sca-blackduck

What this skill does

# Software Composition Analysis with Black Duck

## Overview

Perform comprehensive Software Composition Analysis (SCA) using Synopsys Black Duck to identify
security vulnerabilities, license compliance risks, and supply chain threats in open source
dependencies. This skill provides automated dependency scanning, vulnerability detection with
CVE mapping, license risk analysis, and remediation guidance aligned with OWASP and NIST standards.

## Quick Start

Scan a project for dependency vulnerabilities:

```bash
# Using Black Duck Detect (recommended)
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
  --blackduck.url=$BLACKDUCK_URL \
  --blackduck.api.token=$BLACKDUCK_TOKEN \
  --detect.project.name="MyProject" \
  --detect.project.version.name="1.0.0"
```

Scan with policy violation enforcement:

```bash
# Fail build on policy violations
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
  --blackduck.url=$BLACKDUCK_URL \
  --blackduck.api.token=$BLACKDUCK_TOKEN \
  --detect.policy.check.fail.on.severities=BLOCKER,CRITICAL
```

## Core Workflows

### Workflow 1: Initial Dependency Security Assessment

Progress:
[ ] 1. Identify package managers and dependency manifests in codebase
[ ] 2. Run `scripts/blackduck_scan.py` with project detection
[ ] 3. Analyze vulnerability findings categorized by severity (CRITICAL, HIGH, MEDIUM, LOW)
[ ] 4. Map CVE findings to CWE and OWASP Top 10 categories
[ ] 5. Review license compliance risks and policy violations
[ ] 6. Generate prioritized remediation report with upgrade recommendations

Work through each step systematically. Check off completed items.

### Workflow 2: Vulnerability Remediation

1. Review scan results and identify critical/high severity vulnerabilities
2. For each vulnerability:
   - Check if fixed version is available
   - Review breaking changes in upgrade path
   - Consult `references/remediation_strategies.md` for vulnerability-specific guidance
3. Apply dependency updates using package manager
4. Re-scan to validate fixes
5. Document any vulnerabilities accepted as risk with justification

### Workflow 3: License Compliance Analysis

1. Run Black Duck scan with license risk detection enabled
2. Review components flagged with license compliance issues
3. Categorize by risk level:
   - **High Risk**: GPL, AGPL (copyleft licenses)
   - **Medium Risk**: LGPL, MPL (weak copyleft)
   - **Low Risk**: Apache, MIT, BSD (permissive)
4. Consult legal team for high-risk license violations
5. Document license decisions and create policy exceptions if approved

### Workflow 4: CI/CD Integration

1. Add Black Duck Detect to CI/CD pipeline using `assets/ci_integration/`
2. Configure environment variables for Black Duck URL and API token
3. Set policy thresholds (fail on CRITICAL/HIGH vulnerabilities)
4. Enable SBOM generation for supply chain transparency
5. Configure alerts for new vulnerabilities in production dependencies

### Workflow 5: Supply Chain Risk Assessment

1. Identify direct and transitive dependencies
2. Analyze component quality metrics:
   - Maintenance activity (last update, commit frequency)
   - Community health (contributors, issue resolution)
   - Security track record (historical CVEs)
3. Flag high-risk components (unmaintained, few maintainers, security issues)
4. Review alternative components with better security posture
5. Document supply chain risks and mitigation strategies

## Security Considerations

- **Sensitive Data Handling**: Black Duck scans require API tokens with read/write access.
  Store credentials securely in secrets management (Vault, AWS Secrets Manager).
  Never commit tokens to version control.

- **Access Control**: Limit Black Duck access to authorized security and development teams.
  Use role-based access control (RBAC) for scan result visibility and policy management.

- **Audit Logging**: Log all scan executions with timestamps, user, project version, and
  findings count for compliance auditing. Enable Black Duck's built-in audit trail.

- **Compliance**: SCA scanning supports SOC2, PCI-DSS, GDPR, and HIPAA compliance by
  tracking third-party component risks. Generate SBOM for regulatory requirements.

- **Safe Defaults**: Configure policies to fail builds on CRITICAL and HIGH severity
  vulnerabilities. Use allowlists sparingly with documented business justification.

