Introducing Black Duck CoPilot


Today we’re happy to announce the release of Black Duck CoPilot (https://copilot.blackducksoftware.com/), a new cloud service that helps open source project teams catalog and report on their project’s dependencies and vulnerabilities.

What is CoPilot and What Does It Do?

Black Duck CoPilot is a free service for open source developers who use GitHub.com (the #1 open source repository in the world today) as the repository for their projects. It connects to your GitHub repositories and provides you with security risk information for your open source project’s dependencies (i.e. the open source components used to build your project).

A completely cloud-based service, CoPilot is an easy, integrated, light-weight way to view security vulnerabilities in your open source projects. Once you connect CoPilot and build your project, you get a list of components, associated vulnerabilities (CVEs), as well as recommendations for adjacent vulnerability-free versions you can use if the components you are using have security issues.

screenshot of Black Duck CoPilot

You may already be using GitHub badges as a way to communicate information about your project, like testing coverage and license type. With CoPilot, you can also post a Black Duck “security status badge” on your project’s GitHub page to show the results of the Black Duck security analysis.

CoPilot Badge in GitHub

This badge helps you show potential users of your project that you take security seriously and that they can trust that your project won’t introduce vulnerabilities into their code. In turn, it helps those users pick the best quality components.

CoPilot – The Supply-side Complement to Black Duck Hub

Since 2004, Black Duck’s mission has been to help organizations get the most out of open source by giving them solutions that help them manage and, if possible, avoid the security, license, and quality risks that can come with it. We believe that when teams take control of these risks, open source thrives. Black Duck Hub gives these organizations (open source consumers) a sophisticated and automated solution that allows them to secure virtually any application or container codebase, across the entire development lifecycle, at any scale.

CoPilot complements Hub by giving open source producers a solution that helps them produce better quality components and communicate that to open source consumers — and that benefits everybody. However, CoPilot is not intended to be the full open source management solution that Hub is, and its functionality is a subset of Hub. The table below provides more detail on the specific feature differences between the two.

Feature: Codebase Support
  Hub: Wide support for virtually any codebase or container image in any repository or storage location.
  CoPilot: Support for open source codebases on GitHub.com.

Feature: Open Source Discovery
  Hub: Broad component discovery and language support using multi-factor discovery, combining source and binary scanning, package inspection, and build output analysis.
  CoPilot: Component discovery based on package manifest information in projects built with the following build and CI tools.
    Build Tools
      • Gradle
      • Maven
      • Scala Build Tool
      • NuGet
      • pip
    CI Systems
      • Travis CI
      • Circle CI
      • AppVeyor

Feature: Vulnerability Data
  Hub: Enhanced Vulnerability Data that extends the CVE data in NVD with independently researched vulnerability information. Provides more vulnerabilities, same-day notification, and deeper remediation guidance than NVD.
  CoPilot: NVD CVE data only.

Feature: BOM Vulnerability Updates
  Hub: Continuously updated. No need to re-scan or rebuild to see the latest vulnerabilities.
  CoPilot: Updates when the project is rebuilt.

Feature: New Vulnerability Alerts
  Hub: Yes
  CoPilot: No

Feature: View Risks Across Multiple Projects
  Hub: Yes
  CoPilot: No

Feature: License Compliance Features
  Hub: Yes
  CoPilot: No

Feature: Policy Management Features
  Hub: Yes
  CoPilot: No

Feature: Integration Across DevOps Tool Chain
  Hub: Yes – integrates with a wide variety of IDEs, build/CI tools, binary repositories, container platforms, and other DevOps tools. View the full list here.
  CoPilot: Limited to GitHub and the build/CI tools listed above.
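The CoPilot column above describes the core of what a manifest-based dependency check does: read the package manifest, match each pinned component against CVE records, and suggest an adjacent version that carries no known vulnerability. The Python script below is an added illustration of that pipeline and is not CoPilot's or Black Duck's own code. It works on a constructed requirements.txt (pip is one of the build tools listed), a constructed feed of placeholder records whose ids are not real CVEs, and a constructed list of published versions; the version comparison is a deliberately simplified numeric one with no pre-release handling.

```python
import re

# Constructed sample pip manifest (requirements.txt); not taken from any real project.
REQUIREMENTS_TXT = """\
# constructed sample manifest
requests==2.3.0
pyyaml==3.12
six==1.10.0
coverage>=4.0   # unpinned: cannot be matched to a single version
"""

# Constructed NVD-style vulnerability records. The ids are placeholders, not real CVEs,
# and each affected range is half-open: lo <= version < hi.
VULN_FEED = [
    {"id": "CVE-EXAMPLE-0001", "package": "requests", "affected": ("2.0.0", "2.5.0")},
    {"id": "CVE-EXAMPLE-0002", "package": "pyyaml", "affected": ("0.0.0", "4.0.0")},
]

# Constructed list of published versions per package, used to recommend an
# adjacent version that no record in the feed affects.
KNOWN_VERSIONS = {
    "requests": ["2.2.1", "2.3.0", "2.4.0", "2.5.0", "2.6.0"],
    "pyyaml": ["3.12", "3.13", "4.0.0", "4.1"],
    "six": ["1.9.0", "1.10.0", "1.11.0"],
}

# Only exact pins (name==x.y.z) resolve to a single component version.
PINNED_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple (simplified: no pre-release tags)."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(manifest):
    """Return ({package: pinned_version}, [manifest lines that could not be pinned to one version])."""
    pinned, unresolved = {}, []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        match = PINNED_RE.match(line)
        if match:
            pinned[match.group(1).lower()] = match.group(2)
        else:
            unresolved.append(line)  # reported separately rather than silently skipped
    return pinned, unresolved


def is_affected(version, record):
    """True when the version lies inside the record's half-open affected range."""
    lo, hi = (parse_version(v) for v in record["affected"])
    return lo <= parse_version(version) < hi


def vulnerabilities_for(package, version, feed):
    """Ids of all feed records whose affected range contains this exact version."""
    return [r["id"] for r in feed if r["package"] == package and is_affected(version, r)]


def recommend_clean_version(package, version, feed, known):
    """Pick the published version closest to the current one that no feed record affects."""
    versions = sorted(known.get(package, []), key=parse_version)
    if version not in versions:
        return None
    current = versions.index(version)
    clean = [i for i, v in enumerate(versions) if not vulnerabilities_for(package, v, feed)]
    if not clean:
        return None
    # nearest by distance in the release sequence; on a tie prefer the newer version
    best = max(clean, key=lambda i: (-abs(i - current), i))
    return versions[best]


def build_report(manifest, feed, known):
    """Per-package summary: pinned version, matching record ids, and a suggested clean version."""
    pinned, unresolved = parse_requirements(manifest)
    packages = {}
    for package, version in pinned.items():
        vulns = vulnerabilities_for(package, version, feed)
        packages[package] = {
            "version": version,
            "vulnerabilities": vulns,
            "recommended": recommend_clean_version(package, version, feed, known) if vulns else None,
        }
    return {"packages": packages, "unresolved": unresolved}


if __name__ == "__main__":
    report = build_report(REQUIREMENTS_TXT, VULN_FEED, KNOWN_VERSIONS)
    for name, entry in report["packages"].items():
        print(name, entry)
    print("unresolved:", report["unresolved"])
```

Two points in the table show up directly in this code. Unpinned requirements (the `coverage>=4.0` line) are reported rather than guessed, because a manifest-only check has no build output to tell it which version was actually installed. And because the check runs against whatever feed snapshot exists at build time, a record published after the last build is invisible until the project is rebuilt, which is exactly the "Updates when the project is rebuilt" limitation the table lists for CoPilot against Hub's continuous updates.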


For a developer perspective on why CoPilot is a game changer for open source project teams, check out this blog from the developers who created it.

Get started today!

If you are an open source developer with projects on GitHub.com you can get started today by visiting copilot.blackducksoftware.com. We look forward to getting your feedback on this new offering.
