
Synopsys hopes to mitigate upstream risks in software supply chains with new SCA tool

Synopsys has launched a new solution to help companies manage upstream risks in software supply chains.

Black Duck Supply Chain Edition performs software composition analysis (SCA) using a number of security analysis techniques to determine the components in a piece of software, such as package dependency, CodePrint, snippet, binary, and container analysis.

Customers can import SBOMs for their third-party components and automatically catalog the components found within. It performs continuous risk analysis on both internal SBOMs and the SBOMs of third-party components.

This also allows it to identify not just security issues, but issues with the licenses of third-party components. This includes analyzing AI-generated code and detecting whether any part of it might be subject to license requirements.

The tool also performs post-build analysis that can help detect malware or potentially unwanted applications.

SBOMs can be exported in SPDX or CycloneDX formats, which makes it easier to meet customer, industry, or regulatory requirements, according to Synopsys.
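As an added illustration (not Synopsys code and not part of the original article), the Python below sketches the SBOM-driven workflow described above: ingest a CycloneDX JSON SBOM, catalog its components by package URL, and re-run vulnerability and license checks against an advisory feed and a license policy. The SBOM contents, the advisory identifiers and the denied-license list are all constructed placeholders, not real packages or CVEs.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM; component names, versions and licenses are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "tiny-helper", "version": "1.2.0",
     "purl": "pkg:npm/tiny-helper@1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "fastjsonx", "version": "0.9.1",
     "purl": "pkg:pypi/fastjsonx@0.9.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "mystery-lib", "version": "0.1.0",
     "purl": "pkg:pypi/mystery-lib@0.1.0"}
  ]
}"""

# Constructed advisory feed keyed by version-less purl; placeholder ids, not real CVEs.
ADVISORIES = {"pkg:npm/tiny-helper": {"id": "ADV-EXAMPLE-001", "affected": {"1.2.0", "1.2.1"}}}

# Constructed license policy: licenses that need review before a component may ship.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def catalog_components(sbom_text):
    """Parse a CycloneDX JSON SBOM into a flat catalog keyed by package URL (purl)."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    catalog = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl") or f"pkg:generic/{comp['name']}@{comp.get('version', '')}"
        base, sep, version = purl.rpartition("@")
        if not sep:  # purl without a version qualifier
            base, version = purl, ""
        licenses = [lic["license"].get("id") or lic["license"].get("name")
                    for lic in comp.get("licenses", []) if "license" in lic]
        catalog[purl] = {"name": comp["name"], "base": base, "version": version, "licenses": licenses}
    return catalog


def assess(catalog, advisories=ADVISORIES, denied=DENIED_LICENSES):
    """Re-run risk checks over the catalog; returns (purl, finding_type, detail) tuples."""
    findings = []
    for purl, c in catalog.items():
        adv = advisories.get(c["base"])
        if adv and c["version"] in adv["affected"]:
            findings.append((purl, "known_vulnerability", adv["id"]))
        if not c["licenses"]:  # undeclared license is itself a compliance finding
            findings.append((purl, "missing_license", "no license declared in SBOM"))
        for lic in c["licenses"]:
            if lic in denied:
                findings.append((purl, "license_policy", lic))
    return findings
```

Re-running `assess` whenever the advisory feed or the SBOM changes is what turns a one-off scan into the continuous risk analysis the article describes.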

“With the rise in software supply chain attacks targeting vulnerable or maliciously altered open source and third-party components, it’s critical for organizations to understand and fully scrutinize the composition of their software portfolios,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “This requires constant vigilance over the patchwork of software dependencies that get pulled in from a variety of sources, including open source components downloaded from public repositories, commercial software packages purchased from vendors, code generated from AI coding assistants, and the containers and IT infrastructure used to deploy applications. It also requires the ability to detect and generate actionable insights for a range of risk factors such as known vulnerabilities, exposed secrets, and malicious code.”