We’ve recently updated Black Duck Hub with a number of new capabilities that make it easier for teams to discover open source in their environment, prioritize their vulnerability and compliance management activities, and determine the best upgrade path for open source components that are vulnerable. Existing Black Duck customers can take advantage of these new features by upgrading to version 4.1.
Hub Detect — Unified Open Source Discovery
The way software is built has changed significantly over the last decade. With the rise of agile development and DevOps, have come a variety of build automation tools that both improve quality and decrease time to market. For example, most modern programming languages use some form of package manager to orchestrate the build and assembly of software. Hub currently provides support for the most common package managers in use, including Maven, Gradle, NPM, Ruby, CocoaPods, NuGet, Go, apk, dpkg, RPM, and PyPi. However, users have told us that it can be a pain to determine which of our plug-ins to use and then configure it properly for the specific package manager environment.
Hub Detect eliminates this problem by providing a single universal implementation that detects what, if any, package manager is in use, obtains and configures the appropriate package manager integration, and automates the process of building a bill of materials (BOM) from a combination of source/binary scanning and package manager information. Detect is easy to set up, with no installation or future updates required — it automatically updates itself as needed. To use it, you simply add a couple of lines to your CI script or invoke it within a build script using Detect’s Command Line Interface. You can learn more about Detect in this blog post.
New Hub Summary Dashboard — Your Open Source World at a Glance
One of the first things you’ll notice in 4.1 is the new summary dashboard view. One thing we often hear from users is that — as they analyze more code, track more components, and add more projects — it can be difficult to figure out where they should start and how to focus their remediation activities. The new summary dashboard helps address this problem by highlighting the top security, policy, and component risks across all projects.
Using this information, you can determine your overall open source risk state and drill down on any of the metrics to pinpoint which projects and components are driving them.
Vulnerability Upgrade Guidance — Helps You Pick The Best Component Version
Although security risks are reported and tracked as individual vulnerabilities (CVEs), teams generally remediate not at the vulnerability level but at the component level. Put another way, the most common way to address a vulnerability in an open source component is to upgrade to a newer version of that component. In an ideal world, there will be a newer version that is completely free from vulnerabilities and requires no code rework to use. However, more often than not, it’s not that simple. Newer versions of the component may address some vulnerabilities but introduce different ones. It can be a real challenge to figure out one which version to upgrade to.
Hub 4.1 helps you address this problem by providing you with upgrade path options for any component reported to have vulnerabilities. It provides you with three potential options:
- The first subsequent version that fixes the vulnerabilities in this version. This version is less likely to require rework to integrate, but you’ll need to review the known vulnerabilities reported against it to confirm that it is actually a security improvement.
- The first subsequent version that has no known vulnerabilities. This version is likely to be newer than the first option, so it may be more likely to require rework to implement. However, given that it does not have any known vulnerabilities, it will improve security.
- The most recent version that has no known vulnerabilities. Perhaps you want to use this opportunity to get on the most current version available. However, you wouldn’t want to do that at if it introduces new vulnerabilities. This version recommendation satisfies both needs.
New Enterprise Features — Support for Large Scale Environments
Many of the world’s largest development teams use Black Duck to help them manage open source security and compliance risks. We’ve extended Hub support for large enterprise environments with two new capabilities.
- SAML Support: In larger organizations, Single Sign-On and/or Multi Factor Authentication are a requirement. Hub now supports the use of SAML to enable user management with a variety of user access management solutions including Active Directory and Okta.
- Centralized Reporting Database: Many of our larger customers have told us that they want to leverage data from Black Duck Hub within their 3rd party reporting. Hub now supports this by providing a centralized reporting database.
Existing Black Duck Hub customers can access all these capabilities by upgrading to version 4.1. Not using Hub yet? Learn more about these and other features of Black Duck Hub will help you build fast and stay secure with open source. Schedule a product walkthrough today.