure your open source security and use policies based on a comprehensive array of criteria, including license type, vulnerability severity, open source component version, and more. Enforce policies with automatic workflow triggers, notifications, and bidirectional Jira integration for accelerated remediation initiation and reporting.

With Black Duck in your toolkit, you can quickly and easily analyze vendor-supplied binaries to identify weak links in your software supply chain without access to the source code. Get deep, actionable risk metrics to make informed decisions about your use and procurement of technologies before they put you at risk. Black Duck’s intelligent scan client automatically determines if the target software is source or a compiled binary, then identifies and catalogs all third-party software components, associated licenses, and known vulnerabilities affecting your applications.


Languages

  • C
  • C++
  • C#
  • Clojure
  • Erlang (Black Duck only)
  • Golang
  • Groovy
  • Java
  • JavaScript (Black Duck only)
  • Kotlin
  • Node.js (Black Duck only)
  • Objective-C
  • Perl (Black Duck only)
  • Python (Black Duck only)
  • PHP (Black Duck only)
  • R (Black Duck only)
  • Ruby
  • Scala
  • Swift (Black Duck only)
  • .NET

Package Managers

  • NuGet (Black Duck only)
  • Hex (Black Duck only)
  • Vndr (Black Duck only)
  • Godep (Black Duck only)
  • Dep (Black Duck only)
  • Maven (Black Duck only)
  • Gradle (Black Duck only)
  • Npm (Black Duck only)
  • CocoaPods (Black Duck only)
  • Cpanm (Black Duck only)
  • Conda (Black Duck only)
  • Pear (Black Duck only)
  • Composer (Black Duck only)
  • Pip (Black Duck only)
  • Packrat (Black Duck only)
  • RubyGems (Black Duck only)
  • SBT (Black Duck only)

BDBA Package Manager Support

  • Distro-package-manager: Leverages information from a Linux distribution package manager database to extract component information.
  • The remaining four methods are only applicable to Java bytecode:
    – pom: Extracts the Java package, group name, and version from the pom.xml or pom.properties files in a JAR file.
    – manifest: Extracts the Java package name and version from the entries in the MANIFEST.MF file in a JAR file.
    – jar-filename: Extracts the Java package name and version from the JAR file name.
    – hashsum: Uses the SHA-1 checksum of the JAR file to look it up among Java projects registered on Maven Central.
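The four Java bytecode methods listed above, as an added Python example that is not Black Duck's or BDBA's own code: it constructs a small JAR in memory and applies the pom, manifest, jar-filename and hashsum identification methods to it. The SHA-1 table is a hypothetical stand-in for the Maven Central lookup, and the sample metadata values are invented.

```python
import hashlib
import io
import re
import zipfile

def build_sample_jar():
    """Construct a minimal in-memory JAR carrying the metadata the four methods use."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"
                     "Implementation-Title: example-lib\r\nImplementation-Version: 1.2.3\r\n\r\n")
        jar.writestr("META-INF/maven/com.example/example-lib/pom.properties",
                     "# Generated by Maven\nversion=1.2.3\ngroupId=com.example\nartifactId=example-lib\n")
        jar.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

SAMPLE_JAR = build_sample_jar()
# Constructed stand-in for the Maven Central SHA-1 lookup; a real scanner queries a registry.
KNOWN_SHA1 = {hashlib.sha1(SAMPLE_JAR).hexdigest(): ("com.example", "example-lib", "1.2.3")}

def from_pom(jar_bytes):
    """pom method: groupId/artifactId/version from META-INF/maven/**/pom.properties."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                lines = jar.read(name).decode("utf-8").splitlines()
                props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
                return (props.get("groupId"), props.get("artifactId"), props.get("version"))
    return None

def from_manifest(jar_bytes):
    """manifest method: Implementation-Title/Version from META-INF/MANIFEST.MF."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    pairs = (line.partition(":") for line in text.splitlines())
    attrs = {k.strip(): v.strip() for k, sep, v in pairs if sep}
    return (attrs.get("Implementation-Title"), attrs.get("Implementation-Version"))

# jar-filename method: "<name>-<version>.jar", where the version must start with a digit.
JAR_NAME_RE = re.compile(r"^(?P<name>[\w.-]+?)-(?P<version>\d[\w.-]*)\.jar$")

def from_filename(filename):
    m = JAR_NAME_RE.match(filename)
    return (m.group("name"), m.group("version")) if m else None

def from_hashsum(jar_bytes, known=KNOWN_SHA1):
    """hashsum method: exact SHA-1 match against a table of known artifacts."""
    return known.get(hashlib.sha1(jar_bytes).hexdigest())
```

The filename and manifest methods are the least reliable, since a renamed or repackaged JAR defeats them, which is why a hash match or pom.properties is preferred when both are available.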

Binary formats

  • Native binaries
  • Java binaries
  • .NET binaries
  • Go binaries

Compression formats

  • Gzip (.gz)
  • bzip2 (.bz2)
  • LZMA (.lz)
  • LZ4 (.lz4) (BDBA only)
  • Compress (.Z)
  • XZ (.xz)
  • Pack200 (.jar)
  • UPX (.exe)
  • Snappy
  • DEFLATE
  • zStandard (.zst) (BDBA only)

Archive formats

  • ZIP (.zip, .jar, .apk, and other derivatives)
  • XAR (.xar) (BDBA only)
  • 7-Zip (.7z)
  • ARJ (.arj)
  • TAR (.tar)
  • VM TAR (.tar) (BDBA only)
  • cpio (.cpio)
  • RAR (.rar)
  • LZH (.lzh) (BDBA only)
  • Electron archive (.asar) (BDBA only)
  • DUMP

Installation formats

  • Red Hat RPM (.rpm)
  • Debian package (.deb)
  • Mac installers (.dmg, .pkg)
  • Unix shell file installers (.sh, .bin)
  • Windows installers (.exe, .msi, .cab)
  • vSphere Installation Bundle (.vib) (BDBA only)
  • Bitrock Installer (BDBA only)
  • Supported installer generator formats (all BDBA only):
    – 7z, zip, rar self-extracting .exe
    – MSI Installer
    – CAB Installer
    – InstallAnywhere
    – Install4J
    – InstallShield
    – InnoSetup
    – Wise Installer
    – Nullsoft Scriptable Install System (NSIS)
    – WiX Installer

Firmware formats

  • Intel HEX (BDBA only)
  • SREC (BDBA only)
  • U-Boot (BDBA only)
  • Arris firmware (BDBA only)
  • Juniper firmware (BDBA only)
  • Kosmos firmware (BDBA only)
  • Android sparse file system (BDBA only)
  • Cisco firmware (BDBA only)

File systems / disk images

  • ISO 9660 / UDF (.iso) (BDBA only)
  • Windows Imaging (BDBA only)
  • ext2/3/4 (BDBA only)
  • JFFS2 (BDBA only)
  • UBIFS (BDBA only)
  • RomFS (BDBA only)
  • Microsoft Disk Image (BDBA only)
  • Macintosh HFS (BDBA only)
  • VMware VMDK (.vmdk, .ova) (BDBA only)
  • QEMU Copy-On-Write (.qcow2) (BDBA only)
  • VirtualBox VDI (.vdi) (BDBA only)
  • QNX EFS, IFS (BDBA only)
  • NetBoot image (.nbi) (BDBA only)
  • FreeBSD UFS (BDBA only)

Container Formats

  • Docker

Legend: (Black Duck only) marks items supported by Black Duck only.

(BDBA only) marks items supported by Black Duck Binary Analysis (BDBA) only.


Cloud platforms

  • Amazon Web Services
  • Google Cloud Platform
  • Microsoft Azure

Container platforms

  • Docker
  • OpenShift
  • Pivotal Cloud Foundry
  • Kubernetes
  • PostgreSQL

IDEs

  • Eclipse
  • Visual Studio IDE

Continuous integration

  • Jenkins
  • TeamCity
  • Bamboo
  • Team Foundation Server
  • Travis CI
  • CircleCI
  • GitLab CI
  • Visual Studio Team Services
  • Concourse CI
  • AWS CodeBuild
  • Codeship

Workflow and notifications

  • Jira
  • Slack
  • Email
  • SPDX

Binary and source repositories

  • Artifactory
  • Nexus

Application security suites

  • IBM AppScan
  • Micro Focus Fortify
  • SonarQube
  • ThreadFix
  • Cybric
  • Code Dx

Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. For more information about the Synopsys Software Integrity Group, visit us online at .

Synopsys, Inc.
185 Berry Street, Suite 6500
San Francisco, CA 94107 USA
U.S. Sales: 800.873.8193
International Sales: +1 415.321.5237
Email:

©2020 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at . All other names mentioned herein are trademarks or registered trademarks of their respective owners.