
Black Duck

Black Duck by Synopsys is an application security tool that scans your open source components and projects to identify potential vulnerabilities. You can bring component, project, and security data from Black Duck into Brinqa to construct a unified view of your attack surface, thus strengthening your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Black Duck and how to obtain that information from Black Duck. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Black Duck from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Black Duck with Brinqa:

  • Server URL: Your organization's Black Duck Server URL. The default format is https://<server_name>.

  • API token: The API token associated with the Black Duck account, which must have permissions to log in to the API server and return data.

Generate a Black Duck API token

For the Black Duck connector to use the Black Duck API, you must provide an API token. Since Black Duck prohibits retrieving API tokens for existing users, you'll need to generate a new one. To do so, follow these steps:

  1. Log in to your organization's Black Duck account.

  2. Click the User Account menu, and then select Access Tokens from the drop-down.

  3. Click Create Token. The Create Token dialog displays.

    [Image: Black Duck API token dialog]

    Provide the following information:

    • Name: Provide a name for the API token.

    • Description: (Optional) Provide a description for the API token.

    • Scope: Select Read Access Only. The Black Duck connector does not require write access to retrieve data.

  4. Click Create.

    The new API token displays. You cannot view the token again. Copy the token and save it in a secure location.

Note: If you do not have the permissions to create an API token, contact your Black Duck administrator. For additional information, see the Black Duck documentation.

Additional settings

The Black Duck connector contains additional options for specific configuration:

  • Parallel requests: The maximum number of parallel API requests. The default setting is 4.

  • Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

  • Skip certificate verification: Select this option to allow for untrusted certificates.

Types of data to retrieve

The Black Duck connector can retrieve the following types of data from the Black Duck REST API:

Table 1: Data retrieved from Black Duck

| Connector Object | Required | Maps to Data Model |
| --- | --- | --- |
| Component | Yes | Package |
| Component Version | No | Not mapped |
| Open Source Finding | Yes | Open Source Finding |
| Open Source Finding Definition | Yes | Open Source Finding Definition |
| Project | Yes | Code Project |
| Project Version | No | Not mapped |
Info: The Black Duck connector does not currently support operation options for the types of data it retrieves.

For detailed steps on how to view the data retrieved from Black Duck in the Brinqa Platform, see How to view your data.

Attribute mappings

The sections below list the mappings between the source fields and the Brinqa data model attributes.

Component

Table 2: Component attribute mappings

| Source Field Name | Maps to Attribute |
| --- | --- |
| CATEGORIES | categories |
| DESCRIPTION | description |
| NAME | name |
| PROJECTS | projects |
| PROJECT_VERSIONS | Local variable |
| SYS_ID | uid |
| URL | url |

Info: Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Open Source Finding

Table 3: Open Source Finding attribute mappings

| Source Field Name | Maps to Attribute |
| --- | --- |
| COMPONENT_VERSION_ORIGIN_ID | Local variable |
| Component.vulnerabilitywithremediation.vulnerabilityName | type, uid |
| Component_VERSION_ID | Local variable |
| EXPLOIT_PUBLISHED_DATE | Local variable |
| FIRST_FOUND | firstFound |
| LAST_FOUND | lastFound |
| LAST_MODIFIED | sourceLastModified |
| PROJECT | project |
| PROJECT_ID | targets |
| PROJECT_VERSION | Local variable |
| PROJECT_VERSION_ID | Local variable |
| PUBLISHED_DATE | publishedDate |
| STATUS | sourceStatus, status, statusCategory |
| SYS_ID | uid |
| WORKAROUND | Local variable |

Open Source Finding Definition

Table 4: Open Source Finding Definition attribute mappings

| Source Field Name | Maps to Attribute |
| --- | --- |
| COMPONENT_VERSION_ORIGIN_ID | Local variable |
| Component.vulnerabilitywithremediation.vulnerabilityName | type, uid |
| Component_VERSION_ID | Local variable |
| CVE | cveIds |
| CVSSV2_BASE_SCORE | cvssV2BaseScore |
| CVSSV2_TEMPORAL_SCORE | cvssV2TemporalScore |
| CVSSV2_VECTOR | cvssV2Vector |
| CVSSV3_BASE_SCORE | cvssV3BaseScore |
| CVSSV3_TEMPORAL_SCORE | cvssV3TemporalScore |
| CVSSV3_VECTOR | cvssV3Vector |
| CWE | cweIds, weaknesses |
| DESCRIPTION | description |
| EXPLOIT_PUBLISH_DATE | Local variable |
| EXPLOIT_PUBLISHED_DATE | Local variable |
| LAST_MODIFIED | sourceLastModified |
| PROJECT | project |
| PROJECT_ID | targets |
| PROJECT_VERSION | Local variable |
| PROJECT_VERSION_ID | Local variable |
| PUBLISHED_DATE | publishedDate |
| SEVERITY | severity, sourceSeverity, severityScore |
| SOLUTION | recommendation |
| TITLE | name |

Project

Table 5: Project attribute mappings

| Source Field Name | Maps to Attribute |
| --- | --- |
| APPLICATION_IDS | Local variable |
| CATEGORIES | categories |
| DESCRIPTION | description |
| LAST_SCANNED | lastScanned |
| NAME | name |
| POLICY_STATUS | Local variable |
| SYS_ID | uid |
| TAGS | tags |
| TIER | Local variable |

APIs

The Black Duck connector uses the Black Duck REST API. Specifically, it uses the following endpoints:

Table 6: Black Duck REST API Endpoints

| Connector Object | API Endpoint |
| --- | --- |
| Component | GET /api/components/{componentId} |
|  | GET /api/projects/{projectId}/versions/{projectVersionId}/components |
| Component Version | GET /api/projects/{projectId}/versions/{projectVersionId}/components |
| Open Source Finding | GET /api/projects/{projectId}/versions/{projectVersionId}/vulnerable-bom-components |
|  | GET /api/vulnerabilities/{vulnerableComponentId} |
| Open Source Finding Definition | GET /api/projects/{projectId}/versions/{projectVersionId}/vulnerable-bom-components |
|  | GET /api/vulnerabilities/{vulnerableComponentId} |
| Project | GET /api/projects |
| Project Version | GET /api/projects/{projectId}/versions |
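The following Python script is an added example, not part of the connector or this page: it shows how the three Additional settings (Page size, Parallel requests, Skip certificate verification) play out against the list endpoints in Table 6. It assumes Black Duck list endpoints such as GET /api/projects accept limit and offset query parameters and answer with a totalCount and an items array, that the caller already holds a bearer token (the Black Duck REST API issues one in exchange for the API token, a step this page does not cover), and it replaces the network with a constructed in-memory fake so it runs offline.

```python
import json
import ssl
import urllib.request
from concurrent.futures import ThreadPoolExecutor

PAGE_SIZE = 100        # "Page size" setting; the page advises not exceeding 100
PARALLEL_REQUESTS = 4  # "Parallel requests" setting, default 4

def http_get_json(server_url, path, bearer_token, skip_cert_verification=False):
    """Real transport (assumed request shape): GET <server_url><path> with a
    bearer token. skip_cert_verification mirrors the connector option and turns
    off TLS validation completely, so it should stay False outside a lab."""
    ctx = ssl.create_default_context()
    if skip_cert_verification:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        server_url + path,
        headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def paginate(fetch_page, page_size=PAGE_SIZE):
    """Walk a list endpoint with limit/offset until totalCount is reached.
    fetch_page(offset, limit) returns {"totalCount": N, "items": [...]}."""
    items, offset = [], 0
    while True:
        page = fetch_page(offset, page_size)
        items.extend(page["items"])
        offset += page_size
        if not page["items"] or offset >= page["totalCount"]:
            return items

def fetch_per_project(projects, fetch_versions, parallel=PARALLEL_REQUESTS):
    """One request per project, at most `parallel` in flight at once."""
    with ThreadPoolExecutor(max_workers=parallel) as pool:
        return dict(zip([p["name"] for p in projects], pool.map(fetch_versions, projects)))

# Constructed fake of GET /api/projects and .../versions so the logic runs offline.
FAKE_PROJECTS = [{"name": f"proj-{i}", "versions": [f"v{i}.0", f"v{i}.1"]}
                 for i in range(230)]

def fake_projects_page(offset, limit):
    return {"totalCount": len(FAKE_PROJECTS), "items": FAKE_PROJECTS[offset:offset + limit]}

def fake_versions(project):
    return project["versions"]
```

With verification skipped the transport accepts any certificate, so the bearer token is exposed to whoever terminates the TLS connection; a private CA bundle loaded into the default context is the safer fix for self-signed Black Duck servers.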

Changelog

The Black Duck connector has undergone the following changes:

Table 7: Black Duck connector changelog

| Version | Description |
| --- | --- |
| 3.0.3 | Fixed an issue where statuses for Open Source Findings from Black Duck did not accurately reflect their source status. Added the SOURCE_STATUS attribute to the Open Source Finding object. Changed the PATCH_AVAILABLE attribute on the Dynamic Code Finding object to PATCHABLE. |
| 3.0.2 | No change. |
| 3.0.1 | Code clean up and general maintenance. |
| 3.0.0 | Initial Integration+ release. |