Black Duck® software composition analysis (SCA) helps teams manage the security, quality, and license compliance risks that come from using open source and third-party code in applications. Manage software supply chain risks and make software bills of materials (SBOMs) part of the entire app lifecycle. Import SBOMs, automatically map dependencies, and document new components from custom or commercial dependencies. Export SPDX reports with standard or custom fields, automate SBOM generation, and monitor SBOM dependencies for emergent risks.
SBOM tool category
[X] Produce(Build)
[X] Produce(Analyze)
[X] Produce(Edit)
[ ] Consume(View)
[X] Consume(Diff)
[X] Consume(Import)
[X] Transform(Translate)
[X] Transform(Merge)
[ ] Transform(Tool Support)
SPDX Versions supported
[ ] 2.0
[ ] 2.1
[X] 2.2
[X] 2.3
[ ] 3.0
SPDX verification
Black Duck uses the SPDX Java library (https://github.com/spdx/Spdx-Java-Library) to generate SPDX-compliant SBOMs, and uses the same library to validate that SBOMs imported into Black Duck conform to the SPDX specification. If an imported SBOM fails verification, logs are available that reference the specific lines that caused the failure.
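The import-side verification described above rejects a document that does not meet the SPDX specification and points at the offending lines. As an added example (not Black Duck's code and not the Spdx-Java-Library), the following Python script applies a few of the SPDX 2.x document-level rules to a tag-value SBOM and reports each failure by line number, so a document can be checked before it is handed to an importer. The two SBOM texts are constructed for the example; restricting SPDXVersion to 2.2 and 2.3 mirrors the versions listed on this page and is an assumption about the importer, not a rule of the specification.

```python
"""Pre-import sanity check for an SPDX 2.x tag-value SBOM (added example,
not Black Duck or Spdx-Java-Library code)."""
import re

# Document-level tags the spec requires in every SPDX 2.x document.
REQUIRED_TAGS = ("SPDXVersion", "DataLicense", "SPDXID", "DocumentName",
                 "DocumentNamespace", "Creator", "Created")
# Assumption for this example: the importer accepts 2.2 and 2.3 only (the
# versions listed on this page); the spec itself also defines 2.0 and 2.1.
VERSION_RE = re.compile(r"^SPDX-2\.[23]$")
SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def parse_tag_value(text):
    """Return (line_no, tag, value) triples; tag is None for a malformed line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        entries.append((line_no, tag.strip() if sep else None,
                        value.strip() if sep else line))
    return entries


def verify(text):
    """Return a list of problem strings; an empty list means the checks passed."""
    problems = []
    by_tag = {}
    for line_no, tag, value in parse_tag_value(text):
        if tag is None:
            problems.append(f"line {line_no}: expected 'Tag: value', got {value!r}")
        else:
            by_tag.setdefault(tag, []).append((line_no, value))

    for tag in REQUIRED_TAGS:
        if tag not in by_tag:
            problems.append(f"document: missing required tag {tag}")
    for line_no, value in by_tag.get("SPDXVersion", []):
        if not VERSION_RE.match(value):
            problems.append(f"line {line_no}: unsupported SPDXVersion {value!r}")
    for line_no, value in by_tag.get("DataLicense", []):
        if value != "CC0-1.0":
            problems.append(f"line {line_no}: DataLicense must be CC0-1.0, got {value!r}")
    for line_no, value in by_tag.get("Created", []):
        if not CREATED_RE.match(value):
            problems.append(f"line {line_no}: Created must be UTC like "
                            f"2024-01-31T12:00:00Z, got {value!r}")

    # Every SPDXID (document, packages, files) must be well formed and unique.
    ids = {}
    for line_no, value in by_tag.get("SPDXID", []):
        if not SPDXID_RE.match(value):
            problems.append(f"line {line_no}: malformed SPDXID {value!r}")
        elif value in ids:
            problems.append(f"line {line_no}: duplicate SPDXID {value!r} "
                            f"(first seen on line {ids[value]})")
        else:
            ids[value] = line_no

    # Relationships must read 'A TYPE B', and local SPDXRef-* ends must exist.
    for line_no, value in by_tag.get("Relationship", []):
        parts = value.split()
        if len(parts) != 3:
            problems.append(f"line {line_no}: Relationship must be 'A TYPE B', got {value!r}")
            continue
        for ref in (parts[0], parts[2]):
            if ref.startswith("SPDXRef-") and ref not in ids:
                problems.append(f"line {line_no}: Relationship references unknown {ref}")
    return problems


# Constructed sample documents for the example (not real SBOMs).
GOOD_SBOM = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app
DocumentNamespace: https://example.invalid/spdx/example-app-1.0
Creator: Tool: example-generator-1.0
Created: 2024-01-31T12:00:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-example-app
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example-app
"""

BAD_SBOM = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app
DocumentNamespace: https://example.invalid/spdx/example-app-1.0
Creator: Tool: example-generator-1.0
Created: 2024-01-31 12:00:00

PackageName: example-app
SPDXID: SPDXRef-DOCUMENT
this line has no tag
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-missing
"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SBOM), ("bad", BAD_SBOM)):
        problems = verify(doc)
        status = "OK" if not problems else f"{len(problems)} problem(s)"
        print(f"{name}: {status}")
        for problem in problems:
            print("  " + problem)
```

Run as a script it reports the constructed bad document's five problems (wrong version, malformed Created, duplicate SPDXID, a line with no tag, and a relationship to an SPDXID that is never defined), each with its line number. It is deliberately a pre-flight filter, not a replacement for the full library validation the importer performs.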
Tool or Product name
Black Duck SCA
Open Source or Proprietary
proprietary
Company or Organization name
Synopsys
Organization or Company Logo Usage
Public Contact Email or URL
info@synopsys.com
Product or tool website
https://www.synopsys.com/software-integrity/software-composition-analysis-tools.html
How to procure
Visit https://www.synopsys.com/software-integrity/software-composition-analysis-tools/black-duck-sca.html for more information. To schedule a demo or ask questions, contact sales at https://www.synopsys.com/software-integrity/contact-sales.html
Installation instructions
Black Duck SCA can be run on-premises or as a hosted solution. Complete installation and usage documentation is available in the Black Duck SCA documentation: https://sig-product-docs.synopsys.com/bundle/bd-hub/page/Welcome.html
Link to quick start guide
https://sig-product-docs.synopsys.com/bundle/bd-hub/page/Welcome.html