UPDATED 08:00 EST / APRIL 09 2024

SECURITY

New Synopsys Black Duck Supply Chain Edition aims to mitigate risk in software supply chains

Electronic design automation company Synopsys Inc. today announced the availability of Black Duck Supply Chain Edition, a new software composition analysis offering intended to help organizations mitigate upstream risk from software supply chain attacks.

Black Duck Supply Chain Edition combines multiple open-source detection technologies, automated third-party software bill of materials analysis and malware detection to offer a view of software risks inherited from open-source, third-party and artificial intelligence-generated code. The offering allows development and security teams to track dependencies across the entire application lifecycle to identify and resolve security vulnerabilities, malicious packages and license violations and conflicts.

The new edition targets the increasingly prevalent problem of supply chain attacks that exploit vulnerable or maliciously altered open-source and third-party components.

Jason Schmitt, general manager of the Synopsys Software Integrity Group, argues that the need to tackle supply chain attacks “requires constant vigilance over the patchwork of software dependencies that get pulled in from a variety of sources, including open source components downloaded from public repositories, commercial software packages purchased from vendors, code generated from AI coding assistants, and the containers and IT infrastructure used to deploy applications.”

Schmitt added that tackling supply chain attacks will “also require the ability to detect and generate actionable insights for a wide range of risk factors such as known vulnerabilities, exposed secrets and malicious code.”

That’s where the new Black Duck Supply Chain Edition steps in. It combines several open-source detection methods, namely package dependency, CodePrint, snippet, binary and container analysis, to identify open-source components regardless of programming language, according to Synopsys. Using binary and snippet analysis alongside manifest-based dependency analysis matters because components that are vendored, copied in as source fragments or shipped only as compiled artifacts never appear in a package manifest and would otherwise be missed.

The platform’s capabilities extend to the importation and analysis of SBOMs from third-party suppliers, enabling the automatic cataloging of open-source, commercial and custom components. It also integrates malware detection technologies from ReversingLabs to perform post-build analyses, identifying potential threats such as suspicious files and malware.

Other features include risk identification, mitigation and compliance management, with Black Duck Supply Chain Edition continuously monitoring for vulnerabilities, exposed secrets and malicious packages within both generated and imported SBOMs. The platform manages intellectual property risks and software license compliance as well, by automatically identifying the licenses associated with dependencies and providing guidance on compliance issues.
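The SBOM intake and license checks described in the two paragraphs above can be illustrated with a small script. The following is an added example, not Synopsys or Black Duck code: it parses a CycloneDX JSON SBOM, catalogs components by type, and flags the classes of risk a supply chain SCA tool would surface on import, namely components that cannot be identified (no package URL, so they cannot be matched against vulnerability or malware feeds), components with no declared license, and licenses that violate a policy. The SBOM document, the package names and the denied-license set are constructed for this example; the `bomFormat`, `components`, `purl` and `licenses` fields are real CycloneDX 1.5 fields.

```python
"""Added example (not Black Duck code): minimal CycloneDX SBOM intake check."""
import json
from collections import defaultdict

# Hypothetical policy: licenses a proprietary product may not ship with.
DENIED_LICENSES = {
    "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later",
}

# Constructed sample SBOM (CycloneDX 1.5 layout; package names are fictional).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.31.0",
         "purl": "pkg:pypi/example-http@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-gpl-lib", "version": "1.0",
         "purl": "pkg:pypi/example-gpl-lib@1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        # Commercial drop-in with no purl and no license information.
        {"type": "library", "name": "example-vendor-sdk", "version": "3.2",
         "licenses": []},
    ],
})


def load_sbom(text):
    """Parse SBOM JSON and reject anything that is not a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return doc


def component_ref(component):
    """Human-readable name@version for reporting."""
    return f"{component['name']}@{component.get('version', '?')}"


def license_ids(component):
    """Collect declared licenses; CycloneDX allows an SPDX id, a name or an expression."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or entry.get("expression"))
    return [i for i in ids if i]


def catalog(doc):
    """Group components by CycloneDX type (library, application, container, ...)."""
    by_type = defaultdict(list)
    for c in doc.get("components", []):
        by_type[c.get("type", "unknown")].append(component_ref(c))
    return dict(by_type)


def findings(doc, denied=DENIED_LICENSES):
    """Return (component, reason) pairs for the risks an SCA intake would flag."""
    out = []
    for c in doc.get("components", []):
        ref = component_ref(c)
        if not c.get("purl"):
            out.append((ref, "no purl: cannot be matched to vulnerability or malware data"))
        ids = license_ids(c)
        if not ids:
            out.append((ref, "no declared license: review before shipping"))
        for lic in ids:
            if lic in denied:
                out.append((ref, f"denied license {lic}"))
    return out


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for kind, refs in catalog(sbom).items():
        print(f"{kind}: {', '.join(refs)}")
    for ref, reason in findings(sbom):
        print(f"FLAG {ref}: {reason}")
```

A real SCA pipeline would go on to resolve each purl against vulnerability and malicious-package feeds and to evaluate SPDX license expressions rather than bare ids, but the intake logic above is the part that turns a supplier's SBOM into a reviewable inventory.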

Synopsys was last in the news in March when it announced the availability of a dynamic application security testing offering optimized for modern web applications and DevSecOps workflows. Called Synopsys fAST Dynamic, the service is built on technology from the company’s 2022 acquisition of WhiteHat Security and is designed to complement the fAST Static and fAST SCA capabilities on the Synopsys Polaris Software Integrity Platform introduced in 2023.

Photo: Wikimedia Commons
