close search bar

Sorry, not available in this language yet

close language selection

Fine-tuning roles, controlling licenses, and matching code snippets in Black Duck 4.5

In Black Duck 4.5, we’ve improved the functions and controls used by development and security teams to create the most effective SCA tool for the job.

Fine-tuning roles, controlling licenses, and matching code snippets in Hub 4.5

Any tradesperson, specialist, expert, aficionado, or technologist will tell you that the key to a quality outcome is a set of tools specific to the project and oriented to the goal. The realm of software security and secure DevOps is no exception to this truth, and in Black Duck’s version 4.5 release, we further hone the functions and controls used by development and security teams around the globe to establish the most effective tool for the job: to build secure, high-quality software faster.

Identify open source code fragment reuse (snippet matching)

Let’s start by introducing one of the most-requested enhancements to Black Duck: the ability to find open source code snippets in applications. Snippets are fragments of open source code that compose a larger open source component and that may carry with them license requirements present in their source component.

Now, in Black Duck 4.5, organizations can be assured that they are tracking more open source in their applications than ever before. Users can choose to run an optional snippet scan for nonmatched files following a component scan, identifying components with the highest match prevalence to the detected snippets. Black Duck 4.5’s snippet matching supports nearly 150 file extensions and 75 languages and optimizes performance with delta scanning.

Role-based capabilities to support enterprises

Modern development and release processes often require the persistent involvement of an array of contributors, each serving a distinct role and requiring access to relevant project information. In enterprise organizations, concerns often arise surrounding unnecessary or unrestricted access to projects or overprovisioning of activity rights.

Black Duck 4.5 updates and expands the relevance and granularity of role provisioning. With five global roles and six project-level roles, enterprises can better control access and capabilities without impeding productivity. This means streamlining execution, enforcing organizational policies for data proliferation and accessibility, and discouraging unapproved workarounds, which may otherwise result. We are excited to empower enterprises with project roles best suited for their organization structure and workflows, including those for project, bill of materials (BOM), and security managers, and customizations to restrict or enable code scanning rights and policy violation review.

Enhanced control over open source licenses

Some open source licenses can be simple, and others can be complex; this much is obvious. I would venture to say that there are few experts on all the 2,500+ open source licenses that we are tracking in the Black Duck KnowledgeBase™. To give organizations better ways to control open source license use and avoid license noncompliance, Black Duck 4.5 continues to augment our license management capabilities with license whitelist and blacklist capabilities and an improved license review status model.

Now, users looking to annotate licenses as part of their review workflow can add detailed notes and guidance to developers for remediation. Black Duck 4.5 introduces new review statuses for licenses to help compliance users structure and track license approvals, and it bolsters this new capability with policy rules that can be structured as a condition of License Status, as well as expiration dates, which can be applied for temporary approval or to indicate the need for recurring review.

The smaller steps that make great leaps

To help development teams address application security risks more readily, Black Duck 4.5 adds the ability to query the Black Duck KnowledgeBase for vulnerability remediation guidance via a new REST API. And we are improving performance and scalability by providing additional resources for authentication, alleviating a potential bottleneck during scanning or when using API-based utilities.

Without a doubt, the enhancements and new capabilities Black Duck 4.5 provides to enterprises and organizations worldwide are poised to support modern security and compliance initiatives, without burdening the teams tasked with achieving them.

Manage open source risks with Black Duck

Steven Zimmerman

Posted by

Steven Zimmerman

Steven Zimmerman

Steven Zimmerman is a Staff Product Marketing Manager for Synopsys Software Integrity Group, focusing on helping organizations establish a cohesive, resilient application security strategy with developers and software engineers built-in at critical stages. His work supports shift-left software security initiatives and DevSecOps, ensuring enterprise agility and continuous workflows without impeding development.

More from Security news and research