BlackDuck Connector (previous revision)

Getting started with Black Duck connector

Updated over a week ago

Am I reading the right user guide?

Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).

To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.

Configuring Black Duck

In the Connectors page, click on Add a Connector.

Click on the Black Duck connector.

Fill in the relevant fields:

Server URL - URL of your Black Duck account

API Token:

  1. Go to the BlackDuck Platform and sign in as an Admin User.

  2. Navigate to Admin > User Management

  3. Create or edit a user you want to use for the integration.

  4. Enter the User and add the permission Global Code Scanner Role.

  5. Make sure the user is a member of the intended project or is a part of a group that is a member of the project.

  6. Save.

  7. Log out from the Admin User and log in as the integration user.

  8. Click on the User tab, then on Access My Tokens.

  9. Create a New Token and fill in the token details.

  10. Check the Read Access option and click Create.

  11. Save the generated API Token somewhere safe.

  • You can see the connector's progress in the Log tab

Viewing data from Black Duck in Vulcan

Vulcan provides the option to remediate vulnerabilities from 2 different angles:

  • Assets

  • Vulnerabilities

Assets

The data from Black Duck is displayed under Code Projects. This tab gathers all data that comes from SAST and SCA tools. To filter only Black Duck data, simply use the Search Bar.

The Project column will indicate the projects you have in Black Duck.

The Last Report column will indicate the last scanned time in Black Duck.
The Top Risk column will indicate the highest risk-value from all risks that exist in a project.
The Vulnerabilities column will indicate the number of vulnerabilities that exist in a project.
The Tags column will indicate all the tags related to the projects.

Clicking on each project will open its Asset Card, where you can view the project's data in detail, including all related vulnerabilities, affected libraries and packages, project details and correlated data from other sources.

If you want to view a specific vulnerability, click on it to see a representation of that vulnerability and its details.

Vulnerabilities
You can view all data from Black Duck in Vulnerabilities. In order to filter only Black Duck data, simply use the Search Bar.

You can start the remediation process by clicking on a vulnerability and viewing all details fetched from your Black Duck account.
All the data from Black Duck, including the descriptions, the offered solutions, available fixes and more, is available in Vulcan.

Click on Take Action if you wish to open a ticket and assign it to a specific team or share your findings via Slack channels or emails.

Fields Mapping

| BlackDuck field | Vulcan Field | Value example |
|---|---|---|
| Name | Project name | angular-node-express |
| Created by | Created by | Sysadmin |
| Updated by | Updated By | Sysadmin |
| Tags | BlackDuck Tags / Tags | |
| Clone Categories | Clone Categories | [ "COMPONENT_DATA", "VULN_DATA", "LICENSE_TERM_FULFILLMENT" ] |
| Vulnerability title | Vulnerability title | Lodash Vulnerable to Remote Code Execution via Prototype Pollution in defaultsDeep Function |
| Description | Description | Lodash contains a prototype pollution flaw. An attacker could exploit this to modify the component or cause remote code execution or a denial-of-service (DoS). |
| Workaround | Workaround | |
| Technical Description | Technical Description | Unsafe recursive JSON merges can result in an attacker being able to tamper with the JavaScript `Object` which can then influence other data-types through the prototype chain. The `defaultsDeep` function of `defaultsDeep.js` exposes this type of vulnerability. The issue has been fixed by including a check to ensure that the global object is not polluted. The exact impact of this vulnerability will range from property injection to code injection and denial-of-service, depending on the application code. |
| Publish date / Vulnerability Publish Date | Publish Date | |
| Update Date / Vulnerability Update date | Last seen | |
| CVSS v2 Score / CVSS v3 Score | Score | |
| meta.links.rel.related-vulnerability.href or meta.links.rel.related-vulnerability.nist.href | CVEs | |
| Vulnerability status: PATCHED, REMEDIATION COMPLETE, MITIGATED | Vulnerability isn't retrieved as it is considered FIXED. | |
| Vulnerability status: DUPLICATE | False Positive | |
| Vulnerability status: Vulnerable, or any other status | Vulnerable | |
| Vulnerability status: IGNORED | Ignored | |
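As an added example (not part of this guide and not the Vulcan connector's own code), the following Python applies the mapping above to one constructed Black Duck record: it translates the vulnerability status, pulls CVE ids out of both related-vulnerability links, and picks a score. The key names (remediationStatus, cvss3Score, vulnerabilityName), the nested meta layout and the CVE id are assumptions made for the example.

```python
import re
# Black Duck statuses the connector does not import: Vulcan treats them as FIXED.
FIXED_STATUSES = {"PATCHED", "REMEDIATION COMPLETE", "MITIGATED"}
SPECIAL_STATUSES = {"DUPLICATE": "False Positive", "IGNORED": "Ignored"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample record. Key names and the nested "meta" layout are assumptions
# that follow the dotted paths in the mapping table; the CVE id is a placeholder.
SAMPLE_RECORD = {
    "vulnerabilityName": "Placeholder prototype pollution finding",
    "remediationStatus": "NEW",
    "cvss2Score": 6.4, "cvss3Score": 9.1,
    "meta": {"links": {"rel": {"related-vulnerability": {
        "href": "https://blackduck.example/api/vulnerabilities/CVE-0000-0001",
        "nist": {"href": "https://nvd.nist.gov/vuln/detail/CVE-0000-0001"}}}}},
}

def map_status(black_duck_status):
    """Vulcan status for a Black Duck status; None means the connector skips it as fixed."""
    s = (black_duck_status or "").strip().upper().replace("_", " ")
    if s in FIXED_STATUSES:
        return None
    return SPECIAL_STATUSES.get(s, "Vulnerable")  # "Vulnerable" and any other status

def dig(obj, dotted_path):
    # Follow a dotted path such as meta.links.rel.related-vulnerability.href.
    for key in dotted_path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def extract_cves(record):
    """Collect CVE ids from either related-vulnerability href, without duplicates."""
    found = []
    for path in ("meta.links.rel.related-vulnerability.href",
                 "meta.links.rel.related-vulnerability.nist.href"):
        for cve in CVE_RE.findall(dig(record, path) or ""):
            if cve.upper() not in found:
                found.append(cve.upper())
    return found

def to_vulcan(record):
    """Build the Vulcan fields for one record; None means it is not imported."""
    status = map_status(record.get("remediationStatus"))
    if status is None:
        return None
    score = next((record.get(k) for k in ("cvss3Score", "cvss2Score")
                  if record.get(k) is not None), None)  # assumption: prefer v3 over v2
    return {"Vulnerability title": record.get("vulnerabilityName"), "Score": score,
            "CVEs": extract_cves(record), "Status": status}
```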

As part of the integration, Vulcan uses the following API calls:

{server_url}/api/tokens/authenticate
{server_url}/j_spring_security_check
{server_url}/api/vulnerabilities/
{server_url}/{project_id}/versions/{version_id}/vulnerable-bom-components
{server_url}/api/projects/
{server_url}/api/projects/tags
{server_url}/api/projects/versions
{server_url}/api/projects/{project_id}/tags
{server_url}/api/projects/{project_id}/versions
{server_url}/api/projects/{project_id}/versions/{version_id}/codelocations
{server_url}/api/projects/{project_id}/versions/{version_id}/vulnerable-bom-components