Synopsys hopes to mitigate upstream risks in software supply chains with new SCA tool


Synopsys has launched a new solution to help companies manage upstream risks in software supply chains.

Black Duck Supply Chain Edition performs software composition analysis (SCA) that uses multiple security analysis techniques to determine the components in a piece of software, such as package dependency, CodePrint, snippet, binary, and container analysis.

Customers can import SBOMs of their third-party components and automatically catalog the components found within. It performs continuous risk analysis on both internal SBOMs and the SBOMs of third-party components.

This also allows it to identify not just security issues, but issues with the licenses of third-party components. This includes analyzing AI-generated code and detecting whether any part of it might be subject to license requirements.

The tool also performs post-build analysis that can help detect malware or potentially unwanted applications.

SBOMs can be exported in SPDX or CycloneDX formats, which makes it easier to meet customer, industry, or regulatory requirements, according to Synopsys.
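To make the SBOM import, component cataloging and license/vulnerability risk checks described above concrete, here is an added example in Python. It is not Synopsys or Black Duck code: it parses a constructed CycloneDX JSON document, catalogs each component, and flags it against a constructed advisory list (placeholder ids, not real CVEs) and a hypothetical license policy. Every SBOM entry, advisory and policy value in the block is made up for illustration.

```python
"""Catalog the components of a CycloneDX SBOM and run a simple risk check.

Added example, not Synopsys/Black Duck code. The SBOM, the advisory list and
the licence policy below are all constructed for illustration.
"""
import json
from dataclasses import dataclass, field

# Constructed CycloneDX 1.5 JSON document standing in for an imported third-party SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "readline", "version": "8.1",
         "purl": "pkg:generic/readline@8.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "util-lib", "version": "0.9.2",
         "purl": "pkg:npm/util-lib@0.9.2"},  # no licence declared at all
    ],
})

# Constructed advisory feed: version-less purl -> {affected version: advisory id}.
# The id is a placeholder, not a real CVE.
ADVISORIES = {"pkg:npm/util-lib": {"0.9.2": "ADVISORY-PLACEHOLDER-1"}}

# Hypothetical licence policy: copyleft licences must not ship in this product.
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass
class Component:
    name: str
    version: str
    purl: str
    licenses: list = field(default_factory=list)


@dataclass
class Finding:
    component: str   # purl of the affected component
    kind: str        # "vulnerability", "license" or "no-license"
    detail: str


def catalog(sbom_json: str) -> list[Component]:
    """Import a CycloneDX JSON SBOM and catalog the components found within."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for c in doc.get("components", []):
        # CycloneDX allows either an SPDX id or a free-form licence name.
        ids = [entry["license"].get("id") or entry["license"].get("name")
               for entry in c.get("licenses", []) if "license" in entry]
        out.append(Component(c["name"], c.get("version", ""), c.get("purl", ""), ids))
    return out


def purl_without_version(purl: str) -> str:
    """Strip '@version' from a purl; '@' inside a namespace is percent-encoded, so a
    plain split is safe."""
    return purl.split("@", 1)[0]


def assess(components: list[Component]) -> list[Finding]:
    """Continuous-risk-style check: known advisories, denied licences, missing licences."""
    findings = []
    for comp in components:
        advisory = ADVISORIES.get(purl_without_version(comp.purl), {}).get(comp.version)
        if advisory:
            findings.append(Finding(comp.purl, "vulnerability", advisory))
        if not comp.licenses:
            findings.append(Finding(comp.purl, "no-license",
                                    "no licence declared; needs manual review"))
        for lic in comp.licenses:
            if lic in DENIED_LICENSES:
                findings.append(Finding(comp.purl, "license", f"{lic} denied by policy"))
    return findings


def run(sbom_json: str = SAMPLE_SBOM) -> list[Finding]:
    """Import, catalog and assess one SBOM; returns the list of findings."""
    return assess(catalog(sbom_json))


if __name__ == "__main__":
    for f in run():
        print(f"{f.kind:14} {f.component:30} {f.detail}")
```

On the constructed input the run yields three findings: a placeholder advisory against util-lib 0.9.2, a missing-licence flag for the same component, and a policy hit on readline's GPL-3.0-only licence; a real deployment would replace the inline advisory dictionary with a live vulnerability feed and re-run the check whenever either the SBOM or the feed changes.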

“With the rise in software supply chain attacks targeting vulnerable or maliciously altered open source and third-party components, it’s critical for organizations to understand and thoroughly scrutinize the composition of their software portfolios,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “This requires constant vigilance over the patchwork of software dependencies that get pulled in from a variety of sources, including open source components downloaded from public repositories, commercial software packages purchased from vendors, code generated by AI coding assistants, and the containers and IT infrastructure used to deploy applications. It also requires the ability to detect and generate actionable insights for a range of risk factors such as known vulnerabilities, exposed secrets, and malicious code.”
