Scan nirvana: Hub Detect for all native build and CI tools

Hub Detect is an all-in-one open source scanner leveraging Signature Scanning and Package Management. Integrating with all the CI tools, it’s Scan Nirvana.

When you’re trying to secure and manage the open source code in your applications, the first step is to accurately discover all the open source in your systems. Simply put, if you don’t know which open source components you’re using, you can’t protect yourself from vulnerabilities in those components. That’s why Black Duck uses a multi-factor discovery method, leveraging the power of both package manager declarations and file signature scanning for the most accurate results.

With Hub 4.1, we introduced a new umbrella implementation that envelops all our scanning technologies, making for an easier out-of-the-box scan experience and the most accurate open source scans. Hub Detect is an umbrella implementation for all existing native build and CI tools.

Let’s look at the different scanning technologies supported by Hub Detect. Like all our CI/Build Tool plugins, Detect continues to work as a post-build step. It starts by first looking at package manager information and then signature scanning data.

Package management information

Detect plugs into existing build processes to look at the flow of dependencies within the build job of your CI of choice. It captures both declared and transitive dependencies and provides a comprehensive 360° view into the project’s dependencies without requiring any changes to the native build environment. (Pretty cool, right?) The plugin has been designed to recursively check for formal dependency management files (for example, pom.xml, setup.py, Gemfile.lock), which tell it which environment the project is being built in so it can invoke the right configuration. Detect currently supports the following package managers: Maven, Gradle, SBT, RubyGems, NPM, Node.js, CocoaPods, PyPI, Pear, Packagist, CPAN, Go, CRAN and NuGet. Hub Detect also handles the major Linux package managers (apk, dpkg and rpm) for the major Linux distributions via the Docker Inspector functionality.

Although Hub Detect is invoked as a post-build step, it monitors and injects itself within the build to capture the dependency information above. After Package Management inspection, the baton is handed over to the Black Duck Signature Scanner to scan the built artifact for file matches. 

Black Duck Signature Scanner

Detect now invokes the Black Duck Signature Scanner to look for file and directory matches and identify components that may have been missed by the package manager inspection above. This culminates in a more comprehensive and accurate bill of materials (BOM) that can also be checked for policy violations, with an optional setting to fail the build.

In the example below, Axis 1.4 was found both declared as a dependency and as an exact file match in multiple directories, so several independent pieces of evidence corroborate the result.
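As an added illustration (not Hub Detect's own code), here is the two-phase evidence merge the post describes: one pass reads declared dependencies from pom.xml files, a second hashes every file against a signature table, and both are folded into a single BOM keyed by component. The project tree, file bytes and signature table are all constructed here; a real scanner would walk the filesystem and parse each package manager's format properly.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample project tree as {path: bytes}. The jar contents are fake stand-ins.
SAMPLE_TREE = {
    "pom.xml": b"""<project><dependencies>
      <dependency><groupId>org.apache.axis</groupId><artifactId>axis</artifactId><version>1.4</version></dependency>
      <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version></dependency>
    </dependencies></project>""",
    "lib/axis-1.4.jar": b"FAKE-AXIS-1.4-JAR-BYTES",
    "build/WEB-INF/lib/axis-1.4.jar": b"FAKE-AXIS-1.4-JAR-BYTES",
    "build/WEB-INF/lib/commons-logging-1.1.jar": b"FAKE-COMMONS-LOGGING-BYTES",
}

# Constructed signature knowledge base: sha256(file bytes) -> component@version.
SIGNATURES = {
    hashlib.sha256(b"FAKE-AXIS-1.4-JAR-BYTES").hexdigest(): "axis@1.4",
    hashlib.sha256(b"FAKE-COMMONS-LOGGING-BYTES").hexdigest(): "commons-logging@1.1",
}

# Minimal Maven <dependency> extractor; good enough for the constructed pom above.
DEP_RE = re.compile(r"<artifactId>([^<]+)</artifactId>\s*<version>([^<]+)</version>")


def declared_dependencies(tree):
    """Package-manager phase: find every pom.xml in the tree and yield (component, path)."""
    for path, content in tree.items():
        if path.split("/")[-1] == "pom.xml":
            for artifact, version in DEP_RE.findall(content.decode()):
                yield f"{artifact}@{version}", path


def signature_matches(tree, signatures):
    """Signature phase: hash each file and yield (component, path) on an exact match."""
    for path, content in tree.items():
        component = signatures.get(hashlib.sha256(content).hexdigest())
        if component:
            yield component, path


def build_bom(tree, signatures=SIGNATURES):
    """Merge both evidence streams into one BOM: component -> where it was seen."""
    bom = defaultdict(lambda: {"declared_in": [], "matched_at": []})
    for component, path in declared_dependencies(tree):
        bom[component]["declared_in"].append(path)
    for component, path in signature_matches(tree, signatures):
        bom[component]["matched_at"].append(path)
    return dict(bom)
```

Components with entries in both lists are corroborated by two independent methods; an entry with only `matched_at` (commons-logging here) is exactly the kind of undeclared component the signature pass exists to catch.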

Hub Detect also offers a PDF risk report that gets added to the local workspace of the CI tool. This risk report can be shared with users outside of the native build environments.

Automagically, all these processes can be configured to run from just one post-build step! 

This is a drastic improvement over the previous approach of running multiple tools to handle multiple techniques.

Hub Detect does not add significant time to your build jobs. Its fast execution was designed to meet the needs of high-velocity enterprise teams running many CI builds.

In summary, Hub Detect:

  • What: A shell-based post-build configuration that envelops functionality for package management and signature scanning
  • Prerequisites: Detect should be plugged into an environment that can build the project, that is, one that has the native build environment (local or a CI tool). An Internet connection is required.
  • Benefits: All-in-one, easy to set up, minimal one-time configuration, no install or upgrade required.

Download the implementation, which is hosted on GitHub as always. 

The documentation is available on our public wiki.

Posted by Utsav Sanghani

Utsav is a Product Manager at Black Duck by Synopsys and drives DevOps Integrations to help the world’s most innovative companies streamline, safeguard and manage the use of open source software (OSS). Prior to Black Duck, Utsav worked with SMG Convonix to help clients in the areas of Enterprise Software, Retail and Hospitality design and deliver their web-based products. He started as a web developer, but his yearning to communicate and evangelize got him closer to customer-facing roles. He holds a Bachelor's in Engineering from the University of Mumbai and a business Master's from the Tuck School of Business at Dartmouth College. He loves comedy and can be seen frequenting comedy clubs around Boston.
