Synopsys Black Duck Connector Guide

How to set up and use the Synopsys Black Duck connector in RiskSense.

Synopsys Black Duck Connector Overview

The RiskSense platform provides an API-based connector that integrates with Synopsys Black Duck. The connector lets customers bring their open-source software (OSS) findings into RiskSense, giving them visibility of the overall risk arising from vulnerabilities in their open-source libraries and a simpler, more efficient way to manage those vulnerabilities. RiskSense users can also configure the connector to pull scan data from Black Duck on a periodic basis.

Data from Black Duck is ingested as Applications and Application Findings in RiskSense. Refer to the data mapping section below for details.

Black Duck Overview

Black Duck is a complete open-source management solution that discovers all open-source code in your code base. It maps components to known vulnerabilities and identifies license and component-quality risks. Black Duck is used to set and enforce open-source policies and to integrate open-source management into DevOps environments.

Black Duck helps security and development teams identify and mitigate open-source-related risks across application portfolios. Black Duck:

  • Scans and identifies open-source software throughout your code base.
  • Maps vulnerabilities to your open-source software.
  • Triages vulnerability results and tracks remediation.
  • Monitors for newly disclosed vulnerabilities in your open-source code.
  • Finds and fixes open-source vulnerabilities in applications and containers.

Black Duck Connector Configuration

Black Duck Setup

  • Requires a subscription to Black Duck.
  • Upload projects into Black Duck using Synopsys Detect or the Black Duck CLI. The RiskSense connector pulls this data and categorizes it into applications and their corresponding findings.

RiskSense Connector Setup

When logged into the platform, navigate to the Automation > Integrations page.

Black Duck Guide - Integrations Page

Using the search bar in the upper-right corner of the Integrations page, type Black Duck to find the connector.

Black Duck Guide - Searching for Black Duck

Click Configuration in the Black Duck connector card.

Black Duck Guide - Black Duck Tile Configuration Button

Complete the following required fields:

  • Name: Connector name.
  • URL: Black Duck instance URL.
  • User Name and Password: Black Duck user credentials.
  • Network: Network name in RiskSense. Ingested applications and findings will be associated with this network.
  • SSL: Black Duck SSL certificate.

Black Duck Guide - Black Duck Connector Setup

Once the fields have been filled out, click Test Credentials to ensure the connector can connect to the Black Duck instance.

Additional connector configurations, such as Schedule and Connector-Specific Options, can also be set up here. If required, you can enable Auto URBA (Update Remediation by Assessment) as well. Once connector configuration is complete, click the Save button.

Black Duck Guide - Connector Specific Options

When the connector is set up, a new entry for it appears at the top of the Integrations page. The connector runs once the initial setup is complete. Check the connector’s status by clicking the History button.

Black Duck Guide - History Button Location

Black Duck Guide - Connector History

In the Upload Center (navigate to the Settings (gear icon) > Upload page), files pulled from Black Duck are parsed, aggregated, and filtered for display on the Applications and Application Findings pages.

Black Duck Guide - Connector File Pulls

Data Visualization in RiskSense

The data from a Black Duck scan file is ingested into RiskSense as Applications and Application Findings. The Scanner Name associated with these scans is BLACKDUCK. Scanner Name can be used as a filter on both the Applications and Application Findings pages.

Applications

Asset data extracted from Black Duck scan files is shown on the Applications page. Project and version details are also extracted from the scan file.

Black Duck Guide - Applications Page

In the Application Detail pane under the Sources section, the scanner is listed as BLACKDUCK.

Black Duck Guide - Applications Detail Pane

The Scanner Type filter allows you to filter for OSS, SAST (static application security testing), and DAST (dynamic application security testing).

Black Duck Guide - Scanner Type Filter

Application Findings

All findings from the Black Duck scan file are shown on the Application Findings page.

Black Duck Guide - Application Findings Page

The Finding Type column is available on the Application Findings page. This column provides additional information about each finding, such as OSS, DAST, or SAST.

New filters are also available. These filters allow users to search and aggregate their data:

  • Risk Type: This filter segregates findings by the type of risk, such as security, operational, or license.
  • Finding Type: This filter segregates findings by the type of finding, such as OSS, DAST, or SAST.

License Risk and Operational Risk are system-generated connector tags, which are also filterable. This makes it easy to fetch findings based on the nature of the risk.

Black Duck Guide - Operational and License Risk Tag Filter

License Name is also available for all findings, and an OSS Details icon is shown in the detail pane.

Black Duck Guide - Application Findings Detail Pane

The License Name field is also filterable. Users can filter all findings, whether security, license, or operational, by license name.

New icons are available in the Application Findings Detail pane.

  • License Risk: This icon is displayed only for license risk findings and remains hidden for all other finding types. New columns that contain license-risk-related information are available. The License Risk finding tag makes these findings easy to filter.

Black Duck Guide - License Risk Finding Tag

  • Operational Risk: This icon is displayed only for operational risk findings and remains hidden for all other finding types. New columns that contain operational-risk-related information are available. The Operational Risk finding tag makes these findings easy to filter.

Black Duck Guide - Operational Risk Finding Tag

The Output section of an Application Finding contains the following fields:

  • Credit: Vulnerability contributor details.
  • Zero Day: Boolean value that gives information about a finding’s zero-day attribute.
  • Origin IDs: Source package details.
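The following added example (not part of this guide, and not RiskSense or Black Duck code) models the data described in the Application Findings section: each finding carries the BLACKDUCK scanner name, an OSS finding type, a risk type of security, license, or operational, a License Name, and the Credit, Zero Day, and Origin IDs output fields, with the License Risk and Operational Risk connector tags derived from the risk type. The input records and their key names are constructed for the example and do not follow the real Black Duck API schema; the filter function mirrors the Scanner Name, Finding Type, Risk Type, License Name, and tag filters the page describes.

```python
from dataclasses import dataclass, field
from typing import Optional

SCANNER_NAME = "BLACKDUCK"      # Scanner Name RiskSense assigns to Black Duck data
FINDING_TYPE_OSS = "OSS"        # Black Duck findings are open-source (OSS) findings
RISK_TYPES = ("security", "license", "operational")
# Connector tags generated for the non-security risk types
RISK_TAGS = {"license": "License Risk", "operational": "Operational Risk"}


@dataclass(frozen=True)
class Application:
    project: str
    version: str


@dataclass
class ApplicationFinding:
    application: Application
    component: str
    risk_type: str
    license_name: Optional[str]
    credit: Optional[str]          # Output field: vulnerability contributor details
    zero_day: bool                 # Output field: zero-day attribute
    origin_ids: list               # Output field: source package details
    scanner_name: str = SCANNER_NAME
    finding_type: str = FINDING_TYPE_OSS
    tags: set = field(default_factory=set)


# Constructed records standing in for what the connector pulls from Black Duck.
# Key names, component names and licenses are assumptions made for this example.
RAW_RECORDS = [
    {"project": "payments-api", "version": "2.3.0", "component": "example-logging-lib:1.4.0",
     "risk_type": "security", "license": "Apache-2.0", "credit": "example-reporter",
     "zero_day": True, "origin_ids": ["maven:org.example/logging-lib/1.4.0"]},
    {"project": "payments-api", "version": "2.3.0", "component": "example-db-driver:8.0.1",
     "risk_type": "license", "license": "GPL-2.0", "credit": None,
     "zero_day": False, "origin_ids": ["maven:org.example/db-driver/8.0.1"]},
    {"project": "web-portal", "version": "1.0.4", "component": "example-pad:1.3.0",
     "risk_type": "operational", "license": "MIT", "credit": None,
     "zero_day": False, "origin_ids": ["npm:example-pad/1.3.0"]},
    {"project": "web-portal", "version": "1.0.4", "component": "example-utils:4.17.0",
     "risk_type": "security", "license": "MIT", "credit": "example-reporter",
     "zero_day": False, "origin_ids": ["npm:example-utils/4.17.0"]},
]


def ingest(records):
    """Turn raw records into ApplicationFindings and attach the connector tags."""
    findings = []
    for rec in records:
        risk = str(rec["risk_type"]).lower()
        if risk not in RISK_TYPES:
            # A record with an unknown risk type cannot be filtered by Risk Type, so reject it
            raise ValueError(f"unknown risk type {risk!r} for {rec['component']}")
        finding = ApplicationFinding(
            application=Application(rec["project"], rec["version"]),
            component=rec["component"],
            risk_type=risk,
            license_name=rec.get("license"),
            credit=rec.get("credit"),
            zero_day=bool(rec.get("zero_day", False)),
            origin_ids=list(rec.get("origin_ids", [])),
        )
        if risk in RISK_TAGS:
            finding.tags.add(RISK_TAGS[risk])
        findings.append(finding)
    return findings


def filter_findings(findings, scanner_name=None, finding_type=None, risk_type=None,
                    license_name=None, tag=None):
    """Apply any combination of the page's filters; a None criterion matches everything."""
    def keep(f):
        return ((scanner_name is None or f.scanner_name == scanner_name)
                and (finding_type is None or f.finding_type == finding_type)
                and (risk_type is None or f.risk_type == risk_type)
                and (license_name is None or f.license_name == license_name)
                and (tag is None or tag in f.tags))
    return [f for f in findings if keep(f)]


def applications(findings):
    """Distinct (project, version) pairs, as shown on the Applications page."""
    return sorted({(f.application.project, f.application.version) for f in findings})


def risk_summary(findings):
    """Count findings per Risk Type, the aggregation the Risk Type filter supports."""
    summary = {risk: 0 for risk in RISK_TYPES}
    for f in findings:
        summary[f.risk_type] += 1
    return summary


if __name__ == "__main__":
    all_findings = ingest(RAW_RECORDS)
    print("applications:", applications(all_findings))
    print("risk summary:", risk_summary(all_findings))
    for f in filter_findings(all_findings, license_name="MIT"):
        print("MIT-licensed:", f.component, f.risk_type, sorted(f.tags))
```

Filtering by License Name deliberately ignores the risk type, matching the page's note that users can filter findings irrespective of whether they are security, license, or operational; combining `license_name` with `tag="License Risk"` narrows the result to license-risk findings under that license.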

Black Duck Guide - Output Section