Synopsys, Inc. announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains. Black Duck Supply Chain Edition combines multiple open source detection technologies, automated third-party software bill of materials (SBOM) analysis, and malware detection to provide a comprehensive view of software risks inherited from open source, third-party, and AI-generated code. Development and security teams can track their dependencies across the entire application lifecycle to identify and resolve security vulnerabilities, malicious packages, and license violations and conflicts.

Supply Chain Edition builds on the market-leading capabilities of Black Duck and delivers a full range of supply chain security capabilities to teams responsible for building secure, compliant applications. Key features of Black Duck Supply Chain include:

Multiple open source detection technologies. Accurately identify open source components across any programming language using the most comprehensive combination of software analysis technologies, including package dependency, CodePrint, snippet, binary, and container analysis.

Third-party SBOM import and analysis. Import SBOMs from third-party software suppliers and automatically catalogue the open source, commercial, and custom components contained in them.

Malware detection (leveraging technology from ReversingLabs). Perform post-build analyses to detect the presence of malware, such as suspicious files, potentially unwanted applications, protest-ware, and suspicious file structures.

Risk identification and mitigation. Continuously monitor for open source vulnerabilities, exposed secrets, malware, and malicious packages in both the SBOMs you generate and those you import.

IP risk and license compliance management. Automatically identify software licenses associated with dependencies and receive guidance on obligations or conflicts with how the application is licensed, deployed, and distributed. Analyze AI-generated code to identify hidden open source snippets that may be subject to copyright or license obligations.

Industry standard SBOMs. Export SBOMs containing all open source, custom, and commercial dependencies, in SPDX or CycloneDX formats, to align with customer, industry, or regulatory requirements. Leverage out-of-the-box templates to meet the appropriate level of sharing detail specified by downstream customers.

Black Duck Supply Chain Edition will be generally available on April 25, 2024, and showcased May 6-9, 2024 at the RSA Conference in San Francisco at the Synopsys Software Integrity Group booth, #1027.