Software Integrity Blog

 

Discovery capabilities: A core differentiator for Black Duck SCA

Stay on top of open source vulnerabilities and license obligations with discovery capabilities from Black Duck.

discovery capabilities in Black Duck SCA | Synopsys

In a world run on increasingly complex software, ensuring its reliability and security is becoming progressively daunting. This is especially true for open source components. Although they play a key role in nearly every software application in every industry, open source’s ease of use, faster time to market, and decreased costs often overshadow its potential risks. This point is underscored by Synopsys’ Open Source Security and Risk Analysis (OSSRA) report, which provides an annual assessment of the current state of software and security. In the 2021 OSSRA, of the 1,500+ applications audited, 75% of all codebases were composed of open source, and 84% had at least one vulnerability. Given this expansive presence, failure to implement adequate open source risk management solutions, like software composition analysis (SCA), renders you unquestionably exposed and vulnerable. 

In this blog series, Synopsys highlights the key differentiators that set our Black Duck® SCA solution apart. As the leader in open source security and compliance management, Black Duck provides the superior capabilities, support, and automation required to supplement today’s modern DevSecOps environments.

The problem: Limited discovery capabilities

One of the common complaints of security and development teams is their current SCA tool’s discovery limitations—namely its lack of breadth. Often, teams are faced with the realization that their current solution doesn’t uncover all the open source that they suspect is in their code. The tool lacks the coverage and depth needed to adequately protect them. In order to stay on top of open source vulnerabilities and license obligations, you must know what is in your code; you can’t secure what you don’t know exists.

To address this shortcoming, organizations should look for scanning methods with broad language support, artifact support, and multiple detection methods. Although tracking your code manually is possible, it’s rarely accurate—and by nature, inefficient. A robust SCA tool like Black Duck offers the best-in-class solution. 

For the purpose of this discussion, let’s dive into current market offerings for discovery.

What most SCA tools can do

SCA identifies the open source in a codebase and maps that inventory to a list of currently known vulnerabilities and licenses. To accomplish this, most SCA tools on the market today use only one method: dependency scanning. Dependency scanning works by interrogating package managers and then manifesting files to identify which open source components, licenses, and dependencies are actually being used. 

This approach, while quick and easy, relies on strong trust that everything is explicitly declared in the package managers. This type of reliance leaves room for components, and any associated vulnerabilities, to be easily overlooked. Essentially, the program is only as good as the information it’s armed with— leaving large gaps in the risk picture. 

Using a tool that goes beyond simple dependency scanning is critical.

What discovery capabilities you’ll find only with Black Duck

More advanced solutions, like Black Duck SCA, use multifaceted approaches to open source discovery, employing multiple robust discovery techniques. Only Black Duck offers these industry-leading multifactor discovery capabilities.

Key Black Duck discovery methods 

discovery methods in Black Duck SCA | Synopsys

Signature (file system scanning)

Signature scanning is a Black Duck technique for scanning arbitrary files, directories, and archives. It allows for components to be identified outside the context of package management or repositories. Signature scanning can identify components other methods fail to recognize. This includes components that:

  • Aren’t explicitly declared via package manager
  • Have files added, removed, or modified
  • Come from ecosystems/languages that have no package management (C/C++)
  • Are inside Docker images 

Simple dependency scanners simply cannot accomplish this, and when used alone, leave a huge gap in your AppSec posture. 

Binary analysis

Black Duck Binary Analysis (BDBA) quickly generates a complete software Bill of Materials (BOM) that tracks third-party and open source components, and identifies known security vulnerabilities, associated licenses, and code quality risks—all without the need for source code. 

One of BDBA’s strengths is best highlighted in a scenario where an organization has limited access to source code. Even with this limited access, an organization isn’t relieved of its software security and license responsibilities. Or perhaps an organization needs to scan firmware procured from a vendor. Fixing security or compliance issues in firmware that’s already been shipped isn’t always as easy as pushing an update, but finding these problems before deployment can be a challenge without source code access. BDBA eliminates this constraint, easily scanning third-party software even with limited access to the build environment. 

And whether or not source code access is an issue, binary analysis can provide a final check before deployment, even after an application has been built.

Snippet scanning

Snippet scanning is a Black Duck technique that expertly identifies fragments of open source code in your proprietary code files or files moved into proprietary directories. Snippet scanning matches this identified code with open source code found in our Black Duck KnowledgeBase files. 

Snippets are small, reusable pieces of code that can easily find their way into projects via various avenues. For example, a developer may cut and paste from Stack Overflow, thereby unknowingly inserting open source code into a project. This can easily result in unidentified license infringement. 

Black Duck finds these snippets and matches them to components and licenses, so legal risks can be identified and assessed. 

Customization

If all this wasn’t enough, Black Duck also offers customization to fit with your development and security practices. Users can choose which scans to run and when, so that they seamlessly match the desired development velocity and risk tolerance. 

Interested in learning more about Black Duck?

Stay tuned for a five-part series offering more in-depth information about how Black Duck can elevate your AppSec posture and keep you ahead of the pack. 

Learn how Black Duck identifies open source in your applications

 

More by this author