Synopsys, Inc. announced the availability of Black Duck Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains. Black Duck Supply Chain Edition combines multiple open source detection technologies, automated third-party software bill of materials (SBOM) analysis, and malware detection to provide a comprehensive view of software risks inherited from open source, third-party, and AI-generated code. Development and security teams can track their dependencies across the entire application lifecycle to identify and resolve security vulnerabilities, malicious packages, and license violations and conflicts.
Supply Chain Edition builds on the market-leading capabilities of Black Duck and delivers a full range of supply chain security capabilities to teams responsible for building secure, compliant applications.
"With the rise in software supply chain attacks targeting vulnerable or maliciously altered open source and third-party components, it's critical for organizations to understand and thoroughly scrutinize the composition of their software portfolios," said Jason Schmitt, general manager of the Synopsys Software Integrity Group. "This requires constant vigilance over the patchwork of software dependencies that get pulled in from a variety of sources, including open source components downloaded from public repositories, commercial software packages purchased from vendors, code generated from AI coding assistants, and the containers and IT infrastructure used to deploy applications. It also requires the ability to detect and generate actionable insights for a wide range of risk factors such as known vulnerabilities, exposed secrets, and malicious code. Black Duck Supply Chain Edition combines a suite of best-in-class capabilities to streamline these requirements and attest to the results in standardized or customized SBOM formats."
Key features of Black Duck Supply Chain Edition include:
- Multiple open source detection technologies. Accurately identify open source components across any programming language using the most comprehensive combination of software analysis technologies, including package dependency, CodePrint, snippet, binary, and container analysis.
- Third-party SBOM import and analysis. Import SBOMs from third-party software suppliers and automatically catalogue the open source, commercial, and custom components contained in them.
- Malware detection (leveraging technology from ReversingLabs). Perform post-build analyses to detect the presence of malware, such as suspicious files, potentially unwanted applications, protestware, and suspicious file structures.
- Risk identification and mitigation. Continuously monitor for open source vulnerabilities, exposed secrets, malware, and malicious packages in both the SBOMs you generate and those you import.
- IP risk and license compliance management. Automatically identify the software licenses associated with your dependencies and receive guidance on obligations or conflicts with how the application is licensed, deployed, and distributed. Analyze AI-generated code to identify hidden open source snippets that may be subject to copyright or license obligations.
- Industry-standard SBOMs. Export SBOMs containing all open source, custom, and commercial dependencies, in SPDX or CycloneDX formats, to align with customer, industry, or regulatory requirements. Use out-of-the-box templates to meet the level of sharing detail specified by your downstream customers.
Black Duck Supply Chain Edition will be generally available on April 25.