The KB is a collection of vulnerability information about open source components that is meticulously collected and maintained by our tireless Black Duck security research team.
When our customers use Black Duck®, the tool makes queries to the KB to retrieve information about specific open source components.
We can’t see the applications our customers are scanning or what they find in them, but we can observe the queries that reach the KB. A query is recorded for several reasons:
- When a customer uses Black Duck to scan one or more applications, a query is performed for each component found. For example, if log4j 2.14.0 was detected in a single application or in a hundred, Black Duck would use a single query to retrieve its information from the KB.
- If a customer uses the Black Duck user interface to examine a specific component, a query is sent to the KB to retrieve its information.
- Black Duck periodically checks to see if any KB updates are available for components in previously scanned applications. If the KB information has been updated, Black Duck generates a query to retrieve the latest information.
Our data about KB queries is entirely anonymized and cannot be linked to specific applications or specific customers.
Having said that, the KB query data does serve as a rough measure of usage, although that interpretation is diluted somewhat by the update process.