Black Duck’s multi-factor open source scanning technology ensures that you have the most complete and accurate view of open source in your applications and containers, combining build process monitoring and file system scanning to track all open source in use, including components most solutions miss.
Black Duck tracks both the components explicitly declared in package manifests and the additional dependencies dynamically resolved during the build process.
Black Duck also performs deep analysis of file and directory metadata as well as “code prints” (SHA file signatures) to discover undeclared, modified, and partial open source components.
Most other solutions rely solely on package manager declarations to identify open source components. But these solutions miss a lot of open source that may be in your code, including:
In addition, these solutions often provide inaccurate results for transitive dependencies and components where the package declaration does not specify a single version to include in the build.
By combining file system information with build process monitoring, Black Duck solutions provide visibility into open source components not tracked by a package manager as well as component and version verification for dynamic and transitive dependencies.
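As an added illustration of the code-print idea described above (example code written for this page, not Black Duck's scanner or its signature database), the following Python hashes every file under a source tree, looks the digests up in a small constructed signature table, and reports components that the package manifest never declared. The file contents, component names and versions are constructed stand-ins; exact SHA-256 matching only finds unmodified files, so modified or partial components would need fuzzier matching that is not shown here.

```python
import hashlib
import os
import tempfile

def sha256_of_bytes(data: bytes) -> str:
    """Code print of a file: the SHA-256 of its raw bytes."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for files in a source tree. Two are vendored copies of
# open source files; one is first-party code. Contents are made up for the demo.
SAMPLE_FILES = {
    "vendor/zlib/inflate.c": b"/* constructed stand-in for a vendored zlib file */\n",
    "vendor/libfoo/foo.c": b"/* constructed stand-in for a libfoo source file */\n",
    "src/app.c": b"int main(void) { return 0; }\n",
}

# Constructed signature database: file digest -> (component, version).
# A real code-print database maps millions of digests to known releases.
KNOWN_FILE_SIGNATURES = {
    sha256_of_bytes(SAMPLE_FILES["vendor/zlib/inflate.c"]): ("zlib", "1.2.13"),
    sha256_of_bytes(SAMPLE_FILES["vendor/libfoo/foo.c"]): ("libfoo", "1.2.0"),
}

def write_sample_tree(root: str) -> None:
    """Materialise the constructed files on disk so the scan walks a real tree."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def scan_tree(root: str) -> dict:
    """Hash every file under root; return {(component, version): [relative paths]}."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = sha256_of_bytes(f.read())
            match = KNOWN_FILE_SIGNATURES.get(digest)
            if match:
                hits.setdefault(match, []).append(os.path.relpath(path, root))
    return hits

def undeclared_components(root: str, manifest: dict) -> list:
    """Components found by code print that the package manifest does not declare."""
    declared = {(d["name"], d["version"]) for d in manifest["dependencies"]}
    return sorted(comp for comp in scan_tree(root) if comp not in declared)

def demo(manifest: dict) -> list:
    """Scan a temporary copy of the constructed tree against the given manifest."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return undeclared_components(root, manifest)
```

A manifest that lists only libfoo yields zlib as an undeclared component; declaring both yields an empty list.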
The Detect open source discovery client makes it easy to integrate Black Duck into your existing development tools and processes. It automatically identifies which languages and package managers are being used, configures the appropriate integrations for discovery, and finds the most effective way to analyze your code.