Posted by Patrick Carey on Tuesday, June 13th, 2017
Today we’re happy to announce the release of Black Duck CoPilot by Synopsys (https://copilot.blackducksoftware.com/), a new cloud service that helps open source project teams catalog and report on their project’s dependencies and vulnerabilities.
Black Duck CoPilot is FREE for open source developers who use GitHub.com (the #1 open source repository in the world today) as the repository for their projects. It connects to your GitHub repositories and provides you with security risk information for your open source project’s dependencies (i.e. the open source components used to build your project).
A completely cloud-based service, CoPilot is an easy, integrated, light-weight way to view security vulnerabilities in your open source projects. Once you connect CoPilot and build your project, you get a list of components, associated vulnerabilities (CVEs), as well as recommendations for adjacent vulnerability-free versions you can use if the components you are using have security issues.
You may already be using GitHub badges as a way to communicate information about your project, like testing coverage and license type. With CoPilot, you can also post a Black Duck “security status badge” on your project’s GitHub page to show the results of the Black Duck security analysis.
This badge helps you show potential users of your project that you take security seriously and that they can trust that your project won’t introduce vulnerabilities into their code. In turn, it helps those users pick the best quality components.
Since 2004, Black Duck’s mission has been to help organizations get the most out of open source by giving them solutions that help them manage and, if possible, avoid the security, license, and quality risks that can come with it. We believe that when teams take control of these risks, open source thrives. Black Duck Hub gives these organizations (open source consumers) a sophisticated and automated solution that allows them to secure virtually any application or container codebase, across the entire development lifecycle, at any scale.
CoPilot complements Hub by giving open source producers a solution that helps them produce better quality components and communicate that to open source consumers — and that benefits everybody. However, CoPilot is not intended to be the full open source management solution that Hub is, and its functionality is a subset of Hub. The table below provides more detail on the specific feature differences between the two.
|Codebase Support||Wide support for virtually any codebase or container image in any repository or storage location.||Support for open source codebases on GitHub.com.|
|Open Source Discovery||Broad component discovery and language support using multi-factor discovery, combining source and binary scanning, package inspection, and build output analysis.||Component discovery based on package manifest information in projects built with the following build and CI tools.
|Vulnerability Data||Enhanced Vulnerability Data that extends the CVE data in NVD with independently researched vulnerability information. Provides more vulnerabilities, same-data notification, and deeper remediation guidance than NVD.||NVD CVE data only.|
|BOM Vulnerability Updates||Continuously updated. No need to re-scan or build to see latest vulnerabilities.||Updates when the project is rebuilt.|
|New Vulnerability Alerts||Yes||No|
|View Risks Across Multiple Projects||Yes||No|
|License Compliance Features||Yes||No|
|Policy Management Features||Yes||No|
|Integration Across DevOps Tool Chain||Yes – integrates in a wide variety of IDEs, build/CI tools, binary repositories, container platforms, and other DevOps tools. View the full list here.||Limited to GitHub and build/CI tools listed above.|
If you are an open source developer with projects on GitHub.com you can get started today by visiting copilot.blackducksoftware.com. We look forward to getting your feedback on this new offering.
Get the latest AppSec news and trends sent directly to you.