Synopsys Software Integrity Group’s Black Duck Software Supply Chain Edition

Additional Info

Company: Synopsys Software Integrity Group
Website: https://www.synopsys.com/software
Company size (employees): 10,000 or more
Headquarters Region: North America
Type of solution: Software

Overview

Black Duck Supply Chain Edition offers a suite of capabilities that enable software producers to establish supply chain visibility, identify and mitigate risk, and establish trust with their consumers. Black Duck’s full suite of open source discovery techniques combines with third-party SBOM import to create a comprehensive view of open source, proprietary, and custom dependencies, which can be exported to standard or customized SBOM reports. Development and security teams can track these dependencies across the entire application lifecycle to identify and resolve security vulnerabilities, malicious packages, and license conflicts. Black Duck Supply Chain Edition is the only solution that delivers a full range of supply chain security capabilities to teams responsible for building secure, compliant applications.

Key Capabilities / Features

- Comprehensive open source discovery. Identify open source components using a combination of dependency, CodePrint, snippet, binary, and container analysis to surface all dependencies regardless of language or use of a package manager.

- Third-party SBOM import and analysis. Teams leveraging software from third-party providers can import supplied SBOMs into Black Duck and automatically catalog the open source, commercial, and custom components contained in them.

- Malware analysis. Perform post-build analyses to detect the presence of known and potential malware and malicious packages.

- Continuous risk identification and monitoring. Application dependencies in both generated and imported SBOMs are analyzed and continuously monitored for open source vulnerabilities, secrets, malware, and malicious packages.

- IP risk and license compliance management. Automatically identify open source licenses associated with dependencies, and receive guidance on any conflicts with how the application is licensed, deployed, and distributed.

- Support for industry SBOM standards. Export SBOMs containing all open source, custom, and commercial dependencies in SPDX or CycloneDX formats to align with customer, industry, or regulatory requirements. Leverage out-of-the-box templates to meet the level of sharing detail specified by the consumer.


How we are different

- Black Duck’s multiple open source detection technologies enable users to establish supply chain visibility that no other software composition analysis (SCA) tool can provide. Dependency, binary, snippet, and CodePrint analyses ensure that all open source is detected in source code, files, artifacts, and containers, regardless of language, framework, or package manager specification. This technology, combined with third-party SBOM import, enables users to compile a complete inventory of third-party dependencies (commercial, custom, and open source) and easily export SBOMs in multiple formats to comply with various customer and industry requirements.

- Black Duck Security Advisories (BDSAs), and the dedicated team of cybersecurity researchers that build them, give customers in-depth information on any vulnerability that impacts their SBOMs and applications. BDSAs, which are more complete, accurate, and timely than those offered by other feeds, give teams the information needed to prioritize and resolve vulnerabilities efficiently. In addition to security risk, Black Duck analyzes dependencies for, and alerts users to, license violations, malware, and component health concerns.

- Black Duck enables teams to build software supply chain security directly into their development workflows. The primary reason software development teams leverage third-party software, and thereby introduce supply chain risk, is to increase development velocity. If security tools introduce too much friction, that offsets the original benefit of using third-party and open-source software. Black Duck’s broad set of DevOps integrations and custom policy configuration allows teams to build scans and the resulting workflows into the application lifecycle. For example, teams can define which license types are allowed, and set vulnerability thresholds that, once met, break a build and prevent an application from shipping.
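The build-gating policy described in the last point (a license allow-list plus a vulnerability threshold that fails the build) can be illustrated over a CycloneDX-format SBOM, which is one of the export formats listed under the product's SBOM standards support. The following is an added example written for this page; it is not Black Duck's own code and does not reproduce its policy engine. The SBOM document, component names, license ids, vulnerability ids (`EXAMPLE-VULN-...`) and policy thresholds are all constructed for the example; only the CycloneDX 1.4 JSON field names (`components`, `licenses`, `vulnerabilities`, `ratings`, `affects`) are taken from the public specification.

```python
"""Policy gate over a CycloneDX-style SBOM (added example, not Black Duck's code)."""
import json
from dataclasses import dataclass

# Constructed sample SBOM in CycloneDX 1.4 JSON shape. Component names, versions,
# licenses and vulnerability ids are made up for this example.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "left-pad", "version": "1.3.0",
     "purl": "pkg:npm/left-pad@1.3.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "fastjsonlib", "version": "2.0.1",
     "purl": "pkg:maven/example/fastjsonlib@2.0.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "mystery-parser", "version": "0.9",
     "purl": "pkg:pypi/mystery-parser@0.9",
     "licenses": []}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-0001",
     "ratings": [{"score": 9.1, "severity": "critical", "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:maven/example/fastjsonlib@2.0.1"}]},
    {"id": "EXAMPLE-VULN-0002",
     "ratings": [{"score": 4.3, "severity": "medium", "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}]}
  ]
}
"""


@dataclass(frozen=True)
class Violation:
    rule: str        # "license", "unknown-license" or "vulnerability"
    component: str   # purl (or name) of the offending component
    detail: str


def component_licenses(component):
    """Flatten a CycloneDX component's license entries into a list of ids.
    CycloneDX allows {"license": {"id"|"name": ...}} or {"expression": ...}."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            ids.append(lic.get("id") or lic.get("name", "UNKNOWN"))
    return ids


def max_score(vuln):
    """Highest numeric score among a vulnerability's ratings (0.0 if none)."""
    return max((r.get("score", 0.0) for r in vuln.get("ratings", [])), default=0.0)


def evaluate_policy(sbom, allowed_licenses, max_cvss):
    """Return every policy violation found in the SBOM.

    A component violates policy if it declares no license (cannot be assessed),
    declares a license outside the allow-list, or is affected by a vulnerability
    whose best-available score meets or exceeds max_cvss."""
    violations = []
    for comp in sbom.get("components", []):
        ref = comp.get("purl") or comp.get("name")
        lics = component_licenses(comp)
        if not lics:
            violations.append(Violation("unknown-license", ref, "no license declared"))
        for lic in lics:
            if lic not in allowed_licenses:
                violations.append(Violation("license", ref, f"{lic} not in allow-list"))
    for vuln in sbom.get("vulnerabilities", []):
        score = max_score(vuln)
        if score >= max_cvss:
            for affected in vuln.get("affects", []):
                violations.append(Violation(
                    "vulnerability", affected["ref"],
                    f"{vuln['id']} score {score} >= threshold {max_cvss}"))
    return violations


def gate(sbom_json, allowed_licenses=frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"}),
         max_cvss=7.0):
    """Build-gate entry point: returns (exit_code, violations).
    Exit code 1 is what a CI step would use to break the build."""
    sbom = json.loads(sbom_json)
    violations = evaluate_policy(sbom, allowed_licenses, max_cvss)
    return (1 if violations else 0), violations


if __name__ == "__main__":
    code, found = gate(SAMPLE_SBOM_JSON)
    for v in found:
        print(f"[{v.rule}] {v.component}: {v.detail}")
    raise SystemExit(code)
```

Run as a CI step, the non-zero exit code is the "break the build" signal; the allow-list and threshold are the two policy knobs the text mentions. Treating a component with no declared license as a violation rather than silently passing it is a deliberate choice: an unassessable dependency is a compliance gap, not a pass.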