Synopsys has released a new solution to help companies manage upstream risks of software supply chains.
Black Duck Supply Chain Edition does software composition analysis (SCA) that makes use of a number of security analysis techniques to determine the components in a piece of software, such as package dependency, CodePrint, snippet, binary, and container analysis.
Customers can import SBOMs of their third-party components and automatically catalog the components found within. It performs continuous risk analysis on both internal SBOMs and the SBOMs of third-party components.
This also allows it to identify not just security issues, but issues with licenses of third-party components. This includes analyzing AI-generated code and detecting if any part of it might be subject to license requirements.
The tool also performs post-build analysis that can help detect malware or potentially unwanted applications.
SBOMs can be exported in SPDX or CycloneDX formats, which makes it easier to meet customer, industry, or regulatory requirements, according to Synopsys.
“With the rise in software supply chain attacks targeting vulnerable or maliciously altered open source and third-party components, it’s critical for organizations to understand and thoroughly scrutinize the composition of their software portfolios,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “This requires constant vigilance over the patchwork of software dependencies that get pulled in from a variety of sources, including open source components downloaded from public repositories, commercial software packages purchased from vendors, code generated from AI coding assistants, and the containers and IT infrastructure used to deploy applications. It also requires the ability to detect and generate actionable insights for a wide range of risk factors such as known vulnerabilities, exposed secrets, and malicious code.”