Black Duck® software composition analysis (SCA) helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers.
Combine multiple scan technologies to identify open source dependencies in any type of software, source code, or artifact.
Identify and resolve security, quality, and license issues associated with application dependencies before shipping software.
Align with industry and customer requirements regarding secure development standards and SBOM generation.
Determining an application's composition and dependencies is the first step in managing risk. Black Duck SCA offers multiple scan technologies to identify all open source dependencies in source code, files, artifacts, containers, and firmware.
Identifies direct and transitive dependencies declared by package managers.
Detects dependencies in post-build artifacts, like firmware and container images, without access to source code.
Identifies dependencies in source files and directories, even when they’re not declared by package managers.
Matches code snippets, such as those included by AI coding tools, back to their original open source projects.
Once dependencies are identified, Black Duck® Security Advisories enable teams to evaluate them for associated risk, and guides prioritization and remediation efforts.
Is it secure? Receive alerts for existing and newly discovered vulnerabilities, along with enhanced security data to evaluate exposure and plan remediation efforts.
Is it trustworthy? Perform a post-build analysis on artifacts to detect the presence of malware, such as known malicious packages or suspicious files and file structures, as well as digital signatures, security mitigations, and sensitive information.
Is it compliant? For every component identified, Black Duck SCA provides insights into license obligations and attribution requirements to reduce risk to intellectual property.
Is it high quality? Black Duck SCA provides metrics that teams use to evaluate the health, history, community support, and reputation of a project, so that they can be proactive in their risk mitigation process.
Black Duck policy management enables teams to define policies for open source use and automate enforcement across the software development life cycle (SDLC) within development, build, and SCM tools.
Identify, avoid, or automatically remediate components that are higher risk or violate policy, as you code.
Automate scans, alerting or halting builds based on policy violations using CI tools like Jenkins.
Inspect apps and containers before they are deployed and get automated security alerts after. Use binary repositories as private repositories of approved components.
Import Software Bills of Materials (SBOMs) into Black Duck to automatically map dependencies to known components, and create new components for custom or commercial dependencies.
Export SPDX and CycloneDX reports, with standard or custom fields, to provide application transparency and align with customer or industry requirements.
Integrate with SDLC tools to automate SBOM generation and continuously monitor SBOM dependencies for existing or newly discovered risk.
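The SBOM workflow above (import a CycloneDX document, map each entry to a known component, then monitor it for risk) is easy to see in code. The script below is an added example, not code from this page or from Black Duck: it reads a constructed CycloneDX 1.5 JSON SBOM, uses its "dependencies" graph to tell direct from transitive components and to keep the path that pulled each one in, and matches every component against a hypothetical advisory feed (affected range [introduced, fixed), as in OSV-style data) and a hypothetical denied-license policy. All package names, advisory IDs and policy values are made up for illustration.

```python
"""Read a CycloneDX 1.5 JSON SBOM, work out which components are direct or
transitive from its dependency graph, and match every component against an
advisory feed and a license policy. Added example; the SBOM, advisory IDs and
policy below are constructed for illustration, not real data."""
import json
from collections import deque

# Constructed SBOM: a root application with one direct dependency that pulls in
# a transitive one, plus a second direct dependency under a copyleft license.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "webapp", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/acme-web@4.0.1", "name": "acme-web", "version": "4.0.1",
         "purl": "pkg:npm/acme-web@4.0.1", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/acme-parser@1.2.3", "name": "acme-parser", "version": "1.2.3",
         "purl": "pkg:npm/acme-parser@1.2.3", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"bom-ref": "pkg:npm/acme-util@0.9.0", "name": "acme-util", "version": "0.9.0",
         "purl": "pkg:npm/acme-util@0.9.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/acme-web@4.0.1", "pkg:npm/acme-util@0.9.0"]},
        {"ref": "pkg:npm/acme-web@4.0.1", "dependsOn": ["pkg:npm/acme-parser@1.2.3"]},
        {"ref": "pkg:npm/acme-parser@1.2.3", "dependsOn": []},
        {"ref": "pkg:npm/acme-util@0.9.0", "dependsOn": []},
    ],
})

# Hypothetical advisory feed keyed by versionless purl; the affected range is
# [introduced, fixed). The advisory ID is made up for this example.
ADVISORIES = {
    "pkg:npm/acme-parser": [{"id": "EXAMPLE-2024-0001", "introduced": "1.0.0", "fixed": "1.2.4"}],
}
# Example policy: licenses the organisation does not allow in shipped code.
DENIED_LICENSES = {"AGPL-3.0-only"}


def _semver(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def in_affected_range(version: str, introduced: str, fixed: str) -> bool:
    return _semver(introduced) <= _semver(version) < _semver(fixed)


def dependency_paths(sbom: dict) -> dict:
    """Breadth-first walk from the root component over the 'dependencies'
    section; returns {bom-ref: shortest path from the root}."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in paths:
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def evaluate(sbom_text: str, advisories=ADVISORIES, denied=DENIED_LICENSES) -> list:
    """Return policy findings; each carries the path that explains why the
    component is present, which is what a developer needs to remediate it."""
    sbom = json.loads(sbom_text)
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp["purl"]
        base, _, version = purl.rpartition("@")
        path = paths.get(comp["bom-ref"])      # None: listed but not in the graph
        direct = path is not None and len(path) == 2
        for adv in advisories.get(base, []):
            if in_affected_range(version, adv["introduced"], adv["fixed"]):
                findings.append({"kind": "vulnerability", "id": adv["id"], "purl": purl,
                                 "direct": direct, "path": path, "fixed_in": adv["fixed"]})
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {}).get("id")
            if lic in denied:
                findings.append({"kind": "license", "id": lic, "purl": purl,
                                 "direct": direct, "path": path})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_SBOM):
        print(f["kind"], f["id"], f["purl"], "direct" if f["direct"] else "transitive",
              " -> ".join(f["path"] or ["(not in dependency graph)"]))
```

Two details matter in practice. The transitive finding is reported with the chain app -> acme-web -> acme-parser, because the fix is usually to bump the direct dependency rather than the vulnerable package itself. A component that appears in "components" but is unreachable in "dependencies" gets a path of None, which is worth surfacing on its own: an SBOM with an incomplete graph cannot be monitored reliably.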
Black Duck Polaris® Platform brings together the market-leading SAST and SCA engines that power Coverity® Static Analysis and Black Duck into an easy-to-use, cost-effective, and highly scalable SaaS solution, optimized for the needs of modern DevSecOps.
Enable developers and DevOps teams to address open source policy concerns without slowing innovation.
Starting at $525 per team member (20-150 team members)
Equip the entire enterprise with a software supply chain security and risk management solution. Obtain complete supply chain visibility, address risk, and establish trust with consumers.
Open source security is often overlooked due to the misconception that vulnerabilities in proprietary code and open source code can be detected and remediated in similar ways. The reality is that SAST and DAST look for weaknesses in the code you wrote and for vulnerable behavior in the running application; neither is designed to recognize that a third-party component is a known-vulnerable version. Enter SCA.
The key differentiator between SCA and other application security tools is what these tools analyze, and in what state. SCA analyzes third-party open source code for vulnerabilities, licenses, and operational factors, while SAST analyzes weaknesses in proprietary code, and DAST tests running applications for vulnerable behavior.
A comprehensive software security program contains both SAST and SCA. Organizations that adopt such an approach see improvements throughout the SDLC, including improved quality through early identification of issues, better visibility across proprietary and open source code, lower remediation costs by detecting and fixing vulnerabilities early in the development process, minimized risk of security breaches, and optimized security testing that is both effective and compatible with agile development.
Black Duck offers easy-to-use open source integrations for the most popular development tools and REST APIs, allowing you to build your own integrations for virtually any commercial or custom development environment. Black Duck offers a wide range of integrations across the SDLC, including IDEs, package managers, CI/CD, issue trackers, and production capabilities.
Most solutions rely solely on data from the National Vulnerability Database (NVD). This limitation presents a problem, as many vulnerabilities are never documented in the NVD, and others are not listed until weeks after they become public. Black Duck Security Advisories (BDSAs) go beyond the NVD, with enhanced data that is researched and analyzed by the Cybersecurity Research Center (CyRC) to ensure completeness and accuracy, providing early warning and complete insight.
Most solutions use package manager declarations to identify open source components. But scanning only for declared dependencies means you will miss some open source. And if you don’t know it’s there, you can’t ensure it’s secure and compliant.
Package manager scanning will overlook open source that developers don’t declare in package manifests, languages like C and C++, open source built into containers where no package manager is used, open source that has been modified, or partial snippets of code that still carry license obligations. By combining file system scanning and snippet scanning with build process monitoring, Black Duck provides visibility into open source components not tracked by a package manager, partial open source, and open source that was potentially modified or not declared, as well as component and version verification for dynamic and transitive dependencies.
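To make the gap concrete, here is an added example (not code from this page or from Black Duck) of the first two techniques named above, file system scanning and signature matching. It builds a small project in a temporary directory whose package.json declares one npm dependency while a vendored C library sits undeclared under third_party/, with one of its source files locally patched. A hypothetical signature database holds one known file hash and one known directory layout; the hash catches the unmodified header, the layout catches the whole library even though the patched file no longer matches, and the difference between what the manifest says and what the scan finds is the undeclared component. The component names, file contents and signatures are constructed for illustration; build process monitoring is not shown.

```python
"""Compare what a package manifest declares with what file-hash and
directory-layout signatures find on disk. Added example; the signature
database and project tree below are constructed for illustration and are
not Black Duck KnowledgeBase data."""
import hashlib
import json
import os
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


HEADER = b"/* acme-json v2.1.0 */\nint parse(void);\n"

# Hypothetical signature database: exact file hashes give a precise version,
# directory layouts still match when individual files have been modified.
KNOWN_FILES = {sha256(HEADER): ("acme-json", "2.1.0")}
KNOWN_LAYOUTS = {
    frozenset({"include/acme_json.h", "src/parse.c", "LICENSE"}): ("acme-json", "2.x"),
}


def write_project(root: str) -> None:
    """Construct a sample project: the manifest declares one npm dependency,
    but a vendored C library (with a locally patched source file) is undeclared."""
    files = {
        "package.json": json.dumps({"dependencies": {"acme-web": "^4.0.1"}}).encode(),
        "third_party/acme-json/include/acme_json.h": HEADER,
        "third_party/acme-json/src/parse.c": b"int parse(void) { return 1; } /* locally patched */\n",
        "third_party/acme-json/LICENSE": b"MIT\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def declared_dependencies(root: str) -> set:
    """What package manager scanning alone sees: names in the manifest."""
    with open(os.path.join(root, "package.json")) as fh:
        return set(json.load(fh).get("dependencies", {}))


def _layout(dirpath: str) -> frozenset:
    """Relative paths of every file below dirpath, as a layout fingerprint."""
    rels = []
    for d, _, fs in os.walk(dirpath):
        for f in fs:
            rels.append(os.path.relpath(os.path.join(d, f), dirpath).replace(os.sep, "/"))
    return frozenset(rels)


def scan_filesystem(root: str) -> dict:
    """Return {component: {"version", "evidence"}} from file-hash and layout signatures."""
    found = {}
    for dirpath, _, files in os.walk(root):
        hit = KNOWN_LAYOUTS.get(_layout(dirpath))
        if hit:
            comp, ver = hit
            found.setdefault(comp, {"version": ver, "evidence": set()})["evidence"].add("layout")
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                hit = KNOWN_FILES.get(sha256(fh.read()))
            if hit:
                comp, ver = hit
                entry = found.setdefault(comp, {"version": ver, "evidence": set()})
                entry["version"] = ver          # an exact hash beats a layout-derived version
                entry["evidence"].add("file-hash")
    return found


def audit(root: str) -> dict:
    declared = declared_dependencies(root)
    detected = scan_filesystem(root)
    return {
        "declared": declared,
        "detected": detected,
        "undeclared": {c: v for c, v in detected.items() if c not in declared},
    }


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        write_project(root)
        return audit(root)


if __name__ == "__main__":
    print(run_demo())
```

A manifest-only scanner reports exactly one dependency here and no license obligations for the vendored library; the file system scan reports acme-json with both kinds of evidence and the precise version from the unmodified header. The same approach is what lets a scanner work on C and C++ trees and on container layers where no package manager ever ran.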
The short answer is an extensive and powerful solution that provides end-to-end control of open source risks. A solution like Black Duck provides a comprehensive approach to open source management throughout the entire SDLC.
More specifically, the following capabilities should be considered when selecting an SCA solution:
Black Duck supports the most common package managers. Black Duck’s snippet scanning covers the top and most frequently used languages. The expert KnowledgeBase team is constantly monitoring for and adding new languages, ensuring that all common languages are supported.
Additionally, Black Duck’s proprietary signature scanning approach is language-agnostic. This scanning approach searches for signatures based on file and directory layouts along with other metadata that is independent of language.
Contact us for the most current list of supported languages and platforms.
Yes. Some solutions can scan binaries for package manager information or binaries pulled directly from a repository without any modification. Black Duck’s sophisticated binary scanning solution can crack binaries open to detect modified binaries and provide legacy language and broad artifact support.
Black Duck’s open source KnowledgeBase is the industry’s most comprehensive database of open source project, license, and security information, sourced and curated by the Cybersecurity Research Center (CyRC). The KnowledgeBase contains more than 2,750 unique open source licenses (GPL, LGPL, Apache, etc.), with full license text for the most popular open source licenses and dozens of encoded attributes and obligations for each license. Black Duck also includes deep copyright data and the ability to pull out embedded open source licenses for complete open source compliance.
Yes. Black Duck allows teams that package and deliver applications using Docker (and other) containers to confirm and attest that any open source in their containers meets use and security policies, is free of known vulnerabilities, and fulfills license obligations. Open source management includes ongoing monitoring for new vulnerabilities affecting existing applications and containers.