In this article you will find:

  1. How to configure Black Duck in Vulcan platform

  2. How to view data from Black Duck in Vulcan platform

  3. Fields Mapping

  4. API calls in use

1. Configuring Black Duck

In the Connectors page, click on Add a Connector.

Click on the Black Duck connector.

Fill in the relevant fields:

Server URL - URL of your Black Duck account

For example: https://{ip_address}.com

API Access Token - Key to communicate with Black Duck API.
The API key should be associated with a user that has the Super User role. Go to Administration --> User Management --> Overall Permission and make sure 'Super User' is checked.
To generate the API access token, go to My Profile --> User Access Token and provide an indicative name and description (for example 'Vulcan User') with 'read' and 'write' access.

Click on Generate.
Note that API access tokens are only presented upon initial generation, so it is important to store them in a safe location, as they cannot be retrieved and will need to be regenerated if lost.

Click on Create.

  • You can see the connector's progress in the Log tab

2. Viewing data from Black Duck in Vulcan

Vulcan provides the option to remediate vulnerabilities from 2 different angles:

  • Assets

  • Vulnerabilities

Assets

The data from Black Duck will be displayed under Code Projects. This tab gathers all data that came from SAST and SCA tools. To filter only Black Duck data, simply use the Search Bar.

The Project column will indicate the projects you have in Black Duck.

The Last Report column will indicate the last scanned time in Black Duck.
The Top Risk column will indicate the highest risk-value from all risks that exist in a project.
The Vulnerabilities column will indicate the number of vulnerabilities that exist in a project.
The Tags column will indicate all the tags related to the projects.

Clicking on each project will open its Asset Card, where you can view the project's data in detail, including all related vulnerabilities, affected libraries and packages, project details and correlated data from other sources.

If you want to view a specific vulnerability, click on it and you will get a representation of that vulnerability and its details.

Vulnerabilities
You can view all data from Black Duck in Vulnerabilities. In order to filter only Black Duck data, simply use the Search Bar.

You can start the remediation process by clicking on a vulnerability and viewing all details fetched from your Black Duck account.
All the data from Black Duck, including the descriptions, the offered solutions, available fixes and more, is in Vulcan.

Click on Take Action if you wish to open a ticket and assign it to a specific team or share your findings via Slack channels or emails.

3. Fields Mapping

| BlackDuck field | Vulcan field | Value example |
| --- | --- | --- |
| Name | Project name | angular-node-express |
| Created by | Created by | Sysadmin |
| Updated by | Updated By | Sysadmin |
| Tags | BlackDuck Tags / Tags | |
| Clone Categories | Clone Categories | [ "COMPONENT_DATA", "VULN_DATA", "LICENSE_TERM_FULFILLMENT" ] |
| Vulnerability title | Vulnerability title | Lodash Vulnerable to Remote Code Execution via Prototype Pollution in defaultsDeep Function |
| Description | Description | Lodash contains a prototype pollution flaw. An attacker could exploit this to modify the component or cause remote code execution or a denial-of-service (DoS). |
| Workaround | Workaround | |
| Technical Description | Technical Description | Unsafe recursive JSON merges can result in an attacker being able to tamper with the JavaScript `Object` which can then influence other data-types through the prototype chain. The `defaultsDeep` function of `defaultsDeep.js` exposes this type of vulnerability. The issue has been fixed by including a check to ensure that the global object is not polluted. The exact impact of this vulnerability will range from property injection to code injection and denial-of-service, depending on the application code. |
| Publish date / Vulnerability Publish Date | Publish Date | |
| Update Date / Vulnerability Update date | Last seen | |
| CVSS v2 Score / CVSS v3 Score | Score | |
| meta.links.rel.related-vulnerability.href or meta.links.rel.related-vulnerability.nist.href | CVEs | |
| Vulnerability status: PATCHED, REMEDIATION COMPLETE, MITIGATED | Vulnerability is not retrieved, as it is considered FIXED | |
| Vulnerability status: DUPLICATE | False Positive | |
| Vulnerability status: Vulnerable, any other status | Vulnerable | |
| Vulnerability status: IGNORED | Ignored | |
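As an added illustration (not Vulcan's or Black Duck's own code), here are the status, score and CVE rules from the mapping table applied to one constructed record. The dictionary keys are named after the Black Duck fields in the table rather than the API's real JSON keys, and the preference for the CVSS v3 score over v2 is an assumption.

```python
import re

# Black Duck statuses the connector treats as FIXED; such findings are not retrieved.
FIXED_STATUSES = {"PATCHED", "REMEDIATION COMPLETE", "MITIGATED"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample record. The keys follow the Black Duck field names in the
# mapping table above; they are NOT the literal JSON keys of the Black Duck API.
SAMPLE_RECORD = {
    "vulnerability_title": "Lodash Vulnerable to Remote Code Execution via Prototype Pollution",
    "vulnerability_status": "Vulnerable",
    "cvss_v2_score": 6.8, "cvss_v3_score": 9.8,
    "vulnerability_publish_date": "2020-01-01T00:00:00Z",
    "vulnerability_update_date": "2021-01-01T00:00:00Z",
    "meta": {"links": [  # the CVE id below is a placeholder, not a real identifier
        {"rel": "related-vulnerability", "href": "https://nvd.example/vuln/detail/CVE-0000-0001"},
        {"rel": "component", "href": "https://blackduck.example/api/components/placeholder"},
    ]},
}

def vulcan_status(black_duck_status):
    """Map a Black Duck vulnerability status to the Vulcan status from the table.
    Returns None when the finding counts as FIXED and must be skipped."""
    s = (black_duck_status or "").strip().upper().replace("_", " ")
    if s in FIXED_STATUSES:
        return None
    # DUPLICATE and IGNORED have their own Vulcan status; everything else is Vulnerable.
    return {"DUPLICATE": "False Positive", "IGNORED": "Ignored"}.get(s, "Vulnerable")

def cves_from_links(links):
    """Collect CVE ids from the href of every related-vulnerability link."""
    found = set()
    for link in links:
        if link.get("rel") == "related-vulnerability":
            found.update(CVE_RE.findall(link.get("href", "")))
    return sorted(found)

def normalize(record):
    """Apply the mapping table to one record; None means 'do not import'."""
    status = vulcan_status(record.get("vulnerability_status"))
    if status is None:
        return None
    # Assumption: prefer the CVSS v3 score and fall back to v2 when v3 is absent.
    score = record.get("cvss_v3_score", record.get("cvss_v2_score"))
    links = record.get("meta", {}).get("links", [])
    return {"title": record.get("vulnerability_title"), "status": status, "score": score,
            "cves": cves_from_links(links),
            "publish_date": record.get("vulnerability_publish_date") or record.get("publish_date"),
            "last_seen": record.get("vulnerability_update_date") or record.get("update_date")}
```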

4. API calls in use

As part of the integration, Vulcan uses the following API calls:

{server_url}/api/tokens/authenticate
{server_url}/j_spring_security_check
{server_url}/api/vulnerabilities/
{server_url}/{project_id}/versions/{version_id}/vulnerable-bom-components
{server_url}/api/projects/
{server_url}/api/projects/tags
{server_url}/api/projects/versions
{server_url}/api/projects/{project_id}/tags
{server_url}/api/projects/{project_id}/versions
{server_url}/api/projects/{project_id}/versions/{version_id}/codelocations
{server_url}/api/projects/{project_id}/versions/{version_id}/vulnerable-bom-components