Black Duck
Software Composition Analysis
Secure and manage open source throughout the software supply chain
Overview
Black Duck is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers. Named a leader in software composition analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.
An integrated solution for source and binaries
Only Black Duck combines versatile open source risk management with deep binary inspection to provide a best-in-class SCA solution that helps you minimize risks associated with open source and other third-party software. In a time when open source composes 70% of the average codebase, Black Duck empowers your development, operations, procurement, and security teams to:
• Find and fix security vulnerabilities at each stage in the SDLC, with detailed, vulnerability-specific remediation guidance and technical insight.
• Eliminate risk of open source license noncompliance and safeguard your intellectual property by using the industry’s largest open source knowledge base to identify which of 2,650 licenses are relevant to the open source in your applications (including code snippets from larger components).
• Avoid development cost overruns and combat code decay with operational risk metrics associated with poor open source code quality.
• Scan virtually any software, firmware, and source code to generate a comprehensive bill of materials (BOM) of what’s inside.
• Automatically monitor for new vulnerabilities that affect your BOM, with custom policies and workflow triggers to accelerate remediation and reduce your risk exposure.
| synopsys.com | 1
Discover
• Identify open source in code, binaries, and containers.
• Detect partial and modified components.
• Automate scanning with DevOps integrations.
Protect
• Map components to known vulnerabilities.
• Identify license and component quality risks.
• Monitor for new vulnerabilities in development and production.
Manage
• Set and enforce open source use and security policies.
• Automate policy enforcement with DevOps integrations.
• Prioritize and track remediation activities.
Key benefits
Get deeper, more streamlined analysis
Black Duck identifies more open source, with greater accuracy, using a unique multifactor detection technology to generate and validate a complete BOM that tracks declared components, unique file hash signatures, dependencies resolved during a build, and open source code snippets. Black Duck’s intelligent scan client integrates with development tools used throughout the SDLC and automatically detects resources to optimize its scan methodology.
Find and fix vulnerabilities quickly
Black Duck’s open source security risk insight combines curated data from public sources (e.g., NVD) and detailed, proprietary analysis from the Synopsys Cybersecurity Research Center (CyRC). Get notified of new vulnerabilities weeks before they are published in the NVD (reducing your window of exposure), and benefit from our exclusive enhanced vulnerability data and Black Duck Security Advisories (BDSAs), including:
• Critical risk metrics, vulnerability-specific technical insight, exploit details, and impact analysis
• CVSS 2 and CVSS 3 scoring and CWE classification data
• Common Attack Pattern Enumeration and Classification (CAPEC)
• Temporal scoring not provided by the NVD
• Component-level upgrade and remediation guidance, mitigating factors, and compensating controls
• Vulnerability impact analysis to determine if the vulnerable code is being called by the application
• Custom vulnerability risk scoring to match your company risk profile
• Prioritization of vulnerabilities for remediation across multiple critical data points, including severity, solution availability, exploitability, CWE, and reachability
Automatically enforce security and use policies
Configure your open source security and use policies based on a comprehensive array of criteria, including license type, vulnerability severity, open source component version, and more. Enforce policies with automatic workflow triggers, notifications, and bidirectional Jira integration for accelerated remediation initiation and reporting.
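To make the two ideas above concrete, the policy criteria (license type, vulnerability severity) and the prioritization across severity, solution availability, exploitability, and reachability, here is a small illustrative policy evaluator over a BOM. It is an added example for this page, not Black Duck code, and it does not use Black Duck's data formats or APIs. The BOM entries, advisory identifiers (VULN-EXAMPLE-*), license denylist, CVSS threshold, and scoring weights are all constructed assumptions chosen to show the mechanics; a real deployment would take the BOM and vulnerability data from the scanner and the thresholds from the organization's policy.

```python
from dataclasses import dataclass, field

# Constructed sample data model; not Black Duck's schema.
@dataclass
class Vulnerability:
    vid: str             # advisory identifier (placeholder values below)
    cvss3: float         # CVSS v3 base score
    cwe: str             # CWE classification
    exploit_known: bool  # public exploit details available
    fix_available: bool  # a fixed component version exists (solution availability)
    reachable: bool      # impact analysis found the vulnerable code is called

@dataclass
class Component:
    name: str
    version: str
    license: str
    vulns: list = field(default_factory=list)

# Assumed policy settings: which licenses this application may not ship with,
# and the severity at which a component fails the build.
COPYLEFT_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
MAX_ALLOWED_CVSS = 7.0

def check_license(c):
    """License-type policy: a violation message, or None if the component passes."""
    if c.license in COPYLEFT_LICENSES:
        return f"{c.name}@{c.version}: license {c.license} is not permitted for this application"
    return None

def check_severity(c):
    """Vulnerability-severity policy: fail on any vulnerability at or above the threshold."""
    worst = max((v.cvss3 for v in c.vulns), default=0.0)
    if worst >= MAX_ALLOWED_CVSS:
        return f"{c.name}@{c.version}: has a vulnerability with CVSS {worst} >= {MAX_ALLOWED_CVSS}"
    return None

POLICIES = [check_license, check_severity]

def evaluate_policies(bom):
    """Run every policy rule over every component; return all violation messages."""
    violations = []
    for c in bom:
        for rule in POLICIES:
            msg = rule(c)
            if msg:
                violations.append(msg)
    return violations

def priority_score(v):
    """Combine base severity with exploitability, reachability and solution availability.
    The weights are illustrative assumptions, not a standard formula."""
    score = v.cvss3
    if v.exploit_known:
        score += 2.0        # public exploit details raise urgency
    if v.reachable:
        score += 2.0        # vulnerable code is actually called by the application
    else:
        score -= 3.0        # unreachable code lowers urgency
    if v.fix_available:
        score += 1.0        # an upgrade exists, so remediation is cheap
    return round(score, 1)

def prioritize(bom):
    """Return (component, vulnerability, score) tuples, most urgent first."""
    ranked = [(c, v, priority_score(v)) for c in bom for v in c.vulns]
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked

# Constructed BOM: three components, each with one placeholder advisory.
SAMPLE_BOM = [
    Component("libfoo", "1.2.3", "MIT", [
        Vulnerability("VULN-EXAMPLE-1", 9.8, "CWE-787", exploit_known=True, fix_available=True, reachable=True),
    ]),
    Component("libbar", "0.9.0", "GPL-3.0-only", [
        Vulnerability("VULN-EXAMPLE-2", 7.5, "CWE-79", exploit_known=False, fix_available=True, reachable=False),
    ]),
    Component("libbaz", "2.0.0", "Apache-2.0", [
        Vulnerability("VULN-EXAMPLE-3", 5.3, "CWE-400", exploit_known=True, fix_available=False, reachable=True),
    ]),
]

if __name__ == "__main__":
    for msg in evaluate_policies(SAMPLE_BOM):
        print("POLICY VIOLATION:", msg)
    for c, v, s in prioritize(SAMPLE_BOM):
        print(f"{s:5.1f}  {c.name}@{c.version}  {v.vid}  {v.cwe}")
```

Running it reports two policy violations for libbar (license and severity) and one for libfoo (severity), and ranks VULN-EXAMPLE-3 above VULN-EXAMPLE-2 even though its CVSS score is lower, because its code is reachable and an exploit is known while VULN-EXAMPLE-2 is unreachable. That reordering is the practical point of combining reachability and exploitability with severity rather than sorting on CVSS alone.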
Identify open source risks, even without source code
With Black Duck in your toolkit, you can quickly and easily analyze vendor-supplied binaries to identify weak links in your software supply chain without access to the source code. Get deep, actionable risk metrics to make informed decisions about your use and procurement of technologies before they put you at risk. Black Duck’s intelligent scan client automatically determines if the target software is source or a compiled binary, then identifies and catalogs all third-party software components, associated licenses, and known vulnerabilities affecting your applications.