
Black Duck
Software Composition Analysis (SCA) Solution
Black Duck
Black Duck is a Software Composition Analysis (SCA) solution that analyzes the components of a software product to identify the open source it contains, together with the licenses and known security vulnerabilities of that open source.
It gives SBOM-level visibility into the open source components, versions, licenses, security vulnerabilities and third-party software used in an application, and automates open source risk management by integrating with the existing SDLC.
Key Features
Black Duck provides end-to-end open source risk management backed by a Knowledge Base of 1.5 PB covering more than 2,750 licenses and 247,000 open source vulnerabilities.
- Discover: Identify and track all open source in your applications and containers
- Protect: Identify and fix known open source vulnerabilities, both in development and in production
- Comply: Expert-verified open source license data and compliance support
- Manage: Support for implementing and automating open source risk management policies
Detailed Features
- Software composition analysis: Identifies open source components and their licenses, analyzes their security vulnerabilities and provides remediation guidance
- Application and container analysis: Analysis of application source code and container images
- Binary analysis: Analysis of native, Java, .NET and Go binaries
- Snippet analysis: Detects code fragments copied from open source into a file (partial matches, not just whole files)
- Compression and archive analysis: Analysis of compressed files and archives such as zip, jar, etc.
- Dependency analysis: Analysis of direct and transitive dependencies
- Codeprint analysis: Detects modified open source files as well as 100% matches
- Commercial component analysis: Analysis of commercial libraries
- Installation package analysis: Analysis of installer packages such as RPM, DEB, etc.
- Firmware analysis: Analysis of firmware images, including Intel HEX, SREC, U-Boot, etc.
- Filesystem/disk image analysis: Analysis of ISO 9660, ext2/3/4, FreeBSD UFS, etc.
- Enhanced security vulnerability information: Provides NVD CVE data plus Black Duck's own vulnerability research, published as Black Duck Security Advisories (BDSA)
- Monitoring for new vulnerabilities: Monitors components already in use and alerts when a new vulnerability is disclosed for them
- License details: Detailed information on each license and the obligations it imposes
- License compatibility analysis: Compatibility analysis between open source licenses
- Multi-license analysis: Handles components released under more than one license
- Operational risk: Provides operational risk information for open source components
- Integration with the existing SDLC: IDE, package manager, build and CI, binary repository, workflow and notifications, vulnerability management, and production-stage integration
- Policy automation: Support for defining and automating open source risk management policies
- Concurrent scanning: Supports running multiple scans concurrently
- Offline scanning: Supports scanning in closed (air-gapped) network environments
- Support for various platforms:
  - Server: Linux
  - Client: Windows, Mac, Linux
- Support for various reports: Supports formats such as SPDX-based SBOM (Software Bill of Materials), CycloneDX, etc.
Open source detection using multi-factor analysis
- Dependency analysis: Tracks declared components and the dependencies pulled in at build time, including transitive dependencies.
- Codeprint analysis: Analyzes file and directory metadata and SHA file signatures to detect undeclared, modified and partial open source.
- Code snippet matching: Identifies open source code fragments that carry potential copyright and license obligations.
- Binary analysis: Analyzes compiled software, firmware or installers without access to their source code.
- Custom component discovery: Identifies internal or commercial third-party components that are not open source, using string searches and codeprints.
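The following is an added illustration of how two of these factors complement each other; it is not Black Duck's code, Knowledge Base or output format. A dependency walk over a constructed lockfile-style graph finds the declared packages and their transitive closure; a SHA-1 file-signature scan over a constructed directory tree finds a vendored copy of a library the manifest never declares; both results are merged into a minimal CycloneDX-style SBOM. The package graph, file contents, "knowledge base" hashes and the `pkg:npm` purls are all made up for this example, and a real knowledge base holds signatures of actual released files rather than these strings.

```python
import hashlib
import tempfile
from pathlib import Path

# Factor 1: dependency analysis over a constructed lockfile-style graph,
# name -> (resolved version, [direct dependency names]). Made up for this example.
LOCK_GRAPH = {
    "webapp": ("1.0.0", ["express", "lodash"]),
    "express": ("4.18.2", ["body-parser", "cookie"]),
    "body-parser": ("1.20.2", ["bytes"]),
    "cookie": ("0.5.0", []),
    "bytes": ("3.1.2", []),
    "lodash": ("4.17.21", []),
}

def resolve_transitive(root, graph=LOCK_GRAPH):
    """{name: version} for everything reachable from root's direct dependencies."""
    found = {}
    stack = list(graph[root][1])
    while stack:
        name = stack.pop()
        if name in found:
            continue  # already visited; also breaks dependency cycles
        version, deps = graph[name]
        found[name] = version
        stack.extend(deps)
    return found

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

# Factor 2: file-signature matching. The "knowledge base" maps the SHA-1 of a
# file's exact content -> (component, version, license). Contents are made up;
# a real knowledge base holds hashes of actual released files.
JQUERY_BLOB = b"/*! jQuery v3.6.0 | (c) OpenJS Foundation | MIT */\n"
LODASH_BLOB = b"/** @license MIT lodash 4.17.21 */\n"
KNOWLEDGE_BASE = {
    sha1_hex(JQUERY_BLOB): ("jquery", "3.6.0", "MIT"),
    sha1_hex(LODASH_BLOB): ("lodash", "4.17.21", "MIT"),
}

def signature_scan(root, kb=KNOWLEDGE_BASE):
    """Hash every regular file under root. Returns (matches, unmatched): matches
    maps relative path -> knowledge-base entry; unmatched has no known signature."""
    root = Path(root)
    matches, unmatched = {}, []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        hit = kb.get(sha1_hex(path.read_bytes()))
        if hit:
            matches[rel] = hit
        else:
            unmatched.append(rel)
    return matches, unmatched

def undeclared_components(declared, matches):
    """Signature hits the dependency graph does not declare at that version:
    vendored or copied-in open source the manifest never mentions."""
    return sorted({(n, v) for n, v, _ in matches.values() if declared.get(n) != v})

def _component(name, version, how):
    return {"type": "library", "name": name, "version": version,
            "purl": f"pkg:npm/{name}@{version}",  # assumed npm ecosystem
            "properties": [{"name": "detection", "value": how}]}

def build_sbom(declared, matches):
    """Merge both factors into a minimal CycloneDX-style document; detection
    provenance goes into 'properties', CycloneDX's slot for custom data."""
    comps = {(n, v): _component(n, v, "dependency") for n, v in declared.items()}
    for rel, (name, version, lic) in matches.items():
        comp = comps.setdefault((name, version), _component(name, version, "signature"))
        comp["licenses"] = [{"license": {"id": lic}}]
        comp["properties"].append({"name": "path", "value": rel})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": sorted(comps.values(), key=lambda c: c["name"])}

def run_demo():
    """Constructed project tree: vendor/jquery.min.js is copied in, never declared."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "app.js").write_bytes(b"console.log('first-party code');\n")
        (root / "vendor").mkdir()
        (root / "vendor" / "jquery.min.js").write_bytes(JQUERY_BLOB)
        (root / "node_modules" / "lodash").mkdir(parents=True)
        (root / "node_modules" / "lodash" / "lodash.js").write_bytes(LODASH_BLOB)
        declared = resolve_transitive("webapp")
        matches, unmatched = signature_scan(root)
    undeclared = undeclared_components(declared, matches)
    return declared, matches, unmatched, undeclared, build_sbom(declared, matches)

if __name__ == "__main__":
    _, _, unmatched, undeclared, sbom = run_demo()
    print("undeclared by signature:", undeclared, "| no KB match:", unmatched)
    print(len(sbom["components"]), "components in SBOM")
```

The point of the two factors together: the dependency walk alone would report five packages and miss jquery entirely, while the signature scan alone would report jquery and lodash but say nothing about express, body-parser, cookie or bytes, whose files sit in a package cache rather than in the scanned tree. Exact-hash matching also only catches byte-identical files; the modified and partial matches the page attributes to Codeprint and snippet analysis need fuzzier signatures than this toy uses.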