Synopsys has released a new solution to help companies manage upstream risks in their software supply chains.
Black Duck Supply Chain Edition performs software composition analysis (SCA), using a range of techniques, such as package dependency analysis, CodePrint, snippet analysis, binary analysis, and container analysis, to identify the components in a piece of software.
Customers can import SBOMs of their third-party components and automatically catalog the components contained within them. The tool performs continuous risk analysis on internal SBOMs and on the SBOMs of third-party components.
This also makes it possible to identify not only security issues, but also license issues with third-party components. This includes analyzing AI-generated code and finding out whether any part of it may be subject to licensing requirements.
The tool also performs post-build analysis that can help detect malware or potentially unwanted applications.
SBOMs can be exported in SPDX or CycloneDX formats, making it easy to meet customer, industry or regulatory requirements, according to Synopsys.
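To make the SBOM import and catalog step concrete, here is an added example (not Synopsys code and not part of the original article) that ingests a CycloneDX JSON SBOM, deduplicates its components, and runs a simple risk pass: it flags entries with no version or no declared license, licenses on a hypothetical review list, and components that match a hypothetical advisory table. The SBOM, the license policy, and the advisory identifier are all constructed for the example.

```python
import json

# Constructed CycloneDX 1.5 JSON document standing in for a vendor-supplied SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "readline", "version": "8.2",
         "purl": "pkg:generic/readline@8.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        # Incomplete entry: no version and no license information.
        {"type": "library", "name": "mystery-lib",
         "purl": "pkg:generic/mystery-lib"},
        # Exact duplicate of the first entry, to show deduplication.
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Hypothetical organisational policy: copyleft licenses go to legal review.
REVIEW_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

# Hypothetical advisory table keyed by package URL; the identifier is a placeholder.
ADVISORIES = {"pkg:generic/readline@8.2": ["EXAMPLE-ADVISORY-0001"]}


def load_components(sbom_json):
    """Parse a CycloneDX JSON SBOM into a catalog keyed by purl (or name@version)."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    catalog = {}
    for comp in doc.get("components", []):
        name = comp["name"]
        version = comp.get("version")
        key = comp.get("purl") or f"{name}@{version}"
        licenses = []
        # CycloneDX allows either {"license": {"id"|"name": ...}} or {"expression": ...}.
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            lid = lic.get("id") or lic.get("name") or entry.get("expression")
            if lid:
                licenses.append(lid)
        # Re-inserting the same key collapses duplicate SBOM entries.
        catalog[key] = {"name": name, "version": version, "licenses": licenses}
    return catalog


def assess(catalog):
    """Return (key, finding_code, detail) tuples for every component that needs attention."""
    findings = []
    for key, comp in catalog.items():
        if comp["version"] is None:
            findings.append((key, "missing-version", "cannot be matched against advisories"))
        if not comp["licenses"]:
            findings.append((key, "no-license", "license obligations unknown"))
        for lid in comp["licenses"]:
            if lid in REVIEW_LICENSES:
                findings.append((key, "license-review", lid))
        for advisory in ADVISORIES.get(key, []):
            findings.append((key, "advisory", advisory))
    return findings


if __name__ == "__main__":
    for key, code, detail in assess(load_components(SAMPLE_SBOM)):
        print(f"{code:16} {key}: {detail}")
```

The catalog is keyed on the package URL so that the same component listed twice (common when several vendor SBOMs are merged) is recorded once, and the assessment is rerun whenever the SBOM or the advisory table changes, which is the continuous analysis the article refers to.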
“With the rise of software supply chain attacks targeting vulnerable or maliciously modified open source and third-party components, it is critical for organizations to understand and thoroughly examine the composition of their software portfolios,” said Jason Schmitt, general manager of Synopsys Software Integrity Group. “This requires constant vigilance over the patchwork of software dependencies that are fed in from a variety of sources, including open source components downloaded from public repositories, commercial software packages purchased from vendors, code generated by AI coding assistants, and containers and IT infrastructure used to deploy applications. It also requires the ability to detect and generate actionable insights for a wide range of risk factors such as known vulnerabilities, exposed secrets and malicious code.”