Signature (file system scanning)
Signature scanning is a Black Duck technique for scanning arbitrary files, directories, and archives. It allows for components to be identified outside the context of package management or repositories. Signature scanning can identify components other methods fail to recognize. This includes components that:
- Aren’t explicitly declared via package manager
- Have files added, removed, or modified
- Come from ecosystems/languages that have no package management (C/C++)
- Are inside Docker images
Dependency scanners alone cannot accomplish this, and when used by themselves they leave a large gap in your AppSec posture.
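To make the idea of file-system signature scanning concrete, here is an added Python example that is not Black Duck's own code or algorithm. It walks a directory, descends into ZIP archives, hashes every file with SHA-256 and looks the hashes up in a small fingerprint table built from constructed sample component files (a hypothetical "libfoo 1.2.0"). The sample tree it scans contains a copied header and a vendored archive whose `src/foo.c` was locally patched, so the component is still identified from the unchanged header while the modified file shows up as unmatched, which is the "files added, removed, or modified" case from the list above. A real knowledge base is far larger and a real scanner handles many archive formats; exact-hash matching is used here only for illustration.

```python
"""Minimal file-signature scan: walk a directory, recurse into .zip archives,
hash every file and match the hashes against a fingerprint table.
Illustration only; not Black Duck's algorithm or data."""
import hashlib
import io
import os
import tempfile
import zipfile

# Constructed sample "knowledge base": files belonging to a hypothetical component.
SAMPLE_COMPONENT_FILES = {
    ("libfoo", "1.2.0"): {
        "include/foo.h": b"int foo(int x);\n",
        "src/foo.c": b"int foo(int x) { return x + 1; }\n",
    },
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_fingerprints(component_files):
    """Map sha256(content) -> (component, version, path inside the component)."""
    fps = {}
    for (name, version), files in component_files.items():
        for rel_path, content in files.items():
            fps[sha256(content)] = (name, version, rel_path)
    return fps


FINGERPRINTS = build_fingerprints(SAMPLE_COMPONENT_FILES)


def _expand(logical_path, data):
    """Yield (logical_path, bytes); ZIP members are expanded with a '!' separator."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from _expand(f"{logical_path}!{info.filename}", zf.read(info))
    else:
        yield logical_path, data


def iter_files(root):
    """Yield every regular file under root, descending into archives."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                yield from _expand(path, fh.read())


def scan(root):
    """Return ({(component, version): [matched paths]}, [unmatched paths])."""
    matched, unmatched = {}, []
    for logical, data in iter_files(root):
        hit = FINGERPRINTS.get(sha256(data))
        if hit:
            matched.setdefault((hit[0], hit[1]), []).append(logical)
        else:
            unmatched.append(logical)
    return matched, unmatched


def make_sample_tree(dest):
    """Constructed input: a copied header on disk plus a vendored archive in which
    src/foo.c was locally patched (so only foo.h still matches the knowledge base)."""
    libfoo = SAMPLE_COMPONENT_FILES[("libfoo", "1.2.0")]
    os.makedirs(os.path.join(dest, "third_party"), exist_ok=True)
    with open(os.path.join(dest, "third_party", "foo.h"), "wb") as fh:
        fh.write(libfoo["include/foo.h"])
    with zipfile.ZipFile(os.path.join(dest, "vendor.zip"), "w") as zf:
        zf.writestr("libfoo/include/foo.h", libfoo["include/foo.h"])
        zf.writestr("libfoo/src/foo.c", b"int foo(int x) { return x + 2; }  /* local patch */\n")


def demo():
    """Build the sample tree in a temp dir, scan it, and return paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        matched, unmatched = scan(tmp)
        rel = lambda p: os.path.relpath(p, tmp)
        return (
            {k: sorted(rel(p) for p in v) for k, v in matched.items()},
            sorted(rel(p) for p in unmatched),
        )


if __name__ == "__main__":
    found, leftovers = demo()
    for (name, version), paths in found.items():
        print(f"{name} {version}: {paths}")
    print("unmatched:", leftovers)
```

The unmatched list is the interesting output for a reviewer: a file that sits next to identified component files but no longer matches any known hash is either a local modification of that component or something else entirely, and either way deserves a look.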
Black Duck Binary Analysis (BDBA) quickly generates a complete software Bill of Materials (BOM) that tracks third-party and open source components, and identifies known security vulnerabilities, associated licenses, and code quality risks—all without the need for source code.
One of BDBA’s strengths is best highlighted in a scenario where an organization has limited access to source code. Even with this limited access, an organization isn’t relieved of its software security and license responsibilities. Or perhaps an organization needs to scan firmware procured from a vendor. Fixing security or compliance issues in firmware that’s already been shipped isn’t always as easy as pushing an update, but finding these problems before deployment can be a challenge without source code access. BDBA eliminates this constraint, easily scanning third-party software even with limited access to the build environment.
And whether or not source code access is an issue, binary analysis can provide a final check before deployment, even after an application has been built.
Snippet scanning is a Black Duck technique that identifies fragments of open source code in your proprietary code files, or in files moved into proprietary directories. Snippet scanning matches the identified code against the open source code in the Black Duck KnowledgeBase.
Snippets are small, reusable pieces of code that can easily find their way into projects via various avenues. For example, a developer may cut and paste from Stack Overflow, thereby unknowingly inserting open source code into a project. This can easily result in unidentified license infringement.
Black Duck finds these snippets and matches them to components and licenses, so legal risks can be identified and assessed.
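As an added illustration of how a pasted fragment can be matched against a reference corpus, the Python below uses k-gram fingerprinting with winnowing (the technique behind tools such as MOSS). It is not Black Duck's algorithm and the reference corpus is a constructed pair of license-labelled C functions, not the KnowledgeBase. Source is normalised by stripping comments and whitespace before tokenising, so reformatting a pasted function does not hide it; a constructed "proprietary" file containing a re-indented copy of one of the reference functions is reported together with that function's license label, while the other reference function is not reported.

```python
"""Snippet matching by k-gram fingerprinting with winnowing.
Illustration only; not Black Duck's algorithm or KnowledgeBase."""
import hashlib
import re

K = 5  # tokens per k-gram
W = 4  # winnowing window (number of consecutive k-gram hashes)

# Constructed reference corpus; component names and license labels are illustrative.
REFERENCE_SNIPPETS = {
    ("tinyhash", "MIT"): """
unsigned long djb(const char *s) {
    unsigned long h = 5381;
    int c;
    while ((c = *s++))
        h = ((h << 5) + h) + c;
    return h;
}
""",
    ("listutil", "GPL-3.0"): """
struct node *reverse(struct node *head) {
    struct node *prev = NULL;
    while (head) {
        struct node *next = head->next;
        head->next = prev;
        prev = head;
        head = next;
    }
    return prev;
}
""",
}

# Constructed "proprietary" file: its own code plus a re-indented copy of djb().
PROPRIETARY_FILE = """
/* internal config loader */
int load_config(const char *path) { return path != NULL; }

// helper copied from somewhere
unsigned long djb(const char *s)
{
    unsigned long h = 5381; int c;
    while ((c = *s++)) h = ((h << 5) + h) + c;   /* hash */
    return h;
}
"""


def tokenize(src):
    """Strip // and /* */ comments, then split into identifiers, numbers and single symbols."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", " ", src, flags=re.S)
    return re.findall(r"[A-Za-z_]\w*|\d+|\S", src)


def kgram_hashes(tokens, k=K):
    """Hash every run of k consecutive tokens to a 32-bit integer."""
    return [int(hashlib.sha1(" ".join(tokens[i:i + k]).encode()).hexdigest()[:8], 16)
            for i in range(len(tokens) - k + 1)]


def winnow(hashes, w=W):
    """Select the minimum hash of every window of w hashes (rightmost minimum on ties).
    Returns a set of (hash, position) pairs; any shared run of w+k-1 tokens yields a shared pick."""
    n = len(hashes)
    if n == 0:
        return set()
    picks = set()
    for start in range(max(n - w + 1, 1)):
        best = None
        for offset, h in enumerate(hashes[start:start + w]):
            if best is None or h <= best[0]:
                best = (h, start + offset)
        picks.add(best)
    return picks


def build_index(reference):
    """Map fingerprint hash -> set of (component, license) keys that contain it."""
    index = {}
    for key, src in reference.items():
        for h, _pos in winnow(kgram_hashes(tokenize(src))):
            index.setdefault(h, set()).add(key)
    return index


INDEX = build_index(REFERENCE_SNIPPETS)


def find_snippets(query_src, index=INDEX, min_shared=3):
    """Return {(component, license): shared fingerprint count} for references sharing
    at least min_shared fingerprints with the query (the threshold filters chance collisions)."""
    hits = {}
    for h, _pos in winnow(kgram_hashes(tokenize(query_src))):
        for key in index.get(h, ()):
            hits[key] = hits.get(key, 0) + 1
    return {key: n for key, n in hits.items() if n >= min_shared}


if __name__ == "__main__":
    for (component, license_id), shared in find_snippets(PROPRIETARY_FILE).items():
        print(f"{component} ({license_id}): {shared} shared fingerprints")
```

Because each window's pick depends only on the hashes inside that window, a copied region longer than `W + K - 1` tokens is guaranteed to share at least one fingerprint with its source regardless of what surrounds it in the query; the `min_shared` threshold then keeps a single accidental k-gram overlap from being reported as a snippet.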
If all this wasn’t enough, Black Duck also offers customization to fit with your development and security practices. Users can choose which scans to run and when, so that they seamlessly match the desired development velocity and risk tolerance.