Synopsys has introduced Black Duck Supply Chain Edition, a software composition analysis (SCA) package that helps organizations mitigate upstream risk in software supply chains, including from AI code.
Announced April 9, Black Duck Supply Chain Edition is intended to address a rise in software supply chain attacks targeting vulnerable or maliciously altered open source and third-party components. Due April 25, the product combines open source detection technologies, automated third-party software bill of materials (SBOM) analysis, and malware detection to give a view of software risks inherited from open source, AI-generated code, and third-party code, Synopsys said. Security and development teams can track dependencies across the application life cycle to find and resolve security vulnerabilities, malicious packages, and license violations and conflicts, the company added.
Among the key features are multiple open source detection technologies that identify open source components across any programming language, using a combination of software analysis technologies including package dependency analysis and container analysis. Other features include third-party SBOM import and analysis, malware detection, continuous risk identification and monitoring for open source vulnerabilities, exposed secrets, malware, and suspicious packages, and IP risk and license management, which identifies software licenses associated with dependencies.