Secrets in Black Duck SCA
Secrets, tokens and credentials available to non-administrator users in Black Duck SCA.
version v7.2.
For up-to-date documentation, see the
latest version.
6 minute read
Black Duck is the Software Factory’s most complete Software Composition Analysis (SCA ) solution. It combines four detection techniques to build a complete dependency inventory — including dependencies that other tools miss, such as copy-pasted open source code and components embedded in compiled binaries.
This process helps in identifying known security vulnerabilities (CVEs/BDSAs), license compliance violations, operational risks, and generating a comprehensive Bill of Materials (BOM) for your applications.
This page describes the tool independently of any platform-specific details. For the service URL and other platform-specific configuration, please refer to your platform’s dedicated page .
The table below maps each analysis approach to its Black Duck method:
| Approach | Supported | Method | Where | SBOM type |
|---|---|---|---|---|
| Manifest / lockfile | ✅ | Dependency analysis | IDE / CLI / CI | Source |
| Snippet matching | ✅ | Snippet detection | CLI / CI | Source |
| Container OS packages | ✅ | Container scanning | CLI / CI | Analysed |
| Binary analysis | ✅ | Binary analysis | CLI / CI | Analysed |
All scanning methods are invoked through Synopsys Detect . Each targets a different type of open source usage:
pom.xml, package.json,
requirements.txt, etc.) to identify declared direct and transitive dependencies.Unlike manifest-only scanning, snippet detection and binary analysis uncover components in C/C++ projects, shaded JARs, and copy-pasted code that would otherwise go undetected.
| Capability | Support | Policy Management |
|---|---|---|
| Vuln. detection | ✅ Black Duck KnowledgeBase & BDSAs | ✅ Custom policies/block build |
| Obsolescence | ✅ Component age, maintenance, version | ✅ Policy enforcement |
| License compliance | ✅ 2,750+ licenses & obligations tracking | ✅ Custom license policies |
Black Duck checks components against the Black Duck KnowledgeBase , which tracks over 8.7 million open source components and 130,000+ known vulnerabilities.
In addition to the NVD, Black Duck publishes its own Black Duck Security Advisories (BDSAs). BDSAs include detailed exploitation information and remediation guidance, often published weeks ahead of NVD — sometimes within hours of a vulnerability’s initial discovery.
Black Duck tracks operational risk metrics per component: version age, time since last release, and maintenance status. Address these to avoid accumulating third-party Technical Debt and enable policies that flag components severely behind the latest release.
The Black Duck KnowledgeBase covers over 2,750 unique open source licenses, including full license text and detailed obligation information. It generates Notices reports to help fulfill attribution and disclosure requirements.
Some strict copyleft licenses (e.g., GPL variants) impose obligations that may affect the proprietary distribution of your application. Review license obligations carefully.
The main steps for Black Duck analysis within your pipeline:
--detect.detector.search.exclusion) to exclude
test directories or internal proprietary libraries.| Stage | Support | Notes |
|---|---|---|
| IDE / local | ✅ | Code Sight plugin (VS Code, IntelliJ, Eclipse, etc.) |
| CI pipeline | ✅ | Synopsys Detect CLI or NextGen CI/CD Black Duck step |
| Artifact registry | ❌ | — |
| Continuous monitoring | ✅ | BD server re-evaluates stored BOMs on new CVEs publication |
When a new vulnerability is published, the Black Duck server automatically re-evaluates the stored BOMs for all monitored projects and triggers relevant policies without requiring a new scan. Alerts can be routed via email, Jira, or MS Teams, keeping you informed of new risks.
Black Duck enforces governance through custom policies. Rules can be based on:
When a rule fires, actions include blocking the build, creating a Jira ticket, or notifying teams.
Adopt policies progressively to avoid disrupting development abruptly:
All results are accessible from the Black Duck UI (project version dashboard). To facilitate audits, Black Duck provides several distinct reports generated via UI or API.
| Report | Content |
|---|---|
| Vulnerabilities | CVEs/BDSAs with CVSS scores, severity, and remediation guidance |
| Policy Violations | Build-blocking and non-blocking violations with component details |
| License Compliance | All detected licenses per component, including embedded licenses |
| Operational Risk | Component age, maintenance status, and version lag |
SBOMs (SPDX or CycloneDX ) and Notices Files can also be generated automatically during a CI pipeline scan or exported from the UI for supply chain transparency.
Similar to other tools, Projects and Versions are typically created automatically during their first pipeline scan. However, naming conventions are crucial:
GBU_BL_ProjectName).main, v1.2.0).We offer support for tool integration and pipeline issues, but not on vulnerability remediation or legal license interpretations; contact your security or legal partners for assistance.
Secrets, tokens and credentials available to non-administrator users in Black Duck SCA.