Product Overview: Black Duck by Synopsys
Introduction
Black Duck by Synopsys is a comprehensive software composition analysis (SCA) solution designed to help organizations manage and mitigate the security, license compliance, and code quality risks associated with using open source, third-party, and AI-generated code in their software applications. This tool is integral for development and security teams aiming to build secure, compliant, and high-quality software.
What Black Duck Does
Black Duck SCA automates the identification and analysis of the open source and third-party components within a codebase. It evaluates those components for known security vulnerabilities, license compliance issues, and operational (component health) risks. This matters in modern DevOps and DevSecOps environments, where most of the code in a typical application (over 75%) is open source or third-party dependencies rather than code the team wrote itself.
Key Features and Functionality
Comprehensive Scanning
Black Duck SCA combines several scan technologies to give a complete view of open source, third-party, and custom component dependencies in source code, containers, and binaries. It scans package manager metadata and manifest files (the declared dependency graph), source code, binary files, and container images. The point of combining them is coverage: a manifest-only scan sees just what the package manager declares, while source and binary scanning also surfaces vendored, copied, or compiled-in components that never appear in a manifest.
Vulnerability and License Management
The tool identifies known vulnerabilities, exposed secrets, and malicious code, and provides independently researched insights on component health. It streamlines component selection, issue prioritization, and remediation by matching each identified component and version against vulnerability data sources such as the National Vulnerability Database (NVD) together with vendor-curated research.
Automated SBOM Analysis
Black Duck Supply Chain Edition generates software bills of materials (SBOMs) for the software you build and analyzes SBOMs supplied by third parties, which lets teams track dependencies across the entire application lifecycle. This is essential for maintaining a comprehensive view of software risk inherited from every source, including open source components, commercial software, and AI-generated code.
Policy Enforcement and Customization
The tool ships with out-of-the-box policies and supports custom ones, so open source governance can be enforced inside development workflows and toolchains. Policies cover managing exceptions by project and component and quickly surfacing policy violations, for example a component with a critical vulnerability or a license the organization does not permit.
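To make the three preceding sections concrete (vulnerability matching, SBOM analysis, and policy enforcement), here is a small, added illustration of the core SCA pipeline in Python. It is example code written for this page, not Black Duck's own code or its API. It parses a constructed CycloneDX-style SBOM, matches each component's package URL (purl) and version against a constructed advisory list (the advisory identifiers and affected ranges are hypothetical, not real CVEs or NVD records), and evaluates hypothetical policy settings for severity and license. The purl-based matching, version-range check, and policy thresholds are assumptions chosen for illustration; a production tool uses far richer version semantics and data.

```python
"""Minimal SCA pipeline: SBOM parse -> vulnerability match -> policy evaluation.

Added illustration for this overview; not Black Duck code. All SBOM,
advisory, and policy data below is constructed for the example.
"""
import json
from dataclasses import dataclass
from typing import List, Tuple

# Constructed SBOM in CycloneDX JSON shape (real SBOMs carry many more fields).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-parser", "version": "2.4.1",
         "purl": "pkg:npm/example-parser@2.4.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "example-crypto", "version": "0.9.2",
         "purl": "pkg:pypi/example-crypto@0.9.2",
         "licenses": []},  # no declared license: a compliance gap in itself
    ],
})

# Constructed advisory feed keyed by purl without the version. Real SCA tools
# draw on NVD and vendor-curated data; these IDs and ranges are hypothetical.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "purl_base": "pkg:npm/example-parser",
     "affected_below": "2.5.0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-2024-0002", "purl_base": "pkg:pypi/example-crypto",
     "affected_below": "1.0.0", "severity": "MEDIUM"},
    {"id": "EXAMPLE-2023-0003", "purl_base": "pkg:npm/left-pad",
     "affected_below": "1.2.0", "severity": "LOW"},  # fixed version in use
]

# Hypothetical policy settings of the kind an organization would configure.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3) for ordered comparison.

    Pre-release suffixes such as '1.2.3-beta' are truncated; adequate for the
    constructed data, not a full semver implementation.
    """
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:npm/left-pad@1.3.0' into ('pkg:npm/left-pad', '1.3.0')."""
    base, _, version = purl.rpartition("@")
    return base, version


@dataclass
class Finding:
    component: str   # purl of the affected component
    kind: str        # "vulnerability" or "license"
    detail: str
    blocking: bool   # True if this finding alone fails the policy


def analyze_sbom(sbom_json: str, advisories,
                 blocking=BLOCKING_SEVERITIES,
                 denied=DENIED_LICENSES) -> List[Finding]:
    """Match every SBOM component against advisories and license policy."""
    findings: List[Finding] = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        base, version = split_purl(purl)
        ver = parse_version(version or comp.get("version", "0"))
        # Vulnerability match: same package, version below the fixed version.
        for adv in advisories:
            if adv["purl_base"] == base and ver < parse_version(adv["affected_below"]):
                findings.append(Finding(purl, "vulnerability",
                                        f"{adv['id']} ({adv['severity']})",
                                        adv["severity"] in blocking))
        # License policy: missing license is flagged; denied license blocks.
        licenses = [l.get("license", {}).get("id") for l in comp.get("licenses", [])]
        if not licenses:
            findings.append(Finding(purl, "license", "no license declared", False))
        for lic in licenses:
            if lic in denied:
                findings.append(Finding(purl, "license", f"denied license {lic}", True))
    return findings


def policy_passes(findings: List[Finding]) -> bool:
    """A build passes governance only if no finding is blocking."""
    return not any(f.blocking for f in findings)


if __name__ == "__main__":
    results = analyze_sbom(SBOM_JSON, ADVISORIES)
    for f in results:
        print(f"{'BLOCK' if f.blocking else 'warn '} {f.component}: {f.kind} - {f.detail}")
    print("policy passes:", policy_passes(results))
```

On the constructed data, left-pad produces no finding because the version in use is at or above the fixed version, example-parser yields two blocking findings (a CRITICAL advisory and a denied copyleft license), and example-crypto yields two non-blocking warnings (a MEDIUM advisory and no declared license), so the policy fails. Loosening the policy (empty blocking and denied sets) makes the same SBOM pass, which is the kind of per-project exception management the section above describes.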
Integration and Deployment Options
Black Duck SCA integrates into common development and DevOps workflows. Deployment options include cloud-based offerings (for example via AWS Marketplace), on-premises installation, and support for air-gapped environments. The Code Sight™ IDE plug-in lets developers find and fix open source security and compliance issues directly within their integrated development environment (IDE), before the code reaches a CI pipeline.
Ongoing Monitoring and Alerting
The tool provides ongoing monitoring and alerting for newly reported open source security vulnerabilities, so teams are notified promptly when a risk emerges in open source code they already use. This matters because many vulnerabilities are disclosed after a component has shipped; a scan that runs only at build time would never see them.
Unified Platform
Although the individual scan engines are distinct technologies, the Black Duck Polaris® Platform unifies SCA, SAST (Static Application Security Testing), and DAST (Dynamic Application Security Testing) in a single, scalable SaaS solution built for modern DevSecOps workflows.
In summary, Black Duck by Synopsys is a robust SCA solution that offers comprehensive visibility and control over open source and third-party dependencies, enabling organizations to manage software supply chain risks effectively, maintain security and compliance, and ensure high code quality throughout the application lifecycle.