Black Duck Software Composition Analysis

Secure and manage open source risks in applications and containers

Black Duck® software composition analysis (SCA) helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers.

Over 2,000 organizations worldwide use Black Duck

"Black Duck met Entersekt's checklist of what we needed in an open source vulnerability management solution better than any other vendor."

Philip Botha | Quality Assurance Manager, Entersekt

Know what's in your code

Black Duck’s multifactor open source detection and its KnowledgeBase of over 4 million components give you an accurate bill of materials (BoM) for any application or container.

Dependency Analysis

Integrates with build tools like Maven and Gradle to track both declared and transitive open source dependencies in applications built in languages like Java and C#.

Codeprint Analysis

Maps string, file, and directory information to the Black Duck KnowledgeBase to identify open source and third-party components in applications built using languages like C & C++.

Binary Analysis

Identifies open source within compiled application libraries and executables. No source code or build system access required.

Snippet Analysis

Finds parts of open source code that have been copied within proprietary code, which can potentially expose you to license violations and conflicts.

Find and fix your highest-priority vulnerabilities quickly

Black Duck Security Advisories help you avoid being caught off-guard by open source vulnerabilities, both in development and production. And they provide the critical data necessary to prioritize vulnerabilities for remediation, such as exploit info, remediation guidance, severity scoring, and call path analysis. Learn more about Black Duck's vulnerability database.

Timely. Thousands of security feeds are monitored and enhanced to provide same-day notification of most vulnerabilities, weeks before they appear in the National Vulnerability Database.

Accurate. Our team of security experts reviews and verifies vulnerability data to ensure accurate reporting of vulnerability descriptions, severity, exploit risk, and affected versions.

Actionable. Mitigation and remediation guidance detailed by our teams helps you prioritize vulnerabilities, select the optimal patch or upgrade path, and identify evidence of attack or compromise.

Automated. Vulnerabilities are prioritized for remediation based on critical vulnerability data, such as severity, available solutions, exploitability, CWE, and call path analysis.
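The four signals listed above (severity, available solution, exploitability, call path analysis) combine into a remediation order that differs from a plain CVSS sort. The following is an added illustration, not Black Duck's own scoring logic; the findings, advisory ids, and tier thresholds are constructed for the example.

```python
"""Added example (not Black Duck code): rank SCA findings for remediation
using severity, fix availability, exploitability, CWE and call path
reachability. All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    component: str       # "<name> <version>", constructed sample value
    advisory: str        # placeholder advisory id, not a real BDSA/CVE
    cvss: float          # severity score on the 0.0-10.0 scale
    exploit_known: bool  # public exploit or active exploitation reported
    fix_available: bool  # a patched version or mitigation exists
    reachable: bool      # call path analysis found a path from app code
    cwe: str             # weakness class; used only as a tiebreaker


# Weakness classes that usually need no user interaction to trigger.
HIGH_IMPACT_CWES = {"CWE-502", "CWE-78", "CWE-94", "CWE-787"}

TIER_ORDER = {"fix-now": 0, "next-sprint": 1, "review": 2, "backlog": 3}


def tier(f: Finding) -> str:
    """Map a finding to a remediation tier; reachable + exploitable first."""
    if f.reachable and f.exploit_known:
        return "fix-now"
    if f.reachable and f.cvss >= 7.0:
        return "next-sprint"
    if f.exploit_known:
        return "review"
    return "backlog"  # unreachable and no known exploit: track, do not block


def prioritize(findings):
    """Order by tier, then severity, then fix availability, then CWE impact."""
    return sorted(findings, key=lambda f: (TIER_ORDER[tier(f)], -f.cvss,
                                           not f.fix_available,
                                           f.cwe not in HIGH_IMPACT_CWES))


# Constructed findings: the highest CVSS is unreachable and ends up last.
SAMPLE = [
    Finding("libfoo 1.2.0", "ADV-0001", 9.8, False, True, False, "CWE-787"),
    Finding("libbar 3.1.4", "ADV-0002", 7.5, True, True, True, "CWE-502"),
    Finding("libbaz 0.9.1", "ADV-0003", 8.1, False, True, True, "CWE-79"),
    Finding("libqux 2.0.0", "ADV-0004", 5.3, True, False, False, "CWE-200"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{tier(f):12} {f.component:14} cvss={f.cvss} {f.advisory}")
```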

Integrate and automate open source governance into DevSecOps

Black Duck automated policy management allows you to define policies for open source use, security risk, and license compliance up front, and automate enforcement across the software development life cycle (SDLC) with the tools your developers already use. Learn more about our DevOps Integrations.

Developers

Identify, avoid, or automatically remediate components that are higher risk or violate policy, as you code.

Development & DevOps Teams

Automate scans, alerting or halting builds based on policy violations using CI tools like Jenkins.

Security & Operations Teams

Inspect apps and containers before they are deployed and get automated security alerts after.

Maintain compliance with open source licenses

Whether your software is delivered via the web or embedded in a hardware device, compliance with open source licenses is critical. Mitigate the cost and risk to intellectual property with greater insight into license obligations and attribution requirements. Learn more about open source license compliance.

Identify

Black Duck maps identified components to one of the more than 2,700 licenses tracked in our KnowledgeBase, and flags components with unknown licenses so they can be reviewed.

Understand

Obligation summaries explain license requirements in simple and standard terms so development and legal teams can quickly assess the impact of including a component in their application.

Comply

Black Duck automatically flags potential license conflicts and helps teams stay in compliance with policy enforcement, and notices file generation helps them accurately report license terms for customers.

Gartner report: 2020 Market Guide for Software Composition Analysis


Learn more about how you can innovate with open source while maintaining security and compliance with Black Duck

FREQUENTLY ASKED QUESTIONS

How is software composition analysis different from other application security tools?

Open source security is often overlooked, given the misconception that vulnerabilities in proprietary code and open source code can be detected and remediated in similar ways. The reality is that SAST, DAST, and other application security testing tools cannot effectively detect open source vulnerabilities. Enter SCA.

The key differentiator between software composition analysis (SCA) and other application security tools is what these tools analyze, and in what state. SCA analyzes third-party open source code for vulnerabilities, licenses, and operational factors, while SAST analyzes weaknesses in proprietary code, and DAST tests running applications for vulnerable behavior.

Do you need both SAST and software composition analysis?

A comprehensive software security program contains both SAST and SCA. Organizations that adopt such an approach see improvements throughout the SDLC, including these: improved quality through early identification of issues, visibility across proprietary and open source code, lower remediation costs by detecting and fixing vulnerabilities early in the development process, minimized risk of security breaches, and optimized security testing that is both effective and compatible with agile development.

What integrations does your software composition analysis tool support?

Black Duck offers easy-to-use open source integrations for the most popular development tools, plus REST APIs that let you build your own integrations for virtually any commercial or custom development environment. Black Duck offers a wide range of integrations across the SDLC, including IDEs, package managers, CI/CD, issue trackers, and production capabilities.


Where does Black Duck’s vulnerability information come from?

Most solutions rely solely on data from the National Vulnerability Database (NVD). This limitation presents a problem, as many vulnerabilities are never documented in the NVD, and others are not listed until weeks after they become public. Black Duck Security Advisories (BDSAs) go beyond the NVD, with enhanced data that is researched and analyzed by the Synopsys Cybersecurity Research Center (CyRC) to ensure completeness and accuracy, providing early warning and complete insight.


Why should I care about scanning for more than declared dependencies?

Most solutions use package manager declarations to identify open source components. But failing to scan for more than declared dependencies guarantees that you’ll miss some open source. And if you don’t know it’s there, you can’t possibly ensure it’s secure and compliant.

Package manager scanning will overlook open source that developers don’t declare in package manifests, languages like C and C++ or open source built into containers where no package manager is used, open source that has been modified, or partial snippets of code that still carry license obligations. By combining file system scanning and snippet scanning with build process monitoring, Black Duck provides visibility into open source components not tracked by a package manager, partial open source, and open source that was potentially modified or not declared, as well as component and version verification for dynamic and transitive dependencies.

What should I look for in a software composition analysis solution?

The short answer is an extensive and powerful solution that provides end-to-end control of open source risks. A solution like Black Duck provides a comprehensive approach to open source management throughout the entire SDLC.

More specifically, the following capabilities should be considered when selecting an SCA solution:

  • Comprehensive scanning, beyond what is declared
  • Persistent bill of materials
  • Policy, workflow, SDLC integrations
  • Robust vulnerability database, beyond the NVD
  • License compliance functionality
  • Monitoring and alerting

What languages and platforms does your software composition analysis tool support?

Black Duck supports the most common package managers. Black Duck’s snippet scanning covers the top and most frequently used languages. The expert KnowledgeBase™ team is constantly monitoring for and adding new languages, ensuring that all common languages are supported.

Additionally, Black Duck’s proprietary signature scanning approach is language agnostic. This scanning approach searches for signatures based on file and directory layouts along with other metadata that is independent of language.

Contact us for the most current list of supported languages and platforms.
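The two answers above (scanning beyond declared dependencies, and language-agnostic signature scanning based on file and directory layout) describe a gap between what a manifest says and what is actually on disk. The following added example, which is not Black Duck code, makes that gap concrete: it diffs a constructed requirements-style manifest against a constructed file listing, using a simple name-version directory pattern as a stand-in for a real signature scanner's KnowledgeBase matching.

```python
"""Added example (not Black Duck code): compare components a package
manifest declares with components a layout-based scan finds on disk, to
surface vendored or undeclared open source. All inputs are constructed."""
import re

# Constructed manifest in pip requirements.txt style: name==version per line.
MANIFEST = """\
requests==2.25.1
# pinned for the image build
pyyaml==5.4
"""

# Constructed file listing of a build tree, as a file system scan would see it.
FILE_LISTING = [
    "src/app/main.py",
    "src/app/vendor/requests-2.25.1/requests/__init__.py",
    "src/app/vendor/six-1.15.0/six.py",
    "third_party/zlib-1.2.11/inflate.c",
    "third_party/zlib-1.2.11/zlib.h",
    "static/js/jquery-3.4.1.min.js",
]

# Layout signature: a path element named <component>-<version>.  A real
# signature scanner matches layouts and metadata against a knowledge base;
# this regex is the example's own assumption, not the product's matcher.
SIGNATURE = re.compile(
    r"(?:^|/)([A-Za-z][\w.]*?)-(\d+(?:\.\d+)+)(?:\.min)?(?:\.\w+)?(?:/|$)")


def declared_components(manifest):
    """Parse 'name==version' lines, skipping blanks and comments."""
    out = set()
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        out.add((name.lower(), version))
    return out


def discovered_components(paths):
    """Collect (name, version) pairs whose layout matches the signature."""
    return {(n.lower(), v) for p in paths for n, v in SIGNATURE.findall(p)}


def bom_gap(manifest, paths):
    """Return (on disk but undeclared, declared but absent from the tree)."""
    declared, found = declared_components(manifest), discovered_components(paths)
    return found - declared, declared - found
```

The first set is the blind spot the text describes (vendored code, C sources, a minified JavaScript library); the second flags manifest entries that never materialized in the scanned artifact and deserve a look as well.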

Does SCA support binary code in addition to source code?

Yes. Some solutions can only read package manager metadata from binaries, or recognize binaries pulled unmodified from a repository. Black Duck’s binary scanning goes further: it can crack binaries open to detect modified binaries, and it supports legacy languages and a broad range of artifact types.


How comprehensive is Black Duck’s licensing data in the KnowledgeBase™?

Black Duck’s open source KnowledgeBase™ is the industry’s most comprehensive database of open source project, license, and security information, sourced and curated by the Synopsys Cybersecurity Research Center (CyRC). The KnowledgeBase contains more than 2,650 unique open source licenses (GPL, LGPL, Apache, etc.), with full license text for the most popular open source licenses and dozens of encoded attributes and obligations for each license. Black Duck also includes deep copyright data and the ability to pull out embedded open source licenses for complete open source compliance.

Does your SCA tool scan containers?

Yes. Black Duck allows teams who package and deliver applications using Docker (and other) containers to confirm and attest that any open source in their containers meets use and security policies, is free of vulnerabilities, and fulfills license obligations. Open source management includes ongoing monitoring for new vulnerabilities affecting existing applications and containers.