## Supported Package Managers

Black Duck Detect automatically identifies and scans:

- **JavaScript/Node**: npm, yarn, pnpm
- **Python**: pip, pipenv, poetry
- **Java**: Maven, Gradle
- **Ruby**: Bundler, gem
- **.NET**: NuGet
- **Go**: go modules
- **PHP**: Composer
- **Rust**: Cargo
- **C/C++**: Conan, vcpkg
- **Docker**: Container image layers

## Bundled Resources

### Scripts

- `scripts/blackduck_scan.py` - Full-featured scanning with CVE/CWE mapping and reporting
- `scripts/analyze_results.py` - Parse Black Duck results and generate remediation report
- `scripts/sbom_generator.sh` - Generate SBOM (CycloneDX/SPDX) from scan results
- `scripts/policy_checker.py` - Validate compliance with organizational security policies

### References

- `references/cve_cwe_owasp_mapping.md` - CVE to CWE and OWASP Top 10 mapping
- `references/remediation_strategies.md` - Vulnerability remediation patterns and upgrade strategies
- `references/license_risk_guide.md` - License compliance risk assessment and legal guidance
- `references/supply_chain_threats.md` - Common supply chain attack patterns and mitigations

### Assets

- `assets/ci_integration/github_actions.yml` - GitHub Actions workflow for Black Duck scanning
- `assets/ci_integration/gitlab_ci.yml` - GitLab CI configuration for SCA
- `assets/ci_integration/jenkins_pipeline.groovy` - Jenkins pipeline with Black Duck integration
- `assets/policy_templates/` - Pre-configured security and compliance policies
- `assets/blackduck_config.yml` - Recommended Black Duck Detect configuration

## Common Patterns

### Pattern 1: Daily Dependency Security Baseline

```bash
# Run comprehensive scan and generate SBOM
scripts/blackduck_scan.py \
  --project "MyApp" \
  --version "1.0.0" \
  --output results.json \
  --generate-sbom \
  --severity CRITICAL HIGH
```

### Pattern 2: Pull Request Dependency Gate

```bash
# Scan PR changes, fail on new high-severity vulnerabilities
bash <(curl -s -L https://detect.synopsys.com/detect.sh) \
  --blackduck.url=$BLACKDUCK_URL \
  --blackduck.api.token=$BLACKDUCK_TOKEN \
  --detect.policy.check.fail.on.severities=CRITICAL,HIGH \
  --detect.wait.for.results=true
```

### Pattern 3: License Compliance Audit

```bash
# Generate license compliance report
scripts/blackduck_scan.py \
  --project "MyApp" \
  --version "1.0.0" \
  --report-type license \
  --output license-report.pdf
```

### Pattern 4: Vulnerability Research and Triage

```bash
# Extract CVE details and remediation guidance
scripts/analyze_results.py \
  --input scan-results.json \
  --filter-severity CRITICAL HIGH \
  --include-remediation \
  --output vulnerability-report.md
```

### Pattern 5: SBOM Generation for Compliance

```bash
# Generate Software Bill of Materials (CycloneDX format)
scripts/sbom_generator.sh \
  --project "MyApp" \
  --version "1.0.0" \
  --format cyclonedx \
  --output sbom.json
```

## Integration Points

### CI/CD Integration

- **GitHub Actions**: Use `synopsys-sig/detect-action@v1` with policy enforcement
- **GitLab CI**: Run as security scanning job with dependency scanning template
- **Jenkins**: Execute Detect as pipeline step with quality gates
- **Azure DevOps**: Integrate using Black Duck extension from marketplace

See `assets/ci_integration/` for ready-to-use pipeline configurations.

### Security Tool Integration

- **SIEM/SOAR**: Export findings in JSON/CSV for ingestion into Splunk, ELK
- **Vulnerability Management**: Integrate with Jira, ServiceNow, DefectDojo
- **Secret Scanning**: Combine with Gitleaks, TruffleHog for comprehensive security
- **SAST Tools**: Use alongside Semgrep, Bandit for d