close search bar

Sorry, not available in this language yet

close language selection

Introducing Black Duck CoPilot

Patrick Carey

Jun 12, 2017 / 3 min read

Table of Contents

Today we’re happy to announce the release of Black Duck CoPilot by Synopsys, a new cloud service that helps open source project teams catalog and report on their project’s dependencies and vulnerabilities.

What is CoPilot and what does it do?

Black Duck CoPilot is FREE for open source developers who use GitHub.com (the #1 open source repository in the world today) as the repository for their projects. It connects to your GitHub repositories and provides you with security risk information for your open source project’s dependencies (i.e. the open source components used to build your project).

A completely cloud-based service, CoPilot is an easy, integrated, light-weight way to view security vulnerabilities in your open source projects. Once you connect CoPilot and build your project, you get a list of components, associated vulnerabilities (CVEs), as well as recommendations for adjacent vulnerability-free versions you can use if the components you are using have security issues.

co pilot

You may already be using GitHub badges as a way to communicate information about your project, like testing coverage and license type. With CoPilot, you can also post a Black Duck “security status badge” on your project’s GitHub page to show the results of the Black Duck security analysis.

co pilot badge

This badge helps you show potential users of your project that you take security seriously and that they can trust that your project won’t introduce vulnerabilities into their code. In turn, it helps those users pick the best quality components.

CoPilot – The supply-side complement to Black Duck Hub

Since 2004, Black Duck’s mission has been to help organizations get the most out of open source by giving them solutions that help them manage and, if possible, avoid the security, license, and quality risks that can come with it. We believe that when teams take control of these risks, open source thrives. Black Duck Hub gives these organizations (open source consumers) a sophisticated and automated solution that allows them to secure virtually any application or container codebase, across the entire development lifecycle, at any scale.

CoPilot complements Hub by giving open source producers a solution that helps them produce better quality components and communicate that to open source consumers — and that benefits everybody. However, CoPilot is not intended to be the full open source management solution that Hub is, and its functionality is a subset of Hub. The table below provides more detail on the specific feature differences between the two.

Feature

Hub

CoPilot

Codebase Support

Wide support for virtually any codebase or container image in any repository or storage location.

Support for open source codebases on GitHub.com.

Open Source Discovery

Broad component discovery and language support using multi-factor discovery, combining source and binary scanning, package inspection, and build output analysis.

Component discovery based on package manifest information in projects built with the following build and CI tools.

Build Tools

  • Gradle
  • Maven
  • Scala Build Tool
  • NuGet
  • pip

CI Systems

  • Travis CI
  • Circle CI
  • AppVeyor

Vulnerability Data

Enhanced Vulnerability Data that extends the CVE data in NVD with independently researched vulnerability information. Provides more vulnerabilities, same-data notification, and deeper remediation guidance than NVD.

NVD CVE data only.

BOM Vulnerability Updates

Continuously updated. No need to re-scan or build to see latest vulnerabilities.

Updates when the project is rebuilt.

New Vulnerability Alerts

Yes

No

View Risks Across Multiple Projects

Yes

No

License Compliance Features

Yes

No

Policy Management Features

Yes

No

Integration Across DevOps Tool Chain

Yes – integrates in a wide variety of IDEs, build/CI tools, binary repositories, container platforms, and other DevOps tools. View the full list here.

Limited to GitHub and build/CI tools listed above.

Get started today!

If you are an open source developer with projects on GitHub.com you can get started today by visiting copilot.blackducksoftware.com. We look forward to getting your feedback on this new offering.

Continue Reading

Introducing fAST Dynamic: Streamlining dynamic application security testing

Introducing fAST Dynamic: Streamlining dynamic application security testing

Vishrut Iyengar
By Vishrut Iyengar

Mar 19, 2024 / 3 min read

Tags: DAST, Software Integrity, Security News & Trends, Build Security into DevOps
CVE-2017-5638: The Apache Struts vulnerability explained

CVE-2017-5638: The Apache Struts vulnerability explained

Fred Bals
By Fred Bals

Mar 16, 2024 / 3 min read

Tags: Software Integrity, Security News & Trends, Secure the Software Supply Chain
2024 OSSRA Report: Outdated code risk in open source components

2024 OSSRA Report: Outdated code risk in open source components

Fred Bals
By Fred Bals

Mar 06, 2024 / 4 min read

Tags: Software Integrity, Security News & Trends, Secure the Software Supply Chain, Manage Security Risks

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security