Black Duck is a comprehensive software composition analysis solution that helps organizations manage the security, quality, and license compliance risks that come from using open source and third-party code in applications and containers. Black Duck gives organizations like Trend Micro visibility into third-party code, enabling them to control it across the software supply chain and throughout the application life cycle.
“We conducted testing on several vendors’ products noted in analysts’ reports as SCA industry leaders,” Arciniegas said. “We found that Synopsys Black Duck surpassed other vendors in terms of accuracy and support for scanning of various file types. We were impressed by the Black Duck Signature Scanner and its ability to analyze more types of files from different package management ecosystems than other vendors.”
In a typical Black Duck scan, Synopsys Detect scans source code (including archive formats), a Docker image, or a binary artifact. Once the scan is launched, Synopsys Detect uses a set of internal tools (the Black Duck Signature Scanner, detectors, and inspectors) to discover open source components. These tools also gather metadata about the code, including package manager data and code prints. When that process is complete, Detect sends the metadata to Black Duck in the form of a scan file. The Black Duck server communicates with the Black Duck KnowledgeBase™ and uses the scan file to create a Software Bill of Materials (SBOM) that lists every discovered open source component and its associated risk. Synopsys Detect maps the scan file to a project and project version in Black Duck, where the SBOM is displayed.