Additional Info

Company: Synopsys
Website: http://www.synopsys.com
Company size (employees): 10,000 or more
Headquarters Region: North America
Type of solution: Software

Overview

Black Duck SCA helps teams manage the security, quality, and license compliance risks associated with open source software (OSS) and third-party code in applications and containers.

With Black Duck, teams can:
– Scan apps that you build and procure to identify OSS and third-party components, regardless of access to source code or build systems
– Analyze containers, binaries, firmware, executables, or other built software, across all software languages and ecosystems, to identify OSS components and sensitive information/secrets
– View the list of components identified, and export the resulting SBOM in SPDX and CycloneDX formats
– Access enhanced vulnerability information, including severity scoring, exploit details, remediation guidance, external references, and vulnerability tags to help prioritize fixing critical vulnerabilities fast
– Leverage guidance on license obligations, such as actions that are required or prohibited
– Use custom policy configuration to define OSS, license, and security policies up front, and automate enforcement across the SDLC by integrating into existing toolchains
– Assess OSS component suitability, including supply chain risk factors, known security vulnerabilities or potential malware
– Receive component upgrade guidance to fix security vulnerabilities

How we are different

1. Deep discovery of open source in applications and containers


Multi-factor open source discovery allows Black Duck to identify more open source components while minimizing false positives, helping organizations build a more accurate software bill of materials (SBOM). Black Duck’s multi-factor discovery methodology includes:
- File system hash signature scanning: the unique “fingerprints” of components
- Build process monitoring: examining package manager declarations (what developers say they’re using) and the dependencies resolved during a build
- Open source code snippets: smaller parts/lines of code from open source components that can still carry vulnerabilities or license requirements
- Binary analysis: Black Duck’s unique binary analysis capabilities enable organizations to identify open source components within compiled binaries, third-party libraries, executables, and commercial software.
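To make the multi-factor idea concrete, here is an added toy example (not Black Duck's code or method) that combines two of the factors above, file hash signature matching against a constructed knowledge base and declared dependencies from a constructed package manifest, records which evidence found each component, and emits a minimal CycloneDX-style SBOM. All file contents, hashes, component names and versions are constructed for the example.

```python
"""Added illustration of multi-factor open source discovery (not Black Duck code).
Factor 1: SHA-256 file-hash signatures matched against a constructed knowledge base.
Factor 2: dependencies declared in a constructed package manifest.
Each component is reported with the evidence that found it, so hash-only hits
can be reviewed while components confirmed by both factors are high confidence."""
import hashlib

# Constructed in-memory "scan target": path -> file bytes.
FILE_CONTENTS = {
    "vendor/jquery.min.js": b"/* jquery 3.5.1 */ window.jQuery = {};",
    "vendor/lodash.js": b"/* lodash 4.17.15 */",
    "src/app.js": b"console.log('app');",  # first-party code, no signature match
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed knowledge base: file hash -> (component name, version).
KNOWLEDGE_BASE = {
    sha256(FILE_CONTENTS["vendor/jquery.min.js"]): ("jquery", "3.5.1"),
    sha256(FILE_CONTENTS["vendor/lodash.js"]): ("lodash", "4.17.15"),
}

# Constructed manifest: what the developers say they are using.
MANIFEST = {"dependencies": {"jquery": "3.5.1", "express": "4.17.1"}}

def discover(files, kb, manifest):
    """Return {(name, version): set(evidence)} combining both discovery factors."""
    found = {}
    for data in files.values():
        hit = kb.get(sha256(data))
        if hit:
            found.setdefault(hit, set()).add("file-hash")
    for name, version in manifest.get("dependencies", {}).items():
        found.setdefault((name, version), set()).add("manifest")
    return found

def to_cyclonedx(found):
    """Build a minimal CycloneDX 1.5 JSON document; evidence kept as a property."""
    components = []
    for (name, version), evidence in sorted(found.items()):
        components.append({
            "type": "library", "name": name, "version": version,
            "purl": f"pkg:npm/{name}@{version}",  # assumes npm ecosystem
            "properties": [{"name": "evidence", "value": ",".join(sorted(evidence))}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}
```

A component found only by hash (lodash here) is an undeclared dependency worth review, while one found only in the manifest (express) was declared but not observed in the scanned files.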


2. Rapid, comprehensive identification of open source security and license risks


Synopsys SCA solutions draw on the Black Duck KnowledgeBase™, which is “the industry’s largest knowledge base of open source project, vulnerability, and license data.” The KnowledgeBase catalogs and tracks:
- More than 3 million open source components from more than 16,000 unique sources
- 121,000+ vulnerabilities (including vulnerabilities exclusive to Black Duck), affecting more than 361,000 component versions
- 2,600+ open source licenses


Black Duck is supported by the Synopsys Cybersecurity Research Center (CyRC), the industry’s largest dedicated open source research organization. CyRC publishes Black Duck Security Advisories (BDSAs) an average of 23 days before records appear in the NVD; BDSAs include enhanced vulnerability data exclusive to Black Duck, critical risk metrics, vulnerability-specific technical insight, exploit details, and impact analysis.


3. Integrates across the SDLC and enables DevSecOps


Black Duck SCA features robust integrations that fit into existing SDLC toolchains. Additionally, Black Duck is easily scalable and enables teams to perform scans at the speed of development.