Multifactor Open Source Detection

The multifactor open source scanning technology in Black Duck by Synopsys ensures that you have the most complete and accurate view of open source in your applications and containers. Our open source detection combines build process monitoring and file system scanning to track all open source in use, including components most solutions miss.

Build process monitoring

Tracks both the components explicitly declared in package manifests and additional dependencies dynamically resolved during a build

File system scanning

Analyzes file and directory metadata, as well as SHA file signature “code prints,” to discover undeclared, modified, and partial open source components

Code snippet matching

Identifies “snippets” of open source embedded in your code to reveal potential copyright and license obligations

Why package declarations aren’t enough

Most other solutions rely solely on package manager declarations to identify open source components. But these solutions miss a lot of open source that may be in your code, including:

  • Open source that developers add to your code but don’t declare in package manifests
  • Open source in languages like C and C++ where no package manager is used
  • Open source built into containers without use of a package manager

In addition, these solutions often provide inaccurate results for transitive dependencies and components where the package declaration does not specify a single version to include in the build.

By combining file system information with build process monitoring, Black Duck provides visibility into open source components not tracked by a package manager as well as component and version verification for dynamic and transitive dependencies.
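To make the file system scanning idea above concrete, here is an added example (not Black Duck code and not how its signature database is built) that shows the SHA "code print" technique in miniature: every file under a source tree is hashed, the hash is looked up in a signature database of known open source file contents, and any match whose component is absent from the package manifest is reported as undeclared. The sample tree, the signature database, the component names (tinyjson, strutil) and the manifest contents are all constructed for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest used here as a file's 'code print'."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample source tree: one first-party file plus two vendored
# open source files copied in by hand (hypothetical libraries).
SAMPLE_FILES = {
    "src/app.py": "import json\nprint('first-party application code')\n",
    "src/vendor/tinyjson.c": "/* tinyjson 1.2 (hypothetical) */\nint tj_parse(const char *s);\n",
    "src/vendor/strutil.js": "// strutil 0.4 (hypothetical)\nmodule.exports = { pad: (s, n) => s.padStart(n) };\n",
}

# Constructed signature database: SHA-256 of known file contents -> component metadata.
KNOWN_PRINTS = {
    sha256_of(SAMPLE_FILES["src/vendor/tinyjson.c"].encode()): ("tinyjson", "1.2", "MIT"),
    sha256_of(SAMPLE_FILES["src/vendor/strutil.js"].encode()): ("strutil", "0.4", "Apache-2.0"),
}

# Constructed package manifest: developers declared strutil but not tinyjson.
DECLARED_COMPONENTS = {"strutil"}


def write_sample_tree(root: Path) -> None:
    """Materialise the constructed sample tree under root."""
    for rel, text in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(text.encode())


def scan_tree(root: Path, prints: dict) -> list:
    """Hash every regular file under root; return (relpath, component, version, license) for each match."""
    matches = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_of(path.read_bytes())
        if digest in prints:
            component, version, license_id = prints[digest]
            matches.append((path.relative_to(root).as_posix(), component, version, license_id))
    return matches


def undeclared(matches: list, declared: set) -> list:
    """Keep only matches whose component is missing from the package manifest."""
    return [m for m in matches if m[1] not in declared]


def run_demo() -> list:
    """Build the sample tree in a temp dir, scan it, and return the undeclared components."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_tree(root)
        return undeclared(scan_tree(root, KNOWN_PRINTS), DECLARED_COMPONENTS)


if __name__ == "__main__":
    for rel, comp, ver, lic in run_demo():
        print(f"undeclared open source: {rel} -> {comp} {ver} ({lic})")
```

Exact-hash matching only finds files copied verbatim; a single edited line changes the digest, which is why modified or partial components need the additional metadata and snippet-level matching the page describes rather than whole-file hashes alone.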

Simple integration into your CI/CD pipeline

Black Duck Detect, our open source discovery client, makes it easy to integrate open source detection into your existing development tools and processes. It automatically identifies which languages and package managers you’re using, configures the appropriate integrations for discovery, and finds the most effective way to analyze your code.
