Secure your open source code
Black Duck® SCA helps teams manage the security, quality, and license compliance risks in open source and third-party code.
Know what’s in your code
Manage software supply chain risk
Establish trust with your customers
Gain software supply chain visibility
Black Duck SCA's multiple scan technologies identify open source dependencies in source code, files, artifacts, containers, and firmware.
Dependency analysis
Binary analysis
Codeprint analysis
Snippet analysis
Take control of dependency risk
Black Duck® Security Advisories help teams identify vulnerabilities, assess risk, and drive remediation with precision.
Create a software supply chain firewall with SDLC integrations
Black Duck puts you in control, so you can define open source policies and enforce them automatically across every stage of development.
For developers
For development and DevOps teams
For security and operations teams
Make SBOMs part of the entire SDLC
Import SBOMs into Black Duck SCA to map dependencies to known components. Export SBOMs in SPDX and CycloneDX formats. Integrate with SDLC tools for automated SBOM generation and risk monitoring.
“Black Duck SCA is the spearhead of our Bill of Materials initiative.”
Philippe Bobo, Head of Research and Development, MEGA International
Looking for an integrated, cloud-based AST solution?
Black Duck Polaris® Platform brings our market-leading SCA and SAST engines into an easy-to-use and highly scalable SaaS solution.
Select the plan that fits your needs
Security Edition
Enable developers and DevOps teams to address open source policy concerns without slowing innovation.
Starting at
$525
per team member
(20-150 team members)
- Open source detection
- Unlimited application and container scans
- Rapid open source dependency analysis: Address policy violations before building or merging code into release branches
- Software Bill of Materials (SBOM) export
- Open source, third-party, proprietary code
- SPDX
- CycloneDX
- Vulnerability management
- Black Duck Security Advisories
- Severity, prioritization, and reachability metrics
- Remediation guidance
- Malicious package detection
- License compliance
- Open source license identification
- Notices reports
- Open source database
- Complete access to projects, vulnerabilities, and licenses
- Policy management
- Custom security and license policy configuration
- Implementation and integrations
- Continuous monitoring of applications before and after deployment
- Integrations across entire SDLC
- Implementation and adoption services: Add on enhanced technical support and assistance with workflow integrations, custom implementations, and program/project management for your Black Duck tools
*Pricing and terms vary for customers located in China. Please contact your Black Duck sales representative for details.
Supply Chain Edition
Equip the entire enterprise with a software supply chain security and risk management solution. Get complete supply chain visibility, address risk, and establish trust with consumers.
Let's talk
- Open source detection
- Unlimited application and container scans
- Rapid open source dependency analysis: Address policy violations before building or merging code into release branches
- Detection of partial code snippets: Find parts of open source code that have been copied into applications and containers, and that still carry license obligations
- Binary file and firmware analysis: Analyze the contents of an application without access to its source code
- Undeclared component identification: Find open source dependencies not explicitly declared, and in languages that don’t use package managers, like C/C++
- Custom component detection: Find non–open source, internal, and third-party components
- Software Bill of Materials (SBOM) import and export
- Open source, third-party, and proprietary components
- Auto custom component creation
- Out-of-the-box and custom SBOM templates
- SPDX
- CycloneDX
- Vulnerability management
- Black Duck Security Advisories
- Severity, prioritization, and reachability metrics
- Remediation guidance
- Malicious package detection
- License compliance
- Declared and undeclared open source license identification
- Notices reports
- Full license text
- Obligation fulfillment guidance & tracking
- Deep copyright data
- Open source database
- Complete access to projects, vulnerabilities, and licenses
- Policy management
- Custom security and license policy configuration
- Automatic policy enforcement, notification, and reporting
- Implementation and integrations
- Continuous monitoring of applications before and after deployment
- Integrations across entire SDLC
- Implementation and adoption services: Add on enhanced technical support and assistance with workflow integrations, custom implementations, and program/project management for your Black Duck tools
Frequently Asked Questions
- How is software composition analysis (SCA) different from other application security tools?
Open source security is often overlooked due to the misconception that vulnerabilities in proprietary code and open source code can be detected and remediated in similar ways. The reality is that SAST, DAST, and other application security testing tools cannot effectively detect open source vulnerabilities. Enter SCA.
