Black Duck Software Composition Analysis

Secure and manage open source risks in applications and containers

Black Duck provides a comprehensive software composition analysis (SCA) solution for managing security, quality, and license compliance risk that comes from the use of open source and third-party code in applications and containers. Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

Are you looking to assess open source risks for M&A? Learn more about our audit services.

Manage open source risks with Black Duck

Black Duck software composition analysis combines versatile open source risk management and deep binary inspection in a best-in-class solution. Black Duck gives development, operations, procurement, and security teams the tools they need to minimize the security, compliance, and code quality risks of open source and other third-party software, while still realizing the benefits that come with it.

• Identify open source in code, binaries, and containers
• Detect partial and modified components
• Automate scanning with DevOps integrations

• Map components to known vulnerabilities
• Identify license and component-quality risks
• Monitor for new vulnerabilities in development and production

• Set and enforce open source use and security policies
• Automate policy enforcement with DevOps integrations
• Prioritize and track remediation activities

Black Duck technology

Not all open source security solutions are created equal. Synopsys solutions are built on a foundation of industry-leading technologies that ensure you get the most complete and accurate view of open source risks in your software.

Multifactor open source detection

  • Multifactor discovery, beyond dependency scanning
  • Detect undeclared, modified, or even partial open source components
  • Thorough open source discovery, with or without access to source code

Enhanced vulnerability data

  • Featuring our independently researched Black Duck Security Advisories (BDSAs)
  • Rich vulnerability data that goes beyond the NVD and is available weeks sooner
  • Automatically prioritize remediation efforts based on critical business requirements

End-to-end DevOps integrations

  • Manage open source risks at every stage of the application life cycle
  • Define open source use policies once, with automatic alerts and enforcement
  • Access BDSAs for vulnerabilities as you code, right in the IDE

Black Duck KnowledgeBase

  • Black Duck KnowledgeBase is the definitive source for open source information
  • Continuous automated data collection from over 20,000 global sites and forges
  • Curated and validated by Black Duck’s team of experts

We’re a Leader in the 2019 Forrester Wave for Software Composition Analysis

Manage open source during development

"We selected Black Duck for three reasons: for reputation, ease of use, and confidence in results."

Lawrence Croft, VP Product Development at Copperleaf

With Black Duck software composition analysis, you can identify and track open source components within your applications’ source code and monitor for new and existing vulnerabilities that put them at risk.

Use multifactor open source detection to inventory open source in use.
Identify declared components, unique hash signatures, and dependencies resolved during a build. Track all third-party components, licenses, and versions contained in your applications.

Map your bill of materials (BOM).
Map your BOM onto the largest KnowledgeBase™ of open source project, vulnerability, and license data. Make informed decisions with relevant risk metrics and actionable remediation guidance.

Manage risk as you code.
With the Code Sight IDE plugin, developers have the information necessary to find and fix issues as they code. Access detailed vulnerability descriptions, remediation guidance, license information, and potential policy violations so you can fix the problem without interrupting your work or leaving the IDE.

Get deeper vulnerability insight.
Access detailed, proprietary security risk insight from the Cybersecurity Research Center (CyRC). Receive notifications of new vulnerabilities up to three weeks before they are published in the NVD, reducing your window of exposure.

Uphold security as threats evolve.
Automatically receive alerts for newly discovered vulnerabilities in the components and dependencies in your BOM.
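The inventory, mapping and monitoring steps described above, as an added worked example in Python. This is not Black Duck's code, KnowledgeBase or API: the component names, versions, licenses, advisory records (ids of the form EXAMPLE-nnnn), policy and hash-signature table are all constructed for the example, and a real SCA tool would draw them from a curated knowledge base. The example shows the three mechanisms the text names: declared dependencies plus hash-signature matching to catch undeclared components, joining the resulting BOM to version-ranged advisories and license data under a policy, and re-evaluating an existing BOM when a new advisory arrives.

```python
"""Toy software composition analysis (SCA) pass. Everything below is
constructed for illustration: the component names, versions, licenses,
advisory records and hash signatures are not real data and do not come
from Black Duck's KnowledgeBase, BDSA feed or any API."""
import hashlib
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically,
    not lexically ('1.10.0' must sort after '1.9.9')."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    vuln_id: str      # placeholder id, not a real CVE or BDSA number
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet
    severity: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return not self.fixed or v < parse_version(self.fixed)


# Constructed component files. Their SHA-256 digests form the signature table,
# which lets the scan recognise a vendored copy that no manifest declares.
VENDORED_BLOBS = {
    ("libimage", "2.0.1"): b"libimage 2.0.1 constructed sample payload",
    ("zipthing", "0.9.0"): b"zipthing 0.9.0 constructed sample payload",
}
SIGNATURES = {hashlib.sha256(b).hexdigest(): comp for comp, b in VENDORED_BLOBS.items()}

LICENSES = {"libimage": "MIT", "zipthing": "GPL-3.0-only", "netlib": "Apache-2.0"}

ADVISORIES = [
    Advisory("EXAMPLE-0001", "libimage", "1.0.0", "2.0.2", "critical"),
    Advisory("EXAMPLE-0002", "netlib", "3.0.0", "3.4.0", "medium"),
]
# An advisory that "arrives later", to show monitoring of an already-scanned BOM.
NEW_ADVISORY = Advisory("EXAMPLE-0003", "zipthing", "0.0.1", "", "high")

# Policy: which findings block a build rather than merely warn.
POLICY = {"block_severities": {"critical"}, "denied_licenses": {"GPL-3.0-only"}}

# Constructed build tree: the manifest plus the files actually present.
DECLARED = [("libimage", "2.0.1"), ("netlib", "3.2.0")]
FILES = {
    "vendor/zipthing.bin": VENDORED_BLOBS[("zipthing", "0.9.0")],
    "src/app.c": b"int main(void) { return 0; }",
}


def build_bom(declared, files):
    """Inventory step: declared dependencies plus components recognised
    by file hash. Returns {(name, version): origin}."""
    bom = {comp: "declared" for comp in declared}
    for path, data in files.items():
        comp = SIGNATURES.get(hashlib.sha256(data).hexdigest())
        if comp and comp not in bom:
            bom[comp] = f"undeclared, matched by hash in {path}"
    return bom


def evaluate(bom, advisories, policy):
    """Mapping step: join the BOM to advisory and license data and apply policy.
    Returns sorted (name, version, detail, blocking) tuples."""
    findings = []
    for (name, version), _origin in bom.items():
        lic = LICENSES.get(name, "unknown")
        if lic in policy["denied_licenses"]:
            findings.append((name, version, f"license {lic} denied", True))
        for adv in advisories:
            if adv.component == name and adv.affects(version):
                fix = f"fixed in {adv.fixed}" if adv.fixed else "no fix available"
                detail = f"{adv.vuln_id} ({adv.severity}, {fix})"
                findings.append((name, version, detail, adv.severity in policy["block_severities"]))
    return sorted(findings)


def new_alerts(bom, old_advisories, current_advisories, policy):
    """Monitoring step: findings that exist only after new advisories landed."""
    before = set(evaluate(bom, old_advisories, policy))
    after = set(evaluate(bom, current_advisories, policy))
    return sorted(after - before)


if __name__ == "__main__":
    bom = build_bom(DECLARED, FILES)
    for comp, origin in bom.items():
        print(f"{comp[0]} {comp[1]}: {origin}")
    for f in evaluate(bom, ADVISORIES, POLICY):
        print(("BLOCK " if f[3] else "warn  ") + " ".join(f[:3]))
    print("new since last scan:", new_alerts(bom, ADVISORIES, ADVISORIES + [NEW_ADVISORY], POLICY))
```

Two design points carry over to real tooling: versions are compared as numeric tuples rather than strings, because string comparison silently treats 1.10 as older than 1.9 and hides affected components; and the monitoring step is a set difference between two evaluations of the same stored BOM, so an alert never requires rescanning the code, only re-joining the inventory against the newer advisory data.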

Manage open source during procurement

"An innovative binary scanner to address 3rd party software vulnerabilities."

Software Engineer, Communications Industry

With Black Duck Binary Analysis, you can analyze systems and software to identify weak links in your software supply chain quickly and easily—all without source code.

Scan virtually any software or firmware in minutes.
This includes desktop and mobile applications, embedded system firmware, virtual appliances, and more.

Analyze without source code.
Simply upload the software you want to assess, and Black Duck performs a thorough binary analysis in minutes.

Obtain a comprehensive bill of materials (BoM).
Identify and catalog all third-party software components and licenses.

Make informed decisions about software consumption.
Reduce security risks and the threat of license noncompliance. Identify known open source vulnerabilities, licensing obligations, sources of sensitive data leakage, and application permission requirements.

Uphold security as threats evolve.
Automatically receive alerts for newly discovered vulnerabilities in previously scanned software.

Manage software risk during mergers and acquisitions

With Black Duck Audits, you get a complete picture of the license, quality, and security risks in the codebase being acquired.

Inventory and analyze open source and plan for remediation.
Obtain a comprehensive bill of materials (BOM) of open source components, their license obligations, and associated security vulnerabilities in the code. Get recommendations for remediating to build into your diligence plan.

Assess application security flaws.
Perform testing of the application from the outside in, and from within the app, to uncover potentially exploitable issues. Understand the risk of potential security breaches, and build a plan for remediation before data, IP, or financial loss occurs.

Identify high-level design and code quality issues.
Pair quantitative and qualitative analysis to understand code design and process quality. Design and process flaws can add time and money to integration efforts.

Take control of open source, eliminate risks, and accelerate remediation

Black Duck empowers your application development, deployment, and procurement initiatives with a comprehensive toolkit to identify and remediate open source security, license, and operational risks. Use insightful vulnerability remediation and risk mitigation guidance, complete open source license compliance data, Black Duck exclusive security advisories, and impactful policy controls to eliminate risks proactively.