Black Duck SCA
Black Duck SCA empowers organizations to automatically identify, assess, and govern open-source and third-party components, whether in source code, containers, binaries, or firmware. It's designed to enhance visibility and compliance across the entire SDLC.
Complete Detection Technologies
Dependency analysis detects package manager–declared dependencies.
Binary analysis uncovers components embedded in compiled artifacts or containers, even without source code.
Codeprint and snippet analysis identify undeclared libraries or code fragments (e.g. from AI coding tools).
Risk Insight and Assessment
Leverages the Cybersecurity Research Center’s KnowledgeBase and Black Duck Security Advisories (BDSAs) to identify vulnerabilities beyond those listed in NVD, with detailed severity, exploitability, and remediation data.
Includes license and copyright analysis, license obligation tracking, Notice file generation, and full license text support. Evaluates component health and quality (e.g. maintenance status, community maturity), enabling proactive risk mitigation.
Policy Management and Automation
Define and enforce open source governance policies (e.g. block risky components, enforce license constraints) across IDE, SCM, CI/CD, and build pipelines.
Violations can trigger alerts, merge or build blocks, or automated remediation workflows. Integrates bi-directionally with issue trackers like Jira or Azure DevOps.
SBOM Generation and Supply Chain Visibility
Automatically generate Software Bill of Materials (SBOMs) in SPDX or CycloneDX formats.
Import and correlate supplier-provided SBOMs to map the entire dependency graph, including custom or commercial components. Continuously monitor SBOM-derived components for emerging risk.
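As an added illustration, not Black Duck's own code, of what correlating an SBOM with advisory data involves: the Python below parses a constructed CycloneDX 1.5 SBOM, builds the dependency graph, and flags components whose version is below the first fixed version in a constructed advisory feed (placeholder ids, simplified "below first fix" matching), reporting the dependency path through which each affected component is reached.

```python
import json
# Constructed CycloneDX 1.5 JSON SBOM for a hypothetical app (not a product export): the direct
# dependency examplehttp pulls in exampleparser transitively. bom-ref doubles as the purl here.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "pkg:pypi/demoapp@1.0.0", "name": "demoapp", "version": "1.0.0"}},
 "components": [
  {"bom-ref": "pkg:pypi/examplehttp@2.1.0", "name": "examplehttp", "version": "2.1.0"},
  {"bom-ref": "pkg:pypi/exampleparser@1.3.0", "name": "exampleparser", "version": "1.3.0"},
  {"bom-ref": "pkg:pypi/exampleyaml@4.0.0", "name": "exampleyaml", "version": "4.0.0"}
 ],
 "dependencies": [
  {"ref": "pkg:pypi/demoapp@1.0.0", "dependsOn": ["pkg:pypi/examplehttp@2.1.0", "pkg:pypi/exampleyaml@4.0.0"]},
  {"ref": "pkg:pypi/examplehttp@2.1.0", "dependsOn": ["pkg:pypi/exampleparser@1.3.0"]}
 ]
}"""

# Constructed advisory feed with placeholder ids: name -> [(first fixed version, advisory id)].
# A real feed (BDSA, NVD) carries proper affected-version ranges; "below first fix" is a simplification.
ADVISORIES = {
    "exampleparser": [("1.3.2", "ADV-PLACEHOLDER-001")],
    "exampleyaml": [("3.9.0", "ADV-PLACEHOLDER-002")],  # 4.0.0 is past the fix, so no finding
}
def parse_version(v):
    return tuple(int(p) for p in v.split("."))  # numeric dotted versions only; real semver needs a library

def find_paths(root, edges):
    """Map each bom-ref to the first root-to-component path found (iterative DFS)."""
    paths, stack = {}, [(root, [root])]
    while stack:
        ref, path = stack.pop()
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = path + [child]
                stack.append((child, paths[child]))
    return paths

def assess(sbom_json, advisories):
    """Return sorted (advisory id, bom-ref, dependency path) for components below their fixed version."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    paths = find_paths(root, edges)
    findings = []
    for c in bom["components"]:
        ref = c["bom-ref"]
        for fixed, adv in advisories.get(c["name"], []):
            if parse_version(c["version"]) < parse_version(fixed):
                findings.append((adv, ref, " -> ".join(paths.get(ref, [ref]))))
    return sorted(findings)
```

Re-running `assess` whenever the advisory feed changes is the "continuous monitoring" step; the path field is what tells a developer which direct dependency to bump.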