The key differentiator between SCA and other application security tools is what these tools analyze, and in what state. SCA analyzes third-party open source code for vulnerabilities, licenses, and operational factors, while SAST analyzes weaknesses in proprietary code, and DAST tests running applications for vulnerable behavior.
- Do you need both SAST and software composition analysis?
A comprehensive software security program contains both SAST and SCA. Organizations that adopt such an approach see improvements throughout the SDLC, including improved quality through early identification of issues, better visibility across proprietary and open source code, lower remediation costs by detecting and fixing vulnerabilities early in the development process, minimized risk of security breaches, and optimized security testing that is both effective and compatible with agile development.
- What integrations does Black Duck support?
Black Duck offers easy-to-use open source integrations for the most popular development tools and REST APIs, allowing you to build your own integrations for virtually any commercial or custom development environment. Black Duck offers a wide range of integrations across the SDLC, including IDEs, package managers, CI/CD, issue trackers, and production capabilities.
Black Duck Supported Integrations
- Where does Black Duck’s vulnerability information come from?
Most solutions rely solely on data from the National Vulnerability Database (NVD). This limitation presents a problem, as many vulnerabilities are never documented in the NVD, and others are not listed until weeks after they become public. Black Duck Security Advisories (BDSAs) go beyond the NVD, with enhanced data that is researched and analyzed by the Cybersecurity Research Center (CyRC) to ensure completeness and accuracy, providing early warning and complete insight.
Black Duck vulnerability reporting
- Why should I care about scanning for more than declared dependencies?
Most solutions use package manager declarations to identify open source components. But failing to scan for more than declared dependencies guarantees that you’ll miss some open source. And if you don’t know it’s there, you can’t ensure it’s secure and compliant.
Package manager scanning will overlook open source that developers don’t declare in package manifests, languages like C and C++, open source built into containers where no package manager is used, open source that has been modified, or partial snippets of code that still carry license obligations. By combining file system scanning and snippet scanning with build process monitoring, Black Duck provides visibility into open source components not tracked by a package manager, partial open source, and open source that was potentially modified or not declared, as well as component and version verification for dynamic and transitive dependencies.
- What should I look for in a software composition analysis solution?
The short answer is an extensive and powerful solution that provides end-to-end control of open source risks. A solution like Black Duck provides a comprehensive approach to open source management throughout the entire SDLC.
More specifically, the following capabilities should be considered when selecting an SCA solution:
- Comprehensive scanning, beyond what is declared
- Persistent Bill of Materials
- Policy, workflow, and SDLC integrations
- Robust vulnerability database, beyond the NVD
- License compliance functionality
- Monitoring and alerting
- What languages and platforms does Black Duck support?
Black Duck supports the most common package managers. Black Duck’s snippet scanning covers the top and most frequently used languages. The expert KnowledgeBase team is constantly monitoring for and adding new languages, ensuring that all common languages are supported.
Additionally, Black Duck’s proprietary signature scanning approach is language-agnostic. This scanning approach searches for signatures based on file and directory layouts along with other metadata that is independent of language.
Contact us for the most current list of supported languages and platforms.
- Does SCA support binary code in addition to source code?
Yes. Some solutions can scan binaries for package manager information or binaries pulled directly from a repository without any modification. Black Duck’s sophisticated binary scanning solution can crack binaries open to detect modified binaries and provide legacy language and broad artifact support.
Black Duck Binary Analysis
- How comprehensive is Black Duck’s licensing data in the KnowledgeBase?
Black Duck’s open source KnowledgeBase is the industry’s most comprehensive database of open source project, license, and security information, sourced and curated by the Cybersecurity Research Center (CyRC). The KnowledgeBase contains more than 2,750 unique open source licenses (GPL, LGPL, Apache, etc.), with full license text for the most popular open source licenses and dozens of encoded attributes and obligations for each license. Black Duck also includes deep copyright data and the ability to pull out embedded open source licenses for complete open source compliance.
- Does Black Duck scan containers?
Yes. Black Duck allows teams that package and deliver applications using Docker (and other) containers to confirm and attest that any open source in their containers meets use and security policies, is free of vulnerabilities, and fulfills license obligations. Open source management includes ongoing monitoring for new vulnerabilities affecting existing applications and containers.