In this article you will find:
How to configure Black Duck in the Vulcan platform
How to view data from Black Duck in the Vulcan platform
Fields Mapping
API calls in use
1. Configuring Black Duck
In the Connectors page, click on Add a Connector.

Click on the Black Duck connector.

Fill in the relevant fields:
Server URL - URL of your Black Duck account
For example: https://{ip_address}.com
API Access Token - Key to communicate with the Black Duck API.
The API key should be associated with the user role Super User. To check, go to Administration --> User Management --> Overall Permission and make sure 'Super User' is checked.
To generate the API access token, go to My Profile --> User Access Token and provide an indicative name and description (for example 'Vulcan User') with 'read' and 'write' access.


Click on Generate.
Note that API access tokens are only presented upon initial generation, so it's important to store them in a safe location, as they cannot be retrieved and will need to be regenerated if lost.
Click on Create
You can see the connector's progress in the Log tab

2. Viewing data from Black Duck in Vulcan
Vulcan provides the option to remediate vulnerabilities from 2 different angles:
Assets
Vulnerabilities
Assets
The data from Black Duck will be displayed under Code Projects - This tab gathers all data that came from SAST and SCA tools. To filter only Black Duck data, simply use the Search Bar.

The Project column will indicate the projects you have in Black Duck.

The Last Report column will indicate the last scanned time in Black Duck.
The Top Risk column will indicate the highest risk-value from all risks that exist in a project.
The Vulnerabilities column will indicate the number of vulnerabilities that exist in a project.
The Tags column will indicate all the tags that are related to projects.
Clicking on each project will open its Asset Card, where you can view the project's data in detail, including all related vulnerabilities, affected libraries and packages, details of projects and correlated data from other sources.

If you want to view a specific vulnerability, click on it and you will get a representation of that vulnerability and its details.
Vulnerabilities
You can view all data from Black Duck in Vulnerabilities. In order to filter only Black Duck data, simply use the Search Bar.

You can start the remediation process by clicking on a vulnerability and viewing all details fetched from your Black Duck account.
All the data from Black Duck including the descriptions, the offered solutions, available fixes and more are in Vulcan.

Click on Take Action if you wish to open a ticket and assign it to a specific team or share your findings via Slack channels or emails.
Fields Mapping
BlackDuck field | Vulcan Field | Value example |
Name | Project name | angular-node-express |
Created by | Created by | |
Updated by | Updated By | |
Tags | BlackDuck Tags / Tags | |
Clone Categories | Clone Categories | |
Vulnerability title | Vulnerability title | |
Description | Description | |
Workaround | Workaround | |
Technical Description | Technical Description | |
Publish date | Publish Date | |
Update Date | Last seen | |
CVSS v2 Score | Score | |
meta.links.rel.related-vulnerability.href or meta.links.rel.related-vulnerability.nist.href | CVEs | |
Vulnerability status: | Vulnerability isn't retrieved as it is considered FIXED. | |
Vulnerability status: | False Positive | |
Vulnerability status: | Vulnerable | |
Vulnerability status: | Ignored | |
API calls in use
As part of the integration, Vulcan uses the following API calls:
{server_url}/api/tokens/authenticate
{server_url}/j_spring_security_check
{server_url}/api/vulnerabilities/
{server_url}/{project_id}/versions/{version_id}/vulnerable-bom-components
{server_url}/api/projects/
{server_url}/api/projects/tags
{server_url}/api/projects/versions
{server_url}/api/projects/{project_id}/tags
{server_url}/api/projects/{project_id}/versions
{server_url}/api/projects/{project_id}/versions/{version_id}/codelocations
{server_url}/api/projects/{project_id}/versions/{version_id}/vulnerable-bom-components
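
A pre-flight check for the Server URL and API Access Token before they are entered in the connector form, using the {server_url}/api/tokens/authenticate and {server_url}/api/projects/ calls from the list above. This is an added example, not Vulcan's or Black Duck's own code; `preflight` is a hypothetical helper, and the `Authorization: token …` header and the `bearerToken` and `totalCount` response fields are assumptions about the Black Duck REST API that this page does not state.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def _call(opener, url, method, auth):
    """Send one request and return the decoded JSON body."""
    req = urllib.request.Request(
        url, method=method, data=b"" if method == "POST" else None,
        headers={"Authorization": auth, "Accept": "application/json"})
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def preflight(server_url, api_token, opener=urllib.request.urlopen):
    """Check that a token authenticates and can list projects.

    Returns {"ok": bool, "stage": str, "detail": str}.
    """
    base = server_url.rstrip("/")
    # Refuse plain HTTP so the token is never sent unencrypted.
    if urlsplit(base).scheme != "https":
        return {"ok": False, "stage": "url", "detail": "Server URL must use https"}
    stage = "authenticate"
    try:
        # Assumed exchange: access token in, short-lived bearer token out.
        auth = _call(opener, base + "/api/tokens/authenticate", "POST",
                     "token " + api_token)
        bearer = auth.get("bearerToken")
        if not bearer:
            return {"ok": False, "stage": stage, "detail": "no bearerToken returned"}
        stage = "projects"
        # The bearer token must be able to read the project list.
        projects = _call(opener, base + "/api/projects/", "GET", "Bearer " + bearer)
    except urllib.error.HTTPError as exc:  # e.g. the server rejected the token
        return {"ok": False, "stage": stage, "detail": "HTTP %d" % exc.code}
    except (urllib.error.URLError, ValueError) as exc:  # unreachable or non-JSON
        return {"ok": False, "stage": stage, "detail": str(exc)}
    return {"ok": True, "stage": stage,
            "detail": "%d project(s) visible" % projects.get("totalCount", 0)}
```

The returned `stage` shows whether a failure came from the URL, the token exchange, or the project listing, which narrows down what to fix before creating the connector.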