The Black Duck Hub team is shipping a Hub plugin that gives you visibility into the open source contents of your Eclipse workspace. The plugin makes it easier for developers to inspect components and sub-components, including declared and transitive dependencies, together with the open source risk attached to them, before they are packaged into an application.
What Are We Trying to Solve?
If you are a Java developer using Eclipse, you will be able to look up the security metadata for any open source component you pull in (from Maven Central, for example), review the vulnerability information, and take remediation steps before checking in the code.
This moves the Black Duck scan earlier in the development process, so vulnerable components are found at the developer's desk rather than after the build. The Hub scanner looks up known vulnerabilities with a faster and more responsive technique than the regular iScan; Hal Hearst discusses this in more detail in this blog post. The core idea is to combine several scan techniques, each producing evidence from a different source, so that the results corroborate one another; the Eclipse plugin uses one of those techniques. Here's a sneak peek at what to expect once the plugin is released on GitHub.
STEP 1: Configuring the Hub System
You start with a small config menu to set up a connection with your Black Duck Hub instance after downloading the plugin from GitHub.
STEP 2: View Vulnerability Information
Once set up, you can view vulnerability information in the Black Duck vulnerability view for the components used in your Eclipse project. For example, the dependencies declared in your pom.xml are captured here, along with the transitive dependencies Maven resolves from them at build time.
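The same declared-versus-transitive picture can be checked from a shell before the plugin is available, and it also answers the question that matters for remediation: which declared dependency pulled a transitive component in, and therefore which pom.xml entry has to be upgraded or given an exclusion. The following is an added example, not code from the Black Duck Hub plugin; it parses the text that `mvn dependency:tree` prints, using a constructed sample with fictional coordinates (no real artifacts or vulnerabilities are implied).

```python
"""Classify a Maven dependency graph into declared and transitive components.

Added example, not code from the Black Duck Hub plugin. It parses the text
that `mvn dependency:tree` prints for a project (here a constructed sample
with fictional coordinates), so the graph the plugin inspects in Eclipse can
be checked from a shell: which dependency is declared in pom.xml, which is
transitive, what scope it resolves to, and which declared dependency has to
be upgraded or given an <exclusion> to remediate a transitive one.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `mvn dependency:tree` stdout. Every coordinate is
# fictional; only the layout (connectors, 3-column indentation, scope suffix)
# matches what the maven-dependency-plugin prints.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo-app ---
[INFO] org.example:demo-app:jar:1.0.0
[INFO] +- org.example.web:web-framework:jar:4.2.0:compile
[INFO] |  +- org.example.web:web-core:jar:4.2.0:compile
[INFO] |  \- org.example.logging:logging-api:jar:2.1.0:compile
[INFO] |     \- org.example.logging:logging-core:jar:2.1.0:runtime
[INFO] +- org.example.json:json-mapper:jar:2.13.3:compile
[INFO] |  \- org.example.json:json-core:jar:2.13.3:compile
[INFO] \- org.example.test:unit-test:jar:4.13.2:test
[INFO]    \- org.example.test:matchers:jar:1.3:test
"""

# One tree line: optional "[INFO] " prefix, indentation in 3-character
# columns ("|  " or "   "), an optional "+- " / "\- " connector, then
# group:artifact:packaging[:classifier]:version[:scope]. Verbose-mode
# annotations such as "(version managed from 1.2.0)" are tolerated.
LINE_RE = re.compile(
    r"^(?:\[INFO\] )?"
    r"(?P<indent>(?:[| ]  )*)"
    r"(?P<connector>[+\\]- )?"
    r"(?P<coords>[\w.\-]+(?::[\w.\-]+){3,5})"
    r"(?:\s+\(.*\))?\s*$"
)


@dataclass
class Node:
    group: str
    artifact: str
    packaging: str
    version: str
    scope: str   # "" for the project root
    depth: int   # 0 = project root, 1 = declared in pom.xml, >1 = transitive
    parent: Optional["Node"] = field(default=None, repr=False, compare=False)

    @property
    def coords(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"

    @property
    def declared(self) -> bool:
        return self.depth == 1

    def declared_ancestor(self) -> "Node":
        """The depth-1 dependency whose declaration pulled this node in."""
        node = self
        while node.parent is not None and node.parent.depth >= 1:
            node = node.parent
        return node


def parse_dependency_tree(text: str) -> List[Node]:
    """Return every dependency (the project root excluded) with parent links."""
    nodes: List[Node] = []
    stack: List[Node] = []  # stack[d] is the most recent node at depth d
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banners, blank lines, build output
        parts = m.group("coords").split(":")
        if len(parts) == 4:    # project root carries no scope
            group, artifact, packaging, version = parts
            scope = ""
        elif len(parts) == 5:
            group, artifact, packaging, version, scope = parts
        else:                  # classifier present, e.g. ...:jar:linux-x86_64:1.0:compile
            group, artifact, packaging, _classifier, version, scope = parts
        depth = len(m.group("indent")) // 3 + (1 if m.group("connector") else 0)
        if depth > len(stack):
            raise ValueError(f"indentation jumps a level: {line!r}")
        del stack[depth:]      # close deeper branches; stack[-1] is now the parent
        node = Node(group, artifact, packaging, version, scope, depth,
                    stack[-1] if stack else None)
        stack.append(node)
        if depth >= 1:
            nodes.append(node)
    return nodes


def declared_dependencies(nodes: List[Node]) -> List[Node]:
    return [n for n in nodes if n.declared]


def transitive_dependencies(nodes: List[Node]) -> List[Node]:
    return [n for n in nodes if not n.declared]


def shipped_components(nodes: List[Node]) -> List[Node]:
    """Dependencies that end up in the packaged artifact (compile and runtime
    scope). test, provided and system scope sit on a build or container
    classpath but are not packaged with the application."""
    return [n for n in nodes if n.scope in ("compile", "runtime")]


def dependency_path(nodes: List[Node], group: str, artifact: str) -> List[str]:
    """Chain of coordinates from the project root to the first match, or []."""
    for n in nodes:
        if n.group == group and n.artifact == artifact:
            chain, cur = [], n
            while cur is not None:
                chain.append(cur.coords)
                cur = cur.parent
            return chain[::-1]
    return []


def introduced_by(nodes: List[Node], group: str, artifact: str) -> Optional[Node]:
    """The declared dependency to upgrade, or to add an <exclusion> to, in
    order to remove a transitive component; None if the component is absent."""
    for n in nodes:
        if n.group == group and n.artifact == artifact:
            return n.declared_ancestor()
    return None


if __name__ == "__main__":
    deps = parse_dependency_tree(SAMPLE_TREE)
    for n in deps:
        kind = "declared  " if n.declared else "transitive"
        print(f"{kind} {n.coords} ({n.scope}) via {n.declared_ancestor().coords}")
    print(" -> ".join(dependency_path(deps, "org.example.logging", "logging-core")))
```

Run it against real output with `mvn dependency:tree > tree.txt` and `parse_dependency_tree(open("tree.txt").read())`. The scope column is worth keeping: a finding in a test-scoped transitive never ships, while the runtime-scoped logging-core in the sample does ship even though nothing in pom.xml mentions it, and the only way to remediate it is through web-framework, the declared dependency that introduced it.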
Isn’t that exciting? The plugin will be open sourced and available for download at the end of this month! Now that’s what I call Christmas! :-)
If you haven’t already, try the Black Duck Hub today to help you better manage the use of open source software in your application.
Want to contribute to this project with new features and/or use cases? Visit here to talk directly with our Product team.