Introducing Black Duck CoPilot


Today we’re happy to announce the release of Black Duck CoPilot (https://copilot.blackducksoftware.com/), a new cloud service that helps open source project teams catalog and report on their project’s dependencies and vulnerabilities.

What is CoPilot and What Does It Do?

Black Duck CoPilot is FREE for open source developers who use GitHub.com (the #1 open source repository in the world today) as the repository for their projects. It connects to your GitHub repositories and provides you with security risk information for your open source project’s dependencies (i.e. the open source components used to build your project).

A completely cloud-based service, CoPilot is an easy, integrated, light-weight way to view security vulnerabilities in your open source projects. Once you connect CoPilot and build your project, you get a list of components, associated vulnerabilities (CVEs), as well as recommendations for adjacent vulnerability-free versions you can use if the components you are using have security issues.
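As an added illustration (not Black Duck's code and not how CoPilot is implemented), the script below shows the kind of manifest-based analysis the post describes and the comparison table later lists for pip: it reads a pip-style manifest, matches pinned versions against a vulnerability table, and recommends the adjacent release with no known issue. The manifest, the release history and the vulnerability ids are constructed sample data, not NVD records.

```python
import re
# Constructed sample manifest (requirements.txt style), not from a real project.
REQUIREMENTS = """\
requests==2.5.1   # constructed pin
flask==0.10
pyyaml==3.12
"""

# Constructed vulnerability table; ids are placeholders, not real CVE numbers.
VULN_TABLE = {
    "requests": [("EXAMPLE-VULN-1", {"2.5.0", "2.5.1", "2.5.2"})],
    "pyyaml": [("EXAMPLE-VULN-2", {"3.12", "3.13"})],
}

# Constructed release history per component, ordered oldest to newest.
KNOWN_VERSIONS = {
    "requests": ["2.4.3", "2.5.0", "2.5.1", "2.5.2", "2.5.3", "2.6.0"],
    "flask": ["0.9", "0.10", "0.10.1"],
    "pyyaml": ["3.11", "3.12", "3.13", "4.1"],
}

def parse_requirements(text):
    """Return {name: version} for '==' pins; comments and blank lines are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def vulnerabilities_for(name, version):
    return [vid for vid, affected in VULN_TABLE.get(name, []) if version in affected]

def adjacent_clean_version(name, version):
    """Nearest release with no known issue (newer wins a tie); None if none is known."""
    versions = KNOWN_VERSIONS.get(name, [])
    if version not in versions:
        return None
    idx = versions.index(version)
    clean = [v for v in versions if not vulnerabilities_for(name, v)]
    return min(clean, default=None,
               key=lambda v: (abs(versions.index(v) - idx), versions.index(v) < idx))

def build_report(text):
    """Rows of (name, version, vulnerability ids, recommended version or None)."""
    rows = []
    for name, version in parse_requirements(text).items():
        vulns = vulnerabilities_for(name, version)
        rows.append((name, version, vulns, adjacent_clean_version(name, version) if vulns else None))
    return rows
```

Note that the "adjacent" clean release can be older than the pinned one (pyyaml here), which is why a real report should show both the fix and what the upgrade or downgrade implies.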

screenshot of Black Duck CoPilot

You may already be using GitHub badges as a way to communicate information about your project, like testing coverage and license type. With CoPilot, you can also post a Black Duck “security status badge” on your project’s GitHub page to show the results of the Black Duck security analysis.

CoPilot Badge in GitHub

This badge helps you show potential users of your project that you take security seriously and that they can trust that your project won’t introduce vulnerabilities into their code. In turn, it helps those users pick the best quality components.

CoPilot – The Supply-side Complement to Black Duck Hub

Since 2004, Black Duck’s mission has been to help organizations get the most out of open source by giving them solutions that help them manage and, if possible, avoid the security, license, and quality risks that can come with it. We believe that when teams take control of these risks, open source thrives. Black Duck Hub gives these organizations (open source consumers) a sophisticated and automated solution that allows them to secure virtually any application or container codebase, across the entire development lifecycle, at any scale.

CoPilot complements Hub by giving open source producers a solution that helps them produce better quality components and communicate that to open source consumers — and that benefits everybody. However, CoPilot is not intended to be the full open source management solution that Hub is, and its functionality is a subset of Hub. The table below provides more detail on the specific feature differences between the two.

| Feature | Hub | CoPilot |
|---|---|---|
| Codebase Support | Wide support for virtually any codebase or container image in any repository or storage location. | Support for open source codebases on GitHub.com. |
| Open Source Discovery | Broad component discovery and language support using multi-factor discovery, combining source and binary scanning, package inspection, and build output analysis. | Component discovery based on package manifest information in projects built with the following build and CI tools. Build tools: Gradle, Maven, Scala Build Tool, NuGet, pip. CI systems: Travis CI, Circle CI, AppVeyor. |
| Vulnerability Data | Enhanced Vulnerability Data that extends the CVE data in NVD with independently researched vulnerability information. Provides more vulnerabilities, same-day notification, and deeper remediation guidance than NVD. | NVD CVE data only. |
| BOM Vulnerability Updates | Continuously updated. No need to re-scan or rebuild to see the latest vulnerabilities. | Updates when the project is rebuilt. |
| New Vulnerability Alerts | Yes | No |
| View Risks Across Multiple Projects | Yes | No |
| License Compliance Features | Yes | No |
| Policy Management Features | Yes | No |
| Integration Across DevOps Tool Chain | Yes – integrates with a wide variety of IDEs, build/CI tools, binary repositories, container platforms, and other DevOps tools. View the full list here. | Limited to GitHub and the build/CI tools listed above. |


For a developer perspective on why CoPilot is a game changer for open source project teams, check out this blog from the developers who created it.

Get started today!

If you are an open source developer with projects on GitHub.com you can get started today by visiting copilot.blackducksoftware.com. We look forward to getting your feedback on this new offering.
