
Black Duck Binary Analysis
Manage security, license, and code quality risks in your software supply chain

Overview
Black Duck Binary Analysis is a software composition analysis (SCA) solution to help
you manage the ongoing risks associated with a complex, modern software supply
chain. Empower procurement, operations, and development teams with visibility and
insight into the composition of commercial applications, vendor-supplied binaries, and
other third-party software.

A portrait of risk
To accelerate innovation and bolster efficiency in critical business infrastructure,
organizations consume systems and software from various suppliers. Their demand
for better, faster technology drives an increasing reliance on a complex software supply
chain for third-party components. While this approach has many advantages, it also
presents many security challenges:

• A software patchwork. Virtually all software includes third-party components,
including free and open source software (FOSS), commercial off-the-shelf code
(COTS), and internally developed components, which are rarely sourced with security
in mind and often contain vulnerabilities.
• Deferred accountability. Consumers of software and systems often incorrectly
assume that security and robustness are upstream responsibilities—and thus bear
the risk of an unchecked software supply chain.
• Ground zero for attacks. Vulnerable third-party software represents a weak link in
the supply chain that provides a point of entry for attackers.

Key features
Scan almost anything
Black Duck Binary Analysis quickly generates a complete software bill of materials
(BOM), which tracks third-party and open source components, and identifies known
security vulnerabilities, associated licenses, and code quality risks. Because Black Duck
Binary Analysis analyzes binary code, as opposed to source code, it can scan virtually
any software, including desktop and mobile applications, embedded system firmware,
and more.

| synopsys.com | 1
Easy-to-use dashboard
Black Duck Binary Analysis has an interactive dashboard with a high-level overview of the composition and overall health of scanned
software. The dashboard summary includes:

• Software bill of materials. The BOM provides detailed information about each identified third-party component, including version,
location, license obligations, known vulnerabilities, and more.
• Vulnerability assessment. Black Duck Binary Analysis uses an advanced proprietary engine to provide enhanced, relevant information
about each vulnerability from the NIST National Vulnerability Database (NVD), including the Common Vulnerabilities and Exposures
(CVE) identifier and severity.
• Open source licenses report. The report helps you avoid software license noncompliance by identifying applicable licenses and any
potential conflicts.

Take security a step further
Black Duck Binary Analysis takes security even further by identifying additional attack vectors beyond security vulnerabilities, including:

• Information leakage. Further enrich your risk calculation by uncovering surface data inadvertently left in the application, such as clear
text passwords, active AWS keys, developers’ credentials, and IP addresses.
• Compiler switches. Identify the compiler security methods used when compiling the software to evaluate residual risks and reduce
potential security holes.
• Mobile permissions. Identify the permissions required by mobile applications that have a potential impact on the security of sensitive
data and compliance requirements.

Key benefits
With Black Duck Binary Analysis, you can analyze software without requiring access to source code and identify weak links in your
software supply chain quickly and easily.

• Scan virtually any software or firmware in minutes. Gain visibility into essentially any software or firmware, including desktop and
mobile applications, embedded system firmware, virtual appliances, and more.
• No source code required. Simply upload the software you want to assess, and Black Duck Binary Analysis performs a thorough binary
or runtime analysis in minutes. This black box technique emulates an attacker’s approach to detecting vulnerabilities.
• Obtain a comprehensive BOM. Identify and catalog all third-party software components and licenses.
• Manage your risk profile. Diagnose software health by identifying known vulnerabilities and licensing obligations in software
components. Make informed decisions about the use and procurement of technology with realistic metrics.
• Proactively manage threats. Automatically receive alerts for newly discovered vulnerabilities in previously scanned software.
• Enjoy a flexible delivery model. Black Duck Binary Analysis is available as a cloud-based service or an on-premises appliance.

Black Duck Binary Analysis | Binary and Package Manager Scanning

Languages
• C
• C++
• C#
• Clojure
• CocoaPods
• Golang
• Groovy
• Java
• Kotlin
• Objective-C
• Python
• Ruby
• Scala
• .NET

Cloud technologies

Package Manager Support
• Distro-package-manager: Leverages information from a Linux distribution package manager database to extract component information.
• The remaining four methods are only applicable to Java bytecode:
  – pom: Extracts the Java package, group name, and version from the pom.xml or pom.properties files in a JAR file.
  – manifest: Extracts the Java package name and version from the entries in the MANIFEST.MF file in a JAR file.
  – jar-filename: Extracts the Java package name and version from the jar-filename.
  – hashsum: Uses the sha1 checksum of the JAR file to look it up from known Maven Central registered Java projects.

Binary formats
• Native binaries
• Java binaries
• .NET binaries
• Go binaries

Compression formats
• Gzip (.gz)
• bzip2 (.bz2)
• LZMA (.lz)
• LZ4 (.lz4)
• Compress (.Z)
• XZ (.xz)
• Pack200 (.jar)
• UPX (.exe)
• Snappy
• DEFLATE
• zStandard (.zst)

Archive formats
• ZIP (.zip, .jar, .apk, and other derivatives)
• XAR (.xar)
• 7-Zip (.7z)
• ARJ (.arj)
• TAR (.tar)
• VM TAR (.tar)
• cpio (.cpio)
• RAR (.rar)
• LZH (.lzh)
• Electron archive (.asar)
• DUMP

Installation formats
• Red Hat RPM (.rpm)
• Debian package (.deb)
• Mac installers (.dmg, .pkg)
• Unix shell file installers (.sh, .bin)
• Windows installers (.exe, .msi, .cab)
• vSphere Installation Bundle (.vib)
• Bitrock Installer
• Installer generator formats that are supported:
  – 7z, zip, rar self extracting .exe
  – MSI Installer
  – CAB Installer
  – InstallAnywhere
  – Install4J
  – InstallShield
  – InnoSetup
  – Wise Installer
  – Nullsoft Scriptable Install System (NSIS)
  – WiX Installer

Firmware formats
• Intel HEX
• SREC
• U-Boot
• Arris firmware
• Juniper firmware
• Kosmos firmware
• Android sparse file system
• Cisco firmware

File systems / disk images
• ISO 9660 / UDF (.iso)
• Windows Imaging
• ext2/3/4
• JFFS2
• UBIFS
• RomFS
• Microsoft Disk Image
• Macintosh HFS
• VMware VMDK (.vmdk, .ova)
• QEMU Copy-On-Write (.qcow2)
• VirtualBox VDI (.vdi)
• QNX—EFS, IFS
• NetBoot image (.nbi)
• FreeBSD UFS

Container Formats
• Docker
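The four Java bytecode identification methods listed under Package Manager Support (pom, manifest, jar-filename, hashsum) can be reproduced with the standard library. The block below is an added illustration, not Black Duck code: the JAR it inspects is constructed in memory with a fictional artifact, and the hashsum lookup uses a small constructed index in place of a Maven Central query.

```python
import hashlib
import io
import re
import zipfile
# Constructed sample JAR content (no real classes): a MANIFEST.MF and a pom.properties.
MANIFEST = "Manifest-Version: 1.0\r\nImplementation-Title: commons-text\r\nImplementation-Version: 1.9\r\n"
POM_PROPS = "version=1.9\ngroupId=org.apache.commons\nartifactId=commons-text\n"
POM_PATH = "META-INF/maven/org.apache.commons/commons-text/pom.properties"

def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in [("META-INF/MANIFEST.MF", MANIFEST), (POM_PATH, POM_PROPS)]:
            # Fixed timestamp keeps the archive bytes (and therefore its SHA-1) stable.
            z.writestr(zipfile.ZipInfo(name, date_time=(2021, 4, 1, 0, 0, 0)), data)
    return buf.getvalue()

def identify_by_pom(jar: bytes):
    """pom: groupId/artifactId/version from pom.properties under META-INF/maven/."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                lines = z.read(name).decode().splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l)
                return props.get("groupId"), props.get("artifactId"), props.get("version")
    return None

def identify_by_manifest(jar: bytes):
    """manifest: Implementation-Title/-Version from META-INF/MANIFEST.MF."""
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        lines = z.read("META-INF/MANIFEST.MF").decode().splitlines()
    attrs = dict(l.split(": ", 1) for l in lines if ": " in l)
    return attrs.get("Implementation-Title"), attrs.get("Implementation-Version")

def identify_by_filename(filename: str):
    """jar-filename: split 'artifact-version.jar' into name and version."""
    m = re.match(r"^(?P<name>[A-Za-z][\w.-]*?)-(?P<ver>\d[\w.-]*)\.jar$", filename)
    return (m.group("name"), m.group("ver")) if m else None

def identify_by_hashsum(jar: bytes, index: dict):
    """hashsum: look the JAR's SHA-1 up in an index of known artifacts (constructed here)."""
    return index.get(hashlib.sha1(jar).hexdigest())

def demo() -> dict:
    jar = build_sample_jar()
    index = {hashlib.sha1(jar).hexdigest(): ("org.apache.commons", "commons-text", "1.9")}
    return {"pom": identify_by_pom(jar), "manifest": identify_by_manifest(jar),
            "jar-filename": identify_by_filename("commons-text-1.9.jar"),
            "hashsum": identify_by_hashsum(jar, index)}
```

Note that only the hashsum method is independent of metadata an attacker or repackager can edit; the other three trust strings inside the JAR or its filename, so they agree here only because the sample was built consistently.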

The Synopsys difference

Synopsys helps development teams build secure, high-quality software, minimizing risks while
maximizing speed and productivity. Synopsys, a recognized leader in application security,
provides static analysis, software composition analysis, and dynamic analysis solutions that
enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source
components, and application behavior. With a combination of industry-leading tools, services,
and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps
and throughout the software development life cycle.

For more information, go to www.synopsys.com/software.

Synopsys, Inc.
185 Berry Street, Suite 6500
San Francisco, CA 94107 USA

Contact us:
U.S. Sales: 800.873.8193
International Sales: +1 415.321.5237
Email: [email protected]

©2021 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at
www.synopsys.com/copyright.html . All other names mentioned herein are trademarks or registered trademarks of their respective owners. April 2021
