Black Duck Datasheet

Black Duck

Software Composition Analysis

Secure and manage open source throughout the software supply chain

Overview

Black Duck is a comprehensive solution for managing security, license compliance, and code quality risks that come from the use of open source in applications and containers. Named a leader in software composition analysis (SCA) by Forrester, Black Duck gives you unmatched visibility into third-party code, enabling you to control it across your software supply chain and throughout the application life cycle.

An integrated solution for source and binaries


Only Black Duck combines versatile open source risk management with deep
binary inspection to provide a best-in-class SCA solution that helps you minimize
risks associated with open source and other third-party software. In a time when
open source composes 60% of the average codebase, Black Duck empowers your
development, operations, procurement, and security teams to:

• Find and fix security vulnerabilities at each stage in the SDLC, with detailed,
vulnerability-specific remediation guidance and technical insight.
• Eliminate risk of open source license noncompliance and safeguard your
intellectual property by using the industry’s largest open source knowledge base to
identify which of 2,600+ licenses are relevant to the open source in your applications
(including code snippets from larger components).
• Avoid development cost overruns and combat code decay with operational risk
metrics associated with poor open source code quality.
• Scan virtually any software, firmware, and source code to generate a
comprehensive bill of materials (BOM) of what’s inside.
• Automatically monitor for new vulnerabilities that affect your BOM, with custom
policies and workflow triggers to accelerate remediation and reduce your risk
exposure.

| synopsys.com | 1
Key benefits

Discover
• Identify open source in code, binaries, and containers.
• Detect partial and modified components.
• Automate scanning with DevOps integrations.

Protect
• Map components to known vulnerabilities.
• Identify license and component quality risks.
• Monitor for new vulnerabilities in development and production.

Manage
• Set and enforce open source use and security policies.
• Automate policy enforcement with DevOps integrations.
• Prioritize and track remediation activities.

Get deeper, more streamlined analysis

Black Duck identifies more open source, with greater accuracy, using a unique multifactor detection technology to generate and validate a complete BOM to track declared components, unique file hash signatures, dependencies resolved during a build, and open source code snippets. Black Duck’s intelligent scan client integrates with development tools used throughout the SDLC and automatically detects resources to optimize its scan methodology.

Find and fix vulnerabilities quickly

Black Duck’s open source security risk insight combines curated data from public sources (e.g., NVD) and detailed, proprietary analysis from the Synopsys Cybersecurity Research Center (CyRC). Get notified of new vulnerabilities up to 30 days before they are published in the NVD (reducing your window of exposure), and benefit from our exclusive enhanced vulnerability data and Black Duck Security Advisories (BDSAs), including:
• Critical risk metrics, vulnerability-specific technical insight, exploit details, and impact analysis
• CVSS 2 and CVSS 3 scoring and CWE classification data
• Common Attack Pattern Enumeration and Classification (CAPEC)
• Temporal scoring not provided by the NVD
• Component-level upgrade and remediation guidance, mitigating factors, and compensating controls
• Custom vulnerability risk scoring to match your company risk profile

Automatically enforce security and use policies

Configure your open source security and use policies based on a comprehensive array of criteria, including license type, vulnerability severity, open source component version, and more. Enforce policies with automatic workflow triggers, notifications, and bidirectional Jira integration for accelerated remediation initiation and reporting.

Identify open source risks, even without source code


With Black Duck in your toolkit, you can quickly and easily analyze vendor-supplied binaries
to identify weak links in your software supply chain without access to the source code. Get
deep, actionable risk metrics to make informed decisions about your use and procurement
of technologies before they put you at risk. Black Duck’s intelligent scan client automatically
determines if the target software is source or a compiled binary, then identifies and catalogs
all third-party software components, associated licenses, and known vulnerabilities
affecting your applications.

Black Duck | Source & Package Manager Scanning

Scanning

Languages
• C
• C++
• C#
• Clojure
• Erlang
• Golang
• Groovy
• Java
• JavaScript
• Kotlin
• Node.js
• Objective-C
• Swift
• Perl
• Python
• PHP
• R
• Ruby
• Scala
• .NET

Package Managers
• NuGet
• Hex
• Vndr
• Godep
• Dep
• Maven
• Gradle
• Npm
• CocoaPods
• Cpanm
• Conda
• Pear
• Composer
• Pip
• Packrat
• RubyGems
• SBT

BDBA Package Manager Support
• Distro-package-manager: Leverages information from a Linux distribution package manager database to extract component information.
• The remaining four methods are only applicable to Java bytecode:
  – pom: Extracts the Java package, group name, and version from the pom.xml or pom.properties files in a JAR file.
  – manifest: Extracts the Java package name and version from the entries in the MANIFEST.MF file in a JAR file.
  – jar-filename: Extracts the Java package name and version from the jar-filename.

Binary formats
• Native binaries
• Java binaries
• .NET binaries
• Go binaries

Compression formats
• Gzip (.gz)
• bzip2 (.bz2)
• LZMA (.lz)
• LZ4 (.lz4)
• Compress (.Z)
• XZ (.xz)
• Pack200 (.jar)
• UPX (.exe)
• Snappy
• DEFLATE
• zStandard (.zst)

Archive formats
• ZIP (.zip, .jar, .apk, and other derivatives)
• XAR (.xar)
• 7-Zip (.7z)
• ARJ (.arj)
• TAR (.tar)
• VM TAR (.tar)
• cpio (.cpio)
• RAR (.rar)
• LZH (.lzh)
• Electron archive (.asar)
• DUMP

Installation formats
• Red Hat RPM (.rpm)
• Debian package (.deb)
• Mac installers (.dmg, .pkg)
• Unix shell file installers (.sh, .bin)
• Windows installers (.exe, .msi, .cab)
• vSphere Installation Bundle (.vib)
• Bitrock Installer
• Installer generator formats that are supported:
  – 7z, zip, rar self extracting .exe
  – MSI Installer
  – CAB Installer
  – InstallAnywhere
  – Install4J
  – InstallShield
  – InnoSetup
  – Wise Installer
  – Nullsoft Scriptable Install System (NSIS)
  – WiX Installer

Firmware formats
• Intel HEX
• SREC
• U-Boot
• Arris firmware
• Juniper firmware
• Kosmos firmware
• Android sparse file system
• Cisco firmware

File systems / disk images
• ISO 9660 / UDF (.iso)
• Windows Imaging
• ext2/3/4
• JFFS2
• UBIFS
• RomFS
• Microsoft Disk Image
• Macintosh HFS
• VMware VMDK (.vmdk, .ova)
• QEMU Copy-On-Write (.qcow2)
• VirtualBox VDI (.vdi)
• QNX—EFS, IFS
• NetBoot image (.nbi)
• FreeBSD UFS

Container Formats
• Docker

Legend: Black Duck only / BDBA only
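As an added illustration of the three Java bytecode methods listed under BDBA Package Manager Support (pom, manifest, jar-filename), the following Python script applies them in that order to an in-memory JAR and reports which method produced the component identity. This is example code written for this page, not Black Duck's or BDBA's own implementation; the manifest header names it consults, the file-name regex, and the constructed sample JARs are assumptions.

```python
import io
import re
import zipfile

# jar-filename fallback: "commons-io-2.6.jar" -> commons-io / 2.6. Assumption (not from the
# datasheet): the version starts at the first "-<digit>" in the file name.
JAR_NAME_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines: '=' for .properties, ':' for MANIFEST.MF."""
    out, last = {}, None
    for line in text.splitlines():
        if sep == ":" and line.startswith(" ") and last:
            out[last] += line[1:]  # manifest continuation line (72-byte wrap)
        elif line.strip() and line[0] not in "#!" and sep in line:
            key, _, value = line.partition(sep)
            last = key.strip()
            out[last] = value.strip()
    return out

def identify_jar(filename, data):
    """Try the datasheet's three JAR methods in order: pom, manifest, jar-filename."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        # pom: Maven stores META-INF/maven/<groupId>/<artifactId>/pom.properties.
        for member in jar.namelist():
            if member.startswith("META-INF/maven/") and member.endswith("/pom.properties"):
                p = parse_kv(jar.read(member).decode("utf-8", "replace"), "=")
                if all(k in p for k in ("groupId", "artifactId", "version")):
                    return {"method": "pom", "group": p["groupId"],
                            "name": p["artifactId"], "version": p["version"]}
        # manifest: Implementation-* headers, or OSGi Bundle-* headers as a fallback.
        if "META-INF/MANIFEST.MF" in jar.namelist():
            m = parse_kv(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"), ":")
            name = m.get("Implementation-Title") or m.get("Bundle-SymbolicName")
            version = m.get("Implementation-Version") or m.get("Bundle-Version")
            if name and version:
                return {"method": "manifest", "group": m.get("Implementation-Vendor-Id"),
                        "name": name, "version": version}
    # jar-filename: last resort when the archive carries no usable metadata.
    match = JAR_NAME_RE.match(filename)
    return {"method": "jar-filename", "group": None, **match.groupdict()} if match else None

def build_jar(members):
    """Build an in-memory JAR from {path: text} (constructed sample, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, text in members.items():
            z.writestr(path, text)
    return buf.getvalue()
```

A BOM entry produced by the jar-filename method deserves less trust than one backed by pom.properties, since a renamed file changes the answer while embedded metadata does not.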

Black Duck | Integrations

Cloud technologies

Cloud platforms
• Amazon Web Services
• Google Cloud Platform
• Microsoft Azure

Container platforms
• Docker
• OpenShift
• Pivotal Cloud Foundry
• Kubernetes

Databases
• PostgreSQL

Package managers (see Source & Package Manager Scanning)

DevOps tools

IDEs
• Eclipse
• Visual Studio IDE

Continuous integration
• Jenkins
• TeamCity
• Bamboo
• Team Foundation Server
• Travis CI
• CircleCI
• GitLab CI
• Visual Studio Team Services
• Concourse CI
• AWS CodeBuild
• Codeship

Workflow and notifications
• Jira
• Slack
• Email
• SPDX

Binary and source repositories
• Artifactory
• Nexus

Application security suites
• IBM AppScan
• Micro Focus Fortify
• SonarQube
• ThreadFix
• Cybric
• Code Dx

The Synopsys difference


Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity.
Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis
solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and
application behavior.

For more information about the Synopsys Software Integrity Group, visit us online at www.synopsys.com/software.

Synopsys, Inc.
185 Berry Street, Suite 6500
San Francisco, CA 94107 USA

U.S. Sales: 800.873.8193
International Sales: +1 415.321.5237
Email: sig-info@synopsys.com

©2019 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at www.synopsys.com/copyright.html. All other names mentioned herein are trademarks or registered trademarks of their respective owners. December 2019
