• Silicon Design & Verification Products
  • Solutions
  • Resources
  • Services
  • Community
  • Training
  • Silicon IP Products
  • Solutions
  • Resources
  • Services
  • Community
Contact Us
Contact Us
Contact Us
  • Software Integrity
  • Services
  • Solutions
  • Resources
  • Training and Education
  • Support
Contact Sales
Contact Sales

Contact Sales

Contact Sales

Contact Sales

  • About Us
Discover
+ Silicon Design & Verification + Silicon IP + Software Integrity + About Us
Support
SolvNet Software Integrity
Global SItes
日本サイ ト 中文网站 中文網站

Software Composition Analysis

Manage Risk in Open Source Software 

Contact Sales

Synopsys Software Composition Analysis (SCA) provides a comprehensive solution for managing risk from open source (OSS) and third-party software. Synopsys SCA gives you visibility into third-party code, enabling you to control it throughout an increasingly complex software supply chain and during your application development process.

state of software composition analysis

What’s hiding in your applications?

Third-party code saves time and money, but it can also harbor some dangers, including these:

  • Security vulnerabilities (e.g., CVEs identified in the National Vulnerability Database)
  • Common software weaknesses (e.g., SANS Top 25 or OWASP Top 10)
  • Risks related to license violations and IP ownership
See what we observed in the latest State of Software Composition report.

Synopsys SCA helps you navigate OSS with ease

Synopsys has combined versatile open source risk management from Black Duck with the deep binary inspection of Protecode to provide a best-in-class solution. Synopsys SCA gives development, operations, procurement, and security teams the tools they need to minimize the security, compliance, and code-quality risks of open source and other third-party software, while still realizing the benefits that come with it.

 

Discover

• Identify open source in code, binaries, and containers
• Detect partial and modified components
• Automate scanning with DevOps integrations

Protect

• Map components to known vulnerabilities
• Identify license and component-quality risks
• Monitor for new vulnerabilities in development and production

Manage

• Set and enforce open source use and security policies
• Automate policy enforcement with DevOps integrations
• Triage, schedule, and track remediation activities

We're a Gartner Magic Quadrant Leader in application security testing—again.

Find out why

Source code analysis with Black Duck is smooth sailing

With Black Duck Hub, you can identify and track open source components within your applications’ source code and monitor for new and existing vulnerabilities that put them at risk.

source code analysis with Black Duck

We selected Black Duck for three reasons: for reputation, ease of use, and confidence in the results."

Lawrence Croft

|

VP Product Development at Copperleaf

Use multifactor open source detection.
Identify declared components, unique hash signatures, and dependencies resolved during a build.

Generate a complete inventory of open source in use.
Track all third-party components, licenses, and versions contained in your applications.

Map your bill of materials (BoM).
Map your BoM on the largest knowledge base of open source project, vulnerability, and license data. Make informed decisions with relevant risk metrics and actionable remediation guidance.

Get deeper vulnerability insight. 
Access detailed, proprietary security risk insight from the Black Duck Center for Open Source Research and Innovation (COSRI). Receive notifications of new vulnerabilities up to 3 weeks before they are published in the NVD, reducing your window of exposure.
 
Combat code decay proactively.
Automatically receive alerts for newly discovered vulnerabilities in the components and dependencies within your BoM.
 

Breaking down DevSecOps

Build AppSec into your CI/CD pipeline with static application security testing and software composition analysis.

Watch the webinar

Binary analysis is a breeze with Protecode SC

With Protecode SC, you can analyze systems and software to identify weak links in your software supply chain quickly and easily—all without source code.

Scan virtually any software or firmware in minutes.
This includes desktop and mobile applications, embedded system firmware, virtual appliances, and more.

Analyze without source code.
Simply upload the software you want to assess, and Protecode SC performs a thorough binary analysis in minutes.

Obtain a comprehensive bill of materials (BoM).
Identify and catalog all third-party software components and licenses.

Identify known vulnerabilities and licensing obligations within software components.
Make informed decisions about the use and procurement of technology with realistic metrics.

Combat code decay proactively.
Automatically receive alerts for newly discovered vulnerabilities in previously scanned software.

Download datasheet

Protecode SC

Protecode SC is an innovative binary scanner to address 3rd party software vulnerabilities."

Software Engineer

|

Communications Industry

Master your supply chain

Gain visibility into the composition of purchased software, make better buying decisions, and manage the ongoing risk of operating complex systems and software.

Datasheet
Black Duck Hub

Black Duck Hub

Download datasheet

White Paper

Get supply chain transparency

Download the white paper
state of software composition

The State of Software Composition 2017

Get report

Blog

Best practices for free and open source software vulnerability management

Read the article
Datasheet

Protecode SC

Learn more

Datasheet

SAST and Software Composition Analysis integration

Learn more