Synopsys Announces Black Duck Supply Chain Edition
April 09, 2024

Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.

Black Duck Supply Chain Edition combines multiple open source detection technologies, automated third-party software bill of materials (SBOM) analysis, and malware detection to provide a comprehensive view of software risks inherited from open source, third-party, and AI-generated code. Development and security teams can track their dependencies across the entire application lifecycle to identify and resolve security vulnerabilities, malicious packages, and license violations and conflicts.

Supply Chain Edition builds on the capabilities of Black Duck and delivers a full range of supply chain security capabilities to teams responsible for building secure, compliant applications.

"With the rise in software supply chain attacks targeting vulnerable or maliciously altered open source and third-party components, it's critical for organizations to understand and thoroughly scrutinize the composition of their software portfolios," said Jason Schmitt, general manager of the Synopsys Software Integrity Group. "This requires constant vigilance over the patchwork of software dependencies that get pulled in from a variety of sources, including open source components downloaded from public repositories, commercial software packages purchased from vendors, code generated from AI coding assistants, and the containers and IT infrastructure used to deploy applications. It also requires the ability to detect and generate actionable insights for a wide range of risk factors such as known vulnerabilities, exposed secrets, and malicious code. Black Duck Supply Chain Edition combines a suite of best-in-class capabilities to streamline these requirements and attest to the results in standardized or customized SBOM formats."

Key features of Black Duck Supply Chain include:

- Multiple open source detection technologies. Accurately identify open source components across any programming language using the most comprehensive combination of software analysis technologies, including package dependency, CodePrint™, snippet, binary, and container analysis.

- Third-party SBOM import and analysis. Import SBOMs from third-party software suppliers and automatically catalogue the open source, commercial, and custom components contained in them.

- Malware detection (leveraging technology from ReversingLabs). Perform post-build analyses to detect the presence of malware, such as suspicious files, potentially unwanted applications, protest-ware, and suspicious file structures.

- Risk identification and mitigation. Continuously monitor for open source vulnerabilities, exposed secrets, malware, and malicious packages in both the SBOMs you generate as well as those you import.

- IP risk and license compliance management. Automatically identify software licenses associated with your dependencies and receive guidance on obligations or conflicts with how the application is licensed, deployed, and distributed. Analyze AI-generated code to identify hidden open source snippets that may be subject to copyright or license obligations.

- Industry standard SBOMs. Export SBOMs containing all open source, custom, and commercial dependencies, in SPDX or CycloneDX formats, to align with customer, industry, or regulatory requirements. Leverage out of the box templates to meet the appropriate level of sharing detail specified by your downstream customers.

Black Duck Supply Chain Edition will be generally available on April 25

Share this

Industry News

May 16, 2024

Pegasystems announced the general availability of Pega Infinity ’24.1™.

May 16, 2024

Mend.io and Sysdig unveiled a joint solution to help developers, DevOps, and security teams accelerate secure software delivery from development to deployment.

May 16, 2024

GitLab announced new innovations in GitLab 17 to streamline how organizations build, test, secure, and deploy software.

May 16, 2024

Kobiton announced the beta release of mobile test management, a new feature within its test automation platform.

May 15, 2024

Gearset announced its new CI/CD solution, Long Term Projects in Pipelines.

May 15, 2024

Rafay Systems has extended the capabilities of its enterprise PaaS for modern infrastructure to support graphics processing unit- (GPU-) based workloads.

May 15, 2024

NodeScript, a free, low-code developer environment for workflow automation and API integration, is released by UBIO.

May 14, 2024

IBM announced IBM Test Accelerator for Z, a solution designed to revolutionize testing on IBM Z, a tool that expedites the shift-left approach, fostering smooth collaboration between z/OS developers and testers.

May 14, 2024

StreamNative launched Ursa, a Kafka-compatible data streaming engine built on top of lakehouse storage.

May 14, 2024

GitKraken acquired code health innovator, CodeSee.

May 13, 2024

ServiceNow introduced a new no‑code development studio and new automation capabilities to accelerate and scale digital transformation across the enterprise.

May 13, 2024

Security Innovation has added new skills assessments to its Base Camp training platform for software security training.

May 13, 2024

CAST introduced CAST Highlight Extensions Marketplace — an integrated marketplace for the software intelligence product where users can effortlessly browse and download a diverse range of extensions and plugins.

May 09, 2024

Red Hat and Elastic announced an expanded collaboration to deliver next-generation search experiences supporting retrieval augmented generation (RAG) patterns using Elasticsearch as a preferred vector database solution integrated on Red Hat OpenShift AI.

May 09, 2024

Traceable AI announced an Early Access Program for its new Generative AI API Security capabilities.