
Use and Compliance Data Policy

Version 2024.1

Black Duck Applications - Use and Compliance Data Policy

The Black Duck Applications report the Use and Compliance Data listed in the Data Collected section below through Automated Reporting.

Data Collected

  • Customer specific
    • Anonymized user GUID
    • Customer industry category (e.g. automotive, healthcare, etc.)
  • Developer environment
    • Machine configuration
      • including cpu, ram, os name/version, browser/platform/arch, preferred languages, screen resolution, GTK/glibc versions, etc.
    • VM configuration (e.g. docker, OS, etc.)
    • CI system used (e.g. Jenkins, Azure, etc.)
  • Black Duck product specific information for tools/servers used, including
    • Version/type
    • Performance metrics, including time to update products and page loading 
      • including runtime, velocity (time/LoC), average and peak memory usage
    • Settings/options used while running products
    • Number of Agents connected overall
    • Number of Agents still connected
    • Hardware usage (cpu, ram, etc.)
  • Black Duck product specific information for tools/servers used, including
    • Feature usage metrics
      • including feature enablement, actions taken, flows used in product, time spent in areas of product, Black Duck packages downloaded/used, etc.
    • Types of messages shown to users
      • including error/crash codes, notification codes, etc.
    • APIs used
      • including method, response status, timings, counts
  • Capture Metrics
    • Method of capture
    • Number of files captured
    • Parsing success rate
    • Types of files
    • Capture status, etc.
  • Anonymized project statistics
    • Programming languages analyzed
      • including language name, number of lines of code, language versions and dialects
    • Frameworks, third party libraries analyzed
    • Code structure, including
      • bytes/lines of code scanned
      • count of components in a BOM
      • number of levels in the directory tree
      • number of files/sub-projects/modules, etc.
    • SCM type
    • Package manager 
    • File extensions
    • Type of build file (build system/tool)
    • Target platforms
  • Account metrics
    • Number of Accounts used/scanned/created
      • Number of Streams used/scanned/created
      • Number of Scans created and number of File records created per Scan
      • Number of active/unique/concurrent/logged-in users/groups/roles
  • Analysis metrics regarding
    • Type of analysis
    • Performance/frequency metrics
    • Issue metrics
      • Issues found, fixed, auto-fixed and triaged
      • Time between first detection and fix
      • Location of fix (i.e. IDE vs CI/CD)
      • Number of fixes suggested
      • Number of fixes accepted
    • Results of analysis
      • Failing the pipeline rate (vs passing)
      • Pass/fail/error rates of individual tools/modes used
      • Number of files scanned
      • Types of issues found
      • Match confidence
      • False positive rates
      • Types and causes of recoverable failures
    • Black Duck or public domain Data
      • Most common vulnerabilities
      • Most common open source, package managers, languages, licenses, etc.

Note that the terms below have the following meanings with respect to the Black Duck Applications:

“Automatic Reporting” means the Black Duck Applications will automatically transmit encrypted data of the Use and Compliance Data as identified above to Black Duck.

“Use and Compliance Data” means limited information about the Customer’s use of the Licensed Product as identified in the Data Collected section above. Use and Compliance Data does not include (i) any software code owned or licensed by the Customer that the Licensed Product is being used on; or (ii) any personal information from Customers.

Black Duck collects Use and Compliance Data through the Black Duck Applications and uses collected data to provide Maintenance Services and to improve features of the Licensed Product most important to our Customers. Subject to Sections 3 (Confidentiality) and 8.1 (Promotion), as applicable or where such numbering scheme has been changed for Customer’s applicable license terms, the applicable Confidentiality and/or Promotion clause, of the End User Software License and Maintenance Agreement, Black Duck may also use the Use and Compliance Data on an anonymous, aggregated basis for Black Duck product marketing purposes.

Use and Compliance Data is collected by the Black Duck Applications without personally identifying Licensed Product users and without specifically identifying the names of any Code Base or Team (as applicable) comprising the data. Collected data may be stored or processed in the United States or any other country in which Black Duck or its affiliates or contractors maintain facilities.

Customers are permitted to stop the transmission of the Use and Compliance Data to Black Duck by blocking the transmission of data. Instructions on how to disable transmission are available within the respective product documentation.

Should Customer attempt to tamper with or modify the Black Duck Applications and / or the Licensed Product in any way (other than as permitted by the terms and conditions of the license to the Licensed Product), Black Duck shall not be responsible regarding the operation of the Black Duck Applications and / or the collection and transmission of Use and Compliance Data.