Code Sight automatically performs just-in-time code analysis as the developer opens, edits, and saves files in the IDE. It does this in the background without disrupting workflow. As it detects issues, it reports them in the IDE itself, and the developer can fix them immediately—no need to change tools or reopen past projects.
Code Sight’s new capabilities extend this analysis from the project’s own code to its open source dependencies. As developers work on a project in their IDE, Code Sight identifies the third-party components the project pulls in and checks them against the Black Duck KnowledgeBase. The IDE then lists components with known vulnerabilities alongside the weaknesses (tagged with their CWEs) that the SAST analysis has found in the project’s own code, so both classes of risk surface in one place.
The developer can then review vulnerability severity and risk information from Black Duck Security Advisories (BDSAs), independently researched by Synopsys, as well as public CVE records from the National Vulnerability Database (NVD). In addition to vulnerability information, Code Sight provides other information developers can use to optimize component selection, including the open source license type and potential violations of the organization’s predefined policies on open source security and license compliance.
Finally, Code Sight helps developers quickly identify and select the best fix for the issue using information in the BDSAs, which provide more timely, accurate, and thorough risk and remediation guidance than tools that only use the NVD.
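The pipeline the preceding paragraphs describe, in miniature: match each pinned dependency against an advisory knowledgebase by version range, look up its license, evaluate the organization’s policy, and pick the lowest upgrade that clears every matching advisory. The block below is an added illustration written for this page; it is not Code Sight’s or Black Duck’s code and does not touch the real KnowledgeBase. Every component name (acme-*), advisory ID (EXAMPLE-ADV-*), version range, license and policy threshold is constructed for the example. One point the prose leaves implicit and the code makes explicit: the “best fix” is not simply the fixed version of the worst advisory, because that version may still fall inside another advisory’s affected range.

```python
"""Toy software-composition-analysis pass (constructed example, not Code Sight)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, e.g. '2.10.1' -> (2, 10, 1)."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed ID, stands in for a BDSA/CVE record
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive upper bound)
    severity: str
    cvss: float


# Constructed "knowledgebase": advisories plus per-component license metadata.
ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-ADV-0001", "acme-http", "2.0.0", "2.4.1", "HIGH", 7.5),
    Advisory("EXAMPLE-ADV-0002", "acme-http", "2.3.0", "2.6.0", "CRITICAL", 9.8),
    Advisory("EXAMPLE-ADV-0003", "acme-yaml", "1.0.0", "5.4.0", "MEDIUM", 5.3),
    Advisory("EXAMPLE-ADV-0004", "acme-web", "1.0.0", "1.1.0", "LOW", 3.1),
]
LICENSES: Dict[str, str] = {
    "acme-http": "Apache-2.0",
    "acme-yaml": "MIT",
    "acme-web": "GPL-3.0-only",
    "acme-crypto": "BSD-3-Clause",
}


@dataclass(frozen=True)
class Policy:
    block_severities: frozenset
    denied_licenses: frozenset


DEFAULT_POLICY = Policy(
    block_severities=frozenset({"HIGH", "CRITICAL"}),
    denied_licenses=frozenset({"GPL-3.0-only", "AGPL-3.0-only"}),
)


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisories: Tuple[str, ...]
    license: str
    violations: Tuple[str, ...]
    recommended_version: Optional[str]


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {name: version} for '==' pins; comments and unpinned lines are skipped."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def match_advisories(component: str, version: str) -> List[Advisory]:
    """Advisories whose [introduced, fixed) range contains the given version."""
    v = parse_version(version)
    return [a for a in ADVISORIES
            if a.component == component
            and parse_version(a.introduced) <= v < parse_version(a.fixed)]


def recommend_fix(component: str, current: str) -> Optional[str]:
    """Lowest fixed version >= current that matches no advisory at all.

    Simply taking the fix for the worst advisory is wrong when that version is
    still inside another advisory's range; each candidate is re-checked instead.
    """
    if not match_advisories(component, current):
        return None
    cur = parse_version(current)
    candidates = sorted({parse_version(a.fixed) for a in ADVISORIES if a.component == component})
    for cand in candidates:
        cand_str = ".".join(map(str, cand))
        if cand >= cur and not match_advisories(component, cand_str):
            return cand_str
    return None  # every known fix is itself affected; needs manual review


def analyze(requirements_text: str, policy: Policy = DEFAULT_POLICY) -> List[Finding]:
    """Run the matching, license lookup and policy checks over a manifest."""
    findings: List[Finding] = []
    for name, version in parse_requirements(requirements_text).items():
        matched = match_advisories(name, version)
        license_id = LICENSES.get(name, "UNKNOWN")
        violations = [f"{a.advisory_id} severity {a.severity} (CVSS {a.cvss}) is blocked by policy"
                      for a in matched if a.severity in policy.block_severities]
        if license_id in policy.denied_licenses:
            violations.append(f"license {license_id} is denied by policy")
        findings.append(Finding(name, version, tuple(a.advisory_id for a in matched),
                                license_id, tuple(violations), recommend_fix(name, version)))
    return findings


# Constructed sample manifest; the unpinned line is deliberately ignored.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
acme-http==2.3.5
acme-yaml==5.3.1
acme-web==1.2.0
acme-crypto==1.0.0
unknown-lib>=0.1   # unpinned; skipped
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_REQUIREMENTS):
        print(f"{f.component}=={f.version}: advisories={list(f.advisories)} "
              f"license={f.license} fix={f.recommended_version}")
        for v in f.violations:
            print("  policy:", v)
```

Running it reports acme-http as affected by two constructed advisories with 2.6.0 as the recommended upgrade (2.4.1 fixes the first but sits inside the second’s range), acme-yaml as affected by a medium-severity advisory that the policy does not block, and acme-web as clean of vulnerabilities but in violation of the license policy. In a real tool the component identification step itself is the hard part: a name and a pinned version are only one signal, and a wrong match produces both false positives and missed vulnerabilities.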