Faster, Smarter Vulnerability Alerts: AI in Black Duck Security Advisories

Mike McGuire

Jul 31, 2025 / 5 min read

In February 2024, the Linux kernel became a CVE Numbering Authority, and it immediately began overwhelming the National Vulnerability Database (NVD) with vulnerabilities (CVEs). This created a significant gap in the coverage offered by the NVD, and further lengthened the amount of time it takes the NVD to populate CVE details. In response, Black Duck began producing AI-assisted Black Duck Security Advisories (BDSAs) to fill in the gap left by the NVD. Since then, Black Duck has further expanded its use of AI and large language model (LLM) tooling to increase the scope of BDSAs.


From selective use to full integration

Starting in July 2025, Black Duck is expanding its use of AI to assist in BDSA creation and scale up vulnerability research and analysis. As part of this, Black Duck® SCA is retiring the “AI-Assisted” BDSA tag introduced in March 2024. This does not remove human review by the Vulnerability Analysis team; to the contrary, it enables the creation of more BDSAs and provides more coverage than would be possible without AI. To illustrate this, the graph below showcases the number of BDSAs produced over the last few years. Through the use of AI, Black Duck has been able to create accurate and timely BDSAs for more components than ever before.

[Graph: number of BDSAs produced per year over the last few years, referenced above]

Newly integrated AI processes

In the new BDSA process, the vulnerability analyst will group BDSAs into one of four categories. This new process will further help accelerate BDSA production, cover more open source components, and provide customers with time-sensitive vulnerability information. Black Duck will continue to prioritize more in-depth research for the most critical issues and widely used open source components.

  • Prioritized BDSAs: These are the primary focus for human-led vulnerability research efforts aided by human-operated internal AI tooling. These BDSAs are analyzed and authored by a vulnerability analyst and then reviewed by another vulnerability analyst. They are created for the top 3.5k components in the Black Duck KnowledgeBase™, which are used by 40% or more of our customer base.[1]
  • BDSAs: All BDSAs undergo research and full review by a vulnerability analyst to ensure they meet our high standards for BDSAs. This process leverages AI to automate the research and BDSA draft creation. BDSAs are created for the top 3.5k to 10k components in our KnowledgeBase, which are used by 5% to 40% of our customer base.
  • Automated BDSAs: These BDSAs are produced at a large scale through a fully automated process and typically come from well-established third-party sources. These include Linux Kernel vulnerabilities and malware package advisories. The process uses AI to extensively automate the BDSA creation, and these are not independently reviewed by our vulnerability analyst team.
  • BDSA alerts: BDSA alerts have not been researched independently by our vulnerability analyst team. AI is used to automate the research and BDSA creation, and only basic checks for quality and component version range mapping are performed by a vulnerability analyst. These alerts provide a vulnerability notification and extended visibility for customers, without the full review from the vulnerability analyst team. These are created for the top 10k to 20k components in our KnowledgeBase, which are used by 0.005% to 5% of our customer base.

[1] KB component ranking is calculated through anonymized customer scan statistics for components detected during scans performed by all our customers.

Recent BDSA insights

In the first quarter of 2025, the vulnerability analyst team created 3,800 BDSAs. At the time this blog is being written, 62% of those BDSAs do not have an associated analyzed NVD CVE. That means no common platform enumeration (CPE) information or vulnerable range insights exist for teams to assess their impact. Of these vulnerabilities:

  • 56% are “awaiting analysis” in the NVD
  • 41% are malware advisories, which the NVD does not cover
  • 2% have no CVE coverage
  • 1% are “undergoing analysis” in the NVD, without vulnerable software versions

In this same time frame, the NVD analyzed 1,289 CVEs impacting open source software, all of which have a corresponding BDSA. A full 97.6% of BDSAs made it into the KnowledgeBase faster than the NVD analyzed the CVEs. Throughout the same time frame, BDSAs were issued an average of 165 days faster than NVD-analyzed CVEs. For high and critical risk vulnerabilities, BDSAs were 203 days faster, on average.

If the NVD has not analyzed a CVE, it means that the NVD itself has not reviewed the vulnerability to add vulnerable CPE ranges. Therefore, these CVEs are missing the critical information that allows them to alert customers to the specific vulnerable software versions. In the NVD, this information is found under “Known Affected Software Configurations.” CVEs in “Received” and “Awaiting Analysis” statuses will not have been analyzed. In some cases, this is also the case for CVEs with an “Undergoing Analysis” status.
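The status breakdown above and the explanation of what “analyzed” means in the NVD can be turned into a practical triage check. The following is an added example, not Black Duck’s code or part of the BDSA process; it assumes the NVD CVE API 2.0 response shape (each `vulnerabilities[].cve` record carrying a `vulnStatus` field and a `configurations` list whose `cpeMatch` entries hold the CPE version ranges rendered as “Known Affected Software Configurations”). The sample records are constructed, not real NVD data, and the version comparison is a simplified numeric-tuple compare rather than a full CPE version-matching implementation.

```python
"""Triage NVD API 2.0 CVE records by analysis status and CPE range coverage.

Added example; assumes the NVD API 2.0 field names vulnStatus,
configurations[].nodes[].cpeMatch[] (criteria, vulnerable,
versionStartIncluding, versionEndIncluding, versionEndExcluding).
"""
from collections import Counter

# Statuses in which the NVD has not yet attached vulnerable CPE ranges.
NOT_ANALYZED = {"Received", "Awaiting Analysis"}


def cpe_ranges(cve: dict) -> list:
    """Flatten every vulnerable cpeMatch entry out of cve.configurations."""
    ranges = []
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    ranges.append({
                        "cpe": match["criteria"],
                        "start_incl": match.get("versionStartIncluding"),
                        "end_incl": match.get("versionEndIncluding"),
                        "end_excl": match.get("versionEndExcluding"),
                    })
    return ranges


def is_actionable(cve: dict) -> bool:
    """True only when the NVD has analyzed the CVE *and* published at least
    one vulnerable CPE range; 'Undergoing Analysis' records often have none."""
    return cve.get("vulnStatus") not in NOT_ANALYZED and bool(cpe_ranges(cve))


def _ver(v: str) -> tuple:
    # Simplified: dotted-numeric versions only (an assumption of this example).
    return tuple(int(p) for p in v.split("."))


def affects_version(cve: dict, version: str) -> bool:
    """Does any published vulnerable range of this CVE cover `version`?"""
    v = _ver(version)
    for r in cpe_ranges(cve):
        if r["start_incl"] and v < _ver(r["start_incl"]):
            continue
        if r["end_incl"] and v > _ver(r["end_incl"]):
            continue
        if r["end_excl"] and v >= _ver(r["end_excl"]):
            continue
        return True
    return False


def triage(response: dict) -> dict:
    """Split an API response into actionable vs. range-less CVEs and
    count how many records sit in each NVD status."""
    actionable, missing = [], []
    statuses = Counter()
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        statuses[cve.get("vulnStatus", "Unknown")] += 1
        (actionable if is_actionable(cve) else missing).append(cve["id"])
    return {"actionable": actionable, "missing_ranges": missing,
            "statuses": dict(statuses)}


# Constructed sample response (placeholder CVE ids, not real records).
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-1900-0001", "vulnStatus": "Awaiting Analysis",
                 "configurations": []}},
        {"cve": {"id": "CVE-1900-0002", "vulnStatus": "Undergoing Analysis",
                 "configurations": []}},
        {"cve": {"id": "CVE-1900-0003", "vulnStatus": "Analyzed",
                 "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                     "cpeMatch": [{
                         "vulnerable": True,
                         "criteria": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
                         "versionStartIncluding": "1.0.0",
                         "versionEndExcluding": "1.4.2"}]}]}]}},
    ]
}

if __name__ == "__main__":
    result = triage(SAMPLE_RESPONSE)
    print(result)
    analyzed = SAMPLE_RESPONSE["vulnerabilities"][2]["cve"]
    print("widget 1.3.0 affected:", affects_version(analyzed, "1.3.0"))
```

Running this against a real API response would let a team see at a glance which CVEs they can actually match against their inventory and which ones, like the 56% “awaiting analysis” share cited above, still lack the version ranges needed for impact assessment.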

Example BDSAs

Here are a few examples of BDSAs published in the first half of 2025.

Node.js vulnerability

  • BDSA-2025-0477: Published on January 23
  • CVE-2025-23085: Published on February 7 but still awaiting analysis as of June 25

Go vulnerability

  • BDSA-2025-0272: Published on January 17
  • CVE-2024-45341: Published on January 27 but still awaiting analysis as of June 25

Kerberos5 vulnerability

  • BDSA-2025-0719: Published on January 29
  • CVE-2025-24528: No CVE published as of June 25

Something to note about all three of the BDSAs listed above (and about most BDSAs issued in general) is that they were all published with full details before the NVD. They contain accurate affected version ranges, CVSS scores, remediation guidance and references, and detailed descriptions that anyone can understand, regardless of security background.

Your data privacy

We understand that trust is earned and protected. That’s why our expanded use of AI comes with strict safeguards. No customer data is ever shared with AI tooling for training purposes or BDSA evaluation. The BDSA AI tools never have any access to customer data; all AI prompts built into our processes are populated with public information only.

Human-led, AI-enhanced

AI is a powerful tool, but it’s just that: a tool. Black Duck leverages it to enhance processes and BDSA creation so that customers can have expanded, accurate, and fast vulnerability data. AI helps us deliver True Scale Application Security, but humans remain at the heart of everything we do.

This expansion marks a new chapter in how we work—one that’s more agile, more responsive, and more focused on delivering value to you. We’ll continue to explore new ways to use AI responsibly, always with transparency and trust at the core.

Learn more about our BDSA creation process, and why customers turn to Black Duck for earlier, actionable vulnerability insights.
